Should challenge.issued_at use unix time?

[woylie]

I noticed that the issued_at value in Wax.Challenge is set using :erlang.monotonic_time/1. Is there a reason for this choice? It seems a bit problematic to me, since:

1. This value is monotonically increasing, but not strictly monotonically increasing. Consecutive calls can produce the same result.
2. The produced value is not the same on different runtime instances. If a challenge is generated on one node, stored in a session, and the verification happens to be handled on a different node, the timeout detection may fail.

Shouldn't the value be the unix time instead? Also, the timeouts in the WebAuthn specification are defined in milliseconds. I think it would be good to use millisecond values in the library as well, to avoid confusion. So in short, DateTime.to_unix(DateTime.utc_now(), :millisecond).

[tanguilp]

I think I did it this way for some security reasons: bad actors can succeed in changing the UNIX time (hacking NTP, changing the time on the OS...) and make an expired challenge valid again.

Now, this is probably overstretched as an attack scenario, and the issue with different nodes is real. We probably need to change that as you suggest.

Which issue do you have exactly?

[woylie]

I have an implementation where the authenticator response is submitted with a POST request on a controller route. The challenge is stored in a session cookie. In a multi-node deployment, I cannot guarantee that this request is made on the same node that generated the session.

[tanguilp]

Ok so this needs to be changed. Going to fix it this WE, check out for a new version on Monday.

Until then, have a good WE!

[tanguilp]

Feel free to check and comment #39

[woylie]

Thank you for the quick release!