Clean up get credential

Blobonat · Blobonat · commit 102fc8197292 · 2020-09-05T19:07:48.000+02:00
diff --git a/src/webauthn_authenticator.ts b/src/webauthn_authenticator.ts
@@ -50,6 +50,7 @@ export class Authenticator {
         let isRecovery: [boolean, string] = [false, ""];
         let credentialOptions: PublicKeyCredentialSource[] = [];
         if (allowCredentialDescriptorList) {
+            // Simplified credential lookup
             for (let i = 0; i < allowCredentialDescriptorList.length; i++) {
                 const rawCredId = allowCredentialDescriptorList[i].id as ArrayBuffer;
                 const credId = byteArrayToBase64(new Uint8Array(rawCredId), true);
@@ -59,6 +60,7 @@ export class Authenticator {
                 }
             }
         } else {
+            // If no credentials were supplied, load all credentials associated to the RPID
             credentialOptions = credentialOptions.concat(await CredentialsMap.load(rpId));
         }
         if (credentialOptions.length == 0) {
@@ -75,6 +77,7 @@ export class Authenticator {
                 }
             }
             if (!isRecovery[0]) {
+                // No recovery and no associated credential found
                 throw new Error(`Container does not manage any related credentials`);
             }
         }
@@ -84,7 +87,6 @@ export class Authenticator {
             credSource = credentialOptions[0];
         }
 
-
         const userConsent = await userConsentCallback;
         if (!userConsent) {
             throw new Error(`no user consent`);
@@ -93,15 +95,13 @@ export class Authenticator {
         // Step 8
         let processedExtensions = undefined;
         if (extensions) {
-            log.debug(extensions);
             if (extensions.has(PSK_EXTENSION_IDENTIFIER)) {
                 log.debug('Get: PSK requested');
                 if (!isRecovery[0]) {
                     throw new Error('PSK extension requested, but no matching recovery key available');
                 }
                 const rawPskInput = base64ToByteArray(extensions.get(PSK_EXTENSION_IDENTIFIER), true);
                 const pskInput = await CBOR.decode(new Buffer(rawPskInput));
-                log.debug('Get: PSK input', pskInput);
                 const [newCredId, pskOutput] = await PSK.authenticatorGetCredentialExtensionOutput(isRecovery[1], pskInput.hash, rpId);
                 processedExtensions = new Map([[PSK_EXTENSION_IDENTIFIER, pskOutput]]);
                 credSource = await CredentialsMap.lookup(rpId, newCredId);
diff --git a/src/webauthn_client.ts b/src/webauthn_client.ts
@@ -113,11 +113,18 @@ export async function createPublicKeyCredential(origin: string, options: Credent
 }
 
 export async function getPublicKeyCredential(origin: string, options: CredentialRequestOptions, sameOriginWithAncestors: boolean, userConsentCallback: Promise<boolean>) {
+    // Step 1
+    if (!options.publicKey) {
+        throw new Error('options missing');
+    }
+
     // Step 2
     if (!sameOriginWithAncestors) {
         throw new Error(`sameOriginWithAncestors has to be true`);
     }
 
+    // No timeout
+
     // Step 7
     const rpID = options.publicKey.rpId || getDomainFromOrigin(origin);
 
@@ -136,6 +143,8 @@ export async function getPublicKeyCredential(origin: string, options: Credential
                 const authenticatorExtensionInput = new Uint8Array(CBOR.encodeCanonical({hash: customClientDataHash}));
                 authenticatorExtensions = new Map([[PSK_EXTENSION_IDENTIFIER, byteArrayToBase64(authenticatorExtensionInput, true)]]);
                 // clientExtensions = {[PSK_EXTENSION_IDENTIFIER]: {clientDataJSON: customClientDataJSON}}; // ToDo  Add to response
+            } else {
+                log.warn('PSK client extension processing failed. Wrong input.');
             }
         }
     }
@@ -147,21 +156,29 @@ export async function getPublicKeyCredential(origin: string, options: Credential
     const clientDataHashDigest = await window.crypto.subtle.digest('SHA-256', new TextEncoder().encode(JSON.stringify(clientDataJSON)));
     const clientDataHash = new Uint8Array(clientDataHashDigest);
 
