Skip to content

test(native): cover the WebAuthn bridge — DER parsing + credential pinning#2394

Open
innolope-dev wants to merge 1 commit into
merge/mobile-release-into-mainfrom
test/native-webauthn-bridge
Open

test(native): cover the WebAuthn bridge — DER parsing + credential pinning#2394
innolope-dev wants to merge 1 commit into
merge/mobile-release-into-mainfrom
test/native-webauthn-bridge

Conversation

@innolope-dev

Copy link
Copy Markdown
Collaborator

What

Adds the missing test coverage for src/utils/native-webauthn.ts — the most security-critical native file (flagged as a known gap in the mobile-release requirements). 13 tests, no production code changes.

Stacked on #2393 (the file doesn't exist on main yet); GitHub will retarget this to main automatically when that merges.

Covered

  • DER signature parsing — ECDSA r/s extraction and the zerodev response tuple encoding (authenticatorData, clientDataJSON, responseTypeLocation via lastIndexOf('"type":"webauthn.get"'), RIP-7212 usePrecompiled flag per chain).
  • Low-S malleability normalization — a deliberately high-S signature comes back normalized to s ≤ N/2.
  • SPKI public-key extraction — P-256 X/Y coordinates from a real crypto.subtle-generated key, plus keccak hashing of the authenticator id.
  • Credential pinning (the multi-account fix) — pin applied when the caller supplies no allow-list, caller's allow-list never overridden, empty list falls back to the pin, and legacy behaviour (no pin, no list → undefined) preserved.
  • Challenge/rpId wiring, all three accepted message formats plus rejection of unsupported ones, and the no-credential error path.

Verification

  • pnpm test -- src/utils/__tests__/native-webauthn.test.ts ✅ 13/13
  • Prettier + ESLint clean on the new file

…nning

native-webauthn.ts is the most security-critical native file and had no
direct tests. Covers: DER ECDSA signature parsing and low-S malleability
normalization, SPKI public-key coordinate extraction and authenticator-id
hashing, the zerodev response tuple encoding (responseTypeLocation,
RIP-7212 precompile flag), challenge/rpId wiring, message format handling,
and the multi-account credential pinning fix (pin used when no allow-list,
caller list never overridden, empty list falls back to pin).
@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
peanut-wallet Error Error Jul 10, 2026 10:11am

Request Review

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ea34ed93-a5cd-445b-991e-afb4478ddbf2

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch test/native-webauthn-bridge

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant