WIP: first attempt to test webauthn
rdubigny committed Sep 23, 2024
1 parent be6e3fd commit bf49f89
Showing 4 changed files with 114 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/end-to-end.yml
Expand Up @@ -51,6 +51,7 @@ jobs:
- signin_with_email_verification_renewal
- signin_with_magic_link
- signin_with_totp
- signin_with_webauthn
- signup_entreprise_unipersonnelle
- update_personal_information
- update_totp_application
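--- a/cypress/e2e/signin_with_webauthn/env.conf
+++ b/cypress/e2e/signin_with_webauthn/env.conf
@@ -0,0 +1,2 @@
+DO_NOT_AUTHENTICATE_BROWSER=False
+DO_NOT_SEND_MAIL=True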
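--- a/cypress/e2e/signin_with_webauthn/fixtures.sql
+++ b/cypress/e2e/signin_with_webauthn/fixtures.sql
@@ -0,0 +1,45 @@
+INSERT INTO users
+(id, email, email_verified, email_verified_at, encrypted_password, created_at, updated_at,
+given_name, family_name, phone_number, job)
+VALUES
+(1, '[email protected]', true, CURRENT_TIMESTAMP,
+'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
+'Jean', 'Jean', '0123456789', 'Sbire');
+
+INSERT INTO organizations
+(id, siret, verified_email_domains, authorized_email_domains, created_at, updated_at)
+VALUES
+(1, '21340126800130', '{}', '{}', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP);
+
+INSERT INTO users_organizations
+(user_id, organization_id, is_external, verification_type, authentication_by_peers_type, has_been_greeted)
+VALUES
+(1, 1, false, 'verified_email_domain', 'all_members_notified', true);
+
+INSERT INTO oidc_clients
+(client_name, client_id, client_secret, redirect_uris,
+post_logout_redirect_uris, scope, client_uri, client_description,
+userinfo_signed_response_alg, id_token_signed_response_alg,
+authorization_signed_response_alg, introspection_signed_response_alg)
+VALUES
+('AgentConnect',
+'agentconnect_client_id',
+'agentconnect_client_secret',
+ARRAY [
+'http://localhost:4001/login-callback'
+],
+ARRAY []::varchar[],
+'openid uid given_name usual_name email phone siret',
+'http://localhost:4001/',
+'Dispositif d’identification des agents de la fonction publique.',
+'ES256', 'ES256', 'ES256', 'ES256');
+
+INSERT INTO authenticators
+(credential_id, credential_public_key, counter, credential_device_type, credential_backed_up,
+transports, user_id, display_name, created_at, last_used_at, usage_count, user_verified)
+VALUES
+('Bdf73ipOxFEpTjCr4FqGYnLsWAKU/s6eLh2a32GihKo=',
+'\xa401010327200621582015a9f4727d84c47413e94c4b5109aee81a0ec9d1e610ff5d522eb9f8e2af927a',
+-- '\x3059301306072a8648ce3d020106082a8648ce3d0301070342000495886e1804854510af5d8cb4943c0caa1ae25eef46226258e9175eb461783e000f67da1363dab497ea492d7fd5ffd855f5d34158d02c89999dce353dcd1b1dcd',
+-- '\xa50102032620012158203644bd38776918bb7d83059369ddbb634bd207df223153674c20994f91ca97bf2258203d6bd21d1da555db3eb6590a34e003642c9602670203d451b2adb9302ab1325a',
+0, 'singleDevice', false, ARRAY ['internal'], 1, null, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 1, true);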
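Review bot: The two commented-out keys following the live `credential_public_key` value in the `authenticators` insert are leftover experiments and should be dropped rather than committed, because a later reader cannot tell which encoding the column expects. The live value decodes as a CBOR COSE_Key (map header `a4`, `kty` 1/OKP, `alg` -8/EdDSA, `crv` 6/Ed25519, 32-byte `x`), which is consistent with the Ed25519 PKCS#8 private key loaded into the virtual authenticator in index.cy.js; whether the two halves really form one key pair cannot be checked from the fixture alone. Replace the two commented lines with a comment such as `-- COSE_Key (CBOR, hex): kty=OKP, alg=EdDSA, crv=Ed25519; public half of the virtual-authenticator key in index.cy.js`. A short comment on the `counter` value noting that it starts at 0 to line up with the authenticator's `signCount: 0` would also help the next person who touches either file.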
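--- a/cypress/e2e/signin_with_webauthn/index.cy.js
+++ b/cypress/e2e/signin_with_webauthn/index.cy.js
@@ -0,0 +1,66 @@
+// Passkey crypto elements where generated with Webauthn Chrome dev tools.
+// We create a virtual authenticator with these tools.
+// We used it on a local instance of MonComptePro.
+// We exported the private key from the dev tools.
+// We exported the record of the authenticator from MonComptePro local database.
+
+describe("sign-in with webauthn on untrusted browser", () => {
+before(async () => {
+await Cypress.automation("remote:debugger:protocol", {
+command: "WebAuthn.enable",
+});
+});
+
+it("should sign-in with webauthn", function () {
+Cypress.automation("remote:debugger:protocol", {
+command: "WebAuthn.addVirtualAuthenticator",
+params: {
+options: {
+protocol: "ctap2",
+transport: "internal",
+hasResidentKey: true,
+hasUserVerification: true,
+isUserVerified: true,
+},
+},
+}).then(({ authenticatorId }) => {
+Cypress.automation("remote:debugger:protocol", {
+command: "WebAuthn.addCredential",
+params: {
+authenticatorId,
+credential: {
+credentialId: "Bdf73ipOxFEpTjCr4FqGYnLsWAKU/s6eLh2a32GihKo=",
+isResidentCredential: true,
+userHandle: "MQ==", // [email protected]
+rpId: "localhost",
+privateKey:
+"MC4CAQAwBQYDK2VwBCIEIC5SpNCKBGOjrii3D7Ao5tsyPCiNdUHdZt78j6z2xQlR",
+signCount: 0,
+},
+},
+});
+});
+
+cy.visit(`http://localhost:4001`);
+cy.get("button.moncomptepro-button").click();
+cy.get('[href="/users/sign-in-with-passkey"]')
+.contains("Se connecter avec une clé d’accès")
+.click();
+
+cy.contains("Se connecter avec une clé d’accèss");
+
+cy.get("#webauthn-btn-begin-authentication").contains("Continuer").click();
+// This error is thrown here:
+// The 'publickey-credentials-get' feature is not enabled in this document.
+// See https://github.com/cypress-io/cypress/issues/6991#issuecomment-2168311131
+
+cy.contains('"amr": [\n "pop",\n "mfa"\n ],');
+});
+});
+
+// TODO test the amr result in the following cases
+// TODO login with webauthn and userVerified=true
+// TODO unable to login with webauthn and userVerified=false
+// TODO login with password + webauthn and userVerified=false
+// TODO login with password + webauthn and userVerified=true
+// TODO a second factor should not trigger email verification for untrusted browser reason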
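Review bot: The `Cypress.automation(...).then(...)` chain that registers the virtual authenticator (from the `WebAuthn.addVirtualAuthenticator` call through the `WebAuthn.addCredential` call) is neither returned nor wrapped in a Cypress command, so nothing orders it before `cy.visit`, and the inner `Cypress.automation` promise is dropped inside the `.then` callback; in practice the promises probably settle before the command queue starts, but the test does not guarantee it. Changing the outer call to `cy.wrap(Cypress.automation("remote:debugger:protocol", {` and the inner one to `return Cypress.automation("remote:debugger:protocol", {` puts the whole registration in the command queue ahead of the visit. The comment after the `#webauthn-btn-begin-authentication` click says that click throws because `publickey-credentials-get` is not enabled in the document, yet the workflow change in this same commit adds `signin_with_webauthn` to the e2e matrix, so that job will fail until the linked Cypress issue is resolved; consider `it.skip` with the issue link as the reason, or leave the spec out of the matrix for now. The second heading check, `cy.contains("Se connecter avec une clé d’accèss")`, spells the word with a double s while the link text a few lines above uses `accès`; unless that deliberately matches the page text, the assertion will never be satisfied.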
