File: federated-session.https.html

<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/device-bound-session-credentials/helper.js" type="module"></script>

<script type="module">
  import {
    addCookieAndSessionCleanup,
    configureServer,
    documentHasCookie,
    expireCookie,
    setupShardedServerState,
    waitForCookie
  } from "/device-bound-session-credentials/helper.js";

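  /**
   * Starts the provider session by requesting login.py and waits until the
   * provider's auth cookie is observable from the document.
   *
   * The unused `expectedCookieAndAttributes` local has been dropped; only the
   * name=value pair is needed to wait for the cookie.
   *
   * @param {object} t - testharness test object. Not read here; kept so the
   *   promise_test bodies can pass it uniformly to every helper.
   * @returns {Promise<void>} resolves once waitForCookie reports the cookie.
   */
  async function registerProviderSession(t) {
    const expectedCookieAndValue = "auth_cookie=abcdef0123";

    // Prompt starting a session, and wait until registration completes.
    // login.py is fetched relative to this document, i.e. on the provider origin.
    const loginResponse = await fetch('login.py');
    assert_equals(loginResponse.status, 200);
    await waitForCookie(expectedCookieAndValue, /*expectCookie=*/true);
  }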

  /**
   * Asks the server for the key it holds for session `id` and returns the
   * raw response body. Callers treat the result as a key thumbprint (see the
   * promise_test bodies below).
   *
   * @param {string} id - session id, appended verbatim as the query string.
   * @returns {Promise<string>} the response body text.
   */
  async function getKey(id) {
    const keyUrl = `get_key.py?${id}`;
    const response = await fetch(keyUrl);
    assert_equals(response.status, 200);
    const body = await response.text();
    return body;
  }

  /**
   * Fetches the list of session ids the server currently knows about.
   *
   * @returns {Promise<Array>} the JSON-decoded response body (callers use
   *   `.length`, `.filter` and index access on it, so an array is expected).
   */
  async function getSessionIds() {
    const idsResponse = await fetch('get_session_ids.py');
    assert_equals(idsResponse.status, 200);
    const ids = await idsResponse.json();
    return ids;
  }

  /**
   * Attempts to register a relying session on `host` that is federated with
   * the provider session identified by `sessionId` / `key`.
   *
   * When `expectSuccess` is true the helper additionally checks that the
   * relying cookie is refreshed after expiry and that the newly created
   * relying session reports the same key as the provider session. When it is
   * false the helper only checks the registration outcome (via waitForCookie)
   * and returns; it does not assert anything further about server state.
   *
   * @param {object} t - testharness test object; not read here.
   * @param {string} host - host (with port) on which login.py is requested.
   * @param {string} sessionId - provider session id handed to the server config.
   * @param {string} key - provider key (thumbprint) handed to the server config.
   * @param {boolean} expectSuccess - forwarded to waitForCookie as expectCookie.
   * @returns {Promise<void>}
   */
  async function registerRelyingSession(t, host, sessionId, key, expectSuccess) {
    const relyingCookie = "relying_auth_cookie=abcdef0123";
    const relyingCookieAttributes = `Domain=${location.hostname};Path=/device-bound-session-credentials`;
    const relyingCookieWithAttributes = `${relyingCookie};${relyingCookieAttributes}`;

    // Despite registration happening on a subdomain, make the session
    // visible on the parent domain. This makes it easier to test for
    // its presence.
    const cookieDetails = [{
      nameAndValue: relyingCookie,
      attributes: relyingCookieAttributes,
    }];
    await configureServer({
      cookieDetails,
      scopeOrigin: location.origin,
      providerUrl: `${location.origin}/`,
      providerSessionId: sessionId,
      providerKey: key
    });

    // Prompt starting a session on the relying host, and wait until
    // registration completes (or, for the negative cases, does not).
    const loginUrl = `https://${host}/device-bound-session-credentials/login.py`;
    const loginResponse = await fetch(loginUrl, {credentials: "include"});
    assert_equals(loginResponse.status, 200);
    await waitForCookie(relyingCookie, /*expectCookie=*/expectSuccess);

    if (!expectSuccess) {
      return;
    }

    // Confirm that expiring the cookie still leads to a request with the cookie set (refresh occurs).
    expireCookie(relyingCookieWithAttributes);
    assert_false(documentHasCookie(relyingCookie));
    const verifyResponse = await fetch('verify_authenticated.py', {
      method: 'POST',
      body: relyingCookie
    });
    assert_equals(verifyResponse.status, 200);
    assert_true(documentHasCookie(relyingCookie));

    // Confirm that the relying session shares keys: exactly one session other
    // than the provider session exists, and its key equals the provider key.
    const allSessionIds = await getSessionIds();
    const otherSessionIds = allSessionIds.filter((id) => id !== sessionId);
    assert_equals(otherSessionIds.length, 1);
    const [relyingSessionId] = otherSessionIds;

    const relyingKey = await getKey(relyingSessionId);
    assert_equals(key, relyingKey);
  }

  // Positive case: a relying session on the www. subdomain registers
  // successfully when given the real provider session id and its key.
  promise_test(async (t) => {
    addCookieAndSessionCleanup(t);

    await setupShardedServerState();

    await registerProviderSession(t);
    const sessionIds = await getSessionIds();
    assert_equals(sessionIds.length, 1);
    const [providerSessionId] = sessionIds;

    const keyThumbprint = await getKey(providerSessionId);
    const relyingHost = `www.${location.host}`;
    await registerRelyingSession(t, relyingHost, providerSessionId, keyThumbprint, /*expect_success=*/true);
  }, "Successful federated session registration");

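  // Negative case: the relying registration must not succeed when the key
  // presented for the provider session does not match the provider's key.
  // (Adds the statement-terminating semicolon that was missing after the
  // promise_test call.)
  promise_test(async (t) => {
    addCookieAndSessionCleanup(t);

    await setupShardedServerState();

    await registerProviderSession(t);
    const sessionIds = await getSessionIds();
    assert_equals(sessionIds.length, 1);

    // A deliberately wrong thumbprint stands in for the provider key.
    await registerRelyingSession(t, `www.${location.host}`, sessionIds[0], "not-the-thumbprint", /*expect_success=*/false);
  }, "Invalid thumbprint");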

  // Negative case: the real provider key is presented, but together with a
  // session id the provider does not know, so registration must not succeed.
  promise_test(async (t) => {
    addCookieAndSessionCleanup(t);

    await setupShardedServerState();

    await registerProviderSession(t);
    const sessionIds = await getSessionIds();
    assert_equals(sessionIds.length, 1);
    const [providerSessionId] = sessionIds;

    const keyThumbprint = await getKey(providerSessionId);
    const relyingHost = `www.${location.host}`;
    await registerRelyingSession(t, relyingHost, "not-the-session-id", keyThumbprint, /*expect_success=*/false);
  }, "Invalid provider session id");

  // Negative case: valid session id and key, but the relying host is the
  // www1. subdomain. Per the test title this host is not authorized by the
  // provider's .well-known configuration (served outside this file), so the
  // registration must not succeed.
  promise_test(async (t) => {
    addCookieAndSessionCleanup(t);

    await setupShardedServerState();

    await registerProviderSession(t);
    const sessionIds = await getSessionIds();
    assert_equals(sessionIds.length, 1);
    const [providerSessionId] = sessionIds;

    const keyThumbprint = await getKey(providerSessionId);
    const unauthorizedHost = `www1.${location.host}`;
    await registerRelyingSession(t, unauthorizedHost, providerSessionId, keyThumbprint, /*expect_success=*/false);
  }, "Not authorized by .well-known");
</script>