Error prone toUint8Array method

I’ve found that the toUint8Array method treats its input as an ASCII string: https://github.com/MasterKale/SimpleWebAuthn/blob/bc9ad0f68fc49c4ac23cd22428248faa26d3f9b6/packages/browser/src/helpers/toUint8Array.ts#L6

It is impossible to change the transformation of the challenge on the client:

  1. Attestation https://github.com/MasterKale/SimpleWebAuthn/blob/bc9ad0f68fc49c4ac23cd22428248faa26d3f9b6/packages/browser/src/methods/startAttestation.ts#L27
  2. Assertion https://github.com/MasterKale/SimpleWebAuthn/blob/bc9ad0f68fc49c4ac23cd22428248faa26d3f9b6/packages/browser/src/methods/startAssertion.ts#L27

What’s wrong?

First: challenge verification will fail if the challenge string contains a non-ASCII character. For example: abcж. Yep, ж occupies 2 bytes.

const value = 'abcж';

// Each character yields one UTF-16 code unit; Uint8Array keeps only the low 8 bits,
// so 'ж' (U+0436) silently becomes 0x36, which is the character '6'.
const array = Uint8Array.from(value, c => c.charCodeAt(0));
const string = String.fromCharCode.apply(null, array);

// 'abcж' !== 'abc6'
console.log(value !== string); // true

Second: user may want to transfer challenge from server in different format:

  • ASCII string - current assumption
  • HEX string - I prefer this format
  • OCTET string
  • base64 or base64url strings
  • and so on

So it would be better to allow the user to configure the challenge encoding, or to move the conversion and the appropriate helper(s) to userland instead of hard-coding them into the lib.
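To make the two points above concrete, here is an added example (written for this page, not code from SimpleWebAuthn or from PR #42): it puts the lossy charCodeAt-based conversion next to encoding-aware decoders for UTF-8, hex and base64url, and wires them into a small lookup keyed by the encoding the server says it used. The function names (asciiToUint8Array, utf8ToUint8Array, hexToUint8Array, base64urlToUint8Array, decodeChallenge) and the challengeDecoders table are assumptions for illustration only; the library's real fix may look different.

```javascript
// Added example, not SimpleWebAuthn's code. Shows why a one-code-unit-per-byte
// conversion corrupts non-ASCII challenges, and what encoding-aware decoders
// look like when the server and client agree on the challenge encoding.

// 1. The lossy conversion from the issue: charCodeAt() yields a 16-bit UTF-16
//    code unit and Uint8Array keeps only its low 8 bits, so U+0436 -> 0x36 ('6').
function asciiToUint8Array(value) {
  return Uint8Array.from(value, (c) => c.charCodeAt(0));
}

// 2. UTF-8 aware: 'ж' becomes the two bytes D0 B6 and round-trips losslessly.
function utf8ToUint8Array(value) {
  return new TextEncoder().encode(value);
}
function uint8ArrayToUtf8(bytes) {
  return new TextDecoder().decode(bytes);
}

// 3. Hex: the server sends the raw challenge bytes as a hex string.
//    Reject odd lengths and non-hex characters instead of guessing.
function hexToUint8Array(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error('challenge is not a valid hex string');
  }
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return out;
}

// 4. base64url (RFC 4648 section 5): translate to standard base64, restore
//    padding, then decode. atob() is used in browsers; Buffer in Node.js.
function base64urlToUint8Array(b64url) {
  const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const binary = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
  // Here every character is a single byte (0..255), so charCodeAt is lossless.
  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
}

// Hypothetical lookup of decoders by the encoding the server advertises.
const challengeDecoders = {
  ascii: asciiToUint8Array,      // kept only to show the lossy behaviour
  utf8: utf8ToUint8Array,
  hex: hexToUint8Array,
  base64url: base64urlToUint8Array,
};

// Hypothetical userland helper: the caller picks the encoding explicitly,
// and an unknown encoding fails loudly rather than silently corrupting bytes.
function decodeChallenge(challenge, encoding = 'utf8') {
  const decode = challengeDecoders[encoding];
  if (!decode) {
    throw new Error(`unsupported challenge encoding: ${encoding}`);
  }
  return decode(challenge);
}

// Constructed sample input: the 'abcж' case from the issue.
const sample = 'abcж';
console.log(uint8ArrayToUtf8(asciiToUint8Array(sample)));          // 'abc6' (corrupted)
console.log(uint8ArrayToUtf8(utf8ToUint8Array(sample)));           // 'abcж' (intact)
console.log(Array.from(decodeChallenge('YWJj0LY', 'base64url')));  // [97, 98, 99, 208, 182]
```

The practical consequence of the lossy path is that the bytes the authenticator signs are not the bytes the server generated, so verification fails for any challenge containing a character above U+00FF; making the encoding an explicit parameter removes that mismatch and turns a malformed challenge into an immediate error instead of a silent corruption.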

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 28 (16 by maintainers)

Top GitHub Comments

1 reaction
MasterKale commented, Jul 31, 2020

PR #42 has been merged in with a fix for this issue. It is available in the newly released v0.8.0.

1 reaction
MasterKale commented, Jul 30, 2020

@mahnunchik #42 is the PR containing my tentative solution to this issue. Fortunately it’s not as breaking a change as I described earlier, and more importantly it manages a variety of values for challenge including ascii strings, utf-8 strings, and crypto.randomBytes(64).

And for good measure I hand-checked the values being passed to authenticators by startAttestation()/startAssertion() to confirm that they were the actual strings/buffers I was passing in as challenge to generateAttestationOptions() and generateAssertionOptions() respectively.
