remove server-side error messages for webauthn

since we are hard-coding a generic error message on the front-end, we have no need to do anything on the back end. This is also nice as it standardises the two flows to behave more like each other (rather than previously where one would `flash` an error message and the other would return CBOR for the js to decode). Note that the register flow returns 400 while the auth flow returns 403. The js for both just checks `response.ok` so will handle both. The JS completely discards any body returned if the status isn't 200 now.
2026-02-06 11:23:48 -05:00 · 2021-09-14 14:31:45 +01:00
parent 2c55f4d0ce
commit a96bfdb16e
6 changed files with 41 additions and 75 deletions
--- a/tests/javascripts/authenticateSecurityKey.test.js
+++ b/tests/javascripts/authenticateSecurityKey.test.js
@@ -25,7 +25,7 @@ describe('Authenticate with security key', () => {
  beforeEach(() => {
    // disable console.error() so we don't see it in test output
    // you might need to comment this out to debug some failures
-    jest.spyOn(console, 'error').mockImplementation(() => { })
+    jest.spyOn(console, 'error').mockImplementation(() => {})

    document.body.innerHTML = `
      <button type="submit" data-module="authenticate-security-key" data-csrf-token="abc123"></button>`
@@ -133,10 +133,17 @@ describe('Authenticate with security key', () => {
        expect(url.toString()).toEqual(
          'https://www.notifications.service.gov.uk/webauthn/authenticate?next=%2Ffoo%3Fbar%3Dbaz'
        )
-
-        done()
+        return Promise.resolve({
+          ok: true, arrayBuffer: () => Promise.resolve(window.CBOR.encode({ redirect_url: '/foo' }))
+        })
      })

+    jest.spyOn(window.location, 'assign').mockImplementation((href) => {
+      // ensure that the fetch mock implementation above was called
+      expect.assertions(1)
+      done()
+    })
+
    button.click()
  })

@@ -181,8 +188,8 @@ describe('Authenticate with security key', () => {
  })

  test.each([
-    ['network error'],
-    ['internal server error'],
+    ['network'],
+    ['server'],
  ])('errors if POSTing WebAuthn credentials fails (%s)', (errorType, done) => {
    jest.spyOn(window, 'fetch')
      .mockImplementationOnce((_url) => {
@@ -210,12 +217,10 @@ describe('Authenticate with security key', () => {
    jest.spyOn(window, 'fetch').mockImplementationOnce((_url) => {
      // subsequent POST of credential data to server
      switch (errorType) {
-        case 'network error':
+        case 'network':
          return Promise.reject('error')
-        case 'internal server error':
-          // dont need this becuase we dont cbor return errors
-          const message = Promise.reject('encoding error')
-          return Promise.resolve({ ok: false, arrayBuffer: () => message, statusText: 'error' })
+        case 'server':
+          return Promise.resolve({ ok: false, statusText: 'FORBIDDEN' })
      }
    })

@@ -229,9 +234,8 @@ describe('Authenticate with security key', () => {


  test('reloads page if POSTing WebAuthn credentials returns 403', (done) => {
-    jest.spyOn(window, 'fetch')
-      .mockImplementationOnce((_url) => {
-        const webauthnOptions = window.CBOR.encode('someArbitraryOptions')
+    jest.spyOn(window, 'fetch').mockImplementationOnce((_url) => {
+      const webauthnOptions = window.CBOR.encode('someArbitraryOptions')

        return Promise.resolve({
          ok: true, arrayBuffer: () => webauthnOptions
--- a/tests/javascripts/registerSecurityKey.test.js
+++ b/tests/javascripts/registerSecurityKey.test.js
@@ -107,9 +107,8 @@ describe('Register security key', () => {
  })

  test.each([
-    ['network error'],
-    ['internal server error'],
-    ['bad request'],
+    ['network'],
+    ['server'],
  ])('errors if sending WebAuthn credentials fails (%s)', (errorType, done) => {

    jest.spyOn(window, 'fetch').mockImplementationOnce((_url) => {
@@ -129,14 +128,10 @@ describe('Register security key', () => {
    jest.spyOn(window, 'fetch').mockImplementationOnce((_url) => {
      // subsequent POST of credential data to server
      switch (errorType) {
-        case 'network error':
+        case 'network':
          return Promise.reject('error')
-        case 'bad request':
-          message = Promise.resolve(window.CBOR.encode('error'))
-          return Promise.resolve({ ok: false, arrayBuffer: () => message })
-        case 'internal server error':
-          message = Promise.reject('encoding error')
-          return Promise.resolve({ ok: false, arrayBuffer: () => message, statusText: 'error' })
+        case 'server':
+          return Promise.resolve({ ok: false, statusText: 'FORBIDDEN' })
      }
    })