FB: ser

Author: incorbador

packages/connect-react/src/types/flags.ts

@@ -12,6 +12,15 @@ export class Flags {
   addFlags(items: Record<string, string>) {
     for (const [name, value] of Object.entries(items)) {
       this.items[name] = value;
+
+      if (
+        name === keyConditionalUI &&
+        value === 'false' &&
+        this.items[keyEventLow] &&
+        this.items[keyEventLow] === 'true'
+      ) {
+        this.items[keyEventLow] = 'false';
+      }
     }
   }
 

packages/web-core/src/services/WebAuthnService.ts

@@ -74,16 +74,22 @@ export class WebAuthnService {
       } as never)) as PublicKeyCredential;
     }
 
+    if (WebAuthnService.isInjectedCredential(credential) || !credential.toJSON) {
+      return {
+        response: JSON.stringify(createResponseToJSON(credential)),
+        message: 'using fallback serializer (extension-injected credential)',
+      };
+    }
+
     try {
-      console.log('credential', credential);
       return {
         response: JSON.stringify(credential.toJSON()),
         message: '',
       };
     } catch (e) {
       return {
         response: JSON.stringify(createResponseToJSON(credential)),
-        message: 'toJSON() not available on PublicKeyCredential',
+        message: 'toJSON() threw on PublicKeyCredential',
       };
     }
   }
@@ -134,6 +140,13 @@ export class WebAuthnService {
       signal: abortController.signal,
     })) as PublicKeyCredential;
 
+    if (WebAuthnService.isInjectedCredential(credential) || !credential.toJSON) {
+      return {
+        response: JSON.stringify(getResponseToJSON(credential)),
+        message: 'using fallback serializer (extension-injected credential)',
+      };
+    }
+
     try {
       return {
         response: JSON.stringify(credential.toJSON()),
@@ -142,7 +155,7 @@ export class WebAuthnService {
     } catch (e) {
       return {
         response: JSON.stringify(getResponseToJSON(credential)),
-        message: 'toJSON() not available on PublicKeyCredential',
+        message: 'toJSON() threw on PublicKeyCredential',
       };
     }
   }
@@ -339,6 +352,32 @@ export class WebAuthnService {
     }
   }
 
+  /**
+   * Detects whether a `PublicKeyCredential` was returned by a browser-extension
+   * password manager (e.g. Dashlane, 1Password, Bitwarden) rather than the
+   * browser's native WebAuthn implementation.
+   *
+   * Such extensions monkey-patch `navigator.credentials.get/create` and return
+   * an object that lacks the WebAuthn internal slots. Calling the native
+   * `PublicKeyCredential.prototype.toJSON()` on these objects either throws
+   * `TypeError: Illegal invocation` or silently returns empty buffers
+   * (`clientDataJSON`, `attestationObject`, `signature`, ...).
+   *
+   * Heuristic: real credentials inherit `getClientExtensionResults` from the
+   * prototype; injected ones replace it with an own function.
+   *
+   * See https://github.com/bitwarden/clients/issues/12060.
+   */
+  static isInjectedCredential(credential: PublicKeyCredential): boolean {
+    try {
+      return (
+        credential.getClientExtensionResults !== PublicKeyCredential.prototype.getClientExtensionResults
+      );
+    } catch (e) {
+      return true;
+    }
+  }
+
   static async raceWithTimeout<T>(p: Promise<T>, ms: number): Promise<T> {
     const timeout = new Promise<never>((_, reject) =>
       setTimeout(() => reject(new ConnectError(ConnectErrorType.RaceTimeout, `timeout of ${ms}ms reached`)), ms),