webauthn: Unexpected RpIdHash

I am implementing WebAuthn in a Chrome extension. Registration works, but authentication fails with Unexpected RpIdHash: foo vs bar

client:

async function authenticate() {
    const challenge = await ky
        .create({ prefixUrl: process.env.API_URL, credentials: 'include' })
        .post('auth/challenge', { json: { username: 'testuser' } })
        .json<{ challenge: string; id?: string }>();

    const authentication = await client.authenticate(challenge.id ? [challenge.id] : [], challenge.challenge, {
        authenticatorType: 'auto',
        userVerification: 'required',
        mediation: 'required',
        timeout: 60000,
        debug: false,
    });

    await ky
        .create({ prefixUrl: process.env.API_URL, credentials: 'include' })
        .post('auth/login', { json: { authentication } })
        .json<{ message: string }>();
}

server:

  const authentication = req.body.authentication as AuthenticationEncoded

  const credential = await db.credential.findUniqueOrThrow({ where: { credentialId: authentication.credentialId } })

  await server.verifyAuthentication(
    authentication,
    {
      id: credential.credentialId,
      algorithm: credential.algorithm,
      publicKey: credential.publicKey,
    },
    {
      challenge: req.signedCookies.challenge,
      origin: 'chrome-extension://id',
      userVerified: false,
      verbose: true,
    },
  )

About this issue

  • State: closed
  • Created 3 months ago
  • Comments: 15

Most upvoted comments

Solved in v1.6.0. You can now override rp:{id:..., name:...} in the registration options
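
Added example (not part of the issue thread or the library's code): the first 32 bytes of WebAuthn authenticator data are the SHA-256 of the RP ID the authenticator signed for, so hashing candidate RP IDs and comparing shows which value the client actually used. The function names, the sample RP IDs and the assumption that the authenticator data arrives base64url-encoded are all illustrative.

```javascript
// Diagnostic sketch for an "Unexpected RpIdHash" error. Node.js, no dependencies.
const { createHash } = require('node:crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest();

// WebAuthn authenticator data layout: rpIdHash[32] | flags[1] | signCount[4] | ...
function parseAuthenticatorData(b64url) {
  const data = Buffer.from(b64url, 'base64url');
  if (data.length < 37) {
    throw new Error(`authenticatorData too short: ${data.length} bytes`);
  }
  const flags = data[32];
  return {
    rpIdHash: data.subarray(0, 32),
    userPresent: (flags & 0x01) !== 0,  // UP bit
    userVerified: (flags & 0x04) !== 0, // UV bit
    signCount: data.readUInt32BE(33),
  };
}

// Returns the candidate RP ID whose hash matches the signed rpIdHash, or null
// when none matches (the RP ID in use is something not in the list).
function findSignedRpId(authenticatorDataB64url, candidates) {
  const { rpIdHash } = parseAuthenticatorData(authenticatorDataB64url);
  return candidates.find((id) => sha256(id).equals(rpIdHash)) ?? null;
}

// Constructed sample: authenticator data signed for RP ID "api.example.test",
// flags UP+UV (0x05), signCount 7. Not captured from a real authenticator.
const SAMPLE_AUTH_DATA = Buffer.concat([
  sha256('api.example.test'),
  Buffer.from([0x05, 0x00, 0x00, 0x00, 0x07]),
]).toString('base64url');

// Constructed candidates: a placeholder extension ID and a backend hostname.
const CANDIDATES = ['abcdefghijklmnopabcdefghijklmnop', 'api.example.test'];

console.log('RP ID signed by the authenticator:',
  findSignedRpId(SAMPLE_AUTH_DATA, CANDIDATES));
console.log('Flags and counter:', (({ rpIdHash, ...rest }) => rest)(
  parseAuthenticatorData(SAMPLE_AUTH_DATA)));
```

Whichever candidate matches is the value the server-side check has to expect; a `null` result means the RP ID used at registration or authentication is not among the candidates tried.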