Installing the extension breaks WebAuthn #11199
Comments
|
Hi there! Thank you for your report, I'm closing this as a duplicate of #11234 If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time in there - our engineering team will be happy to review these. Thanks! |
|
hello, that issue seems unrelated to mine. The only thing in common with the two issues is that they are related to the injected WebAuthn script, however this is a completely different thing that is broken here. On the linked issue, the injection and removal of the script would mess up certain websites if they depend on some JS ordering or something. There is a linked PR as well, that will resolve it, which changes it to no longer remove the injected script from the page. This PR has nothing to do with this issue and will keep this issue still there. This issue is about WebAuthn itself becoming broken because it injects the script even if you are not logged in to a bitwarden account, thus breaking its responses and causing very obvious internal broken state. Also if you read my stacktrace I posted in the original issue you can see: I have debugged this with the browser's debugging tools, but also just in the source code this maps the error to only possibly be coming from here: because this call comes from here: So this issue is very obviously unrelated to the linked issue and I would thus ask you to reopen this. |
|
I can confirm this issue, WebAuthn works fine as soon as you disable the extension. |
|
A guard against a I've tested Webauthn behavior on a number of websites and haven't seen a problem... but I know that a small sample set isn't always indicative of a broad representation of the API usage. |
|
Hello, I have the same issue when I try to log in Gitlab via Teleport (cf screenshot), if it can help detect the bug. But it works on private navigation on Chrome. I wanted to attach a screenshot but it does not work.. |
|
@cagonzalezcs , have you seen my message? |
|
Any example websites or console screen can help with debugging, yes. |
|
Hello, here it is[image: image.png]
It does not show on Github, I hope you see the screenshot in the email.
Le mer. 2 oct. 2024 à 15:12, Cesar Gonzalez ***@***.***> a
écrit :
… Any example websites or console screen can help with debugging, yes.
—
Reply to this email directly, view it on GitHub
<#11199 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AK2FAXDQ2KU52SMXODKQFVLZZPWMVAVCNFSM6AAAAABOWIVQJ6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOBYGYYTCNJVGM>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
I have the same issue on Chrome. If I log in incognito mode it works(that means no extention installed). |
|
From the vault |
|
Guys, I solved issue. At least for my case. Try to disable and enable the extension. |
|
I tried disabling and reinstalling the extension, still doesn't work. And i can't log off of my account on the extension. What is weird is that i don't have any of these issues on my personal Macbook. Only on the professional one (and it was working up until 2 weeks ago). |
|
since there are a bunch of unrelated comments starting to appear on this issue, where the error is a different pattern and a different exception, I have added the context that mattered for this particular issue on the original comment. I have also linked to what I think is probably the error cause, which I just went through with the GitHub search & outline features. I don't know the exact criteria how to make this state happen, when having been logged into my bitwarden account and then logging out I can't reproduce it, this only happened on a fresh install that wasn't logged in yet. Also you asked for any website where this is happening, however this is happening on anything with webauthn and can be observed on https://webauthn.io/ as well |
|
@WebFreak001 Thanks for the extra context... So this bug isn't replicable when testing the issue on MacOS/Windows. That said, we shouldn't be injecting the fido2 content scripts into a tab unless an account is logged in. If this issue is appearing specifically due to a logged out state, then reworking that behavior to ensure we only inject the content scripts when a user is logged in should resolve the problem. |
|
thanks that sounds like it would solve our particular issue |
Steps To Reproduce
Expected Result
I expect Bitwarden not to trigger and just my native WebAuthn dialog to open
Actual Result
The WebAuthn API call crashes with the following stacktrace, coming from Bitwarden:
making it impossible to login anywhere
Screenshots or Videos
No response
Additional Context
The exception, uncaught and printed to console:
I have debugged this with the browser's debugging tools, the error is coming from here:
clients/apps/browser/src/autofill/fido2/utils/webauthn-utils.ts
Line 125 in 0ecdd46
because
resultis null, which is an invalid argument and also breaks the type systems assumptions.this call comes from here:
clients/apps/browser/src/autofill/fido2/content/fido2-page-script.ts
Line 187 in 0ecdd46
Where it passes
response.result, which comes frommessenger.request({ type: MessageType.CredentialGetRequest }), which just putnullinto the result, which is not what the code and type system is expecting, thus being invalid state and causing this issue in the end.Since on the extension side everything seems to be implemented in a sane way, it looks to me like the most likely cause for this is this
resolve(null);, which should probably be arejectinstead:clients/apps/browser/src/autofill/utils/index.ts
Line 119 in bdf91e2
Operating System
Linux
Operating System Version
No response
Web Browser
Brave
Browser Version
No response
Build Version
2024.9.0
Issue Tracking Info
The text was updated successfully, but these errors were encountered: