From d088c064064c4612d7c8549354c8b47a7ba9abe5 Mon Sep 17 00:00:00 2001
From: Matthew Miller
Date: Tue, 28 Feb 2023 22:00:44 -0800
Subject: Prepare to expand WebAuthnError
---
 packages/browser/src/helpers/identifyAuthenticationError.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'packages/browser/src/helpers/identifyAuthenticationError.ts')
diff --git a/packages/browser/src/helpers/identifyAuthenticationError.ts b/packages/browser/src/helpers/identifyAuthenticationError.ts
index 600a2d6..4c0cfe2 100644
--- a/packages/browser/src/helpers/identifyAuthenticationError.ts
+++ b/packages/browser/src/helpers/identifyAuthenticationError.ts
@@ -1,5 +1,5 @@
 import { isValidDomain } from './isValidDomain';
-import { WebAuthnError } from './structs';
+import { WebAuthnError } from './webAuthnError';
 
 /**
 * Attempt to intuit _why_ an error was raised after calling `navigator.credentials.get()`
-- cgit v1.2.3
From 04d49d9cc03cb6342d5073c20d0e139baba3541c Mon Sep 17 00:00:00 2001
From: Matthew Miller
Date: Tue, 28 Feb 2023 22:02:01 -0800
Subject: Pass in original errors as `cause`
---
 .../src/helpers/identifyAuthenticationError.ts | 8 ++++----
 .../browser/src/helpers/identifyRegistrationError.ts | 20 ++++++++++----------
 2 files changed, 14 insertions(+), 14 deletions(-)
(limited to 'packages/browser/src/helpers/identifyAuthenticationError.ts')
diff --git a/packages/browser/src/helpers/identifyAuthenticationError.ts b/packages/browser/src/helpers/identifyAuthenticationError.ts
index 4c0cfe2..d5ba5fa 100644
--- a/packages/browser/src/helpers/identifyAuthenticationError.ts
+++ b/packages/browser/src/helpers/identifyAuthenticationError.ts
@@ -20,7 +20,7 @@ export function identifyAuthenticationError({
 if (error.name === 'AbortError') {
 if (options.signal === new AbortController().signal) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
- return new WebAuthnError('Authentication ceremony was sent an abort signal', 'AbortError');
+ return new WebAuthnError('Authentication ceremony was sent an abort signal', error);
 }
 } else if (error.name === 'NotAllowedError') {
 /**
@@ -31,12 +31,12 @@ export function identifyAuthenticationError({
 const effectiveDomain = window.location.hostname;
 if (!isValidDomain(effectiveDomain)) {
 // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 5)
- return new WebAuthnError(`${window.location.hostname} is an invalid domain`, 'SecurityError');
+ return new WebAuthnError(`${window.location.hostname} is an invalid domain`, error);
 } else if (publicKey.rpId !== effectiveDomain) {
 // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 6)
 return new WebAuthnError(
 `The RP ID "${publicKey.rpId}" is invalid for this domain`,
- 'SecurityError',
+ error,
 );
 }
 } else if (error.name === 'UnknownError') {
@@ -44,7 +44,7 @@ export function identifyAuthenticationError({
 // https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 12)
 return new WebAuthnError(
 'The authenticator was unable to process the specified options, or could not create a new assertion signature',
- 'UnknownError',
+ error,
 );
 }
 
diff --git a/packages/browser/src/helpers/identifyRegistrationError.ts b/packages/browser/src/helpers/identifyRegistrationError.ts
index 6134227..57bfe51 100644
--- a/packages/browser/src/helpers/identifyRegistrationError.ts
+++ b/packages/browser/src/helpers/identifyRegistrationError.ts
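Review bot: The guard `options.signal === new AbortController().signal` around the changed return in the first hunk compares against the signal of a controller created on the spot, so the two objects can never be identical and the `WebAuthnError` inside it is unreachable. An aborted ceremony therefore skips this branch and, judging by the `return error;` visible in the later commit, hands back the raw error. If the intent is "the caller supplied a signal", `if (options.signal instanceof AbortSignal) {` expresses that. The condition is a context line and the function starts and ends outside the hunk; the same guard wraps the changed return in identifyRegistrationError.ts and in both files' `@@ -20` hunks of the following commit.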
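Review bot: In the `SecurityError` branch of the second hunk, `publicKey.rpId !== effectiveDomain` blames the RP ID whenever it is not the exact hostname, although WebAuthn also accepts an RP ID that is a registrable domain suffix of the effective domain, and `rpId` is optional. On a page served from a subdomain, a `SecurityError` with a different cause would be reported as `The RP ID "…" is invalid for this domain` (or with `"undefined"` in the message), which points whoever is debugging at the wrong setting. Consider a comment such as `// Best guess: rpId may legitimately be a registrable suffix of the hostname, or unset`, and skipping the branch when `rpId` is undefined. The same comparison, against `publicKey.rp.id`, appears in the `@@ -54,38` hunk of identifyRegistrationError.ts and in the next commit; the enclosing function extends beyond this hunk.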
@@ -20,26 +20,26 @@ export function identifyRegistrationError({
 if (error.name === 'AbortError') {
 if (options.signal === new AbortController().signal) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
- return new WebAuthnError('Registration ceremony was sent an abort signal', 'AbortError');
+ return new WebAuthnError('Registration ceremony was sent an abort signal', error);
 }
 } else if (error.name === 'ConstraintError') {
 if (publicKey.authenticatorSelection?.requireResidentKey === true) {
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 4)
 return new WebAuthnError(
 'Discoverable credentials were required but no available authenticator supported it',
- 'ConstraintError',
+ error,
 );
 } else if (publicKey.authenticatorSelection?.userVerification === 'required') {
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 5)
 return new WebAuthnError(
 'User verification was required but no available authenticator supported it',
- 'ConstraintError',
+ error,
 );
 }
 } else if (error.name === 'InvalidStateError') {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 20)
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 3)
- return new WebAuthnError('The authenticator was previously registered', 'InvalidStateError');
+ return new WebAuthnError('The authenticator was previously registered', error);
 } else if (error.name === 'NotAllowedError') {
 /**
 * Pass the error directly through. Platforms are overloading this error beyond what the spec
@@ -54,38 +54,38 @@ export function identifyRegistrationError({
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 10)
 return new WebAuthnError(
 'No entry in pubKeyCredParams was of type "public-key"',
- 'NotSupportedError',
+ error,
 );
 }
 
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 2)
 return new WebAuthnError(
 'No available authenticator supported any of the specified pubKeyCredParams algorithms',
- 'NotSupportedError',
+ error,
 );
 } else if (error.name === 'SecurityError') {
 const effectiveDomain = window.location.hostname;
 if (!isValidDomain(effectiveDomain)) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 7)
- return new WebAuthnError(`${window.location.hostname} is an invalid domain`, 'SecurityError');
+ return new WebAuthnError(`${window.location.hostname} is an invalid domain`, error);
 } else if (publicKey.rp.id !== effectiveDomain) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 8)
 return new WebAuthnError(
 `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
- 'SecurityError',
+ error,
 );
 }
 } else if (error.name === 'TypeError') {
 if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 5)
- return new WebAuthnError('User ID was not between 1 and 64 characters', 'TypeError');
+ return new WebAuthnError('User ID was not between 1 and 64 characters', error);
 }
 } else if (error.name === 'UnknownError') {
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 1)
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 8)
 return new WebAuthnError(
 'The authenticator was unable to process the specified options, or could not create a new credential',
- 'UnknownError',
+ error,
 );
 }
 
-- cgit v1.2.3
From edd8e54f6d1c52e0315cd25d82e943348a9bd622 Mon Sep 17 00:00:00 2001
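Review bot: The `TypeError` branch near the end of this hunk tests `publicKey.user.id.byteLength`, yet the message on the changed line reports `User ID was not between 1 and 64 characters`. The check is in bytes, so a user ID of fewer than 64 characters that encodes to more than 64 bytes is rejected with a message that makes it look valid. Suggest `'User ID was not between 1 and 64 bytes'`. The same text is carried into the object form in the next commit's `@@ -52,41` hunk, and the function body begins before this hunk.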
From: Matthew Miller
Date: Tue, 28 Feb 2023 22:30:56 -0800
Subject: Update error identification with error codes
---
 .../src/helpers/identifyAuthenticationError.ts | 35 ++++++---
 .../src/helpers/identifyRegistrationError.ts | 83 ++++++++++++++--------
 2 files changed, 80 insertions(+), 38 deletions(-)
(limited to 'packages/browser/src/helpers/identifyAuthenticationError.ts')
diff --git a/packages/browser/src/helpers/identifyAuthenticationError.ts b/packages/browser/src/helpers/identifyAuthenticationError.ts
index d5ba5fa..e617a7d 100644
--- a/packages/browser/src/helpers/identifyAuthenticationError.ts
+++ b/packages/browser/src/helpers/identifyAuthenticationError.ts
@@ -20,32 +20,47 @@ export function identifyAuthenticationError({
 if (error.name === 'AbortError') {
 if (options.signal === new AbortController().signal) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
- return new WebAuthnError('Authentication ceremony was sent an abort signal', error);
+ return new WebAuthnError({
+ message: 'Authentication ceremony was sent an abort signal',
+ code: 'ERROR_CEREMONY_ABORTED',
+ cause: error,
+ });
 }
 } else if (error.name === 'NotAllowedError') {
 /**
 * Pass the error directly through. Platforms are overloading this error beyond what the spec
 * defines and we don't want to overwrite potentially useful error messages.
 */
+ return new WebAuthnError({
+ message: error.message,
+ code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
+ cause: error,
+ });
 } else if (error.name === 'SecurityError') {
 const effectiveDomain = window.location.hostname;
 if (!isValidDomain(effectiveDomain)) {
 // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 5)
- return new WebAuthnError(`${window.location.hostname} is an invalid domain`, error);
+ return new WebAuthnError({
+ message: `${window.location.hostname} is an invalid domain`,
+ code: 'ERROR_INVALID_DOMAIN',
+ cause: error,
+ });
 } else if (publicKey.rpId !== effectiveDomain) {
 // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 6)
- return new WebAuthnError(
- `The RP ID "${publicKey.rpId}" is invalid for this domain`,
- error,
- );
+ return new WebAuthnError({
+ message: `The RP ID "${publicKey.rpId}" is invalid for this domain`,
+ code: 'ERROR_INVALID_RP_ID',
+ cause: error,
+ });
 }
 } else if (error.name === 'UnknownError') {
 // https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 1)
 // https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 12)
- return new WebAuthnError(
- 'The authenticator was unable to process the specified options, or could not create a new assertion signature',
- error,
- );
+ return new WebAuthnError({
+ message: 'The authenticator was unable to process the specified options, or could not create a new assertion signature',
+ code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
+ cause: error,
+ });
 }
 
 return error;
diff --git a/packages/browser/src/helpers/identifyRegistrationError.ts b/packages/browser/src/helpers/identifyRegistrationError.ts
index 57bfe51..4649fb9 100644
--- a/packages/browser/src/helpers/identifyRegistrationError.ts
+++ b/packages/browser/src/helpers/identifyRegistrationError.ts
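Review bot: The `return` added under `NotAllowedError` contradicts the comment directly above it, which still says the error is passed directly through: the caller now receives a new `WebAuthnError` that copies `message` and keeps the original only in `cause`. Callers that inspect the returned object's `name` for `NotAllowedError`, for instance to tell a user cancellation from a failure, may behave differently depending on how `WebAuthnError` sets `name`, which this page does not show. Reword the comment to something like `Wrap the error but keep the platform's message; the original is available as cause`, and confirm the constructor preserves `cause.name`. identifyRegistrationError.ts receives the same addition in its `@@ -20,31` hunk, and the function starts outside this hunk.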
@@ -20,31 +20,46 @@ export function identifyRegistrationError({
 if (error.name === 'AbortError') {
 if (options.signal === new AbortController().signal) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
- return new WebAuthnError('Registration ceremony was sent an abort signal', error);
+ return new WebAuthnError({
+ message: 'Registration ceremony was sent an abort signal',
+ code: 'ERROR_CEREMONY_ABORTED',
+ cause: error,
+ });
 }
 } else if (error.name === 'ConstraintError') {
 if (publicKey.authenticatorSelection?.requireResidentKey === true) {
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 4)
- return new WebAuthnError(
- 'Discoverable credentials were required but no available authenticator supported it',
- error,
- );
+ return new WebAuthnError({
+ message: 'Discoverable credentials were required but no available authenticator supported it',
+ code: 'ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT',
+ cause: error,
+ });
 } else if (publicKey.authenticatorSelection?.userVerification === 'required') {
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 5)
- return new WebAuthnError(
- 'User verification was required but no available authenticator supported it',
- error,
- );
+ return new WebAuthnError({
+ message: 'User verification was required but no available authenticator supported it',
+ code: 'ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT',
+ cause: error,
+ });
 }
 } else if (error.name === 'InvalidStateError') {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 20)
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 3)
- return new WebAuthnError('The authenticator was previously registered', error);
+ return new WebAuthnError({
+ message: 'The authenticator was previously registered',
+ code: 'ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED',
+ cause: error
+ });
 } else if (error.name === 'NotAllowedError') {
 /**
 * Pass the error directly through. Platforms are overloading this error beyond what the spec
 * defines and we don't want to overwrite potentially useful error messages.
 */
+ return new WebAuthnError({
+ message: error.message,
+ code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
+ cause: error,
+ });
 } else if (error.name === 'NotSupportedError') {
 const validPubKeyCredParams = publicKey.pubKeyCredParams.filter(
 param => param.type === 'public-key',
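Review bot: `cause: error` in the `InvalidStateError` object literal has no trailing comma, unlike the other literals added in this commit; the `ERROR_INVALID_DOMAIN` literal in the `@@ -52,41` hunk has the same slip. Writing `cause: error,` in both places keeps the file consistent and avoids an unrelated formatting diff later.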
@@ -52,41 +67,53 @@ export function identifyRegistrationError({
 
 if (validPubKeyCredParams.length === 0) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 10)
- return new WebAuthnError(
- 'No entry in pubKeyCredParams was of type "public-key"',
- error,
- );
+ return new WebAuthnError({
+ message: 'No entry in pubKeyCredParams was of type "public-key"',
+ code: 'ERROR_MALFORMED_PUBKEYCREDPARAMS',
+ cause: error,
+ });
 }
 
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 2)
- return new WebAuthnError(
- 'No available authenticator supported any of the specified pubKeyCredParams algorithms',
- error,
- );
+ return new WebAuthnError({
+ message: 'No available authenticator supported any of the specified pubKeyCredParams algorithms',
+ code: 'ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG',
+ cause: error,
+ });
 } else if (error.name === 'SecurityError') {
 const effectiveDomain = window.location.hostname;
 if (!isValidDomain(effectiveDomain)) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 7)
- return new WebAuthnError(`${window.location.hostname} is an invalid domain`, error);
+ return new WebAuthnError({
+ message: `${window.location.hostname} is an invalid domain`,
+ code: 'ERROR_INVALID_DOMAIN',
+ cause: error
+ });
 } else if (publicKey.rp.id !== effectiveDomain) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 8)
- return new WebAuthnError(
- `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
- error,
- );
+ return new WebAuthnError({
+ message: `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
+ code: 'ERROR_INVALID_RP_ID',
+ cause: error,
+ });
 }
 } else if (error.name === 'TypeError') {
 if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
 // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 5)
- return new WebAuthnError('User ID was not between 1 and 64 characters', error);
+ return new WebAuthnError({
+ message: 'User ID was not between 1 and 64 characters',
+ code: 'ERROR_INVALID_USER_ID_LENGTH',
+ cause: error,
+ });
 }
 } else if (error.name === 'UnknownError') {
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 1)
 // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 8)
- return new WebAuthnError(
- 'The authenticator was unable to process the specified options, or could not create a new credential',
- error,
- );
+ return new WebAuthnError({
+ message: 'The authenticator was unable to process the specified options, or could not create a new credential',
+ code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
+ cause: error,
+ });
 }
 
 return error;
-- cgit v1.2.3