From e1833ca35213dc7b6f82af6e2467c95370d50ffe Mon Sep 17 00:00:00 2001
From: Andreas Coroiu
Date: Tue, 21 Mar 2023 17:27:52 +0100
Subject: [PATCH] [EC-598] feat: add check for invalid option values
---
 ...fido2-authenticator.service.abstraction.ts | 1 +
 .../fido2-authenticator.service.spec.ts | 24 +++++++++++++++++++
 .../services/fido2-authenticator.service.ts | 8 +++++++
 3 files changed, 33 insertions(+)
diff --git a/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts b/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
index 3effd99302..e0cef76379 100644
--- a/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
+++ b/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
@@ -10,6 +10,7 @@ export enum Fido2AlgorithmIdentifier {
 export enum Fido2AutenticatorErrorCode {
 CTAP2_ERR_CREDENTIAL_EXCLUDED,
 CTAP2_ERR_UNSUPPORTED_ALGORITHM,
+ CTAP2_ERR_INVALID_OPTION,
 }
 export class Fido2AutenticatorError extends Error {
diff --git a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
index 48e68a6c9c..ec3f02a8dd 100644
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
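Review bot: In the abstraction file's hunk, `CTAP2_ERR_INVALID_OPTION` is appended without an explicit value, so it gets the implicit ordinal 2 rather than the status byte CTAP assigns to this error (0x2C). The spec test in this patch matches on the member name, so nothing visible depends on the number, but any later code that logs or serialises the numeric value would emit a misleading code, and reordering members would silently renumber them. Consider pinning it as `CTAP2_ERR_INVALID_OPTION = 0x2c,` and giving the two existing members their CTAP values in a follow-up. The Fido2AutenticatorError class that consumes the enum continues outside the hunk.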
@@ -80,6 +80,30 @@ describe("FidoAuthenticatorService", () => {
 Fido2AutenticatorErrorCode[Fido2AutenticatorErrorCode.CTAP2_ERR_UNSUPPORTED_ALGORITHM]
 );
 });
+
+ describe("when options parameter is present", () => {
+ /** Spec: If the option is known but not valid for this command, terminate this procedure */
+ it("should throw error when rk has invalid value", async () => {
+ const params = await createCredentialParams({ options: { rk: "invalid-value" as any } });
+
+ const result = async () => await authenticator.makeCredential(params);
+
+ await expect(result).rejects.toThrowError(
+ Fido2AutenticatorErrorCode[Fido2AutenticatorErrorCode.CTAP2_ERR_INVALID_OPTION]
+ );
+ });
+
+ /** Spec: If the option is known but not valid for this command, terminate this procedure */
+ it("should throw error when uv has invalid value", async () => {
+ const params = await createCredentialParams({ options: { uv: "invalid-value" as any } });
+
+ const result = async () => await authenticator.makeCredential(params);
+
+ await expect(result).rejects.toThrowError(
+ Fido2AutenticatorErrorCode[Fido2AutenticatorErrorCode.CTAP2_ERR_INVALID_OPTION]
+ );
+ });
+ });
 });
 });
diff --git a/libs/common/src/webauthn/services/fido2-authenticator.service.ts b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
index 9a63f3199d..7e435759c3 100644
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
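Review bot: Both new tests feed only the string `"invalid-value"`, which a much looser check would also reject; the inputs most likely to slip past option validation are non-boolean truthy/falsy values such as `1`, `0` or `null`. The two cases are otherwise identical, so a table would cover more with less code, for example `it.each([["rk", 1], ["uv", 0], ["uv", "invalid-value"]])("should throw when %s is %p", ...)`. No case in this hunk shows that `rk: true` or `uv: false` is still accepted, which would guard against an over-eager check; that may exist elsewhere in the file, since the enclosing describe starts outside the hunk.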
@@ -41,6 +41,14 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
 if (params.pubKeyCredParams.every((p) => p.alg !== Fido2AlgorithmIdentifier.ES256)) {
 throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_UNSUPPORTED_ALGORITHM);
 }
+
+ if (params.options?.rk != undefined && typeof params.options.rk !== "boolean") {
+ throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_INVALID_OPTION);
+ }
+
+ if (params.options?.uv != undefined && typeof params.options.uv !== "boolean") {
+ throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_INVALID_OPTION);
+ }
 }
 private async vaultContainsId(ids: string[]): Promise {
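Review bot: Both added guards test `!= undefined`, and the loose comparison treats `null` as absent, so `options: { uv: null }` skips the type check and reaches the rest of the method as a non-boolean. If null is meant to count as "not supplied", a comment saying so would make that explicit; otherwise use strict comparison so it is rejected like any other wrong type, e.g. `if (params.options?.uv !== undefined && typeof params.options.uv !== "boolean") {`, and the same for `rk`. A one-line comment above the block quoting the spec step the tests cite ("If the option is known but not valid for this command, terminate this procedure") would tie the checks to their source. The enclosing method begins outside the hunk, so how `rk` and `uv` are consumed afterwards is not visible here.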