From d6fead7c0483b84ad9771cb76f74b58055023e66 Mon Sep 17 00:00:00 2001
From: Pea Tyczynska
Date: Tue, 11 May 2021 16:04:39 +0100
Subject: [PATCH] On update, check that webauthn credential belongs to user
---
 app/webauthn/rest.py            | 12 ++++++++++--
 tests/app/webauthn/test_rest.py | 21 +++++++++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/app/webauthn/rest.py b/app/webauthn/rest.py
index 0342a1523..6ce7bb6bf 100644
--- a/app/webauthn/rest.py
+++ b/app/webauthn/rest.py
@@ -45,6 +45,10 @@ def update_webauthn_credential(user_id, webauthn_credential_id):
     webauthn_credential = dao_get_webauthn_credential_by_id(webauthn_credential_id)
+    user = get_user_by_id(user_id)
+
+    check_credential_belongs_to_user(webauthn_credential.user_id, user.id)
+
     dao_update_webauthn_credential_name(webauthn_credential, data['name'])
     return jsonify(data=webauthn_credential.serialize()), 200
@@ -55,8 +59,7 @@ def delete_webauthn_credential(user_id, webauthn_credential_id):
     webauthn_credential = dao_get_webauthn_credential_by_id(webauthn_credential_id)
     user = get_user_by_id(user_id)
-    if webauthn_credential.user_id != user.id:
-        raise InvalidRequest('Webauthn credential does not belong to this user', status_code=400)
+    check_credential_belongs_to_user(webauthn_credential.user_id, user.id)
     if len(user.webauthn_credentials) == 1:
         raise InvalidRequest('Cannot delete last remaining webauthn credential for user', status_code=400)
@@ -64,3 +67,8 @@ def delete_webauthn_credential(user_id, webauthn_credential_id):
     dao_delete_webauthn_credential(webauthn_credential)
     return '', 204
+
+
+def check_credential_belongs_to_user(credential_user_id, user_id):
+    if credential_user_id != user_id:
+        raise InvalidRequest('Webauthn credential does not belong to this user', status_code=400)
diff --git a/tests/app/webauthn/test_rest.py b/tests/app/webauthn/test_rest.py
index 0838e52e2..7c9404271 100644
--- a/tests/app/webauthn/test_rest.py
+++ b/tests/app/webauthn/test_rest.py
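Review bot: In update_webauthn_credential the ownership check runs only after the credential has been loaded by its id alone, so the guarantee depends on every current and future caller remembering to call check_credential_belongs_to_user; a lookup scoped to both ids would make a cross-user hit impossible by construction. Consider having the DAO lookup take the owner as well, e.g. `webauthn_credential = dao_get_webauthn_credential_by_id(webauthn_credential_id, user_id)` filtering on both columns, and keep the helper as a belt-and-braces check. The start of the function, including where `data` is validated, is outside this hunk, so I cannot confirm nothing else touches the credential before the check. Whether get_user_by_id raises on an unknown user is not visible here either; if it can return None, the `user.id` access would surface as a 500 rather than a clean 4xx.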
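Review bot: check_credential_belongs_to_user has no docstring, and answering a mismatch with a distinct 400 and a message naming the reason tells a caller that the credential id exists under a different user, which is an enumeration oracle if this endpoint is ever reachable by non-admin clients (the tests use admin_request, so it may be internal-only, worth confirming). I would add `"""Raise InvalidRequest(400) unless credential_user_id equals user_id; call before any mutation of the credential."""` and consider answering a wrong owner exactly as the not-found path does, so the two cases are indistinguishable from outside. The `!=` comparison fails closed if the two ids ever arrive as different types (str versus UUID), which is the safe direction; both visible call sites pass `user.id` from a fetched user, so that looks fine here.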
@@ -131,6 +131,27 @@ def test_update_webauthn_credential_errors_if_webauthn_credential_doesnt_exist(a
     )
+def test_update_webauthn_credential_errors_if_user_id_doesnt_match(admin_request, notify_db_session):
+    user_1 = create_user(email='1')
+    user_2 = create_user(email='2')
+    cred_1a = create_webauthn_credential(user_1)  # noqa
+    cred_1b = create_webauthn_credential(user_1)  # noqa
+    cred_2a = create_webauthn_credential(user_2)
+    cred_2b = create_webauthn_credential(user_2)  # noqa
+
+    response = admin_request.post(
+        'webauthn.update_webauthn_credential',
+        user_id=user_1.id,
+        webauthn_credential_id=cred_2a.id,
+        _data={
+            'name': 'new key name',
+        },
+        _expected_status=400
+    )
+
+    assert response['message'] == 'Webauthn credential does not belong to this user'
+
+
 def test_delete_webauthn_credential_returns_204(admin_request, sample_user):
     cred1 = create_webauthn_credential(sample_user)
     cred2 = create_webauthn_credential(sample_user)
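Review bot: The new test only checks the error message; it never verifies that cred_2a was left untouched, which is the property the ownership check exists to protect. After the request I would add `assert cred_2a.name != 'new key name'`, re-fetching the credential by id first if the session has expired the instance (the fixtures and DB session handling are outside this hunk, so I cannot tell). The `# noqa` on cred_1a, cred_1b and cred_2b suggests they exist only to give both users several credentials; a short comment such as `# extra credentials for both users so a match cannot happen by accident` would record why they are created.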