From ac5d260dd130712a3e2934ee6792c498136ea62d Mon Sep 17 00:00:00 2001
From: Kirill Poletaev
Date: Fri, 22 Mar 2024 14:08:40 +0300
Subject: [PATCH 1/3] Explicit check on return type from getAuthenticatorData and getPublicKey
---
 demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js | 29 ++++++++++++++++----
 1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js b/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
index 970ea5c..d8fad63 100644
--- a/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
+++ b/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
@@ -107,7 +107,9 @@ const Alerts = {
 registerSuccess: () => alert("User registered!"),
 usernameInputEmpty: () => alert("Username input is empty"),
 credentialsGetApiNull: () => alert("navigator.credentials.get returned null"),
- credentialsCreateApiNull: () => alert("navigator.credentials.create returned null")
+ credentialsCreateApiNull: () => alert("navigator.credentials.create returned null"),
+ getAuthenticatorDataInvalid: () => alert("Invalid data from getAuthenticatorData() method. Expected arraybuffer"),
+ getPublicKeyInvalid: () => alert("Invalid data from getPublicKey() method. Expected arraybuffer")
 }; // API
@@ -127,12 +129,27 @@ const API = {
 const clientExtensionResults = newCredential.getClientExtensionResults ? (newCredential.getClientExtensionResults() ?? {}) : {};
- const authenticatorData = newCredential.response.getAuthenticatorData ?
- coerceToBase64Url(newCredential.response.getAuthenticatorData()) : undefined;
+ let authenticatorData;
+ if (newCredential.response.getAuthenticatorData) {
+ const authData = newCredential.response.getAuthenticatorData();
+ const isValid = authData instanceof "arraybuffer";
+ if (!isValid){
+ Alerts.getAuthenticatorDataInvalid();
+ return;
+ }
+ authenticatorData = coerceToBase64Url(authData);
+ }
- const responsePublicKey = newCredential.response.getPublicKey ?
- newCredential.response.getPublicKey() : undefined;
- const publicKey = responsePublicKey ? coerceToBase64Url(responsePublicKey) : undefined;
+ let publicKey;
+ if (newCredential.response.getPublicKey) {
+ const responsePublicKey = newCredential.response.getPublicKey();
+ const isValid = responsePublicKey instanceof "arraybuffer";
+ if (!isValid) {
+ Alerts.getPublicKeyInvalid();
+ return;
+ }
+ publicKey = coerceToBase64Url(responsePublicKey);
+ }
 const transports = newCredential.response.getTransports ? newCredential.response.getTransports() : undefined;
From 24508adc36d7dba56f7f1c1d2afd6cd839976b41 Mon Sep 17 00:00:00 2001
From: Kirill Poletaev
Date: Fri, 22 Mar 2024 14:35:42 +0300
Subject: [PATCH 2/3] Invalid instanceof syntax usage
---
 demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js b/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
index d8fad63..121ee64 100644
--- a/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
+++ b/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
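Review bot: In the `-127,12 +129,27` hunk of patch 1/3, the new `getPublicKey()` branch rejects a `null` result and aborts registration, while the removed code (`responsePublicKey ? coerceToBase64Url(responsePublicKey) : undefined`) passed a missing key through as `undefined`. The WebAuthn IDL declares `getPublicKey()` as nullable (it returns null when the key is not available to the user agent), so a legitimate response now ends in the "Invalid data" alert. The check should let null through, e.g. `if (responsePublicKey !== null && !(responsePublicKey instanceof ArrayBuffer)) { Alerts.getPublicKeyInvalid(); return; }`, and call `coerceToBase64Url` only for a non-null value; patch 2/3 changes the operand of this line but keeps the null rejection. The enclosing function starts and ends outside the hunk, so whether its caller copes with the new bare `return;` cannot be seen here and should be confirmed. These are client-side sanity checks only; the server presumably still has to take the key and authenticator data from the attestation object rather than trust these fields.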
@@ -132,7 +132,7 @@ const API = {
 let authenticatorData;
 if (newCredential.response.getAuthenticatorData) {
 const authData = newCredential.response.getAuthenticatorData();
- const isValid = authData instanceof "arraybuffer";
+ const isValid = authData instanceof ArrayBuffer;
 if (!isValid){
 Alerts.getAuthenticatorDataInvalid();
 return;
@@ -143,7 +143,7 @@ const API = {
 let publicKey;
 if (newCredential.response.getPublicKey) {
 const responsePublicKey = newCredential.response.getPublicKey();
- const isValid = responsePublicKey instanceof "arraybuffer";
+ const isValid = responsePublicKey instanceof ArrayBuffer;
 if (!isValid) {
 Alerts.getPublicKeyInvalid();
 return;
From a9d024c6c1b7253b38cc684719c86a930b75a648 Mon Sep 17 00:00:00 2001
From: Roman Bukin
Date: Sat, 23 Mar 2024 21:12:25 +0300
Subject: [PATCH 3/3] Apply formatting
---
 demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js b/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
index 121ee64..4d2ba57 100644
--- a/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
+++ b/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
@@ -133,7 +133,7 @@ const API = {
 if (newCredential.response.getAuthenticatorData) {
 const authData = newCredential.response.getAuthenticatorData();
 const isValid = authData instanceof ArrayBuffer;
- if (!isValid) {
+ if (!isValid){
 Alerts.getAuthenticatorDataInvalid();
 return;
 }
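Review bot: In both hunks of patch 2/3 (`-132,7` and `-143,7`), `instanceof ArrayBuffer` is bound to the current realm, so a genuine ArrayBuffer created in another realm (an iframe, or possibly a script that wraps `navigator.credentials`) fails the test and registration stops with the "Invalid data" alert. If such responses are meant to be accepted, a realm-independent brand check such as `Object.prototype.toString.call(authData) === "[object ArrayBuffer]"` would do. If rejecting them is deliberate, a comment above each check should say so, e.g. `// only a same-realm ArrayBuffer is accepted; anything else aborts registration`. Separately, the string operand that this patch replaces would have thrown a TypeError on first use, which suggests the branch was never run before patch 1/3 was committed; a browser smoke test of the registration flow would catch that class of mistake.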