Merge pull request Expensify#86292 from Expensify/passkey-transport-aaguid

Collect and persist aaguid and transports

Author: chuckdries

src/components/MultifactorAuthentication/biometrics/usePasskeys.ts

@@ -8,6 +8,7 @@ import {
     buildPublicKeyCredentialRequestOptions,
     createPasskeyCredential,
     decodeWebAuthnError,
+    extractAAGUID,
     isSupportedTransport,
     isWebAuthnSupported,
     PASSKEY_AUTH_TYPE,
@@ -76,12 +77,17 @@ function usePasskeys(): UseBiometricsReturn {
 
         const transports = attestationResponse.getTransports?.().filter(isSupportedTransport);
 
+        // getAuthenticatorData() is a WebAuthn Level 2 method — not available in older browsers.
+        // NOTE: A value of "00000000-0000-0000-0000-000000000000" is expected for Apple iCloud Keychain
+        const aaguid = attestationResponse.getAuthenticatorData ? extractAAGUID(attestationResponse.getAuthenticatorData()) : undefined;
+
         addLocalPasskeyCredential({
             userId,
             credential: {
                 id: credentialId,
                 type: CONST.PASSKEY_CREDENTIAL_TYPE,
                 transports,
+                aaguid,
             },
             existingCredentials: localPasskeyCredentials ?? null,
         });
@@ -92,6 +98,8 @@ function usePasskeys(): UseBiometricsReturn {
             keyInfo: {
                 rawId: credentialId,
                 type: CONST.PASSKEY_CREDENTIAL_TYPE,
+                transports,
+                aaguid,
                 response: {
                     clientDataJSON,
                     attestationObject,

src/libs/MultifactorAuthentication/Passkeys/WebAuthn.ts

@@ -1,4 +1,5 @@
 import type {ValueOf} from 'type-fest';
+import Log from '@libs/Log';
 import type {AuthenticationChallenge, RegistrationChallenge} from '@libs/MultifactorAuthentication/shared/challengeTypes';
 import MARQETA_VALUES from '@libs/MultifactorAuthentication/shared/MarqetaValues';
 import type {MultifactorAuthenticationReason} from '@libs/MultifactorAuthentication/shared/types';
@@ -111,13 +112,28 @@ function buildAllowedCredentialDescriptors(credentials: Array<{id: string; trans
         transports: c.transports?.filter(isSupportedTransport),
     }));
 }
+/**
+ * Extracts the AAGUID (Authenticator Attestation Globally Unique Identifier) from WebAuthn authenticatorData.
+ * The AAGUID occupies bytes 37-52: after rpIdHash (32 bytes), flags (1 byte), and signCount (4 bytes).
+ * Returns a UUID-formatted string, or empty string if authenticatorData is too short.
+ */
+function extractAAGUID(authData: ArrayBuffer): string | undefined {
+    const bytes = new Uint8Array(authData);
+    if (bytes.length < 53) {
+        return undefined;
+    }
+    const aaguidBytes = bytes.slice(37, 53);
+    const hex = Array.from(aaguidBytes, (b) => b.toString(16).padStart(2, '0')).join('');
+    return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16), hex.slice(16, 20), hex.slice(20, 32)].join('-');
+}
 
 function isWebAuthnReason(name: string): name is MultifactorAuthenticationReason {
     return Object.values<string>(VALUES.REASON.WEBAUTHN).includes(name);
 }
 
 /** Decodes WebAuthn DOMException errors and maps them to authentication error reasons. */
 function decodeWebAuthnError(error: unknown): MultifactorAuthenticationReason {
+    Log.info('[Passkey] WebAuthn error', false, {error: error instanceof Error ? error.message : String(error)});
     if (error instanceof DOMException && isWebAuthnReason(error.name)) {
         return error.name;
     }
@@ -136,5 +152,6 @@ export {
     authenticateWithPasskey,
     buildAllowedCredentialDescriptors,
     isSupportedTransport,
+    extractAAGUID,
     decodeWebAuthnError,
 };

