Browse Source
- src/api/core/passkeys.rs: extract passkey-management endpoints into
their own module from api/core/mod.rs
- src/api/core/two_factor/webauthn.rs: add extensions field to the
PublicKeyCredentialCopy / RegisterPublicKeyCredentialCopy serde
wrappers with serde(default, alias = clientExtensionResults), and
propagate through the From impls
- src/api/core/two_factor/{authenticator,duo,email,protected_actions,yubikey}.rs:
propagate ? cascade for find_by_user_and_type's new
Result<Option<TwoFactor>, Error> signature
- src/api/core/{accounts,ciphers,mod}.rs: rotate-key PRF rewrap,
/sync webauthn_prf_options gating
- src/api/identity.rs: webauthn_login grant hardening + defensive
documentation justifying unauth-grant 503-vs-AUTH_FAILED asymmetries
- src/db/models/two_factor.rs: try_find_by_user, find_by_user_and_type
Result-ification, take_by_user_and_type, is_policy_provider*
predicates, POLICY_PROVIDER_TYPES const
- src/db/models/user.rs: try_find_by_uuid sibling, WebAuthnCredential
delete cascade in User::delete
- src/db/models/web_authn_credential.rs: model hardening
- migrations/*: schema additions for webauthn passkey credentials
- playwright/tests/passkey.spec.ts: passkey feature tests
- README.md, scss.hbs, config.rs: docs, UI hides, feature flag
pull/7297/head
Zaid Marji
2 weeks ago
17 changed files with 1980 additions and 1073 deletions
@ -0,0 +1,953 @@ |
|||||
|
use chrono::Utc; |
||||
|
use rocket::{Route, http::Status, serde::json::Json, serde::json::Value}; |
||||
|
use webauthn_rs::prelude::{ |
||||
|
CreationChallengeResponse, Credential as WebauthnCredentialData, Passkey, PasskeyAuthentication, |
||||
|
PasskeyRegistration, |
||||
|
}; |
||||
|
use webauthn_rs_proto::{ExtnState, RequestRegistrationExtensions, UserVerificationPolicy}; |
||||
|
|
||||
|
use crate::{ |
||||
|
CONFIG, |
||||
|
api::{ |
||||
|
ApiResult, JsonResult, Notify, PasswordOrOtpData, UpdateType, |
||||
|
core::two_factor::webauthn::{PublicKeyCredentialCopy, RegisterPublicKeyCredentialCopy, WEBAUTHN}, |
||||
|
}, |
||||
|
auth::Headers, |
||||
|
crypto, |
||||
|
db::{ |
||||
|
DbConn, |
||||
|
models::{TwoFactor, TwoFactorType, User, WebAuthnCredential, WebAuthnCredentialId}, |
||||
|
}, |
||||
|
error::Error, |
||||
|
util::get_uuid, |
||||
|
}; |
||||
|
|
||||
|
const WEBAUTHN_PASSKEY_CHALLENGE_TTL_SECONDS: i64 = 300; |
||||
|
const WEBAUTHN_PASSKEY_CHALLENGE_CLOCK_SKEW_SECONDS: i64 = 30; |
||||
|
// Bitwarden currently caps account-login passkeys at five per user.
|
||||
|
const MAX_WEBAUTHN_CREDENTIALS: usize = 5; |
||||
|
|
||||
|
pub fn routes() -> Vec<Route> { |
||||
|
routes![ |
||||
|
get_api_webauthn, |
||||
|
post_api_webauthn, |
||||
|
put_api_webauthn, |
||||
|
post_api_webauthn_assertion_options, |
||||
|
post_api_webauthn_attestation_options, |
||||
|
post_api_webauthn_delete, |
||||
|
] |
||||
|
} |
||||
|
|
||||
|
#[get("/webauthn")] |
||||
|
async fn get_api_webauthn(headers: Headers, conn: DbConn) -> JsonResult { |
||||
|
let user = headers.user; |
||||
|
|
||||
|
let data: Vec<Value> = WebAuthnCredential::find_by_user(&user.uuid, &conn) |
||||
|
.await? |
||||
|
.into_iter() |
||||
|
.map(|wac| { |
||||
|
json!({ |
||||
|
"id": wac.uuid, |
||||
|
"name": wac.name, |
||||
|
// 0 = Enabled, 1 = Supported (PRF-capable, keyset not set up), 2 = Unsupported.
|
||||
|
"prfStatus": wac.prf_status(), |
||||
|
"encryptedUserKey": wac.encrypted_user_key, |
||||
|
"encryptedPublicKey": wac.encrypted_public_key, |
||||
|
"object": "webauthnCredential", |
||||
|
}) |
||||
|
}) |
||||
|
.collect(); |
||||
|
|
||||
|
Ok(Json(json!({ |
||||
|
"object": "list", |
||||
|
"data": data, |
||||
|
"continuationToken": null |
||||
|
}))) |
||||
|
} |
||||
|
|
||||
|
#[derive(Debug, Serialize, Deserialize)] |
||||
|
#[serde(rename_all = "camelCase")] |
||||
|
struct WebAuthnPasskeyRegistrationChallenge { |
||||
|
token: String, |
||||
|
created_at: i64, |
||||
|
user_security_stamp: String, |
||||
|
state: PasskeyRegistration, |
||||
|
} |
||||
|
|
||||
|
#[derive(Debug, Serialize, Deserialize)] |
||||
|
#[serde(rename_all = "camelCase")] |
||||
|
struct WebAuthnPasskeyAssertionChallenge { |
||||
|
token: String, |
||||
|
created_at: i64, |
||||
|
user_security_stamp: String, |
||||
|
state: PasskeyAuthentication, |
||||
|
} |
||||
|
|
||||
|
fn passkey_management_challenge_is_fresh(created_at: i64) -> bool { |
||||
|
// The timestamp is server-stamped, so a future value only happens after a
|
||||
|
// clock step backwards or manual DB tampering. Allow a small skew window
|
||||
|
// for harmless corrections, but reject anything beyond it so a pre-step
|
||||
|
// challenge cannot remain valid for longer than the documented TTL.
