Server: exception in webauthn failure scenario

Created on 11 Jun 2020 · 2 Comments · Source: nextcloud/server

I deliberately simulated an authentication failure scenario with the webAuthn login. I got thrown an HTTP 500. The success scenario works fine.

System info:

  • server OS: Debian 10 (buster)
  • dockerized: no
  • upgrade status: yes, from v18.0.6

Though it's a good thing that an unauthorized hardware device doesn't log you in, it should do so gracefully, not with HTTP 500.

I'm sorry I don't know how to pretty print this log line as a good stacktrace.
{"reqId":"wnwAPZ6cJ28Jqw4iEPh6","level":3,"time":"2020-06-11T18:29:14+00:00","remoteAddr":"[REDACTED]","user":"--","app":"index","method":"POST","url":"/login/webauthn/finish","message":{"Exception":"Exception","Message":"Argument 1 passed to OC\\Core\\Controller\\WebAuthnController::finishAuthentication() must be of the type string, null given, called in /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php on line 170","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":137,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\WebAuthnController"},"finishAuthentication"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\WebAuthnController","finishAuthentication",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.WebAuthn.finishAuthentication"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"_route":"core.WebAuthn.finishAuthentication"}]},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"_route":"core.WebAuthn.finishAuthentication"}]},{"file":"/var/www/nextcloud/lib/base.php","line":1007,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/login/webauthn/finish"]},{"file":"/var/www/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","Line":110,"Previous":{"Exception":"TypeError","Message":"Argument 1 passed to OC\\Core\\Controller\\WebAuthnController::finishAuthentication() must be of the type string, null given, called in /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php on line 170","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":170,"function":"finishAuthentication","class":"OC\\Core\\Controller\\WebAuthnController","type":"->","args":[null]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":100,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\WebAuthnController"},"finishAuthentication"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":137,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\WebAuthnController"},"finishAuthentication"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\WebAuthnController","finishAuthentication",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.WebAuthn.finishAuthentication"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"_route":"core.WebAuthn.finishAuthentication"}]},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"_route":"core.WebAuthn.finishAuthentication"}]},{"file":"/var/www/nextcloud/lib/base.php","line":1007,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/login/webauthn/finish"]},{"file":"/var/www/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/nextcloud/core/Controller/WebAuthnController.php","Line":96},"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0","version":"19.0.0.12"}

Labels: 0. Needs triage, bug

All 2 comments

Thanks for reporting :+1:

cc @rullzer @ChristophWurst

I think I know what might have happened. Google Chrome / Chromium gives a very nice visual error message when authentication failed and it probably gobbles up the actual request to the server.

[Screenshot from 2020-06-12 00-42-02]

I observed that the request to the server doesn't happen until the notification is dismissed. This doesn't happen on Firefox, it just sends the request.

What I think should be the approach here is:

  1. implement an error fallback flow - throw an error pop-up (at least on Firefox; it just stays there doing nothing, which might lead to a lot of unnecessary spam auth requests to the server)
  2. don't make a request to the server if the authentication on the client-side has already failed.
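The two halves of the fix sketched in the comment above, as an added example that is not Nextcloud's own code: on the client, the request to `/login/webauthn/finish` (the route from the log line) is only sent when the browser's credential ceremony resolves, and a rejection is shown to the user instead; on the server, the handler checks the posted field before it reaches a typed controller argument, so a missing or malformed assertion answers 400 and a failed verification answers 401 rather than a TypeError turning into a 500. The `data` field name, the `getCredential`/`postJson`/`verifyAssertion` callbacks (stand-ins for `navigator.credentials.get()`, `fetch()` and the relying party's signature check) and the base64url wire encoding are assumptions made for this illustration.

```javascript
// Added example, not Nextcloud code. Route path is from the issue's log line;
// the `data` field name and the injected callbacks are assumptions.
const FINISH_ROUTE = '/login/webauthn/finish';

// base64url (RFC 4648 §5, unpadded) is assumed to be what the server decodes.
function base64url(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Serialise a PublicKeyCredential assertion into a JSON string for the POST.
function encodeAssertion(credential) {
  const r = credential.response;
  return JSON.stringify({
    id: credential.id,
    type: credential.type,
    rawId: base64url(credential.rawId),
    response: {
      authenticatorData: base64url(r.authenticatorData),
      clientDataJSON: base64url(r.clientDataJSON),
      signature: base64url(r.signature),
      userHandle: r.userHandle ? base64url(r.userHandle) : null,
    },
  });
}

// Client side. `getCredential(options)` stands in for
// navigator.credentials.get(options) and `postJson(url, body)` for fetch(),
// so the flow can be exercised outside a browser. Nothing is sent on failure.
async function finishLogin(options, getCredential, postJson, showError) {
  let credential;
  try {
    credential = await getCredential(options);
  } catch (err) {
    // Authenticator refused / user cancelled / timeout: tell the user, no POST.
    showError(`Security key authentication failed: ${err.name}`);
    return { sent: false, reason: err.name };
  }
  if (!credential) { // get() may also resolve with null
    showError('No credential returned by the authenticator');
    return { sent: false, reason: 'NoCredential' };
  }
  const status = await postJson(FINISH_ROUTE, { data: encodeAssertion(credential) });
  return { sent: true, status };
}

// Server side. Validate the body before it reaches a `string`-typed argument:
// a missing or non-string field is a client error (400), not a crash (500).
function handleFinishAuthentication(body, verifyAssertion) {
  const data = body && body.data;
  if (typeof data !== 'string' || data.length === 0) {
    return { status: 400, body: { message: 'Missing WebAuthn assertion' } };
  }
  let assertion;
  try {
    assertion = JSON.parse(data);
  } catch (_e) {
    return { status: 400, body: { message: 'Malformed WebAuthn assertion' } };
  }
  // verifyAssertion(assertion) is the relying party's challenge/signature
  // check (assumed to return a boolean); a failed check is 401, never 500.
  return verifyAssertion(assertion)
    ? { status: 200, body: { message: 'ok' } }
    : { status: 401, body: { message: 'Authentication failed' } };
}
```

In a real deployment the 400/401 responses are also what the login page should render as the "error fallback" the comment asks for, and the server log line for a failed assertion should then be a warning about a rejected credential rather than an uncaught exception.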