Merge pull request #19 from YubicoLabs/wip/v2.1.0

Wip/v2.1.0

Author: elukewalker

NEWS

@@ -1,4 +1,11 @@
-== Version 2.0.0 RC ==
+== Version 2.1.0 ==
+
+- Integration with FIDO MDS
+- Automatic nicknames given to authenticators through MDS
+- New Edit modal for Trusted Devices
+- Various bug fixes for internationalization, Android resident key settings, and Safari user handle default values
+
+== Version 2.0.0 ==
 
 - Updated look and feel of UI
 - Attestation data now displayed to the user (if they are using a YubiKey)

backend/lambda-functions/CreateAuth/CreateAuthChallengeFIDO2.js

@@ -131,9 +131,9 @@ async function getCreateCredentialsOptions(event, creds) {
 
         const coseLookup = {"ES256": -7, "EdDSA": -8, "RS256": -257};
 
-        startRegisterPayload.requestId = startRegisterPayload.requestId.base64;
-        startRegisterPayload.publicKeyCredentialCreationOptions.user.id = startRegisterPayload.publicKeyCredentialCreationOptions.user.id.base64;
-        startRegisterPayload.publicKeyCredentialCreationOptions.challenge = startRegisterPayload.publicKeyCredentialCreationOptions.challenge.base64;
+        startRegisterPayload.requestId = startRegisterPayload.requestId.base64url;
+        startRegisterPayload.publicKeyCredentialCreationOptions.user.id = startRegisterPayload.publicKeyCredentialCreationOptions.user.id.base64url;
+        startRegisterPayload.publicKeyCredentialCreationOptions.challenge = startRegisterPayload.publicKeyCredentialCreationOptions.challenge.base64url;
         startRegisterPayload.publicKeyCredentialCreationOptions.attestation = startRegisterPayload.publicKeyCredentialCreationOptions.attestation.toLowerCase();
         startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.userVerification = startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.userVerification.toLowerCase();
         startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.authenticatorAttachment = authSelectorResolve[startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.authenticatorAttachment];
@@ -179,14 +179,14 @@ async function getCredentialsOptions(username) {
         let startAuthPayload = JSON.parse(JSON.parse(response.Payload));
         console.log("startAuthPayload: ", startAuthPayload);
 
-        startAuthPayload.requestId = startAuthPayload.requestId.base64;
+        startAuthPayload.requestId = startAuthPayload.requestId.base64url;
         console.log("requestId: ", startAuthPayload.requestId);
         startAuthPayload.publicKeyCredentialRequestOptions.userVerification = startAuthPayload.publicKeyCredentialRequestOptions.userVerification.toLowerCase();
-        startAuthPayload.publicKeyCredentialRequestOptions.challenge = startAuthPayload.publicKeyCredentialRequestOptions.challenge.base64;
+        startAuthPayload.publicKeyCredentialRequestOptions.challenge = startAuthPayload.publicKeyCredentialRequestOptions.challenge.base64url;
         console.log("challenge: ", startAuthPayload.publicKeyCredentialRequestOptions.challenge);
         startAuthPayload.publicKeyCredentialRequestOptions.allowCredentials = startAuthPayload.publicKeyCredentialRequestOptions.allowCredentials.map( (cred) => { 
             cred.type = cred.type.toLowerCase().replace('_','-');
-            cred.id = cred.id.base64;
+            cred.id = cred.id.base64url;
             return cred
         });
         console.log("response payload: ", startAuthPayload);

backend/lambda-functions/FIDO2KitAPI/FIDO2KitAPI.js

@@ -180,7 +180,7 @@ async function updateFIDO2CredentialNickname(username, body) {
     const payload = JSON.stringify({
         "type": "updateCredentialNickname",
         "username": username,
-        "credentialId": data.credential.credentialId.base64,
+        "credentialId": data.credential.credentialId.base64url,
         "nickname": data.credentialNickname.value,
     });
     console.log("updateCredentialNickname request payload: "+payload);
@@ -264,15 +264,15 @@ async function startUsernamelessAuthentication() {
         let startAuthPayload = JSON.parse(JSON.parse(response.Payload));
         console.log("startAuthPayload: ", startAuthPayload);
 
-        startAuthPayload.requestId = startAuthPayload.requestId.base64;
+        startAuthPayload.requestId = startAuthPayload.requestId.base64url;
         console.log("requestId: ", startAuthPayload.requestId);
         startAuthPayload.publicKeyCredentialRequestOptions.userVerification = startAuthPayload.publicKeyCredentialRequestOptions.userVerification.toLowerCase();
-        startAuthPayload.publicKeyCredentialRequestOptions.challenge = startAuthPayload.publicKeyCredentialRequestOptions.challenge.base64;
+        startAuthPayload.publicKeyCredentialRequestOptions.challenge = startAuthPayload.publicKeyCredentialRequestOptions.challenge.base64url;
         console.log("challenge: ", startAuthPayload.publicKeyCredentialRequestOptions.challenge);
         if(startAuthPayload.publicKeyCredentialRequestOptions.allowCredentials){
             startAuthPayload.publicKeyCredentialRequestOptions.allowCredentials = startAuthPayload.publicKeyCredentialRequestOptions.allowCredentials.map( (cred) => { 
                 cred.type = cred.type.toLowerCase().replace('_','-');
-                cred.id = cred.id.base64;
+                cred.id = cred.id.url;
                 return cred
             });
         }
@@ -289,18 +289,11 @@ async function startUsernamelessAuthentication() {
 async function startRegisterFIDO2Credential(profile, body, uid) {
     console.log("startRegisterFIDO2Credential userId: "+profile.id+" body:",body);
     const jsonBody = JSON.parse(body);
-
-    let invalidResult = validate({nickname: jsonBody.nickname}, constraints);
-    console.log("nickname invalidResult: ", invalidResult);
-    if(invalidResult && invalidResult.nickname) {
-        return error(invalidResult.nickname.join(". "));
-    }
 
