On update, check that webauthn credential belongs to user

2025-12-24 01:11:38 -05:00 · 2021-05-11 16:04:39 +01:00
parent e6291187ba
commit d6fead7c04
2 changed files with 31 additions and 2 deletions
--- a/tests/app/webauthn/test_rest.py
+++ b/tests/app/webauthn/test_rest.py
@@ -131,6 +131,27 @@ def test_update_webauthn_credential_errors_if_webauthn_credential_doesnt_exist(a
    )


+def test_update_webauthn_credential_errors_if_user_id_doesnt_match(admin_request, notify_db_session):
+    user_1 = create_user(email='1')
+    user_2 = create_user(email='2')
+    cred_1a = create_webauthn_credential(user_1)  # noqa
+    cred_1b = create_webauthn_credential(user_1)  # noqa
+    cred_2a = create_webauthn_credential(user_2)
+    cred_2b = create_webauthn_credential(user_2)  # noqa
+
+    response = admin_request.post(
+        'webauthn.update_webauthn_credential',
+        user_id=user_1.id,
+        webauthn_credential_id=cred_2a.id,
+        _data={
+            'name': 'new key name',
+        },
+        _expected_status=400
+    )
+
+    assert response['message'] == 'Webauthn credential does not belong to this user'
+
+
 def test_delete_webauthn_credential_returns_204(admin_request, sample_user):
    cred1 = create_webauthn_credential(sample_user)
    cred2 = create_webauthn_credential(sample_user)