kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix WebAuthn CSRF; clarify security key UI

Browse Source 
- Fix webauthn.js CSRF token: read HMAC header value from
  body hx-headers attribute instead of cookie nonce
- Update profile labels to mention security keys/FIDO2
  alongside passkeys

Security: CSRF double-submit was broken for fetch()-based
WebAuthn requests — JS was sending the cookie nonce as the
header value instead of the HMAC. Fixed by reading the
server-rendered header token from the DOM.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-16 19:27:44 -07:00
parent 0b37fde155
commit 446b3df52d
3 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
web/static/webauthn.js
View File

@@ -25,10 +25,17 @@
return bytes.buffer; return bytes.buffer;
} }
// Get the CSRF token from the cookie for mutating requests. // Get the CSRF token from the body's hx-headers attribute (HMAC header value).
// The cookie holds the nonce; the header holds the HMAC — they are different.
function getCSRFToken() { function getCSRFToken() {
var match = document.cookie.match(/(?:^|;\s*)mcias_csrf=([^;]+)/); try {
return match ? match[1] : ''; var hdr = document.body.getAttribute('hx-headers');
if (hdr) {
var parsed = JSON.parse(hdr);
if (parsed['X-CSRF-Token']) return parsed['X-CSRF-Token'];
}
} catch (e) { /* fall through */ }
return '';
} }
function showError(id, msg) { function showError(id, msg) {

2
web/templates/fragments/webauthn_enroll.html
View File

@@ -4,7 +4,7 @@
<div id="webauthn-enroll-success" class="alert alert-success" style="display:none" role="alert"></div> <div id="webauthn-enroll-success" class="alert alert-success" style="display:none" role="alert"></div>
<div class="form-group"> <div class="form-group">
<label for="webauthn-name">Passkey Name</label> <label for="webauthn-name">Passkey Name</label>
<input class="form-control" type="text" id="webauthn-name" placeholder="e.g. YubiKey 5" value="Passkey"> <input class="form-control" type="text" id="webauthn-name" placeholder="e.g. YubiKey 5, Touch ID" value="Passkey">
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="webauthn-password">Current Password</label> <label for="webauthn-password">Current Password</label>

6
web/templates/profile.html
View File

@@ -10,12 +10,12 @@
</div> </div>
{{if .WebAuthnEnabled}} {{if .WebAuthnEnabled}}
<div class="card"> <div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Passkeys</h2> <h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Passkeys &amp; Security Keys</h2>
<p class="text-muted text-small" style="margin-bottom:.75rem"> <p class="text-muted text-small" style="margin-bottom:.75rem">
Passkeys let you sign in without a password using your device's biometrics or a security key. Register a passkey (Touch ID, Windows Hello) or a hardware security key (YubiKey, FIDO2) for passwordless sign-in or two-factor authentication.
</p> </p>
{{template "webauthn_credentials" .}} {{template "webauthn_credentials" .}}
<h3 style="font-size:.9rem;font-weight:600;margin:1rem 0 .5rem">Add a Passkey</h3> <h3 style="font-size:.9rem;font-weight:600;margin:1rem 0 .5rem">Add a Passkey or Security Key</h3>
{{template "webauthn_enroll" .}} {{template "webauthn_enroll" .}}
</div> </div>
<script src="/static/webauthn.js"></script> <script src="/static/webauthn.js"></script>