-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
114 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
DO_NOT_AUTHENTICATE_BROWSER=False | ||
DO_NOT_SEND_MAIL=True |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
INSERT INTO users | ||
(id, email, email_verified, email_verified_at, encrypted_password, created_at, updated_at, | ||
given_name, family_name, phone_number, job) | ||
VALUES | ||
(1, '[email protected]', true, CURRENT_TIMESTAMP, | ||
'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, | ||
'Jean', 'Jean', '0123456789', 'Sbire'); | ||
|
||
INSERT INTO organizations | ||
(id, siret, verified_email_domains, authorized_email_domains, created_at, updated_at) | ||
VALUES | ||
(1, '21340126800130', '{}', '{}', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP); | ||
|
||
INSERT INTO users_organizations | ||
(user_id, organization_id, is_external, verification_type, authentication_by_peers_type, has_been_greeted) | ||
VALUES | ||
(1, 1, false, 'verified_email_domain', 'all_members_notified', true); | ||
|
||
INSERT INTO oidc_clients | ||
(client_name, client_id, client_secret, redirect_uris, | ||
post_logout_redirect_uris, scope, client_uri, client_description, | ||
userinfo_signed_response_alg, id_token_signed_response_alg, | ||
authorization_signed_response_alg, introspection_signed_response_alg) | ||
VALUES | ||
('AgentConnect', | ||
'agentconnect_client_id', | ||
'agentconnect_client_secret', | ||
ARRAY [ | ||
'http://localhost:4001/login-callback' | ||
], | ||
ARRAY []::varchar[], | ||
'openid uid given_name usual_name email phone siret', | ||
'http://localhost:4001/', | ||
'Dispositif d’identification des agents de la fonction publique.', | ||
'ES256', 'ES256', 'ES256', 'ES256'); | ||
|
||
INSERT INTO authenticators | ||
(credential_id, credential_public_key, counter, credential_device_type, credential_backed_up, | ||
transports, user_id, display_name, created_at, last_used_at, usage_count, user_verified) | ||
VALUES | ||
('Bdf73ipOxFEpTjCr4FqGYnLsWAKU/s6eLh2a32GihKo=', | ||
'\xa401010327200621582015a9f4727d84c47413e94c4b5109aee81a0ec9d1e610ff5d522eb9f8e2af927a', | ||
-- '\x3059301306072a8648ce3d020106082a8648ce3d0301070342000495886e1804854510af5d8cb4943c0caa1ae25eef46226258e9175eb461783e000f67da1363dab497ea492d7fd5ffd855f5d34158d02c89999dce353dcd1b1dcd', | ||
-- '\xa50102032620012158203644bd38776918bb7d83059369ddbb634bd207df223153674c20994f91ca97bf2258203d6bd21d1da555db3eb6590a34e003642c9602670203d451b2adb9302ab1325a', | ||
0, 'singleDevice', false, ARRAY ['internal'], 1, null, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 1, true); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
// Passkey crypto elements where generated with Webauthn Chrome dev tools. | ||
// We create a virtual authenticator with these tools. | ||
// We used it on a local instance of MonComptePro. | ||
// We exported the private key from the dev tools. | ||
// We exported the record of the authenticator from MonComptePro local database. | ||
|
||
describe("sign-in with webauthn on untrusted browser", () => { | ||
before(async () => { | ||
await Cypress.automation("remote:debugger:protocol", { | ||
command: "WebAuthn.enable", | ||
}); | ||
}); | ||
|
||
it("should sign-in with webauthn", function () { | ||
Cypress.automation("remote:debugger:protocol", { | ||
command: "WebAuthn.addVirtualAuthenticator", | ||
params: { | ||
options: { | ||
protocol: "ctap2", | ||
transport: "internal", | ||
hasResidentKey: true, | ||
hasUserVerification: true, | ||
isUserVerified: true, | ||
}, | ||
}, | ||
}).then(({ authenticatorId }) => { | ||
Cypress.automation("remote:debugger:protocol", { | ||
command: "WebAuthn.addCredential", | ||
params: { | ||
authenticatorId, | ||
credential: { | ||
credentialId: "Bdf73ipOxFEpTjCr4FqGYnLsWAKU/s6eLh2a32GihKo=", | ||
isResidentCredential: true, | ||
userHandle: "MQ==", // [email protected] | ||
rpId: "localhost", | ||
privateKey: | ||
"MC4CAQAwBQYDK2VwBCIEIC5SpNCKBGOjrii3D7Ao5tsyPCiNdUHdZt78j6z2xQlR", | ||
signCount: 0, | ||
}, | ||
}, | ||
}); | ||
}); | ||
|
||
cy.visit(`http://localhost:4001`); | ||
cy.get("button.moncomptepro-button").click(); | ||
cy.get('[href="/users/sign-in-with-passkey"]') | ||
.contains("Se connecter avec une clé d’accès") | ||
.click(); | ||
|
||
cy.contains("Se connecter avec une clé d’accèss"); | ||
|
||
cy.get("#webauthn-btn-begin-authentication").contains("Continuer").click(); | ||
// This error is thrown here: | ||
// The 'publickey-credentials-get' feature is not enabled in this document. | ||
// See https://github.com/cypress-io/cypress/issues/6991#issuecomment-2168311131 | ||
|
||
cy.contains('"amr": [\n "pop",\n "mfa"\n ],'); | ||
}); | ||
}); | ||
|
||
// TODO test the amr result in the following cases | ||
// TODO login with webauthn and userVerified=true | ||
// TODO unable to login with webauthn and userVerified=false | ||
// TODO login with password + webauthn and userVerified=false | ||
// TODO login with password + webauthn and userVerified=true | ||
// TODO a second factor should not trigger email verification for untrusted browser reason |