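<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/device-bound-session-credentials/helper.js" type="module"></script>

<script type="module">
import {
  addCookieAndSessionCleanup,
  configureServer,
  documentHasCookie,
  expireCookie,
  setupShardedServerState,
  waitForCookie
} from "/device-bound-session-credentials/helper.js";

// Federated device-bound sessions.
//
// A "provider" session is established on the test origin. A "relying"
// session is then registered from a subdomain and asks to reuse the
// provider session's key instead of minting its own. For that to be
// accepted, the relying registration has to name the right provider
// session id and the right key thumbprint, and the relying host has to
// be one the provider authorizes (the last test's title attributes this
// to the provider's .well-known; that configuration lives server-side
// and is not visible in this file). Each of the three conditions gets a
// negative test below, and the success case additionally checks that a
// refresh still works and that the relying session really shares the
// provider's key.

// Start a provider session on the test origin and wait until its cookie
// is visible to the document. `t` is accepted for call-site symmetry
// with the other helpers but is not used here.
async function registerProviderSession(t) {
  const expectedCookieAndValue = "auth_cookie=abcdef0123";

  // Prompt starting a session, and wait until registration completes.
  const loginResponse = await fetch('login.py');
  assert_equals(loginResponse.status, 200);
  await waitForCookie(expectedCookieAndValue, /*expectCookie=*/true);
}

// Return the key thumbprint the server recorded for session `id`.
async function getKey(id) {
  // `id` normally comes from the server's own JSON, but encode it so an
  // unexpected character cannot alter the query string.
  const keyResponse = await fetch(`get_key.py?${encodeURIComponent(id)}`);
  assert_equals(keyResponse.status, 200);
  return keyResponse.text();
}

// Return the ids of every session the server currently knows about.
async function getSessionIds() {
  const response = await fetch('get_session_ids.py');
  assert_equals(response.status, 200);
  return response.json();
}

// Shared preamble for every test: register cleanup, reset server state,
// start a provider session and confirm it is the only session known to
// the server. Returns the provider session id.
async function setupProviderSession(t) {
  addCookieAndSessionCleanup(t);

  await setupShardedServerState();

  await registerProviderSession(t);
  const sessionIds = await getSessionIds();
  assert_equals(sessionIds.length, 1);
  return sessionIds[0];
}

// Register a relying session from `host` that claims the provider session
// `sessionId` with key thumbprint `key`.
//
// If `expectSuccess` is true, the relying cookie must appear, a refresh
// must still produce it after it is expired, and the server must report
// exactly one extra session whose key equals the provider's. If
// `expectSuccess` is false, the relying cookie must never appear.
//
// NOTE(review): in the rejection case only the absence of the cookie is
// checked; whether the server recorded a (non-federated) relying session
// is not verified here, and whether one could be recorded depends on
// server behaviour not visible in this file.
async function registerRelyingSession(t, host, sessionId, key, expectSuccess) {
  const expectedCookieAndValue = "relying_auth_cookie=abcdef0123";
  const expectedCookieAttributes = `Domain=${location.hostname};Path=/device-bound-session-credentials`;
  const expectedCookieAndAttributes = `${expectedCookieAndValue};${expectedCookieAttributes}`;

  // Despite registration happening on a subdomain, make the session
  // visible on the parent domain. This makes it easier to test for
  // its presence.
  await configureServer({
    cookieDetails: [
      {
        nameAndValue: expectedCookieAndValue,
        attributes: expectedCookieAttributes,
      }
    ],
    scopeOrigin: location.origin,
    providerUrl: location.origin + "/",
    providerSessionId: sessionId,
    providerKey: key
  });

  // Prompt starting a session, and wait until registration completes.
  // The login is cross-origin (subdomain), so cookies have to be sent
  // explicitly.
  const loginResponse = await fetch(`https://${host}/device-bound-session-credentials/login.py`, {credentials: "include"});
  assert_equals(loginResponse.status, 200);
  await waitForCookie(expectedCookieAndValue, /*expectCookie=*/expectSuccess);

  if (!expectSuccess) {
    return;
  }

  // Confirm that expiring the cookie still leads to a request with the cookie set (refresh occurs).
  expireCookie(expectedCookieAndAttributes);
  assert_false(documentHasCookie(expectedCookieAndValue));
  const authResponse = await fetch('verify_authenticated.py', {
    method: 'POST',
    body: expectedCookieAndValue
  });
  assert_equals(authResponse.status, 200);
  assert_true(documentHasCookie(expectedCookieAndValue));

  // Confirm that the relying session shares keys: exactly one session
  // besides the provider's exists, and its key thumbprint matches the
  // provider's.
  const sessionIds = await getSessionIds();
  const relyingSessionIds = sessionIds.filter(id => id !== sessionId);
  assert_equals(relyingSessionIds.length, 1);
  const relyingSessionId = relyingSessionIds[0];

  const newKey = await getKey(relyingSessionId);
  assert_equals(key, newKey);
}

promise_test(async t => {
  const providerSessionId = await setupProviderSession(t);

  const keyThumbprint = await getKey(providerSessionId);
  await registerRelyingSession(t, "www." + location.host, providerSessionId, keyThumbprint, /*expectSuccess=*/true);
}, "Successful federated session registration");

promise_test(async t => {
  const providerSessionId = await setupProviderSession(t);

  // Correct provider session id, but a thumbprint that does not match the
  // provider key: the federation must be rejected.
  await registerRelyingSession(t, "www." + location.host, providerSessionId, "not-the-thumbprint", /*expectSuccess=*/false);
}, "Invalid thumbprint");

promise_test(async t => {
  const providerSessionId = await setupProviderSession(t);

  // Correct thumbprint, but a provider session id the provider never
  // issued: the federation must be rejected.
  const keyThumbprint = await getKey(providerSessionId);
  await registerRelyingSession(t, "www." + location.host, "not-the-session-id", keyThumbprint, /*expectSuccess=*/false);
}, "Invalid provider session id");

promise_test(async t => {
  const providerSessionId = await setupProviderSession(t);

  // Correct id and thumbprint, but from a host the provider does not
  // authorize (www1 rather than www): the federation must be rejected.
  const keyThumbprint = await getKey(providerSessionId);
  await registerRelyingSession(t, "www1." + location.host, providerSessionId, keyThumbprint, /*expectSuccess=*/false);
}, "Not authorized by .well-known");
</script>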