fix: validate resident key capability before credential creation

cadivus · cadivus · commit 9e7c7d29d011 · 2026-04-14T13:22:06.000+02:00
On Linux, check if the connected FIDO2 key supports resident/discoverable
credentials before attempting to create one. Keys like ZUKEY 2 FIDO that
don't support resident credentials would silently create non-resident
credentials, causing registration to appear successful but login to fail.

On Windows, stop hardcoding bRequireResidentKey=TRUE and instead read
the authenticatorSelection.residentKey option from the server response.
diff --git a/packages/auth/amplify_auth_cognito/lib/src/linux/linux_webauthn_platform.dart b/packages/auth/amplify_auth_cognito/lib/src/linux/linux_webauthn_platform.dart
@@ -420,8 +420,25 @@ class LinuxWebAuthnPlatform implements WebAuthnCredentialPlatform {
           true,
         );
 
-        // Set resident key.
+        // Set resident key — but first verify the device actually supports
+        // discoverable credentials. Keys like the ZUKEY 2 FIDO silently
+        // accept the rk flag but create a non-resident credential, causing
+        // registration to appear successful while login later fails.
         if (residentKey == 'required' || residentKey == 'preferred') {
+          final supportsRk = _checkDeviceSupportsResidentKey(b, dev);
+          if (!supportsRk) {
+            _logger.error(
+              'Security key does not support resident/discoverable '
+              'credentials (rk option missing or false in CBOR info). '
+              'residentKey=$residentKey. A non-resident credential would '
+              'be useless for passwordless sign-in.',
+            );
+            throw const PasskeyRegistrationFailedException(
+              'This security key does not support passkeys (discoverable '
+              'credentials). Please use a compatible key such as a '
+              'YubiKey 5 or similar FIDO2 key with resident key support.',
+            );
+          }
           _checkFido(b.fidoCredSetRk(cred, fidoOptTrue), 'set rk', true);
         }
 
@@ -1019,6 +1036,61 @@ class LinuxWebAuthnPlatform implements WebAuthnCredentialPlatform {
     }
   }
 
+  /// Queries the device's CBOR info to check if it supports resident
+  /// (discoverable) credentials via the `rk` option.
+  ///
+  /// Returns `true` if the device advertises `rk: true` in its CTAP2 CBOR
+  /// info options, meaning it can store discoverable credentials on-device.
+  /// Returns `false` if the `rk` option is absent, explicitly `false`, or
+  /// if CBOR info cannot be retrieved.
+  ///
+  /// This is critical for passwordless flows: keys like the ZUKEY 2 FIDO
+  /// that don't support resident credentials will silently create a
+  /// non-resident credential when `rk` is requested, causing registration
+  /// to appear successful but login to fail later because the passkey
+  /// isn't discoverable.
+  bool _checkDeviceSupportsResidentKey(LibFido2Bindings b, Pointer dev) {
+    final ci = b.fidoCborInfoNew();
+    final ciPtr = calloc<Pointer>();
+    ciPtr.value = ci;
+
+    try {
+      final savedMask = _blockProfilerSignal();
+      final rc = b.fidoDevGetCborInfo(dev, ci);
+      _restoreSignals(savedMask);
+
+      if (rc != fidoOk) {
+        _logger.warn(
+          'Could not retrieve CBOR info from device (error: $rc). '
+          'Cannot determine resident key support.',
+        );
+        return false;
+      }
+
+      final optCount = b.fidoCborInfoOptionsLen(ci);
+      final namesPtr = b.fidoCborInfoOptionsNamePtr(ci);
+      final valuesPtr = b.fidoCborInfoOptionsValuePtr(ci);
+
+      for (var i = 0; i < optCount; i++) {
+        final name = namesPtr[i].toDartString();
+        final value = valuesPtr[i];
+        if (name == 'rk') {
+          _logger.debug('Device CBOR info: rk=$value');
+          return value;
+        }
+      }
+
+      _logger.debug(
+        'Device CBOR info does not include "rk" option — '
+        'resident credentials are not supported.',
+      );
+      return false;
+    } finally {
+      b.fidoCborInfoFree(ciPtr);
+      calloc.free(ciPtr);
+    }
+  }
+
   /// Returns the number of PIN retries remaining on the device.
   /// Returns 8 (default) if the query fails.
   int _getRetryCount(LibFido2Bindings b, Pointer dev) {
diff --git a/packages/auth/amplify_auth_cognito/lib/src/windows/windows_webauthn_platform.dart b/packages/auth/amplify_auth_cognito/lib/src/windows/windows_webauthn_platform.dart
@@ -115,6 +115,11 @@ class WindowsWebAuthnPlatform implements WebAuthnCredentialPlatform {
 
