-rw-r--r--packages/server/src/authentication/verifyAuthenticationResponse.test.ts2
-rw-r--r--packages/server/src/authentication/verifyAuthenticationResponse.ts30
2 files changed, 12 insertions, 20 deletions
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
index b78a5c4..57d9613 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
@@ -175,7 +175,7 @@ test('should throw an error if user verification is required but user was not ve
expectedOrigin: assertionOrigin,
expectedRPID: 'dev.dontneeda.pw',
authenticator: authenticator,
- fidoUserVerification: 'required',
+ requireUserVerification: true,
});
}).toThrow(/user could not be verified/i);
});
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.ts b/packages/server/src/authentication/verifyAuthenticationResponse.ts
index c1ccc65..60ae807 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.ts
@@ -18,7 +18,7 @@ export type VerifyAuthenticationResponseOpts = {
expectedOrigin: string | string[];
expectedRPID: string | string[];
authenticator: AuthenticatorDevice;
- fidoUserVerification?: UserVerificationRequirement;
+ requireUserVerification?: boolean;
};
/**
@@ -32,9 +32,8 @@ export type VerifyAuthenticationResponseOpts = {
* @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
* @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
* @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
- * @param fidoUserVerification (Optional) The value specified for `userVerification` when calling
- * `generateAssertionOptions()`. Activates FIDO-specific user presence and verification checks.
- * Omitting this value defaults verification to a WebAuthn-specific user presence requirement.
+ * @param requireUserVerification (Optional) Enforce user verification by the authenticator
+ * (via PIN, fingerprint, etc...)
*/
export default function verifyAuthenticationResponse(
options: VerifyAuthenticationResponseOpts,
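Review bot: The new `@param requireUserVerification` text at lines 41–42 does not say what happens when the option is omitted: the check in the last hunk (`if (requireUserVerification && !flags.uv)`) is then skipped entirely, so an RP that generated its assertion options with `userVerification: 'required'` but forgets to pass `requireUserVerification: true` here gets a successful result with `flags.uv` never inspected. The old parameter name tied the option to the value given to `generateAssertionOptions()`; the plain boolean loses that cue, so the docstring should carry it. Suggest: `@param requireUserVerification (Optional) Enforce user verification by the authenticator (via PIN, fingerprint, etc...). Pass true whenever the assertion options were generated with userVerification: 'required'; when omitted or false, flags.uv is not checked and only user presence (flags.up) is enforced.` The function signature and body continue past this hunk.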
@@ -45,7 +44,7 @@ export default function verifyAuthenticationResponse(
expectedOrigin,
expectedRPID,
authenticator,
- fidoUserVerification,
+ requireUserVerification,
} = options;
const { id, rawId, type: credentialType, response } = credential;
@@ -154,21 +153,14 @@ export default function verifyAuthenticationResponse(
}
}
+ // WebAuthn only requires the user presence flag be true
+ if (!flags.up) {
+ throw new Error('User not present during authentication');
+ }
+
// Enforce user verification if required
- if (fidoUserVerification) {
- if (fidoUserVerification === 'required') {
- // Require `flags.uv` be true (implies `flags.up` is true)
- if (!flags.uv) {
- throw new Error('User verification required, but user could not be verified');
- }
- } else if (fidoUserVerification === 'preferred' || fidoUserVerification === 'discouraged') {
- // Ignore `flags.uv`
- }
- } else {
- // WebAuthn only requires the user presence flag be true
- if (!flags.up) {
- throw new Error('User not present during authentication');
- }
+ if (requireUserVerification && !flags.uv) {
+ throw new Error('User verification required, but user could not be verified');
}
const clientDataHash = toHash(base64url.toBuffer(response.clientDataJSON));