From 33c0a2c219fdf4136d634b7ef5847c48eaf36eea Mon Sep 17 00:00:00 2001
From: Sean Liao
Date: Sat, 9 Nov 2024 21:48:50 +0000
Subject: [PATCH] fix(webauthn): SessionData.UserID empty checks

Using the candidate json/v2 encoder https://github.com/go-json-experiment/json SessionData doesn't roundtrip properly through json as an empty []byte is encoded as "". Use len(field) == 0 instead of nil checks to be more resilient.
---
 webauthn/login.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webauthn/login.go b/webauthn/login.go
index 89ff5f87..2132c8db 100644
--- a/webauthn/login.go
+++ b/webauthn/login.go
@@ -211,11 +211,11 @@ func (webauthn *WebAuthn) ValidateDiscoverableLogin(handler DiscoverableUserHand
 // ValidatePasskeyLogin is an overloaded version of ValidateLogin that allows for passkey credentials.
 func (webauthn *WebAuthn) ValidatePasskeyLogin(handler DiscoverableUserHandler, session SessionData, parsedResponse *protocol.ParsedCredentialAssertionData) (user User, credential *Credential, err error) {
-	if session.UserID != nil {
+	if len(session.UserID) != 0 {
 		return nil, nil, protocol.ErrBadRequest.WithDetails("Session was not initiated as a client-side discoverable login")
 	}
-	if parsedResponse.Response.UserHandle == nil {
+	if len(parsedResponse.Response.UserHandle) == 0 {
 		return nil, nil, protocol.ErrBadRequest.WithDetails("Client-side Discoverable Assertion was attempted with a blank User Handle")
 	}
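Review bot: The reason the new `len(session.UserID) != 0` line replaces a nil check exists only in the commit message, so a later reader comparing it with the nil-based checks elsewhere in the package could "tidy" it back and silently reintroduce the round-trip problem; a comment above the line would pin it: `// Check length, not nil: some JSON encoders (e.g. json/v2) round-trip an empty []byte as "" rather than null, so a discoverable-login session may carry a non-nil, empty UserID.` The same note applies to the `len(parsedResponse.Response.UserHandle) == 0` line a few lines down, which guards a client-supplied value. Since that check now reasons about length, it is also the natural place to reject oversized handles (the WebAuthn spec bounds user handles at 64 bytes) before the value reaches the handler, unless code later in the function already enforces that. ValidatePasskeyLogin's body continues past the end of this hunk.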