|
||||
|
passkey_management_challenge_is_fresh_at(created_at, Utc::now().timestamp()) |
||||
|
} |
||||
|
|
||||
|
fn passkey_management_challenge_is_fresh_at(created_at: i64, now: i64) -> bool { |
||||
|
crate::util::is_within_freshness_window( |
||||
|
created_at, |
||||
|
now, |
||||
|
WEBAUTHN_PASSKEY_CHALLENGE_TTL_SECONDS, |
||||
|
WEBAUTHN_PASSKEY_CHALLENGE_CLOCK_SKEW_SECONDS, |
||||
|
) |
||||
|
} |
||||
|
|
||||
|
fn passkey_registration_challenge_state( |
||||
|
data: &str, |
||||
|
token: Option<&str>, |
||||
|
user_security_stamp: &str, |
||||
|
) -> ApiResult<PasskeyRegistration> { |
||||
|
// Persisted challenge rows are always the `{token, state}` wrapper —
|
||||
|
// nothing in the current code path writes the bare `PasskeyRegistration`
|
||||
|
// shape. Reject a row that doesn't deserialise (corrupted, stale schema)
|
||||
|
// with the same generic message we use for token mismatch, rather than
|
||||
|
// falling through to an un-tokened legacy path.
|
||||
|
let Ok(saved) = serde_json::from_str::<WebAuthnPasskeyRegistrationChallenge>(data) else { |
||||
|
err!("Invalid registration challenge. Please try again.") |
||||
|
}; |
||||
|
if !token.is_some_and(|t| crypto::ct_eq(t, &saved.token)) { |
||||
|
err!("Invalid registration challenge. Please try again.") |
||||
|
} |
||||
|
if !passkey_management_challenge_is_fresh(saved.created_at) { |
||||
|
err!("Invalid registration challenge. Please try again.") |
||||
|
} |
||||
|
if !crypto::ct_eq(user_security_stamp, &saved.user_security_stamp) { |
||||
|
err!("Invalid registration challenge. Please try again.") |
||||
|
} |
||||
|
Ok(saved.state) |
||||
|
} |
||||
|
|
||||
|
fn passkey_assertion_challenge_state( |
||||
|
data: &str, |
||||
|
token: &str, |
||||
|
user_security_stamp: &str, |
||||
|
) -> ApiResult<PasskeyAuthentication> { |
||||
|
// Same shape contract as `passkey_registration_challenge_state` above —
|
||||
|
// reject undecodable rows with the generic message rather than leaking
|
||||
|
// the underlying serde error.
|
||||
|
let Ok(saved) = serde_json::from_str::<WebAuthnPasskeyAssertionChallenge>(data) else { |
||||
|
err!("Invalid assertion challenge. Please try again.") |
||||
|
}; |
||||
|
if !crypto::ct_eq(token, &saved.token) { |
||||
|
err!("Invalid assertion challenge. Please try again.") |
||||
|
} |
||||
|
if !passkey_management_challenge_is_fresh(saved.created_at) { |
||||
|
err!("Invalid assertion challenge. Please try again.") |
||||
|
} |
||||
|
if !crypto::ct_eq(user_security_stamp, &saved.user_security_stamp) { |
||||
|
err!("Invalid assertion challenge. Please try again.") |
||||
|
} |
||||
|
Ok(saved.state) |
||||
|
} |
||||
|
|
||||
|
pub(crate) fn passkey_credential_id_hash(credential_id: &[u8]) -> String { |
||||
|
crypto::sha256_hex(credential_id) |
||||
|
} |
||||
|
|
||||
|
fn passkey_count_limit_reached(count: usize) -> bool { |
||||
|
count >= MAX_WEBAUTHN_CREDENTIALS |
||||
|
} |
||||
|
|
||||
|
pub(crate) fn account_passkeys_allowed() -> bool { |
||||
|
!(CONFIG.sso_enabled() && CONFIG.sso_only()) && CONFIG.is_webauthn_2fa_supported() |
||||
|
} |
||||
|
|
||||
|
fn request_passkey_prf_extension( |
||||
|
mut challenge: CreationChallengeResponse, |
||||
|
state: &PasskeyRegistration, |
||||
|
) -> ApiResult<(CreationChallengeResponse, PasskeyRegistration)> { |
||||
|
challenge.public_key.extensions.get_or_insert_with(RequestRegistrationExtensions::default).hmac_create_secret = |
||||
|
Some(true); |
||||
|
|
||||
|
let mut state_value = serde_json::to_value(state)?; |
||||
|
let Some(extensions) = |
||||
|
state_value.get_mut("rs").and_then(|rs| rs.get_mut("extensions")).and_then(Value::as_object_mut) |
||||
|
else { |
||||
|
return Err(Error::new("Invalid passkey registration state", "Missing WebAuthn registration extensions")); |
||||
|
}; |
||||
|
extensions.insert("hmacCreateSecret".to_owned(), Value::Bool(true)); |
||||
|
|
||||
|
let state = serde_json::from_value(state_value)?; |
||||
|
Ok((challenge, state)) |
||||
|
} |
||||
|
|
||||
|
fn passkey_supports_prf(passkey: &Passkey) -> bool { |
||||
|
let credential: WebauthnCredentialData = passkey.clone().into(); |
||||
|
matches!(credential.extensions.hmac_create_secret, ExtnState::Set(true)) |
||||
|
} |
||||
|
|
||||
|
type PasskeyRegistrationPrfData = (bool, Option<String>, Option<String>, Option<String>); |
||||
|
|
||||
|
fn passkey_registration_prf_data( |
||||
|
client_supports_prf: bool, |
||||
|
encrypted_user_key: Option<String>, |
||||
|
encrypted_public_key: Option<String>, |
||||
|
encrypted_private_key: Option<String>, |
||||
|
server_supports_prf: bool, |
||||
|
) -> ApiResult<PasskeyRegistrationPrfData> { |
||||
|
let supports_prf = client_supports_prf || server_supports_prf; |
||||
|
let has_key_material = |
||||
|
encrypted_user_key.is_some() || encrypted_public_key.is_some() || encrypted_private_key.is_some(); |
||||
|
|
||||
|
if !supports_prf { |
||||
|
if has_key_material { |
||||
|
err!("Passkey does not support PRF") |
||||
|
} |
||||
|
return Ok((false, None, None, None)); |
||||
|
} |
||||
|
|
||||
|
// Chromium/CDP does not consistently reflect the registration PRF
|
||||
|
// extension in the attested credential, but the web vault still reports
|
||||
|
// whether the browser ceremony supports PRF. Store that client capability
|
||||
|
// signal; only the presence of wrapped key blobs controls unlock.
