[EC-598] feat: hash client data and throw if aborted

2025-03-02 03:41:09 +01:00 · 2023-03-30 15:05:58 +02:00 · 2023-03-30 15:05:58 +02:00 · 6fd5801739
commit 6fd5801739
parent 259e646ed7
2 changed files with 36 additions and 2 deletions
--- a/libs/common/src/webauthn/services/fido2-client.service.spec.ts
+++ b/libs/common/src/webauthn/services/fido2-client.service.spec.ts
@ -100,6 +100,21 @@ describe("FidoAuthenticatorService", () => {
      });
    });

+    describe("aborting", () => {
+      // Spec: If the options.signal is present and its aborted flag is set to true, return a DOMException whose name is "AbortError" and terminate this algorithm.
+      it("should throw error if aborting using abort controller", async () => {
+        const params = createParams({});
+        const abortController = new AbortController();
+        abortController.abort();
+
+        const result = async () => await client.createCredential(params, abortController);
+
+        const rejects = expect(result).rejects;
+        await rejects.toMatchObject({ name: "AbortError" });
+        await rejects.toBeInstanceOf(DOMException);
+      });
+    });
+
    function createParams(params: Partial<CreateCredentialParams> = {}): CreateCredentialParams {
      return {
        origin: params.origin ?? "bitwarden.com",
--- a/libs/common/src/webauthn/services/fido2-client.service.ts
+++ b/libs/common/src/webauthn/services/fido2-client.service.ts
@ -1,5 +1,6 @@
 import { parse } from "tldts";

+import { Utils } from "../../misc/utils";
 import { Fido2AuthenticatorService } from "../abstractions/fido2-authenticator.service.abstraction";
 import {
  AssertCredentialParams,
@ -14,9 +15,9 @@ import { Fido2Utils } from "../abstractions/fido2-utils";
 export class Fido2ClientService implements Fido2ClientServiceAbstraction {
  constructor(private authenticator: Fido2AuthenticatorService) {}

-  createCredential(
+  async createCredential(
    params: CreateCredentialParams,
-    abortController?: AbortController
+    abortController: AbortController = new AbortController()
  ): Promise<CreateCredentialResult> {
    if (!params.sameOriginWithAncestors) {
      throw new DOMException("Invalid 'sameOriginWithAncestors' value", "NotAllowedError");
@ -52,6 +53,24 @@ export class Fido2ClientService implements Fido2ClientServiceAbstraction {
    if (credTypesAndPubKeyAlgs.length === 0) {
      throw new DOMException("No supported key algorithms were found", "NotSupportedError");
    }
+
+    const collectedClientData = {
+      type: "webauthn.create",
+      challenge: params.challenge,
+      origin: params.origin,
+      crossOrigin: !params.sameOriginWithAncestors,
+      // tokenBinding: {} // Not currently supported
+    };
+    const clientDataJSON = JSON.stringify(collectedClientData);
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const clientDataHash = await crypto.subtle.digest(
+      { name: "SHA-256" },
+      Utils.fromByteStringToArray(clientDataJSON)
+    );
+
+    if (abortController.signal.aborted) {
+      throw new DOMException(undefined, "AbortError");
+    }
  }

  assertCredential(