From 43d517dbf65af064f35fb60e8500b34912de1a1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20K=C3=B6ssler?=
Date: Wed, 16 Oct 2024 16:02:40 +0200
Subject: [PATCH] WebAuthn: Improve error msg and add version check
---
 .../Security/WebAuthn/WebAuthnHelper.cs | 38 +++++++++++++++++--
 .../Security/WebAuthn/WebAuthnInterop.cs | 1 -
 2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/Guard.Core/Security/WebAuthn/WebAuthnHelper.cs b/Guard.Core/Security/WebAuthn/WebAuthnHelper.cs
index 5349bc1..47ef59b 100644
--- a/Guard.Core/Security/WebAuthn/WebAuthnHelper.cs
+++ b/Guard.Core/Security/WebAuthn/WebAuthnHelper.cs
@@ -7,7 +7,21 @@ public static class WebAuthnHelper
 {
 public static bool IsSupported()
 {
- return WebAuthnInterop.CheckApiAvailable();
+ bool apiAvailable = WebAuthnInterop.CheckApiAvailable();
+ if (!apiAvailable)
+ {
+ Log.Logger.Warning("WebAuthn API is not available on this platform.");
+ return false;
+ }
+
+ int version = GetApiVersion();
+ if (version < 4)
+ {
+ Log.Logger.Warning("WebAuthn API version {ApiVersion} is not supported.", version);
+ return false;
+ }
+
+ return true;
 }
 public static int GetApiVersion()
@@ -20,9 +34,17 @@ public static int GetApiVersion()
 string keyName
 )
 {
+ Log.Logger.Information(
+ "Registering WebAuthn device with Win32 WebAuthn api version {ApiVersion}",
+ GetApiVersion()
+ );
+
 if (!IsSupported())
 {
- return (false, "WebAuthn API is not available on this platform.");
+ return (
+ false,
+ "Either the WebAuthn API is not available on this platform or the version is not supported."
+ );
 }
 var challenge = EncryptionHelper.GetRandomBytes(32);
@@ -121,7 +143,11 @@ out var credential
 {
 if (!IsSupported())
 {
- return (false, "WebAuthn API is not available on this platform.", null);
+ return (
+ false,
+ "Either the WebAuthn API is not available on this platform or the version is not supported.",
+ null
+ );
 }
 webauthnDevices ??= Auth.GetWebAuthnDevices();
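Review bot: The minimum version in `if (version < 4)` inside IsSupported() is a bare literal, so nothing records which WebAuthn capability this gate protects. A named constant such as `private const int MinimumApiVersion = 4;`, with a one-line comment naming the feature that needs it (presumably the hmac-secret output checked later in this file; to be confirmed), would make the requirement auditable. The warning could then report the threshold as well: `Log.Logger.Warning("WebAuthn API version {ApiVersion} is below the required minimum {MinimumVersion}.", version, MinimumApiVersion);`.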
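Review bot: In the hunk at -20 the new `Log.Logger.Information(...)` call evaluates `GetApiVersion()` before the `if (!IsSupported())` guard, so on a machine without the WebAuthn API the version lookup runs first. The WebAuthnInterop.cs section of this patch shows that lookup ending in `?? throw new PlatformNotSupportedException(...)`, so registration may throw instead of returning the `(false, ...)` tuple; whether it does depends on the part of GetApiVersion() that lies outside the hunk. Moving the log statement below the guard keeps the graceful failure path. The method's signature and the rest of its body are outside the hunk.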
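Review bot: The message returned in the hunk at -121 repeats the literal introduced in the hunk at -20, and it merges two causes that IsSupported() already tells apart, so the caller cannot show the user which one applies. A single shared constant for that sentence, e.g. `private const string NotSupportedMessage`, would keep both returns in step. If the distinction matters to users, IsSupported() could expose the reason rather than only logging it. The enclosing method starts outside the hunk.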
@@ -187,7 +213,11 @@ out var assertion
 || assertion.HmacSecret.Second == null
 )
 {
- return (false, "HmacSecret is null", null);
+ return (
+ false,
+ "HmacSecret is null. This normally means that your device does not support the HMAC secret extension.",
+ null
+ );
 }
 if (
diff --git a/Guard.Core/Security/WebAuthn/WebAuthnInterop.cs b/Guard.Core/Security/WebAuthn/WebAuthnInterop.cs
index fff698d..a3f3b4b 100644
--- a/Guard.Core/Security/WebAuthn/WebAuthnInterop.cs
+++ b/Guard.Core/Security/WebAuthn/WebAuthnInterop.cs
@@ -25,7 +25,6 @@ public static int GetApiVersion()
 );
 }
 _apiVersion = WebAuthNGetApiVersionNumber();
- Log.Logger.Information("WebAuthn API version: {ApiVersion}", _apiVersion);
 }
 return _apiVersion ?? throw new PlatformNotSupportedException("Can not get WebAuthn API version.");
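Review bot: The `HmacSecret` null branch in WebAuthnHelper.cs (hunk at -187) returns the new message but writes nothing to the log, unlike the unsupported-platform paths this patch adds to IsSupported(). A line such as `Log.Logger.Warning("WebAuthn assertion did not contain an hmac-secret output.");` before the return would leave a trace for diagnosis without logging any secret material. The message could also name a credential registered without the extension as a second cause, if that can occur in this application (to be confirmed). The condition guarding this branch starts outside the hunk.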