1 Commit (5760ade3258ae92fc855430f5cd45211c8486d33)
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 5760ade325 | Fix and harden the passkey login implementation | 2 weeks ago |

- Wire key rotation to re-encrypt each passkey's PRF keys, with a superset check in validate_keydata so a passkey can't be left stale.
- Persist signature-counter updates and rotated PRF keys with column-scoped writes, avoiding a broad full-row credential update.
- Compute prfStatus as the full WebAuthnPrfStatus instead of a 1/0 placeholder.
- Move the login challenge from an in-memory cache to a DB-backed table with a scheduled cleanup job.
- Use webauthn-rs's discoverable-credential API instead of the JSON state-injection workaround.
- Make challenge consumption single-use, rate-limit assertion-options, and return a single generic auth-failure message.
- Honor SSO_ONLY at every passkey entry point: login grant, enrollment, refresh, and the unauthenticated assertion-options challenge.
- Migrations: real MySQL foreign key and indexes.
- Add prfStatus unit tests; codebase-consistency pass.