Merge pull request #46 from dimitribouniol/dimitri/timout-ambiguity

Author: 0xTim

Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift

@@ -17,16 +17,20 @@ import Foundation
 /// The `PublicKeyCredentialRequestOptions` gets passed to the WebAuthn API (`navigator.credentials.get()`)
 ///
 /// When encoding using `Encodable`, the byte arrays are encoded as base64url.
+///
+/// - SeeAlso: https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options
 public struct PublicKeyCredentialRequestOptions: Encodable {
     /// A challenge that the authenticator signs, along with other data, when producing an authentication assertion
     ///
     /// When encoding using `Encodable` this is encoded as base64url.
     public let challenge: [UInt8]
 
-    /// The number of milliseconds that the Relying Party is willing to wait for the call to complete. The value is treated
-    /// as a hint, and may be overridden by the client.
+    /// A time, in seconds, that the caller is willing to wait for the call to complete. This is treated as a
+    /// hint, and may be overridden by the client.
+    ///
+    /// - Note: When encoded, this value is represented in milleseconds as a ``UInt32``.
     /// See https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options
-    public let timeout: UInt32?
+    public let timeout: Duration?
 
     /// The Relying Party ID.
     public let rpId: String?
@@ -43,7 +47,7 @@ public struct PublicKeyCredentialRequestOptions: Encodable {
         var container = encoder.container(keyedBy: CodingKeys.self)
 
         try container.encode(challenge.base64URLEncodedString(), forKey: .challenge)
-        try container.encodeIfPresent(timeout, forKey: .timeout)
+        try container.encodeIfPresent(timeout?.milliseconds, forKey: .timeout)
         try container.encodeIfPresent(rpId, forKey: .rpId)
         try container.encodeIfPresent(allowCredentials, forKey: .allowCredentials)
         try container.encodeIfPresent(userVerification, forKey: .userVerification)

Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift

@@ -12,10 +12,14 @@
 //
 //===----------------------------------------------------------------------===//
 
+import Foundation
+
 /// The `PublicKeyCredentialCreationOptions` gets passed to the WebAuthn API (`navigator.credentials.create()`)
 ///
 /// Generally this should not be created manually. Instead use `RelyingParty.beginRegistration()`. When encoding using
 /// `Encodable` byte arrays are base64url encoded.
+///
+/// - SeeAlso: https://www.w3.org/TR/webauthn-2/#dictionary-makecredentialoptions
 public struct PublicKeyCredentialCreationOptions: Encodable {
     /// A byte array randomly generated by the Relying Party. Should be at least 16 bytes long to ensure sufficient
     /// entropy.
@@ -34,9 +38,11 @@ public struct PublicKeyCredentialCreationOptions: Encodable {
     /// preferred.
     public let publicKeyCredentialParameters: [PublicKeyCredentialParameters]
 
-    /// A time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a
+    /// A time, in seconds, that the caller is willing to wait for the call to complete. This is treated as a
     /// hint, and may be overridden by the client.
-    public let timeoutInMilliseconds: UInt32?
+    ///
+    /// - Note: When encoded, this value is represented in milleseconds as a ``UInt32``.
+    public let timeout: Duration?
 
     /// Sets the Relying Party's preference for attestation conveyance. At the time of writing only `none` is
     /// supported.
@@ -49,7 +55,7 @@ public struct PublicKeyCredentialCreationOptions: Encodable {
         try container.encode(user, forKey: .user)
         try container.encode(relyingParty, forKey: .relyingParty)
         try container.encode(publicKeyCredentialParameters, forKey: .publicKeyCredentialParameters)
-        try container.encodeIfPresent(timeoutInMilliseconds, forKey: .timeoutInMilliseconds)
+        try container.encodeIfPresent(timeout?.milliseconds, forKey: .timeout)
         try container.encode(attestation, forKey: .attestation)
     }
 