|
||||
|
if !has_key_material { |
||||
|
return Ok((true, None, None, None)); |
||||
|
} |
||||
|
|
||||
|
let Some(encrypted_user_key) = encrypted_user_key else { |
||||
|
err!("Encrypted user key is required") |
||||
|
}; |
||||
|
let Some(encrypted_public_key) = encrypted_public_key else { |
||||
|
err!("Encrypted public key is required") |
||||
|
}; |
||||
|
let Some(encrypted_private_key) = encrypted_private_key else { |
||||
|
err!("Encrypted private key is required") |
||||
|
}; |
||||
|
|
||||
|
Ok((true, Some(encrypted_user_key), Some(encrypted_public_key), Some(encrypted_private_key))) |
||||
|
} |
||||
|
|
||||
|
/// Gates every passkey-management entry point in this module on the same
|
||||
|
/// three preconditions:
|
||||
|
/// • `check_limit_login` — IP-level rate limit shared with the password
|
||||
|
/// login path. Runs FIRST so a misconfigured DOMAIN can't be turned
|
||||
|
/// into an uncapped error-log generator: every refused request would
|
||||
|
/// otherwise short-circuit on `is_webauthn_2fa_supported` without
|
||||
|
/// consuming a rate-limit token.
|
||||
|
/// • `is_webauthn_2fa_supported` — refuses cleanly when DOMAIN is
|
||||
|
/// incompatible with WebAuthn (must run before the `WEBAUTHN` LazyLock
|
||||
|
/// is touched, which would otherwise panic).
|
||||
|
/// • SSO_ONLY — refuses passkey mutations when the operator has required
|
||||
|
/// SSO sign-in.
|
||||
|
///
|
||||
|
/// `action_verb` parameterises the SSO refusal message between the create
|
||||
|
/// and update endpoints ("created" / "updated"). The delete endpoint is
|
||||
|
/// intentionally NOT gated — see the comment on `post_api_webauthn_delete`.
|
||||
|
pub(crate) fn check_passkey_endpoint_preconditions(ip: &std::net::IpAddr, action_verb: &str) -> ApiResult<()> { |
||||
|
crate::ratelimit::check_limit_login(ip)?; |
||||
|
if !CONFIG.is_webauthn_2fa_supported() { |
||||
|
err!("Webauthn is not supported on this server. Set `DOMAIN` to a valid URL with a parseable host.") |
||||
|
} |
||||
|
if CONFIG.sso_enabled() && CONFIG.sso_only() { |
||||
|
err!(format!("Passkeys cannot be {action_verb} when SSO sign-in is required")) |
||||
|
} |
||||
|
Ok(()) |
||||
|
} |
||||
|
|
||||
|
#[post("/webauthn/attestation-options", data = "<data>")] |
||||
|
async fn post_api_webauthn_attestation_options( |
||||
|
data: Json<PasswordOrOtpData>, |
||||
|
headers: Headers, |
||||
|
conn: DbConn, |
||||
|
) -> JsonResult { |
||||
|
check_passkey_endpoint_preconditions(&headers.ip.ip, "created")?; |
||||
|
|
||||
|
let data: PasswordOrOtpData = data.into_inner(); |
||||
|
let user = headers.user; |
||||
|
|
||||
|
data.validate(&user, true, &conn).await?; |
||||
|
|
||||
|
let all_creds = WebAuthnCredential::find_by_user(&user.uuid, &conn).await?; |
||||
|
if passkey_count_limit_reached(all_creds.len()) { |
||||
|
err!("Maximum number of passkeys reached") |
||||
|
} |
||||
|
|
||||
|
let existing_cred_ids: Vec<_> = all_creds |
||||
|
.into_iter() |
||||
|
.filter_map(|wac| { |
||||
|
let passkey: Passkey = serde_json::from_str(&wac.credential).ok()?; |
||||
|
Some(passkey.cred_id().to_owned()) |
||||
|
}) |
||||
|
.collect(); |
||||
|
|
||||
|
let user_uuid = uuid::Uuid::parse_str(&user.uuid) |
||||
|
.map_err(|_| Error::new("Invalid user", "Could not parse user UUID for passkey registration"))?; |
||||
|
|
||||
|
let (challenge, state) = |
||||
|
WEBAUTHN.start_passkey_registration(user_uuid, &user.email, user.display_name(), Some(existing_cred_ids))?; |
||||
|
let (mut challenge, state) = request_passkey_prf_extension(challenge, &state)?; |
||||
|
|
||||
|
// Ask the client for a discoverable (resident) credential with UV.
|
||||
|
// `start_passkey_registration` already pins UV=Required in `state`;
|
||||
|
// resident-key is NOT enforced server-side by webauthn-rs, so this is a
|
||||
|
// client-side hint on the challenge JSON only. A non-resident credential
|
||||
|
// would still be accepted here but later fail discoverable-login, so
|
||||
|
// tampering clients only hurt themselves.
|
||||
|
if let Some(asc) = challenge.public_key.authenticator_selection.as_mut() { |
||||
|
asc.user_verification = UserVerificationPolicy::Required; |
||||
|
asc.require_resident_key = true; |
||||
|
asc.resident_key = Some(webauthn_rs_proto::ResidentKeyRequirement::Required); |
||||
|
} |
||||
|
|
||||
|
// Atomically drop any abandoned challenge from a previous, unfinished
|
||||
|
// registration attempt so only one in-flight challenge state per user
|
||||
|
// exists at any time.
|
||||
|
TwoFactor::take_by_user_and_type(&user.uuid, TwoFactorType::WebauthnPasskeyRegisterChallenge as i32, &conn).await?; |
||||
|
|
||||
|
let token = get_uuid(); |
||||
|
let saved_challenge = WebAuthnPasskeyRegistrationChallenge { |
||||
|
token: token.clone(), |
||||
|
created_at: Utc::now().timestamp(), |
||||
|
user_security_stamp: user.security_stamp, |
||||
|
state, |
||||
|
}; |
||||
|
|
||||
|
// Persist the registration state in the database (same pattern as 2FA webauthn)
|
||||
|
TwoFactor::new( |
||||
|
user.uuid, |
||||
|
TwoFactorType::WebauthnPasskeyRegisterChallenge, |
||||
|
serde_json::to_string(&saved_challenge)?, |
||||
|
) |
||||
|
.save(&conn) |
||||
|
.await?; |
||||
|
|
||||
|
let mut options = serde_json::to_value(challenge.public_key)?; |
||||
|
options["status"] = "ok".into(); |
||||
|
options["errorMessage"] = "".into(); |
||||
|
|
||||
|
Ok(Json(json!({ |
||||
|
"options": options, |
||||
|
"token": token, |
||||
|
"object": "webauthnCredentialCreateOptions" |
||||
|
}))) |
||||
|
} |
||||
|
|
||||
|
#[post("/webauthn/assertion-options", data = "<data>")] |
||||
|
async fn post_api_webauthn_assertion_options( |
||||
|
data: Json<PasswordOrOtpData>, |
||||
|
headers: Headers, |
||||
|
conn: DbConn, |
||||
|
) -> JsonResult { |
||||
|
check_passkey_endpoint_preconditions(&headers.ip.ip, "updated")?; |
||||
|
|
||||
|
let data: PasswordOrOtpData = data.into_inner(); |
||||
|
let user = headers.user; |
||||
|
|
||||
|
data.validate(&user, true, &conn).await?; |
||||
|
|
||||
|
let credentials: Vec<Passkey> = WebAuthnCredential::find_by_user(&user.uuid, &conn) |
||||
|
.await? |
||||
|
.into_iter() |
||||
|
.filter(|wac| wac.supports_prf) |
||||
|
.filter_map(|wac| serde_json::from_str(&wac.credential).ok()) |
||||
|
.collect(); |
||||
|
|
||||
|
if credentials.is_empty() { |
||||
|
err!("No PRF-capable passkeys registered") |
||||
|
} |
||||
|
|
||||
|
let (response, state) = WEBAUTHN.start_passkey_authentication(&credentials)?; |
||||
|
|
||||
|
// Atomically drop any abandoned challenge from a previous attempt — see
|
||||
|
// the comment on `post_api_webauthn_attestation_options`.
