Merge pull request #20362 from mozilla/FXA-13343.2

fix(passkeys): pass challenge as Buffer to simplewebauthn to fix lookup

Author: dschom

libs/accounts/passkey/src/index.ts

@@ -26,3 +26,4 @@ export * from './lib/passkey.config';
 export * from './lib/passkey.provider';
 export * from './lib/passkey.challenge.manager';
 export * from './lib/webauthn-adapter';
+export * from './lib/virtual-authenticator';

libs/accounts/passkey/src/lib/virtual-authenticator.ts

@@ -0,0 +1,194 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/**
+ * Minimal virtual WebAuthn authenticator for tests.
+ *
+ * Builds cryptographically valid "none"-format attestation and signed
+ * assertion responses so that tests can exercise the real
+ * @simplewebauthn/server library without a browser.
+ */
+
+import {
+  createHash,
+  createSign,
+  generateKeyPairSync,
+  randomBytes,
+  type KeyObject,
+} from 'crypto';
+import type {
+  RegistrationResponseJSON,
+  AuthenticationResponseJSON,
+} from '@simplewebauthn/server';
+
+// ---------------------------------------------------------------------------
+// Minimal CBOR encoder – just enough for attestationObject + COSE keys
+// ---------------------------------------------------------------------------
+
+function cborEncodeLength(majorType: number, length: number): Buffer {
+  const major = majorType << 5;
+  if (length < 24) return Buffer.from([major | length]);
+  if (length < 256) return Buffer.from([major | 24, length]);
+  if (length < 65536) {
+    const buf = Buffer.alloc(3);
+    buf[0] = major | 25;
+    buf.writeUInt16BE(length, 1);
+    return buf;
+  }
+  throw new Error('CBOR length > 65535 not supported');
+}
+
+function cborEncodeValue(value: unknown): Buffer {
+  if (typeof value === 'number' && Number.isInteger(value)) {
+    if (value >= 0) return cborEncodeLength(0, value);
+    return cborEncodeLength(1, -1 - value);
+  }
+  if (typeof value === 'string') {
+    const strBuf = Buffer.from(value, 'utf8');
+    return Buffer.concat([cborEncodeLength(3, strBuf.length), strBuf]);
+  }
+  if (Buffer.isBuffer(value) || value instanceof Uint8Array) {
+    const bytes = Buffer.from(value);
+    return Buffer.concat([cborEncodeLength(2, bytes.length), bytes]);
+  }
+  if (value instanceof Map) {
+    const header = cborEncodeLength(5, value.size);
+    const entries: Buffer[] = [header];
+    for (const [k, v] of value) {
+      entries.push(cborEncodeValue(k), cborEncodeValue(v));
+    }
+    return Buffer.concat(entries);
+  }
+  throw new Error(`Unsupported CBOR value: ${typeof value}`);
+}
+
+// ---------------------------------------------------------------------------
+// Virtual authenticator
+// ---------------------------------------------------------------------------
+
+export interface VirtualCredential {
+  id: Buffer;
+  privateKey: KeyObject;
+  publicKey: KeyObject;
+  signCount: number;
+}
+
+/**
+ * Test-only virtual WebAuthn authenticator.
+ *
+ * Generates ES256 key pairs and builds cryptographically valid WebAuthn
+ * attestation and assertion responses for use in tests.
+ */
+export class VirtualAuthenticator {
+  /** Create a fresh ES256 credential with a random 32-byte ID. */
+  static createCredential(): VirtualCredential {
+    const { privateKey, publicKey } = generateKeyPairSync('ec', {
+      namedCurve: 'P-256',
+    });
