GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Spring Security
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19896 Commits
61 Branches
369 Tags
120 MiB
 
 
 
 
Tree: a4810b7e15
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a4810b7e15'
${ noResults }
spring-security/javascript/test/webauthn-core.test.js

709 lines
25 KiB
Raw Blame History

/*
* Copyright 2004-present the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
"use strict";
import "./bootstrap.js";
import { expect } from "chai";
import { assert, fake, match, stub } from "sinon";
import http from "../lib/http.js";
import webauthn from "../lib/webauthn-core.js";
import base64url from "../lib/base64url.js";
describe("webauthn-core", () => {
beforeEach(() => {
global.window = {
btoa: (str) => Buffer.from(str, "binary").toString("base64"),
atob: (b64) => Buffer.from(b64, "base64").toString("binary"),
};
});
afterEach(() => {
delete global.window;
});
describe("isConditionalMediationAvailable", () => {
afterEach(() => {
delete global.window.PublicKeyCredential;
});
it("is available", async () => {
global.window = {
PublicKeyCredential: {
isConditionalMediationAvailable: fake.resolves(true),
},
};
const result = await webauthn.isConditionalMediationAvailable();
expect(result).to.be.true;
});
describe("is not available", async () => {
it("PublicKeyCredential does not exist", async () => {
global.window = {};
const result = await webauthn.isConditionalMediationAvailable();
expect(result).to.be.false;
});
it("PublicKeyCredential.isConditionalMediationAvailable undefined", async () => {
global.window = {
PublicKeyCredential: {},
};
const result = await webauthn.isConditionalMediationAvailable();
expect(result).to.be.false;
});
it("PublicKeyCredential.isConditionalMediationAvailable false", async () => {
global.window = {
PublicKeyCredential: {
isConditionalMediationAvailable: fake.resolves(false),
},
};
const result = await webauthn.isConditionalMediationAvailable();
expect(result).to.be.false;
});
});
});
describe("authenticate", () => {
let httpPostStub;
const contextPath = "/some/path";
const credentialsGetOptions = {
challenge: "nRbOrtNKTfJ1JaxfUDKs8j3B-JFqyGQw8DO4u6eV3JA",
timeout: 300000,
rpId: "localhost",
allowCredentials: [
{
id: "nOsjw8eaaqSwVdTBBYE1FqfGdHs",
type: "public-key",
transports: [],
},
],
userVerification: "preferred",
extensions: {},
};
// This is kind of a self-fulfilling prophecy type of test: we produce array buffers by calling
// base64url.decode ; they will then be re-encoded to the same string in the production code.
// The ArrayBuffer API is not super friendly.
beforeEach(() => {
httpPostStub = stub(http, "post");
httpPostStub.withArgs(contextPath + "/webauthn/authenticate/options", match.any).resolves({
ok: true,
status: 200,
json: fake.resolves(credentialsGetOptions),
});
httpPostStub.withArgs(`${contextPath}/login/webauthn`, match.any, match.any).resolves({
ok: true,
status: 200,
json: fake.resolves({
authenticated: true,
redirectUrl: "/success",
}),
});
const validAuthenticatorResponse = {
id: "UgghgP5QKozwsSUK1twCj8mpgZs",
rawId: base64url.decode("UgghgP5QKozwsSUK1twCj8mpgZs"),
response: {
authenticatorData: base64url.decode("y9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNgdAAAAAA"),
clientDataJSON: base64url.decode(
"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiUTdlR0NkNUw2cG9fa01meWNIQnBWRlR5dmd3RklCV0QxZWg5OUktRFhnWSIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyJ9",
),
signature: base64url.decode(
"MEUCIGT9PAWfU3lMicOXFMpHGcl033dY-sNSJvehlXvvoivyAiEA_D_yOsChERlXX2rFcK6Qx5BaAbx5qdU2hgYDVN6W770",
),
userHandle: base64url.decode("tyRDnKxdj7uWOT5jrchXu54lo6nf3bWOUvMQnGOXk7g"),
},
