From fbfaa06cbb143ca71b224b0c327b1f96eee8b227 Mon Sep 17 00:00:00 2001
From: Andreas Coroiu
Date: Wed, 22 Mar 2023 10:28:28 +0100
Subject: [PATCH] [EC-598] feat: confirm new credentials

---
 ...fido2-authenticator.service.abstraction.ts | 1 +
 .../fido2-authenticator.service.spec.ts | 32 ++++++++++++++++++-
 .../services/fido2-authenticator.service.ts | 11 +++++++
 3 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts b/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
index 0282517552..79f3344769 100644
--- a/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
+++ b/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
@@ -12,6 +12,7 @@ export enum Fido2AutenticatorErrorCode {
   CTAP2_ERR_UNSUPPORTED_ALGORITHM,
   CTAP2_ERR_INVALID_OPTION,
   CTAP2_ERR_PIN_AUTH_INVALID,
+  CTAP2_ERR_OPERATION_DENIED,
 }
 
 export class Fido2AutenticatorError extends Error {
diff --git a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
index 6d474f0400..20c9189fbe 100644
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
@@ -11,7 +11,10 @@ import {
   Fido2AutenticatorErrorCode,
   Fido2AuthenticatorMakeCredentialsParams,
 } from "../abstractions/fido2-authenticator.service.abstraction";
-import { Fido2UserInterfaceService } from "../abstractions/fido2-user-interface.service.abstraction";
+import {
+  Fido2UserInterfaceService,
+  NewCredentialParams,
+} from "../abstractions/fido2-user-interface.service.abstraction";
 import { Fido2Utils } from "../abstractions/fido2-utils";
 import { Fido2Key } from "../models/domain/fido2-key";
@@ -123,6 +126,33 @@ describe("FidoAuthenticatorService", () => {
       );
     });
   });
+
+  describe("when input passes all initial checks", () => {
+    /** Spec: show the items contained within the user and rp parameter structures to the user. */
+    it("should request confirmation from user", async () => {
+      userInterface.confirmNewCredential.mockResolvedValue(true);
+      const params = await createCredentialParams();
+
+      await authenticator.makeCredential(params);
+
+      expect(userInterface.confirmNewCredential).toHaveBeenCalledWith({
+        credentialName: params.rp.name,
+        userName: params.user.name,
+      } as NewCredentialParams);
+    });
+
+    /** Spec: If the user declines permission */
+    it("should throw error if user denies creation request", async () => {
+      userInterface.confirmNewCredential.mockResolvedValue(false);
+      const params = await createCredentialParams();
+
+      const result = async () => await authenticator.makeCredential(params);
+
+      await expect(result).rejects.toThrowError(
+        Fido2AutenticatorErrorCode[Fido2AutenticatorErrorCode.CTAP2_ERR_OPERATION_DENIED]
+      );
+    });
+  });
   });
 });
diff --git a/libs/common/src/webauthn/services/fido2-authenticator.service.ts b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
index 4745f3e9e1..1abfb062d5 100644
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
@@ -53,6 +53,17 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
     if (params.pinAuth != undefined) {
       throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_PIN_AUTH_INVALID);
     }
+
+    if (!duplicateExists) {
+      const userVerification = await this.userInterface.confirmNewCredential({
+        credentialName: params.rp.name,
+        userName: params.user.name,
+      });
+
+      if (!userVerification) {
+        throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_OPERATION_DENIED);
+      }
+    }
   }
 
   private async vaultContainsId(ids: string[]): Promise {
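Review bot: The first new test's `toHaveBeenCalledWith({ ... } as NewCredentialParams)` uses a type assertion where a typed declaration would actually check the object shape instead of silencing mismatches; `const expected: NewCredentialParams = { credentialName: params.rp.name, userName: params.user.name };` followed by `expect(userInterface.confirmNewCredential).toHaveBeenCalledWith(expected);` keeps the same assertion with compile-time checking. In the second test `const result = async () => await authenticator.makeCredential(params);` wraps a promise in a redundant async/await layer; `const result = () => authenticator.makeCredential(params);` behaves identically. The service only prompts when `!duplicateExists`, but neither new test covers the duplicate path where `confirmNewCredential` must not be called, so a third `it` asserting `expect(userInterface.confirmNewCredential).not.toHaveBeenCalled()` would pin that branch, assuming `createCredentialParams` can be given an excluded credential. The enclosing `describe` blocks start outside this hunk.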
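Review bot: The local `userVerification` holds the user's consent to create the credential, not CTAP "user verification" (PIN/biometric), so the name invites confusion with the separate `uv` concept; `const userConfirmed = await this.userInterface.confirmNewCredential({` and `if (!userConfirmed) {` read correctly, with a why-comment such as `// CTAP2 makeCredential: the user must consent to creating the credential; a decline maps to CTAP2_ERR_OPERATION_DENIED.` The dialog is fed only `params.rp.name` and `params.user.name`, both relying-party-supplied display strings that nothing in this hunk ties to the requesting origin, so a misleading `rp.name` would be shown to the user verbatim; if `NewCredentialParams` can carry it, also passing the RP identifier (`params.rp.id`, assuming the params type exposes it as WebAuthn defines) lets the prompt name the actual RP, and the UI layer should render these values as text rather than markup. Where `duplicateExists` is computed and the rest of `makeCredential` lie outside this hunk, so whether the duplicate path still performs a user-presence check cannot be judged here.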