+    return { id: randomBytes(32), privateKey, publicKey, signCount: 0 };
+  }
+
+  /** Build a valid "none"-format attestation response for registration. */
+  static createAttestationResponse(
+    cred: VirtualCredential,
+    input: { challenge: string; origin: string; rpId: string }
+  ): RegistrationResponseJSON {
+    const jwk = cred.publicKey.export({ format: 'jwk' });
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    const x = Buffer.from(jwk.x!, 'base64url');
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    const y = Buffer.from(jwk.y!, 'base64url');
+
+    const coseKey = new Map<number, unknown>([
+      [1, 2], // kty: EC2
+      [3, -7], // alg: ES256
+      [-1, 1], // crv: P-256
+      [-2, x],
+      [-3, y],
+    ]);
+
+    const rpIdHash = createHash('sha256').update(input.rpId).digest();
+    const flags = Buffer.from([0x45]); // UP + UV + AT
+    const signCountBuf = Buffer.alloc(4);
+    const credIdLen = Buffer.alloc(2);
+    credIdLen.writeUInt16BE(cred.id.length, 0);
+
+    const authData = Buffer.concat([
+      rpIdHash,
+      flags,
+      signCountBuf,
+      Buffer.alloc(16), // aaguid (zeros)
+      credIdLen,
+      cred.id,
+      cborEncodeValue(coseKey),
+    ]);
+
+    const attestationObject = cborEncodeValue(
+      new Map<string, unknown>([
+        ['fmt', 'none'],
+        ['attStmt', new Map()],
+        ['authData', authData],
+      ])
+    );
+
+    const clientDataJSON = JSON.stringify({
+      type: 'webauthn.create',
+      challenge: input.challenge,
+      origin: input.origin,
+    });
+
+    return {
+      id: cred.id.toString('base64url'),
+      rawId: cred.id.toString('base64url'),
+      response: {
+        clientDataJSON: Buffer.from(clientDataJSON).toString('base64url'),
+        attestationObject: attestationObject.toString('base64url'),
+        transports: ['internal'],
+      },
+      type: 'public-key',
+      clientExtensionResults: {},
+      authenticatorAttachment: 'platform',
+    };
+  }
+
+  /** Build a valid signed assertion response for authentication. */
+  static createAssertionResponse(
+    cred: VirtualCredential,
+    input: { challenge: string; origin: string; rpId: string }
+  ): AuthenticationResponseJSON {
+    cred.signCount++;
+
+    const rpIdHash = createHash('sha256').update(input.rpId).digest();
+    const flags = Buffer.from([0x05]); // UP + UV
+    const signCountBuf = Buffer.alloc(4);
+    signCountBuf.writeUInt32BE(cred.signCount, 0);
+
+    const authenticatorData = Buffer.concat([rpIdHash, flags, signCountBuf]);
+
+    const clientDataJSON = Buffer.from(
+      JSON.stringify({
+        type: 'webauthn.get',
+        challenge: input.challenge,
+        origin: input.origin,
+      })
+    );
+    const clientDataHash = createHash('sha256').update(clientDataJSON).digest();
+
+    const signature = createSign('SHA256')
+      .update(Buffer.concat([authenticatorData, clientDataHash]))
+      .sign(cred.privateKey);
+
+    return {
+      id: cred.id.toString('base64url'),
+      rawId: cred.id.toString('base64url'),
+      response: {
+        clientDataJSON: clientDataJSON.toString('base64url'),
+        authenticatorData: authenticatorData.toString('base64url'),
+        signature: signature.toString('base64url'),
+      },
+      type: 'public-key',
+      clientExtensionResults: {},
+    };
+  }
+}