@@ -58,7 +64,7 @@ public struct PublicKeyCredentialCreationOptions: Encodable {
         case user
         case relyingParty = "rp"
         case publicKeyCredentialParameters = "pubKeyCredParams"
-        case timeoutInMilliseconds = "timeout"
+        case timeout
         case attestation
     }
 }

Sources/WebAuthn/Helpers/Duration+Milliseconds.swift

@@ -0,0 +1,21 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+extension Duration {
+    /// The value of a positive duration in milliseconds, suitable to be encoded in WebAuthn types.
+    var milliseconds: Int64 {
+        let (seconds, attoseconds) = self.components
+        return Int64(seconds * 1000) + Int64(attoseconds/1_000_000_000_000_000)
+    }
+}

Sources/WebAuthn/WebAuthnManager.swift

@@ -47,31 +47,26 @@ public struct WebAuthnManager {
     /// This method will use the Relying Party information from the WebAuthnManager's config  to create ``PublicKeyCredentialCreationOptions``
     /// - Parameters:
     ///   - user: The user to register.
-    ///   - timeoutInSeconds: How long the browser should give the user to choose an authenticator. This value
+    ///   - timeout: How long the browser should give the user to choose an authenticator. This value
     ///     is a *hint* and may be ignored by the browser. Defaults to 60 seconds.
     ///   - attestation: The Relying Party's preference regarding attestation. Defaults to `.none`.
     ///   - publicKeyCredentialParameters: A list of public key algorithms the Relying Party chooses to restrict
     ///     support to. Defaults to all supported algorithms.
     /// - Returns: Registration options ready for the browser.
     public func beginRegistration(
         user: PublicKeyCredentialUserEntity,
-        timeoutInSeconds: TimeInterval? = 3600,
+        timeout: Duration? = .seconds(3600),
         attestation: AttestationConveyancePreference = .none,
         publicKeyCredentialParameters: [PublicKeyCredentialParameters] = .supported
     ) -> PublicKeyCredentialCreationOptions {
         let challenge = challengeGenerator.generate()
 
-        var timeoutInMilliseconds: UInt32?
-        if let timeoutInSeconds {
-            timeoutInMilliseconds = UInt32(timeoutInSeconds * 1000)
-        }
-
         return PublicKeyCredentialCreationOptions(
             challenge: challenge,
             user: user,
             relyingParty: .init(id: config.relyingPartyID, name: config.relyingPartyName),
             publicKeyCredentialParameters: publicKeyCredentialParameters,
-            timeoutInMilliseconds: timeoutInMilliseconds,
+            timeout: timeout,
             attestation: attestation
         )
     }
@@ -139,18 +134,15 @@ public struct WebAuthnManager {
     ///     "user verified" flag.
     /// - Returns: Authentication options ready for the browser.
     public func beginAuthentication(
-        timeout: TimeInterval? = 60,
+        timeout: Duration? = .seconds(60),
         allowCredentials: [PublicKeyCredentialDescriptor]? = nil,
         userVerification: UserVerificationRequirement = .preferred
     ) throws -> PublicKeyCredentialRequestOptions {
         let challenge = challengeGenerator.generate()
-        var timeoutInMilliseconds: UInt32? = nil
-        if let timeout {
-            timeoutInMilliseconds = UInt32(timeout * 1000)
-        }
+
         return PublicKeyCredentialRequestOptions(
             challenge: challenge,
-            timeout: timeoutInMilliseconds,
+            timeout: timeout,
             rpId: config.relyingPartyID,
             allowCredentials: allowCredentials,
             userVerification: userVerification

Tests/WebAuthnTests/DurationTests.swift

@@ -0,0 +1,25 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import XCTest
+@testable import WebAuthn
+
+final class DurationTests: XCTestCase {
+    func testMilliseconds() throws {
+        XCTAssertEqual(Duration.milliseconds(1234).milliseconds, 1234)
+        XCTAssertEqual(Duration.milliseconds(-1234).milliseconds, -1234)
+        XCTAssertEqual(Duration.microseconds(12345).milliseconds, 12)
+        XCTAssertEqual(Duration.microseconds(-12345).milliseconds, -12)
+    }
+}

