Increase allowed length for webauthn registration “credential_xid” column

Summary

The registration of a new Webauthn device using a Nitrokey 3 fails with the following error in /var/log/gitlab/postgresql/current:

ERROR:  new row for relation "webauthn_registrations" violates check constraint "check_e54008d9ce"

Looking at the constraint check_e54008d9ce on the table webauthn_registrations it limits the size of this column to 340 characters ("check_e54008d9ce" CHECK (char_length(credential_xid) <= 340)). However, the value has a length of 432 characters.

Is this a problem of the device used? Is there a reason to limit the column length to 340 characters, or at all?

Steps to reproduce

• Connect a Nitrokey 3 to your computer
• Go to User Settings → Account → Two-Factor Authentication
• Click on “Set up new device” under Register WebAuthn Device
• Touch the Nitrokey
• Give it name and click “Register device”

What is the current bug behavior?

The application gives a 500 error page and logs the error mentioned above.

What is the expected correct behavior?

The application accepts the device and lists the new device on a regular page.

Relevant logs and/or screenshots

Started POST "/-/profile/two_factor_auth/create_webauthn" for 192.168.110.67 at 2022-01-05 03:34:54 -0500
Processing by Profiles::TwoFactorAuthsController#create_webauthn as HTML
Parameters: {"authenticity_token"=>"[FILTERED]", "device_registration"=>{"name"=>"Nitrokey", "device_response"=>"{\"type\":\"public-key\",\"id\":\"owBZAR5U…\",\"rawId\":\"owBZAR5U…\",\"clientExtensionResults\":{},\"response\":{\"clientDataJSON\":\"eyJ0eXB…\",\"attestationObject\":\"o2NmbXRkbm9uZ…\"}}"}}

==> /var/log/gitlab/postgresql/current <==
2022-01-05_08:34:54.29141 ERROR:  new row for relation "webauthn_registrations" violates check constraint "check_e54008d9ce"
2022-01-05_08:34:54.29143 DETAIL:  Failing row contains (6, 2, 16, 2022-01-05 08:34:54.276904+00, 2022-01-05 08:34:54.276904+00, owBZAR5UnLmp8mn42bYm..., Nitrokey, pQECA..., null).
2022-01-05_08:34:54.29144 STATEMENT:  /*application:web,correlation_id:01FRMP0X3AFWFF60Q8YPT7C789,endpoint_id:Profiles::TwoFactorAuthsController#create_webauthn,db_config_name:main*/ INSERT INTO "webauthn_registrations" ("user_id", "counter", "created_at", "updated_at", "credential_xid", "name", "public_key") VALUES (2, 16, '2022-01-05 08:34:54.276904', '2022-01-05 08:34:54.276904', 'owBZAR5U…', 'Nitrokey', 'pQECAy…') RETURNING "id"

