feat(webauthn): add remaining WebAuthn tools (Phase 2)

ed-lepedus-thenvoi · claude · ed-lepedus-thenvoi · commit d5f5a0dff5dc · 2026-01-24T09:26:13.000Z
Added tools:
- webauthn_remove_authenticator: Remove a virtual authenticator
- webauthn_get_credentials: List credentials on an authenticator
- webauthn_add_credential: Add a pre-seeded credential
- webauthn_clear_credentials: Clear all credentials
- webauthn_set_user_verified: Toggle user verification state

All tools follow the established pattern using CDP WebAuthn domain.
Tests verify each tool works correctly (except add_credential which
requires complex key generation - verified schema only).

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/src/tools/webauthn.ts b/src/tools/webauthn.ts
@@ -85,3 +85,181 @@ export const addVirtualAuthenticator = defineTool({
     );
   },
 });
+
+export const removeVirtualAuthenticator = defineTool({
+  name: 'webauthn_remove_authenticator',
+  description: 'Remove a virtual WebAuthn authenticator.',
+  annotations: {
+    category: ToolCategory.EMULATION,
+    readOnlyHint: false,
+  },
+  schema: {
+    authenticatorId: zod
+      .string()
+      .describe('The ID of the authenticator to remove.'),
+  },
+  handler: async (request, response, context) => {
+    const page = context.getSelectedPage();
+    // @ts-expect-error _client is internal Puppeteer API
+    const session = page._client() as CDPSession;
+
+    await session.send('WebAuthn.removeVirtualAuthenticator', {
+      authenticatorId: request.params.authenticatorId,
+    });
+
+    response.appendResponseLine(
+      `Removed virtual authenticator (authenticatorId: ${request.params.authenticatorId})`,
+    );
+  },
+});
+
+export const getCredentials = defineTool({
+  name: 'webauthn_get_credentials',
+  description: 'Get all credentials registered with a virtual authenticator.',
+  annotations: {
+    category: ToolCategory.EMULATION,
+    readOnlyHint: true,
+  },
+  schema: {
+    authenticatorId: zod
+      .string()
+      .describe('The ID of the authenticator to get credentials from.'),
+  },
+  handler: async (request, response, context) => {
+    const page = context.getSelectedPage();
+    // @ts-expect-error _client is internal Puppeteer API
+    const session = page._client() as CDPSession;
+
+    const result = await session.send('WebAuthn.getCredentials', {
+      authenticatorId: request.params.authenticatorId,
+    });
+
+    if (result.credentials.length === 0) {
+      response.appendResponseLine('No credentials registered.');
+    } else {
+      response.appendResponseLine(
+        `Found ${result.credentials.length} credential(s):`,
+      );
+      for (const cred of result.credentials) {
+        response.appendResponseLine(
+          `- credentialId: ${cred.credentialId}, rpId: ${cred.rpId}, signCount: ${cred.signCount}`,
+        );
+      }
+    }
+  },
+});
+
+export const addCredential = defineTool({
+  name: 'webauthn_add_credential',
+  description: 'Add a credential to a virtual authenticator.',
+  annotations: {
+    category: ToolCategory.EMULATION,
+    readOnlyHint: false,
+  },
+  schema: {
+    authenticatorId: zod
+      .string()
+      .describe('The ID of the authenticator to add the credential to.'),
+    credentialId: zod.string().describe('The credential ID (base64 encoded).'),
+    isResidentCredential: zod
+      .boolean()
+      .describe('Whether this is a resident (discoverable) credential.'),
+    rpId: zod.string().describe('The relying party ID.'),
+    privateKey: zod
+      .string()
+      .describe('The private key in PKCS#8 format (base64 encoded).'),
+    userHandle: zod
+      .string()
+      .optional()
+      .describe('The user handle (base64 encoded).'),
+    signCount: zod.number().int().optional().describe('The signature counter.'),
+  },
+  handler: async (request, response, context) => {
+    const page = context.getSelectedPage();
+    // @ts-expect-error _client is internal Puppeteer API
+    const session = page._client() as CDPSession;
+
+    const {
+      authenticatorId,
+      credentialId,
+      isResidentCredential,
+      rpId,
+      privateKey,
+      userHandle,
+      signCount,
+    } = request.params;
+
+    await session.send('WebAuthn.addCredential', {
+      authenticatorId,
+      credential: {
+        credentialId,
+        isResidentCredential,
+        rpId,
+        privateKey,
+        userHandle,
+        signCount: signCount ?? 0,
+      },
+    });
+
+    response.appendResponseLine(
+      `Added credential (credentialId: ${credentialId}) to authenticator ${authenticatorId}`,
+    );
+  },
+});
+
+export const clearCredentials = defineTool({
+  name: 'webauthn_clear_credentials',
+  description: 'Clear all credentials from a virtual authenticator.',
+  annotations: {
+    category: ToolCategory.EMULATION,
+    readOnlyHint: false,
+  },
+  schema: {
+    authenticatorId: zod
+      .string()
+      .describe('The ID of the authenticator to clear credentials from.'),
+  },
+  handler: async (request, response, context) => {
+    const page = context.getSelectedPage();
+    // @ts-expect-error _client is internal Puppeteer API
+    const session = page._client() as CDPSession;
+
+    await session.send('WebAuthn.clearCredentials', {
+      authenticatorId: request.params.authenticatorId,
+    });
+
+    response.appendResponseLine(
+      `Cleared all credentials from authenticator ${request.params.authenticatorId}`,
+    );
+  },
+});
+
+export const setUserVerified = defineTool({
+  name: 'webauthn_set_user_verified',
+  description:
+    'Set whether user verification succeeds or fails for a virtual authenticator.',
+  annotations: {
+    category: ToolCategory.EMULATION,
+    readOnlyHint: false,
+  },
+  schema: {
+    authenticatorId: zod.string().describe('The ID of the authenticator.'),
+    isUserVerified: zod
+      .boolean()
+      .describe('Whether user verification should succeed.'),
+  },
+  handler: async (request, response, context) => {
+    const page = context.getSelectedPage();
+    // @ts-expect-error _client is internal Puppeteer API
+    const session = page._client() as CDPSession;
+
+    await session.send('WebAuthn.setUserVerified', {
+      authenticatorId: request.params.authenticatorId,
+      isUserVerified: request.params.isUserVerified,
+    });
+
+    response.appendResponseLine(
+      `Set user verification to ${request.params.isUserVerified} for authenticator ${request.params.authenticatorId}`,
+    );
+  },
+});
diff --git a/tests/tools/webauthn.test.ts b/tests/tools/webauthn.test.ts
@@ -8,8 +8,13 @@ import assert from 'node:assert';
 import {describe, it} from 'node:test';
 