     const payload = JSON.stringify({
         "type": "startRegistration",
         "username": profile.username,
         "displayName": profile.username,
-        "credentialNickname": jsonBody.nickname,
         "requireResidentKey": jsonBody.requireResidentKey,
         "requireAuthenticatorAttachment": jsonBody.requireAuthenticatorAttachment,
         "uid": uid
@@ -322,14 +315,13 @@ async function startRegisterFIDO2Credential(profile, body, uid) {
 
         const coseLookup = {"ES256": -7, "EdDSA": -8, "RS256": -257};
 
-        startRegisterPayload.requestId = startRegisterPayload.requestId.base64;
-        startRegisterPayload.publicKeyCredentialCreationOptions.user.id = startRegisterPayload.publicKeyCredentialCreationOptions.user.id.base64;
-        startRegisterPayload.publicKeyCredentialCreationOptions.challenge = startRegisterPayload.publicKeyCredentialCreationOptions.challenge.base64;
+        startRegisterPayload.requestId = startRegisterPayload.requestId.base64url;
+        startRegisterPayload.publicKeyCredentialCreationOptions.user.id = startRegisterPayload.publicKeyCredentialCreationOptions.user.id.base64url;
+        startRegisterPayload.publicKeyCredentialCreationOptions.challenge = startRegisterPayload.publicKeyCredentialCreationOptions.challenge.base64url;
         startRegisterPayload.publicKeyCredentialCreationOptions.attestation = startRegisterPayload.publicKeyCredentialCreationOptions.attestation.toLowerCase();
         startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.userVerification = startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.userVerification.toLowerCase();
         startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.residentKey = startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.residentKey.toLowerCase();
-        startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.requireResidentKey = false;
-        if(startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.residentKey === "required") {
+        if(startRegisterPayload.requireResidentKey) {
             startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.requireResidentKey = true;
         }
         startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.authenticatorAttachment = authSelectorResolve[startRegisterPayload.publicKeyCredentialCreationOptions.authenticatorSelection.authenticatorAttachment];
@@ -341,7 +333,7 @@ async function startRegisterFIDO2Credential(profile, body, uid) {
         });
         startRegisterPayload.publicKeyCredentialCreationOptions.excludeCredentials = startRegisterPayload.publicKeyCredentialCreationOptions.excludeCredentials.map( (cred) => { 
             cred.type = cred.type.toLowerCase().replace('_','-');
-            cred.id = cred.id.base64;
+            cred.id = cred.id.base64url;
             console.log("cred: "+ JSON.stringify(cred));
             return cred;
         });

backend/lambda-functions/JavaWebAuthnLib/pom.xml

@@ -64,6 +64,30 @@
             <version>2.13.1</version>
         </dependency>
 
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>2.13.2</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+            <version>2.13.2</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-jdk8</artifactId>
+            <version>2.13.2</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-jsr310</artifactId>
+            <version>2.13.2</version>
+        </dependency>
+
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>url-connection-client</artifactId>
@@ -124,13 +148,32 @@
         <dependency>
             <groupId>com.yubico</groupId>
             <artifactId>webauthn-server-core</artifactId>
-            <version>1.12.1</version>
+            <version>2.0.0</version>
         </dependency>
 
         <dependency>
             <groupId>com.yubico</groupId>
             <artifactId>webauthn-server-attestation</artifactId>
-            <version>1.12.1</version>
+            <version>2.0.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.yubico</groupId>
+            <artifactId>yubico-util</artifactId>
+            <version>2.0.0</version>
+        </dependency>
+
+
+        <dependency>
+            <groupId>com.upokecenter</groupId>
+            <artifactId>cbor</artifactId>
+            <version>4.5.2</version>
+        </dependency>
+        
+        <dependency>
+            <groupId>com.augustcellars.cose</groupId>
+            <artifactId>cose-java</artifactId>
+            <version>1.1.0</version>
         </dependency>
 
         <!-- Test Dependencies -->

backend/lambda-functions/JavaWebAuthnLib/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolverWithEquality.java

