Only store valid transports values.

Author: frjo

hypha/apply/users/passkey_views.py

@@ -28,6 +28,7 @@
     AuthenticatorAssertionResponse,
     AuthenticatorAttestationResponse,
     AuthenticatorSelectionCriteria,
+    AuthenticatorTransport,
     PublicKeyCredentialDescriptor,
     RegistrationCredential,
     ResidentKeyRequirement,
@@ -72,6 +73,15 @@ def _load_challenge(request, key: str) -> bytes:
     return base64.b64decode(encoded)
 
 
+_VALID_TRANSPORTS = {t.value for t in AuthenticatorTransport}
+
+
+def _clean_transports(raw) -> list[str]:
+    if not isinstance(raw, list):
+        return []
+    return [t for t in raw if isinstance(t, str) and t in _VALID_TRANSPORTS]
+
+
 # ---------------------------------------------------------------------------
 # Registration — requires an authenticated user
 # ---------------------------------------------------------------------------
@@ -131,6 +141,7 @@ def passkey_register_complete(request):
     except PermissionDenied:
         return JsonResponse({"error": _("No active WebAuthn challenge")}, status=400)
 
+    transports = _clean_transports(data.get("response", {}).get("transports"))
     try:
         credential = RegistrationCredential(
             id=data["id"],
@@ -140,7 +151,7 @@ def passkey_register_complete(request):
                 attestation_object=base64url_to_bytes(
                     data["response"]["attestationObject"]
                 ),
-                transports=data["response"].get("transports", []),
+                transports=transports,
             ),
         )
         verification = verify_registration_response(
@@ -168,7 +179,7 @@ def passkey_register_complete(request):
             credential_id=bytes_to_base64url(verification.credential_id),
             public_key=bytes_to_base64url(verification.credential_public_key),
             sign_count=verification.sign_count,
-            transports=data["response"].get("transports", []),
+            transports=transports,
         )
     except Exception:
         logger.warning(

hypha/apply/users/tests/test_passkey_views.py

@@ -206,6 +206,42 @@ def test_empty_name_gets_date_default(self, mock_verify):
         passkey = self.user.passkeys.first()
         self.assertTrue(passkey.name.startswith("Passkey "))
 
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_unknown_transports_are_filtered_out(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"cred",
+            credential_public_key=b"pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        payload = self._payload()
+        payload["response"]["transports"] = ["internal", "junk-value", "usb", 123]
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.user.passkeys.first().transports, ["internal", "usb"])
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_non_list_transports_is_stored_as_empty_list(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"cred",
+            credential_public_key=b"pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        payload = self._payload()
+        payload["response"]["transports"] = "internal"  # not a list
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.user.passkeys.first().transports, [])
+
     @patch("hypha.apply.users.passkey_views.verify_registration_response")
     def test_verification_failure_returns_400_and_saves_nothing(self, mock_verify):
         mock_verify.side_effect = Exception("crypto error")