getClientExtensionResults: () => ({}),
authenticatorAttachment: "platform",
type: "public-key",
};
global.navigator = {
credentials: {
get: fake.resolves(validAuthenticatorResponse),
},
};
});
afterEach(() => {
http.post.restore();
delete global.navigator;
});
it("succeeds", async () => {
const redirectUrl = await webauthn.authenticate({ "x-custom": "some-value" }, contextPath, false);
expect(redirectUrl).to.equal("/success");
assert.calledWith(
httpPostStub.lastCall,
`${contextPath}/login/webauthn`,
{ "x-custom": "some-value" },
{
id: "UgghgP5QKozwsSUK1twCj8mpgZs",
rawId: "UgghgP5QKozwsSUK1twCj8mpgZs",
credType: "public-key",
response: {
authenticatorData: "y9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNgdAAAAAA",
clientDataJSON:
"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiUTdlR0NkNUw2cG9fa01meWNIQnBWRlR5dmd3RklCV0QxZWg5OUktRFhnWSIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyJ9",
signature:
"MEUCIGT9PAWfU3lMicOXFMpHGcl033dY-sNSJvehlXvvoivyAiEA_D_yOsChERlXX2rFcK6Qx5BaAbx5qdU2hgYDVN6W770",
userHandle: "tyRDnKxdj7uWOT5jrchXu54lo6nf3bWOUvMQnGOXk7g",
},
clientExtensionResults: {},
authenticatorAttachment: "platform",
},
);
});
it("calls the authenticator with the correct options", async () => {
await webauthn.authenticate({}, contextPath, false);
assert.calledOnceWithMatch(global.navigator.credentials.get, {
publicKey: {
challenge: base64url.decode("nRbOrtNKTfJ1JaxfUDKs8j3B-JFqyGQw8DO4u6eV3JA"),
timeout: 300000,
rpId: "localhost",
allowCredentials: [
{
id: base64url.decode("nOsjw8eaaqSwVdTBBYE1FqfGdHs"),
type: "public-key",
transports: [],
},
],
userVerification: "preferred",
extensions: {},
},
signal: match.any,
});
});
describe("authentication failures", () => {
it("when authentication options call", async () => {
httpPostStub
.withArgs(`${contextPath}/webauthn/authenticate/options`, match.any)
.rejects(new Error("Connection refused"));
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Authentication failed. Could not fetch authentication options: Connection refused",
);
return;
}
expect.fail("authenticate should throw");
});
it("when authentication options call returns does not return HTTP 200 OK", async () => {
httpPostStub.withArgs(`${contextPath}/webauthn/authenticate/options`, match.any).resolves({
ok: false,
status: 400,
});
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal("Authentication failed. Could not fetch authentication options: HTTP 400");
return;
}
expect.fail("authenticate should throw");
});
it("when authentication options are not valid json", async () => {
httpPostStub.withArgs(`${contextPath}/webauthn/authenticate/options`, match.any).resolves({
ok: true,
status: 200,
json: fake.rejects(new Error("Not valid JSON")),
});
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal("Authentication failed. Could not fetch authentication options: Not valid JSON");
return;
}
expect.fail("authenticate should throw");
});
it("when navigator.credentials.get fails", async () => {
global.navigator.credentials.get = fake.rejects(new Error("Operation was aborted"));
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Authentication failed. Call to navigator.credentials.get failed: Operation was aborted",
);
return;
}
expect.fail("authenticate should throw");
});
it("when authentication call fails", async () => {
httpPostStub
.withArgs(`${contextPath}/login/webauthn`, match.any, match.any)
.rejects(new Error("Connection refused"));
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Authentication failed. Could not process the authentication request: Connection refused",
);
return;
}
expect.fail("authenticate should throw");
});
it("when authentication call does not return HTTP 200 OK", async () => {