@@ -0,0 +1,29 @@
+package com.yubicolabs.data;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import java.util.Set;
+
+import com.yubico.fido.metadata.AttachmentHint;
+import com.yubico.webauthn.data.AuthenticatorTransport;
+
+import lombok.Builder;
+import lombok.Value;
+import lombok.With;
+
+@Value
+@Builder
+@With
+public class AttestationRegistration {
+  @JsonInclude(JsonInclude.Include.NON_NULL)
+  public String aaguid;
+  @JsonInclude(JsonInclude.Include.NON_NULL)
+  public String aaid;
+  @JsonInclude(JsonInclude.Include.NON_NULL)
+  public Set<AttachmentHint> attachmentHint;
+  @JsonInclude(JsonInclude.Include.NON_NULL)
+  public String icon;
+  @JsonInclude(JsonInclude.Include.NON_NULL)
+  public String description;
+  @JsonInclude(JsonInclude.Include.NON_NULL)
+  public Set<AuthenticatorTransport> authenticatorTransport;
+}

backend/lambda-functions/JavaWebAuthnLib/src/main/java/com/yubicolabs/App.java

@@ -3,7 +3,6 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.yubico.webauthn.RegisteredCredential;
-import com.yubico.webauthn.attestation.Attestation;
 import com.yubico.webauthn.data.UserIdentity;
 import java.time.Instant;
 import java.util.Optional;
@@ -13,7 +12,7 @@
 
 @Value
 @Builder
-@With 
+@With
 public class CredentialRegistration {
 
     long signatureCount;
@@ -33,7 +32,7 @@ public class CredentialRegistration {
 
     RegisteredCredential credential;
 
-    Optional<Attestation> attestationMetadata;
+    Optional<AttestationRegistration> attestationMetadata;
 
     RegistrationRequest registrationRequest;
 
@@ -57,4 +56,3 @@ public String getUsername() {
     }
 
 }
-

backend/lambda-functions/JavaWebAuthnLib/src/main/java/com/yubicolabs/data/AttestationRegistration.java

@@ -42,7 +42,20 @@
     "add-form-label": "Nickname",
     "date-last-used": "Date last used:",
     "delete-button": "Delete",
-    "trusted-devices": "Trusted Devices"
+    "trusted-devices": "Trusted Devices",
+    "edit-button": "Edit",
+    "edit-header": "Edit your Trusted Device",
+    "edit-form-label": "Nickname",
+    "edit-usernameless": "Usernameless a.k.a. Client-Side Discoverable Credential:",
+    "edit-cancel-button": "Cancel",
+    "edit-delete-button": "Delete",
+    "edit-save-button": "Save changes",
+    "att-device-name": "Device name:",
+    "att-device-info": "Device info",
+    "att-device-interfaces": "Available interfaces:",
+    "att-aaguid": "Device AAGUID:",
+    "att-aaid": "Device AAID:",
+    "yubico-att-label": "Device Information:"
   },
   "logout": "Thank you for joining us!",
   "registration": {
@@ -54,6 +67,7 @@
     "add-key-2": "Follow the steps in the browser",
     "add-key-3": "Give your Security Key a nickname to easily identify it later",
     "primary-button": "Continue",
+    "secondary-button": "Continue without editing credential nickname",
     "primary-button-loading": "Creating your account",
     "success-header": "Security Key added",
     "success-prompt": "You have successfully registered your Security Key",
@@ -88,10 +102,12 @@
     "last-time-used": "Last used time:",
     "last-update-time": "Last updates time:",
     "registration-time": "Registration time:",
-    "yubico-att-label": "Yubico Device Information:",
+    "yubico-att-label": "Device Information:",
     "att-device-name": "Device name:",
     "att-device-info": "Device info",
     "att-device-interfaces": "Available interfaces:",
+    "att-aaguid": "Device AAGUID:",
+    "att-aaid": "Device AAID:",
     "edit-cancel-button": "Cancel",
     "edit-delete-button": "Delete",
     "edit-save-button": "Save changes"
@@ -133,7 +149,8 @@
     "generate-codes": "Generate new recovery codes",
     "generate-codes-text": "When you generate new recovery codes, you must copy them to a safe spot. Your old codes will not work anymore.",
     "generate-codes-button": "Generate",
-    "close-button": "Close"
+    "close-button": "Not now, ask me again later",
+    "ignore": "Ignore, and don't ask again"
   },
   "sv-pin": {
     "enter-pin": "Enter U2F Password",
@@ -184,7 +201,7 @@
         "If prompted, select Use Face ID",
         "Allow your device to scan your face"
       ],
-      "HELLO": [
+      "WINDOWS_HELLO": [
         "In the prompt, select Built in Authenticator",
         "Scan your Fingerprint or enter your PIN"
       ]

backend/lambda-functions/JavaWebAuthnLib/src/main/java/com/yubicolabs/data/CredentialRegistration.java

@@ -64,7 +64,7 @@ const RegisterKeySuccessStep = function ({ setForm, formData, navigation }) {
       const credentialToUpdate = {
         credential: {
           credentialId: {
-            base64: ls_credential.id,
+            base64url: ls_credential.id,
           },
         },
         credentialNickname: {
@@ -91,6 +91,10 @@ const RegisterKeySuccessStep = function ({ setForm, formData, navigation }) {
     dispatch(credentialActions.validateCredentialNickname(nickname));
   }
 
