Merge pull request #22 from bitwarden/PM-8752-CONTRIB-PM-7145-stop-ha…

…rdcoding-uv-values-sent-to-authenticator Stop hardcoding uv values sent to authenticator
1Password · Jun 11, 2024 · 8e5467b · 8e5467b
2 parents 1ae384f + 64afac7
commit 8e5467b
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 3 deletions.
diff --git a/passkey-client/src/lib.rs b/passkey-client/src/lib.rs
@@ -21,8 +21,11 @@ use coset::{iana::EnumI64, Algorithm};
 use passkey_authenticator::{Authenticator, CredentialStore, UserValidationMethod};
 use passkey_types::{
     crypto::sha256,
-    ctap2, encoding, webauthn,
-    webauthn::{AuthenticatorExtensionsClientOutputs, CredentialPropertiesOutput},
+    ctap2, encoding,
+    webauthn::{
+        self, AuthenticatorExtensionsClientOutputs, CredentialPropertiesOutput,
+        UserVerificationRequirement,
+    },
     Passkey,
 };
 use typeshare::typeshare;
@@ -209,6 +212,9 @@ where
                 None
             };
 
+        let uv = request.authenticator_selection.map(|s| s.user_verification)
+            != Some(UserVerificationRequirement::Discouraged);
+
         let ctap2_response = self
             .authenticator
             .make_credential(ctap2::make_credential::Request {
@@ -224,7 +230,7 @@ where
                 options: ctap2::make_credential::Options {
                     rk: true,
                     up: true,
-                    uv: true,
+                    uv,
                 },
                 pin_auth: None,
                 pin_protocol: None,

diff --git a/passkey-client/src/tests/mod.rs b/passkey-client/src/tests/mod.rs
@@ -287,3 +287,86 @@ fn validate_domain_with_private_list_provider() -> Result<(), ParseError> {
 
     Ok(())
 }
+
+fn user_mock_with_uv() -> MockUserValidationMethod {
+    let mut user_mock = MockUserValidationMethod::new();
+    user_mock
+        .expect_is_verification_enabled()
+        .returning(|| Some(true));
+    user_mock
+        .expect_check_user_verification()
+        .returning(|| Box::pin(async { true }));
+    // Always called by `get_info`
+    user_mock
+        .expect_is_verification_enabled()
+        .returning(|| Some(true));
+    user_mock.expect_is_presence_enabled().returning(|| true);
+    user_mock
+}
+
+fn user_mock_without_uv() -> MockUserValidationMethod {
+    let mut user_mock = MockUserValidationMethod::new();
+    user_mock
+        .expect_check_user_presence()
+        .returning(|| Box::pin(async { true }));
+    // Always called by `get_info`
+    user_mock
+        .expect_is_verification_enabled()
+        .returning(|| Some(true));
+    user_mock.expect_is_presence_enabled().returning(|| true);
+    user_mock
+}
+
+#[tokio::test]
+async fn client_register_triggers_uv_when_uv_is_required() {
+    // Arrange
+    let auth = Authenticator::new(
+        ctap2::Aaguid::new_empty(),
+        MemoryStore::new(),
+        user_mock_with_uv(),
+    );
+    let mut client = Client::new(auth);
+    let origin = Url::parse("https://future.1password.com").unwrap();
+    let mut options = webauthn::CredentialCreationOptions {
+        public_key: good_credential_creation_options(),
+    };
+    options.public_key.authenticator_selection = Some(webauthn::AuthenticatorSelectionCriteria {
+        user_verification: UserVerificationRequirement::Required,
+        authenticator_attachment: Default::default(),
+        resident_key: Default::default(),
+        require_resident_key: Default::default(),
+    });
+
+    // Act & Assert
+    client
+        .register(&origin, options, None)
+        .await
+        .expect("failed to register with options");
+}
+
+#[tokio::test]
+async fn client_register_does_not_trigger_uv_when_uv_is_discouraged() {
+    // Arrange
+    let auth = Authenticator::new(
+        ctap2::Aaguid::new_empty(),
+        MemoryStore::new(),
+        user_mock_without_uv(),
+    );
+    let mut client = Client::new(auth);
+    let origin = Url::parse("https://future.1password.com").unwrap();
+    let mut options = webauthn::CredentialCreationOptions {
+        public_key: good_credential_creation_options(),
+    };
+    options.public_key.authenticator_selection = Some(webauthn::AuthenticatorSelectionCriteria {
+        user_verification: UserVerificationRequirement::Discouraged,
+        authenticator_attachment: Default::default(),
+        resident_key: Default::default(),
+        require_resident_key: Default::default(),
+    });
+
+    // Act & Assert
+    client
+        .register(&origin, options, None)
+        .await
+        .expect("failed to register with options");
+}