httpPostStub.withArgs(`${contextPath}/login/webauthn`, match.any, match.any).resolves({
ok: false,
status: 400,
});
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal("Authentication failed. Could not process the authentication request: HTTP 400");
return;
}
expect.fail("authenticate should throw");
});
it("when authentication call does not return JSON", async () => {
httpPostStub.withArgs(`${contextPath}/login/webauthn`, match.any, match.any).resolves({
ok: true,
status: 200,
json: fake.rejects(new Error("Not valid JSON")),
});
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Authentication failed. Could not process the authentication request: Not valid JSON",
);
return;
}
expect.fail("authenticate should throw");
});
it("when authentication call returns null", async () => {
httpPostStub.withArgs(`${contextPath}/login/webauthn`, match.any, match.any).resolves({
ok: true,
status: 200,
json: fake.resolves(null),
});
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
'Authentication failed. Expected {"authenticated": true, "redirectUrl": "..."}, server responded with: null',
);
return;
}
expect.fail("authenticate should throw");
});
it('when authentication call returns {"authenticated":false}', async () => {
httpPostStub.withArgs(`${contextPath}/login/webauthn`, match.any, match.any).resolves({
ok: true,
status: 200,
json: fake.resolves({
authenticated: false,
}),
});
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
'Authentication failed. Expected {"authenticated": true, "redirectUrl": "..."}, server responded with: {"authenticated":false}',
);
return;
}
expect.fail("authenticate should throw");
});
it("when authentication call returns no redirectUrl", async () => {
httpPostStub.withArgs(`${contextPath}/login/webauthn`, match.any, match.any).resolves({
ok: true,
status: 200,
json: fake.resolves({
authenticated: true,
}),
});
try {
await webauthn.authenticate({}, contextPath, false);
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
'Authentication failed. Expected {"authenticated": true, "redirectUrl": "..."}, server responded with: {"authenticated":true}',
);
return;
}
expect.fail("authenticate should throw");
});
});
});
describe("register", () => {
let httpPostStub;
const contextPath = "/some/path";
beforeEach(() => {
const credentialsCreateOptions = {
rp: {
name: "Spring Security Relying Party",
id: "example.localhost",
},
user: {
name: "user",
id: "eatPy60xmXG_58JrIiIBa5wq8Y76c7MD6mnY5vW8yP8",
displayName: "user",
},
challenge: "s0hBOfkSaVLXdsbyD8jii6t2IjUd-eiTP1Cmeuo1qUo",
pubKeyCredParams: [
{
type: "public-key",
alg: -8,
},
{
type: "public-key",
alg: -7,
},
{
type: "public-key",
alg: -257,
},
],
timeout: 300000,
excludeCredentials: [
{
id: "nOsjw8eaaqSwVdTBBYE1FqfGdHs",
type: "public-key",
transports: [],
},
],
authenticatorSelection: {
residentKey: "required",
userVerification: "preferred",
},
attestation: "direct",
extensions: { credProps: true },
};
const validAuthenticatorResponse = {
authenticatorAttachment: "platform",
id: "9wAuex_025BgEQrs7fOypo5SGBA",
rawId: base64url.decode("9wAuex_025BgEQrs7fOypo5SGBA"),
response: {
attestationObject: base64url.decode(
"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYy9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNhdAAAAAPv8MAcVTk7MjAtuAgVX170AFPcALnsf9NuQYBEK7O3zsqaOUhgQpQECAyYgASFYIMB9pM2BeSeEG83fAKFVSLKIfvDBBVoyGgMoiGxE-6WgIlggazAojM5sduQy2M7rz1do55nVaNLGXh8k4xBHz-Oy91E",
),
getAuthenticatorData: () =>
base64url.decode(
"y9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNhdAAAAAPv8MAcVTk7MjAtuAgVX170AFPcALnsf9NuQYBEK7O3zsqaOUhgQpQECAyYgASFYIMB9pM2BeSeEG83fAKFVSLKIfvDBBVoyGgMoiGxE-6WgIlggazAojM5sduQy2M7rz1do55nVaNLGXh8k4xBHz-Oy91E",
),
