author | Fabian Cook <hello@fabiancook.dev> | 2023-09-13 14:26:10 +1200 |
---|---|---|
committer | Fabian Cook <hello@fabiancook.dev> | 2023-09-13 14:26:10 +1200 |
commit | bf6c633aaea16235ef8c16f3d85ccbb0b2b03227 (patch) | |
tree | 510820e0340545df5d80319670a6c067ad0a578e | |
parent | 24fe104eba8ed6d1d694abf8a0b81224aa796941 (diff) |
Add tests for expectedType
3 files changed, 94 insertions, 2 deletions
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
index 822bdd9..b150aff 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
@@ -335,6 +335,40 @@ Deno.test('should throw an error if RP ID not in list of possible RP IDs', async
 );
 });
+Deno.test('should throw an error if type not the expected type', async () => {
+ await assertRejects(
+ () =>
+ verifyAuthenticationResponse({
+ response: assertionResponse,
+ expectedChallenge: assertionChallenge,
+ expectedOrigin: assertionOrigin,
+ // assertionResponse contains webauthn.get, this should produce an error
+ expectedType: 'payment.get',
+ expectedRPID: 'localhost',
+ authenticator: authenticator,
+ }),
+ Error,
+ 'Unexpected authentication response type',
+ );
+});
+
+Deno.test('should throw an error if type not in list of expected types', async () => {
+ await assertRejects(
+ () =>
+ verifyAuthenticationResponse({
+ response: assertionResponse,
+ expectedChallenge: assertionChallenge,
+ expectedOrigin: assertionOrigin,
+ // assertionResponse contains webauthn.get, this should produce an error
+ expectedType: ['payment.get', 'something.get'],
+ expectedRPID: 'localhost',
+ authenticator: authenticator,
+ }),
+ Error,
+ 'Unexpected authentication response type',
+ );
+});
+
 Deno.test('should pass verification if custom challenge verifier returns true', async () => {
 const verification = await verifyAuthenticationResponse({
 response: {
diff --git a/packages/server/src/registration/verifyRegistrationResponse.test.ts b/packages/server/src/registration/verifyRegistrationResponse.test.ts
index 59dbd13..fbe7aed 100644
--- a/packages/server/src/registration/verifyRegistrationResponse.test.ts
+++ b/packages/server/src/registration/verifyRegistrationResponse.test.ts
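Review bot: Both new cases exercise only the reject path; nothing in this commit shows that a matching value (`expectedType: 'webauthn.get'`, or a list containing it) still lets assertionResponse verify, so an implementation that rejected every response whenever expectedType is set would pass these tests unchanged. A companion case asserting `verification.verified` with `expectedType: ['webauthn.get', 'payment.get']` would pin the accept path for the list form, which the registration tests in this commit also leave uncovered. Minor style: `authenticator: authenticator,` can be the shorthand `authenticator,` in both added objects.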
@@ -219,6 +219,36 @@ Deno.test('should throw when response origin is not expected value', async () =>
 );
 });
+Deno.test('should throw when response type is not expected value', async () => {
+ await assertRejects(
+ () =>
+ verifyRegistrationResponse({
+ response: attestationNone,
+ expectedChallenge: attestationNoneChallenge,
+ expectedOrigin: 'https://dev.dontneeda.pw',
+ expectedRPID: 'dev.dontneeda.pw',
+ expectedType: 'something.get'
+ }),
+ Error,
+ 'registration response type',
+ );
+});
+
+Deno.test('should throw when response type is not in list of expected types', async () => {
+ await assertRejects(
+ () =>
+ verifyRegistrationResponse({
+ response: attestationNone,
+ expectedChallenge: attestationNoneChallenge,
+ expectedOrigin: 'https://dev.dontneeda.pw',
+ expectedRPID: 'dev.dontneeda.pw',
+ expectedType: ['something.create', 'something.else.create']
+ }),
+ Error,
+ 'registration response type',
+ );
+});
+
 Deno.test('should throw when attestation type is not webauthn.create', async () => {
 const origin = 'https://dev.dontneeda.pw';
 const challenge = attestationNoneChallenge;
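Review bot: The message given to assertRejects, `'registration response type'`, is also contained in the fallback error for the default webauthn.create check, so the assertion cannot tell which branch rejected the response; asserting the full text with the offending and expected values (e.g. `'Unexpected registration response type "webauthn.create", expected "something.get"'`, assuming attestationNone's client data carries webauthn.create as the neighbouring test title suggests) would pin both the branch and the message format. The same applies to the second case. The list form is only ever shown rejecting; the accept test added further down in this file covers the scalar form alone. Style: `expectedType: 'something.get'` and `expectedType: ['something.create', 'something.else.create']` lack the trailing comma used on the surrounding properties.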
@@ -250,6 +280,34 @@ Deno.test('should throw when attestation type is not webauthn.create', async ()
 mockDecodeClientData.restore();
 });
+Deno.test('should validate when attestation type is not webauthn.create and expected type provided', async () => {
+ const origin = 'https://dev.dontneeda.pw';
+ const challenge = attestationNoneChallenge;
+
+ const mockDecodeClientData = stub(
+ _decodeClientDataJSONInternals,
+ 'stubThis',
+ returnsNext([
+ {
+ origin,
+ type: 'webauthn.goodtype',
+ challenge: attestationNoneChallenge,
+ },
+ ]),
+ );
+
+ const verification = await verifyRegistrationResponse({
+ response: attestationNone,
+ expectedChallenge: challenge,
+ expectedOrigin: origin,
+ expectedRPID: 'dev.dontneeda.pw',
+ expectedType: 'webauthn.goodtype'
+ });
+ assert(verification.verified);
+
+ mockDecodeClientData.restore();
+});
+
 Deno.test('should throw if an unexpected attestation format is specified', async () => {
 const realAtteObj = decodeAttestationObject(
 isoBase64URL.toBuffer(attestationNone.response.attestationObject),
diff --git a/packages/server/src/registration/verifyRegistrationResponse.ts b/packages/server/src/registration/verifyRegistrationResponse.ts
index 842e7ee..d2399e8 100644
--- a/packages/server/src/registration/verifyRegistrationResponse.ts
+++ b/packages/server/src/registration/verifyRegistrationResponse.ts
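Review bot: `mockDecodeClientData.restore()` runs only on the happy path; if `verifyRegistrationResponse` rejects or `assert(verification.verified)` fails, the stub on `_decodeClientDataJSONInternals` stays installed and feeds `webauthn.goodtype` client data to every later test in the file, turning one failure into a cascade of unrelated ones. Wrapping the call and the assertion in a try/finally that restores the stub keeps the failure localized; the preceding test, whose tail opens this hunk, has the same shape. The name says "attestation type" but what is stubbed is the clientDataJSON `type`, so "client data type" would describe the case more accurately. Style: `expectedType: 'webauthn.goodtype'` is missing the trailing comma used on the properties above it.
```typescript
  const mockDecodeClientData = stub(
    // … unchanged: _decodeClientDataJSONInternals stub setup …
  );

  try {
    const verification = await verifyRegistrationResponse({
      response: attestationNone,
      expectedChallenge: challenge,
      expectedOrigin: origin,
      expectedRPID: 'dev.dontneeda.pw',
      expectedType: 'webauthn.goodtype',
    });
    assert(verification.verified);
  } finally {
    mockDecodeClientData.restore();
  }
```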
@@ -95,11 +95,11 @@ export async function verifyRegistrationResponse(
 if (Array.isArray(expectedType)) {
 if (!expectedType.includes(type)) {
 const joinedExpectedType = expectedType.join(', ');
- throw new Error(`Unexpected authentication response type "${type}", expected one of: ${joinedExpectedType}`);
+ throw new Error(`Unexpected registration response type "${type}", expected one of: ${joinedExpectedType}`);
 }
 } else if (expectedType) {
 if (type !== expectedType) {
- throw new Error(`Unexpected authentication response type "${type}", expected "${expectedType}"`);
+ throw new Error(`Unexpected registration response type "${type}", expected "${expectedType}"`);
 }
 } else if (type !== 'webauthn.create') {
 throw new Error(`Unexpected registration response type: ${type}`); |
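Review bot: With `expectedType: []` the first branch is taken, `[].includes(type)` is always false and the error ends in `expected one of: ` with nothing after the colon, so a misconfigured empty list rejects every registration with a message that does not say why; rejecting is the right outcome, but it deserves a comment on the `Array.isArray` line such as `// An empty list matches nothing and rejects every response; omit expectedType to fall back to the default 'webauthn.create' check.` The rest of the function, including where `type` and `expectedType` come from, is outside the hunk. Style: the default branch formats its message as `type: ${type}` while the two rewritten lines quote the value, so the three messages for the same condition differ in shape.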