Patch soft_webauthn module bit flags with a dirty hack!

eidorb · eidorb · commit 0604f915eba2 · 2025-05-30T16:14:42.000+10:00
- i only need to patch 2 characters in the original source,
  so this has less overhead than overriding both methods.
- create tests directory
- tests patch applied by looking at compiled code objects
- new tests dir for more than one tests module
diff --git a/soft_webauthn_patched.py b/soft_webauthn_patched.py
@@ -0,0 +1,39 @@
+"""
+Patches the source of soft_webauthn module so that user verification (UV) bits
+are always set.
+
+"How to modify imported source code on-the-fly?": https://stackoverflow.com/a/41863728/1660046
+"""
+
+import sys
+from importlib import util
+
+
+def modify_and_import(module_name, package, modification_func):
+    spec = util.find_spec(module_name, package)
+    source = spec.loader.get_source(module_name)
+    new_source = modification_func(source)
+    module = util.module_from_spec(spec)
+    codeobj = compile(new_source, module.__spec__.origin, "exec")
+    exec(codeobj, module.__dict__)
+    sys.modules[module_name] = module
+    return module
+
+
+def patch_flags(source: str):
+    """Enables User Verification (UV) bit in create() and get() methods' bit flags.
+
+    Bit flag info: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/Authenticator_data
+    """
+    source = (
+        source
+        # patch bit flags in .create()
+        .replace(r"flags = b'\x41'", r"flags = b'\x45'")
+        # and .get()
+        .replace(r"flags = b'\x01'", r"flags = b'\x05'")
+    )
+    return source
+
+
+soft_webauthn = modify_and_import("soft_webauthn", "soft_webauthn", patch_flags)
+SoftWebauthnDevice = soft_webauthn.SoftWebauthnDevice
diff --git a/tests/test_soft_webauthn_patched.py b/tests/test_soft_webauthn_patched.py
@@ -0,0 +1,7 @@
+from soft_webauthn_patched import SoftWebauthnDevice
+
+
+def test_patch():
+    """Asserts bit flags are patched as expected."""
+    assert b"\x45" in SoftWebauthnDevice.create.__code__.co_consts
+    assert b"\x05" in SoftWebauthnDevice.get.__code__.co_consts
diff --git a/tests/test_ubank.py b/tests/test_ubank.py
@@ -2,14 +2,13 @@
 from datetime import date
 
 import pytest
-from cryptography.hazmat.primitives import serialization
 from httpx import HTTPStatusError
 
 from ubank import (
     Api,
     Passkey,
+    SoftWebauthnDevice,
     TransactionsSearchBody,
-    UserVerifiedDevice,
     __version__,
     add_passkey,
     int8array_to_bytes,
@@ -144,7 +143,7 @@ def test_passkey_serialization(tmp_path):
         passkey.dump(f, password="")
     with (tmp_path / "passkey.txt").open("rb") as f:
         deserialized_passkey = Passkey.load(f, password="")
-    assert type(deserialized_passkey.soft_webauthn_device) is UserVerifiedDevice
+    assert type(deserialized_passkey.soft_webauthn_device) is SoftWebauthnDevice
 
 
 def test_add_passkey_bad_username():
diff --git a/ubank.py b/ubank.py
@@ -21,7 +21,6 @@
 from typing import IO, AnyStr, Optional
 
 import httpx
-import soft_webauthn
 from cryptography.fernet import Fernet
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
@@ -30,7 +29,8 @@
 from meatie import endpoint
 from meatie_httpx import Client as MeatieClient
 from pydantic import BaseModel, Field
-from soft_webauthn import SoftWebauthnDevice
+
+from soft_webauthn_patched import SoftWebauthnDevice
 
 __version__ = "2.1.0"
 
@@ -258,7 +258,7 @@ def __init__(self, name: str):
         self.device_id = device_id
         self.device_meta = device_meta
         self.username = username
-        self.soft_webauthn_device = UserVerifiedDevice()
+        self.soft_webauthn_device = SoftWebauthnDevice()
 
     def dump(self, file: IO[bytes], password: str = ""):
         """Serializes passkey to file, encrypted with a password.
@@ -306,118 +306,6 @@ def load(cls, file: IO[AnyStr], password: str = "") -> Passkey:
         return passkey
 
