Add logging for failed webauthn key registrations

2025-04-03 04:15:29 +00:00 · 2023-11-17 16:06:39 +02:00 · 2023-11-17 16:06:39 +02:00 · 96823a7f90
commit 96823a7f90
parent decd1d4b87
4 changed files with 23 additions and 11 deletions
--- a/hc/accounts/tests/test_add_webauthn.py
+++ b/hc/accounts/tests/test_add_webauthn.py
@ -73,9 +73,10 @@ class AddWebauthnTestCase(BaseTestCase):
        r = self.client.post(self.url, payload)
        self.assertEqual(r.status_code, 400)

+    @patch("hc.accounts.views.logger")
    @patch("hc.accounts.views.CreateHelper.verify")
-    def test_it_handles_verification_failure(self, mock_verify: Mock) -> None:
-        mock_verify.return_value = None
+    def test_it_handles_verification_failure(self, verify: Mock, logger: Mock) -> None:
+        verify.side_effect = ValueError

        self.client.login(username="alice@example.org", password="password")
        self.set_sudo_flag()
@ -88,3 +89,6 @@ class AddWebauthnTestCase(BaseTestCase):

        r = self.client.post(self.url, payload, follow=True)
        self.assertEqual(r.status_code, 400)
+
+        # It should log the verification failure
+        self.assertTrue(logger.exception.called)
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@ -1,5 +1,6 @@
 from __future__ import annotations

+import logging
 import time
 from datetime import timedelta as td
 from secrets import token_urlsafe
@ -42,6 +43,8 @@ from hc.lib.tz import all_timezones
 from hc.lib.webauthn import CreateHelper, GetHelper
 from hc.payments.models import Subscription

+logger = logging.getLogger(__name__)
+
 POST_LOGIN_ROUTES = (
    "hc-checks",
    "hc-details",
@ -727,8 +730,10 @@ def add_webauthn(request: AuthenticatedHttpRequest) -> HttpResponse:
            return HttpResponseBadRequest()

        state = request.session["state"]
-        credential_bytes = helper.verify(state, form.cleaned_data["response"])
-        if credential_bytes is None:
+        try:
+            credential_bytes = helper.verify(state, form.cleaned_data["response"])
+        except ValueError as e:
+            logger.exception("CreateHelper.verify failed, form: %s", form.cleaned_data)
            return HttpResponseBadRequest()

        c = Credential(user=request.user)
--- a/hc/lib/webauthn.py
+++ b/hc/lib/webauthn.py
@ -47,12 +47,9 @@ class CreateHelper(object):
        return dict(options), state

    def verify(self, state: Any, response_json: str) -> bytes | None:
-        try:
-            doc = json.loads(response_json)
-            auth_data = self.server.register_complete(state, doc)
-            return auth_data.credential_data
-        except ValueError:
-            return None
+        doc = json.loads(response_json)
+        auth_data = self.server.register_complete(state, doc)
+        return auth_data.credential_data


 class GetHelper(object):
--- a/static/css/admin/records.css
+++ b/static/css/admin/records.css
@ -39,4 +39,10 @@

 .field-traceback .readonly {
    font-family: monospace;
-}
+}
+
+.field-message .readonly {
+    width: 90%;
+    font-family: monospace;
+
+}