authorMatthew Miller <matthew@millerti.me>2020-06-07 22:41:15 -0700
committerMatthew Miller <matthew@millerti.me>2020-06-07 22:41:15 -0700
commit2f0c14cd340226c842dffb087fe5ce9f648fc5ad (patch)
tree2528b6479e39e9ab45b0381b264b236fe22cc069 /packages/server/src
parenta2b231566244e25361f788cc4eb4321cfecdec01 (diff)
Add tokenBinding checks
Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/attestation/verifyAttestationResponse.ts12
1 files changed, 11 insertions, 1 deletions
diff --git a/packages/server/src/attestation/verifyAttestationResponse.ts b/packages/server/src/attestation/verifyAttestationResponse.ts
index 374b79b..2ebf8d5 100644
--- a/packages/server/src/attestation/verifyAttestationResponse.ts
+++ b/packages/server/src/attestation/verifyAttestationResponse.ts
@@ -61,7 +61,7 @@ export default function verifyAttestationResponse(options: Options): VerifiedAtt
const clientDataJSON = decodeClientDataJSON(response.clientDataJSON);
- const { type, origin, challenge } = clientDataJSON;
+ const { type, origin, challenge, tokenBinding } = clientDataJSON;
// Make sure we're handling an attestation
if (type !== 'webauthn.create') {
@@ -81,6 +81,16 @@ export default function verifyAttestationResponse(options: Options): VerifiedAtt
throw new Error(`Unexpected attestation origin "${origin}", expected "${expectedOrigin}"`);
}
+ if (tokenBinding) {
+ if (!(tokenBinding instanceof Object)) {
+ throw new Error(`Unexpected value for TokenBinding "${tokenBinding}"`);
+ }
+
+ if (['present', 'supported', 'not-supported'].indexOf(tokenBinding.status) < 0) {
+ throw new Error(`Unexpected tokenBinding.status value of "${tokenBinding.status}"`);
+ }
+ }
+
const attestationObject = decodeAttestationObject(response.attestationObject);
const { fmt, authData, attStmt } = attestationObject;
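Review bot: The block added under `if (tokenBinding)` only checks that `tokenBinding.status` is one of three known strings; nothing visible here compares it with the Token Binding state of the connection the response arrived on, and a status of `present` is accepted with no `tokenBinding.id` at all. As written this is a shape check rather than a binding verification, so it should carry a comment saying so, e.g. `// Shape check only: status and id are not compared with the connection's Token Binding state`. At minimum a `present` status without an id should be rejected: `if (tokenBinding.status === 'present' && typeof tokenBinding.id !== 'string') { throw new Error('tokenBinding.id is required when status is "present"'); }`. The truthiness guard also lets falsy non-object values such as `""`, `0` or `false` skip validation entirely; `if (tokenBinding !== undefined)` would send them to the `instanceof Object` rejection. The body of `verifyAttestationResponse` starts and ends outside this hunk, so whether `Options` could carry an expected Token Binding ID is not visible here.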