Diffstat (limited to 'packages/server/src/authentication')
-rw-r--r-- | packages/server/src/authentication/verifyAuthenticationResponse.test.ts | 34 | ||||
-rw-r--r-- | packages/server/src/authentication/verifyAuthenticationResponse.ts | 12 |
2 files changed, 45 insertions, 1 deletions
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
index 1273e89..86a4601 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
@@ -8,6 +8,7 @@ import {
 AuthenticatorDevice,
 AuthenticationCredentialJSON,
 } from '@simplewebauthn/typescript-types';
+import { anyExtendedKeyUsage } from '@peculiar/asn1-x509';
 
 let mockDecodeClientData: jest.SpyInstance;
 let mockParseAuthData: jest.SpyInstance;
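Review bot: The added `import { anyExtendedKeyUsage } from '@peculiar/asn1-x509';` is not referenced by anything else this commit adds to the test file, so on the evidence of the diff it is dead code and will fail `@typescript-eslint/no-unused-vars` if that rule is enabled. If no other part of the file uses it, remove the line rather than pulling an ASN.1/X.509 helper into a test that exercises CBOR extension output.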
@@ -308,6 +309,39 @@ test('should fail verification if custom challenge verifier returns false', () =
 }).toThrow(/custom challenge verifier returned false/i);
 });
 
+test('should return authenticator extension output', async () => {
+ const verification = verifyAuthenticationResponse({
+ credential: {
+ response: {
+ clientDataJSON: "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiaVpzVkN6dHJEVzdEMlVfR0hDSWxZS0x3VjJiQ3NCVFJxVlFVbkpYbjlUayIsIm9yaWdpbiI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOmd4N3NxX3B4aHhocklRZEx5ZkcwcHhLd2lKN2hPazJESlE0eHZLZDQzOFEiLCJhbmRyb2lkUGFja2FnZU5hbWUiOiJjb20uZmlkby5leGFtcGxlLmZpZG8yYXBpZXhhbXBsZSJ9",
+ authenticatorData:"DXX8xWP9p3nbLjQ-6kiYiHWLeFSdSTpP2-oc2WqjHMSFAAAAAKFvZGV2aWNlUHVibGljS2V5pWNkcGtYTaUBAgMmIAEhWCCZGqvtneQnGp7erYgG-dyW1tzNDEdiU6VRBInsg3m-WyJYIKCXPP3tu3nif-9O50gWc_szElBN3KVDTP0jQx1q0p7aY3NpZ1hHMEUCIElSbNKK72tOYhp9WTbStQSVL8CuIxOk8DV6r_-uqWR0AiEAnVE6yu-wsyx2Wq5v66jClGhe_2P_HL8R7PIQevT-uPhlbm9uY2VAZXNjb3BlQQBmYWFndWlkULk_2WHy5kYvsSKCACJH3ng=",
+ signature:"MEYCIQDlRuxY7cYre0sb3T6TovQdfYIUb72cRZYOQv_zS9wN_wIhAOvN-fwjtyIhWRceqJV4SX74-z6oALERbC7ohk8EdVPO",
+ userHandle:"b2FPajFxcmM4MWo3QkFFel9RN2lEakh5RVNlU2RLNDF0Sl92eHpQYWV5UQ=="
+ },
+ id:"E_Pko4wN1BXE23S0ftN3eQ",
+ rawId:"E_Pko4wN1BXE23S0ftN3eQ",
+ type:"public-key",
+ clientExtensionResults: {}
+ },
+ expectedOrigin: 'android:apk-key-hash:gx7sq_pxhxhrIQdLyfG0pxKwiJ7hOk2DJQ4xvKd438Q',
+ expectedRPID: 'try-webauthn.appspot.com',
+ expectedChallenge: 'iZsVCztrDW7D2U_GHCIlYKLwV2bCsBTRqVQUnJXn9Tk',
+ authenticator: {
+ credentialID: base64url.toBuffer(
+ 'AaIBxnYfL2pDWJmIii6CYgHBruhVvFGHheWamphVioG_TnEXxKA9MW4FWnJh21zsbmRpRJso9i2JmAtWOtXfVd4oXTgYVusXwhWWsA'
+ ),
+ credentialPublicKey: base64url.toBuffer(
+ 'pQECAyYgASFYILTrxTUQv3X4DRM6L_pk65FSMebenhCx3RMsTKoBm-AxIlggEf3qk5552QLNSh1T1oQs7_2C2qysDwN4r4fCp52Hsqs'
+ ),
+ counter: 0,
+ }
+ });
+
+ expect(verification.authenticationInfo?.extensions).toMatchObject({
+ 'devicePublicKey': expect.anything()
+ });
+});
+
 test('should return credential backup info', async () => {
 const verification = verifyAuthenticationResponse({
 credential: assertionResponse,
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.ts b/packages/server/src/authentication/verifyAuthenticationResponse.ts
index 264a2f2..1949449 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.ts
@@ -12,6 +12,7 @@ import verifySignature from '../helpers/verifySignature';
 import parseAuthenticatorData from '../helpers/parseAuthenticatorData';
 import isBase64URLString from '../helpers/isBase64URLString';
 import { parseBackupFlags } from '../helpers/parseBackupFlags';
+import decodeExtensionDataBuffer, { ExtensionsJSON } from '../helpers/decodeExtensions';
 
 export type VerifyAuthenticationResponseOpts = {
 credential: AuthenticationCredentialJSON;
@@ -134,7 +135,7 @@ export default function verifyAuthenticationResponse(
 const authDataBuffer = base64url.toBuffer(response.authenticatorData);
 const parsedAuthData = parseAuthenticatorData(authDataBuffer);
 
- const { rpIdHash, flags, counter } = parsedAuthData;
+ const { rpIdHash, flags, counter, extensionsDataBuffer } = parsedAuthData;
 
 // Make sure the response's RP ID is ours
 if (typeof expectedRPID === 'string') {
@@ -159,6 +160,13 @@ export default function verifyAuthenticationResponse(
 throw new Error('User not present during authentication');
 }
 
+ let extensions = {};
+
+ // Parse authenticator extensions if available
+ if (flags.ed && extensionsDataBuffer) {
+ extensions = decodeExtensionDataBuffer(extensionsDataBuffer)
+ }
+
 // Enforce user verification if required
 if (requireUserVerification && !flags.uv) {
 throw new Error('User verification required, but user could not be verified');
@@ -189,6 +197,7 @@ export default function verifyAuthenticationResponse(
 credentialID: authenticator.credentialID,
 credentialDeviceType,
 credentialBackedUp,
+ extensions
 },
 };
 
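Review bot: The new test asserts only `'devicePublicKey': expect.anything()`, so it passes as long as the key exists and would not catch a decoder that returns the wrong structure for the extension output. Decoding the fixture's `authenticatorData` suggests the devicePublicKey map carries dpk, sig, nonce, scope and aaguid entries; pinning those with `toMatchObject({ devicePublicKey: { dpk: expect.anything(), sig: expect.anything(), aaguid: expect.anything() } })` would make the assertion meaningful. The test is declared `async` but awaits nothing, and the fixture is inlined while the neighbouring test uses the shared `assertionResponse`; hoisting it to a named fixture such as `assertionResponseWithDPK` would keep the file consistent. It also never checks that the response actually verified (e.g. via the `verified` flag, if this return type exposes one), so a response that fails signature verification but still decodes extensions would pass.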
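Review bot: `extensions = decodeExtensionDataBuffer(extensionsDataBuffer)` decodes CBOR from the assertion before its signature is checked (verifySignature is imported at the top of this file and, from the hunk order, appears to run after this block), and the result is then returned in `authenticationInfo` next to verified fields such as `credentialBackedUp` with nothing marking it as unverified. For devicePublicKey in particular the extension output carries its own attestation material that nothing in this diff validates, so a caller reading `authenticationInfo.extensions.devicePublicKey` could treat an unattested key as trusted; either move the decode below the signature check or add `// NOTE: decoded as-is; the extension output itself (e.g. the devicePublicKey attestation) is NOT verified here` above the block. A malformed extension blob will also surface as whatever the decoder throws rather than as a verifyAuthenticationResponse error, so consider wrapping the call and rethrowing with context. Minor: `let extensions = {};` leaves the variable inferred as `{}` and the assignment lacks a semicolon; `let extensions: ExtensionsJSON = {};` matches the declared return type (assuming `ExtensionsJSON` admits an empty object). The enclosing function starts and ends outside the hunk.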
@@ -218,5 +227,6 @@ export type VerifiedAuthenticationResponse = { newCounter: number; credentialDeviceType: CredentialDeviceType; credentialBackedUp: boolean; + extensions: ExtensionsJSON; }; }; |