Update RPID validation
nsatragno committed Jul 24, 2024
1 parent 134c4c2 commit 2b6558d
Showing 1 changed file with 50 additions and 45 deletions.
95 changes: 50 additions & 45 deletions index.bs
Expand Up @@ -2953,7 +2953,7 @@ value and terminate the operation.

</div>

### Signal Credential Changes to the Authenticator - PublicKeyCredential's [=signal methods=] ### {#sctn-signalMethods}
### Signal Credential Changes to the Authenticator - PublicKeyCredential's [=signal methods=] ### {#sctn-signal-methods}

<xmp class="idl">
partial interface PublicKeyCredential {
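Review bot: Renaming the heading id from `{#sctn-signalMethods}` to `{#sctn-signal-methods}` breaks every existing inbound link and any `[[#sctn-signalMethods]]` cross-reference elsewhere in index.bs; grep for the old id before merging, and consider keeping it reachable as an alias (Bikeshed supports an `oldids` attribute on headings for exactly this case). The kebab-case form itself is the right choice, since it matches the new `{#sctn-signal-methods-async-rp-id-validation}` subsection id introduced in this same change.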
Expand All @@ -2963,18 +2963,18 @@ value and terminate the operation.
};

dictionary UnknownCredentialIdOptions {
required USVString rpId;
required DOMString rpId;
required Base64URLString credentialId;
};

dictionary AllAcceptedCredentialIdsOptions {
required USVString rpId;
required DOMString rpId;
required Base64URLString userId;
required sequence<Base64URLString> allAcceptedCredentialIds;
};

dictionary CurrentUserDetailsOptions {
required USVString rpId;
required DOMString rpId;
required Base64URLString userId;
required DOMString name;
required DOMString displayName;
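Review bot: The `rpId` members of `UnknownCredentialIdOptions`, `AllAcceptedCredentialIdsOptions` and `CurrentUserDetailsOptions` all move from `USVString` to `DOMString` without explanation; the change is consistent with the `{{DOMString}} |rpId|` input declared by the new Asynchronous RP ID validation algorithm, but the rationale should be stated somewhere (commit message or PR description). The practical difference is that a `DOMString` may carry lone surrogates that `USVString` conversion would have replaced with U+FFFD, so after this change the validation algorithm is the only thing standing between such input and the related origins fetch; confirm the `[=is a registrable domain suffix of or is equal to=]` check and the `[$related origins validation procedure$]` both reject it, and check that the `rpId` member of `PublicKeyCredentialRequestOptions` uses the same type so the two surfaces agree.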
Expand Down Expand Up @@ -3008,6 +3008,28 @@ finish executing the [=signal method/authenticator actions=] to protect users
from [=[WRPS]=] gaining information about availability of their credentials
without [=user consent=] from the timing of the request.

#### <dfn abstract-op>Asynchronous RP ID validation algorithm</dfn> #### {#sctn-signal-methods-async-rp-id-validation}

The [$Asynchronous RP ID validation algorithm$] lets [=signal methods=] validate
[=RP IDs=] [=in parallel=]. The algorithm takes a {{DOMString}} |rpId| as input
and returns a promise that rejects if the validation fails. The steps are:

1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=]. If
[=effective domain=] is not a [=valid domain=], then return [=a promise
rejected with=] "{{SecurityError}}" {{DOMException}}.
1. If |rpId| [=is a registrable domain suffix of or is equal to=]
|effectiveDomain|, return [=a promise resolved with=] undefined.
1. If the client does not support [[#sctn-related-origins|related origin
requests]], return [=a promise rejected with=] a "{{SecurityError}}"
{{DOMException}}.
1. Let |p| be [=a new promise=].
1. Execute the following steps [=in parallel=]:
1. If the result of running the [$related origins validation procedure$]
with arguments |callerOrigin| and |rpId| is [TRUE], then [=resolve=]
|p|.
1. Otherwise, [=reject=] |p| with a "{{SecurityError}}" {{DOMException}}.
1. Return |p|.

#### {{PublicKeyCredential/signalUnknownCredentialId(options)}} #### {#sctn-signalUnknownCredentialId}

Signals that a [=credential id=] was not recognized by the [=[WRP]=], e.g.
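Review bot: `|callerOrigin|` is used in step 1 and again in the parallel step 5 of the Asynchronous RP ID validation algorithm, but the lead-in declares only `{{DOMString}} |rpId|` as input, so the variable is unbound; either take `|callerOrigin|` as a second argument or add a first step that sets it to the [=relevant settings object=]'s [=origin=]. Two smaller points in the same hunk: step 1 should test `|effectiveDomain|` rather than the bare term `[=effective domain=]` ("If [=effective domain=] is not a [=valid domain=]"), and step 2 returns a promise "resolved with undefined" while the parallel branch does a bare `[=resolve=] |p|`; use the same form in both so the fulfillment value is the same on both paths.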
Expand All @@ -3020,26 +3042,18 @@ and the [=userHandle=], avoiding a privacy leak to an unauthenticated caller
Upon execution of {{PublicKeyCredential/signalUnknownCredentialId(options)}},
the [=client=] executes these steps:

1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=]. If
[=effective domain=] is not a [=valid domain=], then throw a
"{{SecurityError}}" {{DOMException}}.
1. If <code>|options|.{{UnknownCredentialIdOptions/rpId}}</code> [=is not a
registrable domain suffix of and is not equal to=] |effectiveDomain|, then
throw a "{{SecurityError}}" {{DOMException}}.

TODO: this may require updating once #2040 lands.
1. If the result of [=base64url encoding | base64url decoding=]
<code>|options|.{{UnknownCredentialIdOptions/credentialId}}</code> is an
error, then throw a {{TypeError}}.
error, then return [=a promise rejected with=] a {{TypeError}}.
1. Let |p| be the result of executing the [$Asynchronous RP ID validation
algorithm$] with <code>|options|.{{UnknownCredentialIdOptions/rpId}}</code>.
1. [=Upon fulfillment=] of |p|, run the following steps [=in parallel=]:
1. For every [=authenticator=] presently available on this [=client
platform=], invoke the [=signal method/authenticator
action/unknownCredentialId=] [=authenticator action=] with |options| as
input.
1. Return |p|.

1. Run the following steps [=in parallel=]:
1. For every [=authenticator=] presently available on this [=client
platform=], invoke the [=signal method/authenticator
action/unknownCredentialId=] [=authenticator action=] with |options|
as input.

1. Return [=a promise resolved with=] `undefined`.

The <dfn for="signal method/authenticator action">unknownCredentialId</dfn>
[=signal method/authenticator action=] takes an {{UnknownCredentialIdOptions}}
|options| and is as follows:
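Review bot: The dfn namespace is inconsistent across the three signal methods: this hunk links `[=signal method/authenticator action/unknownCredentialId=]` and the definition reads `<dfn for="signal method/authenticator action">unknownCredentialId</dfn>` (singular), whereas the two following hunks link `[=signal method/authenticator actions/allAcceptedCredentialIds=]` and `[=signal method/authenticator actions/currentUserDetails=]` (plural). Pick one `for=` path so Bikeshed does not produce two separate dfn groups. Separately, `Return |p|` means the method's promise settles as soon as RP ID validation settles, before the `[=Upon fulfillment=]` reaction dispatches to authenticators; that is the intended behaviour given the timing requirement stated just above the algorithm ("the client MUST NOT wait for authenticators to finish executing"), but a sentence in this method's own prose saying the promise does not report authenticator completion would save implementers from reading the two together.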
Expand Down Expand Up @@ -3082,27 +3096,23 @@ Upon execution of
{{PublicKeyCredential/signalAllAcceptedCredentialIds(options)}}, the [=client=]
executes these steps:

1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=]. If
[=effective domain=] is not a [=valid domain=], then throw a
"{{SecurityError}}" {{DOMException}}.
1. If <code>|options|.{{AllAcceptedCredentialIdsOptions/rpId}}</code> [=is not a
registrable domain suffix of and is not equal to=] |effectiveDomain|, then
throw a "{{SecurityError}}" {{DOMException}}.

TODO: this may require updating once #2040 lands.
1. If the result of [=base64url encoding | base64url decoding=]
<code>|options|.{{AllAcceptedCredentialIdsOptions/userId}}</code> is an
error, then throw a {{TypeError}}.
error, then return [=a promise rejected with=] a {{TypeError}}.
1. [=list/For each=] |credentialId| in
<code>|options|.{{AllAcceptedCredentialIdsOptions/allAcceptedCredentialIds}}</code>:
1. If the result of [=base64url encoding | base64url decoding=]
|credentialId| is an error, then throw a {{TypeError}}.

1. Run the following steps [=in parallel=]:
|credentialId| is an error, then return [=a promise rejected with=] a
{{TypeError}}.
1. Let |p| be the result of executing the [$Asynchronous RP ID validation
algorithm$] with
<code>|options|.{{AllAcceptedCredentialIdsOptions/rpId}}</code>.
1. [=Upon fulfillment=] of |p|, run the following steps [=in parallel=]:
1. For every [=authenticator=] presently available on this [=client
platform=], invoke the [=signal method/authenticator
actions/allAcceptedCredentialIds=] [=authenticator action=] with
|options| as input.
1. Return |p|.

The <dfn for="signal method/authenticator
actions">allAcceptedCredentialIds</dfn> [=signal method/authenticator
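Review bot: The `[=list/For each=] |credentialId|` loop base64url-decodes every entry of `allAcceptedCredentialIds` only to discard the result, and the authenticator action then receives `|options|` with the still-encoded strings; that is fine as a syntax check, but say so, or bind the decoded list and hand it to the action so it does not decode a second time. Structurally, this method now repeats the same scaffolding as the other two (decode and reject with `{{TypeError}}`, `Let |p| be the result of executing the [$Asynchronous RP ID validation algorithm$]`, `[=Upon fulfillment=] of |p|` dispatch in parallel, `Return |p|`); consider folding the dispatch into one shared algorithm parameterised by the authenticator action, so a future change to the ordering or error handling is made in one place.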
Expand Down Expand Up @@ -3169,23 +3179,18 @@ Signals the user's current {{PublicKeyCredentialEntity/name}} and
Upon execution of {{PublicKeyCredential/signalCurrentUserDetails(options)}}, the
[=client=] executes these steps:

1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=]. If
[=effective domain=] is not a [=valid domain=], then throw a
"{{SecurityError}}" {{DOMException}}.
1. If <code>|options|.{{CurrentUserDetailsOptions/rpId}}</code> [=is not a
registrable domain suffix of and is not equal to=] |effectiveDomain|, then
throw a "{{SecurityError}}" {{DOMException}}.

TODO: this may require updating once #2040 lands.
1. If the result of [=base64url encoding | base64url decoding=]
<code>|options|.{{CurrentUserDetailsOptions/userId}}</code> is an error, then
throw a {{TypeError}}.

1. Run the following steps [=in parallel=]:
<code>|options|.{{CurrentUserDetailsOptions/userId}}</code> is an error,
then return [=a promise rejected with=] a {{TypeError}}.
1. Let |p| be the result of executing the [$Asynchronous RP ID validation
algorithm$] with
<code>|options|.{{CurrentUserDetailsOptions/rpId}}</code>.
1. [=Upon fulfillment=] of |p|, run the following steps [=in parallel=]:
1. For every [=authenticator=] presently available on this [=client
platform=], invoke the [=signal method/authenticator
actions/currentUserDetails=] [=authenticator action=] with |options|
as input.
1. Return |p|.

The <dfn for="signal method/authenticator actions">currentUserDetails</dfn>
[=signal method/authenticator action=] takes a {{CurrentUserDetailsOptions}}
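Review bot: The removed `TODO: this may require updating once #2040 lands` lines (here and in the two preceding hunks) are resolved by the related origins branch of the new Asynchronous RP ID validation algorithm, but the commit message `Update RPID validation` does not mention #2040; reference it in the commit message or PR description so the history ties the TODO to its resolution. The reordering in this hunk (syntax check on `userId` first, then `Let |p| be the result of executing the [$Asynchronous RP ID validation algorithm$]`) means a caller on an unrelated origin can still get a `{{TypeError}}` for a malformed `userId` before any `{{SecurityError}}`; nothing about the RP's credentials leaks that way, but it is worth a sentence noting that the order is deliberate.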