Merge branch 'main' into readme

marius-se · web-flow · commit c83236eaa7c1 · 2023-02-08T16:51:30.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -1,90 +1,6 @@
-# Xcode
-#
-# gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore
-
-## User settings
-xcuserdata/
-
-## compatibility with Xcode 8 and earlier (ignoring not required starting Xcode 9)
-*.xcscmblueprint
-*.xccheckout
-
-## compatibility with Xcode 3 and earlier (ignoring not required starting Xcode 4)
-build/
-DerivedData/
-*.moved-aside
-*.pbxuser
-!default.pbxuser
-*.mode1v3
-!default.mode1v3
-*.mode2v3
-!default.mode2v3
-*.perspectivev3
-!default.perspectivev3
-
-## Obj-C/Swift specific
-*.hmap
-
-## App packaging
-*.ipa
-*.dSYM.zip
-*.dSYM
-
-## Playgrounds
-timeline.xctimeline
-playground.xcworkspace
-
-# Swift Package Manager
-#
-# Add this line if you want to avoid checking in source code from Swift Package Manager dependencies.
-# Packages/
-# Package.pins
 Package.resolved
-# *.xcodeproj
-#
-# Xcode automatically generates this directory with a .xcworkspacedata file and xcuserdata
-# hence it is not needed unless you have added a package configuration file to your project
-# .swiftpm
-
 .build/
-
-# CocoaPods
-#
-# We recommend against adding the Pods directory to your .gitignore. However
-# you should judge for yourself, the pros and cons are mentioned at:
-# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
-#
-# Pods/
-#
-# Add this line if you want to avoid checking in source code from the Xcode workspace
-# *.xcworkspace
-
-# Carthage
-#
-# Add this line if you want to avoid checking in source code from Carthage dependencies.
-# Carthage/Checkouts
-
-Carthage/Build/
-
-# Accio dependency management
-Dependencies/
-.accio/
-
-# fastlane
-#
-# It is recommended to not store the screenshots in the git repo.
-# Instead, use fastlane to re-generate the screenshots whenever they are needed.
-# For more information about the recommended setup visit:
-# https://docs.fastlane.tools/best-practices/source-control/#source-control
-
-fastlane/report.xml
-fastlane/Preview.html
-fastlane/screenshots/**/*.png
-fastlane/test_output
-
-# Code Injection
-#
-# After new code Injection tools there's a generated folder /iOSInjectionProject
-# https://github.com/johnno1962/injectionforxcode
-
-iOSInjectionProject/
+*.xcodeproj
+DerivedData
+.DS_Store
+.swiftpm/
diff --git a/Tests/WebAuthnTests/WebAuthnManagerTests.swift b/Tests/WebAuthnTests/WebAuthnManagerTests.swift
@@ -14,6 +14,7 @@
 
 @testable import WebAuthn
 import XCTest
+import SwiftCBOR
 
 // swiftlint:disable line_length
 
@@ -86,14 +87,30 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfAuthDataIsInvalid() async throws {
-        let hexAttestationObjectWithInvalidAuthData: URLEncodedBase64 = "A363666D74667061636B65646761747453746D74A263616C67266373696758473045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C68617574684461746101"
+        // {
+        //   "fmt": "packed",
+        //   "attStmt": {
+        //     "alg": -7,
+        //     "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //   },
+        //   "authData": 1
+        // }
+        let hexAttestationObjectWithInvalidAuthData: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YQE"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationObjectWithInvalidAuthData),
             expect: WebAuthnError.invalidAuthData
         )
     }
 
