[EC-598] feat: add support for user verifiction using MP during attestation

2025-12-17 08:43:33 +00:00 · 2023-04-20 15:43:49 +02:00
parent 9b2f8b9462
commit 757050430d
6 changed files with 152 additions and 69 deletions
--- a/apps/browser/src/fido2/content/page-script.ts
+++ b/apps/browser/src/fido2/content/page-script.ts
@@ -65,6 +65,7 @@ navigator.credentials.get = async (
  abortController?: AbortController
 ): Promise<Credential> => {
  console.log("navigator.credentials.get()", options);
+
  try {
    const response = await messenger.request(
      {
--- a/apps/browser/src/fido2/popup/fido2/fido2.component.ts
+++ b/apps/browser/src/fido2/popup/fido2/fido2.component.ts
@@ -11,10 +11,11 @@ import {
  takeUntil,
 } from "rxjs";

+import { Fido2KeyView } from "@bitwarden/common/fido2/models/view/fido2-key.view";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
+import { PasswordRepromptService } from "@bitwarden/common/vault/abstractions/password-reprompt.service";
 import { CipherType } from "@bitwarden/common/vault/enums/cipher-type";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
-import { Fido2KeyView } from "@bitwarden/common/fido2/models/view/fido2-key.view";

 import { BrowserApi } from "../../../browser/browserApi";
 import {
@@ -35,7 +36,11 @@ export class Fido2Component implements OnInit, OnDestroy {
  protected ciphers?: CipherView[] = [];
  protected loading = false;

-  constructor(private activatedRoute: ActivatedRoute, private cipherService: CipherService) {}
+  constructor(
+    private activatedRoute: ActivatedRoute,
+    private cipherService: CipherService,
+    private passwordRepromptService: PasswordRepromptService
+  ) {}

  ngOnInit(): void {
    const sessionId$ = this.activatedRoute.queryParamMap.pipe(
@@ -118,10 +123,16 @@ export class Fido2Component implements OnInit, OnDestroy {
        type: "PickCredentialResponse",
      });
    } else if (data?.type === "ConfirmNewNonDiscoverableCredentialRequest") {
+      let userVerified = false;
+      if (data.userVerification) {
+        userVerified = await this.passwordRepromptService.showPasswordPrompt();
+      }
+
      this.send({
        sessionId: this.sessionId,
        cipherId: cipher.id,
        type: "ConfirmNewNonDiscoverableCredentialResponse",
+        userVerified,
      });
    }

@@ -136,10 +147,21 @@ export class Fido2Component implements OnInit, OnDestroy {
    this.loading = true;
  }

-  confirmNew() {
+  async confirmNew() {
+    const data = this.data$.value;
+    if (data.type !== "ConfirmNewCredentialRequest") {
+      return;
+    }
+
+    let userVerified = false;
+    if (data.userVerification) {
+      userVerified = await this.passwordRepromptService.showPasswordPrompt();
+    }
+
    this.send({
      sessionId: this.sessionId,
      type: "ConfirmNewCredentialResponse",
+      userVerified,
    });
    this.loading = true;
  }
--- a/apps/browser/src/services/fido2/browser-fido2-user-interface.service.ts
+++ b/apps/browser/src/services/fido2/browser-fido2-user-interface.service.ts
@@ -62,18 +62,22 @@ export type BrowserFido2Message = { sessionId: string } & (
      type: "ConfirmNewCredentialRequest";
      credentialName: string;
      userName: string;
+      userVerification: boolean;
    }
  | {
      type: "ConfirmNewCredentialResponse";
+      userVerified: boolean;
    }
  | {
      type: "ConfirmNewNonDiscoverableCredentialRequest";
      credentialName: string;
      userName: string;
+      userVerification: boolean;
    }
  | {
      type: "ConfirmNewNonDiscoverableCredentialResponse";
      cipherId: string;
+      userVerified: boolean;
    }
  | {
      type: "InformExcludedCredentialRequest";
@@ -201,35 +205,42 @@ export class BrowserFido2UserInterfaceSession implements Fido2UserInterfaceSessi
    return response.cipherId;
  }

-  async confirmNewCredential({ credentialName, userName }: NewCredentialParams): Promise<boolean> {
+  async confirmNewCredential({
+    credentialName,
+    userName,
+    userVerification,
+  }: NewCredentialParams): Promise<{ confirmed: boolean; userVerified: boolean }> {
    const data: BrowserFido2Message = {
      type: "ConfirmNewCredentialRequest",
      sessionId: this.sessionId,
      credentialName,
      userName,
+      userVerification,
    };

    await this.send(data);
-    await this.receive("ConfirmNewCredentialResponse");
+    const response = await this.receive("ConfirmNewCredentialResponse");

-    return true;
+    return { confirmed: true, userVerified: response.userVerified };
  }

  async confirmNewNonDiscoverableCredential({
    credentialName,
    userName,
-  }: NewCredentialParams): Promise<string> {
+    userVerification,
+  }: NewCredentialParams): Promise<{ cipherId: string; userVerified: boolean }> {
    const data: BrowserFido2Message = {
      type: "ConfirmNewNonDiscoverableCredentialRequest",
      sessionId: this.sessionId,
      credentialName,
      userName,
+      userVerification,
    };

    await this.send(data);
    const response = await this.receive("ConfirmNewNonDiscoverableCredentialResponse");

-    return response.cipherId;
+    return { cipherId: response.cipherId, userVerified: response.userVerified };
  }

  async informExcludedCredential(existingCipherIds: string[]): Promise<void> {