src/libs/MultifactorAuthentication/Passkeys/types.ts

@@ -4,6 +4,8 @@
 type PasskeyRegistrationKeyInfo = {
     rawId: string;
     type: 'public-key';
+    transports?: string[];
+    aaguid?: string;
     response: {
         clientDataJSON: string;
         attestationObject: string;

src/libs/MultifactorAuthentication/shared/challengeTypes.ts

@@ -55,6 +55,7 @@ type AuthenticationChallenge = {
     allowCredentials: Array<{
         type: string;
         id: string;
+        transports?: string[];
     }>;
     userVerification: UserVerificationRequirement;
     timeout: number;

src/types/onyx/LocalPasskeyCredentialsEntry.ts

@@ -14,6 +14,9 @@ type PasskeyCredential = {
 
     /** Optional array of transport methods that can be used to communicate with the authenticator */
     transports?: PasskeyTransport[];
+
+    /** Authenticator model identifier (UUID). Identifies the authenticator provider (e.g. Apple Passwords, Google Password Manager). */
+    aaguid?: string;
 };
 
 /**

tests/actions/PasskeyTest.ts

@@ -64,6 +64,24 @@ describe('actions/Passkey', () => {
             expect(value).toEqual([{id: 'existing', type: CONST.PASSKEY_CREDENTIAL_TYPE, transports: [CONST.PASSKEY_TRANSPORT.INTERNAL]}, credential]);
         });
 
+        it('should store credential with aaguid field', async () => {
+            // Given a credential with an AAGUID
+            const credentialWithAAGUID: PasskeyCredential = {
+                id: 'cred-aaguid',
+                type: CONST.PASSKEY_CREDENTIAL_TYPE,
+                transports: [CONST.PASSKEY_TRANSPORT.INTERNAL],
+                aaguid: 'fbfc3007-154e-4ecc-8c0b-6e020557d7bd',
+            };
+
+            // When adding it to Onyx
+            addLocalPasskeyCredential({userId, credential: credentialWithAAGUID, existingCredentials: null});
+            await waitForBatchedUpdates();
+
+            // Then the AAGUID should be preserved in Onyx storage
+            const value = await getOnyxValue(getPasskeyOnyxKey(userId));
+            expect(value).toEqual([credentialWithAAGUID]);
+        });
+
         it('should throw error when credential with same id already exists', () => {
             // Given an existing entry that already contains a credential with the same id
             const existingCredentials: LocalPasskeyCredentialsEntry = [{id: 'cred-1', type: CONST.PASSKEY_CREDENTIAL_TYPE, transports: [CONST.PASSKEY_TRANSPORT.INTERNAL]}];
@@ -188,6 +206,20 @@ describe('actions/Passkey', () => {
             expect(value).toEqual([]);
         });
 
+        it('should preserve aaguid from local credentials', () => {
+            // Given a local credential with an AAGUID and a backend credential without it
+            const localCredentials: PasskeyCredential[] = [
+                {id: 'cred-1', type: CONST.PASSKEY_CREDENTIAL_TYPE, transports: [CONST.PASSKEY_TRANSPORT.INTERNAL], aaguid: 'fbfc3007-154e-4ecc-8c0b-6e020557d7bd'},
+            ];
+            const backendCredentials: BackendPasskeyCredential[] = [{id: 'cred-1', type: CONST.PASSKEY_CREDENTIAL_TYPE}];
+
+            // When reconciling with backend
+            const result = reconcileLocalPasskeysWithBackend({userId, backendCredentials, localCredentials});
+
+            // Then the local AAGUID should be preserved in the result
+            expect(result).toEqual(localCredentials);
+        });
+
         it('should preserve transports from local credentials', () => {
             // Given a local credential with multiple transports and a backend credential without transports
             const localCredentials: PasskeyCredential[] = [

