This repository has been archived by the owner on Jan 22, 2023. It is now read-only.

Invalid Base 64 Url Safe character. #28

Open
PhilETaylor opened this issue Aug 30, 2022 · 3 comments

PhilETaylor commented Aug 30, 2022

On login recently I'm getting errors about `Invalid Base 64 Url Safe character`

Note the issue is intermittent because not every string encoded by this lib will result in a string with banned chars in it. The example below is a good example where each string ends in a = which is invalid for a base64url

This was all working well, until a few days ago when one of the web-auth libs upgraded.

On inspecting the signed request I note that the values are base64 encoded and not base64url encoded... (evidenced by appended equals signs which are invalid for base64url encoded)

```json
{
  "id": "QRX-uGMoPEsiIY_OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW-BDTEBigv5d-LpQ",
  "rawId": "QRX+uGMoPEsiIY/OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW+BDTEBigv5d+LpQ==",
  "response": {
    "authenticatorData": "d2m7v2nZjBFAnawAPbcoXuOsb/WObPUBvBxuOGBMcocFAAACVQ==",
    "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoidklvOEt5N01QVlg1TkUwTmlQakVMbUhYT0doeTh0eW1JSVcxN2JZSWFWQSIsIm9yaWdpbiI6Imh0dHBzOi8vbWFuYWdlLm15c2l0ZXMuZ3VydSIsImNyb3NzT3JpZ2luIjpmYWxzZX0=",
    "signature": "MEUCIQCnmDWCDjxYP+O5VtFfREj0A0rA6ALmWJwtPq6MTiX/TgIgfbhYLU/VYGJmSannRdfsfj2DPkhkeDvbcXHYphchPZM=",
    "userHandle": ""
  },
  "type": "public-key"
}
```

If I manually convert those from base64 to base64url then the exception is resolved and I can login again.

I think the problem might be this comment being incorrect:

// Converts an array of bytes into a Base64Url string

https://github.com/web-auth/webauthn-helper/blob/e30930982857d9b57f188878cb1a53e3e771e099/src/common.js#L36-37

According to https://developer.mozilla.org/en-US/docs/Web/API/btoa

> The btoa() method creates a [Base64](https://developer.mozilla.org/en-US/docs/Glossary/Base64)-encoded ASCII string from a binary string

That to me sounds like a base64 and not a base64url, despite the comment telling me that it should return a base64url.

My stack is Symfony 6.1 with

    web-auth/cose-lib: v4.0.6
    web-auth/metadata-service: 4.1.2
    web-auth/webauthn-lib: 4.1.2
    web-auth/webauthn-symfony-bundle: 4.1.2
    web-token/jwt-core: 3.1.1
    web-token/jwt-signature: 3.1.1

Sentry.io Stack Trace for reference https://sentry.io/share/issue/e173edee1abc4c6693ef24ee8a68644e/ (click FULL once page loaded)
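The mismatch described in the report above, as an added example that is not part of the original posts and not code from webauthn-helper: `btoa()` output is mapped to unpadded base64url, and an assertion object is normalised before it reaches a strict base64url decoder. The function names are hypothetical; the sample values are the ones quoted in the issue (`clientDataJSON` left out for brevity).

```javascript
// Added example: names below are hypothetical, not webauthn-helper's API.
// Values taken from the request quoted in the issue (clientDataJSON omitted).
const SAMPLE = {
  id: "QRX-uGMoPEsiIY_OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW-BDTEBigv5d-LpQ",
  rawId: "QRX+uGMoPEsiIY/OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW+BDTEBigv5d+LpQ==",
  response: {
    authenticatorData: "d2m7v2nZjBFAnawAPbcoXuOsb/WObPUBvBxuOGBMcocFAAACVQ==",
    signature: "MEUCIQCnmDWCDjxYP+O5VtFfREj0A0rA6ALmWJwtPq6MTiX/TgIgfbhYLU/VYGJmSannRdfsfj2DPkhkeDvbcXHYphchPZM=",
    userHandle: "",
  },
  type: "public-key",
};

// Unpadded base64url: only A-Z a-z 0-9 - _ ; a length of 4n+1 cannot occur.
function isBase64Url(s) {
  return typeof s === "string" && /^[A-Za-z0-9_-]*$/.test(s) && s.length % 4 !== 1;
}

// Accepts standard base64 or base64url and returns unpadded base64url.
function toBase64Url(s) {
  const out = s.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  if (!isBase64Url(out)) throw new TypeError("value is not base64 or base64url");
  return out;
}

// btoa() emits the standard alphabet (+ / and = padding), so map it explicitly.
function bytesToBase64Url(bytes) {
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return toBase64Url(btoa(binary));
}

// Re-encode rawId and every non-empty response field as base64url.
function normaliseAssertion(a) {
  const response = {};
  for (const [key, value] of Object.entries(a.response)) {
    response[key] = value === "" ? value : toBase64Url(value);
  }
  return { ...a, rawId: toBase64Url(a.rawId), response };
}

console.log(normaliseAssertion(SAMPLE));
```

After normalisation `rawId` is identical to `id`, which the client had already sent in base64url form.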


Spomky commented Aug 30, 2022

Hi,

Thank you for reporting this issue.
More and more servers become fully compliant with the Webauthn specification. This frontend library is not.
For the moment, I would suggest you use https://github.com/MasterKale/SimpleWebAuthn which is really great.
I will certainly update this library, but I cannot say when.

@PhilETaylor

Absolutely no worries :-) I just converted the incoming request back to base64url myself and my app is up and running again and working :) but wanted to ensure that it was logged - as others will probably get the same issue eventually.

Certainly zero pressure from me for a fix here :) Thanks for your work, saved me hours not having to reinvent the wheel.

@Spomky self-assigned this Sep 1, 2022

@Spomky added the enhancement and bug labels and removed the enhancement label Sep 1, 2022

@stayallive

@Spomky maybe it's an idea to link to this other library in the docs of the PHP library, since I just ran into this while following the instructions: https://webauthn-doc.spomky-labs.com/prerequisites/javascript.
