fix(webauthn): address PR #55 code review feedback

devondragon · devondragon · commit 7f36b38b30a6 · 2026-02-21T17:05:14.000-07:00
- escapeHtml: encode " and ' after DOM-based escape to prevent
  attribute breakout in data-* attributes
- webauthn-manage: use JSON-with-text-fallback for rename and delete
  error responses to avoid throwing on non-JSON bodies (500/403)
- login: add passkeyBtn null check to prevent TypeError if element
  is missing from template
- login: add #passkeyError alert div and wire showMessage to it so
  passkey auth failures are visible to the user instead of silently
  swallowed
diff --git a/src/main/resources/static/js/user/login.js b/src/main/resources/static/js/user/login.js
@@ -15,8 +15,9 @@ document.addEventListener("DOMContentLoaded", () => {
 	const passkeySection = document.getElementById("passkey-login-section");
 	const passkeyBtn = document.getElementById("passkeyLoginBtn");
 
-	if (passkeySection && isWebAuthnSupported()) {
+	if (passkeySection && passkeyBtn && isWebAuthnSupported()) {
 		passkeySection.style.display = "block";
+		const passkeyError = document.getElementById("passkeyError");
 
 		passkeyBtn.addEventListener("click", async () => {
 			passkeyBtn.disabled = true;
@@ -27,7 +28,7 @@ document.addEventListener("DOMContentLoaded", () => {
 				window.location.href = redirectUrl;
 			} catch (error) {
 				console.error("Passkey authentication failed:", error);
-				showMessage(null, "Passkey authentication failed. Please try again.", "alert-danger");
+				showMessage(passkeyError, "Passkey authentication failed. Please try again.", "alert-danger");
 				passkeyBtn.disabled = false;
 				passkeyBtn.innerHTML = '<i class="bi bi-key me-2"></i> Sign in with Passkey';
 			}
diff --git a/src/main/resources/static/js/user/webauthn-manage.js b/src/main/resources/static/js/user/webauthn-manage.js
@@ -153,8 +153,15 @@ function renamePasskey(credentialId, currentLabel) {
             });
 
             if (!response.ok) {
-                const data = await response.json();
-                throw new Error(data.message || 'Failed to rename passkey');
+                let msg = 'Failed to rename passkey';
+                try {
+                    const data = await response.json();
+                    msg = data.message || msg;
+                } catch {
+                    const text = await response.text();
+                    if (text) msg = text;
+                }
+                throw new Error(msg);
             }
 
             renameModalInstance.hide();
@@ -199,8 +206,15 @@ async function deletePasskey(credentialId) {
         });
 
         if (!response.ok) {
-            const data = await response.json();
-            throw new Error(data.message || 'Failed to delete passkey');
+            let msg = 'Failed to delete passkey';
+            try {
+                const data = await response.json();
+                msg = data.message || msg;
+            } catch {
+                const text = await response.text();
+                if (text) msg = text;
+            }
+            throw new Error(msg);
         }
 
         if (globalMessage) {
diff --git a/src/main/resources/static/js/user/webauthn-utils.js b/src/main/resources/static/js/user/webauthn-utils.js
@@ -71,5 +71,5 @@ export function escapeHtml(text) {
     if (!text) return '';
     const div = document.createElement('div');
     div.textContent = text;
-    return div.innerHTML;
+    return div.innerHTML.replace(/"/g, '&quot;').replace(/'/g, '&#39;');
 }
diff --git a/src/main/resources/templates/user/login.html b/src/main/resources/templates/user/login.html
@@ -20,6 +20,8 @@
 							<div th:if="${param.error != null and errormessage == null}" class="alert alert-danger text-center" role="alert" id="loginError">
 								<span th:text="${session.SPRING_SECURITY_LAST_EXCEPTION?.message} ?: 'Invalid email or password'">Invalid email or password</span>
 							</div>
+							<!-- Passkey error message (shown by JS) -->
+							<div id="passkeyError" class="alert alert-danger text-center d-none" role="alert"></div>
 
 							<!-- Card Header -->
 							<div class="card-header text-center">

Original file line number	Diff line number	Diff line change
`@@ -71,5 +71,5 @@ export function escapeHtml(text) {`
`71`	`71`	`if (!text) return '';`
`72`	`72`	`const div = document.createElement('div');`
`73`	`73`	`div.textContent = text;`
`74`		`- return div.innerHTML;`
	`74`	`+ return div.innerHTML.replace(/"/g, '"').replace(/'/g, ''');`
`75`	`75`	`}`