feature: add support for backup_eligibility AD flag

hagould · Nov 14, 2022 · 1a5c528 · 1a5c528
1 parent b90c6fd
commit 1a5c528
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 5 deletions.
diff --git a/lib/webauthn/authenticator_data.rb b/lib/webauthn/authenticator_data.rb
@@ -19,9 +19,9 @@ class AuthenticatorData < BinData::Record
  struct :flags do
  bit1 :extension_data_included
  bit1 :attested_credential_data_included
- bit1 :reserved_for_future_use_4
  bit1 :reserved_for_future_use_3
  bit1 :reserved_for_future_use_2
+ bit1 :backup_eligibility
  bit1 :user_verified
  bit1 :reserved_for_future_use_1
  bit1 :user_present
@@ -58,6 +58,10 @@ def user_verified?
  flags.user_verified == 1
  end
 
+ def credential_backup_eligible?
+ flags.backup_eligibility == 1
+ end
+
  def attested_credential_data_included?
  flags.attested_credential_data_included == 1
  end

diff --git a/lib/webauthn/fake_authenticator/authenticator_data.rb b/lib/webauthn/fake_authenticator/authenticator_data.rb
@@ -20,6 +20,7 @@ def initialize(
  sign_count: 0,
  user_present: true,
  user_verified: !user_present,
+ backup_eligibility: false,
  aaguid: AAGUID,
  extensions: { "fakeExtension" => "fakeExtensionValue" }
  )
@@ -28,6 +29,7 @@ def initialize(
  @sign_count = sign_count
  @user_present = user_present
  @user_verified = user_verified
+ @backup_eligibility = backup_eligibility
  @aaguid = aaguid
  @extensions = extensions
  end
@@ -38,15 +40,15 @@ def serialize
 
  private
 
- attr_reader :rp_id_hash, :credential, :user_present, :user_verified, :extensions
+ attr_reader :rp_id_hash, :credential, :user_present, :user_verified, :extensions, :backup_eligibility
 
  def flags
  [
  [
  bit(:user_present),
  reserved_for_future_use_bit,
  bit(:user_verified),
- reserved_for_future_use_bit,
+ bit(:backup_eligibility),
  reserved_for_future_use_bit,
  reserved_for_future_use_bit,
  attested_credential_data_included_bit,
@@ -108,7 +110,7 @@ def reserved_for_future_use_bit
  end
 
  def context
- { user_present: user_present, user_verified: user_verified }
+ { user_present: user_present, user_verified: user_verified, backup_eligibility: backup_eligibility }
  end
 
  def cose_credential_public_key

diff --git a/lib/webauthn/public_key_credential.rb b/lib/webauthn/public_key_credential.rb
@@ -48,6 +48,10 @@ def authenticator_extension_outputs
  authenticator_data.extension_data if authenticator_data&.extension_data_included?
  end
 
+ def backup_eligible?
+ authenticator_data&.credential_backup_eligible?
+ end
+
  private
 
  attr_reader :relying_party

diff --git a/spec/webauthn/authenticator_data_spec.rb b/spec/webauthn/authenticator_data_spec.rb
@@ -8,14 +8,16 @@
  rp_id_hash: rp_id_hash,
  sign_count: sign_count,
  user_present: user_present,
- user_verified: user_verified
+ user_verified: user_verified,
+ backup_eligibility: backup_eligibility
  ).serialize
  end
 
  let(:rp_id_hash) { OpenSSL::Digest.digest("SHA256", "localhost") }
  let(:sign_count) { 42 }
  let(:user_present) { true }
  let(:user_verified) { false }
+ let(:backup_eligibility) { false }
 
  let(:authenticator_data) { described_class.deserialize(serialized_authenticator_data) }
 
@@ -114,4 +116,20 @@
  it { is_expected.to be_falsy }
  end
  end
+
+ describe "#credential_backup_eligible?" do
+ subject { authenticator_data.credential_backup_eligible? }
+
+ context "when BE flag is set" do
+ let(:backup_eligibility) { true }
+
+ it { is_expected.to be_truthy }
+ end
+
+ context "when BE flag is not set" do
+ let(:backup_eligibility) { false }
+
+ it { is_expected.to be_falsy }
+ end
+ end
 end