PM-4877: Only allow replacing passkeys for the same userhandle (#9804)

* Initial draft * small cleanup * show vaul items without passkeys * Refactored a bit * tests run for me? * Fixed platform test * null and undefined * lint
2025-12-14 23:33:31 +00:00 · 2024-07-16 19:39:41 +02:00
parent aa8c5b1516
commit dbc9b9c90b
5 changed files with 28 additions and 2 deletions
--- a/apps/browser/src/vault/fido2/browser-fido2-user-interface.service.ts
+++ b/apps/browser/src/vault/fido2/browser-fido2-user-interface.service.ts
@@ -65,6 +65,7 @@ export type BrowserFido2Message = { sessionId: string } & (
      type: "ConfirmNewCredentialRequest";
      credentialName: string;
      userName: string;
+      userHandle: string;
      userVerification: boolean;
      fallbackSupported: boolean;
      rpId: string;
@@ -242,6 +243,7 @@ export class BrowserFido2UserInterfaceSession implements Fido2UserInterfaceSessi
  async confirmNewCredential({
    credentialName,
    userName,
+    userHandle,
    userVerification,
    rpId,
  }: NewCredentialParams): Promise<{ cipherId: string; userVerified: boolean }> {
@@ -250,6 +252,7 @@ export class BrowserFido2UserInterfaceSession implements Fido2UserInterfaceSessi
      sessionId: this.sessionId,
      credentialName,
      userName,
+      userHandle,
      userVerification,
      fallbackSupported: this.fallbackSupported,
      rpId,
--- a/apps/browser/src/vault/popup/components/fido2/fido2.component.ts
+++ b/apps/browser/src/vault/popup/components/fido2/fido2.component.ts
@@ -143,8 +143,10 @@ export class Fido2Component implements OnInit, OnDestroy {
            this.ciphers = (await this.cipherService.getAllDecrypted()).filter(
              (cipher) => cipher.type === CipherType.Login && !cipher.isDeleted,
            );
-            this.displayedCiphers = this.ciphers.filter((cipher) =>
-              cipher.login.matchesUri(this.url, equivalentDomains),
+            this.displayedCiphers = this.ciphers.filter(
+              (cipher) =>
+                cipher.login.matchesUri(this.url, equivalentDomains) &&
+                this.hasNoOtherPasskeys(cipher, message.userHandle),
            );

            if (this.displayedCiphers.length > 0) {
@@ -405,4 +407,18 @@ export class Fido2Component implements OnInit, OnDestroy {
      ...msg,
    });
  }
+
+  /**
+   * This methods returns true if a cipher either has no passkeys, or has a passkey matching with userHandle
+   * @param userHandle
+   */
+  private hasNoOtherPasskeys(cipher: CipherView, userHandle: string): boolean {
+    if (cipher.login.fido2Credentials == null || cipher.login.fido2Credentials.length === 0) {
+      return true;
+    }
+
+    return cipher.login.fido2Credentials.some((passkey) => {
+      passkey.userHandle === userHandle;
+    });
+  }
 }