Kyle Isom
25417b24f4
Phase 14: Full WebAuthn support for passwordless passkey login and hardware security key 2FA. - go-webauthn/webauthn v0.16.1 dependency - WebAuthnConfig with RPID/RPOrigin/DisplayName validation - Migration 000009: webauthn_credentials table - DB CRUD with ownership checks and admin operations - internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM - REST: register begin/finish, login begin/finish, list, delete - Web UI: profile enrollment, login passkey button, admin management - gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs - mciasdb: webauthn list/delete/reset subcommands - OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema - Policy: self-service enrollment rule, admin remove via wildcard - Tests: DB CRUD, adapter round-trip, interface compliance - Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14 Security: Credential IDs and public keys encrypted at rest with AES-256-GCM via vault master key. Challenge ceremonies use 128-bit nonces with 120s TTL in sync.Map. Sign counter validated on each assertion to detect cloned authenticators. Password re-auth required for registration (SEC-01 pattern). No credential material in API responses or logs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
76 lines
1.8 KiB
Go
76 lines
1.8 KiB
Go
package webauthn
|
|
|
|
import (
|
|
"testing"
|
|
|
|
libwebauthn "github.com/go-webauthn/webauthn/webauthn"
|
|
|
|
"git.wntrmute.dev/kyle/mcias/internal/config"
|
|
)
|
|
|
|
func TestNewWebAuthn(t *testing.T) {
|
|
cfg := &config.WebAuthnConfig{
|
|
RPID: "example.com",
|
|
RPOrigin: "https://example.com",
|
|
DisplayName: "Test App",
|
|
}
|
|
wa, err := NewWebAuthn(cfg)
|
|
if err != nil {
|
|
t.Fatalf("NewWebAuthn: %v", err)
|
|
}
|
|
if wa == nil {
|
|
t.Fatal("expected non-nil WebAuthn instance")
|
|
}
|
|
}
|
|
|
|
func TestNewWebAuthnMissingFields(t *testing.T) {
|
|
_, err := NewWebAuthn(&config.WebAuthnConfig{})
|
|
if err == nil {
|
|
t.Error("expected error for empty config")
|
|
}
|
|
|
|
_, err = NewWebAuthn(&config.WebAuthnConfig{RPID: "example.com"})
|
|
if err == nil {
|
|
t.Error("expected error for missing RPOrigin")
|
|
}
|
|
}
|
|
|
|
func TestNewWebAuthnDefaultDisplayName(t *testing.T) {
|
|
cfg := &config.WebAuthnConfig{
|
|
RPID: "example.com",
|
|
RPOrigin: "https://example.com",
|
|
}
|
|
wa, err := NewWebAuthn(cfg)
|
|
if err != nil {
|
|
t.Fatalf("NewWebAuthn: %v", err)
|
|
}
|
|
if wa == nil {
|
|
t.Fatal("expected non-nil WebAuthn instance")
|
|
}
|
|
}
|
|
|
|
func TestAccountUserInterface(t *testing.T) {
|
|
uuidBytes := []byte("12345678-1234-1234-1234-123456789abc")
|
|
creds := []libwebauthn.Credential{
|
|
{ID: []byte("cred1")},
|
|
{ID: []byte("cred2")},
|
|
}
|
|
user := NewAccountUser(uuidBytes, "alice", creds)
|
|
|
|
// Verify interface compliance.
|
|
var _ libwebauthn.User = user
|
|
|
|
if string(user.WebAuthnID()) != string(uuidBytes) {
|
|
t.Error("WebAuthnID mismatch")
|
|
}
|
|
if user.WebAuthnName() != "alice" {
|
|
t.Errorf("WebAuthnName = %q, want %q", user.WebAuthnName(), "alice")
|
|
}
|
|
if user.WebAuthnDisplayName() != "alice" {
|
|
t.Errorf("WebAuthnDisplayName = %q, want %q", user.WebAuthnDisplayName(), "alice")
|
|
}
|
|
if len(user.WebAuthnCredentials()) != 2 {
|
|
t.Errorf("WebAuthnCredentials len = %d, want 2", len(user.WebAuthnCredentials()))
|
|
}
|
|
}
|