PR feedback + a few tests

Author: MackinnonBuck

src/Identity/Core/src/DefaultPasskeyHandler.cs

@@ -147,5 +147,8 @@ public static PasskeyException NullClientDataJson()
 
         public static PasskeyException InvalidClientDataJsonFormat(JsonException ex)
             => new($"The client data JSON had an invalid format: {ex.Message}", ex);
+
+        public static PasskeyException InvalidCredentialPublicKey(Exception ex)
+            => new($"The credential public key was invalid.", ex);
     }
 }

src/Identity/Core/src/PasskeyExceptionExtensions.cs

@@ -3,6 +3,7 @@
 
 using System.Buffers.Binary;
 using System.Diagnostics;
+using System.Diagnostics.CodeAnalysis;
 using System.Formats.Cbor;
 
 namespace Microsoft.AspNetCore.Identity;
@@ -68,6 +69,7 @@ internal sealed class AuthenticatorData
     /// <summary>
     /// Gets whether the authenticator added attested credential data.
     /// </summary>
+    [MemberNotNullWhen(true, nameof(AttestedCredentialData))]
     public bool HasAttestedCredentialData => Flags.HasFlag(AuthenticatorDataFlags.HasAttestedCredentialData);
 
     public static AuthenticatorData Parse(ReadOnlyMemory<byte> bytes)

src/Identity/Core/src/Passkeys/AuthenticatorData.cs

@@ -2,7 +2,6 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Linq;
-using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json.Serialization;
 
@@ -78,15 +77,6 @@ public bool Equals(BufferSource? other)
         return other is not null && _bytes.Span.SequenceEqual(other._bytes.Span);
     }
 
-    /// <summary>
-    /// Performs a fixed-time value-based equality comparison with another <see cref="BufferSource"/> instance
-    /// using <see cref="CryptographicOperations.FixedTimeEquals"/>.
-    /// </summary>
-    public bool FixedTimeEquals(BufferSource? other)
-    {
-        return other is not null && CryptographicOperations.FixedTimeEquals(_bytes.Span, other._bytes.Span);
-    }
-
     /// <inheritdoc/>
     public override bool Equals(object? obj)
         => obj is BufferSource other && Equals(other);

src/Identity/Core/src/Passkeys/BufferSource.cs

@@ -16,7 +16,7 @@ internal sealed class CredentialPublicKey
 
     public COSEAlgorithmIdentifier Alg => _alg;
 
-    public CredentialPublicKey(ReadOnlyMemory<byte> bytes)
+    private CredentialPublicKey(ReadOnlyMemory<byte> bytes)
     {
         var reader = Ctap2CborReader.Create(bytes);
 
@@ -38,7 +38,30 @@ public CredentialPublicKey(ReadOnlyMemory<byte> bytes)
         }
 
         var keyLength = bytes.Length - reader.BytesRemaining;
-        _bytes = bytes.Slice(0, keyLength);
+        _bytes = bytes[..keyLength];
+    }
+
+    public static CredentialPublicKey Decode(ReadOnlyMemory<byte> bytes)
+    {
+        try
+        {
+            return new CredentialPublicKey(bytes);
+        }
+        catch (PasskeyException)
+        {
+            throw;
+        }
+        catch (Exception ex)
+        {
+            throw PasskeyException.InvalidCredentialPublicKey(ex);
+        }
+    }
+
+    public static CredentialPublicKey Decode(ReadOnlyMemory<byte> bytes, out int bytesRead)
+    {
+        var key = Decode(bytes);
+        bytesRead = key._bytes.Length;
+        return key;
     }
 
     public bool Verify(ReadOnlySpan<byte> data, ReadOnlySpan<byte> signature)
@@ -187,13 +210,6 @@ private static HashAlgorithmName HashAlgFromCOSEAlg(COSEAlgorithmIdentifier alg)
         };
     }
 
-    public static CredentialPublicKey Decode(ReadOnlyMemory<byte> cpk, out int bytesRead)
-    {
-        var key = new CredentialPublicKey(cpk);
-        bytesRead = key._bytes.Length;
-        return key;
-    }
-
     public ReadOnlyMemory<byte> AsMemory() => _bytes;
 
     public byte[] ToArray() => _bytes.ToArray();

src/Identity/Core/src/Passkeys/CredentialPublicKey.cs

@@ -537,7 +537,7 @@ private void ThrowIfNoPasskeyHandler()
     }
 
     /// <summary>
-    /// Attempts to sign in the user with a passkey.
+    /// Performs a passkey assertion and attempts to sign in the user.
     /// </summary>
     /// <param name="credentialJson">The credentials obtained by JSON-serializing the result of the <c>navigator.credentials.get()</c> JavaScript function.</param>
     /// <param name="options">The original passkey request options provided to the browser.</param>
@@ -555,6 +555,8 @@ public virtual async Task<SignInResult> PasskeySignInAsync(string credentialJson
             return SignInResult.Failed;
         }
 
