feat!: backup flag validation (#240)

This adds additional support for level 3 ensuring the backup flags match desired known good configurations. BREAKING CHANGE: This breaks implementations which do not strictly adhere to the specification. Several major providers either have or are currently "upgrading" existing WebAuthn credential records to BE and BS passkeys. Co-authored-by: zahra.keshtkar <[email protected]>
go-webauthn · May 28, 2024 · 2195f33 · 2195f33
1 parent c99e7a7
commit 2195f33
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/webauthn/login.go b/webauthn/login.go
@@ -307,8 +307,16 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
 
 	// Handle step 17.
 	loginCredential.Authenticator.UpdateCounter(parsedResponse.Response.AuthenticatorData.Counter)
+	// Check if the BackupEligible flag has changed.
+	if loginCredential.Flags.BackupEligible != parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() {
+		return nil, protocol.ErrBadRequest.WithDetails("BackupEligible flag inconsistency detected during login validation")
+	}
+
+	// Check for the invalid combination BE=0 and BS=1.
+	if !parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() && parsedResponse.Response.AuthenticatorData.Flags.HasBackupState() {
+		return nil, protocol.ErrBadRequest.WithDetails("Invalid flag combination: BE=0 and BS=1")
+	}
 
-	// TODO: The backup eligible flag shouldn't change. Should decide if we want to error if it does.
 	// Update flags from response data.
 	loginCredential.Flags.UserPresent = parsedResponse.Response.AuthenticatorData.Flags.HasUserPresent()
 	loginCredential.Flags.UserVerified = parsedResponse.Response.AuthenticatorData.Flags.HasUserVerified()