From f2c9f8aaa83f187abdb957ccdaa0326dfd8e3bea Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Tue, 19 Mar 2024 18:13:35 +0100
Subject: [PATCH] Fix missing admin permissions on WebAuthn login - Closes #326

---
 .../Auth/WebAuthnLoginController.php          |  3 ++
 tests/Feature/Http/Auth/LoginTest.php         | 32 +++++++++--
 .../Http/Auth/WebAuthnLoginControllerTest.php | 53 +++++++++++++++++--
 3 files changed, 79 insertions(+), 9 deletions(-)

diff --git a/app/Http/Controllers/Auth/WebAuthnLoginController.php b/app/Http/Controllers/Auth/WebAuthnLoginController.php
index 2f8a1ed6..7bc4d817 100644
--- a/app/Http/Controllers/Auth/WebAuthnLoginController.php
+++ b/app/Http/Controllers/Auth/WebAuthnLoginController.php
@@ -147,8 +147,11 @@ class WebAuthnLoginController extends Controller
 
         return response()->json([
             'message'     => 'authenticated',
+            'id'          => $user->id,
             'name'        => $user->name,
+            'email'       => $user->email,
             'preferences' => $user->preferences,
+            'is_admin'    => $user->isAdministrator(),
         ], Response::HTTP_OK);
     }
 
diff --git a/tests/Feature/Http/Auth/LoginTest.php b/tests/Feature/Http/Auth/LoginTest.php
index f10ceea3..ca85c984 100644
--- a/tests/Feature/Http/Auth/LoginTest.php
+++ b/tests/Feature/Http/Auth/LoginTest.php
@@ -28,6 +28,11 @@ class LoginTest extends FeatureTestCase
      */
     protected $user;
 
+    /**
+     * @var \App\Models\User|\Illuminate\Contracts\Auth\Authenticatable
+     */
+    protected $admin;
+
     private const PASSWORD = 'password';
 
     private const WRONG_PASSWORD = 'wrong_password';
@@ -39,7 +44,8 @@ class LoginTest extends FeatureTestCase
     {
         parent::setUp();
 
-        $this->user = User::factory()->create();
+        $this->user  = User::factory()->create();
+        $this->admin = User::factory()->administrator()->create();
     }
 
     /**
@@ -53,16 +59,32 @@ class LoginTest extends FeatureTestCase
         ])
             ->assertOk()
             ->assertJsonFragment([
-                'message' => 'authenticated',
-                'name'    => $this->user->name,
+                'message'  => 'authenticated',
+                'id'       => $this->user->id,
+                'name'     => $this->user->name,
+                'email'    => $this->user->email,
+                'is_admin' => false,
             ])
             ->assertJsonStructure([
-                'message',
-                'name',
                 'preferences',
             ]);
     }
 
+    /**
+     * @test
+     */
+    public function test_admin_login_returns_admin_role()
+    {
+        $response = $this->json('POST', '/user/login', [
+            'email'    => $this->admin->email,
+            'password' => self::PASSWORD,
+        ])
+            ->assertOk()
+            ->assertJsonFragment([
+                'is_admin' => true,
+            ]);
+    }
+
     /**
      * @test
      *
diff --git a/tests/Feature/Http/Auth/WebAuthnLoginControllerTest.php b/tests/Feature/Http/Auth/WebAuthnLoginControllerTest.php
index 536cee50..5b0bc936 100644
--- a/tests/Feature/Http/Auth/WebAuthnLoginControllerTest.php
+++ b/tests/Feature/Http/Auth/WebAuthnLoginControllerTest.php
@@ -25,6 +25,11 @@ class WebAuthnLoginControllerTest extends FeatureTestCase
      */
     protected $user;
 
+    /**
+     * @var \App\Models\User
+     */
+    protected $admin;
+
     const CREDENTIAL_ID = 's06aG41wsIYh5X1YUhB-SlH8y3F2RzdJZVse8iXRXOCd3oqQdEyCOsBawzxrYBtJRQA2azAMEN_q19TUp6iMgg';
 
     const CREDENTIAL_ID_ALT = '-VOLFKPY-_FuMI_sJ7gMllK76L3VoRUINj6lL_Z3qDg';
@@ -125,16 +130,56 @@ class WebAuthnLoginControllerTest extends FeatureTestCase
         $this->json('POST', '/webauthn/login', self::ASSERTION_RESPONSE)
             ->assertOk()
             ->assertJsonFragment([
-                'message' => 'authenticated',
-                'name'    => $this->user->name,
+                'message'  => 'authenticated',
+                'id'       => $this->user->id,
+                'name'     => $this->user->name,
+                'email'    => $this->user->email,
+                'is_admin' => false,
             ])
             ->assertJsonStructure([
-                'message',
-                'name',
                 'preferences',
             ]);
     }
 
+    /**
+     * @test
+     */
+    public function test_webauthn_admin_login_returns_admin_role()
+    {
+        $this->admin = User::factory()->administrator()->create(['email' => self::EMAIL]);
+
+        DB::table('webauthn_credentials')->insert([
+            'id'                   => self::CREDENTIAL_ID_ALT,
+            'authenticatable_type' => \App\Models\User::class,
+            'authenticatable_id'   => $this->admin->id,
+            'user_id'              => self::USER_ID_ALT,
+            'counter'              => 0,
+            'rp_id'                => 'http://localhost',
+            'origin'               => 'http://localhost',
+            'aaguid'               => '00000000-0000-0000-0000-000000000000',
+            'attestation_format'   => 'none',
+            'public_key'           => self::PUBLIC_KEY,
+            'updated_at'           => now(),
+            'created_at'           => now(),
+        ]);
+
+        $this->session(['_webauthn' => new \Laragear\WebAuthn\Challenge(
+            new \Laragear\WebAuthn\ByteBuffer(base64_decode(self::ASSERTION_CHALLENGE)),
+            60,
+            false,
+        )]);
+
+        $this->mock(AssertionValidator::class)
+            ->expects('send->thenReturn')
+            ->andReturn();
+
+        $this->json('POST', '/webauthn/login', self::ASSERTION_RESPONSE)
+            ->assertOk()
+            ->assertJsonFragment([
+                'is_admin' => true,
+            ]);
+    }
+
     /**
      * @test
      */