import { WebauthnUtils } from "../utils/webauthn-utils";
import { MessageType } from "./messaging/message";
import { Messenger } from "./messaging/messenger";
(function (globalContext) {
// Only run in HTML documents served over HTTPS, or over plain HTTP from
// localhost. This mirrors the secure-context rule WebAuthn itself applies, so
// navigator.credentials is never patched on other origins.
const pageDocument = globalContext.document;
const { protocol, hostname } = pageDocument.location;
const isLocalhostOverHttp = protocol === "http:" && hostname === "localhost";
const shouldExecuteContentScript =
  pageDocument.contentType === "text/html" && (protocol === "https:" || isLocalhostOverHttp);
if (!shouldExecuteContentScript) {
  return;
}
// Keep handles to the native WebAuthn surface as found at load time. They serve
// pass-through/fallback calls and let destroy() put the page back as it was.
const BrowserNavigatorCredentials = navigator.credentials;
const BrowserPublicKeyCredential = globalContext.PublicKeyCredential;
const BrowserAuthenticatorAttestationResponse = globalContext.AuthenticatorAttestationResponse;
// `!= null` matches both null and undefined.
const browserNativeWebauthnSupport = globalContext.PublicKeyCredential != null;
// Filled in asynchronously once the platform-authenticator check below resolves.
let browserNativeWebauthnPlatformAuthenticatorSupport = false;
if (browserNativeWebauthnSupport) {
  // Native WebAuthn exists; find out whether a platform authenticator does too.
  // When it does not, advertise one anyway so pages still offer passkey flows,
  // which the extension then serves through the patched create/get below.
  const availabilityCheck =
    BrowserPublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
  void availabilityCheck.then((available) => {
    browserNativeWebauthnPlatformAuthenticatorSupport = available;
    if (available) {
      return;
    }
    // Polyfill platform authenticator support
    globalContext.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable = () =>
      Promise.resolve(true);
  });
} else {
  // No native WebAuthn at all: install a minimal polyfill so feature detection on
  // the page succeeds. The stub create/get reject until they are replaced by the
  // extension's implementations further down.
  const unsupportedMessage = "Webauthn not supported in this browser.";
  try {
    // credentials are read-only if supported, use type-casting to force assignment
    (navigator as any).credentials = {
      async create() {
        throw new Error(unsupportedMessage);
      },
      async get() {
        throw new Error(unsupportedMessage);
      },
    };
    globalContext.PublicKeyCredential = class PolyfillPublicKeyCredential {
      static isUserVerifyingPlatformAuthenticatorAvailable() {
        return Promise.resolve(true);
      }
    } as any;
    globalContext.AuthenticatorAttestationResponse =
      class PolyfillAuthenticatorAttestationResponse {} as any;
  } catch {
    // Assignment may throw; swallowed deliberately so the page keeps whatever it already had.
  }
}
// Bound copies of the native create/get so calls can still be forwarded to the
// browser after navigator.credentials has been patched. When the polyfill above
// is active these are its rejecting stubs.
const nativeCredentials = navigator.credentials;
const browserCredentials = {
  create: nativeCredentials.create.bind(nativeCredentials) as typeof navigator.credentials.create,
  get: nativeCredentials.get.bind(nativeCredentials) as typeof navigator.credentials.get,
};
// Channel to the extension; every intercepted WebAuthn request travels through it.
const messenger = Messenger.forDOMCommunication(window);
// State shared between waitForFocus() and clearWaitForFocus().
let waitForFocusTimeout: number | NodeJS.Timeout;
let focusListenerHandler: () => void;
// Intercept the page's WebAuthn calls (the function declarations below are hoisted).
navigator.credentials.create = createWebAuthnCredential;
navigator.credentials.get = getWebAuthnCredential;
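/**
 * Creates a new webauthn credential.
 *
 * WebAuthn calls (options carrying a `publicKey` member) are forwarded to the
 * extension through the messenger; anything else goes straight to the browser's
 * native implementation. If the extension rejects with an error carrying
 * `fallbackRequested` and the browser can serve the request itself, the call is
 * retried natively once the window has focus.
 *
 * @param options Options for creating new credentials.
 * @returns Promise that resolves to the new credential object.
 * @throws Error when the extension answers with an unexpected message type, or
 *   whatever the extension/browser rejected with when no fallback applies.
 */
async function createWebAuthnCredential(
  options?: CredentialCreationOptions,
): Promise<Credential> {
  if (!isWebauthnCall(options)) {
    return await browserCredentials.create(options);
  }
  // A "platform" attachment can only fall back to the browser when a native
  // platform authenticator was detected; other attachments just need native WebAuthn.
  const authenticatorAttachmentIsPlatform =
    options?.publicKey?.authenticatorSelection?.authenticatorAttachment === "platform";
  const fallbackSupported =
    (authenticatorAttachmentIsPlatform && browserNativeWebauthnPlatformAuthenticatorSupport) ||
    (!authenticatorAttachmentIsPlatform && browserNativeWebauthnSupport);
  try {
    const response = await messenger.request(
      {
        type: MessageType.CredentialCreationRequest,
        data: WebauthnUtils.mapCredentialCreationOptions(options, fallbackSupported),
      },
      options?.signal,
    );
    if (response.type !== MessageType.CredentialCreationResponse) {
      throw new Error("Something went wrong.");
    }
    return WebauthnUtils.mapCredentialRegistrationResult(response.result);
  } catch (error: unknown) {
    // The catch binding is `unknown` under strict settings; narrow before reading
    // `fallbackRequested` instead of relying on an implicit `any`.
    const fallbackRequested =
      error != null && Boolean((error as { fallbackRequested?: unknown }).fallbackRequested);
    if (fallbackRequested && fallbackSupported) {
      await waitForFocus();
      return await browserCredentials.create(options);
    }
    throw error;
  }
}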
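/**
 * Retrieves a webauthn credential.
 *
 * WebAuthn calls (options carrying a `publicKey` member) go to the extension via
 * the messenger; other calls pass straight through to the browser. With
 * `mediation: "conditional"` the extension and the browser are both asked and the
 * first to settle wins, the other request being aborted. Otherwise a single
 * extension request is made, with a native retry when the extension reports
 * `fallbackRequested` and native WebAuthn is available.
 *
 * @param options Options for requesting an existing credential (assertion).
 * @returns Promise that resolves to the asserted credential object.
 * @throws Error when the extension answers with an unexpected message type, or
 *   whatever the extension/browser rejected with when no fallback applies.
 */
async function getWebAuthnCredential(options?: CredentialRequestOptions): Promise<Credential> {
  if (!isWebauthnCall(options)) {
    return await browserCredentials.get(options);
  }
  // Always have a signal to relay page-side aborts through, even when none was passed.
  const abortSignal = options?.signal ?? new AbortController().signal;
  const fallbackSupported = browserNativeWebauthnSupport;
  if (options?.mediation === "conditional") {
    // Conditional UI: race the extension against the browser's own autofill.
    // One controller per racer so the loser can be cancelled independently.
    const internalAbortControllers = [new AbortController(), new AbortController()];
    const bitwardenResponse = async (internalAbortController: AbortController) => {
      try {
        // NOTE(review): AbortSignal.prototype.toString() appears to give a constant
        // "[object AbortSignal]" rather than a per-request id — confirm what the
        // receiver keys the abort on.
        const abortListener = () =>
          messenger.request({
            type: MessageType.AbortRequest,
            abortedRequestId: abortSignal.toString(),
          });
        internalAbortController.signal.addEventListener("abort", abortListener);
        const response = await messenger.request(
          {
            type: MessageType.CredentialGetRequest,
            data: WebauthnUtils.mapCredentialRequestOptions(options, fallbackSupported),
          },
          internalAbortController.signal,
        );
        internalAbortController.signal.removeEventListener("abort", abortListener);
        if (response.type !== MessageType.CredentialGetResponse) {
          throw new Error("Something went wrong.");
        }
        return WebauthnUtils.mapCredentialAssertResult(response.result);
      } catch {
        // Ignoring error: this racer resolves to undefined instead.
        // NOTE(review): an undefined result still wins the race below and aborts
        // the browser's request — confirm that is intended for non-abort failures.
      }
    };
    const browserResponse = (internalAbortController: AbortController) =>
      browserCredentials.get({ ...options, signal: internalAbortController.signal });
    // A page-side abort cancels both racers.
    const abortListener = () => {
      internalAbortControllers.forEach((controller) => controller.abort());
    };
    abortSignal.addEventListener("abort", abortListener);
    try {
      return await Promise.race([
        bitwardenResponse(internalAbortControllers[0]),
        browserResponse(internalAbortControllers[1]),
      ]);
    } finally {
      // Runs on rejection too, so a failed racer never leaves the other request
      // or the page-side abort listener dangling.
      abortSignal.removeEventListener("abort", abortListener);
      internalAbortControllers.forEach((controller) => controller.abort());
    }
  }
  try {
    const response = await messenger.request(
      {
        type: MessageType.CredentialGetRequest,
        data: WebauthnUtils.mapCredentialRequestOptions(options, fallbackSupported),
      },
      options?.signal,
    );
    if (response.type !== MessageType.CredentialGetResponse) {
      throw new Error("Something went wrong.");
    }
    return WebauthnUtils.mapCredentialAssertResult(response.result);
  } catch (error: unknown) {
    // The catch binding is `unknown` under strict settings; narrow before reading
    // `fallbackRequested` instead of relying on an implicit `any`.
    const fallbackRequested =
      error != null && Boolean((error as { fallbackRequested?: unknown }).fallbackRequested);
    if (fallbackRequested && fallbackSupported) {
      await waitForFocus();
      return await browserCredentials.get(options);
    }
    throw error;
  }
}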
/**
 * Tells WebAuthn requests apart from other Credential Management calls: only
 * options carrying a `publicKey` member are routed to the extension.
 *
 * Returns `options` itself (i.e. `undefined`) when no options were given, so
 * callers should treat the result as truthy/falsy rather than strictly boolean.
 */
function isWebauthnCall(options?: CredentialCreationOptions | CredentialRequestOptions) {
  if (!options) {
    return options;
  }
  return "publicKey" in options;
}
/**
 * Wait for window to be focused.
 * Safari doesn't allow scripts to trigger webauthn when window is not focused.
 *
 * @param fallbackWait How long to wait when the script is not able to add event listeners to `window.top`. Defaults to 500ms.
 * @param timeout Maximum time to wait for focus in milliseconds. Defaults to 5 minutes.
 * @returns Promise that resolves when window is focused, or rejects if timeout is reached.
 */
async function waitForFocus(fallbackWait = 500, timeout = 5 * 60 * 1000) {
  let topHasFocus: boolean;
  try {
    topHasFocus = globalContext.top.document.hasFocus();
  } catch {
    // Cannot access window.top due to cross-origin frame, fallback to waiting
    await new Promise((resolve) => globalContext.setTimeout(resolve, fallbackWait));
    return;
  }
  if (topHasFocus) {
    return;
  }
  // The listener and the timer live in shared state so clearWaitForFocus() can
  // tear both down no matter which one settles first.
  const focused = new Promise<void>((resolve) => {
    focusListenerHandler = () => resolve();
    globalContext.top.addEventListener("focus", focusListenerHandler);
  });
  const timedOut = new Promise<void>((_, reject) => {
    const abortError = () =>
      new DOMException("The operation either timed out or was not allowed.", "AbortError");
    waitForFocusTimeout = globalContext.setTimeout(() => reject(abortError()), timeout);
  });
  try {
    await Promise.race([focused, timedOut]);
  } finally {
    clearWaitForFocus();
  }
}
/**
 * Tears down whatever waitForFocus() registered: the focus listener on
 * `window.top` and the timeout timer. Removing an absent listener or clearing
 * an already-fired timer is a no-op, so repeated calls are harmless.
 */
function clearWaitForFocus() {
  const topWindow = globalContext.top;
  topWindow.removeEventListener("focus", focusListenerHandler);
  if (!waitForFocusTimeout) {
    return;
  }
  globalContext.clearTimeout(waitForFocusTimeout);
}
/**
 * Restores the page's original WebAuthn surface and releases resources.
 *
 * With native support only the two patched methods are put back; with the
 * polyfill, the saved navigator.credentials / PublicKeyCredential /
 * AuthenticatorAttestationResponse objects are reinstated. Teardown errors are
 * swallowed on purpose so a failing restore never surfaces into the page.
 */
function destroy() {
  const restoreNativeWebauthn = () => {
    if (!browserNativeWebauthnSupport) {
      (navigator as any).credentials = BrowserNavigatorCredentials;
      globalContext.PublicKeyCredential = BrowserPublicKeyCredential;
      globalContext.AuthenticatorAttestationResponse = BrowserAuthenticatorAttestationResponse;
      return;
    }
    navigator.credentials.create = browserCredentials.create;
    navigator.credentials.get = browserCredentials.get;
  };
  try {
    restoreNativeWebauthn();
    clearWaitForFocus();
    void messenger.destroy();
  } catch {
    // Best effort: teardown failures are deliberately ignored.
  }
}
/**
 * Sets up a listener to handle cleanup or reconnection when the extension's
 * context changes due to being reloaded or unloaded.
 */
messenger.handler = (message) => {
  // Handle cleanup for disconnect request; any other message type is ignored here.
  if (message.type !== MessageType.DisconnectRequest) {
    return;
  }
  destroy();
};
})(globalThis);