[PM-5731] feat: add sameOriginWithAncestor and user id length checks

2026-01-08 03:23:23 +00:00 · 2024-02-07 11:39:13 +01:00
parent 3223ceb9a8
commit ad8faec200
4 changed files with 128 additions and 1 deletions
--- a/src/Core/Services/Fido2ClientService.cs
+++ b/src/Core/Services/Fido2ClientService.cs
@@ -5,7 +5,25 @@ namespace Bit.Core.Services
 {
    public class Fido2ClientService : IFido2ClientService
    {
-        public Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams) => throw new NotImplementedException();
+        public Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2ClientCreateCredentialParams createCredentialParams) 
+        {
+            if (!createCredentialParams.SameOriginWithAncestors)
+            {
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.NotAllowedError,
+                    "Credential creation is now allowed from embedded contexts with different origins.");
+            }
+
+            if (createCredentialParams.User.Id.Length < 1 || createCredentialParams.User.Id.Length > 64)
+            {
+                // TODO: Should we use ArgumentException here instead?
+                throw new Fido2ClientException(
+                    Fido2ClientException.ErrorCode.TypeError,
+                    "The length of user.id is not between 1 and 64 bytes (inclusive).");
+            }
+
+            throw new NotImplementedException();
+        }

        public Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2ClientAssertCredentialParams assertCredentialParams) => throw new NotImplementedException();
    }
--- a/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialParams.cs
+++ b/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialParams.cs
@@ -12,6 +12,7 @@ namespace Bit.Core.Utilities.Fido2
        /// </summary>
        public required string Origin { get; set; }

+        // TODO: Check if we actually need this
        /// <summary>
        /// A value which is true if and only if the caller’s environment settings object is same-origin with its ancestors.
        /// It is false if caller is cross-origin.
--- a/src/Core/Utilities/Fido2/Fido2ClientException.cs
+++ b/src/Core/Utilities/Fido2/Fido2ClientException.cs
@@ -0,0 +1,22 @@
+namespace Bit.Core.Utilities.Fido2
+{
+    public class Fido2ClientException : Exception
+    {
+        public enum ErrorCode 
+        {
+            NotAllowedError,
+            TypeError,
+            SecurityError,
+            UnknownError
+        }
+
+        public readonly ErrorCode Code;
+        public readonly string Reason;
+
+        public Fido2ClientException(ErrorCode code, string reason) : base($"{code} ({reason})")
+        {
+            Code = code;
+            Reason = reason;
+        }
+    }
+}