Incorporate Bitwarden FIDO SDK/passkey-rs changes #2190
Conversation
|
Great job! No new security vulnerabilities introduced in this pull request |
## 🎟️ Tracking [PM-17241](https://bitwarden.atlassian.net/browse/PM-17241) ## 📔 Objective This updates the SDK to point to a new version of our passkey-rs fork that has been synced with upstream. (The remaining differences between upstream and our fork are documented in the README of our fork.) If approved, we should update `passkey-rs`'s `main` branch to point to the version referenced in this PR (bitwarden/passkey-rs@2e5c0ba). ## 🚨 Breaking Changes - `is_user_verification_enabled()` is no longer asynchronous. Clients should implement any dynamic checks for UV availability in the `check_user()` implementation. - `user_handle has been added to the `find_credential()` method as an optional parameter. If the incoming request contains the user handle, then clients should pass it on. Otherwise, pass a `null` value, and the previous behavior. iOS PR: bitwarden/ios#2190 [PM-17241]: https://bitwarden.atlassian.net/browse/PM-17241?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
| return false | ||
| case .preferred: | ||
| return await fido2UserVerificationMediator.isPreferredVerificationEnabled() | ||
| return true |
There was a problem hiding this comment.
❓ Why does this return true at all times now?
There was a problem hiding this comment.
Good question. This part of the class is in fulfillment of the PasskeyAuthenticator trait from passkey-rs. That is intended to be a static configuration for whether user verification would ever be available for an authenticator, not whether it's available for this specific call. (It essentially enables an early return from the library for processing UV.) Cf 1Password/passkey-rs#74 (comment)
This dynamic call should instead deferred to the checkUser() function, which we're still doing in checkEnforceRequiredVerification() at L234 (called from checkUser() at L144)
There was a problem hiding this comment.
Oh alright, have you tested that the flows keep working as expected for .preferred UV? Particularly with session timeout -> Never.
If so, given that's the case then in the same file this should be removed alongside with their calls as part of this change as they're not needed anymore and just were there to workaround having UV in isVerificationEnabled which was a wrong assumption:
private var userVerificationPreference: Uv? (code)
func setupCurrentUserVerificationPreference(userVerificationPreference: Uv) (code)
🎟️ Tracking
PM-17241
Depends on bitwarden/sdk-internal#606.
📔 Objective
This addresses the breaking changes introduced by syncing our fork of passkey-rs with upstream.
⏰ Reminders before review
🦮 Reviewer guidelines
:+1:) or similar for great changes:memo:) or ℹ️ (:information_source:) for notes or general info:question:) for questions:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes