refactor(webauthn): improve error handling and reduce code duplication

- Add getCDPSession() helper to centralize CDP session access
- Add handleWebAuthnError() for user-friendly error messages
- Wrap all CDP calls in try/catch blocks
- Add specific error handling for addCredential (userHandle, privateKey)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: ed-lepedus-thenvoi

src/tools/webauthn.ts

@@ -8,8 +8,37 @@ import type {CDPSession} from '../third_party/index.js';
 import {zod} from '../third_party/index.js';
 
 import {ToolCategory} from './categories.js';
+import type {Context} from './ToolDefinition.js';
 import {defineTool} from './ToolDefinition.js';
 
+/**
+ * Gets the CDP session from the current page context.
+ */
+function getCDPSession(context: Context): CDPSession {
+  const page = context.getSelectedPage();
+  // @ts-expect-error _client is internal Puppeteer API
+  return page._client() as CDPSession;
+}
+
+/**
+ * Wraps CDP errors with more helpful messages.
+ */
+function handleWebAuthnError(error: unknown): never {
+  const message = error instanceof Error ? error.message : String(error);
+
+  if (message.includes('not been enabled')) {
+    throw new Error(
+      'WebAuthn virtual authenticator environment not enabled. Call webauthn_enable first.',
+    );
+  }
+  if (message.includes('authenticator')) {
+    throw new Error(
+      `Invalid or unknown authenticator ID. Use webauthn_add_authenticator to create one. Original error: ${message}`,
+    );
+  }
+  throw error;
+}
+
 export const enableWebAuthn = defineTool({
   name: 'webauthn_enable',
   description:
@@ -20,9 +49,7 @@ export const enableWebAuthn = defineTool({
   },
   schema: {},
   handler: async (_request, response, context) => {
-    const page = context.getSelectedPage();
-    // @ts-expect-error _client is internal Puppeteer API
-    const session = page._client() as CDPSession;
+    const session = getCDPSession(context);
     await session.send('WebAuthn.enable');
     response.appendResponseLine(
       'WebAuthn virtual authenticator environment enabled.',
@@ -58,10 +85,7 @@ export const addVirtualAuthenticator = defineTool({
       .describe('Whether user verification is currently enabled/verified.'),
   },
   handler: async (request, response, context) => {
-    const page = context.getSelectedPage();
-    // @ts-expect-error _client is internal Puppeteer API
-    const session = page._client() as CDPSession;
-
+    const session = getCDPSession(context);
     const {
       protocol,
       transport,
@@ -70,19 +94,22 @@ export const addVirtualAuthenticator = defineTool({
       isUserVerified,
     } = request.params;
 
-    const result = await session.send('WebAuthn.addVirtualAuthenticator', {
-      options: {
-        protocol,
-        transport,
-        hasResidentKey: hasResidentKey ?? false,
-        hasUserVerification: hasUserVerification ?? false,
-        isUserVerified: isUserVerified ?? false,
-      },
-    });
-
-    response.appendResponseLine(
-      `Added virtual authenticator (authenticatorId: ${result.authenticatorId})`,
-    );
+    try {
+      const result = await session.send('WebAuthn.addVirtualAuthenticator', {
+        options: {
+          protocol,
+          transport,
+          hasResidentKey: hasResidentKey ?? false,
+          hasUserVerification: hasUserVerification ?? false,
+          isUserVerified: isUserVerified ?? false,
+        },
+      });
+      response.appendResponseLine(
+        `Added virtual authenticator (authenticatorId: ${result.authenticatorId})`,
+      );
+    } catch (error) {
+      handleWebAuthnError(error);
+    }
   },
 });
 
@@ -99,17 +126,17 @@ export const removeVirtualAuthenticator = defineTool({
       .describe('The ID of the authenticator to remove.'),
   },
   handler: async (request, response, context) => {
-    const page = context.getSelectedPage();
-    // @ts-expect-error _client is internal Puppeteer API
-    const session = page._client() as CDPSession;
-
-    await session.send('WebAuthn.removeVirtualAuthenticator', {
-      authenticatorId: request.params.authenticatorId,
-    });
-
-    response.appendResponseLine(
-      `Removed virtual authenticator (authenticatorId: ${request.params.authenticatorId})`,
-    );
+    const session = getCDPSession(context);
+    try {
+      await session.send('WebAuthn.removeVirtualAuthenticator', {
+        authenticatorId: request.params.authenticatorId,
+      });
+      response.appendResponseLine(
+        `Removed virtual authenticator (authenticatorId: ${request.params.authenticatorId})`,
+      );
+    } catch (error) {
+      handleWebAuthnError(error);
+    }
   },
 });
 
@@ -126,25 +153,26 @@ export const getCredentials = defineTool({
       .describe('The ID of the authenticator to get credentials from.'),
   },
   handler: async (request, response, context) => {
-    const page = context.getSelectedPage();
-    // @ts-expect-error _client is internal Puppeteer API
-    const session = page._client() as CDPSession;
+    const session = getCDPSession(context);
+    try {
+      const result = await session.send('WebAuthn.getCredentials', {
+        authenticatorId: request.params.authenticatorId,
+      });
 