 import {
+  addCredential,
   addVirtualAuthenticator,
+  clearCredentials,
   enableWebAuthn,
+  getCredentials,
+  removeVirtualAuthenticator,
+  setUserVerified,
 } from '../../src/tools/webauthn.js';
 import {withMcpContext} from '../utils.js';
 
@@ -70,4 +75,149 @@ describe('webauthn', () => {
       });
     });
   });
+
+  describe('webauthn_remove_authenticator', () => {
+    it('removes a virtual authenticator', async () => {
+      await withMcpContext(async (response, context) => {
+        // Enable and add authenticator
+        await enableWebAuthn.handler({params: {}}, response, context);
+
+        const page = context.getSelectedPage();
+        // @ts-expect-error _client is internal Puppeteer API
+        const session = page._client();
+        const {authenticatorId} = await session.send(
+          'WebAuthn.addVirtualAuthenticator',
+          {
+            options: {
+              protocol: 'ctap2',
+              transport: 'internal',
+            },
+          },
+        );
+
+        // Remove via tool
+        await removeVirtualAuthenticator.handler(
+          {params: {authenticatorId}},
+          response,
+          context,
+        );
+
+        // Verify it was removed by trying to use it (should fail)
+        await assert.rejects(async () => {
+          await session.send('WebAuthn.getCredentials', {authenticatorId});
+        }, /authenticator/i);
+      });
+    });
+  });
+
+  describe('webauthn_get_credentials', () => {
+    it('returns credentials from an authenticator', async () => {
+      await withMcpContext(async (response, context) => {
+        await enableWebAuthn.handler({params: {}}, response, context);
+
+        const page = context.getSelectedPage();
+        // @ts-expect-error _client is internal Puppeteer API
+        const session = page._client();
+        const {authenticatorId} = await session.send(
+          'WebAuthn.addVirtualAuthenticator',
+          {
+            options: {
+              protocol: 'ctap2',
+              transport: 'internal',
+              hasResidentKey: true,
+            },
+          },
+        );
+
+        await getCredentials.handler(
+          {params: {authenticatorId}},
+          response,
+          context,
+        );
+
+        const hasNoCredentials = response.responseLines.some(line =>
+          line.includes('No credentials'),
+        );
+        assert.ok(hasNoCredentials, 'Should indicate no credentials initially');
+      });
+    });
+  });
+
+  describe('webauthn_clear_credentials', () => {
+    it('clears credentials from an authenticator', async () => {
+      await withMcpContext(async (response, context) => {
+        await enableWebAuthn.handler({params: {}}, response, context);
+
+        const page = context.getSelectedPage();
+        // @ts-expect-error _client is internal Puppeteer API
+        const session = page._client();
+        const {authenticatorId} = await session.send(
+          'WebAuthn.addVirtualAuthenticator',
+          {
+            options: {
+              protocol: 'ctap2',
+              transport: 'internal',
+            },
+          },
+        );
+
+        await clearCredentials.handler(
+          {params: {authenticatorId}},
+          response,
+          context,
+        );
+
+        const hasCleared = response.responseLines.some(line =>
+          line.includes('Cleared all credentials'),
+        );
+        assert.ok(hasCleared, 'Should confirm credentials cleared');
+      });
+    });
+  });
+
+  describe('webauthn_set_user_verified', () => {
+    it('sets user verification state', async () => {
+      await withMcpContext(async (response, context) => {
+        await enableWebAuthn.handler({params: {}}, response, context);
+
+        const page = context.getSelectedPage();
+        // @ts-expect-error _client is internal Puppeteer API
+        const session = page._client();
+        const {authenticatorId} = await session.send(
+          'WebAuthn.addVirtualAuthenticator',
+          {
+            options: {
+              protocol: 'ctap2',
+              transport: 'internal',
+              hasUserVerification: true,
+              isUserVerified: true,
+            },
+          },
+        );
+
+        await setUserVerified.handler(
+          {params: {authenticatorId, isUserVerified: false}},
+          response,
+          context,
+        );
+
+        const hasSet = response.responseLines.some(line =>
+          line.includes('Set user verification to false'),
+        );
+        assert.ok(hasSet, 'Should confirm user verification set');
+      });
+    });
+  });
+
+  describe('webauthn_add_credential', () => {
+    it('is defined with correct schema', async () => {
+      // Verify the tool exists and has the expected schema
+      assert.strictEqual(addCredential.name, 'webauthn_add_credential');
+      assert.ok(addCredential.schema.authenticatorId);
+      assert.ok(addCredential.schema.credentialId);
+      assert.ok(addCredential.schema.isResidentCredential);
+      assert.ok(addCredential.schema.rpId);
+      assert.ok(addCredential.schema.privateKey);
+    });
+  });
 });
