
Docs: security-webauthn and security-webauthn-quickstart Guide #37516

Closed
jcarranzan opened this issue Dec 5, 2023 · 9 comments

Comments

@jcarranzan
Contributor

jcarranzan commented Dec 5, 2023

Describe the bug

I went through the https://quarkus.io/guides/security-webauthn guide and found the following issues:

  1. In the introduction section https://quarkus.io/guides/security-webauthn#introduction-to-webauthn, the second paragraph could also mention that authenticators can be emulated with the WebAuthn devtools of the Chrome browser (https://developer.chrome.com/docs/devtools/webauthn/).
  2. The MyWebAuthnSetup class in the quickstart application uses the @ReactiveTransactional annotation, which has been deprecated and points users to io.quarkus.hibernate.reactive.panache.common.WithTransaction instead. It would be nice to have this change reflected in https://github.com/quarkusio/quarkus/wiki/Migration-Guide-3.0#hibernate-reactive-panache.
  3. If I execute the security-webauthn-quickstart as described in the README steps, it throws an error, as I described in quarkus-quickstarts#1336 (security-web-authn-quickstart fails with a netty connection refused in localhost/127.0.0.1:32769):
    HR000021: DDL command failed [io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:32769]
    When the db is up and running (after docker-compose up), we need to specify these parameters in our mvn command to connect with the db properly:
    mvn quarkus:dev -Dquarkus.datasource.reactive.url=postgresql://localhost:5432/elytron_security_webauthn -Dquarkus.datasource.username=quarkus -Dquarkus.datasource.password=quarkus
    So I would suggest changing some of the description steps in the README.
  4. On the other hand, when the application is running and we go to localhost:8080 and then to the Admin API section (http://localhost:8080/api/admin) without logging in, the server returns a 302 and no changes are observed on the page. Perhaps the server should perform a proper redirection to a new webpage and send a 403 Forbidden code for unauthorized access.


@jcarranzan jcarranzan added the kind/bug label Dec 5, 2023

quarkus-bot bot commented Dec 5, 2023

/cc @sberyozkin (security)

@jcarranzan
Contributor Author

Also, area/documentation

@sberyozkin
Member

@FroMage Hi Steph, is there a chance you can have a quick look? We keep getting issues opened against the WebAuthn extension; see also #32376.

@Doogiemuc

I am really sorry that I have to support the OP (original poster). The quarkus-webauthn docs do have issues. To add another example:

  • The quarkus-webauthn must definitely mention that this whole thing ONLY works in HTTPS with all TLS setup in place!

@sixcorners

@Doogiemuc I think it works without https. Do you have the Bitwarden extension installed (bitwarden/clients#6882)? Because that does check for https.

@FroMage
Member

FroMage commented Jan 23, 2024

  1. In the introduction section https://quarkus.io/guides/security-webauthn#introduction-to-webauthn, the second paragraph could also mention that authenticators can be emulated with the WebAuthn devtools of the Chrome browser (https://developer.chrome.com/docs/devtools/webauthn/).

Good point, I didn't know it existed. I'll add a note about it in Prerequisites and in Testing the Application.

  2. The MyWebAuthnSetup class in the quickstart application uses the @ReactiveTransactional annotation, which has been deprecated and points users to io.quarkus.hibernate.reactive.panache.common.WithTransaction instead. It would be nice to have this change reflected in https://github.com/quarkusio/quarkus/wiki/Migration-Guide-3.0#hibernate-reactive-panache.

OK, let's fix that.

  3. If I execute the security-webauthn-quickstart as described in the README steps, it throws an error, as I described in quarkus-quickstarts#1336 (security-web-authn-quickstart fails with a netty connection refused in localhost/127.0.0.1:32769):
    HR000021: DDL command failed [io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:32769]
    When the db is up and running (after docker-compose up), we need to specify these parameters in our mvn command to connect with the db properly:
    mvn quarkus:dev -Dquarkus.datasource.reactive.url=postgresql://localhost:5432/elytron_security_webauthn -Dquarkus.datasource.username=quarkus -Dquarkus.datasource.password=quarkus
    So I would suggest changing some of the description steps in the README.

I can't reproduce that.

  4. On the other hand, when the application is running and we go to localhost:8080 and then to the Admin API section (http://localhost:8080/api/admin) without logging in, the server returns a 302 and no changes are observed on the page. Perhaps the server should perform a proper redirection to a new webpage and send a 403 Forbidden code for unauthorized access.

This is by design: you get auto-redirected when credentials are needed and you're not logged in. You will get a non-redirect error when trying to access the admin page while you're logged in, though.

@FroMage
Member

FroMage commented Jan 23, 2024

The quarkus-webauthn must definitely mention that this whole thing ONLY works in HTTPS with all TLS setup in place!

For Google Chrome, this is not true, localhost is allowed. I will mention it in the guide, though, because this is relevant for production deployment.
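The two replies above (the "HTTPS only" claim and the "localhost is allowed" answer) both come down to the browser's secure-context rule: WebAuthn is only exposed on a potentially trustworthy origin, which covers https:// and wss:// origins plus the loopback names localhost, *.localhost, 127.0.0.0/8 and [::1] even over plain http://. The following is an added example written for this thread, not code from the Quarkus guide, the quickstart or any commenter: it reimplements that origin classification so a developer can see why http://localhost:8080 works in Chrome while http://example.com or http://192.168.1.10 will not, and a small pre-flight check a page can run before offering WebAuthn registration or login. The assumption is the W3C Secure Contexts scheme and host rules as implemented by Chrome; enterprise policy or browser flags can override them.

```javascript
// Added example (not from the Quarkus guide or quickstart).
// Assumption: the scheme/host rules of the W3C Secure Contexts spec as
// Chrome applies them. The browser, not this code, decides in practice.

// Loopback hosts: "localhost", "*.localhost", 127.0.0.0/8 and [::1].
function isLoopbackHost(hostname) {
  // URL.hostname keeps the brackets around an IPv6 literal.
  if (hostname === "[::1]") return true;
  const v4 = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (v4) return v4.slice(1).every((octet) => Number(octet) <= 255);
  const name = hostname.toLowerCase().replace(/\.$/, "");
  return name === "localhost" || name.endsWith(".localhost");
}

// A "potentially trustworthy origin": secure scheme, or loopback host.
function isPotentiallyTrustworthyOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // opaque ("null") or malformed origin is never trustworthy
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  if (url.protocol === "file:") return true;
  if (url.protocol === "http:" || url.protocol === "ws:") {
    return isLoopbackHost(url.hostname);
  }
  return false;
}

// Explain, for an origin string, whether WebAuthn calls can be expected to work.
function webauthnAvailability(origin) {
  if (!isPotentiallyTrustworthyOrigin(origin)) {
    return {
      usable: false,
      reason: "not a secure context: serve over HTTPS (loopback hosts are exempt for development)",
    };
  }
  return { usable: true, reason: "secure context" };
}

// What a page should check before showing a "register passkey" button.
// Written against a window-like object so it can be exercised outside a browser.
function canOfferWebauthn(win) {
  return Boolean(
    win && win.isSecureContext && typeof win.PublicKeyCredential === "function"
  );
}

// Sample origins (constructed for this example).
for (const o of ["http://localhost:8080", "http://192.168.1.10:8080", "https://example.com"]) {
  console.log(o, webauthnAvailability(o));
}
```

In a real page the check is simply `window.isSecureContext && "PublicKeyCredential" in window`; the origin classifier is there to show the rule the browser is applying. Note that the relying-party ID configured server-side must still be a registrable suffix of the origin's host, so moving from localhost to a production hostname needs a configuration change as well as TLS.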

@FroMage
Member

FroMage commented Jan 25, 2024

#38373 should fix that.

@jcarranzan
Contributor Author

Ok, thank you @FroMage .
