UNPKG

@simplewebauthn/server

Version:

SimpleWebAuthn for Servers

github.com/MasterKale/SimpleWebAuthn/tree/master/packages/server

MasterKale/SimpleWebAuthn

212 lines (211 loc) 9.96 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
import { decodeAttestationObject, } from '../helpers/decodeAttestationObject.js'; import { decodeClientDataJSON } from '../helpers/decodeClientDataJSON.js'; import { parseAuthenticatorData } from '../helpers/parseAuthenticatorData.js'; import { toHash } from '../helpers/toHash.js'; import { decodeCredentialPublicKey } from '../helpers/decodeCredentialPublicKey.js'; import { COSEKEYS } from '../helpers/cose.js'; import { convertAAGUIDToString } from '../helpers/convertAAGUIDToString.js'; import { parseBackupFlags } from '../helpers/parseBackupFlags.js'; import { matchExpectedRPID } from '../helpers/matchExpectedRPID.js'; import { isoBase64URL } from '../helpers/iso/index.js'; import { SettingsService } from '../services/settingsService.js'; import { supportedCOSEAlgorithmIdentifiers } from './generateRegistrationOptions.js'; import { verifyAttestationFIDOU2F } from './verifications/verifyAttestationFIDOU2F.js'; import { verifyAttestationPacked } from './verifications/verifyAttestationPacked.js'; import { verifyAttestationAndroidSafetyNet } from './verifications/verifyAttestationAndroidSafetyNet.js'; import { verifyAttestationTPM } from './verifications/tpm/verifyAttestationTPM.js'; import { verifyAttestationAndroidKey } from './verifications/verifyAttestationAndroidKey.js'; import { verifyAttestationApple } from './verifications/verifyAttestationApple.js'; /** * Verify that the user has legitimately completed the registration process * * **Options:** * * @param response - Response returned by **@simplewebauthn/browser**'s `startAuthentication()` * @param expectedChallenge - The base64url-encoded `options.challenge` returned by `generateRegistrationOptions()` * @param expectedOrigin - Website URL (or array of URLs) that the registration should have occurred on * @param expectedRPID - RP ID (or array of IDs) that was specified in the registration options * @param expectedType **(Optional)** - The response type expected ('webauthn.create') * @param requireUserPresence **(Optional)** - Enforce user presence by the authenticator (or skip it during auto registration) Defaults to `true` * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true` * @param supportedAlgorithmIDs **(Optional)** - Array of numeric COSE algorithm identifiers supported for attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms. Defaults to all supported algorithm IDs */ export async function verifyRegistrationResponse(options) { const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, requireUserPresence = true, requireUserVerification = true, supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers, } = options; const { id, rawId, type: credentialType, response: attestationResponse } = response; // Ensure credential specified an ID if (!id) { throw new Error('Missing credential ID'); } // Ensure ID is base64url-encoded if (id !== rawId) { throw new Error('Credential ID was not base64url-encoded'); } // Make sure credential type is public-key if (credentialType !== 'public-key') { throw new Error(`Unexpected credential type ${credentialType}, expected "public-key"`); } const clientDataJSON = decodeClientDataJSON(attestationResponse.clientDataJSON); const { type, origin, challenge, tokenBinding } = clientDataJSON; // Make sure we're handling an registration if (Array.isArray(expectedType)) { if (!expectedType.includes(type)) { const joinedExpectedType = expectedType.join(', '); throw new Error(`Unexpected registration response type "${type}", expected one of: ${joinedExpectedType}`); } } else if (expectedType) { if (type !== expectedType) { throw new Error(`Unexpected registration response type "${type}", expected "${expectedType}"`); } } else if (type !== 'webauthn.create') { throw new Error(`Unexpected registration response type: ${type}`); } // Ensure the device provided the challenge we gave it if (typeof expectedChallenge === 'function') { if (!(await expectedChallenge(challenge))) { throw new Error(`Custom challenge verifier returned false for registration response challenge "${challenge}"`); } } else if (challenge !