+  function skipStep() {
+    history.push("/");
+  }
+
   return (
     <>
       <div className={styles.default["textCenter"]}>
@@ -125,6 +129,9 @@ const RegisterKeySuccessStep = function ({ setForm, formData, navigation }) {
             variant="primary btn-block mt-3">
             {t("registration.primary-button")}{" "}
           </Button>
+          <Button onClick={() => skipStep()} variant="secondary btn-block mt-3">
+            {t("registration.secondary-button")}{" "}
+          </Button>
         </div>
       </div>
     </>

backend/template.yaml

@@ -11,6 +11,7 @@ import AddCredentialGuidance from "./AddCredentialGuidance";
 // eslint-disable-next-line camelcase
 import aws_exports from "../../aws-exports";
 import { WebAuthnClient } from "..";
+import DetectBrowser from "../../_helpers/DetectBrowser";
 
 // eslint-disable-next-line camelcase
 axios.defaults.baseURL = aws_exports.apiEndpoint;
@@ -69,26 +70,19 @@ const AddCredential = function () {
    */
   const handleSaveAdd = async () => {
     setSubmitted(true);
-
-    const result = validate({ keyName: nickname }, constraints);
-    if (result) {
-      setInvalidNickname(result.keyName.join(". "));
-    } else {
-      setInvalidNickname(undefined);
-      setLoading(true);
-      try {
-        await register();
-      } catch (error) {
-        console.error(
-          t("console.error", {
-            COMPONENT: "AddCredential",
-            METHOD: "handleSaveAdd()",
-            REASON: t("console.reason.addCredential0"),
-          }),
-          error
-        );
-        setLoading(false);
-      }
+    setLoading(true);
+    try {
+      await register();
+    } catch (error) {
+      console.error(
+        t("console.error", {
+          COMPONENT: "AddCredential",
+          METHOD: "handleSaveAdd()",
+          REASON: t("console.reason.addCredential0"),
+        }),
+        error
+      );
+      setLoading(false);
     }
   };
 
@@ -133,6 +127,16 @@ const AddCredential = function () {
     return pinResult.value;
   }
 
+  /**
+   * Android will not allow for a ResidentKey to be created - and will return an error during the WebAuthn ceremony if RequireResidentKey is True and ResidentKey is set to required
+   * This method will hide the checkbox to create a resident key from the UI on android device
+   * @returns false to hide if on android, true if otherwise
+   */
+  function handleAndroidResidentKey() {
+    if (DetectBrowser.getPlatform().id === "ANDROID_BIOMETRICS") return false;
+    return true;
+  }
+
   /**
    * Primary logic of this method
    * Calls to the register API, and creates the credential on the security key
@@ -147,7 +151,6 @@ const AddCredential = function () {
        * More information can be found here: https://www.w3.org/TR/webauthn-2/#enum-attachment
        */
       await WebAuthnClient.registerNewCredential(
-        nickname,
         isResidentKey,
         "CROSS_PLATFORM",
         registerUV
@@ -189,41 +192,21 @@ const AddCredential = function () {
           )}
           <AddCredentialGuidance />
 
-          <label>{t("credential.add-form-label")}</label>
-          <input
-            type="text"
-            name="nickname"
-            autoFocus
-            value={nickname}
-            ref={inputRef}
-            onChange={handleChange}
-            className={`form-control${
-              submitted && invalidNickname ? " is-invalid" : ""
-            }`}
-            onKeyPress={(ev) => {
-              if (ev.key === "Enter") {
-                handleSaveAdd();
-                ev.preventDefault();
-              }
-            }}
-          />
-          {invalidNickname ? (
-            <Alert variant="danger">{invalidNickname}</Alert>
-          ) : null}
-          <br />
-          <label>
-            <input
-              name="isResidentKey"
-              type="checkbox"
-              checked={isResidentKey}
-              onChange={handleCheckboxChange}
-            />{" "}
-            {t("credential.usernameless-label")}
-            <br />
-            <em>
-              <small>{t("credential.usernameless-note")}</small>
-            </em>
-          </label>
+          {handleAndroidResidentKey() && (
+            <label>
+              <input
+                name="isResidentKey"
+                type="checkbox"
+                checked={isResidentKey}
+                onChange={handleCheckboxChange}
+              />{" "}
+              {t("credential.usernameless-label")}
+              <br />
+              <em>
+                <small>{t("credential.usernameless-note")}</small>
+              </em>
+            </label>
+          )}
         </Modal.Body>
         <Modal.Footer>
           <Button variant="secondary" onClick={handleClose}>

clients/web/react/public/i18n/en-US.json

@@ -24,8 +24,7 @@ const checkAttestation = (credential) => {
  * @returns
  */
 const getAttestationImage = (credential) => {
-  const imgUrl =
-    credential.attestationMetadata?.value?.deviceProperties?.imageUrl;
+  const imgUrl = credential.attestationMetadata?.value?.icon;
   if (imgUrl) return imgUrl;
   return "https://www.yubico.com/wp-content/uploads//2021/02/illus-shield-lock-r1-dkteal.svg";
 };
@@ -52,14 +51,11 @@ const Credential = function ({ credential }) {
         </div>
         <div className="p-2 flex-grow-1">
           <h5>{credential.credentialNickname.value}</h5>
-          {checkAttestation(credential) && (
-            <h6>
-              {
-                credential.attestationMetadata.value.deviceProperties
-                  .displayName
-              }
-            </h6>
-          )}
+          {credential?.attestationMetadata?.value?.description &&
+            credential.attestationMetadata.value.description !==
+              credential.credentialNickname.value && (
+              <h6>{credential.attestationMetadata.value.description}</h6>
+            )}
           <p>
             {t("credential.date-last-used")}:{" "}
             {new Date(credential.lastUsedTime.seconds * 1000).toLocaleString()}