     _logger.debug('createCredential: rpId="$rpId", userName="$userName"');
 
+    // Extract authenticatorSelection options from the server response.
+    final authSelection =
+        optionsMap['authenticatorSelection'] as Map<String, dynamic>? ?? {};
+    final residentKey = authSelection['residentKey'] as String?;
+
     // Extract the challenge for building proper clientDataJSON.
     final challenge = optionsMap['challenge'] as String? ?? '';
 
@@ -235,12 +240,32 @@ class WindowsWebAuthnPlatform implements WebAuthnCredentialPlatform {
         120000,
       );
 
-      // Require a resident/discoverable credential so the passkey is stored
-      // on the device and can be used for sign-in later.
+      // Set resident/discoverable credential requirement based on the
+      // server's authenticatorSelection.residentKey option. For passwordless
+      // flows, Cognito sends 'required' or 'preferred'. The Windows API
+      // will show an error dialog to the user if the security key can't
+      // create a resident credential when required.
+      final int requireResidentKey;
+      switch (residentKey) {
+        case 'required':
+        case 'preferred':
+          // For passwordless, we need a discoverable credential even when
+          // the server says 'preferred' — a non-resident credential would
+          // register successfully but be unusable for sign-in.
+          requireResidentKey = 1; // TRUE
+        case 'discouraged':
+          requireResidentKey = 0; // FALSE
+        default:
+          requireResidentKey = 0; // FALSE — safe default
+      }
+      _logger.debug(
+        'createCredential: residentKey=$residentKey → '
+        'bRequireResidentKey=$requireResidentKey',
+      );
       _writeUint32At(
         options,
         MakeCredentialOptionsOffsets.bRequireResidentKey,
-        1, // TRUE
+        requireResidentKey,
       );
 
       // Require user verification (PIN, biometric, etc.)
diff --git a/packages/auth/amplify_auth_cognito/test/linux_webauthn_platform_test.dart b/packages/auth/amplify_auth_cognito/test/linux_webauthn_platform_test.dart
@@ -334,6 +334,78 @@ class MockLibFido2Bindings extends LibFido2Bindings {
       (_) => fidoOk;
 }
 
+/// Mock bindings that report `rk: true` in CBOR info options,
+/// simulating a key that supports resident/discoverable credentials
+/// (e.g. YubiKey 5).
+class MockLibFido2BindingsWithRk extends MockLibFido2Bindings {
+  MockLibFido2BindingsWithRk({
+    super.mockDeviceCount,
+    super.mockManifestResult,
+    super.mockOpenResult,
+    super.mockMakeCredResult,
+    super.mockGetAssertResult,
+  });
+
+  late Pointer<Pointer<Utf8>> _optionNames;
+  late Pointer<Bool> _optionValues;
+
+  @override
+  int Function(Pointer ci) get fidoCborInfoOptionsLen =>
+      (_) => 2;
+
+  @override
+  Pointer<Pointer<Utf8>> Function(Pointer ci) get fidoCborInfoOptionsNamePtr =>
+      (_) {
+        _optionNames = calloc<Pointer<Utf8>>(2);
+        _optionNames[0] = 'rk'.toNativeUtf8();
+        _optionNames[1] = 'clientPin'.toNativeUtf8();
+        return _optionNames;
+      };
+
+  @override
+  Pointer<Bool> Function(Pointer ci) get fidoCborInfoOptionsValuePtr => (_) {
+    _optionValues = calloc<Bool>(2);
+    _optionValues[0] = true; // rk = true
+    _optionValues[1] = false; // clientPin = false
+    return _optionValues;
+  };
+}
+
+/// Mock bindings that report `rk: false` in CBOR info options,
+/// simulating a key that does NOT support resident/discoverable
+/// credentials (e.g. ZUKEY 2 FIDO).
+class MockLibFido2BindingsWithoutRk extends MockLibFido2Bindings {
+  MockLibFido2BindingsWithoutRk({
+    super.mockDeviceCount,
+    super.mockManifestResult,
+    super.mockOpenResult,
+    super.mockMakeCredResult,
+    super.mockGetAssertResult,
+  });
+
+  late Pointer<Pointer<Utf8>> _optionNames;
+  late Pointer<Bool> _optionValues;
+
+  @override
+  int Function(Pointer ci) get fidoCborInfoOptionsLen =>
+      (_) => 1;
+
+  @override
+  Pointer<Pointer<Utf8>> Function(Pointer ci) get fidoCborInfoOptionsNamePtr =>
+      (_) {
+        _optionNames = calloc<Pointer<Utf8>>(1);
+        _optionNames[0] = 'clientPin'.toNativeUtf8();
+        return _optionNames;
+      };
+
+  @override
+  Pointer<Bool> Function(Pointer ci) get fidoCborInfoOptionsValuePtr => (_) {
+    _optionValues = calloc<Bool>(1);
+    _optionValues[0] = false;
+    return _optionValues;
+  };
+}
+
 void main() {
   TestWidgetsFlutterBinding.ensureInitialized();
 
