Redirect user to signin after webauthn error has occurred #3962

jenshenny · 2023-07-26T16:47:34Z

What problem are you solving?

Part of: #3335

When an error does get hit in sessions#webauthn_create eg. login_failure("Credentials required"), the ensure block is run which deletes session[:webauthn_authentication].

When the user tries to authenticate again, @user = User.find(session.dig(:webauthn_authentication, "user")) will blow up with an ActiveRecord record not found error and will fail to authenticate or fail to display any error.

What approach did you choose and why?

Currently, if a user enters the wrong totp code during mfa verification, they'll be redirected back to the sign in page. This PR would do the same with webauthn.

This would solve #3335 as the sign in flow would be reset and the correct session variables will be set when the user is prompted again. A reason I decided to redirect back to sign in instead of re-rendering the prompt page is that another error that could occur is that their login session is expired. It wouldn't make sense to re-render the prompt page as auth would always fail (the login session is expired).

Next steps

Will need to revisit the same for email confirmations, multifactor auth level update and password reset.

codecov · 2023-07-26T16:59:22Z

Codecov Report

Merging #3962 (fb8661c) into master (34325b6) will decrease coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #3962      +/-   ##
==========================================
- Coverage   98.86%   98.86%   -0.01%     
==========================================
  Files         221      221              
  Lines        5466     5465       -1     
==========================================
- Hits         5404     5403       -1     
  Misses         62       62

Files Changed	Coverage Δ
app/controllers/sessions_controller.rb	`100.00% <100.00%> (ø)`

jenshenny · 2023-07-27T02:56:35Z

app/controllers/sessions_controller.rb

    @user = find_user

    if @user&.mfa_enabled?
-      setup_webauthn_authentication(form_url: webauthn_create_session_path, session_options: { "user" => @user.id })


From #3859 (comment)

Use mfa user session variable for webauthn verification

ed015bd

jenshenny force-pushed the fix-credentials branch 2 times, most recently from 28c0f4a to 94b6223 Compare July 26, 2023 20:22

jenshenny changed the title ~~Allow users to verify webauthn credentials after webauthn error has occurred~~ Redirect user to signin after webauthn error has occurred Jul 26, 2023

jenshenny added 2 commits July 26, 2023 16:27

Refactor webauthn_create controller tests

afc7dfc

Render signin if webauthn login is unsuccessful

fb8661c

jenshenny force-pushed the fix-credentials branch from 94b6223 to fb8661c Compare July 26, 2023 20:27

jenshenny mentioned this pull request Jul 26, 2023

Use setup_webauthn_authentication helper method in updating MFA level #3963

Merged

jenshenny marked this pull request as ready for review July 26, 2023 20:51

jenshenny commented Jul 27, 2023

View reviewed changes

simi approved these changes Aug 1, 2023

View reviewed changes

simi merged commit ed8133d into rubygems:master Aug 1, 2023

simi mentioned this pull request Aug 1, 2023

User cannot verify webauthn credentials after error is returned #3335

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Redirect user to signin after webauthn error has occurred #3962

Redirect user to signin after webauthn error has occurred #3962

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Redirect user to signin after webauthn error has occurred #3962

Redirect user to signin after webauthn error has occurred #3962

Uh oh!

Conversation

Uh oh!

What problem are you solving?

What approach did you choose and why?

Next steps

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants