jeffemmett
/
rspace-online
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
rspace-online/backlog/tasks/task-79 - Fix-guardian-invi...

2.5 KiB
Raw Blame History

id title status assignee created_date labels dependencies priority
TASK-79 Fix guardian invitation acceptance — server-initiated WebAuthn flow Done
2026-03-03 00:56
bugfix
encryptid
webauthn
high

Description

Guardian invitation acceptance and auth.rspace.online login were broken. The guardian page and main login page used the client-side SDK's authenticatePasskey()/registerPasskey() which generate their own challenge, then tried to send result.challenge and result.credential to the server — but AuthenticationResult doesn't have those properties (both undefined). The postgres driver threw UNDEFINED_VALUE on getChallenge(undefined), resulting in a raw 500 "Internal Server Error" that the client couldn't parse as JSON.

Fixed by replacing with the proper server-initiated flow (matching rstack-identity.ts): /api/auth/start → WebAuthn → /api/auth/complete, and same for registration. Also fixed Dockerfile.encryptid to include shared/local-first/ in the build context (needed by login-button.ts importing encryptid-bridge).

Acceptance Criteria

  • #1 Guardian invitation acceptance completes without JSON parse error
  • #2 auth.rspace.online login/register works with server-initiated WebAuthn
  • #3 Dockerfile.encryptid builds successfully with shared/local-first context

Final Summary

Fixed 500 error on guardian invitation acceptance caused by client sending undefined challenge/credential to server.

Root cause: Guardian page and auth.rspace.online login used client-side SDK functions (authenticatePasskey()/registerPasskey()) which return AuthenticationResult — but code referenced .challenge and .credential properties that don't exist on that type. Both were undefined, causing postgres UNDEFINED_VALUE error → 500 plain text → client JSON parse failure.

Fix: Replaced with server-initiated WebAuthn flow matching rstack-identity.ts:

  1. POST /api/auth/start → get server challenge
  2. navigator.credentials.get() with that challenge
  3. POST /api/auth/complete with { challenge, credential: { credentialId } }

Also fixed Dockerfile.encryptid to COPY shared/local-first/ (needed by login-button.tsencryptid-bridge.ts).

Commits: 88118cd (WebAuthn flow), 4dd212e (Dockerfile fix). Both rspace-online and encryptid containers rebuilt and deployed.