[EC-598] feat: remove ability to duplicate excluded credentials

libs/common/src/webauthn/services/fido2-authenticator.service.ts

@@ -41,33 +41,28 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
       throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_PIN_AUTH_INVALID);
     }
 
-    // In the spec the `excludeList` is checked first.
-    // We deviate from this because we allow duplicates to be created if the user confirms it,
-    // and we don't want to ask the user for confirmation if the input params haven't already
-    // been verified.
     const isExcluded = await this.vaultContainsId(
       params.excludeList.map((key) => Fido2Utils.bufferToString(key.id))
     );
-    let userVerification = false;
 
     if (isExcluded) {
-      userVerification = await this.userInterface.confirmDuplicateCredential(
+      await this.userInterface.informExcludedCredential(
         [Fido2Utils.bufferToString(params.excludeList[0].id)],
         {
           credentialName: params.rp.name,
           userName: params.user.name,
         }
       );
-    } else {
-      userVerification = await this.userInterface.confirmNewCredential({
-        credentialName: params.rp.name,
-        userName: params.user.name,
-      });
+
+      throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_CREDENTIAL_EXCLUDED);
     }
 
-    if (!userVerification && isExcluded) {
-      throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_CREDENTIAL_EXCLUDED);
-    } else if (!userVerification && !isExcluded) {
+    const userVerification = await this.userInterface.confirmNewCredential({
+      credentialName: params.rp.name,
+      userName: params.user.name,
+    });
+
+    if (!userVerification) {
       throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_OPERATION_DENIED);
     }