clients/web/react/src/RegisterPage/RegisterKeySuccessStep.tsx

@@ -40,7 +40,7 @@ const EditCredential = function ({ credential }) {
   const handleDelete = () => {
     setShow(false);
     dispatch(
-      credentialActions.delete(credential.credential.credentialId.base64)
+      credentialActions.delete(credential.credential.credentialId.base64url)
     );
   };
   const constraints = {
@@ -86,18 +86,6 @@ const EditCredential = function ({ credential }) {
   };
   const inputRef = useRef(null);
 
-  /**
-   * Checks if attestation data exists on the credential, used to determine if additional data should be displayed
-   * @param credential credential that was passed into this component by parent
-   * @returns
-   */
-  const checkAttestation = (credential) => {
-    const credAtt =
-      credential.attestationMetadata?.value?.deviceProperties?.displayName;
-    if (credAtt) return true;
-    return false;
-  };
-
   return (
     <>
       <Button variant="secondary" onClick={handleShow}>
@@ -134,6 +122,39 @@ const EditCredential = function ({ credential }) {
           ) : null}
           &nbsp;&nbsp;
           <br />
+          <h4>{t("credential.yubico-att-label")}</h4>
+          {credential?.attestationMetadata?.value?.description && (
+            <p>
+              <em>{t("credential.att-device-name")}</em>{" "}
+              {credential.attestationMetadata.value.description}
+            </p>
+          )}
+          {credential?.attestationMetadata?.value?.aaguid && (
+            <p>
+              <em>{t("credential.att-aaguid")}</em>{" "}
+              {credential.attestationMetadata.value.aaguid}
+            </p>
+          )}
+          {credential?.attestationMetadata?.value?.aaid && (
+            <p>
+              <em>{t("credential.att-aaid")}</em>{" "}
+              {credential.attestationMetadata.value.aaid}
+            </p>
+          )}
+          {credential?.attestationMetadata?.value?.authenticatorTransport &&
+            credential?.attestationMetadata?.value?.authenticatorTransport
+              .length > 0 && (
+              <p>
+                <em>{t("credential.att-device-interfaces")}</em>{" "}
+                <ul>
+                  {credential.attestationMetadata.value.authenticatorTransport.map(
+                    (transport, index) => (
+                      <li key={index}>{transport.id}</li>
+                    )
+                  )}
+                </ul>
+              </p>
+            )}
           <label>
             <em>{t("credential.edit-usernameless")}</em>{" "}
             {credential.registrationRequest
@@ -168,41 +189,6 @@ const EditCredential = function ({ credential }) {
               : ""}
           </label>
           <br />
-          <br />
-          {checkAttestation(credential) && (
-            <>
-              <h4 style={{ color: "#9aca3c" }}>
-                {t("credential.yubico-att-label")}
-              </h4>
-              <p>
-                <em>{t("credential.att-device-name")}</em>{" "}
-                {
-                  credential.attestationMetadata.value.deviceProperties
-                    .displayName
-                }{" "}
-                -{" "}
-                <a
-                  href={
-                    credential.attestationMetadata.value.deviceProperties
-                      .deviceUrl
-                  }
-                  target="_blank"
-                  rel="noreferrer">
-                  {t("credential.att-device-info")}
-                </a>
-              </p>
-              <div>
-                <em>{t("credential.att-device-interfaces")}</em>{" "}
-                <ul>
-                  {credential.attestationMetadata.value.transports.map(
-                    (transport, index) => (
-                      <li key={index}>{transport}</li>
-                    )
-                  )}
-                </ul>
-              </div>
-            </>
-          )}
         </Modal.Body>
         <Modal.Footer>
           <Button variant="secondary" onClick={handleClose}>

clients/web/react/src/_components/Credential/AddCredential.tsx

@@ -24,6 +24,10 @@ const RecoveryCodes = function ({ credentials }) {
   // Indicates if all codes have been consumed by login
   const { allRecoveryCodesUsed } = credentials;
 
+  const [ignoreModal, setIgnoreMoral] = useState(
+    localStorage.getItem("recoveryCodesModal") === "true"
+  );
+
   const recoveryCodes = useSelector(
     (state: RootStateOrAny) => state.recoveryCodes
   );
@@ -54,16 +58,27 @@ const RecoveryCodes = function ({ credentials }) {
     dispatch(credentialActions.generateRecoveryCodes());
   };
 
+  const handleIgnore = () => {
+    localStorage.setItem("recoveryCodesModal", "true");
+    setShowCodes(false);
+  };
+
   /**
    * The modal will continue to appear on the parent component if the user has not generated new credentials
    * OR if all the codes have been consumed
    */
   useEffect(() => {
-    if (!recoveryCodesViewed || allRecoveryCodesUsed) {
+    if ((!recoveryCodesViewed || allRecoveryCodesUsed) && !ignoreModal) {
       handleShow();
     }
   }, [recoveryCodesViewed, allRecoveryCodesUsed]);
 
