feat(api/v2): implement U2F session check (#6339)

internal/api/grpc/session/v2/session_integration_test.go

@@ -69,7 +69,8 @@ type wantFactor int
 const (
 	wantUserFactor wantFactor = iota
 	wantPasswordFactor
-	wantPasskeyFactor
+	wantWebAuthNFactor
+	wantWebAuthNFactorUserVerified
 	wantIntentFactor
 )
 
@@ -85,10 +86,16 @@ func verifyFactors(t testing.TB, factors *session.Factors, window time.Duration,
 			pf := factors.GetPassword()
 			assert.NotNil(t, pf)
 			assert.WithinRange(t, pf.GetVerifiedAt().AsTime(), time.Now().Add(-window), time.Now().Add(window))
-		case wantPasskeyFactor:
-			pf := factors.GetPasskey()
+		case wantWebAuthNFactor:
+			pf := factors.GetWebAuthN()
 			assert.NotNil(t, pf)
 			assert.WithinRange(t, pf.GetVerifiedAt().AsTime(), time.Now().Add(-window), time.Now().Add(window))
+			assert.False(t, pf.UserVerified)
+		case wantWebAuthNFactorUserVerified:
+			pf := factors.GetWebAuthN()
+			assert.NotNil(t, pf)
+			assert.WithinRange(t, pf.GetVerifiedAt().AsTime(), time.Now().Add(-window), time.Now().Add(window))
+			assert.True(t, pf.UserVerified)
 		case wantIntentFactor:
 			pf := factors.GetIntent()
 			assert.NotNil(t, pf)
@@ -127,7 +134,6 @@ func TestServer_CreateSession(t *testing.T) {
 					},
 				},
 				Metadata: map[string][]byte{"foo": []byte("bar")},
-				Domain:   "domain",
 			},
 			want: &session.CreateSessionResponse{
 				Details: &object.Details{
@@ -150,8 +156,11 @@ func TestServer_CreateSession(t *testing.T) {
 		{
 			name: "passkey without user error",
 			req: &session.CreateSessionRequest{
-				Challenges: []session.ChallengeKind{
-					session.ChallengeKind_CHALLENGE_KIND_PASSKEY,
+				Challenges: &session.RequestChallenges{
+					WebAuthN: &session.RequestChallenges_WebAuthN{
+						Domain:                      Tester.Config.ExternalDomain,
+						UserVerificationRequirement: session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_REQUIRED,
+					},
 				},
 			},
 			wantErr: true,
@@ -166,8 +175,10 @@ func TestServer_CreateSession(t *testing.T) {
 						},
 					},
 				},
-				Challenges: []session.ChallengeKind{
-					session.ChallengeKind_CHALLENGE_KIND_PASSKEY,
+				Challenges: &session.RequestChallenges{
+					WebAuthN: &session.RequestChallenges_WebAuthN{
+						UserVerificationRequirement: session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_REQUIRED,
+					},
 				},
 			},
 			wantErr: true,
@@ -188,8 +199,8 @@ func TestServer_CreateSession(t *testing.T) {
 	}
 }
 
-func TestServer_CreateSession_passkey(t *testing.T) {
-	// create new session with user and request the passkey challenge
+func TestServer_CreateSession_webauthn(t *testing.T) {
+	// create new session with user and request the webauthn challenge
 	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
 		Checks: &session.Checks{
 			User: &session.CheckUser{
@@ -198,29 +209,31 @@ func TestServer_CreateSession_passkey(t *testing.T) {
 				},
 			},
 		},
-		Challenges: []session.ChallengeKind{
-			session.ChallengeKind_CHALLENGE_KIND_PASSKEY,
+		Challenges: &session.RequestChallenges{
+			WebAuthN: &session.RequestChallenges_WebAuthN{
+				Domain:                      Tester.Config.ExternalDomain,
+				UserVerificationRequirement: session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_REQUIRED,
+			},
 		},
-		Domain: Tester.Config.ExternalDomain,
 	})
 	require.NoError(t, err)
 	verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil)
 
-	assertionData, err := Tester.WebAuthN.CreateAssertionResponse(createResp.GetChallenges().GetPasskey().GetPublicKeyCredentialRequestOptions())
+	assertionData, err := Tester.WebAuthN.CreateAssertionResponse(createResp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
 	require.NoError(t, err)
 
-	// update the session with passkey assertion data
+	// update the session with webauthn assertion data
 	updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
 		SessionId:    createResp.GetSessionId(),
 		SessionToken: createResp.GetSessionToken(),
 		Checks: &session.Checks{
-			Passkey: &session.CheckPasskey{
+			WebAuthN: &session.CheckWebAuthN{
 				CredentialAssertionData: assertionData,
 			},
 		},
 	})
 	require.NoError(t, err)
-	verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, wantUserFactor, wantPasskeyFactor)
+	verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, wantUserFactor, wantWebAuthNFactorUserVerified)
 }
 
 func TestServer_CreateSession_successfulIntent(t *testing.T) {
@@ -326,16 +339,14 @@ func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
 }
 
 func TestServer_SetSession_flow(t *testing.T) {
-	var wantFactors []wantFactor
-
 	// create new, empty session
-	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{Domain: Tester.Config.ExternalDomain})
+	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
 	require.NoError(t, err)
-	verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
 	sessionToken := createResp.GetSessionToken()
+	verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, createResp.GetDetails().GetSequence(), time.Minute, nil)
 
 	t.Run("check user", func(t *testing.T) {
-		wantFactors = append(wantFactors, wantUserFactor)
+		wantFactors := []wantFactor{wantUserFactor}
 		resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
 			SessionId:    createResp.GetSessionId(),
 			SessionToken: sessionToken,
@@ -348,43 +359,92 @@ func TestServer_SetSession_flow(t *testing.T) {
 			},
 		})
 		require.NoError(t, err)
-		verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
 		sessionToken = resp.GetSessionToken()
+		verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
 	})
 