|
||||
|
TwoFactor::take_by_user_and_type(&user.uuid, TwoFactorType::WebauthnPasskeyAssertionChallenge as i32, &conn) |
||||
|
.await?; |
||||
|
|
||||
|
let token = get_uuid(); |
||||
|
let saved_challenge = WebAuthnPasskeyAssertionChallenge { |
||||
|
token: token.clone(), |
||||
|
created_at: Utc::now().timestamp(), |
||||
|
user_security_stamp: user.security_stamp, |
||||
|
state, |
||||
|
}; |
||||
|
TwoFactor::new( |
||||
|
user.uuid, |
||||
|
TwoFactorType::WebauthnPasskeyAssertionChallenge, |
||||
|
serde_json::to_string(&saved_challenge)?, |
||||
|
) |
||||
|
.save(&conn) |
||||
|
.await?; |
||||
|
|
||||
|
Ok(Json(json!({ |
||||
|
"options": response.public_key, |
||||
|
"token": token, |
||||
|
"object": "webAuthnLoginAssertionOptions" |
||||
|
}))) |
||||
|
} |
||||
|
|
||||
|
#[derive(Debug, Deserialize)] |
||||
|
#[serde(rename_all = "camelCase")] |
||||
|
struct WebAuthnLoginCredentialCreateRequest { |
||||
|
device_response: RegisterPublicKeyCredentialCopy, |
||||
|
name: String, |
||||
|
token: Option<String>, |
||||
|
supports_prf: bool, |
||||
|
encrypted_user_key: Option<String>, |
||||
|
encrypted_public_key: Option<String>, |
||||
|
encrypted_private_key: Option<String>, |
||||
|
} |
||||
|
|
||||
|
#[post("/webauthn", data = "<data>")] |
||||
|
async fn post_api_webauthn( |
||||
|
data: Json<WebAuthnLoginCredentialCreateRequest>, |
||||
|
headers: Headers, |
||||
|
conn: DbConn, |
||||
|
nt: Notify<'_>, |
||||
|
) -> ApiResult<Status> { |
||||
|
check_passkey_endpoint_preconditions(&headers.ip.ip, "created")?; |
||||
|
|
||||
|
let data: WebAuthnLoginCredentialCreateRequest = data.into_inner(); |
||||
|
let user = headers.user; |
||||
|
|
||||
|
// Atomically take the saved challenge state (single-use): concurrent
|
||||
|
// finishes for the same registration row cannot both succeed and create
|
||||
|
// duplicate `web_authn_credentials` entries — only the caller whose DELETE
|
||||
|
// removes the row proceeds.
|
||||
|
let Some(mut current_user) = User::try_find_by_uuid(&user.uuid, &conn).await? else { |
||||
|
err!("User not found") |
||||
|
}; |
||||
|
|
||||
|
if passkey_count_limit_reached(WebAuthnCredential::count_by_user(¤t_user.uuid, &conn).await?) { |
||||
|
err!("Maximum number of passkeys reached") |
||||
|
} |
||||
|
|
||||
|
let type_ = TwoFactorType::WebauthnPasskeyRegisterChallenge as i32; |
||||
|
let Some(tf) = TwoFactor::take_by_user_and_type(&user.uuid, type_, &conn).await? else { |
||||
|
err!("No registration challenge found. Please try again.") |
||||
|
}; |
||||
|
let state = passkey_registration_challenge_state(&tf.data, data.token.as_deref(), ¤t_user.security_stamp)?; |
||||
|
let credential = WEBAUTHN.finish_passkey_registration(&data.device_response.into(), &state)?; |
||||
|
let credential_id_hash = passkey_credential_id_hash(credential.cred_id().as_slice()); |
||||
|
let (supports_prf, encrypted_user_key, encrypted_public_key, encrypted_private_key) = |
||||
|
passkey_registration_prf_data( |
||||
|
data.supports_prf, |
||||
|
data.encrypted_user_key, |
||||
|
data.encrypted_public_key, |
||||
|
data.encrypted_private_key, |
||||
|
passkey_supports_prf(&credential), |
||||
|
)?; |
||||
|
|
||||
|
// Duplicate detection rests on the UNIQUE `(user_uuid, credential_id_hash)`
|
||||
|
// index: `save_with_user_limit` below maps the `UniqueViolation` to
|
||||
|
// "Passkey is already registered". Scoping it per-user means a cross-account
|
||||
|
// hash collision (trivial if an attacker echoes an observed cred_id) inserts
|
||||
|
// cleanly without signalling that another account holds that hash.