 
-class UserVerifiedDevice(SoftWebauthnDevice):
-    """Software webauthn device with UV bit flag ALWAYS set."""
-
-    def create(self, options, origin):
-        """IDENTICAL to super().create(), except User Verification flag set."""
-        if {"alg": -7, "type": "public-key"} not in options["publicKey"][
-            "pubKeyCredParams"
-        ]:
-            raise ValueError(
-                "Requested pubKeyCredParams does not contain supported type"
-            )
-
-        if ("attestation" in options["publicKey"]) and (
-            options["publicKey"]["attestation"] not in [None, "none"]
-        ):
-            raise ValueError("Only none attestation supported")
-
-        # prepare new key
-        self.cred_init(
-            options["publicKey"]["rp"]["id"], options["publicKey"]["user"]["id"]
-        )
-
-        # generate credential response
-        client_data = {
-            "type": "webauthn.create",
-            "challenge": soft_webauthn.urlsafe_b64encode(
-                options["publicKey"]["challenge"]
-            )
-            .decode("ascii")
-            .rstrip("="),
-            "origin": origin,
-        }
-
-        rp_id_hash = soft_webauthn.sha256(self.rp_id.encode("ascii"))
-        # Set Bit 2, User Verification (UV) also.
-        # https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/Authenticator_data
-        flags = b"\x45"  # attested_data + user_present + user_verified
-        sign_count = soft_webauthn.pack(">I", self.sign_count)
-        credential_id_length = soft_webauthn.pack(">H", len(self.credential_id))
-        cose_key = soft_webauthn.cbor.encode(
-            soft_webauthn.ES256.from_cryptography_key(self.private_key.public_key())
-        )
-        attestation_object = {
-            "authData": rp_id_hash
-            + flags
-            + sign_count
-            + self.aaguid
-            + credential_id_length
-            + self.credential_id
-            + cose_key,
-            "fmt": "none",
-            "attStmt": {},
-        }
-
-        return {
-            "id": soft_webauthn.urlsafe_b64encode(self.credential_id),
-            "rawId": self.credential_id,
-            "response": {
-                "clientDataJSON": json.dumps(client_data).encode("utf-8"),
-                "attestationObject": soft_webauthn.cbor.encode(attestation_object),
-            },
-            "type": "public-key",
-        }
-
-    def get(self, options, origin):
-        """IDENTICAL to super().create(), except User Verification flag set."""
-
-        if self.rp_id != options["publicKey"]["rpId"]:
-            raise ValueError("Requested rpID does not match current credential")
-
-        self.sign_count += 1
-
-        # prepare signature
-        client_data = json.dumps(
-            {
-                "type": "webauthn.get",
-                "challenge": soft_webauthn.urlsafe_b64encode(
-                    options["publicKey"]["challenge"]
-                )
-                .decode("ascii")
-                .rstrip("="),
-                "origin": origin,
-            }
-        ).encode("utf-8")
-        client_data_hash = soft_webauthn.sha256(client_data)
-
-        rp_id_hash = soft_webauthn.sha256(self.rp_id.encode("ascii"))
-        # Set Bit 2, User Verification (UV) also.
-        # https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/Authenticator_data
-        flags = b"\x05"
-        sign_count = soft_webauthn.pack(">I", self.sign_count)
-        authenticator_data = rp_id_hash + flags + sign_count
-
-        signature = self.private_key.sign(
-            authenticator_data + client_data_hash,
-            soft_webauthn.ec.ECDSA(soft_webauthn.hashes.SHA256()),
-        )
-
-        # generate assertion
-        return {
-            "id": soft_webauthn.urlsafe_b64encode(self.credential_id),
-            "rawId": self.credential_id,
-            "response": {
-                "authenticatorData": authenticator_data,
-                "clientDataJSON": client_data,
-                "signature": signature,
-                "userHandle": self.user_handle,
-            },
-            "type": "public-key",
-        }
-
-
 class Api(MeatieClient):
     """A ubank API client.
 
@@ -853,7 +741,7 @@ def add_passkey(username: str, password: str, passkey_name: str) -> Passkey:
         return passkey
 
 
-def to_dict(device: UserVerifiedDevice) -> dict:
+def to_dict(device: SoftWebauthnDevice) -> dict:
     """Converts SoftWebauthnDevice instance to dict with serialized private key."""
     serialized_private_key = (
         device.private_key.private_bytes(
@@ -874,9 +762,9 @@ def to_dict(device: UserVerifiedDevice) -> dict:
     }
 
 
-def from_dict(device_dict: dict) -> UserVerifiedDevice:
+def from_dict(device_dict: dict) -> SoftWebauthnDevice:
     """Returns device instantiated from dict."""
-    device = UserVerifiedDevice()
+    device = SoftWebauthnDevice()
     device.credential_id = device_dict["credential_id"]
     device.private_key = serialization.load_pem_private_key(
         device_dict["serialized_private_key"],
