Files
fizzy/test/lib/action_pack/passkey_test.rb
T
Stanko K.R. 017bcc9ce1 Polish up Passkey interface
- Fix indentation
- Split awkward initializer into separate methods
- Rename credentials to passkeys
- Simplify authenticator registry loading
- Flatten nested errors under ActionPack::WebAuthn
- Set passkey current params only requests that use it
- Inline anemic methods
- Replace custom validation with ActiveModel::Validation
- Rename identity to holder in Passkey
- Rename credentials to passkeys in JS
- Extract framework library out of controllers
- Pass params hashes down to ActionPack
- Attempt to simplify public interface
- Push data decoding down to the classes representing the data
- Introduce has_passkeys
- Add CBOR bigint support
- Rename ActionPack::WebAuthn::Passkey to ActionPack::Passkey
- Add create_passkey_button helper
- Rename public-key to creation-options
- Add sign_in_with_passkey_button helper
- Dispatch events for the whole Passkey lifecycle
- Add ED25519 support
- Prevent crash on missing meta tag
- Validate resident key options
- Don't clobber existing ActionPack config options
- Validate cryptographic params
- Move CurrentWebAuthnRequest into ActionPack::Passkey
- Use ActiveModel::Attributes for Options objects
- Implement expiring challanges
- Add lifecycle events
- Extract param helpers into Request
- Add passkey_creation_options and passkey_request_options helpers
- Add create_passkey_challenge to make it easier to override the create method if needed
- Prefix all view helpers with passkey_
- Auto-include ActionPack::Passkey::Holder
- Make the passkey challange url configurable
- Add a reminder about Passkeys to the magic link email
2026-03-18 11:51:10 +01:00

93 lines
3.1 KiB
Ruby

require "test_helper"
class ActionPack::PasskeyTest < ActiveSupport::TestCase
setup do
@identity = identities(:kevin)
@private_key = OpenSSL::PKey::EC.generate("prime256v1")
ActionPack::WebAuthn::Current.host = "www.example.com"
ActionPack::WebAuthn::Current.origin = "http://www.example.com"
@passkey = @identity.passkeys.create!(
credential_id: Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false),
public_key: @private_key.public_to_der,
sign_count: 0,
transports: [ "internal" ]
)
end
test "authenticate with valid assertion" do
challenge = ActionPack::Passkey.request_options(credentials: [ @passkey ]).challenge
assertion = build_assertion(challenge: challenge)
result = @passkey.authenticate(assertion, challenge: challenge)
assert_equal @passkey, result
end
test "authenticate returns nil with invalid signature" do
challenge = ActionPack::Passkey.request_options(credentials: [ @passkey ]).challenge
assertion = build_assertion(challenge: challenge)
assertion[:signature] = Base64.urlsafe_encode64("invalid", padding: false)
assert_nil @passkey.authenticate(assertion, challenge: challenge)
end
test "authenticate updates sign count and backed_up" do
challenge = ActionPack::Passkey.request_options(credentials: [ @passkey ]).challenge
assertion = build_assertion(challenge: challenge, sign_count: 5, backed_up: true)
@passkey.authenticate(assertion, challenge: challenge)
assert_equal 5, @passkey.reload.sign_count
assert @passkey.backed_up?
end
test "to_public_key_credential" do
credential = @passkey.to_public_key_credential
assert_equal @passkey.credential_id, credential.id
assert_equal @passkey.sign_count, credential.sign_count
assert_equal @passkey.transports, credential.transports
end
private
def build_assertion(challenge:, sign_count: 1, backed_up: false)
origin = ActionPack::WebAuthn::Current.origin
client_data_json = {
challenge: challenge,
origin: origin,
type: "webauthn.get"
}.to_json
authenticator_data = build_authenticator_data(sign_count: sign_count, backed_up: backed_up)
signature = sign(authenticator_data, client_data_json)
{
id: @passkey.credential_id,
client_data_json: client_data_json,
authenticator_data: Base64.urlsafe_encode64(authenticator_data, padding: false),
signature: Base64.urlsafe_encode64(signature, padding: false)
}
end
def build_authenticator_data(sign_count:, backed_up: false)
rp_id_hash = Digest::SHA256.digest(ActionPack::WebAuthn::Current.host)
flags = 0x01 | 0x04 # user present + user verified
flags |= 0x08 | 0x10 if backed_up # backup eligible + backup state
bytes = []
bytes.concat(rp_id_hash.bytes)
bytes << flags
bytes.concat([ sign_count ].pack("N").bytes)
bytes.pack("C*")
end
def sign(authenticator_data, client_data_json)
client_data_hash = Digest::SHA256.digest(client_data_json)
signed_data = authenticator_data + client_data_hash
@private_key.sign("SHA256", signed_data)
end
end