[PM-6631] Handle Fido2VerificationException during passkey attestation and assertion#59

Open
lizard-boy wants to merge 8 commits into main from auth/pm-6631/handle-webauthn-creation-exception

Conversation

@lizard-boy lizard-boy commented Oct 19, 2024


Type of change

- [X] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

In bitwarden#3615 we handled the Fido2VerificationException when asserting a WebAuthn credential for 2FA.

In this PR, we address the MakeNewCredentialAsync methods similarly, as well as the MakeAssertionAsync when asserting a WebAuthn credential for login, which was missed in bitwarden#3615.

📓 We have https://bitwarden.atlassian.net/browse/PM-4172 in the backlog to consolidate the implementations, at which point we should consider an abstraction.

Code changes

  • AssertWebAuthnLoginCredentialCommand: Added try/catch around assertion that returns a BadRequestException instead of the unhandled exception returned previously. This will be handled on the client, as it is the pattern already established in the class for communicating assertion errors.
  • CreateWebAuthnLoginCredentialCommand: Added try/catch around attestation that returns false along with a log message. I did this instead of throwing a BadRequestException as this is the pattern already established in this command for handling invalid data. I added a log here as returning false gives no indication of the root cause.
  • UserService: Added try/catch around attestation that returns false along with a log message. I did this instead of throwing a BadRequestException as this is the pattern already established in this command for handling invalid data. I added a log here as returning false gives no indication of the root cause.

Before you submit

  • Please check for formatting errors (dotnet format --verify-no-changes) (required)
  • If making database changes - make sure you also update Entity Framework queries and/or migrations
  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team

Greptile Summary

This pull request addresses exception handling for WebAuthn credential creation and assertion, focusing on improving error management in three key files:

  • Added try/catch block in AssertWebAuthnLoginCredentialCommand.cs to handle Fido2VerificationException during login credential assertion
  • Implemented error handling in CreateWebAuthnLoginCredentialCommand.cs for WebAuthn credential creation, returning false and logging errors on exception
  • Enhanced UserService.cs to catch Fido2VerificationException during WebAuthn registration, logging the error and returning false on failure
  • Centralized BadRequestException throwing in AssertWebAuthnLoginCredentialCommand.cs for consistent error handling
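The two handling patterns the PR describes (assertion failures mapped to a generic BadRequestException; attestation failures turned into a logged `false`), shown as an added, self-contained C# example that is not Bitwarden's code. Fido2NetLib's `Fido2VerificationException`, `BadRequestException`, the `IFido2Verifier` interface, `AssertionResult` and the `FakeVerifier` are stand-ins constructed for this example so it compiles without the library; the helper carries `[DoesNotReturn]` so nullable flow analysis can see that the catch branch never falls through to the `.Counter` access.

```csharp
#nullable enable
using System;
using System.Diagnostics.CodeAnalysis;
using System.Threading.Tasks;

// Stand-in for Fido2NetLib.Fido2VerificationException (assumption: only the name and shape matter here).
public sealed class Fido2VerificationException : Exception
{
    public Fido2VerificationException(string message) : base(message) { }
}

// Stand-in for the server's BadRequestException (assumption, as above).
public sealed class BadRequestException : Exception
{
    public BadRequestException(string message) : base(message) { }
}

public sealed class AssertionResult
{
    public uint Counter { get; set; }   // signature counter reported by the authenticator
}

// Minimal abstraction over the library's two verification calls so the example runs with a fake.
public interface IFido2Verifier
{
    Task<AssertionResult> MakeAssertionAsync(uint storedCounter);
    Task MakeNewCredentialAsync();
}

public sealed class WebAuthnHandlers
{
    private readonly IFido2Verifier _fido2;
    private readonly Action<string> _log;

    public WebAuthnHandlers(IFido2Verifier fido2, Action<string> log)
    {
        _fido2 = fido2;
        _log = log;
    }

    // Login assertion: a verification failure is logged with its type and message server-side,
    // and the client only receives the generic "Invalid credential." bad request.
    public async Task<uint> AssertAsync(uint storedCounter)
    {
        AssertionResult? result = null;
        try
        {
            result = await _fido2.MakeAssertionAsync(storedCounter);
        }
        catch (Fido2VerificationException e)
        {
            _log($"WebAuthn assertion rejected: {e.GetType().Name}: {e.Message}");
            ThrowInvalidCredentialException();
        }
        // No nullable warning here: [DoesNotReturn] tells the analyzer the catch never completes,
        // so the only path reaching this line is the one that assigned result.
        return result.Counter;   // the caller persists the new counter only after success
    }

    // Credential creation: same signal the command already uses for invalid input (false),
    // but with a log line so the root cause is not lost.
    public async Task<bool> TryCreateAsync()
    {
        try
        {
            await _fido2.MakeNewCredentialAsync();
            return true;
        }
        catch (Fido2VerificationException e)
        {
            _log($"WebAuthn attestation rejected: {e.GetType().Name}: {e.Message}");
            return false;
        }
    }

    [DoesNotReturn]
    private static void ThrowInvalidCredentialException()
        => throw new BadRequestException("Invalid credential.");
}

// Constructed fake: accepts an assertion only from a fresh counter, rejects every attestation.
public sealed class FakeVerifier : IFido2Verifier
{
    public Task<AssertionResult> MakeAssertionAsync(uint storedCounter)
    {
        if (storedCounter > 0)
            return Task.FromException<AssertionResult>(
                new Fido2VerificationException("Signature counter did not increase"));
        return Task.FromResult(new AssertionResult { Counter = storedCounter + 1 });
    }

    public Task MakeNewCredentialAsync()
        => Task.FromException(new Fido2VerificationException("Attestation statement invalid"));
}

public static class Program
{
    public static async Task Main()
    {
        var handlers = new WebAuthnHandlers(new FakeVerifier(), Console.Error.WriteLine);

        Console.WriteLine($"assertion ok, new counter = {await handlers.AssertAsync(0)}");
        try { await handlers.AssertAsync(5); }
        catch (BadRequestException e) { Console.WriteLine($"client sees: {e.Message}"); }
        Console.WriteLine($"attestation accepted: {await handlers.TryCreateAsync()}");
    }
}
```

Compile with `dotnet` on any SDK that supports nullable reference types (C# 8 or later). The detail that matters for review is the split between what is logged and what is returned: the exception type and message go to the server log, while the response carries only the fixed "Invalid credential." text, which is the same shape the PR's own AssertWebAuthnLoginCredentialCommand produces.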

@greptile-apps greptile-apps Bot left a comment


3 file(s) reviewed, 3 comment(s)

Comment on lines +50 to +59
Fido2NetLib.Objects.AssertionVerificationResult assertionVerificationResult = null;
try
{
    assertionVerificationResult = await _fido2.MakeAssertionAsync(
        assertionResponse, options, credentialPublicKey, (uint)credential.Counter, callback);
}
catch (Fido2VerificationException)
{
    ThrowInvalidCredentialException();
}


style: The catch block swallows the specific exception details. Consider logging the exception message or type for better diagnostics.

Comment on lines 62 to 63
credential.Counter = (int)assertionVerificationResult.Counter;
await _webAuthnCredentialRepository.ReplaceAsync(credential);


logic: Ensure that assertionVerificationResult is not null before accessing its properties.

Comment on lines +73 to +76
private void ThrowInvalidCredentialException()
{
    throw new BadRequestException("Invalid credential.");
}
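Review bot: Because ThrowInvalidCredentialException() is a void method, neither the reader nor the compiler's nullable flow analysis can see that the catch block at lines 50 to 59 never falls through, which is what makes the later `assertionVerificationResult.Counter` access at lines 62 to 63 look like a possible null dereference. Annotating the helper with `[DoesNotReturn]` (System.Diagnostics.CodeAnalysis) documents the intent and removes the nullable warning; alternatively, throw the BadRequestException inline in the catch so the control flow is obvious at the call site.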


style: Consider making this method more flexible by allowing custom error messages or including more context in the exception.
