TypeScript-DOM-lib-generator icon indicating copy to clipboard operation
TypeScript-DOM-lib-generator copied to clipboard
verified publisher icon microsoft

`authenticatorAttachment` field on `PublicKeyCredential` is incompatible with Firefox

Open lgarron opened this issue 3 years ago • 1 comments

@uwolfer informed me at https://github.com/github/webauthn-json/issues/73#issuecomment-1385957680 that TypeScript 4.9.4 includes:

interface PublicKeyCredential extends Credential {
    readonly authenticatorAttachment: string | null;
    // ...
}

However, Firefox does not support this field yet. I was unable to find any plans for Firefox to implement it, so I've filed a bug to get more information: https://bugzilla.mozilla.org/show_bug.cgi?id=1810851

It's not uncommon for browsers to lack support for specific details of a living spec, but this one has some of the trickier aspects:

  • WebAuthn has only two main API calls (create and get), attached to the Credential management API. The types are very unintuitive to understand and debug.
  • There is no way to feature detect the lack of support. If I were accessing the field, the main thing that would tip me off that I need to be careful... would be that the TypeScript type has the field as optional.
  • WebAuthn can be hard to test in CI. There is a protocol for interacting with it using browser automation, but it's not available from browser testing frameworks like Puppeteer.
  • Firefox has support for significant features of WebAuthn, but it varies significantly by platform. For example, it does not have platform authenticator or passkey support on macOS. This can make it a headache to test, and I wouldn't be surprised if developers skip Firefox for WebAuthn testing.
  • caniuse does not have information on support for this specific field: https://github.com/Fyrd/caniuse/issues/5649

Also, this field was only added to TypeScript recently, so I don't think there is going to be a significant amount of code out there that relies on the field to be non-optional. (And as covered above, they'd be mistaken if they assume their code works in Firefox.)

For these reasons, I'd like to advocate for lib.dom.d.ts to mark the field as optional, until Firefox has support:

interface PublicKeyCredential extends Credential {
    readonly authenticatorAttachment: string | null | undefined;
    // ...
}

lgarron avatar Jan 17 '23 20:01 lgarron

This is also an issue on the following methods of AuthenticatorAttestationResponse and AuthenticatorAssertionResponse, none of which are implemented in Firefox:

interface AuthenticatorAttestationResponse extends AuthenticatorResponse {
    // ...
    getAuthenticatorData(): ArrayBuffer;
    getPublicKey(): ArrayBuffer | null;
    getPublicKeyAlgorithm(): COSEAlgorithmIdentifier;
    getTransports(): string[];
}

However, this is less likely to bite developers in practice, because it currently takes two type assertions to get the relevant field from the WebAuthn API without hacks:

const c = await navigator.credentials.create(options); // type: Credential
const pkc = c as PublicKeyCredential;

const { response } = pkc; // type: AuthenticatorResponse
const aar = pkc.response as AuthenticatorAttestationResponse;

console.log(aar);

lgarron avatar Jan 17 '23 21:01 lgarron