[EC-598] feat: confirm new credentials

2025-01-31 22:51:28 +01:00 · 2023-03-22 10:28:28 +01:00 · 2023-03-22 10:28:28 +01:00 · fbfaa06cbb
commit fbfaa06cbb
parent 260ea22adb
3 changed files with 43 additions and 1 deletions
--- a/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
+++ b/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
@ -12,6 +12,7 @@ export enum Fido2AutenticatorErrorCode {
  CTAP2_ERR_UNSUPPORTED_ALGORITHM,
  CTAP2_ERR_INVALID_OPTION,
  CTAP2_ERR_PIN_AUTH_INVALID,
+  CTAP2_ERR_OPERATION_DENIED,
 }

 export class Fido2AutenticatorError extends Error {
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
@ -11,7 +11,10 @@ import {
  Fido2AutenticatorErrorCode,
  Fido2AuthenticatorMakeCredentialsParams,
 } from "../abstractions/fido2-authenticator.service.abstraction";
-import { Fido2UserInterfaceService } from "../abstractions/fido2-user-interface.service.abstraction";
+import {
+  Fido2UserInterfaceService,
+  NewCredentialParams,
+} from "../abstractions/fido2-user-interface.service.abstraction";
 import { Fido2Utils } from "../abstractions/fido2-utils";
 import { Fido2Key } from "../models/domain/fido2-key";

@ -123,6 +126,33 @@ describe("FidoAuthenticatorService", () => {
        );
      });
    });
+
+    describe("when input passes all initial checks", () => {
+      /** Spec: show the items contained within the user and rp parameter structures to the user. */
+      it("should request confirmation from user", async () => {
+        userInterface.confirmNewCredential.mockResolvedValue(true);
+        const params = await createCredentialParams();
+
+        await authenticator.makeCredential(params);
+
+        expect(userInterface.confirmNewCredential).toHaveBeenCalledWith({
+          credentialName: params.rp.name,
+          userName: params.user.name,
+        } as NewCredentialParams);
+      });
+
+      /** Spec: If the user declines permission */
+      it("should throw error if user denies creation request", async () => {
+        userInterface.confirmNewCredential.mockResolvedValue(false);
+        const params = await createCredentialParams();
+
+        const result = async () => await authenticator.makeCredential(params);
+
+        await expect(result).rejects.toThrowError(
+          Fido2AutenticatorErrorCode[Fido2AutenticatorErrorCode.CTAP2_ERR_OPERATION_DENIED]
+        );
+      });
+    });
  });
 });

--- a/libs/common/src/webauthn/services/fido2-authenticator.service.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
@ -53,6 +53,17 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
    if (params.pinAuth != undefined) {
      throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_PIN_AUTH_INVALID);
    }
+
+    if (!duplicateExists) {
+      const userVerification = await this.userInterface.confirmNewCredential({
+        credentialName: params.rp.name,
+        userName: params.user.name,
+      });
+
+      if (!userVerification) {
+        throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_OPERATION_DENIED);
+      }
+    }
  }

  private async vaultContainsId(ids: string[]): Promise<boolean> {