Bug 216600 - Propagate user gesture through `isUserVerifyingPlatformAuthenticatorAvailable`
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks: 181943
Reported: 2020-09-15 23:17 PDT by Eiji Kitamura
Modified: 2021-03-30 17:09 PDT
Description Eiji Kitamura 2020-09-15 23:17:45 PDT
When invoking WebAuthn with a local authenticator (Touch ID / Face ID), user gesture is required in WebKit.
Thank you for fixing the issue that blocks user gesture on Fetch API. (https://bugs.webkit.org/show_bug.cgi?id=214444)
However, it was still blocked in my code, and I finally figured out that it was caused by `isUserVerifyingPlatformAuthenticatorAvailable`.
Please propagate user gesture on `iUVPAA` as well.

To reproduce the issue, you can try and modify the code here:
https://glitch.com/edit/#!/iuvpaa-issue

See code in public/client.js and enable/disable `iUVPAA`.
Comment 1 Jiewen Tan 2020-09-15 23:24:45 PDT
(In reply to Eiji Kitamura from comment #0)
> When invoking WebAuthn with a local authenticator (Touch ID / Face ID), user
> gesture is required in WebKit.
> Thank you for fixing the issue that blocks user gesture on Fetch API.
> (https://bugs.webkit.org/show_bug.cgi?id=214444)
> However, it was still blocked in my code, and I finally figured out that it
> was caused by `isUserVerifyingPlatformAuthenticatorAvailable`.
> Please propagate user gesture on `iUVPAA` as well.
> 
> To reproduce the issue, you can try and modify the code here:
> https://glitch.com/edit/#!/iuvpaa-issue
> 
> See code in public/client.js and enable/disable `iUVPAA`.

Oh, I probably forgot to do this. But you don't necessarily need to call the method after user interactions. This method is safe to call even for onload given it doesn't affect your REST API or any server model you have.
Comment 2 Eiji Kitamura 2020-09-15 23:30:06 PDT
Yeah I know, but Google's WebAuthn codelab has this within the same event loop and it would be nice if this was fixed.
I'll add a workaround to the codelab meanwhile.
Comment 3 Eiji Kitamura 2020-09-15 23:58:12 PDT
On second thought, I realized Google's codelab is not a good design. The button shouldn't be pressed if UVPAA is not available in the first place.
Anyway, I'll leave this issue here as it might be a hint for people who bump into the same problem.
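The pattern discussed in comments 1 to 3, as an added example that is not part of the thread or of WebKit: probe `iUVPAA` at load time and keep it out of the click handler. `initSignIn`, `initSignInAwaitingInHandler`, `makeFakeBrowser` and the `env` wrapper are hypothetical names, the request options are assumed to have been obtained from the server beforehand, and the fake browser is a simplified model of the gesture behaviour reported here.

```javascript
// Added example; all helper names are hypothetical.
// In a page, env would be:
//   { PublicKeyCredential: window.PublicKeyCredential, credentials: navigator.credentials }

// Probe at page load, outside any click handler, and gate the button on it.
async function initSignIn(env, button, publicKey) {
  const pkc = env.PublicKeyCredential;
  const available = !!pkc &&
    await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
  button.disabled = !available; // button cannot be pressed without a UVPA
  // The handler starts credentials.get() synchronously: no await precedes it,
  // so the call is made while the click's user gesture is still in effect.
  button.onclick = () => env.credentials.get({ publicKey });
  return available;
}

// Pattern from the report: iUVPAA awaited inside the click handler.
function initSignInAwaitingInHandler(env, button, publicKey) {
  button.onclick = async () => {
    const pkc = env.PublicKeyCredential;
    if (!(await pkc.isUserVerifyingPlatformAuthenticatorAvailable())) return null;
    return env.credentials.get({ publicKey });
  };
}

// Constructed stand-in for the browser, a simplified model of the behaviour
// described in this bug (not WebKit code): the gesture flag is set only while
// click() runs synchronously and is gone by the time an awaited iUVPAA resolves.
function makeFakeBrowser() {
  let gesture = false;
  const env = {
    PublicKeyCredential: {
      isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
    },
    credentials: {
      get: () => gesture
        ? Promise.resolve({ type: "public-key" })
        : Promise.reject(new Error("NotAllowedError: no user gesture")),
    },
  };
  const click = (button) => {
    gesture = true;
    try { return button.onclick(); } finally { gesture = false; }
  };
  return { env, click };
}
```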
Comment 4 Radar WebKit Bug Importer 2020-09-22 23:59:21 PDT
<rdar://problem/69418131>
Comment 5 Anthony Johnston 2021-03-24 16:21:53 PDT
I need to make an async call to IndexedDB before calling credential get; this also causes an error, even though it's within the context of a gesture.

Further, iOS 14.4 has a popup which asks the user if they want to use FaceID or not; why is it necessary to have the user gesture before this as well?

Remove the requirement for user gesture and allow us to call the API. The popup handles the requirement for user confirmation anyway.