WebAuthn cryptically not working in production but works perfectly in development

Get Help and Help Others
1

Hi! For some reason, WebAuthn isn’t working with my webapp once I deploy it. The most information I’m able to get is as follows:

Error while registering: Could not complete registration: Unexpected token e in JSON at position 0
    at Object.register

The Auth payloads look exactly the same. This happens in both Chrome and Safari.

Any ideas how to get more info on this? I’m digging through the @redwoodjs/dist/webAuthn files but to no avail.

Thanks!

2

(and yes, I’ve configured it for production via Self-hosted Authentication (dbAuth) | RedwoodJS Docs)

3

The error is specifically thrown here, on line 163 in webAuthn/index.js:

Screen Shot 2022-10-24 at 7.47.50 PM
Screen Shot 2022-10-24 at 7.47.50 PM1034×398 62.4 KB

4

That classic “Unexpected token e in JSON at position 0” message sounds like text or HTML is being sent in the payload instead of JSON. But if you inspect the network request you can see that indeed, JSON data is going up? And the Content-Type header is actually application/json?

5

Hey @rob,

Yup :frowning:

Screen Shot 2022-10-25 at 9.07.02 AM
Screen Shot 2022-10-25 at 9.07.02 AM744×466 42.8 KB

Screen Shot 2022-10-25 at 9.07.15 AM
Screen Shot 2022-10-25 at 9.07.15 AM1146×372 52.8 KB

Screen Shot 2022-10-25 at 9.07.39 AM
Screen Shot 2022-10-25 at 9.07.39 AM746×144 18.8 KB

6

As far as I can tell, the exact same thing is happening in my dev environment, but I have no such errors - is there anything different happening there?

7

Only that the browser will sometimes make security exceptions for localhost and let you get away with things it wouldn’t from a real domain.

What’s inside that collapsed response key in the payload?

8

Right. Just this - I did think it was weird that clientDataJSON is just the bearer token, and isn’t actually JSON. Maybe that’s the issue? Would explain that it’s specifically complaining about token e

Screen Shot 2022-10-25 at 9.37.41 AM
Screen Shot 2022-10-25 at 9.37.41 AM1070×100 23.2 KB

9

Interesting…what does clientDataJSON look like in local dev, where it does work? No idea why that key would contain different data in development vs. production though!

10

Looks the exact same :confused:

11

Hmmmm…that object is created/handled by the simplewebauthn lib that we use, Redwood’s not creating that or messing with the contents at all. Is there a previous request to that, one that retrieves the registration options? The URL will be something like /auth?method=webAuthnRegOptions … what’s the payload/response of that one look like?

12

Here’s the source for the WebAuthn code if you’re interested: redwood/webAuthn.ts at main · redwoodjs/redwood · GitHub You can see there are four main functions there, one to get registration options, one to register, one to get auth options, one to auth. That’s the web side code, the api side is here: redwood/DbAuthHandler.ts at main · redwoodjs/redwood · GitHub

13

It looks like clientDataJSON is supposed to be a base64-encoded string so maybe that’s okay: SimpleWebAuthn/decodeClientDataJSON.ts at master · MasterKale/SimpleWebAuthn · GitHub

1 Like
14

yes! the response looks like this -

Screen Shot 2022-10-25 at 10.08.10 AM
Screen Shot 2022-10-25 at 10.08.10 AM1424×384 75 KB

15

I’ve also confirmed that it’s not an issue with the JSON stringification that’s being passed into send:

Screen Shot 2022-10-25 at 11.10.21 AM
Screen Shot 2022-10-25 at 11.10.21 AM2108×88 21.4 KB

16

Can you try adding a host entry in /etc/hosts so that you have a “real” domain name and access the site that way? Something like:

127.0.0.1 home.test

You’ll need to make a couple of config changes so that you can access the dev server from there.

In redwood.toml you’ll have to add the hosts line:

[web]
  title = "Redwood App"
  port = 8910
+ host = '0.0.0.0'

And then start the dev server with:

yarn redwood dev --fwd="--allowed-hosts all"

Then see if stuff still works going to http://home.test:8910

17

Hello, author of SimpleWebAuthn here. @arimendelow linked me here via an issue on the project’s repo. I figured I’d try and contribute here since there’s already an existing conversation.

There’s talk of a broken “production” environment here; is that publicly available? I want to throw in some breakpoints in the browser and see if something looks wonky on that environment.

And I apologize in advance if I ask some “dumb” RedwoodJS questions, I’m flattered the project uses my stuff but I’ve not yet used RedwoodJS myself :joy:

1 Like
18

Dude Kale, welcome! Thanks for coming over and offering to help!

1 Like
19

Welcome, @IAmKale! Thanks for taking the time to join us here :slight_smile:

I haven’t yet gotten to try out @rob’s latest suggestion, but yes that production environment is public at https://spoonjoy.app/

Steps to repro:

  1. Login here with the username tester1 and password test
  2. When you get the following screen, hit turn on. During that flow is where the error is thrown.
    Screen Shot 2022-10-25 at 12.12.22 PM
    Screen Shot 2022-10-25 at 12.12.22 PM976×596 28.3 KB

Thanks so much for your help and let me know if there’s any other info I can provide!

20

I found it, looks like http://spoonjoy(dot)co (I have to mangle this because I’m a “new user” and can’t post more than two links :unamused:) is the site? I’ll bet you what we’re dealing with here is a non-HTTPS website trying to use WebAuthn, and the WebAuthn call throws an error because WebAuthn needs to be used in a “Secure Context”: Secure contexts - Web security | MDN