|
||||
|
|
||||
|
WebAuthnCredential::new( |
||||
|
current_user.uuid.clone(), |
||||
|
data.name, |
||||
|
serde_json::to_string(&credential)?, |
||||
|
credential_id_hash, |
||||
|
supports_prf, |
||||
|
encrypted_user_key, |
||||
|
encrypted_public_key, |
||||
|
encrypted_private_key, |
||||
|
) |
||||
|
.save_with_user_limit(MAX_WEBAUTHN_CREDENTIALS, &conn) |
||||
|
.await?; |
||||
|
|
||||
|
current_user.update_revision(&conn).await?; |
||||
|
nt.send_user_update(UpdateType::SyncVault, ¤t_user, headers.device.push_uuid.as_ref(), &conn).await; |
||||
|
|
||||
|
Ok(Status::Ok) |
||||
|
} |
||||
|
|
||||
|
#[derive(Debug, Deserialize)] |
||||
|
#[serde(rename_all = "camelCase")] |
||||
|
struct WebAuthnLoginCredentialUpdateRequest { |
||||
|
device_response: PublicKeyCredentialCopy, |
||||
|
token: String, |
||||
|
encrypted_user_key: Option<String>, |
||||
|
encrypted_public_key: Option<String>, |
||||
|
encrypted_private_key: Option<String>, |
||||
|
} |
||||
|
|
||||
|
#[put("/webauthn", data = "<data>")] |
||||
|
async fn put_api_webauthn( |
||||
|
data: Json<WebAuthnLoginCredentialUpdateRequest>, |
||||
|
headers: Headers, |
||||
|
conn: DbConn, |
||||
|
nt: Notify<'_>, |
||||
|
) -> ApiResult<Status> { |
||||
|
check_passkey_endpoint_preconditions(&headers.ip.ip, "updated")?; |
||||
|
|
||||
|
let data: WebAuthnLoginCredentialUpdateRequest = data.into_inner(); |
||||
|
let user = headers.user; |
||||
|
|
||||
|
let Some(encrypted_user_key) = data.encrypted_user_key else { |
||||
|
err!("Encrypted user key is required") |
||||
|
}; |
||||
|
let Some(encrypted_public_key) = data.encrypted_public_key else { |
||||
|
err!("Encrypted public key is required") |
||||
|
}; |
||||
|
let Some(encrypted_private_key) = data.encrypted_private_key else { |
||||
|
err!("Encrypted private key is required") |
||||
|
}; |
||||
|
|
||||
|
// Atomically take the saved challenge state (single-use): concurrent
|
||||
|
// updates for the same assertion row cannot both succeed and apply
|
||||
|
// different blob payloads — only the caller whose DELETE removes the row
|
||||
|
// proceeds.
|
||||
|
let Some(mut current_user) = User::try_find_by_uuid(&user.uuid, &conn).await? else { |
||||
|
err!("User not found") |
||||
|
}; |
||||
|
|
||||
|
let type_ = TwoFactorType::WebauthnPasskeyAssertionChallenge as i32; |
||||
|
let Some(tf) = TwoFactor::take_by_user_and_type(&user.uuid, type_, &conn).await? else { |
||||
|
err!("No assertion challenge found. Please try again.") |
||||
|
}; |
||||
|
let state = passkey_assertion_challenge_state(&tf.data, &data.token, ¤t_user.security_stamp)?; |
||||
|
|
||||
|
let credential_response = data.device_response.into(); |
||||
|
|
||||
|
// Verify the assertion against the saved challenge state. `state`
|
||||
|
// already carries the credential set the challenge was issued against,
|
||||
|
// so we don't need to pass credentials again here. After verification
|
||||
|
// we know the exact cred_id and can index directly into the
|
||||
|
// credential table via the per-user UNIQUE on credential_id_hash —
|
||||
|
// avoiding the full passkey-set scan + N JSON parses the previous
|
||||
|
// shape did.
|
||||
|
let authentication_result = WEBAUTHN.finish_passkey_authentication(&credential_response, &state)?; |
||||
|
let credential_id_hash = passkey_credential_id_hash(authentication_result.cred_id().as_slice()); |
||||
|
let Some(mut matched_wac) = |
||||
|
WebAuthnCredential::find_by_user_and_credential_id_hash(¤t_user.uuid, &credential_id_hash, &conn).await? |
||||
|
else { |
||||
|
err!("Verified credential is not registered") |
||||
|
}; |
||||
|
|
||||
|
if !matched_wac.supports_prf { |
||||
|
err!("Passkey does not support PRF") |
||||
|
} |
||||
|
|
||||
|
let mut passkey: Passkey = serde_json::from_str(&matched_wac.credential)?; |
||||
|
|
||||
|
// Persist the (optional) signature-counter advance and the PRF keyset
|
||||
|
// together. The assertion challenge was atomically consumed via
|
||||
|
// `take_by_user_and_type` above, so a half-applied state would block
|
||||
|
// any retry — the helper folds both writes into a single UPDATE.
|
||||
|
//
|
||||
|
// `advanced_counter` gates the `credential` column write. Passing `false`
|
||||
|
// when the counter did not advance avoids clobbering a counter blob a
|
||||
|
// parallel replica may have just persisted via `webauthn_login`'s
|
||||
|
// counter advance (the per-process DashMap lock does not serialise
|
||||
|
// across replicas). The helper surfaces 0-rows as a Simple error so a
|
||||
|
// concurrent DELETE doesn't yield a misleading 200 OK with no row.
|
||||
|
let advanced_counter = passkey.update_credential(&authentication_result) == Some(true); |
||||
|
if advanced_counter { |
||||
|
matched_wac.credential = serde_json::to_string(&passkey)?; |
||||
|
} |
||||
|
matched_wac.encrypted_user_key = Some(encrypted_user_key); |
||||
|
matched_wac.encrypted_public_key = Some(encrypted_public_key); |
||||
|
matched_wac.encrypted_private_key = Some(encrypted_private_key); |
||||
|
matched_wac.update_credential_and_prf_keyset(advanced_counter, &conn).await?; |
||||
|
|
||||
|
current_user.update_revision(&conn).await?; |
||||
|
nt.send_user_update(UpdateType::SyncVault, ¤t_user, headers.device.push_uuid.as_ref(), &conn).await; |
||||
|
|
||||
|
Ok(Status::Ok) |
||||
|
} |
||||
|
|
||||
|
// Intentionally NOT gated on SSO_ONLY or DOMAIN-misconfigured: delete
|
||||
|
// narrows capability (revokes, never grants), the session is still
|
||||
|
// SSO-authenticated when this handler runs, and delete never touches the
|
||||
|
// `WEBAUTHN` LazyLock so DOMAIN parseability is irrelevant. Lets users
|
||||
|
// clean up credentials regardless of later deployment-config changes.
