From f2c9f8aaa83f187abdb957ccdaa0326dfd8e3bea Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Tue, 19 Mar 2024 18:13:35 +0100
Subject: [PATCH] Fix missing admin permissions on WebAuthn login - Closes #326
---
 .../Auth/WebAuthnLoginController.php | 3 ++
 tests/Feature/Http/Auth/LoginTest.php | 32 +++++++++--
 .../Http/Auth/WebAuthnLoginControllerTest.php | 53 +++++++++++++++++--
 3 files changed, 79 insertions(+), 9 deletions(-)
diff --git a/app/Http/Controllers/Auth/WebAuthnLoginController.php b/app/Http/Controllers/Auth/WebAuthnLoginController.php
index 2f8a1ed6..7bc4d817 100644
--- a/app/Http/Controllers/Auth/WebAuthnLoginController.php
+++ b/app/Http/Controllers/Auth/WebAuthnLoginController.php
@@ -147,8 +147,11 @@ protected function sendLoginResponse(WebauthnAssertedRequest $request)
 return response()->json([
 'message' => 'authenticated',
+ 'id' => $user->id,
 'name' => $user->name,
+ 'email' => $user->email,
 'preferences' => $user->preferences,
+ 'is_admin' => $user->isAdministrator(),
 ], Response::HTTP_OK);
 }
diff --git a/tests/Feature/Http/Auth/LoginTest.php b/tests/Feature/Http/Auth/LoginTest.php
index f10ceea3..ca85c984 100644
--- a/tests/Feature/Http/Auth/LoginTest.php
+++ b/tests/Feature/Http/Auth/LoginTest.php
@@ -28,6 +28,11 @@ class LoginTest extends FeatureTestCase
 */
 protected $user;
+ /**
+ * @var \App\Models\User|\Illuminate\Contracts\Auth\Authenticatable
+ */
+ protected $admin;
+
 private const PASSWORD = 'password';
 private const WRONG_PASSWORD = 'wrong_password';
@@ -39,7 +44,8 @@ public function setUp() : void
 {
 parent::setUp();
- $this->user = User::factory()->create();
+ $this->user = User::factory()->create();
+ $this->admin = User::factory()->administrator()->create();
 }
 /**
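Review bot: The login payload in sendLoginResponse is assembled by hand here and, judging by the LoginTest changes that assert the same `id`/`email`/`is_admin` keys on `/user/login`, separately again in the password login path; that duplication is how the WebAuthn response fell out of sync in the first place. Consider moving the array into one shared helper or JsonResource that both controllers return, so the next field is added once, and state the contract on the array: `// Same payload as the password login; is_admin is a client-side hint only, admin routes must stay authorized server-side.` sendLoginResponse begins before this hunk and $user is resolved above it, so the rest of the method was not reviewed.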
@@ -53,16 +59,32 @@ public function test_user_login_returns_success()
 ])
 ->assertOk()
 ->assertJsonFragment([
- 'message' => 'authenticated',
- 'name' => $this->user->name,
+ 'message' => 'authenticated',
+ 'id' => $this->user->id,
+ 'name' => $this->user->name,
+ 'email' => $this->user->email,
+ 'is_admin' => false,
 ])
 ->assertJsonStructure([
- 'message',
- 'name',
 'preferences',
 ]);
 }
+ /**
+ * @test
+ */
+ public function test_admin_login_returns_admin_role()
+ {
+ $response = $this->json('POST', '/user/login', [
+ 'email' => $this->admin->email,
+ 'password' => self::PASSWORD,
+ ])
+ ->assertOk()
+ ->assertJsonFragment([
+ 'is_admin' => true,
+ ]);
+ }
+
 /**
 * @test
 *
diff --git a/tests/Feature/Http/Auth/WebAuthnLoginControllerTest.php b/tests/Feature/Http/Auth/WebAuthnLoginControllerTest.php
index 536cee50..5b0bc936 100644
--- a/tests/Feature/Http/Auth/WebAuthnLoginControllerTest.php
+++ b/tests/Feature/Http/Auth/WebAuthnLoginControllerTest.php
@@ -25,6 +25,11 @@ class WebAuthnLoginControllerTest extends FeatureTestCase
 */
 protected $user;
+ /**
+ * @var \App\Models\User
+ */
+ protected $admin;
+
 const CREDENTIAL_ID = 's06aG41wsIYh5X1YUhB-SlH8y3F2RzdJZVse8iXRXOCd3oqQdEyCOsBawzxrYBtJRQA2azAMEN_q19TUp6iMgg';
 const CREDENTIAL_ID_ALT = '-VOLFKPY-_FuMI_sJ7gMllK76L3VoRUINj6lL_Z3qDg';
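Review bot: `$response` in test_admin_login_returns_admin_role is assigned but never read; the WebAuthn admin test in the same patch chains the assertions without a local, so drop the assignment and start the statement with `$this->json('POST', '/user/login', [`. The new test also only pins `is_admin`, so it would still pass if the request authenticated some other admin account; adding `'id' => $this->admin->id,` next to `'is_admin' => true,` ties the flag to the account that logged in. Dropping `'message'` and `'name'` from assertJsonStructure loses nothing, since assertJsonFragment above now checks their values. As a minor consistency point, the new `$admin` property is documented as `\App\Models\User|\Illuminate\Contracts\Auth\Authenticatable` in LoginTest but as plain `\App\Models\User` in WebAuthnLoginControllerTest; pick one form for both.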
@@ -125,16 +130,56 @@ public function test_webauthn_login_returns_success()
 $this->json('POST', '/webauthn/login', self::ASSERTION_RESPONSE)
 ->assertOk()
 ->assertJsonFragment([
- 'message' => 'authenticated',
- 'name' => $this->user->name,
+ 'message' => 'authenticated',
+ 'id' => $this->user->id,
+ 'name' => $this->user->name,
+ 'email' => $this->user->email,
+ 'is_admin' => false,
 ])
 ->assertJsonStructure([
- 'message',
- 'name',
 'preferences',
 ]);
 }
+ /**
+ * @test
+ */
+ public function test_webauthn_admin_login_returns_admin_role()
+ {
+ $this->admin = User::factory()->administrator()->create(['email' => self::EMAIL]);
+
+ DB::table('webauthn_credentials')->insert([
+ 'id' => self::CREDENTIAL_ID_ALT,
+ 'authenticatable_type' => \App\Models\User::class,
+ 'authenticatable_id' => $this->admin->id,
+ 'user_id' => self::USER_ID_ALT,
+ 'counter' => 0,
+ 'rp_id' => 'http://localhost',
+ 'origin' => 'http://localhost',
+ 'aaguid' => '00000000-0000-0000-0000-000000000000',
+ 'attestation_format' => 'none',
+ 'public_key' => self::PUBLIC_KEY,
+ 'updated_at' => now(),
+ 'created_at' => now(),
+ ]);
+
+ $this->session(['_webauthn' => new \Laragear\WebAuthn\Challenge(
+ new \Laragear\WebAuthn\ByteBuffer(base64_decode(self::ASSERTION_CHALLENGE)),
+ 60,
+ false,
+ )]);
+
+ $this->mock(AssertionValidator::class)
+ ->expects('send->thenReturn')
+ ->andReturn();
+
+ $this->json('POST', '/webauthn/login', self::ASSERTION_RESPONSE)
+ ->assertOk()
+ ->assertJsonFragment([
+ 'is_admin' => true,
+ ]);
+ }
+
 /**
 * @test
 */
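Review bot: The new test_webauthn_admin_login_returns_admin_role repeats the whole credential insert, the session challenge and the AssertionValidator mock that test_webauthn_login_returns_success presumably already sets up outside this hunk; a small private helper that seeds a credential for a given user (and, if the sibling test allows, one for the challenge and mock) would leave each test with only what differs. Because `expects('send->thenReturn')` stubs the validator, nothing here verifies the assertion itself, so the response assertion is the only evidence of which account was logged in; adding `'id' => $this->admin->id,` beside `'is_admin' => true,` makes the test fail if the login resolved to the non-admin user created in setUp rather than to `$this->admin`. The seeded `'rp_id' => 'http://localhost'` looks like a copied fixture value; in WebAuthn the RP ID is a host name rather than an origin, which the mocked validator never checks but which is one more reason to keep the fixture in a single place. The enclosing class continues outside the hunk.
```php
    /** Seeds a stored WebAuthn credential bound to $user so the login flow resolves to that account. */
    private function seedCredentialFor(User $user, string $credentialId, string $userId): void
    {
        DB::table('webauthn_credentials')->insert([
            'id' => $credentialId,
            'authenticatable_type' => \App\Models\User::class,
            'authenticatable_id' => $user->id,
            'user_id' => $userId,
            // … unchanged: counter, rp_id, origin, aaguid, attestation_format, public_key, timestamps …
        ]);
    }

    public function test_webauthn_admin_login_returns_admin_role()
    {
        $this->admin = User::factory()->administrator()->create(['email' => self::EMAIL]);
        $this->seedCredentialFor($this->admin, self::CREDENTIAL_ID_ALT, self::USER_ID_ALT);
        // … unchanged: session challenge, AssertionValidator mock …
        $this->json('POST', '/webauthn/login', self::ASSERTION_RESPONSE)
            ->assertOk()
            ->assertJsonFragment([
                'id' => $this->admin->id,
                'is_admin' => true,
            ]);
    }
```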