Three new specs in tests/:
- k_phone_portal.spec.js: portal UI flow (enroll/login/status/logout/delete)
- k_phone_proxy.spec.js: 4 serial proxy-routing tests via Node http module;
  requires adb forward for emulator use
- k_phone_android.spec.js: same 4 tests with Chrome running inside the
  Android emulator via playwright.android; no port-forward needed,
  auto-skips if no ADB device found

All tests use card_emulator_bridge.py for instant FIDO2 auto-approval —
no physical card or fingerprint interaction required in emulator mode.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/test_k_server.py:
- TestVerifyAssertionToken (12 tests): unit tests using raw P-256 keys —
  valid accept, wrong path/method, tampered nonce/signature/key,
  cross-resource replay, malformed/empty token, wrong cdj type, missing field.
- TestVerifyAssertionTokenRoundTrip (5 tests): end-to-end via CardEmulator
  — register, getAssertion with bound challenge, build bundle as k_phone
  does, verify on server. Tests include wrong path/method and cross-user
  key swap. Skipped automatically if fido2 is not installed.

All 17 pass.

proxy_service.dart: add comment to _handleSessionLogin explaining why
random challenge is correct there (user-presence proof for portal session,
not per-request resource binding).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>