clientDataJSON: base64url.decode(
"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiUVdwd3lUcXJpYVlqbVdnOWFvZ0FxUlRKNVFYMFBGV2JWR2xNeGNsVjZhcyIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyJ9",
),
getPublicKey: () =>
base64url.decode(
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwH2kzYF5J4Qbzd8AoVVIsoh-8MEFWjIaAyiIbET7paBrMCiMzmx25DLYzuvPV2jnmdVo0sZeHyTjEEfP47L3UQ",
),
getPublicKeyAlgorithm: () => -7,
getTransports: () => ["internal"],
},
type: "public-key",
getClientExtensionResults: () => ({}),
};
global.navigator = {
credentials: {
create: fake.resolves(validAuthenticatorResponse),
},
};
httpPostStub = stub(http, "post");
httpPostStub.withArgs(contextPath + "/webauthn/register/options", match.any).resolves({
ok: true,
status: 200,
json: fake.resolves(credentialsCreateOptions),
});
httpPostStub.withArgs(`${contextPath}/webauthn/register`, match.any, match.any).resolves({
ok: true,
json: fake.resolves({
success: true,
}),
});
});
afterEach(() => {
httpPostStub.restore();
delete global.navigator;
});
it("succeeds", async () => {
const contextPath = "/some/path";
const headers = { _csrf: "csrf-value" };
await webauthn.register(headers, contextPath, "my passkey");
assert.calledWithExactly(
httpPostStub.lastCall,
`${contextPath}/webauthn/register`,
headers,
match({
publicKey: {
credential: {
id: "9wAuex_025BgEQrs7fOypo5SGBA",
rawId: "9wAuex_025BgEQrs7fOypo5SGBA",
response: {
attestationObject:
"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYy9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNhdAAAAAPv8MAcVTk7MjAtuAgVX170AFPcALnsf9NuQYBEK7O3zsqaOUhgQpQECAyYgASFYIMB9pM2BeSeEG83fAKFVSLKIfvDBBVoyGgMoiGxE-6WgIlggazAojM5sduQy2M7rz1do55nVaNLGXh8k4xBHz-Oy91E",
clientDataJSON:
"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiUVdwd3lUcXJpYVlqbVdnOWFvZ0FxUlRKNVFYMFBGV2JWR2xNeGNsVjZhcyIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyJ9",
transports: ["internal"],
},
type: "public-key",
clientExtensionResults: {},
authenticatorAttachment: "platform",
},
label: "my passkey",
},
}),
);
});
it("calls the authenticator with the correct options", async () => {
await webauthn.register({}, contextPath, "my passkey");
assert.calledOnceWithExactly(
global.navigator.credentials.create,
match({
publicKey: {
rp: {
name: "Spring Security Relying Party",
id: "example.localhost",
},
user: {
name: "user",
id: base64url.decode("eatPy60xmXG_58JrIiIBa5wq8Y76c7MD6mnY5vW8yP8"),
displayName: "user",
},
challenge: base64url.decode("s0hBOfkSaVLXdsbyD8jii6t2IjUd-eiTP1Cmeuo1qUo"),
pubKeyCredParams: [
{
type: "public-key",
alg: -8,
},
{
type: "public-key",
alg: -7,
},
{
type: "public-key",
alg: -257,
},
],
timeout: 300000,
excludeCredentials: [
{
id: base64url.decode("nOsjw8eaaqSwVdTBBYE1FqfGdHs"),
type: "public-key",
transports: [],
},
],
authenticatorSelection: {
residentKey: "required",
userVerification: "preferred",
},
attestation: "direct",
extensions: { credProps: true },
},
signal: match.any,
}),
);
});
describe("registration failures", () => {
it("when label is missing", async () => {
try {
await webauthn.register({}, "/", "");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal("Error: Passkey Label is required");
return;
}
expect.fail("register should throw");
});
it("when cannot get the registration options", async () => {
httpPostStub.withArgs(match.any, match.any).rejects(new Error("Server threw an error"));
try {
await webauthn.register({}, "/", "my passkey");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Registration failed. Could not fetch registration options: Server threw an error",
);
return;
}
expect.fail("register should throw");
});
it("when registration options call does not return HTTP 200 OK", async () => {