     func testFinishRegistrationFailsIfFmtIsInvalid() async throws {
+        // {
+        //   "fmt": 1,
+        //   "attStmt": {
+        //     "alg": -7,
+        //     "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //   },
+        //   "authData": h'49960DE5880E8C687434170F6476605B8FE4AEB9A28632C7995CF3BA831D97634500000000ADCE000235BCC60A648B0B25F1F0550300203A3EE56DCABABEC0EF2F4B7F0EE28E11317C2CF7FF972830440D63FCBAA7E26BA50102032620012158209AFFC8BA186D85A071FEDA41C77BA5C8D48FEDE8F1B89A7D6407DBC5A28D04AF2258203C8D8AAAA450DBA28AB85689D321FB9E8B8206BCC7BBCA9138D5BE08F6BD5433'
+        // }
         let hexAttestationObjectWithInvalidFmt: URLEncodedBase64 = "o2NmbXQBZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAK3OAAI1vMYKZIsLJfHwVQMAIDo-5W3Kur7A7y9Lfw7ijhExfCz3_5coMEQNY_y6p-JrpQECAyYgASFYIJr_yLoYbYWgcf7aQcd7pcjUj-3o8biafWQH28WijQSvIlggPI2KqqRQ26KKuFaJ0yH7nouCBrzHu8qRONW-CPa9VDM"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationObjectWithInvalidFmt),
@@ -102,6 +119,10 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfAttStmtIsMissing() async throws {
+        // {
+        //   "fmt": "packed",
+        //   "authData": h'49960DE5880E8C687434170F6476605B8FE4AEB9A28632C7995CF3BA831D97634500000000ADCE000235BCC60A648B0B25F1F0550300203A3EE56DCABABEC0EF2F4B7F0EE28E11317C2CF7FF972830440D63FCBAA7E26BA50102032620012158209AFFC8BA186D85A071FEDA41C77BA5C8D48FEDE8F1B89A7D6407DBC5A28D04AF2258203C8D8AAAA450DBA28AB85689D321FB9E8B8206BCC7BBCA9138D5BE08F6BD5433'
+        // }
         let hexAttestationObjectWithMissingAttStmt: URLEncodedBase64 = "omNmbXRmcGFja2VkaGF1dGhEYXRhWKRJlg3liA6MaHQ0Fw9kdmBbj-SuuaKGMseZXPO6gx2XY0UAAAAArc4AAjW8xgpkiwsl8fBVAwAgOj7lbcq6vsDvL0t_DuKOETF8LPf_lygwRA1j_Lqn4mulAQIDJiABIVggmv_IuhhthaBx_tpBx3ulyNSP7ejxuJp9ZAfbxaKNBK8iWCA8jYqqpFDbooq4VonTIfuei4IGvMe7ypE41b4I9r1UMw"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationObjectWithMissingAttStmt),
@@ -110,6 +131,14 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfAuthDataIsTooShort() async throws {
+        // {
+        //   "fmt": "packed",
+        //   "attStmt": {
+        //     "alg": -7,
+        //     "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //   },
+        //   "authData": h'49960D'
+        // }
         let hexAttestationObjectInvalidAuthData: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YUNJlg0"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationObjectInvalidAuthData),
@@ -118,6 +147,14 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfAttestedCredentialDataFlagIsSetButThereIsNotCredentialData() async throws {
+        // {
+        //   "fmt": "packed",
+        //   "attStmt": {
+        //       "alg": -7,
+        //       "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //    },
+        //    "authData": h'5647686C5647686C5647686C5647686C5647686C5647686C686C5647686C686C4000000000'
+        // }
         let hexAttestationObjectMissingCredentialData: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVglVkdobFZHaGxWR2hsVkdobFZHaGxWR2hsaGxWR2hsaGxAAAAAAA"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationObjectMissingCredentialData),
@@ -126,6 +163,14 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfAttestedCredentialDataFlagIsNotSetButThereIsCredentialData() async throws {
+        // {
+        //   "fmt": "packed",
+        //   "attStmt": {
+        //     "alg": -7,
+        //     "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //   },
+        //   "authData": h'5647686C5647686C5647686C5647686C5647686C5647686C686C5647686C686C000000000000'
+        // }
         let hexAttestationObjectWithCredentialData: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVgmVkdobFZHaGxWR2hsVkdobFZHaGxWR2hsaGxWR2hsaGwAAAAAAAA"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationObjectWithCredentialData),
@@ -134,6 +179,14 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfExtensionDataFlagIsSetButThereIsNoExtensionData() async throws {
+        // {
+        //   "fmt": "packed",
+        //   "attStmt": {
+        //     "alg": -7,
+        //     "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //   },
+        //   "authData": h'5647686C5647686C5647686C5647686C5647686C5647686C686C5647686C686C8000000000'
+        // }
         let hexAttestationObjectMissingExtensionData: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVglVkdobFZHaGxWR2hsVkdobFZHaGxWR2hsaGxWR2hsaGyAAAAAAA"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationObjectMissingExtensionData),
@@ -142,6 +195,14 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfCredentialIdIsTooShort() async throws {
+        // {
+        //   "fmt": "packed",
+        //   "attStmt": {
+        //     "alg": -7,
+        //     "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //   },
+        //   "authData": h'5647686C5647686C5647686C5647686C5647686C5647686C686C5647686C686C40000000005647686C5647686C5647686C5647686C00022A'
+        // }
         let hexAttestationShortCredentialID: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVg4VkdobFZHaGxWR2hsVkdobFZHaGxWR2hsaGxWR2hsaGxAAAAAAFZHaGxWR2hsVkdobFZHaGwAAio"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationShortCredentialID),
@@ -150,15 +211,31 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfCeremonyTypeDoesNotMatch() async throws {
-        let clientDataJSONWrongCeremonyType: URLEncodedBase64 = "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiY21GdVpHOXRVM1J5YVc1blJuSnZiVk5sY25abGNnIiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvdGhlcl9rZXlzX2Nhbl9iZV9hZGRlZF9oZXJlIjoiZG8gbm90IGNvbXBhcmUgY2xpZW50RGF0YUpTT04gYWdhaW5zdCBhIHRlbXBsYXRlLiBTZWUgaHR0cHM6Ly9nb28uZ2wveWFiUGV4In0"
+        let clientDataJSONWrongCeremonyType = String.base64URL(fromBase64: """
+        {
+            "type": "webauthn.get",
+            "challenge": "cmFuZG9tU3RyaW5nRnJvbVNlcnZlcg",
+            "origin": "http://localhost:8080",
+            "crossOrigin": false,
+            "other_keys_can_be_added_here": "do not compare clientDataJSON against a template. See https://goo.gl/yabPex"
+        }
+        """.toBase64())
         try await assertThrowsError(
             await finishRegistration(clientDataJSON: clientDataJSONWrongCeremonyType),
             expect: CollectedClientData.CollectedClientDataVerifyError.ceremonyTypeDoesNotMatch
         )
     }
 
