test(golden): WebAuthn ceremony response-envelope parity fixtures #229

Open
rado0x54 wants to merge 1 commit into develop from test/webauthn-ceremony-goldens


@rado0x54 rado0x54 commented Jul 1, 2026

Owner

Summary

Extends the golden parity oracle (#227) to the WebAuthn ceremony response envelopes — the ShellWatch-owned bodies returned once the crypto verifies. This was the coverage explicitly deferred in #227 (the ceremonies weren't reproducible then); #162's fake authenticator unblocked it. Part of #225.

What's included

6 new golden fixtures / 5 cases (golden-webauthn.test.ts), driving the real attestation/assertion crypto end-to-end:

  • webauthn-self-register: POST /api/auth/register → { verified, accountId, id, credentialId, label }
  • webauthn-login-verify: POST /api/hydra/login/verify → { redirectTo }
  • webauthn-stepup-verify: POST /api/webauthn/stepup/verify → { stepUpToken, expiresAt, action }
  • webauthn-register: POST /api/webauthn/register → { verified, credentialId, id, label, authorizedKeysEntry, sshdConfig }
  • webauthn-invite-mint + webauthn-invite-redeem — invite { token, createdAt, expiresAt } and { status, label, fingerprint }

Determinism without new normalizer rules. The fake authenticator gained privateKeyPem + credentialId options; the golden suite pins two fixed keys so credentialId / the OpenSSH webauthn-sk line / fingerprint are stable. Everything else folds via the existing normalizer (challenge/token → <REDACTED>, timestamps → <TS>, account/credential-row UUIDs → <UUID>). No changes to golden.ts — so #227's audit/REST/MCP/WS fixtures are byte-for-byte untouched (verified).

Scope note: the /options bodies are @simplewebauthn passthroughs (documented loosely in openapi.yaml); this suite pins the response shapes ShellWatch itself constructs.

Refactor: extracted the thin-app + enroll/stepUp helpers into src/test/helpers/webauthn-app.ts, shared by the ceremony behavior test and this golden test (one source of truth; the ceremony test's 9 assertions are unchanged).

Validation

  • pnpm test:golden 26/26 (5 suites); stable across repeated runs (fixed keys → fully deterministic).
  • Full pnpm test:integration 158/158; pnpm typecheck ✓; pnpm spdx:check ✓.
  • Existing __goldens__/* unchanged on disk.

Relates to #210, #225; builds on #227 and #162/#228.
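
An added illustration of the normalization described in the determinism note above, not ShellWatch's golden.ts or any code from this PR; the redacted key list, regexes and sample bodies are constructed assumptions. It shows why pinned authenticator keys let credentialId stay un-normalized: per-run tokens, timestamps and row UUIDs fold to placeholders, while drift in credentialId still fails the comparison.

```typescript
// Added illustration, not ShellWatch's golden.ts. The redacted key list and
// the regexes are assumptions based on the placeholders named in the PR text.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const ISO_TS_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/;
const REDACT_KEYS = ["challenge", "token", "stepUpToken"]; // random per run

function normalize(value: Json, key?: string): Json {
  if (Array.isArray(value)) return value.map((v) => normalize(v));
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    // Sorted keys keep the snapshot independent of insertion order.
    for (const k of Object.keys(value).sort()) out[k] = normalize(value[k], k);
    return out;
  }
  if (typeof value === "string") {
    if (key !== undefined && REDACT_KEYS.indexOf(key) !== -1) return "<REDACTED>";
    if (UUID_RE.test(value)) return "<UUID>";
    if (ISO_TS_RE.test(value)) return "<TS>";
  }
  return value; // stable fields (e.g. credentialId) pass through unmasked
}

function snapshot(body: Json): string {
  return JSON.stringify(normalize(body), null, 2);
}

// Constructed sample bodies in the register and step-up shapes listed above.
function sampleRegister(rowId: string, credentialId: string): Json {
  return { verified: true, credentialId: credentialId, id: rowId, label: "laptop" };
}
function sampleStepUp(token: string, expiresAt: string): Json {
  // "session.create" is a constructed action name.
  return { stepUpToken: token, expiresAt: expiresAt, action: "session.create" };
}

const PINNED = "Y3JlZC1maXhlZA"; // constructed credentialId from a pinned key
const runA = snapshot(sampleRegister("3f1c2a9e-5b7d-4c1a-9e2f-0a1b2c3d4e5f", PINNED));
const runB = snapshot(sampleRegister("a8d4e6f0-1b2c-4d3e-8f9a-7b6c5d4e3f2a", PINNED));
const drift = snapshot(sampleRegister("a8d4e6f0-1b2c-4d3e-8f9a-7b6c5d4e3f2a", "cmFuZG9t"));
console.log(runA === runB, runA === drift); // true false
```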