httpPostStub.withArgs(match.any, match.any).resolves({
ok: false,
status: 400,
});
try {
await webauthn.register({}, "/", "my passkey");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Registration failed. Could not fetch registration options: Server responded with HTTP 400",
);
return;
}
expect.fail("register should throw");
});
it("when registration options are not valid JSON", async () => {
httpPostStub.withArgs(match.any, match.any).resolves({
ok: true,
status: 200,
json: fake.rejects(new Error("Not a JSON response")),
});
try {
await webauthn.register({}, "/", "my passkey");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Registration failed. Could not fetch registration options: Not a JSON response",
);
return;
}
expect.fail("register should throw");
});
it("when navigator.credentials.create fails", async () => {
global.navigator = {
credentials: {
create: fake.rejects(new Error("authenticator threw an error")),
},
};
try {
await webauthn.register({}, contextPath, "my passkey");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Registration failed. Call to navigator.credentials.create failed: authenticator threw an error",
);
expect(err.cause).to.deep.equal(new Error("authenticator threw an error"));
return;
}
expect.fail("register should throw");
});
it("when registration call fails", async () => {
httpPostStub
.withArgs(`${contextPath}/webauthn/register`, match.any, match.any)
.rejects(new Error("Connection refused"));
try {
await webauthn.register({}, contextPath, "my passkey");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Registration failed. Could not process the registration request: Connection refused",
);
expect(err.cause).to.deep.equal(new Error("Connection refused"));
return;
}
expect.fail("register should throw");
});
it("when registration call does not return HTTP 200 OK", async () => {
httpPostStub.withArgs(`${contextPath}/webauthn/register`, match.any, match.any).resolves({
ok: false,
status: 400,
});
try {
await webauthn.register({}, contextPath, "my passkey");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal("Registration failed. Could not process the registration request: HTTP 400");
return;
}
expect.fail("register should throw");
});
it("when registration call does not return JSON", async () => {
httpPostStub.withArgs(`${contextPath}/webauthn/register`, match.any, match.any).resolves({
ok: true,
status: 200,
json: fake.rejects(new Error("Not valid JSON")),
});
try {
await webauthn.register({}, contextPath, "my passkey");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal(
"Registration failed. Could not process the registration request: Not valid JSON",
);
expect(err.cause).to.deep.equal(new Error("Not valid JSON"));
return;
}
expect.fail("register should throw");
});
it("when registration call returns null", async () => {
httpPostStub.withArgs(`${contextPath}/webauthn/register`, match.any, match.any).resolves({
ok: true,
status: 200,
json: fake.resolves(null),
});
try {
await webauthn.register({}, contextPath, "my passkey");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal("Registration failed. Server responded with: null");
return;
}
expect.fail("register should throw");
});
it('when registration call returns {"success":false}', async () => {
httpPostStub.withArgs(`${contextPath}/webauthn/register`, match.any, match.any).resolves({
ok: true,
status: 200,
json: fake.resolves({ success: false }),
});
try {
await webauthn.register({}, contextPath, "my passkey");
} catch (err) {
expect(err).to.be.an("error");
expect(err.message).to.equal('Registration failed. Server responded with: {"success":false}');
return;
}
expect.fail("register should throw");
});
});
});
});