two_factor_auth 0.1.1

data/test/dummy/public/404.html

@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <div>
+      <h1>The page you were looking for doesn't exist.</h1>
+      <p>You may have mistyped the address or the page may have moved.</p>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/422.html

@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <div>
+      <h1>The change you wanted was rejected.</h1>
+      <p>Maybe you tried to change something you didn't have access to.</p>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/500.html

@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <div>
+      <h1>We're sorry, but something went wrong.</h1>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>

data/test/helpers/two_factor_auth/authentication_helper_test.rb

@@ -0,0 +1,54 @@
+require 'test_helper'
+
+module TwoFactorAuth
+  describe AuthenticationsHelper do
+    def current_user
+      @current_user ||= User.create! email: 'user@example.com', password: 'password'
+    end
+
+    before do
+      Registration.create!({
+        login: current_user,
+        key_handle: "key handle",
+        public_key: "public key",
+        certificate: "certificate",
+        counter: 0,
+        last_authenticated_at: Time.now,
+      })
+    end
+
+    after do
+      User.delete_all
+    end
+
+    describe "#authentication_request" do
+      def user_session
+        {}
+      end
+
+      it "creates AuthenticationRequests" do
+        authentication_request.must_be_instance_of AuthenticationRequest
+      end
+
+      it "persists the challenge in the request" do
+        ch1 = authentication_request.challenge
+        ch2 = authentication_request.challenge
+        ch1.must_equal ch2
+      end
+    end
+
+    describe "#authentication_request with pending challenge" do
+      let(:encoded_challenge) { TwoFactorAuth.websafe_base64_encode('0' * 32) }
+      def user_session
+        {
+          'pending_authentication_request_challenge' => encoded_challenge
+        }
+      end
+
+      it "uses pending challenge" do
+        authentication_request.challenge.must_equal encoded_challenge
+      end
+    end
+
+  end
+end

data/test/helpers/two_factor_auth/registrations_helper_test.rb

@@ -0,0 +1,34 @@
+require 'test_helper'
+
+module TwoFactorAuth
+  describe RegistrationsHelper do
+    describe "#registration_request" do
+      def user_session
+        {}
+      end
+
+      it "creates RegistrationRequests" do
+        registration_request.must_be_instance_of RegistrationRequest
+      end
+
+      it "persists the challenge in the request" do
+        ch1 = registration_request.challenge
+        ch2 = registration_request.challenge
+        ch1.must_equal ch2
+      end
+    end
+
+    describe "#registration_request with pending challenge" do
+      let(:encoded_challenge) { TwoFactorAuth.websafe_base64_encode('0' * 32) }
+      def user_session
+        {
+          'pending_registration_request_challenge' => encoded_challenge
+        }
+      end
+      it "uses pending challenge" do
+        registration_request.challenge.must_equal encoded_challenge
+      end
+    end
+
+  end
+end

data/test/integration/navigation_test.rb

@@ -0,0 +1,10 @@
+require 'test_helper'
+
+class NavigationTest < ActionDispatch::IntegrationTest
+  fixtures :all
+
+  # test "the truth" do
+  #   assert true
+  # end
+end
+

