Add matched RPID to verify response

5 files changed, 41 insertions, 6 deletions

diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
index 5547224..c996991 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
@@ -45,6 +45,7 @@ test('should return authenticator info after verification', async () => {
   expect(verification.authenticationInfo.newCounter).toEqual(144);
   expect(verification.authenticationInfo.credentialID).toEqual(authenticator.credentialID);
   expect(verification.authenticationInfo?.origin).toEqual(assertionOrigin);
+  expect(verification.authenticationInfo?.rpID).toEqual('dev.dontneeda.pw');
 });
 
 test('should throw when response challenge is not expected value', async () => {
@@ -226,6 +227,7 @@ test('should support multiple possible origins', async () => {
 
   expect(verification.verified).toEqual(true);
   expect(verification.authenticationInfo?.origin).toEqual(assertionOrigin);
+  expect(verification.authenticationInfo?.rpID).toEqual('dev.dontneeda.pw');
 });
 
 test('should throw an error if origin not in list of expected origins', async () => {
@@ -375,6 +377,7 @@ test('should return credential backup info', async () => {
   expect(verification.authenticationInfo?.credentialDeviceType).toEqual('singleDevice');
   expect(verification.authenticationInfo?.credentialBackedUp).toEqual(false);
   expect(verification.authenticationInfo?.origin).toEqual(assertionOrigin);
+  expect(verification.authenticationInfo?.rpID).toEqual('dev.dontneeda.pw');
 });
 
 /**
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.ts b/packages/server/src/authentication/verifyAuthenticationResponse.ts
index bfc5bf5..c9f23ca 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.ts
@@ -154,7 +154,7 @@ export async function verifyAuthenticationResponse(
     expectedRPIDs = expectedRPID;
   }
 
-  await matchExpectedRPID(rpIdHash, expectedRPIDs);
+  const matchedRPID = await matchExpectedRPID(rpIdHash, expectedRPIDs);
 
   if (advancedFIDOConfig !== undefined) {
     const { userVerification: fidoUserVerification } = advancedFIDOConfig;
@@ -216,6 +216,7 @@ export async function verifyAuthenticationResponse(
       credentialBackedUp,
       authenticatorExtensionResults: extensionsData,
       origin: clientDataJSON.origin,
+      rpID: matchedRPID,
     },
   };
 
@@ -238,6 +239,7 @@ export async function verifyAuthenticationResponse(
  * backed up. Always `false` for single-device credentials. **Should be kept in a DB for later
  * reference!**
  * @param authenticationInfo.origin The origin of the website that the authentication occurred on
+ * @param authenticationInfo.rpID The RP ID that the authentication occurred on
  * @param authenticationInfo?.authenticatorExtensionResults The authenticator extensions returned
  * by the browser
  */
@@ -250,6 +252,7 @@ export type VerifiedAuthenticationResponse = {
     credentialDeviceType: CredentialDeviceType;
     credentialBackedUp: boolean;
     origin: string;
+    rpID: string;
     authenticatorExtensionResults?: AuthenticationExtensionsAuthenticatorOutputs;
   };
 };
diff --git a/packages/server/src/helpers/matchExpectedRPID.ts b/packages/server/src/helpers/matchExpectedRPID.ts
index be49fc2..c08c223 100644
--- a/packages/server/src/helpers/matchExpectedRPID.ts
+++ b/packages/server/src/helpers/matchExpectedRPID.ts
@@ -2,19 +2,22 @@ import { toHash } from './toHash';
 import { isoUint8Array } from './iso';
 
 /**
- * Go through each expected RP ID and try to find one that matches. Raises an Error if no
+ * Go through each expected RP ID and try to find one that matches. Returns the unhashed RP ID
+ * that matched the hash in the response.
+ *
+ * Raises an `UnexpectedRPIDHash` error if no match is found
  */
 export async function matchExpectedRPID(
   rpIDHash: Uint8Array,
   expectedRPIDs: string[],
-): Promise<void> {
+): Promise<string> {
   try {
-    await Promise.any(
+    const matchedRPID = await Promise.any<string>(
       expectedRPIDs.map(expected => {
         return new Promise((resolve, reject) => {
           toHash(isoUint8Array.fromASCIIString(expected)).then(expectedRPIDHash => {
             if (isoUint8Array.areEqual(rpIDHash, expectedRPIDHash)) {
-              resolve(true);
+              resolve(expected);
             } else {
               reject();
             }
@@ -22,6 +25,8 @@ export async function matchExpectedRPID(
         });
       }),
     );
+
+    return matchedRPID;
   } catch (err) {
     const _err = err as Error;
 
diff --git a/packages/server/src/registration/verifyRegistrationResponse.test.ts b/packages/server/src/registration/verifyRegistrationResponse.test.ts
index 2b973e5..e6acd2a 100644
--- a/packages/server/src/registration/verifyRegistrationResponse.test.ts
+++ b/packages/server/src/registration/verifyRegistrationResponse.test.ts
@@ -70,6 +70,7 @@ test('should verify FIDO U2F attestation', async () => {
     isoBase64URL.toBuffer(attestationFIDOU2F.response.attestationObject),
   );
   expect(verification.registrationInfo?.origin).toEqual('https://dev.dontneeda.pw');
+  expect(verification.registrationInfo?.rpID).toEqual('dev.dontneeda.pw');
 });
 
