Closed WatameBytes closed 4 weeks ago
What is it you want to test? Just your backend API (internal or external), or the entire end-to-end user journey including the frontend?
The library itself is stateless, so you can have tests with hard-coded challenges and corresponding responses. If you're also including an HTTP server layer in the test, you'll need a way to inject the appropriate state into the server, but if you have that, these tests should be easy to do. See RelyingPartyRegistrationSpec
and RelyingPartyAssertionSpec
for some examples.
If you want to test a pair of challenge and response, with randomly generated challenges, you'll need to sign the challenge as part of the test. With default settings, the library doesn't verify attestation and thus doesn't require that you use any particular kind of authenticator - so in your tests you can use a software implementation of an authenticator to generate the signature. There are some tests in the demo application that do this, using some utilities defined in the TestAuthenticator
class in the core module's test suite. TestAuthenticator
isn't exposed as part of the library API, but you're welcome to use it as inspiration if you'd like to make your own software authenticator.
Also, if you do want to require attestation, you can configure the library with your own trust resolver - so you could have your test authenticator generate its own attestation certificate and configure the server with that as a trusted attestation root certificate.
If you want to test the entire end-to-end application, you may want to try the user agent automation for virtual authenticators.
I'm having some trouble with this and hope to get some clarification. Assume we're working directly with the actual application here, without any mocking or stubbing.
Here’s the flow we're working with for creating a Passkey:
My main question is about step 2, signing the challenge. I don't believe this can be done within Postman alone. While I could use an external script or tool to perform the signing and manually input the signed values back into Postman, it seems that Postman itself lacks the capability for these cryptographic operations.
Could you please provide explicit confirmation that Postman alone cannot accomplish this entire flow, given the need for a FIDO authenticator or similar functionality?
Just want to know if I'm wasting my time trying to accomplish the entire flow in Postman or not.
I've not used Postman much and it's been a long time since last I did, so I'm not at all sure about this, but it seems like Postman has some support for scripting in a Node.js sandbox. This sandbox is supposed to include the crypto-js library (maybe also the native Crypto module?), so it seems to me like it should be possible to do this in Postman. You'd need to implement the assertion signing procedure at least. If your application requires attestation, you'll also need to implement an attestation signing procedure and configure the application to trust your test attestation certificate. Beware that Web Crypto (so perhaps also crypto-js and/or node-Crypto) outputs signatures in a different format than that expected in WebAuthn, so you may need to convert them.
If this cannot be done with Postman, or it's not worth the effort, then as noted above a possible workaround could be to somehow inject the challenge state into the application and then submit a hard-coded response to that challenge (one recorded manually, for example).
At the moment, I made a React fronted to test the entire flow, using webautn-json.
I was wondering if there is an easier way of testing the entire flow without me needing to make a frontend? Since we need an authenticator to sign the challenge and the domain has to be set up, so not sure how to go around to achieve this.