PM-4877: Only allow replacing passkeys for the same userhandle (#9804)

* Initial draft * small cleanup * show vaul items without passkeys * Refactored a bit * tests run for me? * Fixed platform test * null and undefined * lint
2025-12-14 15:23:33 +00:00 · 2024-07-16 19:39:41 +02:00
parent aa8c5b1516
commit dbc9b9c90b
5 changed files with 28 additions and 2 deletions
--- a/libs/common/src/platform/abstractions/fido2/fido2-user-interface.service.abstraction.ts
+++ b/libs/common/src/platform/abstractions/fido2/fido2-user-interface.service.abstraction.ts
@@ -12,6 +12,11 @@ export interface NewCredentialParams {
   */
  userName: string;

+  /**
+   * The userhandle (userid) of the user.
+   */
+  userHandle: string;
+
  /**
   * Whether or not the user must be verified before completing the operation.
   */
--- a/libs/common/src/platform/services/fido2/fido2-authenticator.service.spec.ts
+++ b/libs/common/src/platform/services/fido2/fido2-authenticator.service.spec.ts
@@ -215,6 +215,7 @@ describe("FidoAuthenticatorService", () => {
          expect(userInterfaceSession.confirmNewCredential).toHaveBeenCalledWith({
            credentialName: params.rpEntity.name,
            userName: params.userEntity.name,
+            userHandle: Fido2Utils.bufferToString(params.userEntity.id),
            userVerification,
            rpId: params.rpEntity.id,
          } as NewCredentialParams);
--- a/libs/common/src/platform/services/fido2/fido2-authenticator.service.ts
+++ b/libs/common/src/platform/services/fido2/fido2-authenticator.service.ts
@@ -112,6 +112,7 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
      const response = await userInterfaceSession.confirmNewCredential({
        credentialName: params.rpEntity.name,
        userName: params.userEntity.name,
+        userHandle: Fido2Utils.bufferToString(params.userEntity.id),
        userVerification: params.requireUserVerification,
        rpId: params.rpEntity.id,
      });