|
||||
|
#[post("/webauthn/<uuid>/delete", data = "<data>")] |
||||
|
async fn post_api_webauthn_delete( |
||||
|
data: Json<PasswordOrOtpData>, |
||||
|
uuid: WebAuthnCredentialId, |
||||
|
headers: Headers, |
||||
|
conn: DbConn, |
||||
|
nt: Notify<'_>, |
||||
|
) -> ApiResult<Status> { |
||||
|
crate::ratelimit::check_limit_login(&headers.ip.ip)?; |
||||
|
|
||||
|
let data: PasswordOrOtpData = data.into_inner(); |
||||
|
let mut user = headers.user; |
||||
|
|
||||
|
data.validate(&user, true, &conn).await?; |
||||
|
|
||||
|
WebAuthnCredential::delete_by_uuid_and_user(&uuid, &user.uuid, &conn).await?; |
||||
|
|
||||
|
user.update_revision(&conn).await?; |
||||
|
nt.send_user_update(UpdateType::SyncVault, &user, headers.device.push_uuid.as_ref(), &conn).await; |
||||
|
|
||||
|
Ok(Status::Ok) |
||||
|
} |
||||
|
|
||||
|
#[cfg(test)] |
||||
|
mod tests { |
||||
|
use super::*; |
||||
|
use webauthn_rs::prelude::{ |
||||
|
AttestationFormat, COSEAlgorithm, COSEEC2Key, COSEKey, COSEKeyType, Credential, ECDSACurve, ParsedAttestation, |
||||
|
Url, Webauthn, WebauthnBuilder, |
||||
|
}; |
||||
|
use webauthn_rs_proto::{AuthenticatorTransport, RegisteredExtensions}; |
||||
|
|
||||
|
fn webauthn() -> Webauthn { |
||||
|
let origin = Url::parse("http://localhost").unwrap(); |
||||
|
WebauthnBuilder::new("localhost", &origin).unwrap().rp_name("localhost").build().unwrap() |
||||
|
} |
||||
|
|
||||
|
fn passkey() -> Passkey { |
||||
|
Credential { |
||||
|
cred_id: [1, 2, 3, 4].into(), |
||||
|
cred: COSEKey { |
||||
|
type_: COSEAlgorithm::ES256, |
||||
|
key: COSEKeyType::EC_EC2(COSEEC2Key { |
||||
|
curve: ECDSACurve::SECP256R1, |
||||
|
x: [1; 32].into(), |
||||
|
y: [2; 32].into(), |
||||
|
}), |
||||
|
}, |
||||
|
counter: 0, |
||||
|
transports: Some(vec![AuthenticatorTransport::Internal, AuthenticatorTransport::Hybrid]), |
||||
|
user_verified: true, |
||||
|
backup_eligible: false, |
||||
|
backup_state: false, |
||||
|
registration_policy: UserVerificationPolicy::Required, |
||||
|
extensions: RegisteredExtensions::none(), |
||||
|
attestation: ParsedAttestation::default(), |
||||
|
attestation_format: AttestationFormat::None, |
||||
|
} |
||||
|
.into() |
||||
|
} |
||||
|
|
||||
|
fn registration_state() -> PasskeyRegistration { |
||||
|
let user_uuid = uuid::Uuid::parse_str("00000000-0000-0000-0000-000000000000").unwrap(); |
||||
|
let (_challenge, state) = |
||||
|
webauthn().start_passkey_registration(user_uuid, "user@example.com", "user", None).unwrap(); |
||||
|
state |
||||
|
} |
||||
|
|
||||
|
fn passkey_with_hmac_secret_state(hmac_create_secret: ExtnState<bool>) -> Passkey { |
||||
|
let mut extensions = RegisteredExtensions::none(); |
||||
|
extensions.hmac_create_secret = hmac_create_secret; |
||||
|
|
||||
|
Credential { |
||||
|
cred_id: [1, 2, 3, 4].into(), |
||||
|
cred: COSEKey { |
||||
|
type_: COSEAlgorithm::ES256, |
||||
|
key: COSEKeyType::EC_EC2(COSEEC2Key { |
||||
|
curve: ECDSACurve::SECP256R1, |
||||
|
x: [1; 32].into(), |
||||
|
y: [2; 32].into(), |
||||
|
}), |
||||
|
}, |
||||
|
counter: 0, |
||||
|
transports: None, |
||||
|
user_verified: true, |
||||
|
backup_eligible: false, |
||||
|
backup_state: false, |
||||
|
registration_policy: UserVerificationPolicy::Required, |
||||
|
extensions, |
||||
|
attestation: ParsedAttestation::default(), |
||||
|
attestation_format: AttestationFormat::None, |
||||
|
} |
||||
|
.into() |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn request_passkey_prf_extension_marks_challenge_and_stored_state() { |
||||
|
let user_uuid = uuid::Uuid::parse_str("00000000-0000-0000-0000-000000000000").unwrap(); |
||||
|
let (challenge, state) = |
||||
|
webauthn().start_passkey_registration(user_uuid, "user@example.com", "user", None).unwrap(); |
||||
|
|
||||
|
let (challenge, state) = request_passkey_prf_extension(challenge, &state).unwrap(); |
||||
|
|
||||
|
assert_eq!(challenge.public_key.extensions.as_ref().and_then(|e| e.hmac_create_secret), Some(true)); |
||||
|
assert_eq!(serde_json::to_value(&state).unwrap()["rs"]["extensions"]["hmacCreateSecret"], Value::Bool(true)); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_supports_prf_only_when_requested_extension_was_set() { |
||||
|
assert!(passkey_supports_prf(&passkey_with_hmac_secret_state(ExtnState::Set(true)))); |
||||
|
assert!(!passkey_supports_prf(&passkey_with_hmac_secret_state(ExtnState::Set(false)))); |
||||
|
assert!(!passkey_supports_prf(&passkey_with_hmac_secret_state(ExtnState::Ignored))); |
||||
|
assert!(!passkey_supports_prf(&passkey_with_hmac_secret_state(ExtnState::Unsolicited(true)))); |
||||
|
assert!(!passkey_supports_prf(&passkey_with_hmac_secret_state(ExtnState::NotRequested))); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_registration_prf_data_trusts_client_prf_support_when_keyset_is_complete() { |
||||
|
assert_eq!( |
||||
|
passkey_registration_prf_data( |
||||
|
true, |
||||
|
Some("user-key".to_owned()), |
||||
|
Some("public-key".to_owned()), |
||||
|
Some("private-key".to_owned()), |
||||
|
false, |
||||
|
) |
||||
|
.unwrap(), |
||||
|
(true, Some("user-key".to_owned()), Some("public-key".to_owned()), Some("private-key".to_owned()),) |
