bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2026-02-12 06:23:38 +00:00
Code Issues Releases Wiki Activity

Merge remote-tracking branch 'origin/anders/exclude-credentials' into autofill/PM-19511-with-exclude

Browse Source
This commit is contained in:
Jeffrey Holland
2025-04-04 20:20:48 +02:00
parent 7996385d5f 0c836e10c8
commit 09610d554f
5 changed files with 83 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
apps/desktop/desktop_native/macos_provider/src/registration.rs
View File

@@ -14,6 +14,7 @@ pub struct PasskeyRegistrationRequest {
user_verification: UserVerification,
supported_algorithms: Vec<i32>,
window_xy: Position,
excluded_credentials: Vec<Vec<u8>>,
}
#[derive(uniffi::Record, Serialize, Deserialize)]

1
apps/desktop/desktop_native/napi/index.d.ts vendored
View File

@@ -130,6 +130,7 @@ export declare namespace autofill {
userVerification: UserVerification
supportedAlgorithms: Array<number>
windowXy: Position
excludedCredentials: Array<Array<number>>
}
export interface PasskeyRegistrationResponse {
rpId: string

1
apps/desktop/desktop_native/napi/src/lib.rs
View File

@@ -534,6 +534,7 @@ pub mod autofill {
pub user_verification: UserVerification,
pub supported_algorithms: Vec<i32>,
pub window_xy: Position,
pub excluded_credentials: Vec<Vec<u8>>,
}
#[napi(object)]

11
apps/desktop/macos/autofill-extension/CredentialProviderViewController.swift
View File

@@ -246,6 +246,14 @@ class CredentialProviderViewController: ASCredentialProviderViewController {
UserVerification.discouraged
}
// Convert excluded credentials to an array of credential IDs
var excludedCredentialIds: [Data] = []
if #available(macOSApplicationExtension 15.0, *) {
if let excludedCreds = request.excludedCredentials {
excludedCredentialIds = excludedCreds.map { $0.credentialID }
}
}
let req = PasskeyRegistrationRequest(
rpId: passkeyIdentity.relyingPartyIdentifier,
userName: passkeyIdentity.userName,
@@ -253,7 +261,8 @@ class CredentialProviderViewController: ASCredentialProviderViewController {
clientDataHash: request.clientDataHash,
userVerification: userVerification,
supportedAlgorithms: request.supportedAlgorithms.map{ Int32($0.rawValue) },
windowXy: self.getWindowPosition()
windowXy: self.getWindowPosition(),
excludedCredentials: excludedCredentialIds
)
logger.log("[autofill-extension] prepareInterface(passkey) calling preparePasskeyRegistration")

