Writing integration test

[mitar]

I am using this library to implement the server side API to authenticate using webauthn in the browser. I would like to write a server-side test in Go to test my HTTP handlers: one which returns CredentialCreation struct and then another which accepts CredentialCreationResponse struct. Now, the question I have is there any existing code which would generate a suitable fake CredentialCreationResponse struct given the CredentialCreation which would pass the validation? It looks to me like I should be able to generate a keypair and then generate CredentialCreationResponse by signing the challenge, add the public key and other data, and this would make the CredentialCreationResponse. Is there already existing code for all this?

[james-d-elliott]

I would encourage anyone wanting to write integration tests to leverage the DevTools Protocol with Chrome to create a developer authenticator and credentials. See here. Then I'd leverage a client library or your own implementation to perform the relevant API requests to start/finish each ceremony.

The github.com/go-rod/rod module has tooling for this. It also allows interacting with a web UI.

I believe you are correct about the process for generating a creation, however it is also probably not an idea integration test.

[mitar]

Yes, I want tests at two levels. I am planing to use Chrome for E2E tests where I test also UI itself. But here I wanted to test just the API, from Go tests. So to test just the backend (it can be faster during development to run those tests only).

So there is no code yet written for this?

[james-d-elliott]

Ah was confused about your intention. There is nothing specific made to perform this kind of testing no, this is an RP library. To perform integration testing it would require a third party system to integrate with which I'm not aware of any made for this purpose.

The way the library is designed realistically allows you to fairly easily do this, as the methods exposed give you a lot of control over how you interact with it, and the existing tests would easily serve as template for how to interact with the library in this way. Only thing I can think of that may be a stopper is there is no way to mock the challenge generation other than to manually creating the session.

[mitar]

I managed to do it. There are few missing pieces in this library to make this easier:

• There is ParsePublicKey, but not serialization.
• There is code to parse RawAuthData, but not to create one from AuthenticatorData.
• There is code to verify assertion signature, but not to create it.