Bug 1463170 - Set AuthenticatorAssertionResponse.userHandle to null r=ttaubert r=smaug

Summary:
The WebAuthn spec says to set `AuthenticatorAssertionResponse.userHandle` to
null when the authenticator returns no user handle (e.g., when allowList is set),
but we return an empty ArrayBuffer. This is because of the defaults in
AuthenticatorAssertionResponse.h, as the field is itself unset.

We missed this change to the spec that happened in December [2], so this also
has a corresponding WebIDL update. I don't see any other instances of WebIDL
differences.

[1] https://w3c.github.io/webauthn/#ref-for-dom-authenticatorassertionresponse-userhandle%E2%91%A0
[2] w3c/webauthn@3b2a1d1

Test Plan: https://treeherder.mozilla.org/#/jobs?repo=try&revision=59a2ab255ef14e935c1aa9f457276f8e61e5d779

Reviewers: smaug, ttaubert

Bug #: 1463170

Differential Revision: https://phabricator.services.mozilla.com/D1337

--HG--
extra : amend_source : 966dcd24050585e745078648e1d7995b3beaf9ca
extra : transplant_source : h%3E%B7COQ%F3%05%A9%95%1C%5D%CD%E1XZ%06Z%8D%83

Author: jcjones

dom/webauthn/AuthenticatorAssertionResponse.cpp

@@ -99,10 +99,16 @@ void
 AuthenticatorAssertionResponse::GetUserHandle(JSContext* aCx,
                                               JS::MutableHandle<JSObject*> aRetVal)
 {
-  if (!mUserHandleCachedObj) {
-    mUserHandleCachedObj = mUserHandle.ToArrayBuffer(aCx);
+  // Per https://w3c.github.io/webauthn/#ref-for-dom-authenticatorassertionresponse-userhandle%E2%91%A0
+  // this should return null if the handle is unset.
+  if (mUserHandle.IsEmpty()) {
+    aRetVal.set(nullptr);
+  } else {
+    if (!mUserHandleCachedObj) {
+      mUserHandleCachedObj = mUserHandle.ToArrayBuffer(aCx);
+    }
+    aRetVal.set(mUserHandleCachedObj);
   }
-  aRetVal.set(mUserHandleCachedObj);
 }
 
 nsresult

dom/webauthn/tests/test_webauthn_loopback.html

@@ -116,9 +116,7 @@ <h1>Full-run test for MakeCredential/GetAssertion for W3C Web Authentication</h1
     ok(aAssertion.response.authenticatorData instanceof ArrayBuffer, "AuthenticatorAssertionResponse.AuthenticatorData is an ArrayBuffer");
     ok(aAssertion.response.signature === aAssertion.response.signature, "AuthenticatorAssertionResponse.Signature is SameObject");
     ok(aAssertion.response.signature instanceof ArrayBuffer, "AuthenticatorAssertionResponse.Signature is an ArrayBuffer");
-    ok(aAssertion.response.userHandle === aAssertion.response.userHandle, "AuthenticatorAssertionResponse.UserHandle is SameObject");
-    ok(aAssertion.response.userHandle instanceof ArrayBuffer, "AuthenticatorAssertionResponse.UserHandle is an ArrayBuffer");
-    is(aAssertion.response.userHandle.byteLength, 0, "AuthenticatorAssertionResponse.UserHandle is emtpy");
+    ok(aAssertion.response.userHandle === null, "AuthenticatorAssertionResponse.UserHandle is null for u2f authenticators");
 
     ok(aAssertion.response.authenticatorData.byteLength > 0, "Authenticator data exists");
     let clientData = JSON.parse(buffer2string(aAssertion.response.clientDataJSON));

dom/webidl/WebAuthentication.webidl

@@ -35,7 +35,7 @@ interface AuthenticatorAttestationResponse : AuthenticatorResponse {
 interface AuthenticatorAssertionResponse : AuthenticatorResponse {
     [SameObject] readonly attribute ArrayBuffer      authenticatorData;
     [SameObject] readonly attribute ArrayBuffer      signature;
-    [SameObject] readonly attribute ArrayBuffer      userHandle;
+    [SameObject] readonly attribute ArrayBuffer?     userHandle;
 };
 
 dictionary PublicKeyCredentialParameters {