From 6d969439efc85d742ec0634e0a2defd4c670a265 Mon Sep 17 00:00:00 2001
From: Andreas Coroiu
Date: Wed, 12 Apr 2023 13:53:00 +0200
Subject: [PATCH] [EC-598] feat: do not exclude organization credentials
---
 .../fido2-authenticator.service.spec.ts | 26 +++++++++++++++++++
 .../services/fido2-authenticator.service.ts | 9 ++++---
 2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
index de9798853c0..8c25857656c 100644
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
@@ -143,6 +143,19 @@ describe("FidoAuthenticatorService", () => {
 await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotAllowed);
 });
 
+ /** Devation: Organization ciphers are not checked against excluded credentials, even if the user has access to them. */
+ it("should not inform user of duplication when the excluded credential belongs to an organization", async () => {
+ userInterfaceSession.informExcludedCredential.mockResolvedValue();
+ excludedCipher.organizationId = "someOrganizationId";
+
+ try {
+ await authenticator.makeCredential(params);
+ // eslint-disable-next-line no-empty
+ } catch {}
+
+ expect(userInterfaceSession.informExcludedCredential).not.toHaveBeenCalled();
+ });
+
 it("should not inform user of duplication when input data does not pass checks", async () => {
 userInterfaceSession.informExcludedCredential.mockResolvedValue();
 const invalidParams = await createInvalidParams();
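Review bot: The doc comment on the new test misspells its key word and should read `/** Deviation: Organization ciphers are not checked against excluded credentials, even if the user has access to them. */`; the same comment appears in the second spec hunk at `@@ -204,6 +217,19 @@`. The test also wraps makeCredential in a catch-all, so it passes whether the call resolves or rejects for any reason, while the neighbouring test above pins its outcome with `await expect(result).rejects.toThrowError(...)`. If the fixture allows it, this test should likewise assert the expected outcome (presumably that creation proceeds for an organization-owned duplicate) rather than only the absence of the informExcludedCredential call. The empty catch with the eslint-disable may mirror the "does not pass checks" test below, whose body lies outside the hunk.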
@@ -204,6 +217,19 @@ describe("FidoAuthenticatorService", () => {
 await expect(result).rejects.toThrowError(Fido2AutenticatorErrorCode.NotAllowed);
 });
 
+ /** Devation: Organization ciphers are not checked against excluded credentials, even if the user has access to them. */
+ it.only("should not inform user of duplication when the excluded credential belongs to an organization", async () => {
+ userInterfaceSession.informExcludedCredential.mockResolvedValue();
+ excludedCipherView.organizationId = "someOrganizationId";
+
+ try {
+ await authenticator.makeCredential(params);
+ // eslint-disable-next-line no-empty
+ } catch {}
+
+ expect(userInterfaceSession.informExcludedCredential).not.toHaveBeenCalled();
+ });
+
 it("should not inform user of duplication when input data does not pass checks", async () => {
 userInterfaceSession.informExcludedCredential.mockResolvedValue();
 const invalidParams = await createInvalidParams();
diff --git a/libs/common/src/webauthn/services/fido2-authenticator.service.ts b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
index 99959b00800..fb8125b2442 100644
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
@@ -273,10 +273,11 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
 return ciphers
 .filter(
 (cipher) =>
- (cipher.type === CipherType.Fido2Key && ids.includes(cipher.id)) ||
- (cipher.type === CipherType.Login &&
- cipher.login.fido2Key != undefined &&
- ids.includes(cipher.login.fido2Key.nonDiscoverableId))
+ cipher.organizationId == undefined &&
+ ((cipher.type === CipherType.Fido2Key && ids.includes(cipher.id)) ||
+ (cipher.type === CipherType.Login &&
+ cipher.login.fido2Key != undefined &&
+ ids.includes(cipher.login.fido2Key.nonDiscoverableId)))
 )
 .map((cipher) => cipher.id);
 }
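Review bot: `it.only(` on the new test focuses the runner on this single case and silently skips every other test in the spec once the change is committed; it should be `it(`, matching the equivalent test in the first hunk. The rest of the block mirrors the first hunk, including the `Devation` typo raised there.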
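Review bot: The new `cipher.organizationId == undefined &&` guard is a deliberate relaxation of the exclude-list check, but the only explanation of why organization-owned ciphers are exempt lives in the spec's "Deviation" comment, not in the service where it is enforced, so a reader of this filter could take it for an accidental omission. Add a comment above the guard, e.g. `// Deviation from the WebAuthn spec: ciphers owned by an organization are never reported as excluded credentials, even when the user has access to them (see the "Deviation" tests in the spec).` Since relying parties use excludeCredentials to prevent duplicate registrations, recording the intent at the code keeps the weakened check from being "fixed" back or broadened without notice. The added nesting could also be flattened with a guard inside the callback, `if (cipher.organizationId != undefined) return false;`, leaving the original condition untouched. The enclosing method's signature is outside the hunk.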