Skip to content

test(webauthn): cover assertion fields, self-attestation, label/challenge uniqueness#697

Merged
EffortlessSteven merged 1 commit into
mainfrom
claude/cov-webauthn-assertion
May 16, 2026
Merged

test(webauthn): cover assertion fields, self-attestation, label/challenge uniqueness#697
EffortlessSteven merged 1 commit into
mainfrom
claude/cov-webauthn-assertion

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Summary

Closes coverage gaps in uselesskey-webauthn where the existing inline tests only exercised the registration/Packed path or only checked one field of the assertion fixture. No production code changes.

Gaps closed

Area What was missing New test
webauthn_assertion fields beyond sign_count Only sign_count was asserted; client_data_json, authenticator_data, signature, rp_id_hash were never inspected assertion_fixture_fields_are_deterministic_and_consistent
AttestationMode::SelfAttestation build path Tag was checked in stable_bytes, but no test ever built a registration with SelfAttestation to verify fmt = "self" in the CBOR attestation_object self_attestation_registration_uses_self_fmt
Cross-mode uniqueness Same label+spec but different attestation_mode was never compared packed_and_self_attestation_objects_differ
Cache identity by label Different labels (alice vs bob) producing distinct registration objects/AAGUIDs was never validated distinct_labels_produce_distinct_registration_objects
Cache identity by challenge (assertion) Different challenges producing distinct signatures/clientDataJSON/sign_count was never validated distinct_challenges_produce_distinct_assertion_signatures
AsRef<[u8]> bound on WebAuthnSpec::packed challenge Tests only passed &[u8]; owned Vec<u8> not exercised webauthn_spec_packed_accepts_owned_challenge_vec
WebAuthnSpec PartialEq/Eq Derived but never used to compare specs webauthn_spec_partial_eq_distinguishes_fields

7 new tests, all using Factory::deterministic_from_str and assert!(matches!(...)) patterns so the no-panic-family check stays at zero new debt.

Test plan

  • cargo test -p uselesskey-webauthn --lib — 20/20 pass (7 new + 13 existing)
  • cargo clippy -p uselesskey-webauthn --tests --all-features -- -D warnings
  • cargo xtask check-no-panic-family — only the pre-existing xtask/src/user_path_smoke.rs:126 debt remains
  • cargo fmt --check -p uselesskey-webauthn

https://claude.ai/code/session_01R9SN1o9XoVTaVxj9w4VMzD


Generated by Claude Code

…enge uniqueness

Adds 7 inline tests to `uselesskey-webauthn` that close coverage gaps in
the registration/assertion paths:

- `webauthn_assertion` field-level determinism: client_data_json,
  authenticator_data, signature, rp_id_hash; rp_id_hash equals
  sha256(rp_id); first 32 bytes of authenticator_data equal rp_id_hash;
  type field is "webauthn.get"
- `AttestationMode::SelfAttestation` registration path actually emits
  fmt = "self" in the CBOR attestation_object
- Different attestation_mode for the same label/spec produces distinct
  attestation_object bytes
- Different labels (alice vs bob) produce distinct registration objects
  and AAGUIDs
- Different challenges in the assertion path produce distinct
  signatures, clientDataJSON, and sign_count
- `WebAuthnSpec::packed` accepts an owned `Vec<u8>` challenge (AsRef<[u8]>
  bound)
- `WebAuthnSpec` Eq/PartialEq distinguish attestation_mode,
  authenticator_model, and credential_id

No production code changes. All tests use `Factory::deterministic_from_str`
and avoid `.expect()`/`panic!`/etc., so the no-panic-family check stays at
zero new debt.

https://claude.ai/code/session_01R9SN1o9XoVTaVxj9w4VMzD
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 16, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 29 minutes and 23 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5ef25b93-93c6-4488-932b-b66f0f7c2f5e

📥 Commits

Reviewing files that changed from the base of the PR and between fad488d and 805468f.

📒 Files selected for processing (1)
  • crates/uselesskey-webauthn/src/lib.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/cov-webauthn-assertion

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@EffortlessSteven EffortlessSteven marked this pull request as ready for review May 16, 2026 02:40
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@EffortlessSteven EffortlessSteven merged commit 9042b64 into main May 16, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants