Passkeys: Do not ask update with a new user handle

2024-10-01 01:26:01 -04:00 · 2024-03-12 20:21:11 +02:00 · 2024-03-12 20:21:11 +02:00 · 8a4787278d
commit 8a4787278d
parent 9329df2b48
2 changed files with 22 additions and 4 deletions
--- a/src/browser/BrowserService.cpp
+++ b/src/browser/BrowserService.cpp
@ -633,12 +633,15 @@ QJsonObject BrowserService::showPasskeysRegisterPrompt(const QJsonObject& public
    const auto rpId = publicKeyOptions["rp"]["id"].toString();
    const auto timeout = publicKeyOptions["timeout"].toInt();
    const auto username = credentialCreationOptions["user"].toObject()["name"].toString();
+    const auto user = credentialCreationOptions["user"].toObject();
+    const auto userId = user["id"].toString();

    // Parse excludeCredentialDescriptorList
    if (!excludeCredentials.isEmpty() && isPasskeyCredentialExcluded(excludeCredentials, rpId, keyList)) {
        return getPasskeyError(ERROR_PASSKEYS_CREDENTIAL_IS_EXCLUDED);
    }
-    const auto existingEntries = getPasskeyEntries(rpId, keyList);
+
+    const auto existingEntries = getPasskeyEntriesWithUserHandle(rpId, userId, keyList);

    raiseWindow();
    BrowserPasskeysConfirmationDialog confirmDialog;
@ -654,9 +657,6 @@ QJsonObject BrowserService::showPasskeysRegisterPrompt(const QJsonObject& public
        }

        const auto rpName = publicKeyOptions["rp"]["name"].toString();
-        const auto user = credentialCreationOptions["user"].toObject();
-        const auto userId = user["id"].toString();
-
        if (confirmDialog.isPasskeyUpdated()) {
            addPasskeyToEntry(confirmDialog.getSelectedEntry(),
                              rpId,
@ -1347,6 +1347,22 @@ QList<Entry*> BrowserService::getPasskeyEntries(const QString& rpId, const Strin
    return entries;
 }

+// Returns all Passkey entries for the current Relying Party and identical user handle
+QList<Entry*> BrowserService::getPasskeyEntriesWithUserHandle(const QString& rpId,
+                                                              const QString& userId,
+                                                              const StringPairList& keyList)
+{
+    QList<Entry*> entries;
+    for (const auto& entry : searchEntries(rpId, "", keyList, true)) {
+        if (entry->hasPasskey() && entry->attributes()->value(BrowserPasskeys::KPEX_PASSKEY_RELYING_PARTY) == rpId
+            && entry->attributes()->value(BrowserPasskeys::KPEX_PASSKEY_USER_HANDLE) == userId) {
+            entries << entry;
+        }
+    }
+
+    return entries;
+}
+
 // Get all entries for the site that are allowed by the server
 QList<Entry*> BrowserService::getPasskeyAllowedEntries(const QJsonObject& assertionOptions,
                                                       const QString& rpId,
--- a/src/browser/BrowserService.h
+++ b/src/browser/BrowserService.h
@ -184,6 +184,8 @@ private:
 #ifdef WITH_XC_BROWSER_PASSKEYS
    QList<Entry*> getPasskeyEntries(const QString& rpId, const StringPairList& keyList);
    QList<Entry*>
+    getPasskeyEntriesWithUserHandle(const QString& rpId, const QString& userId, const StringPairList& keyList);
+    QList<Entry*>
    getPasskeyAllowedEntries(const QJsonObject& assertionOptions, const QString& rpId, const StringPairList& keyList);
    bool isPasskeyCredentialExcluded(const QJsonArray& excludeCredentials,
                                     const QString& rpId,