 test('should verify Packed (EC2) attestation', async () => {
@@ -177,6 +178,7 @@ test('should verify None attestation w/RSA public key', async () => {
     isoBase64URL.toBuffer('kGXv4RJWLeXRw8Yf3T22K3Gq_GGeDv9OKYmAHLm0Ylo'),
   );
   expect(verification.registrationInfo?.origin).toEqual('https://dev.dontneeda.pw');
+  expect(verification.registrationInfo?.rpID).toEqual('dev.dontneeda.pw');
 });
 
 test('should throw when response challenge is not expected value', async () => {
@@ -419,6 +421,7 @@ test('should validate TPM RSA response (SHA256)', async () => {
     isoBase64URL.toBuffer('lGkWHPe88VpnNYgVBxzon_MRR9-gmgODveQ16uM_bPM'),
   );
   expect(verification.registrationInfo?.origin).toEqual('https://dev.dontneeda.pw');
+  expect(verification.registrationInfo?.rpID).toEqual('dev.dontneeda.pw');
 });
 
 test('should validate TPM RSA response (SHA1)', async () => {
@@ -455,6 +458,7 @@ test('should validate TPM RSA response (SHA1)', async () => {
     isoBase64URL.toBuffer('oELnad0f6-g2BtzEn_78iLNoubarlq0xFtOtAMXnflU'),
   );
   expect(verification.registrationInfo?.origin).toEqual('https://dev.dontneeda.pw');
+  expect(verification.registrationInfo?.rpID).toEqual('dev.dontneeda.pw');
 });
 
 test('should validate Android-Key response', async () => {
@@ -491,6 +495,7 @@ test('should validate Android-Key response', async () => {
     isoBase64URL.toBuffer('PPa1spYTB680cQq5q6qBtFuPLLdG1FQ73EastkT8n0o'),
   );
   expect(verification.registrationInfo?.origin).toEqual('https://dev.dontneeda.pw');
+  expect(verification.registrationInfo?.rpID).toEqual('dev.dontneeda.pw');
 });
 
 test('should support multiple possible origins', async () => {
@@ -503,6 +508,20 @@ test('should support multiple possible origins', async () => {
 
   expect(verification.verified).toBe(true);
   expect(verification.registrationInfo?.origin).toEqual('https://dev.dontneeda.pw');
+  expect(verification.registrationInfo?.rpID).toEqual('dev.dontneeda.pw');
+});
+
+test('should not set RPID in registrationInfo when not expected', async () => {
+  const verification = await verifyRegistrationResponse({
+    response: attestationNone,
+    expectedChallenge: attestationNoneChallenge,
+    expectedOrigin: 'https://dev.dontneeda.pw',
+    expectedRPID: undefined,
+  });
+
+  expect(verification.verified).toBe(true);
+  expect(verification.registrationInfo?.origin).toEqual('https://dev.dontneeda.pw');
+  expect(verification.registrationInfo?.rpID).toBeUndefined();
 });
 
 test('should throw an error if origin not in list of expected origins', async () => {
diff --git a/packages/server/src/registration/verifyRegistrationResponse.ts b/packages/server/src/registration/verifyRegistrationResponse.ts
index 5a52f6a..d33cdea 100644
--- a/packages/server/src/registration/verifyRegistrationResponse.ts
+++ b/packages/server/src/registration/verifyRegistrationResponse.ts
@@ -141,6 +141,7 @@ export async function verifyRegistrationResponse(
     parsedAuthData;
 
   // Make sure the response's RP ID is ours
+  let matchedRPID: string | undefined;
   if (expectedRPID) {
     let expectedRPIDs: string[] = [];
     if (typeof expectedRPID === 'string') {
@@ -149,7 +150,7 @@ export async function verifyRegistrationResponse(
       expectedRPIDs = expectedRPID;
     }
 
-    await matchExpectedRPID(rpIdHash, expectedRPIDs);
+    matchedRPID = await matchExpectedRPID(rpIdHash, expectedRPIDs);
   }
 
   // Make sure someone was physically present
@@ -247,6 +248,7 @@ export async function verifyRegistrationResponse(
       credentialDeviceType,
       credentialBackedUp,
       origin: clientDataJSON.origin,
+      rpID: matchedRPID,
       authenticatorExtensionResults: extensionsData,
     };
   }
@@ -275,6 +277,8 @@ export async function verifyRegistrationResponse(
  * backed up. Always `false` for single-device credentials. **Should be kept in a DB for later
  * reference!**
  * @param registrationInfo.origin The origin of the website that the registration occurred on
+ * @param registrationInfo?.rpID The RP ID that the registration occurred on, if one or more were
+ * specified in the registration options
  * @param registrationInfo?.authenticatorExtensionResults The authenticator extensions returned
  * by the browser
  */
@@ -292,6 +296,7 @@ export type VerifiedRegistrationResponse = {
     credentialDeviceType: CredentialDeviceType;
     credentialBackedUp: boolean;
     origin: string;
+    rpID?: string;
     authenticatorExtensionResults?: AuthenticationExtensionsAuthenticatorOutputs;
   };
 };