+        // After a successful assertion, we need to update the passkey so that it has the latest
+        // sign count and authenticator data.
         var setPasskeyResult = await UserManager.SetPasskeyAsync(assertionResult.User, assertionResult.Passkey);
         if (!setPasskeyResult.Succeeded)
         {
@@ -568,6 +570,10 @@ public virtual async Task<SignInResult> PasskeySignInAsync(string credentialJson
     /// Generates a <see cref="PasskeyCreationOptions"/> and stores it in the current <see cref="HttpContext"/> for later retrieval.
     /// </summary>
     /// <param name="creationArgs">Args for configuring the <see cref="PasskeyCreationOptions"/>.</param>
+    /// <remarks>
+    /// The returned options should be passed to the <c>navigator.credentials.create()</c> JavaScript function.
+    /// The credentials returned from that function can then be passed to the <see cref="PerformPasskeyAttestationAsync"/>.
+    /// </remarks>
     /// <returns>
     /// A task object representing the asynchronous operation containing the <see cref="PasskeyCreationOptions"/>.
     /// </returns>
@@ -593,6 +599,10 @@ public virtual async Task<PasskeyCreationOptions> ConfigurePasskeyCreationOption
     /// Generates a <see cref="PasskeyCreationOptions"/> to create a new passkey for a user.
     /// </summary>
     /// <param name="creationArgs">Args for configuring the <see cref="PasskeyCreationOptions"/>.</param>
+    /// <remarks>
+    /// The returned options should be passed to the <c>navigator.credentials.create()</c> JavaScript function.
+    /// The credentials returned from that function can then be passed to the <see cref="PerformPasskeyAttestationAsync"/>.
+    /// </remarks>
     /// <returns>
     /// A task object representing the asynchronous operation containing the <see cref="PasskeyCreationOptions"/>.
     /// </returns>
@@ -653,6 +663,11 @@ async Task<PublicKeyCredentialDescriptor[]> GetExcludeCredentialsAsync()
     /// Generates a <see cref="PasskeyRequestOptions"/> and stores it in the current <see cref="HttpContext"/> for later retrieval.
     /// </summary>
     /// <param name="requestArgs">Args for configuring the <see cref="PasskeyRequestOptions"/>.</param>
+    /// <remarks>
+    /// The returned options should be passed to the <c>navigator.credentials.get()</c> JavaScript function.
+    /// The credentials returned from that function can then be passed to the <see cref="PasskeySignInAsync"/> or
+    /// <see cref="PerformPasskeyAssertionAsync"/> methods.
+    /// </remarks>
     /// <returns>
     /// A task object representing the asynchronous operation containing the <see cref="PasskeyRequestOptions"/>.
     /// </returns>
@@ -680,6 +695,10 @@ public virtual async Task<PasskeyRequestOptions> ConfigurePasskeyRequestOptionsA
     /// Generates a <see cref="PasskeyRequestOptions"/> to request an existing passkey for a user.
     /// </summary>
     /// <param name="requestArgs">Args for configuring the <see cref="PasskeyRequestOptions"/>.</param>
+    /// <remarks>
+    /// The returned options should be passed to the <c>navigator.credentials.get()</c> JavaScript function.
+    /// The credentials returned from that function can then be passed to the <see cref="PerformPasskeyAssertionAsync"/> method.
+    /// </remarks>
     /// <returns>
     /// A task object representing the asynchronous operation containing the <see cref="PasskeyRequestOptions"/>.
     /// </returns>

src/Identity/Core/src/SignInManager.cs

@@ -32,6 +32,12 @@ public void VerifyDefaultOptions()
         Assert.Equal(ClaimTypes.Name, options.ClaimsIdentity.UserNameClaimType);
         Assert.Equal(ClaimTypes.NameIdentifier, options.ClaimsIdentity.UserIdClaimType);
         Assert.Equal("AspNet.Identity.SecurityStamp", options.ClaimsIdentity.SecurityStampClaimType);
+
+        Assert.Equal(TimeSpan.FromMinutes(1), options.Passkey.Timeout);
+        Assert.Equal(16, options.Passkey.ChallengeSize);
+        Assert.True(options.Passkey.AllowCurrentOrigin);
+        Assert.Equal(PasskeyOptions.CredentialBackupPolicy.Allowed, options.Passkey.BackupEligibleCredentialPolicy);
+        Assert.Equal(PasskeyOptions.CredentialBackupPolicy.Allowed, options.Passkey.BackedUpCredentialPolicy);
     }
 
