From f26bb73d3d620b68b902bb5f6110cf025fcb4571 Mon Sep 17 00:00:00 2001
From: Matthew Miller
Date: Mon, 11 Apr 2022 22:51:18 -0700
Subject: Improve readability of flag parsing

---
 packages/server/src/helpers/parseAuthenticatorData.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'packages/server/src/helpers/parseAuthenticatorData.ts')

diff --git a/packages/server/src/helpers/parseAuthenticatorData.ts b/packages/server/src/helpers/parseAuthenticatorData.ts
index 911c9e0..a816d15 100644
--- a/packages/server/src/helpers/parseAuthenticatorData.ts
+++ b/packages/server/src/helpers/parseAuthenticatorData.ts
@@ -18,11 +18,13 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
   const flagsBuf = authData.slice(pointer, (pointer += 1));
   const flagsInt = flagsBuf[0];
 
+  // Bit positions can be referenced here:
+  // https://www.w3.org/TR/webauthn-2/#flags
   const flags = {
-    up: !!(flagsInt & 0x01),
-    uv: !!(flagsInt & 0x04),
-    at: !!(flagsInt & 0x40),
-    ed: !!(flagsInt & 0x80),
+    up: !!(flagsInt & 1 << 0), // User Presence
+    uv: !!(flagsInt & 1 << 2), // User Verified
+    at: !!(flagsInt & 1 << 6), // Attested Credential Data Present
+    ed: !!(flagsInt & 1 << 7), // Extension Data Present
     flagsInt,
   };
 
-- cgit v1.2.3

From 6021105753741a33d40a4fa3e8948e893d6501db Mon Sep 17 00:00:00 2001
From: Matthew Miller
Date: Mon, 11 Apr 2022 22:51:37 -0700
Subject: Parse bits 3 and 4 for backup info

---
 packages/server/src/helpers/parseAuthenticatorData.ts | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'packages/server/src/helpers/parseAuthenticatorData.ts')

diff --git a/packages/server/src/helpers/parseAuthenticatorData.ts b/packages/server/src/helpers/parseAuthenticatorData.ts
index a816d15..d4b0646 100644
--- a/packages/server/src/helpers/parseAuthenticatorData.ts
+++ b/packages/server/src/helpers/parseAuthenticatorData.ts
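Review bot: The new `flagsInt & 1 << N` expressions rely on `<<` binding tighter than `&`; that is correct in JavaScript, but since the stated goal of this hunk is readability, the intent is clearer with explicit grouping, e.g. `up: !!(flagsInt & (1 << 0)), // User Presence` and likewise for the other three lines. A second point is inherited by the new lines rather than introduced by them: `flagsInt` comes from `flagsBuf[0]` on the context line above, and when `authData` is too short to hold the flags byte, `flagsBuf` is empty, `flagsInt` is `undefined`, and every bit test silently evaluates to `false` instead of rejecting the truncated authenticator data. If no earlier length check exists in the part of the function outside this hunk, a guard such as `if (flagsInt === undefined) throw new Error('Authenticator data is too short to contain flags');` placed before the object literal would make the failure explicit. parseAuthenticatorData's body begins and ends outside this hunk, so I cannot see whether such a check is already present.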
@@ -23,6 +23,8 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
   const flags = {
     up: !!(flagsInt & 1 << 0), // User Presence
     uv: !!(flagsInt & 1 << 2), // User Verified
+    be: !!(flagsInt & 1 << 3), // Backup Eligible
+    bs: !!(flagsInt & 1 << 4), // Backup State
     at: !!(flagsInt & 1 << 6), // Attested Credential Data Present
     ed: !!(flagsInt & 1 << 7), // Extension Data Present
     flagsInt,
@@ -82,6 +84,8 @@ export type ParsedAuthenticatorData = {
   flags: {
     up: boolean;
     uv: boolean;
+    be: boolean;
+    bs: boolean;
     at: boolean;
     ed: boolean;
     flagsInt: number;
-- cgit v1.2.3

From ecbc0faeb9cab5f2b3e2efb6c52ae817ac3fd9af Mon Sep 17 00:00:00 2001
From: Matthew Miller
Date: Wed, 13 Apr 2022 09:21:40 -0700
Subject: Tweak wording to reflect related spec diff

---
 packages/server/src/authentication/verifyAuthenticationResponse.ts | 5 +++--
 packages/server/src/helpers/parseAuthenticatorData.ts | 2 +-
 packages/server/src/registration/verifyRegistrationResponse.ts | 5 +++--
 3 files changed, 7 insertions(+), 5 deletions(-)
(limited to 'packages/server/src/helpers/parseAuthenticatorData.ts')

diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.ts b/packages/server/src/authentication/verifyAuthenticationResponse.ts
index a816c90..264a2f2 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.ts
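Review bot: The new `be` and `bs` bits are decoded independently, but the WebAuthn flag definitions constrain the pair: Backup State may only be set when Backup Eligibility is set, and the "Always `false` for single-device credentials" wording elsewhere on this page relies on that relationship holding. Nothing in this hunk rejects or even records an authenticator that reports `bs` without `be`, so an inconsistent flags byte would flow into the verification results as if it were well-formed. A check right after the object literal, `if (flags.bs && !flags.be) throw new Error('Authenticator data has BS flag set without BE flag');`, would surface the malformed input at the parser boundary; if that is considered too strict for interoperability, a comment on the `bs` line noting the dependency on `be` would at least document the expectation. The matching type additions in the second hunk (`@@ -82,6 +84,8`) need no change. The surrounding function begins and ends outside this hunk.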
@@ -206,9 +206,10 @@ export default function verifyAuthenticationResponse(
  * reported it has been used. **Should be kept in a DB for later reference to help prevent replay
  * attacks!**
  * @param authenticationInfo.credentialDeviceType Whether this is a single-device or multi-device
- * credential
+ * credential. **Should be kept in a DB for later reference!**
  * @param authenticationInfo.credentialBackedUp Whether or not the multi-device credential has been
- * backed up. Always `false` for single-device credentials
+ * backed up. Always `false` for single-device credentials. **Should be kept in a DB for later
+ * reference!**
  */
 export type VerifiedAuthenticationResponse = {
   verified: boolean;
diff --git a/packages/server/src/helpers/parseAuthenticatorData.ts b/packages/server/src/helpers/parseAuthenticatorData.ts
index d4b0646..6bf5b9a 100644
--- a/packages/server/src/helpers/parseAuthenticatorData.ts
+++ b/packages/server/src/helpers/parseAuthenticatorData.ts
@@ -23,7 +23,7 @@ export default function parseAuthenticatorData(authData: Buffer): ParsedAuthenti
   const flags = {
     up: !!(flagsInt & 1 << 0), // User Presence
     uv: !!(flagsInt & 1 << 2), // User Verified
-    be: !!(flagsInt & 1 << 3), // Backup Eligible
+    be: !!(flagsInt & 1 << 3), // Backup Eligibility
     bs: !!(flagsInt & 1 << 4), // Backup State
     at: !!(flagsInt & 1 << 6), // Attested Credential Data Present
     ed: !!(flagsInt & 1 << 7), // Extension Data Present
diff --git a/packages/server/src/registration/verifyRegistrationResponse.ts b/packages/server/src/registration/verifyRegistrationResponse.ts
index 86a9730..3a20249 100644
--- a/packages/server/src/registration/verifyRegistrationResponse.ts
+++ b/packages/server/src/registration/verifyRegistrationResponse.ts
@@ -270,9 +270,10 @@ export default async function verifyRegistrationResponse(
  * @param registrationInfo.attestationObject The raw `response.attestationObject` Buffer returned by
  * the authenticator
  * @param registrationInfo.credentialDeviceType Whether this is a single-device or multi-device
- * credential
+ * credential. **Should be kept in a DB for later reference!**
  * @param registrationInfo.credentialBackedUp Whether or not the multi-device credential has been
- * backed up. Always `false` for single-device credentials
+ * backed up. Always `false` for single-device credentials. **Should be kept in a DB for later
+ * reference!**
  */
 export type VerifiedRegistrationResponse = {
   verified: boolean;
-- cgit v1.2.3