||||
|
); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_registration_prf_data_requires_complete_keyset_when_any_prf_key_is_sent() { |
||||
|
assert!( |
||||
|
passkey_registration_prf_data( |
||||
|
true, |
||||
|
None, |
||||
|
Some("public-key".to_owned()), |
||||
|
Some("private-key".to_owned()), |
||||
|
true |
||||
|
) |
||||
|
.is_err() |
||||
|
); |
||||
|
assert!( |
||||
|
passkey_registration_prf_data( |
||||
|
true, |
||||
|
Some("user-key".to_owned()), |
||||
|
None, |
||||
|
Some("private-key".to_owned()), |
||||
|
true |
||||
|
) |
||||
|
.is_err() |
||||
|
); |
||||
|
assert!( |
||||
|
passkey_registration_prf_data(true, Some("user-key".to_owned()), Some("public-key".to_owned()), None, true) |
||||
|
.is_err() |
||||
|
); |
||||
|
|
||||
|
assert_eq!( |
||||
|
passkey_registration_prf_data( |
||||
|
true, |
||||
|
Some("user-key".to_owned()), |
||||
|
Some("public-key".to_owned()), |
||||
|
Some("private-key".to_owned()), |
||||
|
true, |
||||
|
) |
||||
|
.unwrap(), |
||||
|
(true, Some("user-key".to_owned()), Some("public-key".to_owned()), Some("private-key".to_owned()),) |
||||
|
); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_registration_prf_data_records_prf_support_even_without_client_keyset() { |
||||
|
assert_eq!(passkey_registration_prf_data(false, None, None, None, true).unwrap(), (true, None, None, None)); |
||||
|
assert_eq!(passkey_registration_prf_data(true, None, None, None, false).unwrap(), (true, None, None, None)); |
||||
|
assert_eq!(passkey_registration_prf_data(false, None, None, None, false).unwrap(), (false, None, None, None)); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_registration_prf_data_rejects_key_material_without_prf_support() { |
||||
|
assert!( |
||||
|
passkey_registration_prf_data( |
||||
|
false, |
||||
|
Some("user-key".to_owned()), |
||||
|
Some("public-key".to_owned()), |
||||
|
Some("private-key".to_owned()), |
||||
|
false, |
||||
|
) |
||||
|
.is_err() |
||||
|
); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_count_limit_matches_bitwarden_account_passkey_cap() { |
||||
|
assert!(!passkey_count_limit_reached(MAX_WEBAUTHN_CREDENTIALS - 1)); |
||||
|
assert!(passkey_count_limit_reached(MAX_WEBAUTHN_CREDENTIALS)); |
||||
|
assert!(passkey_count_limit_reached(MAX_WEBAUTHN_CREDENTIALS + 1)); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn registration_challenge_accepts_wrapped_state_with_matching_token() { |
||||
|
let saved = WebAuthnPasskeyRegistrationChallenge { |
||||
|
token: String::from("token"), |
||||
|
created_at: Utc::now().timestamp(), |
||||
|
user_security_stamp: String::from("stamp"), |
||||
|
state: registration_state(), |
||||
|
}; |
||||
|
let data = serde_json::to_string(&saved).unwrap(); |
||||
|
|
||||
|
assert!(passkey_registration_challenge_state(&data, Some("token"), "stamp").is_ok()); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn registration_challenge_rejects_wrapped_state_without_matching_token() { |
||||
|
let saved = WebAuthnPasskeyRegistrationChallenge { |
||||
|
token: String::from("token"), |
||||
|
created_at: Utc::now().timestamp(), |
||||
|
user_security_stamp: String::from("stamp"), |
||||
|
state: registration_state(), |
||||
|
}; |
||||
|
let data = serde_json::to_string(&saved).unwrap(); |
||||
|
|
||||
|
assert!(passkey_registration_challenge_state(&data, Some("wrong"), "stamp").is_err()); |
||||
|
assert!(passkey_registration_challenge_state(&data, None, "stamp").is_err()); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn registration_challenge_rejects_expired_state() { |
||||
|
let saved = WebAuthnPasskeyRegistrationChallenge { |
||||
|
token: String::from("token"), |
||||
|
created_at: Utc::now().timestamp() - WEBAUTHN_PASSKEY_CHALLENGE_TTL_SECONDS - 1, |
||||
|
user_security_stamp: String::from("stamp"), |
||||
|
state: registration_state(), |
||||
|
}; |
||||
|
let data = serde_json::to_string(&saved).unwrap(); |
||||
|
|
||||
|
assert!(passkey_registration_challenge_state(&data, Some("token"), "stamp").is_err()); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn registration_challenge_rejects_stale_account_revision() { |
||||
|
let saved = WebAuthnPasskeyRegistrationChallenge { |
||||
|
token: String::from("token"), |
||||
|
created_at: Utc::now().timestamp(), |
||||
|
user_security_stamp: String::from("old-stamp"), |
||||
|
state: registration_state(), |
||||
|
}; |
||||
|
let data = serde_json::to_string(&saved).unwrap(); |
||||
|
|
||||
|
assert!(passkey_registration_challenge_state(&data, Some("token"), "new-stamp").is_err()); |
||||
|
} |
||||
|
|
||||
|
/// `passkey_registration_challenge_state` has no legacy unwrapped fallback —
|
||||
|
/// the only writer is the attestation-options endpoint, and it always
|
||||
|
/// persists the `{token, state}` wrapper. A bare `PasskeyRegistration`
|
||||
|
/// blob in `twofactor.data` (corrupted row, hand-crafted attack) must
|
||||
|
/// be rejected regardless of whether a token is sent — accepting it
|
||||
|
/// without a token would let an attacker bypass the token-binding
|
||||
|
/// check by writing the wrong shape.
