[PM-6413] feat: add http loophole for localhost
Fixes #6882
coroiu committed May 17, 2024
1 parent ff19514 commit 07b69ed
Showing 2 changed files with 28 additions and 2 deletions.
Expand Up @@ -151,6 +151,16 @@ describe("FidoAuthenticatorService", () => {
await rejects.toBeInstanceOf(DOMException);
});

it("should not throw error if localhost is http", async () => {
const params = createParams({
origin: "http://localhost",
rp: { id: undefined, name: "localhost" },
});
authenticator.makeCredential.mockResolvedValue(createAuthenticatorMakeResult());

await client.createCredential(params, tab);
});

// Spec: If credTypesAndPubKeyAlgs is empty, return a DOMException whose name is "NotSupportedError", and terminate this algorithm.
it("should throw error if no support key algorithms were found", async () => {
const params = createParams({
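Review bot: the new createCredential test only covers the bare "http://localhost" origin and only asserts that nothing throws; a negative case is missing, so the test would also pass if the http check were removed entirely. Add a sibling test that a non-localhost http origin (e.g. "http://example.com" as a constructed value) still rejects with a DOMException named "SecurityError", mirroring the existing `await rejects.toBeInstanceOf(DOMException)` assertion above, and consider a case with a port ("http://localhost:3000"), since that is how local development servers are typically reached and `parsedOrigin.hostname` should still be "localhost" there.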
Expand Down Expand Up @@ -506,6 +516,16 @@ describe("FidoAuthenticatorService", () => {
expect.anything(),
);
});

it("should not throw error if localhost is http", async () => {
const params = createParams({
origin: "http://localhost",
});
params.rpId = undefined;
authenticator.getAssertion.mockResolvedValue(createAuthenticatorAssertResult());

await client.assertCredential(params, tab);
});
});

describe("assert discoverable credential", () => {
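Review bot: the assertCredential test sets `params.rpId = undefined;` after construction, while the createCredential test passes `rp: { id: undefined, ... }` through `createParams`; the two tests should use the same pattern so that the intent (rpId must be derived from the origin hostname) is obvious. Since the surrounding tests already assert on mock calls (the `expect.anything()` arguments above), it would also be stronger to assert that `authenticator.getAssertion` was called with rpId "localhost" rather than only checking that no exception is thrown, and to add the matching negative case for a non-localhost http origin.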
10 changes: 8 additions & 2 deletions libs/common/src/platform/services/fido2/fido2-client.service.ts
Expand Up @@ -103,7 +103,10 @@ export class Fido2ClientService implements Fido2ClientServiceAbstraction {
}

params.rp.id = params.rp.id ?? parsedOrigin.hostname;
if (parsedOrigin.hostname == undefined || !params.origin.startsWith("https://")) {
if (
parsedOrigin.hostname == undefined ||
(!params.origin.startsWith("https://") && parsedOrigin.hostname !== "localhost")
) {
this.logService?.warning(`[Fido2Client] Invalid https origin: ${params.origin}`);
throw new DOMException("'origin' is not a valid https origin", "SecurityError");
}
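Review bot: the log and exception messages in this hunk are now inaccurate: after the change an http origin is accepted when the hostname is exactly "localhost", yet the branch still reports "Invalid https origin" and throws "'origin' is not a valid https origin". Reword to something like "origin must be https, or http for localhost" so that a rejected dev setup is diagnosable from the log. Two further points: the scheme is tested with `params.origin.startsWith("https://")` on the raw string while the hostname comes from `parsedOrigin`; checking `parsedOrigin.protocol` would keep both conditions on the same parsed value. And the exact `!== "localhost"` comparison means "http://127.0.0.1" and "*.localhost" names remain rejected; if that is intended, a short comment stating the exact-match policy would save the next reader from treating it as an oversight.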
Expand Down Expand Up @@ -238,7 +241,10 @@ export class Fido2ClientService implements Fido2ClientServiceAbstraction {

params.rpId = params.rpId ?? parsedOrigin.hostname;

if (parsedOrigin.hostname == undefined || !params.origin.startsWith("https://")) {
if (
parsedOrigin.hostname == undefined ||
(!params.origin.startsWith("https://") && parsedOrigin.hostname !== "localhost")
) {
this.logService?.warning(`[Fido2Client] Invalid https origin: ${params.origin}`);
throw new DOMException("'origin' is not a valid https origin", "SecurityError");
}
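Review bot: this condition is a verbatim copy of the one in createCredential, so the two origin policies will drift apart the next time either is touched. Extract the check into one private helper, for example `isAllowedOrigin(parsedOrigin, origin)`, and call it from both createCredential and assertCredential; that also keeps a security-relevant decision (which non-https origins may obtain or use a credential) in a single place that can be unit-tested directly. The same stale "'origin' is not a valid https origin" message applies here as in the createCredential hunk.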