Tests/WebAuthnTests/WebAuthnManagerAuthenticationTests.swift

@@ -37,13 +37,13 @@ final class WebAuthnManagerAuthenticationTests: XCTestCase {
     func testBeginAuthentication() async throws {
         let allowCredentials: [PublicKeyCredentialDescriptor] = [.init(type: "public-key", id: [1, 0, 2, 30])]
         let options = try webAuthnManager.beginAuthentication(
-            timeout: 1234,
+            timeout: .seconds(1234),
             allowCredentials: allowCredentials,
             userVerification: .preferred
         )
 
         XCTAssertEqual(options.challenge, challenge)
-        XCTAssertEqual(options.timeout, 1234000)    // timeout converted to milliseconds
+        XCTAssertEqual(options.timeout, .seconds(1234))
         XCTAssertEqual(options.rpId, relyingPartyID)
         XCTAssertEqual(options.allowCredentials, allowCredentials)
         XCTAssertEqual(options.userVerification, .preferred)

Tests/WebAuthnTests/WebAuthnManagerIntegrationTests.swift

@@ -31,13 +31,13 @@ final class WebAuthnManagerIntegrationTests: XCTestCase {
 
         // Step 1.: Begin Registration
         let mockUser = PublicKeyCredentialUserEntity.mock
-        let timeout: TimeInterval = 1234
+        let timeout: Duration = .seconds(1234)
         let attestationPreference = AttestationConveyancePreference.none
         let publicKeyCredentialParameters: [PublicKeyCredentialParameters] = .supported
 
         let registrationOptions = webAuthnManager.beginRegistration(
             user: mockUser,
-            timeoutInSeconds: timeout,
+            timeout: timeout,
             attestation: attestationPreference,
             publicKeyCredentialParameters: publicKeyCredentialParameters
         )
@@ -49,7 +49,7 @@ final class WebAuthnManagerIntegrationTests: XCTestCase {
         XCTAssertEqual(registrationOptions.attestation, attestationPreference)
         XCTAssertEqual(registrationOptions.relyingParty.id, config.relyingPartyID)
         XCTAssertEqual(registrationOptions.relyingParty.name, config.relyingPartyName)
-        XCTAssertEqual(registrationOptions.timeoutInMilliseconds, UInt32(timeout * 1000))
+        XCTAssertEqual(registrationOptions.timeout, timeout)
         XCTAssertEqual(registrationOptions.publicKeyCredentialParameters, publicKeyCredentialParameters)
 
         // Now send `registrationOptions` to client, which in turn will send the authenticator's response back to us:
@@ -93,7 +93,7 @@ final class WebAuthnManagerIntegrationTests: XCTestCase {
         XCTAssertEqual(credential.publicKey, mockCredentialPublicKey)
 
         // Step 3.: Begin Authentication
-        let authenticationTimeout: TimeInterval = 4567
+        let authenticationTimeout: Duration = .seconds(4567)
         let userVerification: UserVerificationRequirement = .preferred
         let rememberedCredentials = [PublicKeyCredentialDescriptor(
             type: "public-key",
@@ -107,7 +107,7 @@ final class WebAuthnManagerIntegrationTests: XCTestCase {
         )
 
         XCTAssertEqual(authenticationOptions.rpId, config.relyingPartyID)
-        XCTAssertEqual(authenticationOptions.timeout, UInt32(authenticationTimeout * 1000)) // timeout is in milliseconds
+        XCTAssertEqual(authenticationOptions.timeout, authenticationTimeout)
         XCTAssertEqual(authenticationOptions.challenge, mockChallenge)
         XCTAssertEqual(authenticationOptions.userVerification, userVerification)
         XCTAssertEqual(authenticationOptions.allowCredentials, rememberedCredentials)