
Conversation


@james-d-elliott james-d-elliott commented Aug 26, 2025

The attestation format none does not include attestation data and therefore cannot be validated against MDS3 metadata. Previously the login flow attempted to validate it, which caused unnecessary failures for authenticators using the none format. This change ensures that none is explicitly exempt from MDS3 validation, allowing logins with such authenticators to succeed as expected. The registration flow already implements this measure.

Fixes #387

@james-d-elliott james-d-elliott requested a review from a team as a code owner August 26, 2025 05:01

coderabbitai bot commented Aug 26, 2025


📥 Commits

Reviewing files that changed from the base of the PR and between b2ac688 and 7890c15.

📒 Files selected for processing (1)
  • README.md (1 hunks)

Walkthrough

Adds attestationFormat to protocol.ValidateMetadata and updates callers in attestation verification and login. Introduces an early return in metadata validation when attestation format is none. Minor comment correction in login.go. No other control-flow or error-handling changes.

Changes

Cohort / File(s) Summary
Metadata validation API + logic
protocol/metadata.go, protocol/attestation.go
Extend ValidateMetadata signature to include attestationFormat; propagate a.Format from VerifyAttestation; add guard to skip validation when AttestationFormatNone; otherwise unchanged.
Login flow call-site update
webauthn/login.go
Update validateLogin to pass credential.AttestationType as the new argument in ValidateMetadata call; minor comment grammar tweak.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant RP as RelyingParty
  participant Login as validateLogin
  participant Proto as protocol.ValidateMetadata
  participant MDS as metadata.Provider

  RP->>Login: Login request (credential)
  Login->>Proto: ValidateMetadata(ctx, mds, aaguid, attestationType="", attestationFormat, x5cs=nil)
  alt attestationFormat == "none"
    Proto-->>Login: return nil (skip)
  else attestationFormat != "none"
    Proto->>MDS: Lookup AAGUID / entries
    MDS-->>Proto: Metadata entries
    Proto-->>Login: Validation result
  end
  Login-->>RP: Continue login flow

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

Objective Addressed Explanation
Skip metadata validation during login when no attestation is present (AttestationFormatNone) [#387]

Assessment against linked issues: Out-of-scope changes

Code Change Explanation
Comment grammar fix in validateLogin (webauthn/login.go) Non-functional documentation change not tied to #387.

@james-d-elliott james-d-elliott changed the title fix(webauthn): skip mds validation for none format during login fix(webauthn): skip mds validation for none format Aug 26, 2025

codecov bot commented Aug 26, 2025

Codecov Report

❌ Patch coverage is 0% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 44.97%. Comparing base (46046ca) to head (7890c15).
⚠️ Report is 1 commit behind head on master.

Files with missing lines Patch % Lines
protocol/metadata.go 0.00% 4 Missing ⚠️
webauthn/login.go 0.00% 2 Missing ⚠️
protocol/attestation.go 0.00% 1 Missing ⚠️
@@            Coverage Diff             @@
##           master     #497      +/-   ##
==========================================
- Coverage   45.01%   44.97%   -0.05%     
==========================================
  Files          37       37              
  Lines        3328     3331       +3     
==========================================
  Hits         1498     1498              
- Misses       1625     1628       +3     
  Partials      205      205              
Files with missing lines Coverage Δ
protocol/attestation.go 57.44% <0.00%> (ø)
webauthn/login.go 34.36% <0.00%> (ø)
protocol/metadata.go 0.00% <0.00%> (ø)
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (4)
protocol/attestation.go (1)

213-219: Consider threading through a caller-supplied context instead of context.Background().

Not urgent, but using context.Background() here prevents upstream request cancellation/timeouts from propagating into MDS calls. If feasible, extend the API to accept a context.Context and pass it down.

protocol/metadata.go (2)

27-27: Typo in user-facing error message ("retreiving" → "retrieving").

Minor but user-visible in logs; worth correcting:

- return ErrMetadata.WithInfo(fmt.Sprintf("Failed to validate authenticator metadata for Authenticator Attestation GUID '%s'. Error occurred retreiving the metadata entry: %+v", aaguid, err))
+ return ErrMetadata.WithInfo(fmt.Sprintf("Failed to validate authenticator metadata for Authenticator Attestation GUID '%s'. Error occurred retrieving the metadata entry: %+v", aaguid, err))

13-21: Document parameter semantics to avoid future misuse.

Given two adjacent string params whose meanings are easy to mix up, add a brief doc comment clarifying expected values (e.g., attestationType: "basic|self|attca|anonca|none"; attestationFormat: "packed|tpm|android-key|android-safetynet|fido-u2f|apple|none"). This will reduce future footguns.

webauthn/login.go (1)

354-364: Minor readability: redundant assignment to found=false in loop.

found is already false before the loop; resetting it on each non-match is unnecessary and slightly obscures intent.

- for _, credential = range credentials {
-     if bytes.Equal(credential.ID, parsedResponse.RawID) {
-         found = true
-         break
-     }
-     found = false
- }
+ for _, credential = range credentials {
+     if bytes.Equal(credential.ID, parsedResponse.RawID) {
+         found = true
+         break
+     }
+ }
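Review bot: The suggested removal is behaviour-preserving: `found` starts out false and the `break` leaves it true on the first match, so the trailing `found = false` can only ever rewrite a value that is already false. One thing worth keeping in view: the loop assigns through the outer variable (`for _, credential = range credentials`), so after a loop with no match `credential` still holds the last element; whatever post-loop check on `found` prevents that stale value from being used must stay in place when this simplification is applied.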
📥 Commits

Reviewing files that changed from the base of the PR and between 46046ca and b2ac688.

📒 Files selected for processing (3)
  • protocol/attestation.go (1 hunks)
  • protocol/metadata.go (1 hunks)
  • webauthn/login.go (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (3)
protocol/metadata.go (1)
protocol/options.go (2)
  • AttestationFormat (194-194)
  • AttestationFormatNone (224-224)
protocol/attestation.go (1)
protocol/metadata.go (1)
  • ValidateMetadata (13-110)
webauthn/login.go (2)
protocol/metadata.go (1)
  • ValidateMetadata (13-110)
webauthn/types.go (1)
  • Config (29-76)
🔇 Additional comments (4)
protocol/attestation.go (1)

217-219: Passes attestation format into metadata validation — aligns with intent to gate on "none".

Good call to include a.Format when invoking ValidateMetadata. This enables the callee to short-circuit for the "none" case and keeps attestation-type checks orthogonal to attestation-format handling.

protocol/metadata.go (1)

1-110: ValidateMetadata signature change acknowledged – internal updates complete

The ValidateMetadata function signature in protocol/metadata.go was modified to:

func ValidateMetadata(
    ctx context.Context,
    mds metadata.Provider,
    aaguid uuid.UUID,
    attestationType string,
    attestationFormat string,
    x5cs []any,
) *Error

All internal call sites have been updated to match the new parameter order:

  • webauthn/login.go:385
    protocol.ValidateMetadata(context.Background(), webauthn.Config.MDS, aaguid, "", credential.AttestationType, nil)

  • protocol/attestation.go:217
    ValidateMetadata(context.Background(), mds, aaguid, attestationType, a.Format, x5cs)

No further code changes are required within this codebase. However, because this is a public API break, please:

• Add a clear note to the upcoming release’s breaking changes section, calling out the updated signature and its parameter order.
• Verify any downstream consumers (external projects or clients) update their call sites accordingly.

webauthn/login.go (2)

375-375: Grammar nit fixed.

“are not used” reads better. Thanks for tightening the comment.


376-388: Security posture check: intentionally skipping MDS on "none".

This change prevents status checks for “none” credentials as well (revocations, compromised reports). That matches the issue’s objective and registration behavior, but do verify this is acceptable for your deployment and threat model.

Would you like a targeted unit test that ensures:

  • login skips MDS when attestation is “none” and succeeds, and
  • login still enforces MDS status for non-“none” credentials?

I can draft it using a stubbed metadata.Provider.
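The following is an added, self-contained Go model of the guard this PR introduces (the early return in ValidateMetadata when the attestation format is none, described in the Walkthrough and in the signature quoted above) together with the stubbed-provider test the review comment proposes. It is not go-webauthn's code: Provider, Entry, stubProvider, the error values, the status set and the AAGUID strings are constructed stand-ins for metadata.Provider and MDS3 entries, and the attestation-type check is a simplified version of what the real function does with its attestationType and x5cs arguments.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Attestation format names as they appear on the wire. The PR refers to
// protocol.AttestationFormatNone; these constants are local stand-ins.
const (
	AttestationFormatNone   = "none"
	AttestationFormatPacked = "packed"
)

// Entry is a constructed, minimal stand-in for an MDS3 metadata entry.
// Status values follow the MDS3 AuthenticatorStatus enum.
type Entry struct {
	AAGUID           string
	Status           string
	AttestationTypes []string
}

// Provider is a hypothetical stand-in for the library's metadata.Provider.
type Provider interface {
	GetEntry(ctx context.Context, aaguid string) (*Entry, error)
}

var (
	ErrMetadataLookup = errors.New("metadata entry lookup failed")
	ErrMetadataStatus = errors.New("authenticator status is not acceptable")
	ErrMetadataType   = errors.New("attestation type not listed in metadata")
)

// Statuses that indicate a compromised or revoked authenticator.
var unacceptableStatus = map[string]bool{
	"REVOKED":                      true,
	"ATTESTATION_KEY_COMPROMISE":   true,
	"USER_KEY_REMOTE_COMPROMISE":   true,
	"USER_KEY_PHYSICAL_COMPROMISE": true,
}

// validateMetadata models the guard added by the PR: a "none" attestation
// statement carries no data to verify, so the function returns nil before it
// consults the provider. Every other format is looked up and checked.
func validateMetadata(ctx context.Context, mds Provider, aaguid, attestationType, attestationFormat string) error {
	if attestationFormat == AttestationFormatNone {
		return nil
	}
	if mds == nil {
		return nil // no provider configured: nothing to validate against
	}
	entry, err := mds.GetEntry(ctx, aaguid)
	if err != nil {
		return fmt.Errorf("%w for AAGUID %s: %v", ErrMetadataLookup, aaguid, err)
	}
	if unacceptableStatus[entry.Status] {
		return fmt.Errorf("%w: AAGUID %s has status %s", ErrMetadataStatus, aaguid, entry.Status)
	}
	// The login call site passes "" for the type (as in the PR), which skips this check.
	if attestationType != "" && !contains(entry.AttestationTypes, attestationType) {
		return fmt.Errorf("%w: %s", ErrMetadataType, attestationType)
	}
	return nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// stubProvider is an in-memory Provider for tests. Calls counts lookups so a
// test can prove that the "none" path never touches metadata.
type stubProvider struct {
	entries map[string]*Entry
	Calls   int
}

func (s *stubProvider) GetEntry(_ context.Context, aaguid string) (*Entry, error) {
	s.Calls++
	if e, ok := s.entries[aaguid]; ok {
		return e, nil
	}
	return nil, fmt.Errorf("no entry for %s", aaguid)
}

// newStubProvider returns a provider holding two constructed sample entries:
// one certified authenticator and one whose key was revoked.
func newStubProvider() *stubProvider {
	return &stubProvider{entries: map[string]*Entry{
		"00000000-0000-0000-0000-0000000000aa": {AAGUID: "00000000-0000-0000-0000-0000000000aa", Status: "FIDO_CERTIFIED", AttestationTypes: []string{"basic"}},
		"00000000-0000-0000-0000-0000000000bb": {AAGUID: "00000000-0000-0000-0000-0000000000bb", Status: "REVOKED", AttestationTypes: []string{"basic"}},
	}}
}

func main() {
	mds := newStubProvider()
	ctx := context.Background()
	revoked := "00000000-0000-0000-0000-0000000000bb"
	fmt.Println("none   :", validateMetadata(ctx, mds, revoked, "", AttestationFormatNone))
	fmt.Println("packed :", validateMetadata(ctx, mds, revoked, "", AttestationFormatPacked))
	fmt.Println("lookups:", mds.Calls)
}
```

The trade-off raised in the security posture comment above is visible in the output: the revoked AAGUID passes when presented with format none (and the provider is never called), but is rejected with any other format. A deployment that needs revocation checks on such credentials has to obtain them some other way, since a none statement gives the relying party nothing to bind the AAGUID to.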

@james-d-elliott james-d-elliott merged commit a1b2775 into master Aug 26, 2025
11 of 13 checks passed
@james-d-elliott james-d-elliott deleted the fix-att-format-none branch August 26, 2025 05:22
Development

Successfully merging this pull request may close these issues.

Metadata validation is performed during login on credentials with no attestation

2 participants