mortenVChristiansen
/
k_card
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
code for 3 machines demoing how to use the chrome card.
38 Commits 2 Branches 0 Tags 1.1 MiB
Python 51.8%
Dart 34.3%
JavaScript 7.3%
Go 2.3%
Kotlin 2.1%
Other 2.2%
Go to file
Morten V. Christiansen 592af0c314 Guard against cross-server token replay in _verify_assertion_token 
_verify_assertion_token now takes expected_host and rejects any token
whose bundle["host"] does not match — closing the cross-server replay
path where a token issued for server-a could have passed on server-b.

ServerState gains protected_host (default 127.0.0.1); k_server exposes
--protected-host CLI flag so operators declare which host they protect.

New abuse tests (unit + round-trip):
  test_cross_server_replay_rejected
  test_cross_server_replay_case_insensitive
  test_roundtrip_cross_server_replay_rejected
  test_roundtrip_cross_server_replay_accepted_on_correct_server

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 		2026-05-09 23:57:28 +02:00
component3 Implement per-request FIDO2 token binding across all components 2026-05-08 12:01:23 +02:00
k_phone Switch token binding from per-request URL+method to domain-level host+nonce 2026-05-09 23:52:48 +02:00
tests Guard against cross-server token replay in _verify_assertion_token 2026-05-09 23:57:28 +02:00
.gitignore Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
CLAUDE.md Refactor k_phone (v2) and add component3 Go binary 2026-05-05 21:04:19 +02:00
PHASE5_RUNBOOK.md Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
Setup.md Fix Android Playwright tests: connectOverCDP + card reconnect 2026-05-09 21:41:36 +02:00
Workplan.md Fix Android Playwright tests: connectOverCDP + card reconnect 2026-05-09 21:41:36 +02:00
ctaphid_init_probe.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
fido2_probe.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
generate_phase2_certs.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
k_client_portal.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
k_proxy_app.py Fix Android Playwright tests: connectOverCDP + card reconnect 2026-05-09 21:41:36 +02:00
k_server_app.py Guard against cross-server token replay in _verify_assertion_token 2026-05-09 23:57:28 +02:00
package-lock.json Fix Android Playwright tests: connectOverCDP + card reconnect 2026-05-09 21:41:36 +02:00
package.json Fix Android Playwright tests: connectOverCDP + card reconnect 2026-05-09 21:41:36 +02:00
phase5_chain_regression.sh Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
phase65_concurrency_probe.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
playwright.config.js Fix Android Playwright tests: connectOverCDP + card reconnect 2026-05-09 21:41:36 +02:00
raw_ctap_probe.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
webauthn_local_demo.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00