@@ -513,6 +585,128 @@ void main() {
       );
     });
 
+    group('resident key capability check', () {
+      test(
+        'succeeds when residentKey=required and device supports rk',
+        () async {
+          final bindings = MockLibFido2BindingsWithRk();
+          final platform = LinuxWebAuthnPlatform(bindings: bindings);
+
+          const optionsJson = '''
+{
+  "rp": {"id": "example.com", "name": "Example"},
+  "user": {"id": "dXNlcjEyMw", "name": "testuser", "displayName": "Test User"},
+  "challenge": "Y2hhbGxlbmdl",
+  "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
+  "authenticatorSelection": {"residentKey": "required", "userVerification": "preferred"}
+}
+''';
+
+          final result = await platform.createCredential(optionsJson);
+          final decoded = jsonDecode(result) as Map<String, dynamic>;
+          expect(decoded['type'], 'public-key');
+          expect(decoded['id'], isNotEmpty);
+        },
+      );
+
+      test(
+        'throws PasskeyRegistrationFailedException when residentKey=required '
+        'and device does NOT support rk',
+        () async {
+          final bindings = MockLibFido2BindingsWithoutRk();
+          final platform = LinuxWebAuthnPlatform(bindings: bindings);
+
+          const optionsJson = '''
+{
+  "rp": {"id": "example.com", "name": "Example"},
+  "user": {"id": "dXNlcjEyMw", "name": "testuser", "displayName": "Test User"},
+  "challenge": "Y2hhbGxlbmdl",
+  "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
+  "authenticatorSelection": {"residentKey": "required", "userVerification": "preferred"}
+}
+''';
+
+          expect(
+            () => platform.createCredential(optionsJson),
+            throwsA(
+              isA<PasskeyRegistrationFailedException>().having(
+                (e) => e.message,
+                'message',
+                contains('does not support passkeys'),
+              ),
+            ),
+          );
+        },
+      );
+
+      test(
+        'throws PasskeyRegistrationFailedException when residentKey=preferred '
+        'and device does NOT support rk',
+        () async {
+          final bindings = MockLibFido2BindingsWithoutRk();
+          final platform = LinuxWebAuthnPlatform(bindings: bindings);
+
+          const optionsJson = '''
+{
+  "rp": {"id": "example.com", "name": "Example"},
+  "user": {"id": "dXNlcjEyMw", "name": "testuser", "displayName": "Test User"},
+  "challenge": "Y2hhbGxlbmdl",
+  "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
+  "authenticatorSelection": {"residentKey": "preferred", "userVerification": "preferred"}
+}
+''';
+
+          expect(
+            () => platform.createCredential(optionsJson),
+            throwsA(isA<PasskeyRegistrationFailedException>()),
+          );
+        },
+      );
+
+      test(
+        'succeeds without authenticatorSelection (no rk check needed)',
+        () async {
+          final bindings = MockLibFido2Bindings();
+          final platform = LinuxWebAuthnPlatform(bindings: bindings);
+
+          const optionsJson = '''
+{
+  "rp": {"id": "example.com", "name": "Example"},
+  "user": {"id": "dXNlcjEyMw", "name": "testuser", "displayName": "Test User"},
+  "challenge": "Y2hhbGxlbmdl",
+  "pubKeyCredParams": [{"type": "public-key", "alg": -7}]
+}
+''';
+
+          final result = await platform.createCredential(optionsJson);
+          final decoded = jsonDecode(result) as Map<String, dynamic>;
+          expect(decoded['type'], 'public-key');
+        },
+      );
+
+      test(
+        'succeeds when residentKey=discouraged even without rk support',
+        () async {
+          final bindings = MockLibFido2BindingsWithoutRk();
+          final platform = LinuxWebAuthnPlatform(bindings: bindings);
+
+          const optionsJson = '''
+{
+  "rp": {"id": "example.com", "name": "Example"},
+  "user": {"id": "dXNlcjEyMw", "name": "testuser", "displayName": "Test User"},
+  "challenge": "Y2hhbGxlbmdl",
+  "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
+  "authenticatorSelection": {"residentKey": "discouraged"}
+}
+''';
+
+          final result = await platform.createCredential(optionsJson);
+          final decoded = jsonDecode(result) as Map<String, dynamic>;
+          expect(decoded['type'], 'public-key');
+        },
+      );
+    });
+
     group('getCredential', () {
       test('returns JSON response on success', () async {
         final bindings = MockLibFido2Bindings();