+  useEffect(() => {
+    if (localStorage.getItem("recoveryCodesModal") === "true") {
+      setIgnoreMoral(true);
+    }
+  }, []);
+
   return (
     <>
       <Card className={styles.default["cardSpacing"]}>
@@ -134,9 +149,12 @@ const RecoveryCodes = function ({ credentials }) {
           </Button>
         </Modal.Body>
         <Modal.Footer>
-          <Button variant="primary" onClick={handleClose}>
+          <Button onClick={handleClose} variant="primary btn-block mt-3">
             {t("recovery-codes.close-button")}
           </Button>
+          <Button onClick={handleIgnore} variant="light btn-block mt-3">
+            {t("recovery-codes.ignore")}
+          </Button>
         </Modal.Footer>
       </Modal>
     </>

clients/web/react/src/_components/Credential/Credential.tsx

@@ -78,30 +78,28 @@ const AddTrustedDevice = function ({ continueStep }) {
    */
   const handleSaveAdd = async () => {
     setSubmitted(true);
-
-    const result = validate({ nickname }, constraints);
-    if (result) {
-      setInvalidNickname(result.nickname.join(". "));
-    } else {
-      setInvalidNickname(undefined);
-      setLoading(true);
-      try {
-        await register();
-        continueStep();
-      } catch (error) {
-        console.error(
-          t("console.error", {
-            COMPONENT: "AddTrustedDevice",
-            METHOD: "handleSaveAdd()",
-            REASON: t("console.reason.addTrustedDevice0"),
-          }),
-          error
-        );
-        setLoading(false);
-      }
+    setLoading(true);
+    try {
+      await register();
+      continueStep();
+    } catch (error) {
+      console.error(
+        t("console.error", {
+          COMPONENT: "AddTrustedDevice",
+          METHOD: "handleSaveAdd()",
+          REASON: t("console.reason.addTrustedDevice0"),
+        }),
+        error
+      );
+      setLoading(false);
     }
   };
 
+  function handleAndroidAuthenticator() {
+    if (DetectBrowser.getPlatform().id === "ANDROID_BIOMETRICS") return false;
+    return true;
+  }
+
   /**
    * Primary logic of this method
    * Calls to the register API, and creates the credential on the authenticator
@@ -117,8 +115,8 @@ const AddTrustedDevice = function ({ continueStep }) {
        * true required to force discoverable credentials to be created on the platform authenticator, which is required
        */
       await WebAuthnClient.registerNewCredential(
-        nickname,
-        true,
+        // nickname,
+        handleAndroidAuthenticator(),
         "PLATFORM",
         null
       );
@@ -155,27 +153,6 @@ const AddTrustedDevice = function ({ continueStep }) {
             <></>
           )}
           <AddTrustedDeviceGuidance PLAT_AUTH={PLAT_AUTH} />
-          <label>{t("trusted-device.add-form-label")}</label>
-          <input
-            type="text"
-            name="nickname"
-            autoFocus
-            value={nickname}
-            ref={inputRef}
-            onChange={handleChange}
-            className={`form-control${
-              submitted && invalidNickname ? " is-invalid" : ""
-            }`}
-            onKeyPress={(ev) => {
-              if (ev.key === "Enter") {
-                ev.preventDefault();
-                handleSaveAdd();
-              }
-            }}
-          />
-          {invalidNickname ? (
-            <Alert variant="danger">{invalidNickname}</Alert>
-          ) : null}
         </Modal.Body>
         <Modal.Footer>
           <Button variant="secondary" onClick={handleClose}>

