fix: passwordless login form leaks information about users

Part of story #33005 login with only my passkey

The login form leaks information about who has registered a passkey or not. To prevent that, when a user has no passkey, the form sends a false key, then the authentication check will fail.

*Testing:* Try to authenticate with a user with no passkey: it will ask to use one, send the result to the server and fail authentication. For users with a registered passkey nothing changes.

Change-Id: I3a3df2028af44de23aae88d58a3194ff7858412f

Modified Files

M src/common/WebAuthn/Controllers/PostAuthenticationChallengeController.php +12 −4
M tests/unit/common/WebAuthn/Controllers/PostAuthenticationChallengeControllerTest.php +2 −2
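The approach the commit message describes (answer with a false key when the user has no passkey, then let verification fail) can be sketched as follows. This is an added example, not the project's code: the function names, the `$decoySecret` parameter and the sample users are assumptions. It goes one step beyond the message by deriving the false key from the username, so repeated requests for the same user return the same value.

```php
<?php
declare(strict_types=1);

// base64url without padding, the encoding WebAuthn uses for credential IDs in JSON.
function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Build allowCredentials for a login challenge. $registered holds the raw
// credential IDs stored for the user; it is empty for users without a passkey.
// $decoySecret is a server-side key (hypothetical name) that never leaves the server.
function allowCredentialsFor(string $username, array $registered, string $decoySecret): array
{
    if ($registered === []) {
        // No passkey: answer with a fake ID instead of an empty list or an error.
        // HMAC over the username keeps it stable per user and unguessable.
        // Assumption: real credential IDs in this deployment are also 32 bytes.
        $registered = [hash_hmac('sha256', 'decoy:' . $username, $decoySecret, true)];
    }
    return array_map(
        static fn (string $id): array => ['type' => 'public-key', 'id' => b64url($id)],
        $registered
    );
}

// Verification side: a decoy ID is stored nowhere, so the lookup fails and the
// caller returns the same generic failure as for a bad signature.
function isKnownCredential(string $rawId, array $registered): bool
{
    foreach ($registered as $id) {
        if (hash_equals($id, $rawId)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: alice has one passkey, bob has none.
$secret = random_bytes(32);
$store  = ['alice' => [random_bytes(32)], 'bob' => []];

foreach ($store as $user => $ids) {
    $first  = allowCredentialsFor($user, $ids, $secret);
    $second = allowCredentialsFor($user, $ids, $secret);
    printf("%s: %d credential(s), id length %d, stable=%s\n",
        $user, count($first), strlen($first[0]['id']), var_export($first === $second, true));
}
// An assertion that names bob's decoy ID is rejected like any unknown credential.
$decoy = hash_hmac('sha256', 'decoy:bob', $secret, true);
var_dump(isKnownCredential($decoy, $store['bob']));
```

Both users produce a challenge of the same shape, and the failure for the decoy is indistinguishable from any other failed assertion as long as the controller returns one generic error for both cases.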