feat: Allow specifying allow_credentials for FakeClient#get (#335)

kingjan1999 · web-flow · commit 781f100d6222 · 2021-02-28T16:53:09.000-03:00
* feat: Allow specifying allow_credentials for FakeClient#get

* Improve error message, simplify parameter for allow_credentials

* Fix too long string
diff --git a/lib/webauthn/fake_authenticator.rb b/lib/webauthn/fake_authenticator.rb
@@ -50,12 +50,20 @@ def get_assertion(
       user_verified: false,
       aaguid: AuthenticatorData::AAGUID,
       sign_count: nil,
-      extensions: nil
+      extensions: nil,
+      allow_credentials: nil
     )
       credential_options = credentials[rp_id]
 
       if credential_options
-        credential_id, credential = credential_options.first
+        allow_credentials ||= credential_options.keys
+        credential_id = (credential_options.keys & allow_credentials).first
+        unless credential_id
+          raise "No matching credentials (allowed=#{allow_credentials}) " \
+                "found for RP #{rp_id} among credentials=#{credential_options}"
+        end
+
+        credential = credential_options[credential_id]
         credential_key = credential[:credential_key]
         credential_sign_count = credential[:sign_count]
 
diff --git a/lib/webauthn/fake_client.rb b/lib/webauthn/fake_client.rb
@@ -74,19 +74,25 @@ def get(challenge: fake_challenge,
             user_verified: false,
             sign_count: nil,
             extensions: nil,
-            user_handle: nil)
+            user_handle: nil,
+            allow_credentials: nil)
       rp_id ||= URI.parse(origin).host
 
       client_data_json = data_json_for(:get, encoder.decode(challenge))
       client_data_hash = hashed(client_data_json)
 
+      if allow_credentials
+        allow_credentials = allow_credentials.map { |credential| encoder.decode(credential) }
+      end
+
       assertion = authenticator.get_assertion(
         rp_id: rp_id,
         client_data_hash: client_data_hash,
         user_present: user_present,
         user_verified: user_verified,
         sign_count: sign_count,
-        extensions: extensions
+        extensions: extensions,
+        allow_credentials: allow_credentials
       )
 
       {
diff --git a/spec/webauthn/fake_client_spec.rb b/spec/webauthn/fake_client_spec.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe "FakeClient" do
+  let(:client) { WebAuthn::FakeClient.new }
+
+  context "#get" do
+    let!(:credential_1) { client.create }
+    let!(:credential_2) { client.create }
+
+    it "returns the first matching credential when allow_credentials is nil" do
+      assertion = client.get
+      expect(assertion["id"]).to eq(credential_1["id"])
+    end
+
+    it "returns the matching credential when allow_credentials is passed" do
+      allow_credentials = [credential_2["id"]]
+      assertion = client.get(allow_credentials: allow_credentials)
+      expect(assertion["id"]).to eq(credential_2["id"])
+    end
+
+    it "raises an error when no matching allow_credential can be found" do
+      # base64(abc) is surely not a valid credential id (too short)
+      allow_credentials = ["YWJj"]
+      expect { client.get(allow_credentials: allow_credentials) }.to \
+        raise_error(RuntimeError, /No matching credentials \(allowed=\["abc"\]\) found for RP/)
+    end
+  end
+end
