Merge pull request #38 from cartridge-gg/fix-webauthn-set

Auth check `set_webauthn_pub_key`

crates/account_sdk/src/tests/webauthn/mod.rs

@@ -9,7 +9,7 @@ use starknet::{
 use crate::abigen::account::WebauthnPubKey;
 use crate::abigen::account::WebauthnSignature;
 use crate::{
-    tests::runners::devnet_runner::DevnetRunner,
+    tests::runners::katana_runner::KatanaRunner,
     webauthn_signer::{cairo_args::VerifyWebauthnSignerArgs, P256r1Signer},
 };
 
@@ -19,7 +19,7 @@ async fn test_set_webauthn_public_key() {
     let origin = "localhost".to_string();
     let signer = P256r1Signer::random(origin.clone());
 
-    let data = utils::WebauthnTestData::<DevnetRunner>::new(private_key, signer).await;
+    let data = utils::WebauthnTestData::<KatanaRunner>::new(private_key, signer).await;
     let reader = data.account_reader();
 
     let public_key = reader
@@ -29,11 +29,9 @@ async fn test_set_webauthn_public_key() {
         .await
         .unwrap();
 
-    match public_key {
-        Option::Some(_) => panic!("Public key already set"),
-        Option::None => (),
-    }
+    assert!(public_key.is_none(), "Public key already set");
 
+    let target_key = data.webauthn_public_key();
     data.set_webauthn_public_key().await;
 
     let public_key = reader
@@ -43,10 +41,14 @@ async fn test_set_webauthn_public_key() {
         .await
         .unwrap();
 
-    match public_key {
-        Option::Some(_) => (),
-        Option::None => panic!("Public key not set"),
-    }
+    assert!(
+        public_key
+            == Some(WebauthnPubKey {
+                x: target_key.0.into(),
+                y: target_key.1.into(),
+            }),
+        "Public key mismatch"
+    )
 }
 
 #[tokio::test]
@@ -55,7 +57,7 @@ async fn test_verify_webauthn_explicit() {
     let origin = "localhost".to_string();
     let signer = P256r1Signer::random(origin.clone());
 
-    let data = utils::WebauthnTestData::<DevnetRunner>::new(private_key, signer).await;
+    let data = utils::WebauthnTestData::<KatanaRunner>::new(private_key, signer).await;
     data.set_webauthn_public_key().await;
     let reader = data.account_reader();
 
@@ -93,7 +95,7 @@ async fn test_verify_webauthn_execute() {
     let origin = "localhost".to_string();
     let signer = P256r1Signer::random(origin.clone());
 
-    let data = utils::WebauthnTestData::<DevnetRunner>::new(private_key, signer).await;
+    let data = utils::WebauthnTestData::<KatanaRunner>::new(private_key, signer).await;
     data.set_webauthn_public_key().await;
 
     let webauthn_executor = data.webauthn_executor().await;

crates/webauthn/auth/src/component.cairo

@@ -28,6 +28,8 @@ mod webauthn_component {
     use core::result::ResultTrait;
     use starknet::info::{TxInfo, get_tx_info, get_block_timestamp};
     use starknet::account::Call;
+    use starknet::get_caller_address;
+    use starknet::get_contract_address;
     use core::ecdsa::check_ecdsa_signature;
     use starknet::secp256r1::{Secp256r1Point, Secp256r1Impl};
     use webauthn_auth::webauthn::verify;
@@ -40,6 +42,7 @@ mod webauthn_component {
 
     mod Errors {
         const INVALID_SIGNATURE: felt252 = 'Account: invalid signature';
+        const UNAUTHORIZED: felt252 = 'Account: unauthorized';
     }
 
     #[embeddable_as(Webauthn)]
@@ -49,6 +52,8 @@ mod webauthn_component {
         fn set_webauthn_pub_key(
             ref self: ComponentState<TContractState>, public_key: WebauthnPubKey,
         ) {
+            assert_only_self();
+
             self.public_key.write(Option::Some(public_key));
         }
         fn get_webauthn_pub_key(self: @ComponentState<TContractState>,) -> Option<WebauthnPubKey> {
@@ -95,4 +100,10 @@ mod webauthn_component {
             }
         }
     }
+
+    fn assert_only_self() {
+        let caller = get_caller_address();
+        let self = get_contract_address();
+        assert(self == caller, Errors::UNAUTHORIZED);
+    }
 }