|
||||
|
#[test] |
||||
|
fn registration_challenge_rejects_unwrapped_legacy_state() { |
||||
|
let data = serde_json::to_string(®istration_state()).unwrap(); |
||||
|
|
||||
|
assert!(passkey_registration_challenge_state(&data, None, "stamp").is_err()); |
||||
|
assert!(passkey_registration_challenge_state(&data, Some("any-token"), "stamp").is_err()); |
||||
|
assert!(passkey_registration_challenge_state(&data, Some(""), "stamp").is_err()); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn assertion_challenge_rejects_mismatched_token() { |
||||
|
let (_response, state) = webauthn().start_passkey_authentication(&[passkey()]).unwrap(); |
||||
|
let saved = WebAuthnPasskeyAssertionChallenge { |
||||
|
token: String::from("token"), |
||||
|
created_at: Utc::now().timestamp(), |
||||
|
user_security_stamp: String::from("stamp"), |
||||
|
state, |
||||
|
}; |
||||
|
let data = serde_json::to_string(&saved).unwrap(); |
||||
|
|
||||
|
assert!(passkey_assertion_challenge_state(&data, "token", "stamp").is_ok()); |
||||
|
assert!(passkey_assertion_challenge_state(&data, "wrong", "stamp").is_err()); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn assertion_challenge_rejects_expired_state() { |
||||
|
let (_response, state) = webauthn().start_passkey_authentication(&[passkey()]).unwrap(); |
||||
|
let saved = WebAuthnPasskeyAssertionChallenge { |
||||
|
token: String::from("token"), |
||||
|
created_at: Utc::now().timestamp() - WEBAUTHN_PASSKEY_CHALLENGE_TTL_SECONDS - 1, |
||||
|
user_security_stamp: String::from("stamp"), |
||||
|
state, |
||||
|
}; |
||||
|
let data = serde_json::to_string(&saved).unwrap(); |
||||
|
|
||||
|
assert!(passkey_assertion_challenge_state(&data, "token", "stamp").is_err()); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn assertion_challenge_rejects_stale_account_revision() { |
||||
|
let (_response, state) = webauthn().start_passkey_authentication(&[passkey()]).unwrap(); |
||||
|
let saved = WebAuthnPasskeyAssertionChallenge { |
||||
|
token: String::from("token"), |
||||
|
created_at: Utc::now().timestamp(), |
||||
|
user_security_stamp: String::from("old-stamp"), |
||||
|
state, |
||||
|
}; |
||||
|
let data = serde_json::to_string(&saved).unwrap(); |
||||
|
|
||||
|
assert!(passkey_assertion_challenge_state(&data, "token", "new-stamp").is_err()); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_credential_id_hash_uses_raw_credential_id_bytes() { |
||||
|
assert_eq!( |
||||
|
passkey_credential_id_hash(passkey().cred_id().as_slice()), |
||||
|
"9f64a747e1b97f131fabb6b447296c9b6f0201e79fb3c5356e6c77e89b6a806a" |
||||
|
); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_credential_id_hash_is_deterministic() { |
||||
|
let cred_id: &[u8] = &[10, 20, 30, 40, 50]; |
||||
|
assert_eq!(passkey_credential_id_hash(cred_id), passkey_credential_id_hash(cred_id)); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_credential_id_hash_distinguishes_different_credentials() { |
||||
|
let a = passkey_credential_id_hash(&[1, 2, 3, 4]); |
||||
|
let b = passkey_credential_id_hash(&[4, 3, 2, 1]); |
||||
|
let c = passkey_credential_id_hash(&[1, 2, 3]); |
||||
|
assert_ne!(a, b, "different bytes must produce different hashes"); |
||||
|
assert_ne!(a, c, "different lengths must produce different hashes"); |
||||
|
assert_ne!(b, c); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_management_challenge_freshness_allows_current_window() { |
||||
|
let now = Utc::now().timestamp(); |
||||
|
|
||||
|
assert!(passkey_management_challenge_is_fresh(now)); |
||||
|
assert!(passkey_management_challenge_is_fresh(now - WEBAUTHN_PASSKEY_CHALLENGE_TTL_SECONDS + 5)); |
||||
|
assert!(passkey_management_challenge_is_fresh(now + WEBAUTHN_PASSKEY_CHALLENGE_CLOCK_SKEW_SECONDS - 5)); |
||||
|
} |
||||
|
|
||||
|
#[test] |
||||
|
fn passkey_management_challenge_freshness_rejects_old_or_far_future_rows() { |
||||
|
let now = Utc::now().timestamp(); |
||||
|
|
||||
|
assert!(!passkey_management_challenge_is_fresh(now - WEBAUTHN_PASSKEY_CHALLENGE_TTL_SECONDS - 1)); |
||||
|
assert!(!passkey_management_challenge_is_fresh(now + WEBAUTHN_PASSKEY_CHALLENGE_CLOCK_SKEW_SECONDS + 1)); |
||||
|
} |
||||
|
|
||||
|
/// Exact-boundary coverage. The production wrapper reads `Utc::now()`
|
||||
|
/// inside the function, so a test against `now - TTL` would race the
|
||||
|
/// internal clock read and assert FALSE for the row that should be
|
||||
|
/// inclusive. `_is_fresh_at` takes `now` as a parameter so the inclusive
|
||||
|
/// `>=` / `<=` boundaries are exercised deterministically.
|
||||
|
#[test] |
||||
|
fn passkey_management_challenge_freshness_inclusive_at_both_boundaries() { |
||||
|
let now = Utc::now().timestamp(); |
||||
|
|
||||
|
assert!( |
||||
|
passkey_management_challenge_is_fresh_at(now - WEBAUTHN_PASSKEY_CHALLENGE_TTL_SECONDS, now), |
||||
|
"created_at exactly TTL old must remain fresh (`>=` is inclusive)" |
||||
|
); |
||||
|
assert!( |
||||
|
passkey_management_challenge_is_fresh_at(now + WEBAUTHN_PASSKEY_CHALLENGE_CLOCK_SKEW_SECONDS, now), |
||||
|
"created_at exactly skew seconds ahead must remain fresh (`<=` is inclusive)" |
||||
|
); |
||||
|
assert!( |
||||
|
!passkey_management_challenge_is_fresh_at(now - WEBAUTHN_PASSKEY_CHALLENGE_TTL_SECONDS - 1, now), |
||||
|
"one second past TTL must reject" |
||||
|
); |
||||
|
assert!( |
||||
|
!passkey_management_challenge_is_fresh_at(now + WEBAUTHN_PASSKEY_CHALLENGE_CLOCK_SKEW_SECONDS + 1, now), |
||||
|
"one second past skew must reject" |
||||
|
); |
||||
|
} |
||||
|
|
||||
|
/// `passkey_assertion_challenge_state` has no legacy unwrapped fallback —
|
||||
|
/// the assertion-options endpoint was introduced together with the
|
||||
|
/// wrapping struct, so any persisted state must carry the binding token.
|
||||
|
#[test] |
||||
|
fn assertion_challenge_rejects_unwrapped_legacy_state() { |
||||
|
let (_response, state) = webauthn().start_passkey_authentication(&[passkey()]).unwrap(); |
||||
|
let bare = serde_json::to_string(&state).unwrap(); |
||||
|
|
||||
|
assert!(passkey_assertion_challenge_state(&bare, "any-token", "stamp").is_err()); |
||||
|
assert!(passkey_assertion_challenge_state(&bare, "", "stamp").is_err()); |
||||
|
} |
||||
|
} |
||||
Loading…
Reference in new issue