data/test/lib/two_factor_auth_test.rb

@@ -0,0 +1,169 @@
+require 'test_helper'
+
+describe TwoFactorAuth do
+  let(:pubkey) {  "\x049\xC6GC\xE6\xD3un;a\xD2\x04\e\x9B,vk\xEB\xDC\xB51\b\x14\x16\a\x92\x8D\xA1\xA92\xD7Z\x17\xB3D\xDF}P\xDA\x9Cg\xEB\xFD7h)N\xC4\xF2\xF1\x10\e\x8A\xC7\x88\x9AM\x17V\xEA\xBEX\x14\xAB" }
+
+  describe "U2F_VERSION" do
+    it "is the only version" do
+      TwoFactorAuth::U2F_VERSION.must_equal 'U2F_V2'
+    end
+  end
+
+  describe "setting facet_domain" do
+    it "remembers what is set" do
+      TwoFactorAuth.facet_domain = "https://www.example.net"
+      TwoFactorAuth.facet_domain.must_equal "https://www.example.net"
+    end
+
+    it "normalizes to remove trailing /" do
+      TwoFactorAuth.facet_domain = "https://www.example.net/"
+      TwoFactorAuth.facet_domain.must_equal "https://www.example.net"
+    end
+
+    # Yes, after 5 hours of debugging to solve the vague error caused by this,
+    # it deserves a redundant test.
+    it "doesn't let http domains end in a /" do
+      TwoFactorAuth.facet_domain = "http://www.example.net/"
+      TwoFactorAuth.facet_domain.must_equal "http://www.example.net"
+    end
+
+    it "raises if you try to use localhost" do
+      Proc.new {
+        TwoFactorAuth.facet_domain = "http://localhost:3000"
+      }.must_raise(TwoFactorAuth::InvalidFacetDomain)
+      Proc.new {
+        TwoFactorAuth.facet_domain = "http://localhost:3000/"
+      }.must_raise(TwoFactorAuth::InvalidFacetDomain)
+      Proc.new {
+        TwoFactorAuth.facet_domain = "http://localhost/"
+      }.must_raise(TwoFactorAuth::InvalidFacetDomain)
+    end
+
+    it "raises if you try to use something.dev" do
+      Proc.new {
+        TwoFactorAuth.facet_domain = "http://local.dev:3000"
+      }.must_raise(TwoFactorAuth::InvalidFacetDomain)
+      Proc.new {
+        TwoFactorAuth.facet_domain = "http://local.dev:3000/"
+      }.must_raise(TwoFactorAuth::InvalidFacetDomain)
+      Proc.new {
+        TwoFactorAuth.facet_domain = "http://local.dev/"
+      }.must_raise(TwoFactorAuth::InvalidFacetDomain)
+    end
+
+    it "raises if you use the default from the initializer" do
+      Proc.new {
+        TwoFactorAuth.facet_domain = "https://www.example.com"
+      }.must_raise(TwoFactorAuth::InvalidFacetDomain)
+    end
+  end
+
+  describe "setting trusted_facet_list_url" do
+    it "can be set explicitly" do
+      TwoFactorAuth.trusted_facet_list_url = "https://www.example.net/facets"
+      TwoFactorAuth.trusted_facet_list_url.must_equal "https://www.example.net/facets"
+    end
+
+    it "is based on facet_domain otherwise" do
+      # this value is persisted across tests...
+      TwoFactorAuth.trusted_facet_list_url = nil
+      TwoFactorAuth.facet_domain = "https://www.example.net"
+      TwoFactorAuth.trusted_facet_list_url.must_equal "https://www.example.net/two_factor_auth/trusted_facets"
+    end
+  end
+
+  describe "setting facets" do
+    it "can be set explicitly" do
+      TwoFactorAuth.facets = ["https://www.example.net", "https://staging.example.net"]
+      TwoFactorAuth.facets.must_equal ["https://www.example.net", "https://staging.example.net"]
+    end
+
+    it "is just the facet_domain by default" do
+      # this value is persisted across tests...
+      TwoFactorAuth.facets = nil
+      TwoFactorAuth.facet_domain = "https://www.example.net"
+      TwoFactorAuth.facets.must_equal ["https://www.example.net"]
+    end
+
+    it "is just the facet_domain if empty list" do
+      # this value is persisted across tests...
+      TwoFactorAuth.facets = []
+      TwoFactorAuth.facet_domain = "https://www.example.net"
+      TwoFactorAuth.facets.must_equal ["https://www.example.net"]
+    end
+  end
+
+  describe ".websafe_base64u_encode" do
+    it "encodes data" do
+      TwoFactorAuth.websafe_base64_encode("foo").must_equal "Zm9v"
+    end
+
+    it "does not include trailing =s" do
+      Base64.urlsafe_encode64("ab").must_equal "YWI="
+      TwoFactorAuth.websafe_base64_encode("ab").must_equal "YWI"
+    end
+  end
+  
+  describe ".websafe_base64u_decode" do
+    it "decodes data" do
+      TwoFactorAuth.websafe_base64_decode("Zm9v").must_equal "foo"
+    end
+
+    it "does not mind missing trailing =s" do
+      Base64.urlsafe_decode64("YWI=").must_equal "ab"
+      TwoFactorAuth.websafe_base64_decode("YWI").must_equal "ab"
+    end
+  end
+
+  describe "#random_encoded_challenge" do
+    it "is 32 bytes, encoded" do
+      challenge = TwoFactorAuth.random_encoded_challenge
+      decoded = TwoFactorAuth.websafe_base64_decode(challenge)
+      decoded.length.must_equal 32
+    end
+
+    it "is different every time" do
+      c1 = TwoFactorAuth.random_encoded_challenge
+      c2 = TwoFactorAuth.random_encoded_challenge
+      c1.wont_equal c2
+    end
+
+    it "raises if out of entropy" do
+      OpenSSL::Random.stub(:pseudo_bytes, Proc.new { raise OpenSSL::Random::RandomError }) do
+        Proc.new {
+          TwoFactorAuth.random_encoded_challenge
+        }.must_raise TwoFactorAuth::CantGenerateRandomNumbers
+      end
+    end
+  end
+
+  describe "#decode_pubkey" do
+    it "returns the Point" do
+      point = TwoFactorAuth.decode_pubkey pubkey
+      point.to_bn.to_i.must_equal 56657129115817956563260749049282610971311272788676140555509072492610442759820703941373942638593733546160471073247664666784884688116961061627926493680637099
+    end
+
+    it "raises if invalid" do
+      Proc.new {
+        TwoFactorAuth.decode_pubkey "invalid key"
+      }.must_raise TwoFactorAuth::InvalidPublicKey
+    end
+  end
+
+  describe "#pubkey_valid?" do
+    it "is if key is valid" do
+      b = TwoFactorAuth.pubkey_valid? pubkey
+      b.must_equal true
+    end
+
+    it "is not if key is not a valid key" do
+      b = TwoFactorAuth.pubkey_valid? "invalid key"
+      b.must_equal false
+    end
+
+    # I'd like a second test for a well-structured key that is not on the
+    # curve, but I can't see how to construct one; OpenSSL::PKey::EC::Point
+    # raises "OpenSSL::PKey::EC::Point::Error: point is not on curve" if I try
+    # to construct one.
+  end
+end

