fbe9252db1
- Use plain client data json everywhere - Expose AAGUID and backed_up on Credentials - Make attestation verifiers configurable - Auto-suggest names for passkeys and show icons
145 lines
4.2 KiB
Ruby
145 lines
4.2 KiB
Ruby
require "test_helper"
|
|
|
|
class Sessions::PasskeysControllerTest < ActionDispatch::IntegrationTest
|
|
setup do
|
|
@identity = identities(:kevin)
|
|
@private_key = OpenSSL::PKey::EC.generate("prime256v1")
|
|
|
|
@credential = @identity.credentials.create!(
|
|
name: "Test Passkey",
|
|
credential_id: Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false),
|
|
public_key: @private_key.public_to_der,
|
|
sign_count: 0,
|
|
transports: [ "internal" ]
|
|
)
|
|
end
|
|
|
|
test "successful authentication" do
|
|
untenanted do
|
|
get new_session_url
|
|
challenge = session[:webauthn_challenge]
|
|
|
|
post session_passkey_url, params: assertion_params(challenge: challenge)
|
|
|
|
assert_response :redirect
|
|
assert cookies[:session_token].present?
|
|
assert_redirected_to landing_path
|
|
end
|
|
end
|
|
|
|
test "updates sign count" do
|
|
untenanted do
|
|
get new_session_url
|
|
challenge = session[:webauthn_challenge]
|
|
|
|
post session_passkey_url, params: assertion_params(challenge: challenge, sign_count: 1)
|
|
|
|
assert_equal 1, @credential.reload.sign_count
|
|
end
|
|
end
|
|
|
|
test "rejects invalid signature" do
|
|
untenanted do
|
|
get new_session_url
|
|
challenge = session[:webauthn_challenge]
|
|
|
|
params = assertion_params(challenge: challenge)
|
|
params[:passkey][:signature] = Base64.urlsafe_encode64("invalid", padding: false)
|
|
|
|
post session_passkey_url, params: params
|
|
|
|
assert_redirected_to new_session_path
|
|
assert_not cookies[:session_token].present?
|
|
assert_equal "That passkey didn't work. Try again.", flash[:alert]
|
|
end
|
|
end
|
|
|
|
test "rejects unknown credential" do
|
|
untenanted do
|
|
get new_session_url
|
|
|
|
post session_passkey_url, params: {
|
|
passkey: {
|
|
id: "nonexistent",
|
|
client_data_json: Base64.urlsafe_encode64("{}", padding: false),
|
|
authenticator_data: Base64.urlsafe_encode64("x", padding: false),
|
|
signature: Base64.urlsafe_encode64("x", padding: false)
|
|
}
|
|
}
|
|
|
|
assert_redirected_to new_session_path
|
|
assert_not cookies[:session_token].present?
|
|
end
|
|
end
|
|
|
|
test "successful authentication via JSON" do
|
|
untenanted do
|
|
get new_session_url
|
|
challenge = session[:webauthn_challenge]
|
|
|
|
post session_passkey_url(format: :json), params: assertion_params(challenge: challenge)
|
|
|
|
assert_response :success
|
|
assert @response.parsed_body["session_token"].present?
|
|
end
|
|
end
|
|
|
|
test "failed authentication via JSON" do
|
|
untenanted do
|
|
get new_session_url
|
|
|
|
post session_passkey_url(format: :json), params: {
|
|
passkey: {
|
|
id: "nonexistent",
|
|
client_data_json: Base64.urlsafe_encode64("{}", padding: false),
|
|
authenticator_data: Base64.urlsafe_encode64("x", padding: false),
|
|
signature: Base64.urlsafe_encode64("x", padding: false)
|
|
}
|
|
}
|
|
|
|
assert_response :unauthorized
|
|
assert_equal "That passkey didn't work. Try again.", @response.parsed_body["message"]
|
|
end
|
|
end
|
|
|
|
private
|
|
def assertion_params(challenge:, sign_count: 1)
|
|
origin = "http://www.example.com"
|
|
|
|
client_data_json = {
|
|
challenge: challenge,
|
|
origin: origin,
|
|
type: "webauthn.get"
|
|
}.to_json
|
|
|
|
authenticator_data = build_authenticator_data(sign_count: sign_count)
|
|
signature = sign(authenticator_data, client_data_json)
|
|
|
|
{
|
|
passkey: {
|
|
id: @credential.credential_id,
|
|
client_data_json: client_data_json,
|
|
authenticator_data: Base64.urlsafe_encode64(authenticator_data, padding: false),
|
|
signature: Base64.urlsafe_encode64(signature, padding: false)
|
|
}
|
|
}
|
|
end
|
|
|
|
def build_authenticator_data(sign_count:)
|
|
rp_id_hash = Digest::SHA256.digest("www.example.com")
|
|
flags = 0x01 | 0x04 # user present + user verified
|
|
|
|
bytes = []
|
|
bytes.concat(rp_id_hash.bytes)
|
|
bytes << flags
|
|
bytes.concat([ sign_count ].pack("N").bytes)
|
|
bytes.pack("C*")
|
|
end
|
|
|
|
def sign(authenticator_data, client_data_json)
|
|
client_data_hash = Digest::SHA256.digest(client_data_json)
|
|
signed_data = authenticator_data + client_data_hash
|
|
@private_key.sign("SHA256", signed_data)
|
|
end
|
|
end
|