      1 <!DOCTYPE html>
      2 <meta charset="utf-8">
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="helper.js" type="module"></script>
      6 
      7 <script type="module">
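      import { expireCookie, waitForCookie, addCookieAndSessionCleanup, configureServer, setupShardedServerState, documentHasCookie } from "./helper.js";

      // Cookie the server sets when a session refresh succeeds; the tests expire
      // it and check whether the browser restores it.
      const expectedCookieAndValue = "auth_cookie=abcdef0123";
      // Marker cookie the server attaches to the registration response. In the
      // failing case registration leaves no cookie of its own, so this is the
      // only signal that the registration response was received.
      const registrationDoneCookie = "dbsc_registration=done";

      /**
       * Shared flow for both tests: configure the server so that the registration
       * response carries a challenge, trigger registration through login, expire
       * the auth cookie, and then check whether the browser attempts a refresh.
       *
       * @param {object} t - testharness test object, used to register cleanup.
       * @param {object} options
       * @param {object} options.serverConfig - extra configureServer() flags that
       *   control when the challenge is sent relative to the session instructions.
       * @param {boolean} options.expectRefresh - true when registration is expected
       *   to succeed, so expiring the cookie triggers a refresh that restores it;
       *   false when registration is expected to fail, so no refresh happens and
       *   the cookie stays absent.
       */
      async function runRegistrationChallengeTest(t, { serverConfig, expectRefresh }) {
        await setupShardedServerState();
        const expectedCookieAndAttributes = `${expectedCookieAndValue};Domain=${location.hostname};Path=/device-bound-session-credentials`;
        addCookieAndSessionCleanup(t);

        await configureServer({
          ...serverConfig,
          registrationExtraCookies: [
            {
              nameAndValue: registrationDoneCookie,
            }
          ]
        });

        // Prompt starting a session, and wait until registration completes.
        const loginResponse = await fetch('login.py');
        assert_equals(loginResponse.status, 200);
        await waitForCookie(registrationDoneCookie, /*expectCookie=*/true);

        // Expire the auth cookie and observe whether the browser refreshes it.
        expireCookie(expectedCookieAndAttributes);
        assert_false(documentHasCookie(expectedCookieAndValue));
        const authResponseAfterExpiry = await fetch('verify_authenticated.py');
        if (expectRefresh) {
          // The server verifies during refresh that the challenge value is the
          // custom one set at registration time.
          assert_equals(authResponseAfterExpiry.status, 200);
          assert_true(documentHasCookie(expectedCookieAndValue));
        } else {
          // No session was established, so nothing refreshes the cookie and the
          // request stays unauthenticated.
          assert_equals(authResponseAfterExpiry.status, 403);
          assert_false(documentHasCookie(expectedCookieAndValue));
        }
      }

      promise_test(t => runRegistrationChallengeTest(t, {
        // A challenge sent before the session instructions (the 403 case named
        // in the test title) must not be treated as a completed registration.
        serverConfig: { registrationSendsChallengeBeforeInstructions: true },
        expectRefresh: false,
      }), "Registration can't send back 403 with challenge");

      promise_test(t => runRegistrationChallengeTest(t, {
        // A challenge sent together with the session instructions is accepted,
        // and the later refresh is expected to use that challenge.
        serverConfig: { registrationSendsChallengeWithInstructions: true },
        expectRefresh: true,
      }), "Registration can send back challenge with session instructions");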
     73 </script>