data/test/models/two_factor_auth/authentication_request_test.rb

@@ -0,0 +1,35 @@
+require 'test_helper'
+
+module TwoFactorAuth
+  describe AuthenticationRequest do
+    let(:app_id) { 'http://twofactorauth.example.com' }
+    let(:key_handle) { TwoFactorAuth.websafe_base64_decode "W9G8D38l_29TSKdejU57l4YZsTVeRUUHSuBenSHZ-J_hwL7YI1R_MN20OQETXmWy_tdVDBAnxAct8ys_R-h7cw" }
+
+    it "holds app id" do
+      ar = AuthenticationRequest.new('http://id.example.com', key_handle)
+      ar.app_id.must_equal 'http://id.example.com'
+    end
+
+    it 'holds key handle' do
+      ar = AuthenticationRequest.new('http://id.example.com', 'key handle')
+      ar.key_handle.must_equal 'key handle'
+    end
+
+    it "creates random challenges" do
+      ar1 = AuthenticationRequest.new(app_id, key_handle)
+      ar2 = AuthenticationRequest.new(app_id, key_handle)
+      ar1.challenge.wont_equal ar2.challenge
+    end
+
+    it "uses the challenge given" do
+      encoded_challenge = TwoFactorAuth.websafe_base64_encode('0' * 32)
+      ar = AuthenticationRequest.new(app_id, key_handle, encoded_challenge)
+      ar.challenge.must_equal encoded_challenge
+    end
+
+    it 'encodes the key handle when serialized' do
+      ar = AuthenticationRequest.new('http://id.example.com', 'key handle')
+      ar.serialized.must_include '"a2V5IGhhbmRsZQ"'
+    end
+  end
+end

data/test/models/two_factor_auth/authentication_response_test.rb

@@ -0,0 +1,44 @@
+require 'test_helper'
+
+module TwoFactorAuth
+  describe AuthenticationResponse do
+    #parallelize_me!
+
+    let(:app_id) { "http://local.twofactorauth.io:3000" }
+    let(:signatureData) { "AQAAAAUwRQIgaeZw29qOaQ50Wb4a7LjxV32_JR-Bru_0bPm0lIdrK1kCIQCl5_-Lssd4pzZ3tyaLIWIZEKhwZzwhceV2mHN2qzH3mw" }
+    let(:response) { AuthenticationResponse.new(encoded: signatureData) }
+
+    describe "decomposing fields" do
+      it "extracts bitfield byte" do
+        response.bitfield.must_equal 1
+      end
+
+      it "extracts counter" do
+        response.counter.must_equal 5
+      end
+
+      it "extracts signature" do
+        response.signature.must_equal "0E\x02 i\xE6p\xDB\xDA\x8Ei\x0EtY\xBE\x1A\xEC\xB8\xF1W}\xBF%\x1F\x81\xAE\xEF\xF4l\xF9\xB4\x94\x87k+Y\x02!\x00\xA5\xE7\xFF\x8B\xB2\xC7x\xA76w\xB7&\x8B!b\x19\x10\xA8pg<!q\xE5v\x98sv\xAB1\xF7\x9B".force_encoding('ASCII-8BIT')
+        response.signature.length.must_equal 71
+      end
+
+      it "starts with signatureData a known size" do
+        raw = TwoFactorAuth.websafe_base64_decode signatureData
+        raw.length.must_equal 76
+      end
+    end
+
+    describe "validation" do
+      it "is when correct" do
+        response.valid?.must_equal true
+      end
+
+      it "is not when bitfield is wrong" do
+        response.bitfield = 8
+        response.valid?.must_equal false
+        response.errors[:bitfield].wont_be_empty
+      end
+    end
+
+  end
+end

