k_card/k_phone
Morten V. Christiansen 6f08c7eed4 Add k_server assertion verification tests + clarify session login comment
tests/test_k_server.py:
  - TestVerifyAssertionToken (12 tests): unit tests using raw P-256 keys —
    valid accept, wrong path/method, tampered nonce/signature/key, cross-
    resource replay, malformed/empty token, wrong cdj type, missing field.
  - TestVerifyAssertionTokenRoundTrip (5 tests): end-to-end via CardEmulator
    — register, getAssertion with bound challenge, build bundle as k_phone
    does, verify on server.  Tests include wrong path/method and cross-user
    key swap.  Skipped automatically if fido2 is not installed.
  All 17 pass.

proxy_service.dart: add comment to _handleSessionLogin explaining why
  random challenge is correct there (user-presence proof for portal session,
  not per-request resource binding).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-08 12:16:08 +02:00
android Phase 9: add Component 1 (filter_proxy), tests, session gate, doc update 2026-05-02 20:10:54 +02:00
integration_test Phase 9: add Component 1 (filter_proxy), tests, session gate, doc update 2026-05-02 20:10:54 +02:00
lib Add k_server assertion verification tests + clarify session login comment 2026-05-08 12:16:08 +02:00
test Extend filter_proxy tests: verify /auth/get-token binding fields 2026-05-08 12:05:46 +02:00
pubspec.lock Phase 9: add Component 1 (filter_proxy), tests, session gate, doc update 2026-05-02 20:10:54 +02:00
pubspec.yaml Phase 9: add Component 1 (filter_proxy), tests, session gate, doc update 2026-05-02 20:10:54 +02:00