clients/web/react/src/_components/Credential/EditCredential.tsx

@@ -0,0 +1,218 @@
+import React, { useState, useRef } from "react";
+
+import { Button, Modal, Alert } from "react-bootstrap";
+import { useDispatch } from "react-redux";
+import validate from "validate.js";
+import { useTranslation } from "react-i18next";
+import { credentialActions } from "../../_actions";
+
+/**
+ * Component used to display additional details about a credential, as well as allowing
+ * the user to update the nickname, or delete
+ * @param credential Data related to a specific credential
+ * @returns
+ */
+const EditTrustedDevice = function ({ credential }) {
+  const { t } = useTranslation();
+
+  const [show, setShow] = useState(false);
+
+  const [nickname, setNickname] = useState("");
+
+  const [invalidNickname, setInvalidNickname] = useState(undefined);
+
+  const [submitted, setSubmitted] = useState(false);
+
+  const dispatch = useDispatch();
+
+  /**
+   * Closes the modal
+   */
+  const handleClose = () => setShow(false);
+  const handleShow = () => {
+    setNickname(credential.credentialNickname.value);
+    setShow(true);
+  };
+
+  const constraints = {
+    nickname: {
+      length: {
+        minimum: 1,
+        maximum: 20,
+      },
+    },
+  };
+  /**
+   * Handles the pressing of the delete button
+   * IF the ID of the deleted device matches the ID of the Trusted Device locally stored
+   * then it removes any local information related to the trusted device
+   */
+  const handleDelete = () => {
+    setShow(false);
+    dispatch(
+      credentialActions.delete(credential.credential.credentialId.base64url)
+    );
+    if (
+      credential.credential.credentialId.base64url ===
+      localStorage.getItem("trustedDeviceID")
+    ) {
+      localStorage.removeItem("trustedDevice");
+      localStorage.removeItem("trustedDeviceID");
+    }
+  };
+
+  /**
+   * Handles when the user saves a new nickname for their security key
+   * First validates if the nickname is valid before allowing an update
+   */
+  const handleSave = () => {
+    setSubmitted(true);
+    const result = validate({ nickname }, constraints);
+    if (result) {
+      setInvalidNickname(result.nickname.join(". "));
+      return result;
+    }
+    setInvalidNickname(undefined);
+
+    setShow(false);
+    credential.credentialNickname.value = nickname;
+    dispatch(credentialActions.update(credential));
+  };
+
+  /**
+   * Used to validate nickname changes on user input
+   * @param e Event triggered by user action
+   */
+  const handleChange = (e) => {
+    const { name, value } = e.target;
+    setNickname(value);
+    const result = validate({ nickname: value }, constraints);
+    if (result) {
+      setInvalidNickname(result.nickname.join(". "));
+    } else {
+      setInvalidNickname(undefined);
+    }
+  };
+  const inputRef = useRef(null);
+
+  return (
+    <>
+      <Button variant="secondary" onClick={handleShow}>
+        {t("trusted-device.edit-button")}
+      </Button>
+      <Modal show={show} onHide={handleClose}>
+        <Modal.Header closeButton>
+          <Modal.Title>{t("trusted-device.edit-header")}</Modal.Title>
+        </Modal.Header>
+        <Modal.Body>
+          <label>
+            {t("trusted-device.edit-form-label")}{" "}
+            <input
+              type="text"
+              name="nickname"
+              autoFocus
+              value={nickname}
+              ref={inputRef}
+              onChange={handleChange}
+              className={`form-control${
+                submitted && invalidNickname ? " is-invalid" : ""
+              }`}
+              onKeyPress={(ev) => {
+                if (ev.key === "Enter") {
+                  handleSave();
+                  ev.preventDefault();
+                }
+              }}
+            />
+          </label>
+          <br />
+          {invalidNickname ? (
+            <Alert variant="danger">{invalidNickname}</Alert>
+          ) : null}
+          &nbsp;&nbsp;
+          <br />
+          <h4>{t("trusted-device.yubico-att-label")}</h4>
+          {credential?.attestationMetadata?.value?.description && (
+            <p>
+              <em>{t("credential.att-device-name")}</em>{" "}
+              {credential.attestationMetadata.value.description}
+            </p>
+          )}
+          {credential?.attestationMetadata?.value?.aaguid && (
+            <p>
+              <em>{t("trusted-device.att-aaguid")}</em>{" "}
+              {credential.attestationMetadata.value.aaguid}
+            </p>
+          )}
+          {credential?.attestationMetadata?.value?.aaid && (
+            <p>
+              <em>{t("trusted-device.att-aaid")}</em>{" "}
+              {credential.attestationMetadata.value.aaid}
+            </p>
+          )}
+          {credential?.attestationMetadata?.value?.authenticatorTransport &&
+            credential?.attestationMetadata?.value?.authenticatorTransport
+              .length > 0 && (
+              <p>
+                <em>{t("trusted-device.att-device-interfaces")}</em>{" "}
+                <ul>
+                  {credential.attestationMetadata.value.authenticatorTransport.map(
+                    (transport, index) => (
+                      <li key={index}>{transport.id}</li>
+                    )
+                  )}
+                </ul>
+              </p>
+            )}
+          <label>
+            <em>{t("trusted-device.edit-usernameless")}</em>{" "}
+            {credential.registrationRequest
+              ? credential.registrationRequest.requireResidentKey.toString()
+              : ""}
+          </label>
+          <br />
+          <label>
+            <em>{t("trusted-device.last-time-used")}</em>{" "}
+            {credential.lastUsedTime
+              ? new Date(
+                  credential.lastUsedTime.seconds * 1000
+                ).toLocaleString()
+              : ""}
+          </label>
+          <br />
+          <label>
+            <em>{t("trusted-device.last-update-time")}</em>{" "}
+            {credential.lastUpdatedTime
+              ? new Date(
+                  credential.lastUpdatedTime.seconds * 1000
+                ).toLocaleString()
+              : ""}
+          </label>
+          <br />
+          <label>
+            <em>{t("trusted-device.registration-time")}</em>{" "}
+            {credential.registrationTime
+              ? new Date(
+                  credential.registrationTime.seconds * 1000
+                ).toLocaleString()
+              : ""}
+          </label>
+          <br />
+        </Modal.Body>
+        <Modal.Footer>
+          <Button variant="secondary" onClick={handleClose}>
+            {t("trusted-device.edit-cancel-button")}
+          </Button>
+          <Button variant="danger" onClick={handleDelete}>
+            {t("trusted-device.edit-delete-button")}
+          </Button>
+          <Button variant="primary" onClick={handleSave}>
+            {t("trusted-device.edit-save-button")}
+          </Button>
+        </Modal.Footer>
+      </Modal>
+    </>
+  );
+};
+
+export default EditTrustedDevice;

clients/web/react/src/_components/RecoveryCodes/RecoveryCodes.tsx

@@ -1,8 +1,9 @@
 import React from "react";
 import { useDispatch } from "react-redux";
-import { Button, Image } from "react-bootstrap";
-import { credentialActions } from "../../_actions";
+import { Image } from "react-bootstrap";
 import { useTranslation } from "react-i18next";
+import { credentialActions } from "../../_actions";
+import EditTrustedDevice from "./EditTrustedDevice";
 
 const styles = require("../component.module.css");
 
