6 files changed, 26 insertions, 3 deletions
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts index 547d953..79655b8 100644 --- a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts +++ b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts @@ -29,6 +29,7 @@ test('should verify an assertion response', async () => { expectedOrigin: assertionOrigin, expectedRPID: 'dev.dontneeda.pw', authenticator: authenticator, + requireUserVerification: false, }); expect(verification.verified).toEqual(true); @@ -41,6 +42,7 @@ test('should return authenticator info after verification', async () => { expectedOrigin: assertionOrigin, expectedRPID: 'dev.dontneeda.pw', authenticator: authenticator, + requireUserVerification: false, }); expect(verification.authenticationInfo.newCounter).toEqual(144); @@ -122,6 +124,7 @@ test('should throw error if previous counter value is not less than in response' expectedOrigin: assertionOrigin, expectedRPID: 'dev.dontneeda.pw', authenticator: badDevice, + requireUserVerification: false, }), ).rejects.toThrow(/counter value/i); }); @@ -150,6 +153,7 @@ test('should not compare counters if both are 0', async () => { expectedOrigin: assertionFirstTimeUsedOrigin, expectedRPID: 'dev.dontneeda.pw', authenticator: authenticatorFirstTimeUsed, + requireUserVerification: false, }); expect(verification.verified).toEqual(true); @@ -220,6 +224,7 @@ test('should support multiple possible origins', async () => { expectedOrigin: ['https://simplewebauthn.dev', assertionOrigin], expectedRPID: 'dev.dontneeda.pw', authenticator: authenticator, + requireUserVerification: false, }); expect(verification.verified).toEqual(true); 
@@ -244,6 +249,7 @@ test('should support multiple possible RP IDs', async () => { expectedOrigin: assertionOrigin, expectedRPID: ['dev.dontneeda.pw', 'simplewebauthn.dev'], authenticator: authenticator, + requireUserVerification: false, }); expect(verification.verified).toEqual(true); @@ -367,6 +373,7 @@ test('should return credential backup info', async () => { expectedOrigin: assertionOrigin, expectedRPID: 'dev.dontneeda.pw', authenticator: authenticator, + requireUserVerification: false, }); expect(verification.authenticationInfo?.credentialDeviceType).toEqual('singleDevice'); @@ -443,6 +450,7 @@ test('should return user verified flag after successful auth', async () => { expectedOrigin: assertionOrigin, expectedRPID: 'dev.dontneeda.pw', authenticator: authenticator, + requireUserVerification: false, }); expect(verification.authenticationInfo?.userVerified).toBeDefined(); diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.ts b/packages/server/src/authentication/verifyAuthenticationResponse.ts index c99013e..1506d8d 100644 --- a/packages/server/src/authentication/verifyAuthenticationResponse.ts +++ b/packages/server/src/authentication/verifyAuthenticationResponse.ts @@ -54,7 +54,7 @@ export async function verifyAuthenticationResponse( expectedOrigin, expectedRPID, authenticator, - requireUserVerification, + requireUserVerification = true, advancedFIDOConfig, } = options; const { id, rawId, type: credentialType, response } = credential; diff --git a/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.test.ts b/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.test.ts index 0625b9e..228869d 100644 --- a/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.test.ts +++ b/packages/server/src/registration/verifications/tpm/verifyAttestationTPM.test.ts 
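Review bot: The destructuring default `requireUserVerification = true` silently flips the failure mode for every caller that omits the option — an assertion whose authenticator-data UV flag is clear is now rejected where it was previously accepted, and nothing in the hunk documents that. The test hunks above had to add `requireUserVerification: false` to every existing fixture, including the multi-origin, multi-RP-ID and counter cases, which suggests those fixtures come from authenticators that never set UV; RPs with registered U2F/second-factor credentials will hit the same rejection on upgrade unless they opt out. I would spell out the new default on the option's TSDoc (outside this hunk): `Whether the authenticator must have performed user verification. Defaults to true; pass false explicitly for U2F/second-factor flows, and keep it consistent with the userVerification value sent in generateAuthenticationOptions.` The body of verifyAuthenticationResponse, including the check that consumes this flag, continues outside the hunk.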
@@ -21,6 +21,7 @@ test('should verify TPM response', async () => { expectedChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }); expect(verification.verified).toEqual(true); @@ -52,6 +53,7 @@ test('should verify SHA1 TPM response', async () => { expectedChallenge, expectedOrigin: 'https://localhost:44329', expectedRPID: 'localhost', + requireUserVerification: false, }); expect(verification.verified).toEqual(true); @@ -83,6 +85,7 @@ test('should verify SHA256 TPM response', async () => { expectedChallenge, expectedOrigin: 'https://localhost:44329', expectedRPID: 'localhost', + requireUserVerification: false, }); expect(verification.verified).toEqual(true); diff --git a/packages/server/src/registration/verifications/verifyAttestationAndroidKey.test.ts b/packages/server/src/registration/verifications/verifyAttestationAndroidKey.test.ts index dd0a488..20d19f4 100644 --- a/packages/server/src/registration/verifications/verifyAttestationAndroidKey.test.ts +++ b/packages/server/src/registration/verifications/verifyAttestationAndroidKey.test.ts @@ -29,6 +29,7 @@ test('should verify Android KeyStore response', async () => { expectedChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }); expect(verification.verified).toEqual(true); diff --git a/packages/server/src/registration/verifyRegistrationResponse.test.ts b/packages/server/src/registration/verifyRegistrationResponse.test.ts index df4b1dd..aa0011e 100644 --- a/packages/server/src/registration/verifyRegistrationResponse.test.ts +++ b/packages/server/src/registration/verifyRegistrationResponse.test.ts @@ -47,6 +47,7 @@ test('should verify FIDO U2F attestation', async () => { expectedChallenge: attestationFIDOU2FChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }); expect(verification.verified).toEqual(true); 
@@ -89,7 +90,7 @@ test('should verify Packed (EC2) attestation', async () => { expect(verification.registrationInfo?.credentialID).toEqual( isoBase64URL.toBuffer( 'AYThY1csINY4JrbHyGmqTl1nL_F1zjAF3hSAIngz8kAcjugmAMNVvxZRwqpEH-bNHHAIv291OX5ko9eDf_5mu3U' + - 'B2BvsScr2K-ppM4owOpGsqwg5tZglqqmxIm1Q', + 'B2BvsScr2K-ppM4owOpGsqwg5tZglqqmxIm1Q', ), ); }); @@ -100,6 +101,7 @@ test('should verify Packed (X5C) attestation', async () => { expectedChallenge: attestationPackedX5CChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }); expect(verification.verified).toEqual(true); @@ -290,6 +292,7 @@ test('should throw if the authenticator does not give back credential ID', async expectedChallenge: attestationNoneChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }), ).rejects.toThrow(/credential id/i); }); @@ -310,6 +313,7 @@ test('should throw if the authenticator does not give back credential public key expectedChallenge: attestationNoneChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }), ).rejects.toThrow(/public key/i); }); @@ -351,6 +355,7 @@ test('should not include authenticator info if not verified', async () => { expectedChallenge: attestationFIDOU2FChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }); expect(verification.verified).toBe(false); @@ -396,6 +401,7 @@ test('should validate TPM RSA response (SHA256)', async () => { expectedChallenge: expectedChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }); expect(verification.verified).toEqual(true); 
@@ -430,6 +436,7 @@ test('should validate TPM RSA response (SHA1)', async () => { expectedChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }); expect(verification.verified).toEqual(true); @@ -464,6 +471,7 @@ test('should validate Android-Key response', async () => { expectedChallenge, expectedOrigin: 'https://dev.dontneeda.pw', expectedRPID: 'dev.dontneeda.pw', + requireUserVerification: false, }); expect(verification.verified).toEqual(true); @@ -632,6 +640,7 @@ test('should verify FIDO U2F attestation that specifies SHA-1 in its leaf cert p expectedChallenge: 'wJ6mrZnkb69GD5d9_fUz9-NgRHE0z10quXUBSa9xK5o', expectedOrigin: 'http://localhost:8000', expectedRPID: 'localhost', + requireUserVerification: false, }); }); @@ -653,6 +662,7 @@ test('should verify Packed attestation with RSA-PSS SHA-256 public key', async ( expectedChallenge: '40v_izMpzX-LONIGzGq0YbxDwMKMfd_XxQzpe6Wv64Y', expectedOrigin: 'http://localhost:8000', expectedRPID: 'localhost', + requireUserVerification: false, }); }); @@ -674,6 +684,7 @@ test('should verify Packed attestation with RSA-PSS SHA-384 public key', async ( expectedChallenge: 'p-jaXHfYJdld6y5nrIsa6rnZf6rgSC-Fo1q7ASMU7k8', expectedOrigin: 'http://localhost:8000', expectedRPID: 'localhost', + requireUserVerification: false, }); }); diff --git a/packages/server/src/registration/verifyRegistrationResponse.ts b/packages/server/src/registration/verifyRegistrationResponse.ts index 0c1351f..37debfa 100644 --- a/packages/server/src/registration/verifyRegistrationResponse.ts +++ b/packages/server/src/registration/verifyRegistrationResponse.ts @@ -61,7 +61,7 @@ export async function verifyRegistrationResponse( expectedChallenge, expectedOrigin, expectedRPID, - requireUserVerification = false, + requireUserVerification = true, supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers, } = options; const { id, rawId, type: credentialType, response } = credential; |
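Review bot: Changing the default from `false` to `true` is the right deny-by-default direction, but after this commit no visible test exercises the new default — every registration test in the diff now passes `requireUserVerification: false` explicitly, so a regression that drops the UV check would go unnoticed. Add one test that omits the option and asserts that a response whose authenticator data lacks the UV flag is rejected, e.g. `await expect(verifyRegistrationResponse({ credential, expectedChallenge, expectedOrigin, expectedRPID })).rejects.toThrow();` using one of the existing fixtures that had to opt out above (the exact error message is thrown outside this hunk). The FIDO U2F fixtures needing `requireUserVerification: false` is consistent with U2F authenticators never setting UV, so the option's TSDoc and the changelog should state that RPs accepting security keys as a second factor must now pass `false` and should mirror the `authenticatorSelection.userVerification` value they send in `generateRegistrationOptions`. The rest of verifyRegistrationResponse, including where this flag is checked, is outside the hunk.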