From 568a287850185a2f43cf337098ad4b906122f94b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?=
Date: Thu, 19 Nov 2020 13:59:23 +0200
Subject: [PATCH] Fix WebAuthn registration to use random bytes for user handle

User handle is used in a username-less authentication, to map a credential
received from browser with an user account in the database.
Since we only use security keys as a second factor,
the user handle is not of much use to us.

The user handle:
- must not be blank,
- must not be a constant value,
- must not contain personally identifiable information.
So we use random bytes, and don't store them on our end.
---
 hc/accounts/views.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/hc/accounts/views.py b/hc/accounts/views.py
index 86e9baee..fe77e900 100644
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@@ -1,5 +1,6 @@
 import base64
 from datetime import timedelta as td
+from secrets import token_bytes
 from urllib.parse import urlparse
 import uuid
 
@@ -616,9 +617,19 @@ def add_credential(request):
         return redirect("hc-profile")
 
     credentials = [c.unpack() for c in request.user.credentials.all()]
+    # User handle is used in a username-less authentication, to map a credential
+    # received from browser with an user account in the database.
+    # Since we only use security keys as a second factor,
+    # the user handle is not of much use to us.
+    #
+    # The user handle:
+    # - must not be blank,
+    # - must not be a constant value,
+    # - must not contain personally identifiable information.
+    # So we use random bytes, and don't store them on our end:
     options, state = FIDO2_SERVER.register_begin(
         {
-            "id": token_bytes(16),
+            "id": token_bytes(16),
             "name": request.user.email,
             "displayName": request.user.email,
         },
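Review bot: The comment above `register_begin` should state the consequence of discarding the handle: because nothing on the server remembers the 16 random bytes, the login path must never use the `userHandle` an authenticator may return in an assertion to select or verify the account, only the credential id, so I would append `# NOTE: the handle is never persisted, so the userHandle returned during assertion must be ignored — lookup is by credential id only.` to the comment block. A second, usability-level effect worth a line in the same comment is that an authenticator which stores discoverable (resident) credentials keys them by rp.id plus user.id, so a fresh random id on every registration creates a new entry per registration instead of overwriting the previous one; whether resident keys are requested depends on the FIDO2_SERVER configuration, which is outside this hunk. The value itself is fine: `token_bytes(16)` is opaque, non-constant, carries no PII and is well under WebAuthn's 64-byte limit on `user.id`. Minor wording in the added comment: `with an user account` should read `with a user account`. `add_credential` continues past the end of the hunk.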