webauthn 2.1.0 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78367d9a528b780d4e53a29667fe47cf95d03698c976714fc7d71d46b253f4fa
-  data.tar.gz: ab4e9b0ef6a0bfcb9bd2c33d8220e0f3241f2ba949c57053d52968b6e34a5a61
+  metadata.gz: 325d58807c73a2887233d3b68091bea56edcb9be7fb21f57067d1f974006d876
+  data.tar.gz: 24a7b26717f6ab10286f14410db64909a21a4e43cea30b1b168f32caa80412c6
 SHA512:
-  metadata.gz: f9a3514276b45c34c5509e7d55a6238d8a705ab19534a5ca3a802be4a00f42784b81c3dbc02f3c991918bb61da55b6f20c268a0573b8099224d9467d13932a60
-  data.tar.gz: e337a703e30a984b881d589f5c31a653e312a9ae4395cf2c411408e0f162871622c7f3d212412ea01de4db121a1ddf2431000ae55968358062f513b5feef812c
+  metadata.gz: f12ef1fad4fcf414b7081f9b89a4db5536d301b2c015449a3d2d631ea09a2a087cb6c02f3699f61528f9e9b61d3bf039c37bf0b0885991a7d7e26ac3dadd452a
+  data.tar.gz: f6464aaa94ddeec4ddefecb6b94b5fa310ada53d67bd1bf9b146c942dbd29e637790c6ae081d3d4cc81aed12be4a9073f056e2770ab2b846278d07923d67f6bf

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/build.yml

@@ -0,0 +1,50 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: build
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  test:
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - '3.4'
+          - '3.3'
+          - '3.2'
+          - '3.1'
+          - '3.0'
+          - '2.7'
+          - '2.6'
+          - '2.5'
+          - truffleruby
+    steps:
+    - uses: actions/checkout@v4
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - run: bundle exec rspec
+      env:
+        RUBYOPT: ${{ startsWith(matrix.ruby, '3.4') && '--enable=frozen-string-literal' || '' }}
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3'
+          bundler-cache: true
+      - run: bundle exec rubocop -f github

data/.github/workflows/git.yml

@@ -0,0 +1,21 @@
+# Syntax reference:
+# https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions
+name: Git Checks
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  # Fixup commits are OK in pull requests, but should generally be squashed
+  # before merging to master, e.g. using `git rebase -i --autosquash master`.
+  # See https://github.com/marketplace/actions/block-autosquash-commits
+  block-fixup:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Block autosquash commits
+        uses: xt0rted/block-autosquash-commits-action@v2
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

data/.rubocop.yml

@@ -1,12 +1,18 @@
+require:
+  - rubocop-rspec
+  - rubocop-rake
+
 inherit_mode:
   merge:
     - AllowedNames
 
 AllCops:
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 2.5
   DisabledByDefault: true
+  NewCops: disable
   Exclude:
     - "gemfiles/**/*"
+    - "vendor/**/*"
 
 Bundler:
   Enabled: true
@@ -17,18 +23,123 @@ Gemspec:
 Layout:
   Enabled: true
 
-Lint:
+Layout/ClassStructure:
+  Enabled: true
+
+Layout/EmptyLineBetweenDefs:
+  AllowAdjacentOneLineDefs: true
+
+Layout/EmptyLinesAroundAttributeAccessor:
   Enabled: true
 
-Metrics/LineLength:
+Layout/FirstMethodArgumentLineBreak:
+  Enabled: true
+
+Layout/LineLength:
   Max: 120
   Exclude:
     - spec/support/seeds.rb
 