-    // Step 18: Simplified, just for 1 authenticator
+    // Handle only 1 authenticator
+    // Step 18
+    if (options.publicKey.userVerification && (options.publicKey.userVerification === 'required')) {
+        throw new Error(`cKey does not support user verification`);
+    }
+
     const userVerification = options.publicKey.userVerification === "required";
     const userPresence = !userVerification;
+
+    const allowCredentialDescriptorList = options.publicKey.allowCredentials; // No filtering
+
     const assertionCreationData = await Authenticator.authenticatorGetAssertion(userConsentCallback,
         rpID,
         clientDataHash,
         userPresence,
         userVerification,
-        options.publicKey.allowCredentials,
+        allowCredentialDescriptorList,
         authenticatorExtensions);
 
     log.debug('Received assertion response');
 
     return {
-        getClientExtensionResults: () => ({}),
+        getClientExtensionResults: () => (clientExtensions), // ToDo Add client extension output
         id: assertionCreationData.credentialId,
         rawId: base64ToByteArray(assertionCreationData.credentialId, true),
         response: {

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ export class Authenticator {`
`50`	`50`	`let isRecovery: [boolean, string] = [false, ""];`
`51`	`51`	`let credentialOptions: PublicKeyCredentialSource[] = [];`
`52`	`52`	`if (allowCredentialDescriptorList) {`
	`53`	`+ // Simplified credential lookup`
`53`	`54`	`for (let i = 0; i < allowCredentialDescriptorList.length; i++) {`
`54`	`55`	`const rawCredId = allowCredentialDescriptorList[i].id as ArrayBuffer;`
`55`	`56`	`const credId = byteArrayToBase64(new Uint8Array(rawCredId), true);`
`@@ -59,6 +60,7 @@ export class Authenticator {`
`59`	`60`	`}`
`60`	`61`	`}`
`61`	`62`	`} else {`
	`63`	`+ // If no credentials were supplied, load all credentials associated to the RPID`
`62`	`64`	`credentialOptions = credentialOptions.concat(await CredentialsMap.load(rpId));`
`63`	`65`	`}`
`64`	`66`	`if (credentialOptions.length == 0) {`
`@@ -75,6 +77,7 @@ export class Authenticator {`
`75`	`77`	`}`
`76`	`78`	`}`
`77`	`79`	`if (!isRecovery[0]) {`
	`80`	`+ // No recovery and no associated credential found`
`78`	`81`	throw new Error(`Container does not manage any related credentials`);
`79`	`82`	`}`
`80`	`83`	`}`
`@@ -84,7 +87,6 @@ export class Authenticator {`
`84`	`87`	`credSource = credentialOptions[0];`
`85`	`88`	`}`
`86`	`89`
`87`		`-`
`88`	`90`	`const userConsent = await userConsentCallback;`
`89`	`91`	`if (!userConsent) {`
`90`	`92`	throw new Error(`no user consent`);
`@@ -93,15 +95,13 @@ export class Authenticator {`
`93`	`95`	`// Step 8`
`94`	`96`	`let processedExtensions = undefined;`
`95`	`97`	`if (extensions) {`
`96`		`- log.debug(extensions);`
`97`	`98`	`if (extensions.has(PSK_EXTENSION_IDENTIFIER)) {`
`98`	`99`	`log.debug('Get: PSK requested');`
`99`	`100`	`if (!isRecovery[0]) {`
`100`	`101`	`throw new Error('PSK extension requested, but no matching recovery key available');`
`101`	`102`	`}`
`102`	`103`	`const rawPskInput = base64ToByteArray(extensions.get(PSK_EXTENSION_IDENTIFIER), true);`
`103`	`104`	`const pskInput = await CBOR.decode(new Buffer(rawPskInput));`
`104`		`- log.debug('Get: PSK input', pskInput);`
`105`	`105`	`const [newCredId, pskOutput] = await PSK.authenticatorGetCredentialExtensionOutput(isRecovery[1], pskInput.hash, rpId);`
`106`	`106`	`processedExtensions = new Map([[PSK_EXTENSION_IDENTIFIER, pskOutput]]);`
`107`	`107`	`credSource = await CredentialsMap.lookup(rpId, newCredId);`