From 260ea22adbaa66d382aab6e14f96c61372f01afb Mon Sep 17 00:00:00 2001
From: Andreas Coroiu
Date: Wed, 22 Mar 2023 10:01:01 +0100
Subject: [PATCH] [EC-598] feat: handle unsupported pinAuth
---
 ...fido2-authenticator.service.abstraction.ts | 2 ++
 .../fido2-authenticator.service.spec.ts | 20 +++++++++++++++++++
 .../services/fido2-authenticator.service.ts | 4 ++++
 3 files changed, 26 insertions(+)
diff --git a/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts b/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
index e0cef763797..02825175525 100644
--- a/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
+++ b/libs/common/src/webauthn/abstractions/fido2-authenticator.service.abstraction.ts
@@ -11,6 +11,7 @@ export enum Fido2AutenticatorErrorCode {
 CTAP2_ERR_CREDENTIAL_EXCLUDED,
 CTAP2_ERR_UNSUPPORTED_ALGORITHM,
 CTAP2_ERR_INVALID_OPTION,
+ CTAP2_ERR_PIN_AUTH_INVALID,
 }
 export class Fido2AutenticatorError extends Error {
@@ -59,4 +60,5 @@ export interface Fido2AuthenticatorMakeCredentialsParams {
 rk?: boolean;
 uv?: boolean;
 };
+ pinAuth?: unknown;
 }
diff --git a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
index ec3f02a8dd0..6d474f0400c 100644
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
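Review bot: The new `CTAP2_ERR_PIN_AUTH_INVALID` member of `Fido2AutenticatorErrorCode` has no initializer, so its numeric value is simply the ordinal after `CTAP2_ERR_INVALID_OPTION`, whereas the CTAP specification assigns this status the byte 0x33. The spec in this patch uses the enum only through its reverse name mapping, so this is harmless as long as the number never leaves the process. The enum would benefit from a comment saying so, for example `// Internal identifiers only: the numeric values are not CTAP status bytes.` The enum starts outside the hunk, so earlier members may already document this or set explicit values.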
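Review bot: `pinAuth?: unknown` in `Fido2AuthenticatorMakeCredentialsParams` is undocumented, and nothing on the field says it is accepted only so that its presence can be rejected. Typing it as `unknown` suits a value that is never read, but a later maintainer could take the field for supported input and start consuming it. I would add `/** Not supported: a present pinAuth makes makeCredential fail with CTAP2_ERR_PIN_AUTH_INVALID. */` above it. The interface starts outside the hunk.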
@@ -104,6 +104,25 @@ describe("FidoAuthenticatorService", () => {
 );
 });
 });
+
+ /**
+ * Spec: Optionally, if the extensions parameter is present, process any extensions that this authenticator supports.
+ * Currently not supported.
+ */
+ describe.skip("when extensions parameter is present", () => undefined);
+
+ /** Spec: If pinAuth parameter is present and the pinProtocol is not supported */
+ describe("when pinAuth parameter is present", () => {
+ it("should throw error", async () => {
+ const params = await createCredentialParams({ pinAuth: { key: "value" } });
+
+ const result = async () => await authenticator.makeCredential(params);
+
+ await expect(result).rejects.toThrowError(
+ Fido2AutenticatorErrorCode[Fido2AutenticatorErrorCode.CTAP2_ERR_PIN_AUTH_INVALID]
+ );
+ });
+ });
 });
 });
@@ -145,6 +164,7 @@ async function createCredentialParams(
 rk: false as boolean,
 uv: false as boolean,
 },
+ pinAuth: params.pinAuth,
 };
 }
diff --git a/libs/common/src/webauthn/services/fido2-authenticator.service.ts b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
index 7e435759c3d..4745f3e9e1a 100644
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
@@ -49,6 +49,10 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
 if (params.options?.uv != undefined && typeof params.options.uv !== "boolean") {
 throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_INVALID_OPTION);
 }
+
+ if (params.pinAuth != undefined) {
+ throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_PIN_AUTH_INVALID);
+ }
 }
 private async vaultContainsId(ids: string[]): Promise {
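Review bot: The new `describe("when pinAuth parameter is present", …)` block exercises only a truthy object, `{ pinAuth: { key: "value" } }`, so it would still pass if the service guard were later rewritten as a truthiness check. Present-but-falsy values are the cases worth pinning, because an empty pinAuth that slips through would be silently ignored rather than rejected. I would parameterise the case, e.g. `it.each(["", 0, false, new Uint8Array(0)])("should throw error when pinAuth is %p", async (pinAuth) => { … })` with the same `rejects.toThrowError` assertion. The enclosing `describe` blocks start outside the hunk.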
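Review bot: The added `if (params.pinAuth != undefined)` guard in `fido2-authenticator.service.ts` carries no comment explaining that it fails closed on purpose. A one-line note would help, such as `// No PIN protocol is implemented: reject any supplied pinAuth instead of ignoring it.` The loose comparison also treats `null` as absent, matching the `uv` check just above. If a caller can pass `null` for a present-but-empty parameter, `!== undefined` would be the stricter choice, so it is worth confirming which is intended. The enclosing method starts outside the hunk.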