-	t.Run("check passkey", func(t *testing.T) {
+	t.Run("check webauthn, user verified (passkey)", func(t *testing.T) {
 		resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
 			SessionId:    createResp.GetSessionId(),
 			SessionToken: sessionToken,
-			Challenges: []session.ChallengeKind{
-				session.ChallengeKind_CHALLENGE_KIND_PASSKEY,
+			Challenges: &session.RequestChallenges{
+				WebAuthN: &session.RequestChallenges_WebAuthN{
+					Domain:                      Tester.Config.ExternalDomain,
+					UserVerificationRequirement: session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_REQUIRED,
+				},
 			},
 		})
 		require.NoError(t, err)
-		verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
+		verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil)
 		sessionToken = resp.GetSessionToken()
 
-		wantFactors = append(wantFactors, wantPasskeyFactor)
-		assertionData, err := Tester.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetPasskey().GetPublicKeyCredentialRequestOptions())
+		wantFactors := []wantFactor{wantUserFactor, wantWebAuthNFactorUserVerified}
+		assertionData, err := Tester.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), true)
 		require.NoError(t, err)
 
 		resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
 			SessionId:    createResp.GetSessionId(),
 			SessionToken: sessionToken,
 			Checks: &session.Checks{
-				Passkey: &session.CheckPasskey{
+				WebAuthN: &session.CheckWebAuthN{
 					CredentialAssertionData: assertionData,
 				},
 			},
 		})
 		require.NoError(t, err)
-		verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
+		sessionToken = resp.GetSessionToken()
+		verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
+	})
+
+	t.Run("check webauthn, user not verified (U2F)", func(t *testing.T) {
+		Tester.RegisterUserU2F(
+			Tester.WithAuthorizationToken(context.Background(), sessionToken),
+			User.GetUserId(),
+		)
+
+		for _, userVerificationRequirement := range []session.UserVerificationRequirement{
+			session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_PREFERRED,
+			session.UserVerificationRequirement_USER_VERIFICATION_REQUIREMENT_DISCOURAGED,
+		} {
+			t.Run(userVerificationRequirement.String(), func(t *testing.T) {
+				resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+					SessionId:    createResp.GetSessionId(),
+					SessionToken: sessionToken,
+					Challenges: &session.RequestChallenges{
+						WebAuthN: &session.RequestChallenges_WebAuthN{
+							Domain:                      Tester.Config.ExternalDomain,
+							UserVerificationRequirement: userVerificationRequirement,
+						},
+					},
+				})
+				require.NoError(t, err)
+				verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil)
+				sessionToken = resp.GetSessionToken()
+
+				wantFactors := []wantFactor{wantUserFactor, wantWebAuthNFactor}
+				assertionData, err := Tester.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetWebAuthN().GetPublicKeyCredentialRequestOptions(), false)
+				require.NoError(t, err)
+
+				resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+					SessionId:    createResp.GetSessionId(),
+					SessionToken: sessionToken,
+					Checks: &session.Checks{
+						WebAuthN: &session.CheckWebAuthN{
+							CredentialAssertionData: assertionData,
+						},
+					},
+				})
+				require.NoError(t, err)
+				sessionToken = resp.GetSessionToken()
+				verifyCurrentSession(t, createResp.GetSessionId(), sessionToken, resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
+			})
+		}
 	})
 }
 
 func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 	// create new, empty session
-	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{Domain: Tester.Config.ExternalDomain})
+	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
 	require.NoError(t, err)
 
 	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken()))
@@ -403,16 +463,19 @@ func Test_ZITADEL_API_missing_mfa(t *testing.T) {
 }
 
 func Test_ZITADEL_API_success(t *testing.T) {
-	id, token, _, _ := Tester.CreatePasskeySession(t, CTX, User.GetUserId())
+	id, token, _, _ := Tester.CreateVerfiedWebAuthNSession(t, CTX, User.GetUserId())
 
 	ctx := Tester.WithAuthorizationToken(context.Background(), token)
 	sessionResp, err := Tester.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
 	require.NoError(t, err)
-	require.NotNil(t, id, sessionResp.GetSession().GetFactors().GetPasskey().GetVerifiedAt().AsTime())
+
+	webAuthN := sessionResp.GetSession().GetFactors().GetWebAuthN()
+	require.NotNil(t, id, webAuthN.GetVerifiedAt().AsTime())
+	require.True(t, webAuthN.GetUserVerified())
 }
 
 func Test_ZITADEL_API_session_not_found(t *testing.T) {
-	id, token, _, _ := Tester.CreatePasskeySession(t, CTX, User.GetUserId())
+	id, token, _, _ := Tester.CreateVerfiedWebAuthNSession(t, CTX, User.GetUserId())
 
 	// test session token works
 	ctx := Tester.WithAuthorizationToken(context.Background(), token)