From 77cfcc7f8c6a5ef99d784dbdb0a12ea25e2a2650 Mon Sep 17 00:00:00 2001
From: Frederic Jahn
Date: Thu, 4 Aug 2022 12:22:42 +0200
Subject: [PATCH] fix: remove transports at webauthn login

---
 backend/handler/webauthn.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/backend/handler/webauthn.go b/backend/handler/webauthn.go
index 88c302f61..766576317 100644
--- a/backend/handler/webauthn.go
+++ b/backend/handler/webauthn.go
@@ -205,6 +205,12 @@ func (h *WebauthnHandler) BeginAuthentication(c echo.Context) error {
 return fmt.Errorf("failed to store webauthn assertion session data: %w", err)
 }
 
+ // Remove all transports, because of a bug in android and windows where the internal authenticator gets triggered,
+ // when the transports array contains the type 'internal' although the credential is not available on the device.
+ for i, _ := range options.Response.AllowedCredentials {
+ options.Response.AllowedCredentials[i].Transport = nil
+ }
+
 return c.JSON(http.StatusOK, options)
 }
 
@@ -215,7 +221,6 @@ func (h *WebauthnHandler) FinishAuthentication(c echo.Context) error {
 return dto.NewHTTPError(http.StatusBadRequest, err.Error())
 }
 
-
 return h.persister.Transaction(func(tx *pop.Connection) error {
 sessionDataPersister := h.persister.GetWebauthnSessionDataPersisterWithConnection(tx)
 sessionData, err := sessionDataPersister.GetByChallenge(request.Response.CollectedClientData.Challenge)
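Review bot: The added loop in BeginAuthentication clears `Transport` for every client, not only the Android and Windows ones named in the comment, and the comment does not say that this is deliberate or why it is safe. Transports in the allow list are advisory hints to the client, so clearing them should not change which credentials are accepted at FinishAuthentication, though that check is not visible in this hunk; a sentence such as `// Transports are only client-side hints; dropping them does not affect assertion verification.` would record this. A pointer to the upstream bug, e.g. `// TODO: restore transports once <upstream-issue-link> is fixed`, would tell a later maintainer when the workaround can be removed. The loop header also carries a redundant blank identifier; `for i := range options.Response.AllowedCredentials {` is the simplified form. The function starts outside the hunk, so how `options` is produced and checked is not visible here.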