Increase Webauthn credential XID length
Hi, all - this is my first MR to GitLab! I'm attempting to follow the Database Review Guidelines - please let me know if I can provide further information.
What does this MR do and why?
This MR closes issue #349596 by increasing the allowed credential ID length to 1023 bytes. (This is 1364 bytes when base64 encoded, matching what's stored within the database.) This was tested against a SoloKey v2 within Safari, and the key successfully registered.
The number for 1023 comes from the current editor's draft, in which they write:
Credential ID
A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions. At most 1023 bytes long.
Though the currently released specification notes no upper limit, discussion within the specification repository states that 1023 is chosen as a worst-case number based on other factors.
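As an added illustration (not code from this MR or from GitLab) of where the two numbers come from and how an application-level check relates to the database limit, the snippet below derives the encoded length from the 1023-byte bound and validates an encoded credential ID against the byte limit rather than the character count. It assumes that the browser supplies the ID as base64url and that the stored form is padded standard base64; both are assumptions, not something the MR states.

```ruby
require 'base64'
require 'securerandom'

# Upper bound from the WebAuthn editor's draft quoted above: at most 1023 bytes.
MAX_CREDENTIAL_ID_BYTES = 1023

# Characters needed to base64-encode `raw_bytes` bytes: every 3 bytes become
# 4 characters, and a trailing partial group is still padded out to 4.
def base64_length_for(raw_bytes)
  ((raw_bytes + 2) / 3) * 4
end

# The encoded limit the database column has to hold (1364 for 1023 bytes).
MAX_CREDENTIAL_XID_LENGTH = base64_length_for(MAX_CREDENTIAL_ID_BYTES)

# Check an encoded credential ID the way an application-level validation would
# before it reaches the database constraint: decode it, enforce the byte limit
# from the specification, and re-encode in the padded base64 form assumed here
# for storage. Returns the stored form, or nil when the ID is malformed, empty
# or too long.
def normalize_credential_xid(encoded)
  raw = Base64.urlsafe_decode64(encoded) # accepts base64url or standard alphabet
  return nil if raw.empty? || raw.bytesize > MAX_CREDENTIAL_ID_BYTES

  stored = Base64.strict_encode64(raw)
  stored.length <= MAX_CREDENTIAL_XID_LENGTH ? stored : nil
rescue ArgumentError
  nil # not valid base64 at all
end

# Constructed sample credential IDs (random bytes), not real authenticator output.
def sample_results
  longest_ok   = Base64.urlsafe_encode64(SecureRandom.random_bytes(1023), padding: false)
  one_too_long = Base64.urlsafe_encode64(SecureRandom.random_bytes(1024), padding: false)
  {
    longest_ok:   normalize_credential_xid(longest_ok)&.length, # 1364
    one_too_long: normalize_credential_xid(one_too_long),       # nil
    garbage:      normalize_credential_xid('not base64!')       # nil
  }
end
```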
This database migration cannot be reverted: as credential XIDs past this migration may potentially be larger than the prior length, data would be truncated to fit. However, should an administrator wish to manually modify the webauthn_registrations table to revert to the lower length, no code would prevent such.
Migration/Rollback Output
$ gdk rails db:migrate
main: == 20220629220129 IncreaseWebauthnXidLength: migrating ========================
main: -- transaction_open?()
main: -> 0.0000s
main: -- current_schema()
main: -> 0.0007s
main: -- current_schema()
main: -> 0.0003s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0005s
main: -- execute("ALTER TABLE webauthn_registrations VALIDATE CONSTRAINT check_f5ab2b551a;")
main: -> 0.0011s
main: -- execute("RESET statement_timeout")
main: -> 0.0004s
main: -- transaction_open?()
main: -> 0.0000s
main: -- transaction_open?()
main: -> 0.0000s
main: -- execute("ALTER TABLE webauthn_registrations\nDROP CONSTRAINT IF EXISTS check_e54008d9ce\n")
main: -> 0.0006s
main: == 20220629220129 IncreaseWebauthnXidLength: migrated (0.0121s) ===============
ci: == 20220629220129 IncreaseWebauthnXidLength: migrating ========================
ci: -- transaction_open?()
ci: -> 0.0000s
ci: -- current_schema()
ci: -> 0.0002s
ci: -- current_schema()
ci: -> 0.0002s
ci: -- execute("SET statement_timeout TO 0")
ci: -> 0.0003s
ci: -- execute("ALTER TABLE webauthn_registrations VALIDATE CONSTRAINT check_f5ab2b551a;")
ci: -> 0.0006s
ci: -- execute("RESET statement_timeout")
ci: -> 0.0003s
ci: -- transaction_open?()
ci: -> 0.0000s
ci: -- transaction_open?()
ci: -> 0.0000s
ci: -- execute("ALTER TABLE webauthn_registrations\nDROP CONSTRAINT IF EXISTS check_e54008d9ce\n")
ci: -> 0.0003s
ci: == 20220629220129 IncreaseWebauthnXidLength: migrated (0.0073s) ===============
$ gdk rails db:rollback:main
main: == 20220629220129 IncreaseWebauthnXidLength: reverting ========================
main: == 20220629220129 IncreaseWebauthnXidLength: reverted (0.0003s) ===============
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.