[PM-5731] feat: add support for specifying user presence requirement

2026-01-08 03:23:23 +00:00 · 2024-01-30 14:19:41 +01:00
parent 6bb724ff06
commit ca250c53ad
3 changed files with 86 additions and 22 deletions
--- a/src/Core/Services/Fido2AuthenticatorService.cs
+++ b/src/Core/Services/Fido2AuthenticatorService.cs
@@ -126,14 +126,27 @@ namespace Bit.Core.Services
                throw new NotAllowedError();
            }

-            var response = await _userInterface.PickCredentialAsync(new Fido2PickCredentialParams {
-                CipherIds = cipherOptions.Select((cipher) => cipher.Id).ToArray(),
-                UserVerification = assertionParams.RequireUserVerification
-            });
-            var selectedCipherId = response.CipherId;
-            var userVerified = response.UserVerified;
-            var selectedCipher = cipherOptions.FirstOrDefault((c) => c.Id == selectedCipherId);
+            string selectedCipherId;
+            bool userVerified;
+            bool userPresence;
+            if (assertionParams.AllowCredentialDescriptorList?.Length == 1 && assertionParams.RequireUserPresence == false)
+            {
+                selectedCipherId = cipherOptions[0].Id;
+                userVerified = false;
+                userPresence = false;
+            }
+            else
+            {
+                var response = await _userInterface.PickCredentialAsync(new Fido2PickCredentialParams {
+                    CipherIds = cipherOptions.Select((cipher) => cipher.Id).ToArray(),
+                    UserVerification = assertionParams.RequireUserVerification
+                });
+                selectedCipherId = response.CipherId;
+                userVerified = response.UserVerified;
+                userPresence = true;
+            }

+            var selectedCipher = cipherOptions.FirstOrDefault((c) => c.Id == selectedCipherId);
            if (selectedCipher == null) {
                // _logService.Info(
                //     "[Fido2Authenticator] Aborting because the selected credential could not be found."
@@ -142,6 +155,14 @@ namespace Bit.Core.Services
                throw new NotAllowedError();
            }

+            if (!userPresence && assertionParams.RequireUserPresence) {
+                // _logService.Info(
+                //     "[Fido2Authenticator] Aborting because user presence was required but not detected."
+                // );
+
+                throw new NotAllowedError();
+            }
+
            if (!userVerified && (assertionParams.RequireUserVerification || selectedCipher.Reprompt != CipherRepromptType.None)) {
                // _logService.Info(
                //     "[Fido2Authenticator] Aborting because user verification was unsuccessful."
@@ -164,14 +185,14 @@ namespace Bit.Core.Services

                var authenticatorData = await GenerateAuthDataAsync(
                    rpId: selectedFido2Credential.RpId,
-                    userPresence: true,
+                    userPresence: userPresence,
                    userVerification: userVerified,
                    counter: selectedFido2Credential.CounterValue
                );

                var signature = GenerateSignature(
                    authData: authenticatorData,
-                    clientDataHash: assertionParams.Hash,
+                    clientDataHash: assertionParams.ClientDataHash,
                    privateKey: selectedFido2Credential.KeyBytes
                );

@@ -207,9 +228,9 @@ namespace Bit.Core.Services
            return credentials;
        }

-        ///<summary>
+        /// <summary>
        /// Finds existing crendetials and returns the `CipherId` for each one
-        ///</summary>
+        /// </summary>
        private async Task<string[]> FindExcludedCredentialsAsync(
            PublicKeyCredentialDescriptor[] credentials
        ) {
--- a/src/Core/Utilities/Fido2/Fido2AuthenticatorGetAssertionParams.cs
+++ b/src/Core/Utilities/Fido2/Fido2AuthenticatorGetAssertionParams.cs
@@ -6,17 +6,21 @@
        public string RpId { get; set; }

        /** The hash of the serialized client data, provided by the client. */
-        public byte[] Hash {get; set;}
+        public byte[] ClientDataHash { get; set; }

-        public PublicKeyCredentialDescriptor[] AllowCredentialDescriptorList {get; set;}
+        public PublicKeyCredentialDescriptor[] AllowCredentialDescriptorList { get; set; }

-        /** The effective user verification requirement for assertion, a Boolean value provided by the client. */
-        public bool RequireUserVerification {get; set;}
+        /// <summary>
+        /// Instructs the authenticator to require a user-verifying gesture in order to complete the request. Examples of such gestures are fingerprint scan or a PIN.
+        /// </summary>
+        public bool RequireUserVerification { get; set; }
        
-        /** CTAP2 authenticators support setting this to false, but we only support the WebAuthn authenticator model which does not have that option. */
-        // public bool RequireUserPresence {get; set;} // Always required
+        /// <summary>
+        /// Instructs the authenticator to require user consent to complete the operation.
+        /// </summary>
+        public bool RequireUserPresence { get; set; }

-        public object Extensions {get; set;}
+        public object Extensions { get; set; }
    }
 }