fix(passkeys): sign_count should be uint32

Author: fadymak

internal/api/apierrors/errorcode.go

@@ -118,9 +118,9 @@ const (
 	ErrorCodeTooManyPasskeys ErrorCode = "too_many_passkeys"
 
 	// WebAuthn protocol-level errors (shared between passkeys and MFA WebAuthn)
-	ErrorCodeWebAuthnCredentialNotFound ErrorCode = "webauthn_credential_not_found"
+	ErrorCodeWebAuthnCredentialNotFound ErrorCode = "webauthn_credential_not_found" // #nosec G101 -- not a credential
 	ErrorCodeWebAuthnChallengeNotFound  ErrorCode = "webauthn_challenge_not_found"
 	ErrorCodeWebAuthnChallengeExpired   ErrorCode = "webauthn_challenge_expired"
 	ErrorCodeWebAuthnVerificationFailed ErrorCode = "webauthn_verification_failed"
-	ErrorCodeWebAuthnCredentialExists   ErrorCode = "webauthn_credential_exists"
+	ErrorCodeWebAuthnCredentialExists   ErrorCode = "webauthn_credential_exists" // #nosec G101 -- not a credential
 )

internal/api/passkey_virtual_authenticator_test.go

@@ -103,7 +103,7 @@ func (va *virtualAuthenticator) buildAuthData(credentialID []byte, privKey *ecds
 	// attestedCredentialData: aaguid (16) || credIdLen (2) || credId || coseKey
 	aaguid := make([]byte, 16) // all zeros
 	credIDLen := make([]byte, 2)
-	binary.BigEndian.PutUint16(credIDLen, uint16(len(credentialID)))
+	binary.BigEndian.PutUint16(credIDLen, uint16(len(credentialID))) //#nosec G115 — we control the length and ensure it's within bounds
 
 	var authData []byte
 	authData = append(authData, rpIDHash[:]...)

internal/models/webauthn_credential.go

@@ -53,7 +53,7 @@ type WebAuthnCredential struct {
 	PublicKey       []byte             `json:"-" db:"public_key"`
 	AttestationType string             `json:"attestation_type" db:"attestation_type"`
 	AAGUID          *uuid.UUID         `json:"aaguid,omitempty" db:"aaguid"`
-	SignCount       int64              `json:"sign_count" db:"sign_count"`
+	SignCount       uint32             `json:"sign_count" db:"sign_count"`
 	Transports      WebAuthnTransports `json:"transports" db:"transports"`
 	BackupEligible  bool               `json:"backup_eligible" db:"backup_eligible"`
 	BackedUp        bool               `json:"backed_up" db:"backed_up"`
@@ -76,7 +76,7 @@ func NewWebAuthnCredential(userID uuid.UUID, cred *webauthn.Credential, friendly
 		CredentialID:    cred.ID,
 		PublicKey:       cred.PublicKey,
 		AttestationType: cred.AttestationType,
-		SignCount:       int64(cred.Authenticator.SignCount),
+		SignCount:       cred.Authenticator.SignCount,
 		Transports:      WebAuthnTransports(cred.Transport),
 		BackupEligible:  cred.Flags.BackupEligible,
 		BackedUp:        cred.Flags.BackupState,
@@ -105,7 +105,7 @@ func (pc *WebAuthnCredential) ToWebAuthnCredential() webauthn.Credential {
 			BackupState:    pc.BackedUp,
 		},
 		Authenticator: webauthn.Authenticator{
-			SignCount: uint32(pc.SignCount),
+			SignCount: pc.SignCount,
 		},
 	}
 
@@ -154,7 +154,7 @@ func CountWebAuthnCredentialsByUserID(conn *storage.Connection, userID uuid.UUID
 	return count, nil
 }
 
-func (pc *WebAuthnCredential) UpdateSignCount(tx *storage.Connection, signCount int64) error {
+func (pc *WebAuthnCredential) UpdateSignCount(tx *storage.Connection, signCount uint32) error {
 	pc.SignCount = signCount
 	return tx.UpdateOnly(pc, "sign_count", "updated_at")
 }

internal/models/webauthn_credential_test.go

@@ -112,11 +112,11 @@ func (ts *WebAuthnCredentialTestSuite) TestUpdateSignCount() {
 	pc := ts.createTestCredential("sign-count-test", false)
 
 	require.NoError(ts.T(), pc.UpdateSignCount(ts.db, 42))
-	require.Equal(ts.T(), int64(42), pc.SignCount)
+	require.Equal(ts.T(), uint32(42), pc.SignCount)
 
 	found, err := FindWebAuthnCredentialByID(ts.db, pc.ID)
 	require.NoError(ts.T(), err)
-	require.Equal(ts.T(), int64(42), found.SignCount)
+	require.Equal(ts.T(), uint32(42), found.SignCount)
 }
 
 func (ts *WebAuthnCredentialTestSuite) TestUpdateLastUsedAt() {