libs/accounts/passkey/src/lib/webauthn-adapter.in.spec.ts

@@ -0,0 +1,180 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/**
+ * Integration tests for the webauthn-adapter that exercise the real
+ * @simplewebauthn/server library (no mocking). A minimal virtual
+ * authenticator builds valid "none"-format attestation responses so
+ * we can verify the full challenge roundtrip through generate → verify.
+ */
+
+import { randomBytes } from 'crypto';
+import {
+  generateWebauthnRegistrationOptions,
+  verifyWebauthnRegistrationResponse,
+} from './webauthn-adapter';
+import { PasskeyConfig } from './passkey.config';
+import { VirtualAuthenticator } from './virtual-authenticator';
+
+const TEST_RP_ID = 'accounts.firefox.com';
+const TEST_ORIGIN = 'https://accounts.firefox.com';
+
+function testConfig(): PasskeyConfig {
+  return new PasskeyConfig({
+    enabled: true,
+    rpId: TEST_RP_ID,
+    allowedOrigins: [TEST_ORIGIN],
+    maxPasskeysPerUser: 10,
+    challengeTimeout: 30_000,
+    userVerification: 'required',
+    residentKey: 'required',
+  });
+}
+
+describe('webauthn-adapter (real @simplewebauthn/server)', () => {
+  const config = testConfig();
+
+  describe('challenge roundtrip', () => {
+    it('generateWebauthnRegistrationOptions returns the original base64url challenge unchanged', async () => {
+      const challenge = randomBytes(32).toString('base64url');
+
+      const options = await generateWebauthnRegistrationOptions(config, {
+        uid: Buffer.alloc(16, 0xaa),
+        email: '[email protected]',
+        challenge,
+      });
+
+      expect(options.challenge).toBe(challenge);
+    });
+
+    it('verifyWebauthnRegistrationResponse succeeds when the challenge matches', async () => {
+      const cred = VirtualAuthenticator.createCredential();
+      const challenge = randomBytes(32).toString('base64url');
+
+      const options = await generateWebauthnRegistrationOptions(config, {
+        uid: Buffer.alloc(16, 0xaa),
+        email: '[email protected]',
+        challenge,
+      });
+
+      const response = VirtualAuthenticator.createAttestationResponse(cred, {
+        challenge: options.challenge,
+        origin: TEST_ORIGIN,
+        rpId: TEST_RP_ID,
+      });
+
+      const result = await verifyWebauthnRegistrationResponse(config, {
+        response,
+        challenge,
+      });
+
+      expect(result.verified).toBe(true);
+      if (!result.verified) throw new Error('narrowing');
+      expect(result.data.credentialId).toBeInstanceOf(Buffer);
+      expect(result.data.publicKey).toBeInstanceOf(Buffer);
+      expect(result.data.signCount).toBe(0);
+      expect(result.data.aaguid).toBeInstanceOf(Buffer);
+      expect(result.data.aaguid.length).toBe(16);
+    });
+
+    it('verifyWebauthnRegistrationResponse rejects a mismatched challenge', async () => {
+      const cred = VirtualAuthenticator.createCredential();
+      const realChallenge = randomBytes(32).toString('base64url');
+      const wrongChallenge = randomBytes(32).toString('base64url');
+
+      const options = await generateWebauthnRegistrationOptions(config, {
+        uid: Buffer.alloc(16, 0xaa),
+        email: '[email protected]',
+        challenge: realChallenge,
+      });
+
+      const response = VirtualAuthenticator.createAttestationResponse(cred, {
+        challenge: options.challenge,
+        origin: TEST_ORIGIN,
+        rpId: TEST_RP_ID,
+      });
+
+      // Verify with a different challenge — should fail
+      await expect(
+        verifyWebauthnRegistrationResponse(config, {
+          response,
+          challenge: wrongChallenge,
+        })
+      ).rejects.toThrow();
+    });
+
+    it('verifyWebauthnRegistrationResponse rejects a wrong origin', async () => {
+      const cred = VirtualAuthenticator.createCredential();
+      const challenge = randomBytes(32).toString('base64url');
+
+      const options = await generateWebauthnRegistrationOptions(config, {
+        uid: Buffer.alloc(16, 0xaa),
+        email: '[email protected]',
+        challenge,
+      });
+
+      const response = VirtualAuthenticator.createAttestationResponse(cred, {
+        challenge: options.challenge,
+        origin: 'https://evil.example.com',
+        rpId: TEST_RP_ID,
+      });
+
+      await expect(
+        verifyWebauthnRegistrationResponse(config, { response, challenge })
+      ).rejects.toThrow();
+    });
+
+    it('verifyWebauthnRegistrationResponse rejects a wrong rpId', async () => {
+      const cred = VirtualAuthenticator.createCredential();
+      const challenge = randomBytes(32).toString('base64url');
+
+      const options = await generateWebauthnRegistrationOptions(config, {
+        uid: Buffer.alloc(16, 0xaa),
+        email: '[email protected]',
+        challenge,
+      });
+
+      const response = VirtualAuthenticator.createAttestationResponse(cred, {
+        challenge: options.challenge,
+        origin: TEST_ORIGIN,
+        rpId: 'evil.example.com',
+      });
+
+      await expect(
+        verifyWebauthnRegistrationResponse(config, { response, challenge })
+      ).rejects.toThrow();
+    });
+  });
+
+  describe('credential data extraction', () => {
+    it('extracts transports and backup flags from a verified response', async () => {
+      const cred = VirtualAuthenticator.createCredential();
+      const challenge = randomBytes(32).toString('base64url');
+
+      const options = await generateWebauthnRegistrationOptions(config, {
+        uid: Buffer.alloc(16, 0xaa),
+        email: '[email protected]',
+        challenge,
+      });
+
+      const response = VirtualAuthenticator.createAttestationResponse(cred, {
+        challenge: options.challenge,
+        origin: TEST_ORIGIN,
+        rpId: TEST_RP_ID,
+      });
+
+      const result = await verifyWebauthnRegistrationResponse(config, {
+        response,
+        challenge,
+      });
+
+      expect(result.verified).toBe(true);
+      if (!result.verified) throw new Error('narrowing');
+      expect(result.data.credentialId.equals(cred.id)).toBe(true);
+      expect(result.data.transports).toEqual(['internal']);
+      expect(typeof result.data.backupEligible).toBe('boolean');
+      expect(typeof result.data.backupState).toBe('boolean');
+    });
+  });
+});