==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"POST","path":"/-/profile/two_factor_auth/create_webauthn","format":"html","controller":"Profiles::TwoFactorAuthsController","action":"create_webauthn","status":500,"time":"2022-01-05T08:34:54.296Z"    ,"params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"device_registration","value":{"name":"Nitrokey","device_response":"{\"type\":\"public-key\",\"id\":\"owBZAR5U…\",\"rawId\":\"owBZAR5U…\",\"clientExtensionResults\":{},\"response\":{\"clientDataJSON\":\"eyJ0eX…\",\"attestationObject\":\"o2NmbX…\"}}"}}],"correlation_id":"01FRMP0X3AFWFF60Q8YPT7C789","meta.user":"user.name","meta.caller_id":"Profiles::TwoFactorAuthsController#create_webauthn","meta.remote_ip":"192.168.110.67","meta.feature_category":"authentication_and_authorization","meta.client_id":"user/2","remote_ip":"192.168.110.67","user_id":2,"username":"user.name","ua":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.15.2 Chrome/87.0.4280.144 Safari/537.36","request_urgency":"default","target_duration_s":1,"redis_calls":2,"redis_duration_s":0.0005059999999999999,"redis_read_bytes":250,"redis_write_bytes":1217,"redis_shared_state_calls":1,"redis_shared_state_duration_s":0.000236,"redis_shared_state_write_bytes":53,"redis_sessions_calls":1,"redis_sessions_duration_s":0.00027,"redis_sessions_read_bytes":250,"redis_sessions_write_bytes":1164,"db_count":8,"db_write_count":3,"db_cached_count":0,"db_replica_count":0,"db_primary_count":8,"db_replica_cached_count":0,"db_primary_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.018,"cpu_s":0.065169,"mem_objects":15103,"mem_bytes":3105880,"mem_mallocs":9508,"mem_total_bytes":3710000,"pid":2307,"exception.class":"ActiveRecord::StatementInvalid","exception.message":"PG::CheckViolation: ERROR: new row for relation \"webauthn_registrations\" violates check constraint \"check_e54008d9ce\"\nDETAIL:  Failing row contains (6, 2, 16, 2022-01-05 08:34:54.276904+00, 2022-01-05 08:34:54.276904+00, owBZAR5U..., Nitrokey, pQECAy..., null).\n","exception.backtrace":["lib/gitlab/database/load_balancing/connection_proxy.rb:126:in `block in write_using_load_balancer'","lib/gitlab/database/load_balancing/load_balancer.rb:112:in `block in read_write'","lib/gitlab/database/load_balancing/load_balancer.rb:172:in `retry    _with_backoff'","lib/gitlab/database/load_balancing/load_balancer.rb:110:in `read_write'","lib/gitlab/database/load_balancing/connection_proxy.rb:125:in `write_using_load_balancer'","lib/gitlab/database/load_balancing/connection_proxy.rb:67:in `block (2 levels) in <class:ConnectionProxy>'","lib/gitlab/database/load_balancing/connection_proxy.rb:126:in `block in write_using_load_balancer'","lib/gitlab/database/load_balancing/load_balancer.rb:112:in `block in read_write'","lib/gitlab/database/load_balancing/load_balancer.rb:172:in `retry_with_backoff'","lib/gitlab/database/load_balancing/load_balancer.rb:110:in `read_write'","lib/gitlab/database/load_balancing/connection_proxy.rb:125:in `write_using_load_balancer'","lib/gitlab/database/load_balancing/connection_proxy.rb:77:in `transaction'","lib/gitlab/database/load_balancing/connection_proxy.rb:126:in `block in write_using_load_balancer'","lib/gitlab/database/load_balancing/load_balancer.rb:112:in `block in read_write'","lib/gitlab/database/load_balancing/load_balancer.rb:172:in `retry_with_backoff'","lib/gitlab/database/load_balancing/load_balancer.rb:110:in `read_write'","lib/gitlab/database/load_balancing/connection_proxy.rb:125:in `write_using_load_balancer'","lib/gitlab/database/load_balancing/connection_proxy.rb:77:in `transaction'","app/services/webauthn/register_service.rb:18:in `execute'","app/controllers/profiles/two_factor_auths_controller.rb:98:in `create_webauthn'","ee/lib/gitlab/ip_address_state.rb:10:in `with'","ee/app/controllers/ee/application_controller.rb:44:in `set_current_ip_address'","app/controllers/application_controller.rb:490:in `set_current_admin'","lib/gitlab/session.rb:11:in `with_session'","app/controllers/application_controller.rb:481:in `set_session_storage'","lib/gitlab/i18n.rb:105:in `with_locale'","lib/gitlab/i18n.rb:111:in `with_user_locale'","app/controllers/application_controller.rb:475:in `set_locale'","app/controllers/application_controller.rb:469:in `set_current_context'","lib/gitlab/middleware/speedscope.rb:13:in `call'","lib/gitlab/request_profiler/middleware.rb:17:in `call'","lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call'","lib/gitlab/jira/middleware.rb:19:in `call'","lib/gitlab/middleware/go.rb:20:in `call'","lib/gitlab/etag_caching/middleware.rb:21:in `call'","lib/gitlab/middleware/multipart.rb:173:in `call'","lib/gitlab/middleware/read_only/controller.rb:50:in `call'","lib/gitlab/middleware/read_only.rb:18:in `call'","lib/gitlab/middleware/same_site_cookies.rb:27:in `call'","lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'","lib/gitlab/middleware/basic_health_check.rb:25:in `call'","lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'","lib/gitlab/middleware/request_context.rb:21:in `call'","config/initializers/fix_local_cache_middleware.rb:11:in `call'","lib/gitlab/middleware/compressed_json.rb:26:in `call'","lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'","lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call'","lib/gitlab/metrics/requests_rack_middleware.rb:75:in `call'","lib/gitlab/middleware/release_env.rb:13:in `call'"],"exception.sql":"/*application:web,correlation_id:01FRMP0X3AFWFF60Q8YPT7C789,endpoint_id:Profiles::TwoFactorAuthsController#create_webauthn,db_config_name:main*/ INSERT INTO \"webauthn_registrations\" (\"user_id\", \"counter\", \"created_at\", \"updated_at\", \"credential_xid\", \"name\", \"public_key\") VALUES ($1, $2, $3, $4, $5, $6, $7) RETURNING \"id\"","db_duration_s":0.04263,"view_duration_s":0.0,"duration_s":0.08204}

==> /var/log/gitlab/gitlab-rails/production.log <==
ActiveRecord::StatementInvalid (PG::CheckViolation: ERROR:  new row for relation "webauthn_registrations" violates check constraint "check_e54008d9ce"
DETAIL:  Failing row contains (6, 2, 16, 2022-01-05 08:34:54.276904+00, 2022-01-05 08:34:54.276904+00, owBZAR5U..., Nitrokey, pQEC..., null).
):

Results of GitLab environment info

Expand for output related to GitLab environment info

System information
System:         Ubuntu 18.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.7.5p203
Gem Version:    3.1.4
Bundler Version:2.1.4
Rake Version:   13.0.6
Redis Version:  6.0.16
Git Version:    2.33.1.
Sidekiq Version:6.3.1
Go Version:     unknown

GitLab information
Version:        14.6.1-ee
Revision:       29ff725b072
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.7
URL:            https://git.domain.tld
HTTP Clone URL: https://git.domain.tld/some-group/some-project.git
SSH Clone URL:  git@git.domain.tld:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.22.1
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.22.1 ? ... OK (13.22.1)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/2 ... yes
… (all yes)
2/402 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git version >= 2.33.0 ? ... yes (2.33.1)
Git user has default SSH configuration? ... yes
Active users: ... 25
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished

Possible fixes

The check is defnied on structure.sql:17575. The commit that last changed this line is 86021d06.