test(webauthn): cover assertion fields, self-attestation, label/challenge uniqueness#697
Conversation
…enge uniqueness Adds 7 inline tests to `uselesskey-webauthn` that close coverage gaps in the registration/assertion paths: - `webauthn_assertion` field-level determinism: client_data_json, authenticator_data, signature, rp_id_hash; rp_id_hash equals sha256(rp_id); first 32 bytes of authenticator_data equal rp_id_hash; type field is "webauthn.get" - `AttestationMode::SelfAttestation` registration path actually emits fmt = "self" in the CBOR attestation_object - Different attestation_mode for the same label/spec produces distinct attestation_object bytes - Different labels (alice vs bob) produce distinct registration objects and AAGUIDs - Different challenges in the assertion path produce distinct signatures, clientDataJSON, and sign_count - `WebAuthnSpec::packed` accepts an owned `Vec<u8>` challenge (AsRef<[u8]> bound) - `WebAuthnSpec` Eq/PartialEq distinguish attestation_mode, authenticator_model, and credential_id No production code changes. All tests use `Factory::deterministic_from_str` and avoid `.expect()`/`panic!`/etc., so the no-panic-family check stays at zero new debt. https://claude.ai/code/session_01R9SN1o9XoVTaVxj9w4VMzD
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Summary
Closes coverage gaps in
uselesskey-webauthnwhere the existing inline tests only exercised the registration/Packed path or only checked one field of the assertion fixture. No production code changes.Gaps closed
webauthn_assertionfields beyondsign_countclient_data_json,authenticator_data,signature,rp_id_hashwere never inspectedassertion_fixture_fields_are_deterministic_and_consistentAttestationMode::SelfAttestationbuild pathstable_bytes, but no test ever built a registration withSelfAttestationto verifyfmt = "self"in the CBORattestation_objectself_attestation_registration_uses_self_fmtattestation_modewas never comparedpacked_and_self_attestation_objects_differalicevsbob) producing distinct registration objects/AAGUIDs was never validateddistinct_labels_produce_distinct_registration_objectsdistinct_challenges_produce_distinct_assertion_signaturesAsRef<[u8]>bound onWebAuthnSpec::packedchallenge&[u8]; ownedVec<u8>not exercisedwebauthn_spec_packed_accepts_owned_challenge_vecWebAuthnSpecPartialEq/Eqwebauthn_spec_partial_eq_distinguishes_fields7 new tests, all using
Factory::deterministic_from_strandassert!(matches!(...))patterns so the no-panic-family check stays at zero new debt.Test plan
cargo test -p uselesskey-webauthn --lib— 20/20 pass (7 new + 13 existing)cargo clippy -p uselesskey-webauthn --tests --all-features -- -D warningscargo xtask check-no-panic-family— only the pre-existingxtask/src/user_path_smoke.rs:126debt remainscargo fmt --check -p uselesskey-webauthnhttps://claude.ai/code/session_01R9SN1o9XoVTaVxj9w4VMzD
Generated by Claude Code