[PM-5725] New passkeys should always return 0 as counter value (#8024)

* [PM-5725] feat: do not increment counter if is zero * [PM-5725] feat: skip save to server when counter is 0
2024-11-25 12:15:18 +01:00 · 2024-03-01 14:58:55 +01:00 · 2024-03-01 14:58:55 +01:00 · 7bbde647f4
commit 7bbde647f4
parent 8d528c2d4a
2 changed files with 21 additions and 5 deletions
--- a/libs/common/src/vault/services/fido2/fido2-authenticator.service.spec.ts
+++ b/libs/common/src/vault/services/fido2/fido2-authenticator.service.spec.ts
@ -656,14 +656,14 @@ describe("FidoAuthenticatorService", () => {
      beforeEach(init);

      /** Spec: Increment the credential associated signature counter */
-      it("should increment counter", async () => {
+      it("should increment counter and save to server when stored counter is larger than zero", async () => {
        const encrypted = Symbol();
        cipherService.encrypt.mockResolvedValue(encrypted as any);
+        ciphers[0].login.fido2Credentials[0].counter = 9000;

        await authenticator.getAssertion(params, tab);

        expect(cipherService.updateWithServer).toHaveBeenCalledWith(encrypted);
-
        expect(cipherService.encrypt).toHaveBeenCalledWith(
          expect.objectContaining({
            id: ciphers[0].id,
@ -678,6 +678,17 @@ describe("FidoAuthenticatorService", () => {
        );
      });

+      /** Spec: Authenticators that do not implement a signature counter leave the signCount in the authenticator data constant at zero. */
+      it("should not save to server when stored counter is zero", async () => {
+        const encrypted = Symbol();
+        cipherService.encrypt.mockResolvedValue(encrypted as any);
+        ciphers[0].login.fido2Credentials[0].counter = 0;
+
+        await authenticator.getAssertion(params, tab);
+
+        expect(cipherService.updateWithServer).not.toHaveBeenCalled();
+      });
+
      it("should return an assertion result", async () => {
        const result = await authenticator.getAssertion(params, tab);

--- a/libs/common/src/vault/services/fido2/fido2-authenticator.service.ts
+++ b/libs/common/src/vault/services/fido2/fido2-authenticator.service.ts
@ -257,14 +257,19 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
        const selectedFido2Credential = selectedCipher.login.fido2Credentials[0];
        const selectedCredentialId = selectedFido2Credential.credentialId;

-        ++selectedFido2Credential.counter;
+        if (selectedFido2Credential.counter > 0) {
+          ++selectedFido2Credential.counter;
+        }

        selectedCipher.localData = {
          ...selectedCipher.localData,
          lastUsedDate: new Date().getTime(),
        };
-        const encrypted = await this.cipherService.encrypt(selectedCipher);
-        await this.cipherService.updateWithServer(encrypted);
+
+        if (selectedFido2Credential.counter > 0) {
+          const encrypted = await this.cipherService.encrypt(selectedCipher);
+          await this.cipherService.updateWithServer(encrypted);
+        }

        const authenticatorData = await generateAuthData({
          rpId: selectedFido2Credential.rpId,