Base64-encode usernameless usernames for transport

passwordless-lib · Mar 12, 2023 · 12e0337 · 12e0337
1 parent 0727dd4
commit 12e0337
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/BlazorWasmDemo/Client/Shared/UserService.cs b/BlazorWasmDemo/Client/Shared/UserService.cs
@@ -1,6 +1,7 @@
 namespace BlazorWasmDemo.Client.Shared;
 
 using System.Net.Http.Json;
+using System.Text;
 using System.Text.Json;
 using Fido2.BlazorWebAssembly;
 using Fido2NetLib;
@@ -88,7 +89,7 @@ public async Task<string> RegisterAsync(string? username, string? displayName =
         }
 
         // Build the route to register the credentials
-        var routeCreds = $"{_routeUser}/{username ?? options.User.Name}/{_routeRegister}";
+        var routeCreds = $"{_routeUser}/{username ?? Convert.ToBase64String(Encoding.UTF8.GetBytes(options.User.Name))}/{_routeRegister}";
 
         try
         {

diff --git a/BlazorWasmDemo/Server/Controllers/UserController.cs b/BlazorWasmDemo/Server/Controllers/UserController.cs
@@ -1,5 +1,6 @@
 namespace BlazorWasmDemo.Server.Controllers;
 
+using System.Diagnostics;
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
 using System.Text;
@@ -55,6 +56,7 @@ public CredentialCreateOptions GetCredentialOptions([FromRoute] string? username
     {
         try
         {
+            var key = username;
             if (string.IsNullOrEmpty(username))
             {
                 var created = DateTime.UtcNow;
@@ -68,7 +70,9 @@ public CredentialCreateOptions GetCredentialOptions([FromRoute] string? username
                     // Less precise but nicer for user if there's a displayName set anyway
                     username = $"{displayName} (Usernameless user created {created.ToShortDateString()})";
                 }
+                key = Convert.ToBase64String(Encoding.UTF8.GetBytes(username));
             }
+            Debug.Assert(key != null); // If it was null before, it was set to the base64 value. Analyzer doesn't understand this though.
 
             // 1. Get user from DB by username (in our example, auto create missing users)
             var user = _demoStorage.GetOrAddUser(username, () => new Fido2User
@@ -107,7 +111,7 @@ public CredentialCreateOptions GetCredentialOptions([FromRoute] string? username
                 );
 
             // 5. Temporarily store options, session/in-memory cache/redis/db
-            _pendingCredentials[username] = options;
+            _pendingCredentials[key] = options;
 
             // 6. return options to client
             return options;
@@ -121,7 +125,7 @@ public CredentialCreateOptions GetCredentialOptions([FromRoute] string? username
     /// <summary>
     /// Creates a new credential for a user.
     /// </summary>
-    /// <param name="username">Use options.User.Name from the create options object received by a call to "/credential-options", even when called usernameless.</param>
+    /// <param name="username">Username of registering user. If usernameless, use base64 encoded options.User.Name from the credential-options used to create the credential.</param>
     /// <param name="attestationResponse"></param>
     /// <param name="cancellationToken"></param>
     /// <returns>a string containing either "OK" or an error message.</returns>