-    const result = await session.send('WebAuthn.getCredentials', {
-      authenticatorId: request.params.authenticatorId,
-    });
-
-    if (result.credentials.length === 0) {
-      response.appendResponseLine('No credentials registered.');
-    } else {
-      response.appendResponseLine(
-        `Found ${result.credentials.length} credential(s):`,
-      );
-      for (const cred of result.credentials) {
+      if (result.credentials.length === 0) {
+        response.appendResponseLine('No credentials registered.');
+      } else {
         response.appendResponseLine(
-          `- credentialId: ${cred.credentialId}, rpId: ${cred.rpId}, signCount: ${cred.signCount}`,
+          `Found ${result.credentials.length} credential(s):`,
         );
+        for (const cred of result.credentials) {
+          response.appendResponseLine(
+            `- credentialId: ${cred.credentialId}, rpId: ${cred.rpId}, signCount: ${cred.signCount}`,
+          );
+        }
       }
+    } catch (error) {
+      handleWebAuthnError(error);
     }
   },
 });
@@ -175,10 +203,7 @@ export const addCredential = defineTool({
     signCount: zod.number().int().optional().describe('The signature counter.'),
   },
   handler: async (request, response, context) => {
-    const page = context.getSelectedPage();
-    // @ts-expect-error _client is internal Puppeteer API
-    const session = page._client() as CDPSession;
-
+    const session = getCDPSession(context);
     const {
       authenticatorId,
       credentialId,
@@ -189,21 +214,35 @@ export const addCredential = defineTool({
       signCount,
     } = request.params;
 
-    await session.send('WebAuthn.addCredential', {
-      authenticatorId,
-      credential: {
-        credentialId,
-        isResidentCredential,
-        rpId,
-        privateKey,
-        userHandle,
-        signCount: signCount ?? 0,
-      },
-    });
-
-    response.appendResponseLine(
-      `Added credential (credentialId: ${credentialId}) to authenticator ${authenticatorId}`,
-    );
+    try {
+      await session.send('WebAuthn.addCredential', {
+        authenticatorId,
+        credential: {
+          credentialId,
+          isResidentCredential,
+          rpId,
+          privateKey,
+          userHandle,
+          signCount: signCount ?? 0,
+        },
+      });
+      response.appendResponseLine(
+        `Added credential (credentialId: ${credentialId}) to authenticator ${authenticatorId}`,
+      );
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (message.includes('User Handle is required')) {
+        throw new Error(
+          'Resident credentials require a userHandle. Provide userHandle parameter.',
+        );
+      }
+      if (message.includes('error occurred trying to create')) {
+        throw new Error(
+          'Failed to create credential. Ensure privateKey is a valid PKCS#8 EC P-256 key (base64 encoded).',
+        );
+      }
+      handleWebAuthnError(error);
+    }
   },
 });
 
@@ -220,17 +259,17 @@ export const clearCredentials = defineTool({
       .describe('The ID of the authenticator to clear credentials from.'),
   },
   handler: async (request, response, context) => {
-    const page = context.getSelectedPage();
-    // @ts-expect-error _client is internal Puppeteer API
-    const session = page._client() as CDPSession;
-
-    await session.send('WebAuthn.clearCredentials', {
-      authenticatorId: request.params.authenticatorId,
-    });
-
-    response.appendResponseLine(
-      `Cleared all credentials from authenticator ${request.params.authenticatorId}`,
-    );
+    const session = getCDPSession(context);
+    try {
+      await session.send('WebAuthn.clearCredentials', {
+        authenticatorId: request.params.authenticatorId,
+      });
+      response.appendResponseLine(
+        `Cleared all credentials from authenticator ${request.params.authenticatorId}`,
+      );
+    } catch (error) {
+      handleWebAuthnError(error);
+    }
   },
 });
 
@@ -249,17 +288,17 @@ export const setUserVerified = defineTool({
       .describe('Whether user verification should succeed.'),
   },
   handler: async (request, response, context) => {
-    const page = context.getSelectedPage();
-    // @ts-expect-error _client is internal Puppeteer API
-    const session = page._client() as CDPSession;
-
-    await session.send('WebAuthn.setUserVerified', {
-      authenticatorId: request.params.authenticatorId,
-      isUserVerified: request.params.isUserVerified,
-    });
-
-    response.appendResponseLine(
-      `Set user verification to ${request.params.isUserVerified} for authenticator ${request.params.authenticatorId}`,
-    );
+    const session = getCDPSession(context);
+    try {
+      await session.send('WebAuthn.setUserVerified', {
+        authenticatorId: request.params.authenticatorId,
+        isUserVerified: request.params.isUserVerified,
+      });
+      response.appendResponseLine(
+        `Set user verification to ${request.params.isUserVerified} for authenticator ${request.params.authenticatorId}`,
+      );
+    } catch (error) {
+      handleWebAuthnError(error);
+    }
   },
 });