data/test/models/two_factor_auth/authentication_verifier_test.rb

@@ -0,0 +1,83 @@
+require 'test_helper'
+
+module TwoFactorAuth
+  describe AuthenticationVerifier do
+    #parallelize_me!
+
+    let(:app_id) { "http://local.fidologin.com:3000" }
+    let(:key_handle) { TwoFactorAuth.websafe_base64_decode "fNKqlc0cHr7CcAScmiwJF3qL5WP5YY9vSZR5i474rPWmg8qjTHIckZA_v2Xioj6RB6BNJqzxUVUwG6wfksKXtA" }
+    let(:challenge) { "i6M5PrWJbrwwn_25MqHJzbWVdILVCBfg1nLIiVJ_zOs" }
+    let(:request) { AuthenticationRequest.new(app_id, key_handle, challenge) }
+    let(:registration) { Registration.new({
+      key_handle: key_handle,
+      public_key: "\x049\xC6GC\xE6\xD3un;a\xD2\x04\e\x9B,vk\xEB\xDC\xB51\b\x14\x16\a\x92\x8D\xA1\xA92\xD7Z\x17\xB3D\xDF}P\xDA\x9Cg\xEB\xFD7h)N\xC4\xF2\xF1\x10\e\x8A\xC7\x88\x9AM\x17V\xEA\xBEX\x14\xAB".force_encoding('ASCII-8BIT'),
+      certificate: "0\x82\x02\x1C0\x82\x01\x06\xA0\x03\x02\x01\x02\x02\x04$\xDB\xAB@0\v\x06\t*\x86H\x86\xF7\r\x01\x01\v0.1,0*\x06\x03U\x04\x03\x13#Yubico U2F Root CA Serial 4572006310 \x17\r140801000000Z\x18\x0F20500904000000Z0+1)0'\x06\x03U\x04\x03\f Yubico U2F EE Serial 135032778880Y0\x13\x06\a*\x86H\xCE=\x02\x01\x06\b*\x86H\xCE=\x03\x01\a\x03B\x00\x04\x02\xB0\x94\xBE4}GyA\xC4w\x8E\xBE\xC5\xCAM\xED*G\x9F\xAA\x1Eo\xEC9\xAF\xEB\xDE\f p\xCB[\xD4\xBDi\xC9jx\xE3\xBF\x87Q\xFE\xB5y\e\x8D\xFA\xCA\xC2\x94\x01u\x1C\xB1W\xB9|\t\xE49\x1A6\xA3\x120\x100\x0E\x06\n+\x06\x01\x04\x01\x82\xC4\n\x01\x01\x04\x000\v\x06\t*\x86H\x86\xF7\r\x01\x01\v\x03\x82\x01\x01\x00\xA3c\xAE\x0E\x98:\xF3\v\xBA\xF1,\x8B-\xF3ZY\xBF\x1C\xBBJ\e\x0F\xCBh\xC4\x84U\x84\x90\xF6\x874Xe\xB8\xDB\x02i\xC3F\xE5S\x88L,V\a\xAF\x0E\xA2{\x90\xAC\x8C\xF1\xEFC\x1Fr\xAC\x18\x9D\xB2\x1C\x82I\x14\xBF\x17\x88\xA5Q\x1A3\xD0{L\x8E4d|\xE9\xF6\x1E\x15\x16\xA9\xA9\xB3n\x90\n@ a\xF6\x9A\xA4n\x12\xC52\xB9\x93\xF9B>\xFA\xAAL\xF9\xA3\xB6T\xB4\xDD\xDE\xF2\x92JT\x8F\xD5\x99\x95Q\r\xD4\xF7\xF4\xD9\xA4\xD5!\x93\x87<q\xC9\xB8~\x86\x85>\x9E-\xA7^\x8F\fm(0St\xD4\xEF\xDD^\x14\x96\xF8\xC39\x06\x10{\xD6\x8B\xD65\r\xAA\xD2\xC3x\x11\xEC\xA3\xCAC\xBC\x93\vs@\x97\xDE\xF6\x9Dh\x8D\x94U\fL\xFB\x18\xA9\xE2K\x86\xA2\xE5\xD8\x8FI\x98\x99\xA0\x9B\xCE[\x81\fSl\xAF9\r\xC8\xBD\xDE\x96\r\xF30\xCA\xCA\xBC\x05!\xA1\x83#\x95\x7F\xFE\xBC\xA5\x9C\xA9\v \xB1\r\t\xB5#\x1CX\xC2~\xBAg\x83".force_encoding('ASCII-8BIT'),
+      counter: 0,
+    }) }
+    let(:client_data) { ClientData.new encoded: "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiaTZNNVByV0picnd3bl8yNU1xSEp6YldWZElMVkNCZmcxbkxJaVZKX3pPcyIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbC5maWRvbG9naW4uY29tOjMwMDAiLCJjaWRfcHVia2V5IjoiIn0", correct_typ: 'navigator.id.getAssertion' }
