Description
Hi all 👋 I recently received a new FIDO2 security key, a SoloKey v2.
Upon registering it to my Gitea instance, a server error was encountered:
WebauthnRegisterPost() [E] [62db09ae] CreateCredential: pq: value too long for type character varying(410)
While debugging this, I noticed that a 270 byte credential ID was generated for my instance. It seems that the current maximum credential ID length is 255 bytes:
gitea/models/migrations/v210.go, line 28 in 886b1de
After some tentative searching through the linked WebAuthn specification, I noticed the following:
A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions. At most 1023 bytes long.
I think this issue could be resolved by changing the maximum credential ID length to 1023 bytes raw, or 1640 bytes base32-encoded (per head -c 1023 /dev/random | base32 --wrap=0 | wc -c).
Gitea Version
1.17.0-rc2
Can you reproduce the bug on the Gitea demo site?
No - its credential ID was exactly 255 bytes, which probably shouldn't be relied on
Log Gist
https://gist.github.com/spotlightishere/8bcfd9591ca7ec421873091c77644e91
Screenshots
No response
Git Version
No response
Operating System
Debian 11
How are you running Gitea?
Downloaded from https://dl.gitea.io/, running underneath systemd
Database
PostgreSQL
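The following Go program is an added worked example of the length arithmetic in the report above; it is not code from the issue or from Gitea itself. It assumes that Gitea stores the credential ID base32-encoded with the standard alphabet and '=' padding (an assumption inferred from the reporter's own base32 calculation). The 255-byte migration limit, the varchar(410) column and the 1023-byte spec maximum are the figures quoted in the issue; the sample credential IDs are constructed zero-filled byte slices whose only relevant property is their length.

```go
package main

import (
	"encoding/base32"
	"fmt"
)

// Limits quoted in the issue: the WebAuthn spec caps a credential ID at
// 1023 raw bytes, the Gitea migration caps it at 255 raw bytes, and the
// Postgres column that rejected the SoloKey is character varying(410).
const (
	SpecMaxCredentialIDBytes = 1023
	MigrationMaxBytes        = 255
	ColumnWidth              = 410
)

// encoding returns the base32 codec assumed for storage. Padded standard
// base32 is an assumption about Gitea, not verified against its source.
func encoding(padded bool) *base32.Encoding {
	if padded {
		return base32.StdEncoding
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding)
}

// EncodedLen returns the number of characters a credential ID occupies once
// base32-encoded, which is the value the column width is compared against.
func EncodedLen(credentialID []byte, padded bool) int {
	return encoding(padded).EncodedLen(len(credentialID))
}

// RequiredColumnWidth returns the narrowest varchar width that can hold any
// credential ID of up to maxRawBytes once base32-encoded.
func RequiredColumnWidth(maxRawBytes int, padded bool) int {
	return encoding(padded).EncodedLen(maxRawBytes)
}

// Fits reports whether the encoded credential ID would be accepted by a
// column of the given width. A false result corresponds to the reported
// "value too long for type character varying(N)" insert failure.
func Fits(credentialID []byte, columnWidth int, padded bool) bool {
	return EncodedLen(credentialID, padded) <= columnWidth
}

func main() {
	// Constructed sample IDs: only their lengths matter, contents are zeros.
	soloKey := make([]byte, 270)  // length the reporter observed for the SoloKey v2
	demoSite := make([]byte, 255) // length observed on the demo site
	specMax := make([]byte, SpecMaxCredentialIDBytes)

	for _, id := range [][]byte{demoSite, soloKey, specMax} {
		fmt.Printf("%4d raw bytes -> %4d base32 chars, fits varchar(%d): %v\n",
			len(id), EncodedLen(id, true), ColumnWidth, Fits(id, ColumnWidth, true))
	}
	fmt.Printf("varchar width needed for the %d-byte migration limit: %d\n",
		MigrationMaxBytes, RequiredColumnWidth(MigrationMaxBytes, true))
	fmt.Printf("varchar width needed for %d-byte IDs: %d (padded) / %d (unpadded)\n",
		SpecMaxCredentialIDBytes,
		RequiredColumnWidth(SpecMaxCredentialIDBytes, true),
		RequiredColumnWidth(SpecMaxCredentialIDBytes, false))
}
```

Run as-is, the program shows that a 255-byte ID encodes to 408 characters and fits in varchar(410), while the 270-byte SoloKey ID encodes to 432 characters and is rejected, matching the logged error; for the spec maximum of 1023 bytes it reproduces the reporter's 1640 figure (padded) and shows that 1637 would suffice without padding.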