Bug 1537552 - Web Authentication - isUserVerifyingPlatformAuthenticatorAvailable should return false r=keeler

The WebAuthn spec changed from the days of https://bugzilla.mozilla.org/show_bug.cgi?id=1406468#c1.

Now the spec says, if there are no user-verifying platform authenticators available [0]:

>  Otherwise, the promise is resolved with the value of `false`

...so we should resolve false instead of never resolving.

[0] https://w3c.github.io/webauthn/#abortoperation

Differential Revision: https://phabricator.services.mozilla.com/D24266

--HG--
extra : moz-landing-system : lando
J.C. Jones 2019-03-26 23:42:28 +00:00
parent 349f8a0865
commit ee356ad019
2 changed files with 10 additions and 26 deletions

@ -89,27 +89,18 @@ PublicKeyCredential::IsUserVerifyingPlatformAuthenticatorAvailable(
// https://w3c.github.io/webauthn/#isUserVerifyingPlatformAuthenticatorAvailable
//
// If on latest windows, call system APIs, otherwise
// We currently implement no platform authenticators, so this would always
// resolve to false. For those cases, the spec recommends a resolve timeout
// on the order of 10 minutes to avoid fingerprinting.
//
// A simple solution is thus to never resolve the promise, otherwise we'd
// have to track every single call to this method along with a promise
// and timer to resolve it after exactly X minutes.
//
// A Relying Party has to deal with a non-response in a timely fashion, so
// we can keep this as-is (and not resolve) even when we support platform
// authenticators but they're not available, or a user rejects a website's
// request to use them.
// If on latest windows, call system APIs, otherwise return false, as we don't
// have other UVPAAs available at this time.
#ifdef OS_WIN
if (WinWebAuthnManager::IsUserVerifyingPlatformAuthenticatorAvailable()) {
promise->MaybeResolve(true);
return promise.forget();
}
#endif
promise->MaybeResolve(false);
return promise.forget();
}
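
Review bot: The new comment above `#ifdef OS_WIN` ("otherwise return false, as we don't have other UVPAAs available at this time") drops the fingerprinting rationale from the old text without saying why an immediate answer is now acceptable. The old comment recorded a spec recommendation to delay a `false` result by around 10 minutes, so the replacement should state that the spec now resolves with `false` directly; otherwise a later reader may reintroduce the delay or the never-resolve behaviour. The two exits also duplicate `promise->MaybeResolve(...)` followed by `return promise.forget();`. Computing a single bool (set inside the `#ifdef`) and resolving once would make it harder for the Windows and non-Windows paths to diverge.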

@ -24,26 +24,19 @@ SimpleTest.waitForExplicitFinish();
SpecialPowers.pushPrefEnv({"set": [["security.webauth.webauthn", true],
["security.webauth.webauthn_enable_softtoken", true],
["security.webauth.webauthn_enable_usbtoken", false]]},
function() {
async function() {
// This test ensures that isUserVerifyingPlatformAuthenticatorAvailable()
// is a callable method, but we currently can't test that it works in an
// automated way. If it resolves to false, per spec, we SHOULD wait
// ~10 minutes before resolving.
let p1 = PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
// is a callable method, but with the softtoken enabled, it's not useful to
// figure out what it actually returns, so we'll just make sure it runs.
await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
.then(function(aResult) {
ok(false, "We shouldn't get here.");
ok(true, "Resolved: " + aResult);
})
.catch(function(aProblem) {
ok(false, "Problem encountered: " + aProblem);
});
// Finish on the next tick.
let p2 = Promise.resolve();
Promise.race([p1, p2]).then(function() {
ok(true, "isUserVerifyingPlatformAuthenticatorAvailable() is callable");
SimpleTest.finish();
});
SimpleTest.finish();
});
</script>
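
Review bot: In the `.then` handler, `ok(true, "Resolved: " + aResult)` passes for any resolved value, so the test does not check that the promise resolves with a boolean, which is what the implementation change is meant to guarantee. Even with the softtoken enabled and the actual value left unchecked, an assertion such as `is(typeof aResult, "boolean", ...)` would catch a resolve with `undefined` or another type. Mixing `await` with `.then`/`.catch` works, but a `try`/`catch` around the awaited call would read more simply.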