@@ -13,24 +14,16 @@ const styles = require("../component.module.css");
 const TrustedDevice = function ({ credential }) {
   const { t } = useTranslation();
 
-  const dispatch = useDispatch();
-
   /**
-   * Handles the pressing of the delete button
-   * IF the ID of the deleted device matches the ID of the Trusted Device locally stored
-   * then it removes any local information related to the trusted device
+   * Takes the image URL provided by the credential after attestation
+   * If no image is found, then a default is set
+   * @param credential
+   * @returns URL from the attestation response, or a default image if no icon is present
    */
-  const handleDelete = () => {
-    dispatch(
-      credentialActions.delete(credential.credential.credentialId.base64)
-    );
-    if (
-      credential.credential.credentialId.base64 ===
-      localStorage.getItem("trustedDeviceID")
-    ) {
-      localStorage.removeItem("trustedDevice");
-      localStorage.removeItem("trustedDeviceID");
-    }
+  const getAttestationImage = (credential) => {
+    const imgUrl = credential.attestationMetadata?.value?.icon;
+    if (imgUrl) return imgUrl;
+    return "https://www.yubico.com/wp-content/uploads//2021/02/illus-shield-lock-r1-dkteal.svg";
   };
 
   return (
@@ -39,21 +32,24 @@ const TrustedDevice = function ({ credential }) {
         <div className="p-2">
           <Image
             className={styles.default["security-key-image"]}
-            src="https://www.yubico.com/wp-content/uploads/2021/01/illus-fingerprint-r1-dk-teal-1.svg"
+            src={getAttestationImage(credential)}
             roundedCircle
           />
         </div>
         <div className="p-2 flex-grow-1">
           <h5>{credential.credentialNickname.value}</h5>
+          {credential?.attestationMetadata?.value?.description &&
+            credential.attestationMetadata.value.description !==
+              credential.credentialNickname.value && (
+              <h6>{credential.attestationMetadata.value.description}</h6>
+            )}
           <p>
             {t("trusted-device.date-last-used")}{" "}
             {new Date(credential.lastUsedTime.seconds * 1000).toLocaleString()}
           </p>
         </div>
         <div className="m-2">
-          <Button variant="danger" onClick={handleDelete}>
-            {t("trusted-device.delete-button")}
-          </Button>
+          <EditTrustedDevice credential={credential} />
         </div>
       </div>
       <hr className={styles.default["section-divider"]} />

clients/web/react/src/_components/TrustedDevices/AddTrustedDevice.tsx

@@ -186,11 +186,14 @@ async function getAuthChallegeResponse(cognitoChallenge) {
     );
 
     const assertionResponse = await get(publicKey);
+    // This needs to be done as Apple sets userHandle to "", preventing the user from logging in
+    if (assertionResponse.response.userHandle === "")
+      assertionResponse.response.userHandle = null;
     console.info(
       t("console.info", {
         COMPONENT: "WebAuthnClient",
         METHOD: "getAuthChallegeResponse()",
-        LOG_REASON: t("console.reason.webauthnClient3"),
+        LOG_REASON: t("console.reason.webauthnClient4"),
       }),
       assertionResponse
     );
@@ -734,7 +737,6 @@ async function signUp(name, requestUV, registerWebKit) {
  * @param requestUV callback used to trigger modal if UV is not present on the authenticator allowing the user to provide a U2F Password
  */
 async function registerNewCredential(
-  nickname,
   isResidentKey,
   authenticatorAttachment = "CROSS_PLATFORM",
   requestUV
@@ -747,15 +749,13 @@ async function registerNewCredential(
         LOG_REASON: t("console.reason.webauthnClient16"),
       }),
       {
-        nickname,
         isResidentKey,
         authenticatorAttachment,
       }
     );
     const startRegistrationResponse = await axios.post(
       "/users/credentials/fido2/register",
       {
-        nickname,
         requireResidentKey: isResidentKey,
         requireAuthenticatorAttachment: authenticatorAttachment,
       }
@@ -805,7 +805,6 @@ async function registerNewCredential(
       requestId,
       pinSet: startRegistrationResponse.data.pinSet,
       pinCode: defaultInvalidPIN,
-      nickname,
     };
     console.info(
       t("console.info", {

clients/web/react/src/_components/TrustedDevices/EditTrustedDevice.tsx

@@ -26,10 +26,11 @@
 }
 
 .security-key-image {
-  border: 3px #e7e7e7 solid;
+  border: 2px #9aca3c solid;
   padding: 10px;
   width: 75px;
-  height: 75px
+  height: 75px;
+  background-color: #e9e9e9;
 }
 
 .security-key-image-col {