     func testFinishRegistrationFailsIfChallengeDoesNotMatch() async throws {
-        let clientDataJSONWrongChallenge: URLEncodedBase64 = "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiY21GdVpHOXRVM1J5YVc1blJuSnZiVk5sY25abGNnIiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvdGhlcl9rZXlzX2Nhbl9iZV9hZGRlZF9oZXJlIjoiZG8gbm90IGNvbXBhcmUgY2xpZW50RGF0YUpTT04gYWdhaW5zdCBhIHRlbXBsYXRlLiBTZWUgaHR0cHM6Ly9nb28uZ2wveWFiUGV4In0"
+        let clientDataJSONWrongChallenge = String.base64URL(fromBase64: """
+        {
+            "type": "webauthn.create",
+            "challenge": "cmFuZG9tU3RyaW5nRnJvbVNlcnZlcg",
+            "origin": "http://localhost:8080",
+            "crossOrigin": false,
+            "other_keys_can_be_added_here": "do not compare clientDataJSON against a template. See https://goo.gl/yabPex"
+        }
+        """.toBase64())
         try await assertThrowsError(
             await finishRegistration(
                 challenge: "definitelyAnotherChallenge",
@@ -169,9 +246,15 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfOriginDoesNotMatch() async throws {
-        // origin = http://johndoe.com
-        let clientDataJSONWrongOrigin: URLEncodedBase64 = "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiY21GdVpHOXRVM1J5YVc1blJuSnZiVk5sY25abGNnIiwib3JpZ2luIjoiaHR0cDovL2pvaG5kb2UuY29tIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvdGhlcl9rZXlzX2Nhbl9iZV9hZGRlZF9oZXJlIjoiZG8gbm90IGNvbXBhcmUgY2xpZW50RGF0YUpTT04gYWdhaW5zdCBhIHRlbXBsYXRlLiBTZWUgaHR0cHM6Ly9nb28uZ2wveWFiUGV4In0"
-
+        let clientDataJSONWrongOrigin: URLEncodedBase64 = String.base64URL(fromBase64: """
+        {
+            "type": "webauthn.create",
+            "challenge": "cmFuZG9tU3RyaW5nRnJvbVNlcnZlcg",
+            "origin": "http://johndoe.com",
+            "crossOrigin": false,
+            "other_keys_can_be_added_here": "do not compare clientDataJSON against a template. See https://goo.gl/yabPex"
+        }
+        """.toBase64())
         // `webAuthnManager` is configured with origin = https://example.com
         try await assertThrowsError(
             await finishRegistration(
@@ -190,6 +273,14 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfRelyingPartyIDHashDoesNotMatch() async throws {
+        // {
+        //   "fmt": "packed",
+        //   "attStmt": {
+        //     "alg": -7,
+        //     "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //   },
+        //   "authData": h'49960DE5880E8C687434170F6476605B8FE4AEB9A28632C7995CF3BA831D97634500000000ADCE000235BCC60A648B0B25F1F0550300013A'
+        // }
         let hexAttestationObjectMismatchingRpId: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVg4SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAK3OAAI1vMYKZIsLJfHwVQMAATo"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationObjectMismatchingRpId),
@@ -198,14 +289,30 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfUserPresentFlagIsNotSet() async throws {
-        let hexAttestationObjectMismatchingRpId: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVg4o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUdAAAAAAK3OAAI1vMYKZIsLJfHwVQMAATo"
+        // {
+        //   "fmt": "packed",
+        //   "attStmt": {
+        //     "alg": -7,
+        //     "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //   },
+        //   "authData": h'A379A6F6EEAFB9A55E378C118034E2751E682FAB9F2D30AB13D2125586CE19474000000000ADCE000235BCC60A648B0B25F1F0550300013A'
+        // }
+        let hexAttestationObjectUPFlagNotSet: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVg4o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUdAAAAAAK3OAAI1vMYKZIsLJfHwVQMAATo"
         try await assertThrowsError(
-            await finishRegistration(attestationObject: hexAttestationObjectMismatchingRpId),
+            await finishRegistration(attestationObject: hexAttestationObjectUPFlagNotSet),
             expect: WebAuthnError.userPresentFlagNotSet
         )
     }
 