== expectedChallenge) { throw new Error(`Unexpected registration response challenge "${challenge}", expected "${expectedChallenge}"`); } // Check that the origin is our site if (Array.isArray(expectedOrigin)) { if (!expectedOrigin.includes(origin)) { throw new Error(`Unexpected registration response origin "${origin}", expected one of: ${expectedOrigin.join(', ')}`); } } else { if (origin !== expectedOrigin) { throw new Error(`Unexpected registration response origin "${origin}", expected "${expectedOrigin}"`); } } if (tokenBinding) { if (typeof tokenBinding !== 'object') { throw new Error(`Unexpected value for TokenBinding "${tokenBinding}"`); } if (['present', 'supported', 'not-supported'].indexOf(tokenBinding.status) < 0) { throw new Error(`Unexpected tokenBinding.status value of "${tokenBinding.status}"`); } } const attestationObject = isoBase64URL.toBuffer(attestationResponse.attestationObject); const decodedAttestationObject = decodeAttestationObject(attestationObject); const fmt = decodedAttestationObject.get('fmt'); const authData = decodedAttestationObject.get('authData'); const attStmt = decodedAttestationObject.get('attStmt'); const parsedAuthData = parseAuthenticatorData(authData); const { aaguid, rpIdHash, flags, credentialID, counter, credentialPublicKey, extensionsData, } = parsedAuthData; // Make sure the response's RP ID is ours let matchedRPID; if (expectedRPID) { let expectedRPIDs = []; if (typeof expectedRPID === 'string') { expectedRPIDs = [expectedRPID]; } else { expectedRPIDs = expectedRPID; } matchedRPID = await matchExpectedRPID(rpIdHash, expectedRPIDs); } // Make sure someone was physically present if (requireUserPresence && !flags.up) { throw new Error('User presence was required, but user was not present'); } // Enforce user verification if specified if (requireUserVerification && !flags.uv) { throw new Error('User verification was required, but user could not be verified'); } if (!credentialID) { throw new Error('No credential ID was provided by authenticator'); } if (!credentialPublicKey) { throw new Error('No public key was provided by authenticator'); } if (!aaguid) { throw new Error('No AAGUID was present during registration'); } const decodedPublicKey = decodeCredentialPublicKey(credentialPublicKey); const alg = decodedPublicKey.get(COSEKEYS.alg); if (typeof alg !== 'number') { throw new Error('Credential public key was missing numeric alg'); } // Make sure the key algorithm is one we specified within the registration options if (!supportedAlgorithmIDs.includes(alg)) { const supported = supportedAlgorithmIDs.join(', '); throw new Error(`Unexpected public key alg "${alg}", expected one of "${supported}"`); } const clientDataHash = await toHash(isoBase64URL.toBuffer(attestationResponse.clientDataJSON)); const rootCertificates = SettingsService.getRootCertificates({ identifier: fmt, }); // Prepare arguments to pass to the relevant verification method const verifierOpts = { aaguid, attStmt, authData, clientDataHash, credentialID, credentialPublicKey, rootCertificates, rpIdHash, }; /** * Verification can only be performed when attestation = 'direct' */ let verified = false; if (fmt === 'fido-u2f') { verified = await verifyAttestationFIDOU2F(verifierOpts); } else if (fmt === 'packed') { verified = await verifyAttestationPacked(verifierOpts); } else if (fmt === 'android-safetynet') { verified = await verifyAttestationAndroidSafetyNet(verifierOpts); } else if (fmt === 'android-key') { verified = await verifyAttestationAndroidKey(verifierOpts); } else if (fmt === 'tpm') { verified = await verifyAttestationTPM(verifierOpts); } else if (fmt === 'apple') { verified = await verifyAttestationApple(verifierOpts); } else if (fmt === 'none') { if (attStmt.size > 0) { throw new Error('None attestation had unexpected attestation statement'); } // This is the weaker of the attestations, so there's nothing else to really check verified = true; } else { throw new Error(`Unsupported Attestation Format: ${fmt}`); } const toReturn = { verified, }; if (toReturn.verified) { const { credentialDeviceType, credentialBackedUp } = parseBackupFlags(flags); toReturn.registrationInfo = { fmt, aaguid: convertAAGUIDToString(aaguid), credentialType, credential: { id: isoBase64URL.fromBuffer(credentialID), publicKey: credentialPublicKey, counter, transports: response.response.transports, }, attestationObject, userVerified: flags.uv, credentialDeviceType, credentialBackedUp, origin: clientDataJSON.origin, rpID: matchedRPID, authenticatorExtensionResults: extensionsData, }; } return toReturn; }