Webauthn Credential ID length too short

[spotlightishere]

Description

Hi all 👋 I recently received a new FIDO2 security key, a SoloKey v2.

Upon registering it to my Gitea instance, a server error was encountered:

WebauthnRegisterPost() [E] [62db09ae] CreateCredential: pq: value too long for type character varying(410)

While debugging this, I noticed that a 270 byte credential ID was generated for my instance. It seems that the current maximum credential ID length is 255 bytes:

gitea/models/migrations/v210.go

Line 28 in 886b1de

CredentialID string `xorm:"INDEX VARCHAR(410)"` // CredentalID in U2F is at most 255bytes / 5 * 8 = 408 - add a few extra characters for safety

After some tentative searching through the linked WebAuthn specification, I noticed the following:

Credential ID

A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions. At most 1023 bytes long.

I think this issue could be resolved by changing the maximum credential ID length to 1023 bytes raw, or 1640 bytes base32-encoded (per head -c 1023 /dev/random | base32 --wrap=0 | wc -c).

Gitea Version

1.17.0-rc2

Can you reproduce the bug on the Gitea demo site?

No - its credential ID was exactly 255 bytes, which probably shouldn't be relied on

Log Gist

https://gist.github.com/spotlightishere/8bcfd9591ca7ec421873091c77644e91

Screenshots

No response

Git Version

No response

Operating System

Debian 11

How are you running Gitea?

Downloaded from https://dl.gitea.io/, running underneath systemd

Database

PostgreSQL

[Gusted]

CC @zeripath migration v4? Didn't expect another issue to pop up after you fiddling with this for so long.

For context: #18770 this isn't the first time issues with this length has popped up.

[zeripath]

ffs.

They changed the spec.

THIS WAS THE SPEC https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#credential-id

[Gusted]

w3c/webauthn#1664 changed the spec

[zeripath]

anyway we'll need yet another migration and we'll need to backport the other migration changes.

I don't know what we can do for 1.16 - a doctor command perhaps.

[Gusted]

1.17 should be around the corner. There aren't any other commit pending for a 1.16.10 release. "Just upgrade" advice?

[zeripath]

As an aside:

This is literally unbelievable they changed the spec 2 days ago and we're already getting behaviour that demands the new spec?!

It's just unreasonable