WebAuthn: Improve error msg and add version check

timokoessler · Oct 16, 2024 · 43d517d · 43d517d
1 parent 9a956b3
commit 43d517d
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 5 deletions.
diff --git a/Guard.Core/Security/WebAuthn/WebAuthnHelper.cs b/Guard.Core/Security/WebAuthn/WebAuthnHelper.cs
@@ -7,7 +7,21 @@ public static class WebAuthnHelper
     {
         public static bool IsSupported()
         {
-            return WebAuthnInterop.CheckApiAvailable();
+            bool apiAvailable = WebAuthnInterop.CheckApiAvailable();
+            if (!apiAvailable)
+            {
+                Log.Logger.Warning("WebAuthn API is not available on this platform.");
+                return false;
+            }
+
+            int version = GetApiVersion();
+            if (version < 4)
+            {
+                Log.Logger.Warning("WebAuthn API version {ApiVersion} is not supported.", version);
+                return false;
+            }
+
+            return true;
         }
 
         public static int GetApiVersion()
@@ -20,9 +34,17 @@ public static int GetApiVersion()
             string keyName
         )
         {
+            Log.Logger.Information(
+                "Registering WebAuthn device with Win32 WebAuthn api version {ApiVersion}",
+                GetApiVersion()
+            );
+
             if (!IsSupported())
             {
-                return (false, "WebAuthn API is not available on this platform.");
+                return (
+                    false,
+                    "Either the WebAuthn API is not available on this platform or the version is not supported."
+                );
             }
 
             var challenge = EncryptionHelper.GetRandomBytes(32);
@@ -121,7 +143,11 @@ out var credential
         {
             if (!IsSupported())
             {
-                return (false, "WebAuthn API is not available on this platform.", null);
+                return (
+                    false,
+                    "Either the WebAuthn API is not available on this platform or the version is not supported.",
+                    null
+                );
             }
 
             webauthnDevices ??= Auth.GetWebAuthnDevices();
@@ -187,7 +213,11 @@ out var assertion
                     || assertion.HmacSecret.Second == null
                 )
                 {
-                    return (false, "HmacSecret is null", null);
+                    return (
+                        false,
+                        "HmacSecret is null. This normally means that your device does not support the HMAC secret extension.",
+                        null
+                    );
                 }
 
                 if (

diff --git a/Guard.Core/Security/WebAuthn/WebAuthnInterop.cs b/Guard.Core/Security/WebAuthn/WebAuthnInterop.cs
@@ -25,7 +25,6 @@ public static int GetApiVersion()
                     );
                 }
                 _apiVersion = WebAuthNGetApiVersionNumber();
-                Log.Logger.Information("WebAuthn API version: {ApiVersion}", _apiVersion);
             }
             return _apiVersion
                 ?? throw new PlatformNotSupportedException("Can not get WebAuthn API version.");