tweak webauthn rest errors

simplify logic by changing the dao function to require a user id and a webauthn cred id. Note that this changes the response from a 400 to a 404 if the cred is for a different user than the supplied id. give a minimum length to the text fields in POSTS to create/update a credential to avoid surprising unexpected edge cases involving empty string names etc.
2026-01-16 07:31:14 -05:00 · 2021-05-12 15:34:37 +01:00
parent d6fead7c04
commit c190886bfe
4 changed files with 60 additions and 47 deletions
--- a/tests/app/webauthn/test_rest.py
+++ b/tests/app/webauthn/test_rest.py
@@ -1,6 +1,8 @@
 import uuid
 from unittest.mock import ANY

+import pytest
+
 from tests.app.db import create_user, create_webauthn_credential


@@ -67,20 +69,33 @@ def test_create_webauthn_credential_returns_201(admin_request, sample_user):
    assert response['data']['id'] == str(new_cred.id)


-def test_create_webauthn_credential_errors_if_schema_violation(admin_request, sample_user):
+@pytest.mark.parametrize('data, err_msg', [
+    # missing registration_response
+    (
+        {'name': 'my key', 'credential_data': 'ABC123'},
+        'registration_response is a required property'
+    ),
+    # name is null
+    (
+        {'name': None, 'credential_data': 'ABC123'},
+        'name None is not of type string'
+    ),
+    # name is empty
+    (
+        {'name': '', 'credential_data': 'ABC123'},
+        'name  is too short'
+    ),
+])
+def test_create_webauthn_credential_errors_if_schema_violation(admin_request, sample_user, data, err_msg):
    response = admin_request.post(
        'webauthn.create_webauthn_credential',
        user_id=sample_user.id,
-        _data={
-            'name': 'my key',
-            'credential_data': 'ABC123',
-            # missing registration_response
-        },
+        _data=data,
        _expected_status=400
    )
    assert response['errors'][0] == {
        'error': 'ValidationError',
-        'message': 'registration_response is a required property'
+        'message': err_msg
    }


@@ -100,22 +115,35 @@ def test_update_webauthn_credential_returns_200(admin_request, sample_user):
    assert response['data']['name'] == 'new name'


-def test_update_webauthn_credential_errors_if_schema_violation(admin_request, sample_user):
+@pytest.mark.parametrize('data, err_msg', [
+    # you can't update credential_data
+    (
+        {'name': 'my key', 'credential_data': 'NAUGHTY123'},
+        'Additional properties are not allowed (credential_data was unexpected)'
+    ),
+    # name is null
+    (
+        {'name': None},
+        'name None is not of type string'
+    ),
+    # name is empty
+    (
+        {'name': ''},
+        'name  is too short'
+    ),
+])
+def test_update_webauthn_credential_errors_if_schema_violation(admin_request, sample_user, data, err_msg):
    cred = create_webauthn_credential(sample_user)
    response = admin_request.post(
        'webauthn.update_webauthn_credential',
        user_id=sample_user.id,
        webauthn_credential_id=cred.id,
-        _data={
-            'name': 'my key',
-            # you can't update credential_data
-            'credential_data': 'NAUGHTY123'
-        },
+        _data=data,
        _expected_status=400
    )
    assert response['errors'][0] == {
        'error': 'ValidationError',
-        'message': 'Additional properties are not allowed (credential_data was unexpected)'
+        'message': err_msg
    }


@@ -134,22 +162,19 @@ def test_update_webauthn_credential_errors_if_webauthn_credential_doesnt_exist(a
 def test_update_webauthn_credential_errors_if_user_id_doesnt_match(admin_request, notify_db_session):
    user_1 = create_user(email='1')
    user_2 = create_user(email='2')
-    cred_1a = create_webauthn_credential(user_1)  # noqa
-    cred_1b = create_webauthn_credential(user_1)  # noqa
-    cred_2a = create_webauthn_credential(user_2)
-    cred_2b = create_webauthn_credential(user_2)  # noqa
+    cred_2 = create_webauthn_credential(user_2)

    response = admin_request.post(
        'webauthn.update_webauthn_credential',
        user_id=user_1.id,
-        webauthn_credential_id=cred_2a.id,
+        webauthn_credential_id=cred_2.id,
        _data={
            'name': 'new key name',
        },
-        _expected_status=400
+        _expected_status=404
    )

-    assert response['message'] == 'Webauthn credential does not belong to this user'
+    assert response['message'] == 'No result found'


 def test_delete_webauthn_credential_returns_204(admin_request, sample_user):
@@ -178,16 +203,13 @@ def test_delete_webauthn_credential_errors_if_last_key(admin_request, sample_use
 def test_delete_webauthn_credential_errors_if_user_id_doesnt_match(admin_request, notify_db_session):
    user_1 = create_user(email='1')
    user_2 = create_user(email='2')
-    cred_1a = create_webauthn_credential(user_1)  # noqa
-    cred_1b = create_webauthn_credential(user_1)  # noqa
    cred_2a = create_webauthn_credential(user_2)
-    cred_2b = create_webauthn_credential(user_2)  # noqa

    response = admin_request.delete(
        'webauthn.delete_webauthn_credential',
        user_id=user_1.id,
        webauthn_credential_id=cred_2a.id,
-        _expected_status=400
+        _expected_status=404
    )

-    assert response['message'] == 'Webauthn credential does not belong to this user'
+    assert response['message'] == 'No result found'