Pass through AuthenticatorAttestationResponse.getTransports() #44
Conversation
The spec [1] says clients are to return "[...] or an empty sequence if the information is unavailable", so an empty sequence is used in case the client does not support the getTransports() method. [1]: https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-authenticatorattestationresponse-transports-slot
|
@lgarron any idea when you might have time to look at this? |
|
Ahoy! Apologies for the delay.
I think the current approach in this PR is clever, but I still don't feel comfortable merging it. Per the project name, the goal is to make it so that the client only has to think about JSON. Having objects that are "almost JSON but not quite" is specifically what we're trying to avoid, even if they act like JSON in most situations. So I think adding a Would you be up for those changes? |
|
Sure! I'll get started on the rework as noted in my initial comment. However, I feel like there might be a bit of misunderstanding, so let me clarify one thing: the new "derived" thing will still generate output that is pure JSON. What the change does is integrate the special case for Does that make it more palatable? If not, I'm still happy to rework it as mentioned above. |
Oh, hmm, I seem to have tested it wrong yesterday; I'm getting something more like you described now. I suspect Parcel reused an old cache when I was testing. (I really should move us to |
| @@ -58,8 +59,15 @@ export const publicKeyCredentialWithAttestation: Schema = { | |||
| response: required({ | |||
| clientDataJSON: required(convert), | |||
| attestationObject: required(convert), | |||
| transports: derived( | |||
| copy, | |||
| (response: any) => response.getTransports?.() || [], | |||
There was a problem hiding this comment.
Review note: I was a little concerned that empty transports field might mess with the authentication prompt, but it doesn't seem to be an issue. I'm having trouble finding a place to back that up in the spec, though, so I'm just going off of Chrome/FirefoxSafari on macOS.
There was a problem hiding this comment.
The backing for this in the spec is in the definition of the getTransports() method: 🙂
These values are the transports that the authenticator is believed to support, or an empty sequence if the information is unavailable.
If the getTransports method doesn't exist, then the information is indeed not available, so I think this should be an appropriate fallback value.
See also the definition of navigator.credentials.get() - any credential descriptor with an empty transports member will simply not affect the distinctTransports variable being computed there.
|
Thank you too, I'm glad I could help! |
Includes github/webauthn-json#44, which passes through transports information Also updates parcel and adds some fixes for that
This is only possible since webauthn-json has recently implemented support for [passing this value](github/webauthn-json#44)
Fixes one part of #25 .
This includes and builds upon a related change in how
clientExtensionResultsare declared in the schema, by introducing aderivedoption for properties alongside the existingrequiredandoptional. I think this captures the idea a bit more cleanly, and it also allows some test inputs to definegetClientExtensionResults()instead of injecting aclientExtensionResultsproperty. Then the transports field works the same way using this new schema feature. Plumbing it through for the "extended' target gets a bit ugly, but... it's kind of okay I guess?If you don't agree with that change, I can drop it and rework the
transportsaddition to inject a new property in the same waycreateExtendedResponseToJSON()currently does forclientExtensionResultsfor example. The new tests should apply well enough in that case too.In case the client does not provide the
getTransports()method, the converter will fall back to returning an empty sequence. This is because the spec says clients are to return "[...] or an empty sequence if the information is unavailable", so that seems like a sensible fallback value (since the information is indeed unavailable).