Tests for extensions validator

- fixed extensions validator
- added tests for extensions validation

Author: HSMDBC

lib/response.js

@@ -48,6 +48,7 @@ class Fido2Result {
 		await this.validateRawAuthnrData();
 		await this.validateRpIdHash();
 		await this.validateFlags();
+		await this.validateExtensions();
 	}
 
 	async create(req, exp) {

lib/validator.js

@@ -615,16 +615,23 @@ async function validatePublicKey() {
 
 function validateExtensions() {
 	const extensions = this.authnrData.get("webAuthnExtensions");
-
-	if (extensions === undefined ||
-		Array.isArray(extensions) &&
-		extensions.every(item => typeof item === "object")
-	) {
-		this.audit.journal.add("webAuthnExtensions");
-		return true;
+	const shouldHaveExtensions = this.authnrData.get("flags").has("ED");
+
+	if (shouldHaveExtensions) {
+		if (Array.isArray(extensions) && 
+			extensions.every(item => typeof item === "object")
+		) {
+			this.audit.journal.add("webAuthnExtensions");
+		} else {
+			throw new Error("webAuthnExtensions aren't valid");
+		}
+	} else {
+		if (extensions !== undefined) {
+			throw new Error("unexpected webAuthnExtensions found");
+		}
 	}
 
-	throw new Error("unable to validate webAuthnExtensions");
+	return true;
 }
 
 async function validateUserHandle() {

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "fido2-lib",
-	"version": "3.3.1",
+	"version": "3.3.2",
 	"description": "A library for performing FIDO 2.0 / WebAuthn functionality",
 	"type": "module",
 	"main": "dist/main.cjs",

test/validator.test.js

@@ -722,6 +722,34 @@ describe("attestation validation", function() {
 				});
 			});
 
+			describe("validateExtensions", function() {
+				// original test data does not contain extensions
+				it("returns true on validation without extensions", async function() {
+					const ret = attResp.validateExtensions();
+					assert.isTrue(ret);
+					assert.isFalse(attResp.audit.journal.has("webAuthnExtensions"));
+				});
+
+				it("returns true on validation with extensions", async function() {
+					attResp.authnrData.get("flags").add("ED");
+					attResp.authnrData.set("webAuthnExtensions", [{ credProtect: 1 }]);
+					const ret = attResp.validateExtensions();
+					assert.isTrue(ret);
+					assert.isTrue(attResp.audit.journal.has("webAuthnExtensions"));
+				});
+
+				it("throws on invalid extensions", async function() {
+					attResp.authnrData.get("flags").add("ED");
+					attResp.authnrData.set("webAuthnExtensions", [42]);
+					assert.throws(() => attResp.validateExtensions(), Error, "webAuthnExtensions aren't valid");
+				});
+
+				it("throws on unexpected extensions", async function() {
+					attResp.authnrData.set("webAuthnExtensions", [{ credProtect: 1 }]);
+					assert.throws(() => attResp.validateExtensions(), Error, "unexpected webAuthnExtensions found");
+				});
+			});
+
 			describe("validateTokenBinding", function() {
 				it("returns true if tokenBinding is undefined", async function() {
 					const ret = await attResp.validateTokenBinding();
@@ -828,6 +856,7 @@ describe("attestation validation", function() {
 					await attResp.validateAaguid();
 					await attResp.validateCredId();
 					await attResp.validatePublicKey();
+					await attResp.validateExtensions();
 					await attResp.validateFlags();
 					await attResp.validateInitialCounter();