authorMatthew Miller <matthew@millerti.me>2020-06-07 22:41:02 -0700
committerMatthew Miller <matthew@millerti.me>2020-06-07 22:41:02 -0700
commita2b231566244e25361f788cc4eb4321cfecdec01 (patch)
tree70862ca9e53f71bc919df3af2216aa82c43505ea
parent14aa5d112146113fa155e4e8dbca09fa6e46512c (diff)
Add additional checks for ID, RawID, CredType
-rw-r--r--packages/server/src/attestation/verifyAttestationResponse.ts18
1 files changed, 17 insertions, 1 deletions
diff --git a/packages/server/src/attestation/verifyAttestationResponse.ts b/packages/server/src/attestation/verifyAttestationResponse.ts
index e696027..374b79b 100644
--- a/packages/server/src/attestation/verifyAttestationResponse.ts
+++ b/packages/server/src/attestation/verifyAttestationResponse.ts
@@ -42,7 +42,23 @@ export default function verifyAttestationResponse(options: Options): VerifiedAtt
expectedRPID,
requireUserVerification = false,
} = options;
- const { response } = credential;
+ const { id, rawId, type: credentialType, response } = credential;
+
+ // Ensure credential specified an ID
+ if (!id) {
+ throw new Error('Missing credential ID');
+ }
+
+ // Ensure ID is base64url-encoded
+ if (id !== rawId) {
+ throw new Error('Credential ID was not base64url-encoded');
+ }
+
+ // Make sure credential type is public-key
+ if (credentialType !== 'public-key') {
+ throw new Error(`Unexpected credential type ${credentialType}, expected "public-key"`);
+ }
+
const clientDataJSON = decodeClientDataJSON(response.clientDataJSON);
const { type, origin, challenge } = clientDataJSON;
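Review bot: The `id !== rawId` test under the comment "Ensure ID is base64url-encoded" only shows that two client-supplied fields agree; it never inspects the encoding, so any identical pair passes (including equal non-string primitives from parsed JSON) and the error message misreports what failed. Consider validating the alphabet directly, e.g. `if (typeof id !== 'string' || !/^[A-Za-z0-9_-]+$/.test(id)) {`, and keeping the equality test as its own step with a message such as `'Credential ID does not match rawId'`. Both values are attacker-controllable input, so they are only trustworthy once compared with the credential ID parsed from the authenticator data. Whether that comparison happens cannot be seen here, because the body of verifyAttestationResponse continues outside the hunk.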