mirror of
https://github.com/GSA/notifications-api.git
synced 2026-07-09 02:43:55 -04:00
On update, check that webauthn credential belongs to user
This commit is contained in:
committed by
Leo Hemsted
parent
e6291187ba
commit
d6fead7c04
@@ -45,6 +45,10 @@ def update_webauthn_credential(user_id, webauthn_credential_id):
|
||||
|
||||
webauthn_credential = dao_get_webauthn_credential_by_id(webauthn_credential_id)
|
||||
|
||||
user = get_user_by_id(user_id)
|
||||
|
||||
check_credential_belongs_to_user(webauthn_credential.user_id, user.id)
|
||||
|
||||
dao_update_webauthn_credential_name(webauthn_credential, data['name'])
|
||||
|
||||
return jsonify(data=webauthn_credential.serialize()), 200
|
||||
@@ -55,8 +59,7 @@ def delete_webauthn_credential(user_id, webauthn_credential_id):
|
||||
webauthn_credential = dao_get_webauthn_credential_by_id(webauthn_credential_id)
|
||||
user = get_user_by_id(user_id)
|
||||
|
||||
if webauthn_credential.user_id != user.id:
|
||||
raise InvalidRequest('Webauthn credential does not belong to this user', status_code=400)
|
||||
check_credential_belongs_to_user(webauthn_credential.user_id, user.id)
|
||||
|
||||
if len(user.webauthn_credentials) == 1:
|
||||
raise InvalidRequest('Cannot delete last remaining webauthn credential for user', status_code=400)
|
||||
@@ -64,3 +67,8 @@ def delete_webauthn_credential(user_id, webauthn_credential_id):
|
||||
dao_delete_webauthn_credential(webauthn_credential)
|
||||
|
||||
return '', 204
|
||||
|
||||
|
||||
def check_credential_belongs_to_user(credential_user_id, user_id):
|
||||
if credential_user_id != user_id:
|
||||
raise InvalidRequest('Webauthn credential does not belong to this user', status_code=400)
|
||||
|
||||
@@ -131,6 +131,27 @@ def test_update_webauthn_credential_errors_if_webauthn_credential_doesnt_exist(a
|
||||
)
|
||||
|
||||
|
||||
def test_update_webauthn_credential_errors_if_user_id_doesnt_match(admin_request, notify_db_session):
|
||||
user_1 = create_user(email='1')
|
||||
user_2 = create_user(email='2')
|
||||
cred_1a = create_webauthn_credential(user_1) # noqa
|
||||
cred_1b = create_webauthn_credential(user_1) # noqa
|
||||
cred_2a = create_webauthn_credential(user_2)
|
||||
cred_2b = create_webauthn_credential(user_2) # noqa
|
||||
|
||||
response = admin_request.post(
|
||||
'webauthn.update_webauthn_credential',
|
||||
user_id=user_1.id,
|
||||
webauthn_credential_id=cred_2a.id,
|
||||
_data={
|
||||
'name': 'new key name',
|
||||
},
|
||||
_expected_status=400
|
||||
)
|
||||
|
||||
assert response['message'] == 'Webauthn credential does not belong to this user'
|
||||
|
||||
|
||||
def test_delete_webauthn_credential_returns_204(admin_request, sample_user):
|
||||
cred1 = create_webauthn_credential(sample_user)
|
||||
cred2 = create_webauthn_credential(sample_user)
|
||||
|
||||
Reference in New Issue
Block a user