Bug 1537552 - Web Authentication - isUserVerifyingPlatformAuthenticatorAvailable should return false r=keeler

The WebAuthn spec changed from the days of https://bugzilla.mozilla.org/show_bug.cgi?id=1406468#c1. Now the spec says, if there are no user-verifying platform authenticators available [0]: > Otherwise, the promise is resolved with the value of `false` ...so we should resolve false instead of never resolving. [0] https://w3c.github.io/webauthn/#abortoperation Differential Revision: https://phabricator.services.mozilla.com/D24266 --HG-- extra : moz-landing-system : lando
2019-03-26 23:42:28 +00:00 · 2019-03-26 23:42:28 +00:00 · ee356ad019
--- a/dom/webauthn/PublicKeyCredential.cpp
+++ b/dom/webauthn/PublicKeyCredential.cpp
@ -89,27 +89,18 @@ PublicKeyCredential::IsUserVerifyingPlatformAuthenticatorAvailable(

 // https://w3c.github.io/webauthn/#isUserVerifyingPlatformAuthenticatorAvailable
 //
-// If on latest windows, call system APIs, otherwise
-// We currently implement no platform authenticators, so this would always
-// resolve to false. For those cases, the spec recommends a resolve timeout
-// on the order of 10 minutes to avoid fingerprinting.
-//
-// A simple solution is thus to never resolve the promise, otherwise we'd
-// have to track every single call to this method along with a promise
-// and timer to resolve it after exactly X minutes.
-//
-// A Relying Party has to deal with a non-response in a timely fashion, so
-// we can keep this as-is (and not resolve) even when we support platform
-// authenticators but they're not available, or a user rejects a website's
-// request to use them.
+// If on latest windows, call system APIs, otherwise return false, as we don't
+// have other UVPAAs available at this time.
 #ifdef OS_WIN

  if (WinWebAuthnManager::IsUserVerifyingPlatformAuthenticatorAvailable()) {
    promise->MaybeResolve(true);
+    return promise.forget();
  }

 #endif

+  promise->MaybeResolve(false);
  return promise.forget();
 }

--- a/dom/webauthn/tests/test_webauthn_isplatformauthenticatoravailable.html
+++ b/dom/webauthn/tests/test_webauthn_isplatformauthenticatoravailable.html
@ -24,26 +24,19 @@ SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPrefEnv({"set": [["security.webauth.webauthn", true],
                                   ["security.webauth.webauthn_enable_softtoken", true],
                                   ["security.webauth.webauthn_enable_usbtoken", false]]},
-function() {
+async function() {
  // This test ensures that isUserVerifyingPlatformAuthenticatorAvailable()
-  // is a callable method, but we currently can't test that it works in an
-  // automated way. If it resolves to false, per spec, we SHOULD wait
-  // ~10 minutes before resolving.
-  let p1 = PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
+  // is a callable method, but with the softtoken enabled, it's not useful to
+  // figure out what it actually returns, so we'll just make sure it runs.
+  await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
  .then(function(aResult) {
-    ok(false, "We shouldn't get here.");
+    ok(true, "Resolved: " + aResult);
  })
  .catch(function(aProblem) {
    ok(false, "Problem encountered: " + aProblem);
  });

-  // Finish on the next tick.
-  let p2 = Promise.resolve();
-
-  Promise.race([p1, p2]).then(function() {
-    ok(true, "isUserVerifyingPlatformAuthenticatorAvailable() is callable");
-    SimpleTest.finish();
-  });
+  SimpleTest.finish();
 });

 </script>