fix(security): reject WebAuthn signature-counter rollback
Sign counters were stored but never checked, so a cloned authenticator or a replayed assertion with an equal/lower counter was accepted. Reject the authentication when the presented counter does not exceed the stored one, while allowing counter-less/synced passkeys that always report 0. Refs: porchlight-3cr Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Johan Lundberg
parent
f03d509eb4
commit
1571706d21
2 changed files with 39 additions and 1 deletions
22
tests/test_authn/test_sign_count.py
Normal file
22
tests/test_authn/test_sign_count.py
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
from porchlight.authn.routes import _is_sign_count_rollback
|
||||
|
||||
|
||||
def test_increasing_counter_is_not_rollback() -> None:
|
||||
assert _is_sign_count_rollback(stored=5, presented=6) is False
|
||||
|
||||
|
||||
def test_equal_counter_is_rollback() -> None:
|
||||
assert _is_sign_count_rollback(stored=5, presented=5) is True
|
||||
|
||||
|
||||
def test_lower_counter_is_rollback() -> None:
|
||||
assert _is_sign_count_rollback(stored=5, presented=3) is True
|
||||
|
||||
|
||||
def test_both_zero_sync_passkey_is_allowed() -> None:
|
||||
# Sync passkeys (and counter-less authenticators) always report 0.
|
||||
assert _is_sign_count_rollback(stored=0, presented=0) is False
|
||||
|
||||
|
||||
def test_first_increment_from_zero_is_allowed() -> None:
|
||||
assert _is_sign_count_rollback(stored=0, presented=1) is False
|
||||
Loading…
Add table
Add a link
Reference in a new issue