+Layout/MultilineAssignmentLayout:
+  Enabled: true
+
+Layout/MultilineMethodArgumentLineBreaks:
+  Enabled: true
+
+Layout/SpaceAroundMethodCallOperator:
+  Enabled: true
+
+Lint:
+  Enabled: true
+
+Lint/DeprecatedOpenSSLConstant:
+  Enabled: true
+
+Lint/MixedRegexpCaptureTypes:
+  Enabled: true
+
+Lint/RaiseException:
+  Enabled: true
+
+Lint/StructNewOverride:
+  Enabled: true
+
+Lint/BinaryOperatorWithIdenticalOperands:
+  Enabled: true
+
+Lint/DuplicateElsifCondition:
+  Enabled: true
+
+Lint/DuplicateRescueException:
+  Enabled: true
+
+Lint/EmptyConditionalBody:
+  Enabled: true
+
+Lint/FloatComparison:
+  Enabled: true
+
+Lint/MissingSuper:
+  Enabled: true
+
+Lint/OutOfRangeRegexpRef:
+  Enabled: true
+
+Lint/SelfAssignment:
+  Enabled: true
+
+Lint/TopLevelReturnWithArgument:
+  Enabled: true
+
+Lint/UnreachableLoop:
+  Enabled: true
+
 Naming:
   Enabled: true
 
-Naming/UncommunicativeMethodParamName:
+Naming/VariableNumber:
+  Enabled: false
+
+RSpec/Be:
+  Enabled: true
+
+RSpec/BeforeAfterAll:
+  Enabled: true
+
+RSpec/EmptyExampleGroup:
+  Enabled: true
+
+RSpec/EmptyLineAfterExample:
+  Enabled: true
+
+RSpec/EmptyLineAfterExampleGroup:
+  Enabled: true
+
+RSpec/EmptyLineAfterFinalLet:
+  Enabled: true
+
+RSpec/EmptyLineAfterHook:
+  Enabled: true
+
+RSpec/EmptyLineAfterSubject:
+  Enabled: true
+
+RSpec/HookArgument:
+  Enabled: true
+
+RSpec/LeadingSubject:
+  Enabled: true
+
+RSpec/NamedSubject:
+  Enabled: true
+
+RSpec/ScatteredLet:
+  Enabled: true
+
+RSpec/ScatteredSetup:
+  Enabled: true
+
+Naming/MethodParameterName:
   AllowedNames:
     - rp
 
@@ -38,9 +149,6 @@ Security:
 Style/BlockComments:
   Enabled: true
 
-Style/BracesAroundHashParameters:
-  Enabled: true
-
 Style/CaseEquality:
   Enabled: true
 
@@ -146,9 +254,15 @@ Style/RedundantException:
 Style/RedundantFreeze:
   Enabled: true
 
+Style/RedundantInterpolation:
+  Enabled: true
+
 Style/RedundantParentheses:
   Enabled: true
 
+Style/RedundantPercentQ:
+  Enabled: true
+
 Style/RedundantReturn:
   Enabled: true
 
@@ -182,12 +296,6 @@ Style/TrailingMethodEndStatement:
 Style/TrivialAccessors:
   Enabled: true
 
-Style/UnneededInterpolation:
-  Enabled: true
-
-Style/UnneededPercentQ:
-  Enabled: true
-
 Style/UnpackFirst:
   Enabled: true
 

