remove server-side error messages for webauthn

since we are hard-coding a generic error message on the front-end, we have no need to do anything on the back end. This is also nice as it standardises the two flows to behave more like each other (rather than previously where one would `flash` an error message and the other would return CBOR for the js to decode). Note that the register flow returns 400 while the auth flow returns 403. The js for both just checks `response.ok` so will handle both. The JS completely discards any body returned if the status isn't 200 now.
2026-05-02 23:20:56 -04:00 · 2021-09-14 14:31:45 +01:00
parent 2c55f4d0ce
commit a96bfdb16e
6 changed files with 41 additions and 75 deletions
--- a/tests/app/main/views/test_webauthn_credentials.py
+++ b/tests/app/main/views/test_webauthn_credentials.py
@@ -181,7 +181,6 @@ def test_complete_register_handles_library_errors(
    )

    assert response.status_code == 400
-    assert cbor.decode(response.data) == 'error'


 def test_complete_register_handles_missing_state(
@@ -289,8 +288,6 @@ def test_complete_authentication_403s_if_key_isnt_in_users_credentials(
        assert 'user_id' not in session
        # webauthn state reset so can't replay
        assert 'webauthn_authentication_state' not in session
-        # make sure there's an error message to show when the page reloads
-        assert '_flashes' in session

    assert mock_verify_webauthn_login.called is False
    # make sure we incremented the failed login count
@@ -370,10 +367,6 @@ def test_verify_webauthn_login_signs_user_in_doesnt_sign_user_in_if_api_rejects(

    resp = client.post(url_for('main.webauthn_complete_authentication'))

-    with client.session_transaction() as session:
-        # make sure there's an error message to show when the page reloads
-        assert '_flashes' in session
-
    assert resp.status_code == 403


--- a/tests/javascripts/authenticateSecurityKey.test.js
+++ b/tests/javascripts/authenticateSecurityKey.test.js
@@ -25,7 +25,7 @@ describe('Authenticate with security key', () => {
  beforeEach(() => {
    // disable console.error() so we don't see it in test output
    // you might need to comment this out to debug some failures
-    jest.spyOn(console, 'error').mockImplementation(() => { })
+    jest.spyOn(console, 'error').mockImplementation(() => {})

    document.body.innerHTML = `
      <button type="submit" data-module="authenticate-security-key" data-csrf-token="abc123"></button>`
@@ -133,10 +133,17 @@ describe('Authenticate with security key', () => {
        expect(url.toString()).toEqual(
          'https://www.notifications.service.gov.uk/webauthn/authenticate?next=%2Ffoo%3Fbar%3Dbaz'
        )
-
-        done()
+        return Promise.resolve({
+          ok: true, arrayBuffer: () => Promise.resolve(window.CBOR.encode({ redirect_url: '/foo' }))
+        })
      })

+    jest.spyOn(window.location, 'assign').mockImplementation((href) => {
+      // ensure that the fetch mock implementation above was called
+      expect.assertions(1)
+      done()
+    })
+
    button.click()
  })

@@ -181,8 +188,8 @@ describe('Authenticate with security key', () => {
  })

  test.each([
-    ['network error'],
-    ['internal server error'],
+    ['network'],
+    ['server'],
  ])('errors if POSTing WebAuthn credentials fails (%s)', (errorType, done) => {
    jest.spyOn(window, 'fetch')
      .mockImplementationOnce((_url) => {
@@ -210,12 +217,10 @@ describe('Authenticate with security key', () => {
    jest.spyOn(window, 'fetch').mockImplementationOnce((_url) => {
      // subsequent POST of credential data to server
      switch (errorType) {
-        case 'network error':
+        case 'network':
          return Promise.reject('error')
-        case 'internal server error':
-          // dont need this becuase we dont cbor return errors
-          const message = Promise.reject('encoding error')
-          return Promise.resolve({ ok: false, arrayBuffer: () => message, statusText: 'error' })
+        case 'server':
+          return Promise.resolve({ ok: false, statusText: 'FORBIDDEN' })
      }
    })

@@ -229,9 +234,8 @@ describe('Authenticate with security key', () => {


  test('reloads page if POSTing WebAuthn credentials returns 403', (done) => {
-    jest.spyOn(window, 'fetch')
-      .mockImplementationOnce((_url) => {
-        const webauthnOptions = window.CBOR.encode('someArbitraryOptions')
+    jest.spyOn(window, 'fetch').mockImplementationOnce((_url) => {
+      const webauthnOptions = window.CBOR.encode('someArbitraryOptions')

        return Promise.resolve({
          ok: true, arrayBuffer: () => webauthnOptions
--- a/tests/javascripts/registerSecurityKey.test.js
+++ b/tests/javascripts/registerSecurityKey.test.js
@@ -107,9 +107,8 @@ describe('Register security key', () => {
  })

  test.each([
-    ['network error'],
-    ['internal server error'],
-    ['bad request'],
+    ['network'],
+    ['server'],
  ])('errors if sending WebAuthn credentials fails (%s)', (errorType, done) => {

    jest.spyOn(window, 'fetch').mockImplementationOnce((_url) => {
@@ -129,14 +128,10 @@ describe('Register security key', () => {
    jest.spyOn(window, 'fetch').mockImplementationOnce((_url) => {
      // subsequent POST of credential data to server
      switch (errorType) {
-        case 'network error':
+        case 'network':
          return Promise.reject('error')
-        case 'bad request':
-          message = Promise.resolve(window.CBOR.encode('error'))
-          return Promise.resolve({ ok: false, arrayBuffer: () => message })
-        case 'internal server error':
-          message = Promise.reject('encoding error')
-          return Promise.resolve({ ok: false, arrayBuffer: () => message, statusText: 'error' })
+        case 'server':
+          return Promise.resolve({ ok: false, statusText: 'FORBIDDEN' })
      }
    })