authorMatthew Miller <matthew@millerti.me>2020-07-07 12:59:28 -0700
committerMatthew Miller <matthew@millerti.me>2020-07-07 12:59:28 -0700
commitb0b061b326b80b02f68a33ca337c8e585fec7b59 (patch)
treef8ca9d5782c3bdeecd69dd304dafa0343d8363ec
parentaf287ffa3d2f740f5005ab00ffa5d1557b4bb9f7 (diff)
Update verifyAssertionResponse to pass conformance
-rw-r--r--packages/server/src/assertion/verifyAssertionResponse.ts32
1 files changed, 20 insertions, 12 deletions
diff --git a/packages/server/src/assertion/verifyAssertionResponse.ts b/packages/server/src/assertion/verifyAssertionResponse.ts
index d0993f7..d4fc97a 100644
--- a/packages/server/src/assertion/verifyAssertionResponse.ts
+++ b/packages/server/src/assertion/verifyAssertionResponse.ts
@@ -14,7 +14,7 @@ type Options = {
expectedOrigin: string;
expectedRPID: string;
authenticator: AuthenticatorDevice;
- requireUserVerification?: boolean;
+ fidoUserVerification?: UserVerificationRequirement;
};
/**
@@ -28,8 +28,9 @@ type Options = {
* @param expectedOrigin Website URL that the attestation should have occurred on
* @param expectedRPID RP ID that was specified in the attestation options
* @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
- * @param requireUserVerification (Optional) Enforce user verification by the authenticator
- * (via PIN, fingerprint, etc...)
+ * @param fidoUserVerification (Optional) The value specified for `userVerification` when calling
+ * `generateAssertionOptions()`. Activates FIDO-specific user presence and verification checks.
+ * Omitting this value defaults verification to a WebAuthn-specific user presence requirement.
*/
export default function verifyAssertionResponse(options: Options): VerifiedAssertion {
const {
@@ -38,7 +39,7 @@ export default function verifyAssertionResponse(options: Options): VerifiedAsser
expectedOrigin,
expectedRPID,
authenticator,
- requireUserVerification = false,
+ fidoUserVerification,
} = options;
const { id, rawId, type: credentialType, response } = credential;
@@ -119,14 +120,21 @@ export default function verifyAssertionResponse(options: Options): VerifiedAsser
throw new Error(`Unexpected RP ID hash`);
}
- // Make sure someone was physically present
- if (!flags.up) {
- throw new Error('User not present during assertion');
- }
-
- // Enforce user verification if specified
- if (requireUserVerification && !flags.uv) {
- throw new Error('User verification required, but user could not be verified');
+ // Enforce user verification if required
+ if (fidoUserVerification) {
+ if (fidoUserVerification === 'required') {
+ // Require `flags.uv` be true (implies `flags.up` is true)
+ if (!flags.uv) {
+ throw new Error('User verification required, but user could not be verified');
+ }
+ } else if (fidoUserVerification === 'preferred' || fidoUserVerification === 'discouraged') {
+ // Ignore `flags.uv`
+ }
+ } else {
+ // WebAuthn only requires the user presence flag be true
+ if (!flags.up) {
+ throw new Error('User not present during assertion');
+ }
}
const clientDataHash = toHash(base64url.toBuffer(response.clientDataJSON));
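Review bot: When `fidoUserVerification` is 'preferred' or 'discouraged', the `else if` branch is empty, so neither `flags.uv` nor `flags.up` is checked and an assertion with the UP bit clear is accepted; the unconditional presence check that the removed lines had now survives only in the `else` (option omitted) path. WebAuthn's assertion verification requires the User Present bit regardless of the userVerification policy, so the `flags.up` check should cover every case; the one possible exemption is the 'required' branch, if the conformance suite genuinely sends UV=1/UP=0 there, which the commit implies but I cannot confirm from this hunk. The comment `(implies flags.up is true)` on that branch is not a spec guarantee and should instead say that UP is deliberately not checked there. Collapsing the chain to a required/else shape also means an unexpected runtime value for `fidoUserVerification` (the type is only compile-time) falls back to the presence check rather than skipping all checks.
```typescript
// Enforce user verification if required
if (fidoUserVerification === 'required') {
  // Only `flags.uv` is checked here; UP is intentionally not required
  // in this branch — confirm this is what the conformance suite needs.
  if (!flags.uv) {
    throw new Error('User verification required, but user could not be verified');
  }
} else {
  // 'preferred', 'discouraged' and the WebAuthn-only default (option omitted)
  // all still require the user presence flag; `flags.uv` is ignored.
  if (!flags.up) {
    throw new Error('User not present during assertion');
  }
}
// … unchanged: clientDataHash computation …
```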