author | Matthew Miller <matthew@millerti.me> | 2023-09-27 22:51:38 -0700 |
committer | GitHub <noreply@github.com> | 2023-09-27 22:51:38 -0700 |
commit | d9f85dbbffda27f27fbf8fa2341fb67aca93e201 (patch) | |
tree | 5ac4de6ef7fe0613e55ea7f40356f1518645f26e /packages/server/src/authentication/verifyAuthenticationResponse.ts | |
parent | 75fb63dc3de2cb9dede7e31c88f5ec29d3db1a29 (diff) | |
parent | bf6c633aaea16235ef8c16f3d85ccbb0b2b03227 (diff) |
Merge pull request #436 from opennetwork/expected-type
Add `expectedType` for verifyAuthenticationResponse and verifyRegistrationResponse
Diffstat (limited to 'packages/server/src/authentication/verifyAuthenticationResponse.ts')
-rw-r--r-- | packages/server/src/authentication/verifyAuthenticationResponse.ts | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.ts b/packages/server/src/authentication/verifyAuthenticationResponse.ts
index 41370a0..c938598 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.ts
@@ -18,6 +18,7 @@ export type VerifyAuthenticationResponseOpts = {
 expectedChallenge: string | ((challenge: string) => boolean | Promise<boolean>);
 expectedOrigin: string | string[];
 expectedRPID: string | string[];
+ expectedType?: string | string[];
 authenticator: AuthenticatorDevice;
 requireUserVerification?: boolean;
 advancedFIDOConfig?: {
@@ -35,6 +36,7 @@ export type VerifyAuthenticationResponseOpts = {
 * `generateAuthenticationOptions()`
 * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
 * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType (Optional) The response type expected ('webauthn.get')
 * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
 * @param requireUserVerification (Optional) Enforce user verification by the authenticator
 (via PIN, fingerprint, etc...)
@@ -52,6 +54,7 @@ export async function verifyAuthenticationResponse(
 expectedChallenge,
 expectedOrigin,
 expectedRPID,
+ expectedType,
 authenticator,
 requireUserVerification = true,
 advancedFIDOConfig,
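Review bot: The new `@param expectedType` line in the second hunk does not say what happens when the option is omitted, and the default is the security-relevant part: `clientDataJSON.type` is what separates an authentication (`webauthn.get`) response from other ceremonies, and this option lets callers widen that check. Suggest `@param expectedType (Optional) The response type expected ('webauthn.get'); when omitted the check falls back to 'webauthn.get'. List only types the RP actually requested, since this replaces the fixed type check.` The enclosing doc comment starts and ends outside the hunk.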
@@ -88,7 +91,16 @@ export async function verifyAuthenticationResponse(
 const { type, origin, challenge, tokenBinding } = clientDataJSON;
 // Make sure we're handling an authentication
- if (type !== 'webauthn.get') {
+ if (Array.isArray(expectedType)) {
+ if (!expectedType.includes(type)) {
+ const joinedExpectedType = expectedType.join(', ');
+ throw new Error(`Unexpected authentication response type "${type}", expected one of: ${joinedExpectedType}`);
+ }
+ } else if (expectedType) {
+ if (type !== expectedType) {
+ throw new Error(`Unexpected authentication response type "${type}", expected "${expectedType}"`);
+ }
+ } else if (type !== 'webauthn.get') {
 throw new Error(`Unexpected authentication response type: ${type}`);
 } |
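Review bot: The three branches of the new type check repeat the same rejection in three shapes with three different error messages, which makes it harder to see at a glance that the check fails closed for every form of `expectedType` (empty array, empty string, undefined). Normalizing the option to one allow-list and doing a single `includes` keeps the behaviour — `[]` still rejects everything, `''` and `undefined` still fall back to `'webauthn.get'` (the `||` rather than `??` is deliberate for that reason) — and leaves one message to grep for. This changes the text of the default-branch error, so keep the old message if any caller matches on it. The body of `verifyAuthenticationResponse` continues outside the hunk.
```typescript
  const { type, origin, challenge, tokenBinding } = clientDataJSON;

  // Make sure we're handling an authentication: normalize to an allow-list so every
  // shape of `expectedType` takes the same fail-closed path
  const allowedTypes = Array.isArray(expectedType)
    ? expectedType
    : [expectedType || 'webauthn.get'];
  if (!allowedTypes.includes(type)) {
    throw new Error(
      `Unexpected authentication response type "${type}", expected one of: ${allowedTypes.join(', ')}`,
    );
  }
```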