On update, check that webauthn credential belongs to user

This commit is contained in:
Pea Tyczynska
2021-05-11 16:04:39 +01:00
committed by Leo Hemsted
parent e6291187ba
commit d6fead7c04
2 changed files with 31 additions and 2 deletions

View File

@@ -45,6 +45,10 @@ def update_webauthn_credential(user_id, webauthn_credential_id):
webauthn_credential = dao_get_webauthn_credential_by_id(webauthn_credential_id)
user = get_user_by_id(user_id)
check_credential_belongs_to_user(webauthn_credential.user_id, user.id)
dao_update_webauthn_credential_name(webauthn_credential, data['name'])
return jsonify(data=webauthn_credential.serialize()), 200
@@ -55,8 +59,7 @@ def delete_webauthn_credential(user_id, webauthn_credential_id):
webauthn_credential = dao_get_webauthn_credential_by_id(webauthn_credential_id)
user = get_user_by_id(user_id)
if webauthn_credential.user_id != user.id:
raise InvalidRequest('Webauthn credential does not belong to this user', status_code=400)
check_credential_belongs_to_user(webauthn_credential.user_id, user.id)
if len(user.webauthn_credentials) == 1:
raise InvalidRequest('Cannot delete last remaining webauthn credential for user', status_code=400)
@@ -64,3 +67,8 @@ def delete_webauthn_credential(user_id, webauthn_credential_id):
dao_delete_webauthn_credential(webauthn_credential)
return '', 204
def check_credential_belongs_to_user(credential_user_id, user_id):
if credential_user_id != user_id:
raise InvalidRequest('Webauthn credential does not belong to this user', status_code=400)

View File

@@ -131,6 +131,27 @@ def test_update_webauthn_credential_errors_if_webauthn_credential_doesnt_exist(a
)
def test_update_webauthn_credential_errors_if_user_id_doesnt_match(admin_request, notify_db_session):
user_1 = create_user(email='1')
user_2 = create_user(email='2')
cred_1a = create_webauthn_credential(user_1) # noqa
cred_1b = create_webauthn_credential(user_1) # noqa
cred_2a = create_webauthn_credential(user_2)
cred_2b = create_webauthn_credential(user_2) # noqa
response = admin_request.post(
'webauthn.update_webauthn_credential',
user_id=user_1.id,
webauthn_credential_id=cred_2a.id,
_data={
'name': 'new key name',
},
_expected_status=400
)
assert response['message'] == 'Webauthn credential does not belong to this user'
def test_delete_webauthn_credential_returns_204(admin_request, sample_user):
cred1 = create_webauthn_credential(sample_user)
cred2 = create_webauthn_credential(sample_user)