From 8e7eeab2931461081c5231939a3e1b882bf0f2b3 Mon Sep 17 00:00:00 2001
From: Mathijs van Veluw <black.dex@gmail.com>
Date: Sun, 10 Aug 2025 19:07:05 +0200
Subject: [PATCH] Fix WebauthN issue with Software Keys (#6168)

The check if the token used was a known valid token also checked if it needed to be updated.
This check caused always caused an issue with tokens which do not need or want to be updated.

Since the cred_ids are already checked and deemed valid we only need to check if there is an updated needed.
Their already is a function for this `update_credential`, which returns `Some(true)` if this was the case.
So, only update the records if that is the case, else do not update anything.

Also, used constant time compare to check and validate the cred_id's.

Fixes #6154

Signed-off-by: BlackDex <black.dex@gmail.com>
---
 src/api/core/two_factor/webauthn.rs | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/api/core/two_factor/webauthn.rs b/src/api/core/two_factor/webauthn.rs
index 51e66b97..049145e0 100644
--- a/src/api/core/two_factor/webauthn.rs
+++ b/src/api/core/two_factor/webauthn.rs
@@ -4,6 +4,7 @@ use crate::{
         EmptyResult, JsonResult, PasswordOrOtpData,
     },
     auth::Headers,
+    crypto::ct_eq,
     db::{
         models::{EventType, TwoFactor, TwoFactorType, UserId},
         DbConn,
@@ -434,12 +435,14 @@ pub async fn validate_webauthn_login(
     let authentication_result = webauthn.finish_securitykey_authentication(&rsp, &state)?;
 
     for reg in &mut registrations {
-        if reg.credential.cred_id() == authentication_result.cred_id() && authentication_result.needs_update() {
-            reg.credential.update_credential(&authentication_result);
-
-            TwoFactor::new(user_id.clone(), TwoFactorType::Webauthn, serde_json::to_string(&registrations)?)
-                .save(conn)
-                .await?;
+        if ct_eq(reg.credential.cred_id(), authentication_result.cred_id()) {
+            // If the cred id matches and the credential is updated, Some(true) is returned
+            // In those cases, update the record, else leave it alone
+            if reg.credential.update_credential(&authentication_result) == Some(true) {
+                TwoFactor::new(user_id.clone(), TwoFactorType::Webauthn, serde_json::to_string(&registrations)?)
+                    .save(conn)
+                    .await?;
+            }
             return Ok(());
         }
     }