     [Fact]
@@ -89,5 +95,4 @@ public void CanConfigureCookieOptions()
         Assert.Equal("c", options.Get(IdentityConstants.TwoFactorRememberMeScheme).Cookie.Name);
         Assert.Equal("d", options.Get(IdentityConstants.TwoFactorUserIdScheme).Cookie.Name);
     }
-
 }

src/Identity/test/Identity.Test/IdentityOptionsTest.cs

@@ -97,7 +97,13 @@ private static Mock<UserManager<PocoUser>> SetupUserManager(PocoUser user)
         return manager;
     }
 
-    private static SignInManager<PocoUser> SetupSignInManager(UserManager<PocoUser> manager, HttpContext context, ILogger logger = null, IdentityOptions identityOptions = null, IAuthenticationSchemeProvider schemeProvider = null)
+    private static SignInManager<PocoUser> SetupSignInManager(
+        UserManager<PocoUser> manager,
+        HttpContext context,
+        ILogger logger = null,
+        IdentityOptions identityOptions = null,
+        IAuthenticationSchemeProvider schemeProvider = null,
+        IPasskeyHandler<PocoUser> passkeyHandler = null)
     {
         var contextAccessor = new Mock<IHttpContextAccessor>();
         contextAccessor.Setup(a => a.HttpContext).Returns(context);
@@ -107,7 +113,16 @@ private static SignInManager<PocoUser> SetupSignInManager(UserManager<PocoUser>
         options.Setup(a => a.Value).Returns(identityOptions);
         var claimsFactory = new UserClaimsPrincipalFactory<PocoUser, PocoRole>(manager, roleManager.Object, options.Object);
         schemeProvider = schemeProvider ?? new MockSchemeProvider();
-        var sm = new SignInManager<PocoUser>(manager, contextAccessor.Object, claimsFactory, options.Object, null, schemeProvider, new DefaultUserConfirmation<PocoUser>());
+        passkeyHandler = passkeyHandler ?? Mock.Of<IPasskeyHandler<PocoUser>>();
+        var sm = new SignInManager<PocoUser>(
+            manager,
+            contextAccessor.Object,
+            claimsFactory,
+            options.Object,
+            null,
+            schemeProvider,
+            new DefaultUserConfirmation<PocoUser>(),
+            passkeyHandler);
         sm.Logger = logger ?? NullLogger<SignInManager<PocoUser>>.Instance;
         return sm;
     }
@@ -339,6 +354,38 @@ public async Task ExternalSignInRequiresVerificationIfNotBypassed(bool bypass)
         auth.Verify();
     }
 
+    [Fact]
+    public async Task CanPasskeySignIn()
+    {
+        // Setup
+        var user = new PocoUser { UserName = "Foo" };
+        var passkey = new UserPasskeyInfo(null, null, null, default, 0, null, false, false, false, null, null);
+        var assertionResult = PasskeyAssertionResult.Success(passkey, user);
+        var passkeyHandler = new Mock<IPasskeyHandler<PocoUser>>();
+        passkeyHandler
+            .Setup(h => h.PerformAssertionAsync(It.IsAny<PasskeyAssertionContext<PocoUser>>()))
+            .Returns(Task.FromResult(assertionResult));
+        var manager = SetupUserManager(user);
+        manager
+            .Setup(m => m.SetPasskeyAsync(user, passkey))
+            .Returns(Task.FromResult(IdentityResult.Success))
+            .Verifiable();
+        var context = new DefaultHttpContext();
+        var auth = MockAuth(context);
+        SetupSignIn(context, auth, user.Id, isPersistent: false, loginProvider: null);
+        var helper = SetupSignInManager(manager.Object, context, passkeyHandler: passkeyHandler.Object);
+
+        // Act
+        var passkeyRequestOptions = new PasskeyRequestOptions(userId: user.Id, "<some-options>");
+        var signInResult = await helper.PasskeySignInAsync(credentialJson: "<some-passkey>", passkeyRequestOptions);
+
+        // Assert
+        Assert.True(assertionResult.Succeeded);
+        Assert.Same(SignInResult.Success, signInResult);
+        manager.Verify();
+        auth.Verify();
+    }
+
     private class GoodTokenProvider : AuthenticatorTokenProvider<PocoUser>
     {
         public override Task<bool> ValidateAsync(string purpose, string token, UserManager<PocoUser> manager, PocoUser user)