     func testFinishRegistrationFailsIfUserVerificationFlagIsNotSetButRequired() async throws {
+        // {
+        //   "fmt": "packed",
+        //   "attStmt": {
+        //     "alg": -7,
+        //     "sig": h'3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C'
+        //   },
+        //   "authData": h'A379A6F6EEAFB9A55E378C118034E2751E682FAB9F2D30AB13D2125586CE19474100000000ADCE000235BCC60A648B0B25F1F0550300013A'
+        // }
         let hexAttestationObjectUVFlagNotSet: URLEncodedBase64 = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVg4o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUdBAAAAAK3OAAI1vMYKZIsLJfHwVQMAATo"
         try await assertThrowsError(
             await finishRegistration(
@@ -217,6 +324,13 @@ final class WebAuthnManagerTests: XCTestCase {
     }
 
     func testFinishRegistrationFailsIfAttFmtIsNoneButAttStmtIsIncluded() async throws {
+        // {
+        //   "fmt": "none",
+        //   "attStmt": {
+        //     "hello": "world"
+        //   },
+        //   "authData": h'A379A6F6EEAFB9A55E378C118034E2751E682FAB9F2D30AB13D2125586CE19474100000000A379A6F6EEAFB9A55E378C118034E27500010000'
+        // }
         let hexAttestationObjectAttStmtNoneWithAttStmt: URLEncodedBase64 = "o2NmbXRkbm9uZWdhdHRTdG10oWVoZWxsb2V3b3JsZGhhdXRoRGF0YVg5o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUdBAAAAAKN5pvbur7mlXjeMEYA04nUAAQAA"
         try await assertThrowsError(
             await finishRegistration(attestationObject: hexAttestationObjectAttStmtNoneWithAttStmt),