137
apps/desktop/src/autofill/services/desktop-autofill.service.ts
View File

@@ -143,7 +143,7 @@ export class DesktopAutofillService implements OnDestroy {
}
listenIpc() {
ipc.autofill.listenPasskeyRegistration((clientId, sequenceNumber, request, callback) => {
ipc.autofill.listenPasskeyRegistration(async (clientId, sequenceNumber, request, callback) => {
this.logService.warning("listenPasskeyRegistration", clientId, sequenceNumber, request);
this.logService.warning(
"listenPasskeyRegistration2",
@@ -151,19 +151,19 @@ export class DesktopAutofillService implements OnDestroy {
);
const controller = new AbortController();
void this.fido2AuthenticatorService
.makeCredential(
try {
const response = await this.fido2AuthenticatorService.makeCredential(
this.convertRegistrationRequest(request),
{ windowXy: request.windowXy },
controller,
)
.then((response) => {
callback(null, this.convertRegistrationResponse(request, response));
})
.catch((error) => {
this.logService.error("listenPasskeyRegistration error", error);
callback(error, null);
});
);
callback(null, this.convertRegistrationResponse(request, response));
} catch (error) {
this.logService.error("listenPasskeyRegistration error", error);
callback(error, null);
}
});
ipc.autofill.listenPasskeyAssertionWithoutUserInterface(
@@ -175,55 +175,56 @@ export class DesktopAutofillService implements OnDestroy {
request,
);
// For some reason the credentialId is passed as an empty array in the request, so we need to
// get it from the cipher. For that we use the recordIdentifier, which is the cipherId.
if (request.recordIdentifier && request.credentialId.length === 0) {
const activeUserId = await firstValueFrom(
this.accountService.activeAccount$.pipe(getOptionalUserId),
);
if (!activeUserId) {
this.logService.error("listenPasskeyAssertion error", "Active user not found");
callback(new Error("Active user not found"), null);
return;
}
const cipher = await this.cipherService.get(request.recordIdentifier, activeUserId);
if (!cipher) {
this.logService.error("listenPasskeyAssertion error", "Cipher not found");
callback(new Error("Cipher not found"), null);
return;
}
const decrypted = await cipher.decrypt(
await this.cipherService.getKeyForCipherKeyDecryption(cipher, activeUserId),
);
const fido2Credential = decrypted.login.fido2Credentials?.[0];
if (!fido2Credential) {
this.logService.error("listenPasskeyAssertion error", "Fido2Credential not found");
callback(new Error("Fido2Credential not found"), null);
return;
}
request.credentialId = Array.from(
parseCredentialId(decrypted.login.fido2Credentials?.[0].credentialId),
);
}
const controller = new AbortController();
void this.fido2AuthenticatorService
.getAssertion(
try {
// For some reason the credentialId is passed as an empty array in the request, so we need to
// get it from the cipher. For that we use the recordIdentifier, which is the cipherId.
if (request.recordIdentifier && request.credentialId.length === 0) {
const activeUserId = await firstValueFrom(
this.accountService.activeAccount$.pipe(getOptionalUserId),
);
if (!activeUserId) {
this.logService.error("listenPasskeyAssertion error", "Active user not found");
callback(new Error("Active user not found"), null);
return;
}
const cipher = await this.cipherService.get(request.recordIdentifier, activeUserId);
if (!cipher) {
this.logService.error("listenPasskeyAssertion error", "Cipher not found");
callback(new Error("Cipher not found"), null);
return;
}
const decrypted = await cipher.decrypt(
await this.cipherService.getKeyForCipherKeyDecryption(cipher, activeUserId),
);
const fido2Credential = decrypted.login.fido2Credentials?.[0];
if (!fido2Credential) {
this.logService.error("listenPasskeyAssertion error", "Fido2Credential not found");
callback(new Error("Fido2Credential not found"), null);
return;
}
request.credentialId = Array.from(
parseCredentialId(decrypted.login.fido2Credentials?.[0].credentialId),
);
}
const response = await this.fido2AuthenticatorService.getAssertion(
this.convertAssertionRequest(request),
{ windowXy: request.windowXy },
controller,
)
.then((response) => {
callback(null, this.convertAssertionResponse(request, response));
})
.catch((error) => {
this.logService.error("listenPasskeyAssertion error", error);
callback(error, null);
});
);
callback(null, this.convertAssertionResponse(request, response));
} catch (error) {
this.logService.error("listenPasskeyAssertion error", error);
callback(error, null);
return;
}
},
);
@@ -231,19 +232,18 @@ export class DesktopAutofillService implements OnDestroy {
this.logService.warning("listenPasskeyAssertion", clientId, sequenceNumber, request);
const controller = new AbortController();
void this.fido2AuthenticatorService
.getAssertion(
try {
const response = await this.fido2AuthenticatorService.getAssertion(
this.convertAssertionRequest(request),
{ windowXy: request.windowXy },
controller,
)
.then((response) => {
callback(null, this.convertAssertionResponse(request, response));
})
.catch((error) => {
this.logService.error("listenPasskeyAssertion error", error);
callback(error, null);
});
);
callback(null, this.convertAssertionResponse(request, response));
} catch (error) {
this.logService.error("listenPasskeyAssertion error", error);
callback(error, null);
}
});
}
@@ -266,7 +266,10 @@ export class DesktopAutofillService implements OnDestroy {
alg,
type: "public-key",
})),
excludeCredentialDescriptorList: [],
excludeCredentialDescriptorList: request.excludedCredentials.map((credentialId) => ({
id: new Uint8Array(credentialId),
type: "public-key" as const,
})),
requireResidentKey: true,
requireUserVerification:
request.userVerification === "required" || request.userVerification === "preferred",