+    let(:signatureData) { "AQAAAAcwRQIhAKCimZ21ZEsqVRLkDW2MRlDVFLFFAdCsvCPRTRCzD_brAiBDrE3KuTNanagb1UtW2YM7tUqwIS-D_MK_EWvVsA-8xQ" }
+    let(:response) { AuthenticationResponse.new(encoded: signatureData) }
+    let(:verifier) { AuthenticationVerifier.new({
+      registration: registration,
+      request: request,
+      client_data: client_data,
+      response: response,
+    }) }
+
+    describe '#application_parameter' do
+      it "is the sha256 hash of the app id" do
+        verifier.application_parameter.must_equal "Nh\xA3j\x7F\xB2\xEE\xD6D\x1F\x18\t\xF1\xAEL\t\x7F\fjo\n\x80\xDE\xAD{\x9E\x13\x04\xAE\xFD.\xD6".force_encoding('ASCII-8BIT')
+      end
+    end
+
+    describe '#challenge_parameter' do
+      it "is the sha256 hash of the base64 decoded json string" do
+        verifier.challenge_parameter.must_equal "\x92F\xAAS\t\x88Cxe\xD04E\xD7R\xCA)\x05\x1E\xAA\xCA\x18w\xC3\xBFfl\x17V1M\xC0\x95".force_encoding('ASCII-8BIT')
+      end
+    end
+
+    describe '#digest' do
+      it "combines fields to spec" do
+        verifier.digest.must_equal "\fH\xF7\x81n41uT6kr\x7F$(\x06A\xF0\xE4\x96\xD6\x12\xB1U\x90\xA2\xB7\a\xBE]\xDF\xFA".force_encoding('ASCII-8BIT')
+      end
+    end
+
+  #  describe '#signature_verified?' do
+  #    it "is if the user's public key signed the digest to produce the signature" do
+  #      verifier.signature_verified?(registration).must_equal true
+  #    end
+  #
+  #    it "is not otherwise" do
+  #      request = AuthenticationRequest.new "http://different.app.id", key_handle, challenge
+  #      verifier = AuthenticationVerifier.new(request, clientData, response)
+  #      verifier.signature_verified?(registration).must_equal false
+  #    end
+  #  end
+
+    describe "validations" do
+      it "is valid if everything is right" do
+        verifier.valid?.must_equal true
+      end
+
+      it "is not if challenge doesn't match" do
+        verifier.client_data.challenge = "different challenge"
+        verifier.valid?.must_equal false
+        verifier.errors.full_messages.join(' ').must_include 'challenge'
+      end
+
+      it "is not if origin doesn't match" do
+        verifier.client_data.origin = "http://different.origin"
+        verifier.valid?.must_equal false
+        verifier.errors.full_messages.join(' ').must_include 'origin'
+      end
+
+      it "is not if counter doesn't advance" do
+        verifier.registration.counter = 1
+        verifier.response.counter = 1
+        verifier.valid?.must_equal false
+        verifier.errors.full_messages.join(' ').must_include 'counter'
+      end
+    end
+
+  end
+end