tests/unit/libs/MultifactorAuthentication/Passkeys/WebAuthn.test.ts

@@ -0,0 +1,89 @@
+import {extractAAGUID} from '@libs/MultifactorAuthentication/Passkeys/WebAuthn';
+
+describe('MultifactorAuthentication Passkeys WebAuthn', () => {
+    describe('extractAAGUID', () => {
+        it('should return empty string when authenticatorData is too short', () => {
+            // Given authenticatorData shorter than 53 bytes (rpIdHash[32] + flags[1] + signCount[4] + AAGUID[16])
+            const shortData = new Uint8Array(37).buffer;
+
+            // When extracting the AAGUID
+            const result = extractAAGUID(shortData);
+
+            // Then it should return undefined
+            expect(result).toBeUndefined();
+        });
+
+        it('should extract all-zeros AAGUID from authenticatorData with zeroed AAGUID bytes', () => {
+            // Given authenticatorData with all-zero AAGUID at bytes 37-52
+            const authData = new Uint8Array(53);
+
+            // When extracting the AAGUID
+            const result = extractAAGUID(authData.buffer);
+
+            // Then it should return the all-zeros UUID
+            expect(result).toBe('00000000-0000-0000-0000-000000000000');
+        });
+
+        it('should extract Apple Passwords AAGUID correctly', () => {
+            // Given authenticatorData with Apple Passwords AAGUID (fbfc3007-154e-4ecc-8c0b-6e020557d7bd) at bytes 37-52
+            const authData = new Uint8Array(53);
+            const appleAAGUIDBytes = [0xfb, 0xfc, 0x30, 0x07, 0x15, 0x4e, 0x4e, 0xcc, 0x8c, 0x0b, 0x6e, 0x02, 0x05, 0x57, 0xd7, 0xbd];
+            authData.set(appleAAGUIDBytes, 37);
+
+            // When extracting the AAGUID
+            const result = extractAAGUID(authData.buffer);
+
+            // Then it should return the correctly formatted Apple Passwords UUID
+            expect(result).toBe('fbfc3007-154e-4ecc-8c0b-6e020557d7bd');
+        });
+
+        it('should extract Google Password Manager AAGUID correctly', () => {
+            // Given authenticatorData with Google Password Manager AAGUID (ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4)
+            const authData = new Uint8Array(53);
+            const googleAAGUIDBytes = [0xea, 0x9b, 0x8d, 0x66, 0x4d, 0x01, 0x1d, 0x21, 0x3c, 0xe4, 0xb6, 0xb4, 0x8c, 0xb5, 0x75, 0xd4];
+            authData.set(googleAAGUIDBytes, 37);
+
+            // When extracting the AAGUID
+            const result = extractAAGUID(authData.buffer);
+
+            // Then it should return the correctly formatted Google Password Manager UUID
+            expect(result).toBe('ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4');
+        });
+
+        it('should work with authenticatorData longer than 53 bytes', () => {
+            // Given authenticatorData that is much longer than the minimum (e.g., includes attested credential data)
+            const authData = new Uint8Array(200);
+            const aaguidBytes = [0xfb, 0xfc, 0x30, 0x07, 0x15, 0x4e, 0x4e, 0xcc, 0x8c, 0x0b, 0x6e, 0x02, 0x05, 0x57, 0xd7, 0xbd];
+            authData.set(aaguidBytes, 37);
+
+            // When extracting the AAGUID
+            const result = extractAAGUID(authData.buffer);
+
+            // Then it should still correctly extract the AAGUID
+            expect(result).toBe('fbfc3007-154e-4ecc-8c0b-6e020557d7bd');
+        });
+
+        it('should return empty string for exactly 52 bytes (one byte short)', () => {
+            // Given authenticatorData that is exactly one byte too short for AAGUID extraction
+            const authData = new Uint8Array(52).buffer;
+
+            // When extracting the AAGUID
+            const result = extractAAGUID(authData);
+
+            // Then it should return undefined
+            expect(result).toBeUndefined();
+        });
+
+        it('should handle exactly 53 bytes (minimum valid length)', () => {
+            // Given authenticatorData that is exactly 53 bytes (the minimum to contain a full AAGUID)
+            const authData = new Uint8Array(53);
+            authData.set([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10], 37);
+
+            // When extracting the AAGUID
+            const result = extractAAGUID(authData.buffer);
+
+            // Then it should return the correctly formatted UUID
+            expect(result).toBe('01020304-0506-0708-090a-0b0c0d0e0f10');
+        });
+    });
+});