fix: check the credential id length att data (#16)

This checks the credential id length based on the spec. See https://w3c.github.io/webauthn/#attested-credential-data.

Author: james-d-elliott

protocol/authenticator.go

@@ -8,9 +8,10 @@ import (
 	"github.com/go-webauthn/webauthn/protocol/webauthncbor"
 )
 
-var (
+const (
 	minAuthDataLength     = 37
 	minAttestedAuthLength = 55
+	maxCredentialIDLength = 1023
 )
 
 // Authenticators respond to Relying Party requests by returning an object derived from the
@@ -203,6 +204,10 @@ func (a *AuthenticatorData) unmarshalAttestedData(rawAuthData []byte) (err error
 		return ErrBadRequest.WithDetails("Authenticator attestation data length too short")
 	}
 
+	if idLength > maxCredentialIDLength {
+		return ErrBadRequest.WithDetails("Authenticator attestation data credential id length too long")
+	}
+
 	a.AttData.CredentialID = rawAuthData[55 : 55+idLength]
 
 	a.AttData.CredentialPublicKey, err = unmarshalCredentialPublicKey(rawAuthData[55+idLength:])