incorrect signed challenge causes a query exception, return null when no webauthn key can be found

Author: matthijs

src/Auth/EloquentWebAuthnProvider.php

@@ -50,6 +50,7 @@ public function retrieveByCredentials(array $credentials): ?User
                 return $this->retrieveById($webauthnKey->user_id);
             } catch (ModelNotFoundException $e) {
                 // No result
+                return null;
             }
         }
 

tests/Unit/Auth/EloquentWebAuthnProviderTest.php

@@ -142,4 +142,29 @@ public function it_retrieve_user_new_format()
         $this->assertNotNull($result);
         $this->assertEquals($user->id, $result->id);
     }
+
+    /**
+     * @test
+     */
+    public function it_does_not_fail_when_retrieving_user()
+    {
+        Webauthn::shouldReceive('validateAssertion')->andReturn(true);
+        Webauthn::shouldReceive('model')->andReturn(WebauthnKey::class);
+
+        $provider = new EloquentWebAuthnProvider(
+            app('config'),
+            app(CredentialAssertionValidator::class),
+            app(Hasher::class),
+            User::class,
+        );
+
+        $result = $provider->retrieveByCredentials([
+            'id' => Base64UrlSafe::encode('id'),
+            'rawId' => 'rawId',
+            'type' => 'public-key',
+            'response' => 'response',
+        ]);
+
+        $this->assertNull($result);
+    }
 }