From 46750bf2cd97f32830f80dcbf9379a5625e409c2 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Sun, 30 Mar 2025 15:17:54 +1100
Subject: [PATCH] fix(webauthn): empty aaguid fails login

This fixes an issue where an empty AAGUID would cause a failed login when it should be left to metadata validation.
---
 protocol/metadata.go | 2 +-
 webauthn/login.go | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/protocol/metadata.go b/protocol/metadata.go
index 01af76a..1937805 100644
--- a/protocol/metadata.go
+++ b/protocol/metadata.go
@@ -36,7 +36,7 @@ func ValidateMetadata(ctx context.Context, mds metadata.Provider, aaguid uuid.UU
 		return nil
 	}
 
-	if mds.GetValidateAttestationTypes(ctx) && attestationType != "" {
+	if attestationType != "" && mds.GetValidateAttestationTypes(ctx) {
 		found := false
 
 		for _, atype := range entry.MetadataStatement.AttestationTypes {
diff --git a/webauthn/login.go b/webauthn/login.go
index a474ec6..aa6b53e 100644
--- a/webauthn/login.go
+++ b/webauthn/login.go
@@ -343,7 +343,9 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
 	if webauthn.Config.MDS != nil {
 		var aaguid uuid.UUID
 
-		if aaguid, err = uuid.FromBytes(credential.Authenticator.AAGUID); err != nil {
+		if len(credential.Authenticator.AAGUID) == 0 {
+			aaguid = uuid.Nil
+		} else if aaguid, err = uuid.FromBytes(credential.Authenticator.AAGUID); err != nil {
 			return nil, protocol.ErrBadRequest.WithDetails("Failed to decode AAGUID").WithInfo(fmt.Sprintf("Error occurred decoding AAGUID from the credential record: %s", err)).WithError(err)
 		}
 
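Review bot: The added `if len(credential.Authenticator.AAGUID) == 0` branch folds two distinct situations into `uuid.Nil` — a credential record that never had an AAGUID persisted and an authenticator that genuinely attested the all-zero AAGUID — so whatever policy the metadata layer applies to the zero AAGUID (presumably a permit-zero-AAGUID style setting; that code is outside this hunk) now also decides whether a credential with no stored AAGUID may log in. That is a defensible policy choice, but it is hidden in a decode path, so it deserves a comment above the new `if`: `// An empty AAGUID means the credential record has none stored; treat it as the zero AAGUID so metadata policy, not decoding, decides whether to accept it.` Only the zero-length case is special-cased, so any other length that is not 16 bytes still fails via `uuid.FromBytes` with ErrBadRequest, which is the right outcome for a corrupt record. As a point of style, `aaguid = uuid.Nil` is redundant given `var aaguid uuid.UUID` two lines above already holds the zero value, though keeping it explicit is fine if paired with the comment. validateLogin starts and ends outside the hunk, so where aaguid is consumed could not be confirmed from here.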