WebAuthn cryptically not working in production but works perfectly in development

The site probably works locally because “localhost” is considered a secure context, but an http:// address is not. The “Error while registering” at the start of the error message OP posted would line up with this logic in the except block that tries to handle registration:

Get some HTTPS on spoonjoy.co and I’ll bet you that’ll solve the problem.

P.S. WOW the throttling here is annoying, I split this up into two to get past the “two URLs only” rule and ran into the “30 seconds between posts” rule

Ha! No, spoonjoy.co is an older attempt at building Spoonjoy that’s unrelated, I totally forgot that was up - the .app domain is the correct one, and does use HTTPS

I spent so long fighting the platform that I missed your update! Let me catch up.

Alright, I threw the request data included in the call to https://spoonjoy.app/api/auth into https://debugger.simplewebauthn.dev, and the debugger parsed the JSON just fine, so I don’t think any data is malformed on the front end:

Screen Shot 2022-10-25 at 12.22.51 PM792×951 121 KB

Which would mean the search should turn towards the logic that receives the request, and what it does with the data before trying to verify it.

@rob I’m apparently helping too quickly because all of my posts in here were “flagged by the community” as spam. Can you help me out here? I can’t continue to help here if the forums are going to keep treating me like this.

@IAmKale - I upgraded your membership to trust level 2: member level - hopefully that will help.

It looks like a message or two is still flagged for review. I am not sure if the membership level change will help with further posts.

The last place I wanted to suggest starting to debug this is within webauthnRegister(), or whatever logic within Spoonjoy eventually makes the request to this method:

Maybe this is a case of this.event.body being undefined for some reason? That’s the best guess I have for you without seeing any Spoonjoy code (which I’m definitely not asking for access to, to be clear! )

Yeah it’s just using this, hm

Can you share the Spoonjoy handler that receives the JSON registration body and then attempts to verify it?

That’s all in the open source RedwoodJS code, here’s the documentation for that: Self-hosted Authentication (dbAuth) | RedwoodJS Docs

And the error is thrown specifically in this line: redwood/webAuthn.ts at 7b877e56647c5b5baa5eaa888b35e942e4500e0b · redwoodjs/redwood · GitHub

If you check out this above comment you can see that I’ve verified that the JSON is being properly stringified

I’ll also try out Rob’s above suggestion in a bit and report back here

Based on what I’m seeing in Chrome, that line is likely erroring out because it gets back an HTTP 400 from the server:

Which is telling me that the error is actually getting thrown somewhere in the backend.

If you check out this above comment you can see that I’ve verified that the JSON is being properly stringified

And I believe this too, based on the request payload looking fine to me too:

Screen Shot 2022-10-25 at 12.47.44 PM747×319 63.2 KB

We’re seeing the same thing, right?

Edit: I guess the HTTP 400 is properly getting caught here:

Yeah, that’s the same thing I’m seeing

Do you have any logging setup on the api side so you can see if something is being thrown there?

Sort of, I’ve got the default logging from Vercel and Railway - Vercel is showing no errors being thrown:

Screen Shot 2022-10-25 at 12.52.47 PM2442×386 17 KB

Weirdly, on this call, it doesn’t look like anything is happening on Railway’s end.

The database (Railway) should only get involved if the register is successful, the api side inserts their credentials into that UserCredential table. Can you open up the UserCredential table in some kind of Railway UI and see if any records have been inserted?

@IAmKale What do you think about the error message being “Unexpected token e in JSON at position 0” and the fact that the clientBodyJSON’s first character is the letter “e”?

clientDataJSON: "eyJ0eXBlIjoid2ViYXV0aG4uY3JlY..."

Just a coincidence?

This actually gets weirder, because I’m not seeing any tables whatsoever on Railway’s side

What could I be missing here, hmmmmm

Did a yarn rw prisma migrate deploy ever happen? That should automatically happen if you use our Vercel deploy strategy though…