device-bound-session-credentials/subdomain-registration.https.html

<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/device-bound-session-credentials/helper.js" type="module"></script>

<script type="module">
  import {
    addCookieAndSessionCleanup,
    configureServer,
    documentHasCookie,
    expireCookie,
    setupShardedServerState,
    waitForCookie
  } from "/device-bound-session-credentials/helper.js";

  async function waitForRefresh(cookieAndAttributes, cookieAndValue, expectRefreshed) {
    const startTime = Date.now();
    const refreshed = await new Promise(resolve => {
      async function tryRefresh() {
        expireCookie(cookieAndAttributes);
        assert_false(documentHasCookie(cookieAndValue));
        const authResponseAfterExpiry = await fetch('verify_authenticated.py');
        if (authResponseAfterExpiry.status == 200) {
          resolve(true);
          return;
        }
        if (!expectRefreshed && Date.now() - startTime >= 1000) {
          resolve(false);
          return;
        }

        step_timeout(tryRefresh, 100);
      }

      tryRefresh();
    });

    assert_equals(refreshed, expectRefreshed);
  }

  async function runTest(t, subdomain, expectRegistration) {
    await setupShardedServerState();
    const expectedCookieAndValue = "auth_cookie=abcdef0123";
    const expectedCookieAttributes = `Domain=${location.hostname};Path=/device-bound-session-credentials`;
    const expectedCookieAndAttributes = `${expectedCookieAndValue};${expectedCookieAttributes}`;
    addCookieAndSessionCleanup(t);

    // Configure the server with the parent domain's origin + cookie
    // details instead of the subdomain's.
    await configureServer({
      "scopeOrigin": location.origin,
      "cookieDetails": [
        {
          "nameAndValue": expectedCookieAndValue,
          "attributes": expectedCookieAttributes
        }
      ]
    });

    // .well-known/device-bound-sessions hardcodes www as allowed, but not www1.
    const loginUrl = new URL("/device-bound-session-credentials/login.py", location);
    loginUrl.hostname = `${subdomain}.${location.hostname}`;

    const loginResponse = await fetch(loginUrl.toString(), {credentials: "include"});
    assert_equals(loginResponse.status, 200);
    // Wait for the cookie returned by the server providing the session config to
    // the user agent.
    await waitForCookie(expectedCookieAndValue, /*expectCookie=*/true);
    // There is still well-known fetching after that, so we can't conclude yet that
    // registration is finished and has either succeeded or failed as expected.
    // Trigger repeated refresh attempts to confirm this instead.
    await waitForRefresh(expectedCookieAndAttributes, expectedCookieAndValue, /*expectRefresh=*/expectRegistration);
  }

  promise_test(async t => {
    await runTest(t, /*subdomain=*/"www1", /*expectRegistration=*/false);
  }, "Registration fails without a .well-known");

  promise_test(async t => {
    await runTest(t, /*subdomain=*/"www", /*expectRegistration=*/true);
  }, "Registration succeeds with a .well-known");
</script>