data/CHANGELOG.md

@@ -1,5 +1,149 @@
 # Changelog
 
+## [v3.4.0] - 2025-02-17
+
+- Added support for Webauthn.config and RelayingParty to accept multiple allowed_origins. [#431](https://github.com/cedarcode/webauthn-ruby/pull/431)[@obroshnij]
+
+## [v3.3.0] - 2025-02-06
+
+### Added
+
+- Updated `tpm-key_attestation` dependency from `~> 0.12.0` to `~> 0.14.0`. [#449](https://github.com/cedarcode/webauthn-ruby/pull/449) [@brauliomartinezlm], [@nicolastemciuc]
+
+## [v3.2.2] - 2024-11-14
+
+### Fixed
+
+- Fix `PublicKeyCredential::Options#.as_json` not camelCase'ing keys of attributes with hash or arrays as values. [#445](https://github.com/cedarcode/webauthn-ruby/pull/445) [@santiagorodriguez96]
+
+## [v3.2.1] - 2024-11-14
+
+### Fixed
+
+- Fix JSON Serializer generating json with attributes with a null value. [#442](https://github.com/cedarcode/webauthn-ruby/pull/442) @santiagorodriguez96
+
+## [v3.2.0] - 2024-11-13
+
+### Added
+
+- Added `AuthenticatorAttestationResponse#transports` for accessing the response's `transports` value. [#421](https://github.com/cedarcode/webauthn-ruby/pull/421) [@santiagorodriguez96]
+- `WebAuthn::AuthenticatorAssertionResponse#verify` and `WebAuthn::AuthenticatorAttestationResponse#verify`,
+  as well as `RelyingParty#verify_registration` and `RelyingParty#verify_authentication` now accept a `user_presence`
+  keyword arg in order to be able to skip the user presence check for specific attestation and assertion verifications.
+  By default, user presence will be checked unless `silent_authentication` is enabled for the Relying Party (as it was before).
+  [#432](https://github.com/cedarcode/webauthn-ruby/pull/432), [#434](https://github.com/cedarcode/webauthn-ruby/pull/434), [#435](https://github.com/cedarcode/webauthn-ruby/pull/435) ([@nov](https://github.com/nov), [@santiagorodriguez96])
+- `WebAuthn::FakeClient#create` and `WebAuthn::FakeAuthenticator#make_credential` now support a `credential_algorithm` and
+  `algorithm` param (respectively) for choosing the algorithm to use for creating the credential.
+  Supported values are: 'ES256', 'RSA256' and 'EdDSA'. [#400](https://github.com/cedarcode/webauthn-ruby/pull/400), [#437](https://github.com/cedarcode/webauthn-ruby/pull/437) [@santiagorodriguez96]
+- Remove `awrence` dependency. [#436](https://github.com/cedarcode/webauthn-ruby/pull/436) [@npezza](https://github.com/npezza93)
+- Run tests with Ruby 3.3. [#416](https://github.com/cedarcode/webauthn-ruby/pull/416) [@santiagorodriguez96]
+- Run tests with Ruby 3.4.0-preview2. [#436](https://github.com/cedarcode/webauthn-ruby/pull/436) [@npezza](https://github.com/npezza93)
+
+### Changed
+
+- Remove unused class `AttestationTrustworthinessVerificationError`. [#412](https://github.com/cedarcode/webauthn-ruby/pull/412) [@soartec-lab]
+
+## [v3.1.0] - 2023-12-26
+
+### Added
+
+- Add support for optional `authenticator_attachment` in `PublicKeyCredential`. #370 [@8ma10s]
+
+### Fixed
+
+- Fix circular require warning between `webauthn/relying_party` and `webauthn/credential`. #389 [@bdewater]
+- Correctly verify attestation that contains just a batch certificate that is present in the attestation root certificates. #406 [@santiagorodriguez96]
+
+### Changed
+
+- Inlined `base64` implementation. #402 [@olleolleolle]
+- Raise a more descriptive error if input `challenge` is `nil` when verifying the `PublicKeyCredential`. #413 [@soartec-lab]
+
+## [v3.0.0] - 2023-02-15
+
+### Added
+
+- Add the capability of handling appid extension #319 [@santiagorodriguez96]
+- Add support for credential backup flags #378 [@santiagorodriguez96]
+- Update dependencies to make gem compatible with OpenSSL 3.1 ([@bdewater],[@santiagorodriguez96])
+
+## [v3.0.0.alpha2] - 2022-09-12
+
+### Added
+
+- Rebased support for multiple relying parties from v3.0.0.alpha1 on top of v2.5.2, the previous alpha version was based on v2.3.0 ([@bdewater])
+
+### BREAKING CHANGES
+
+- Bumped minimum required Ruby version to 2.5 ([@bdewater])
+
+## [v3.0.0.alpha1] - 2020-06-27
+
+### Added
+
+- Ability to define multiple relying parties with the introduction of the `WebAuthn::RelyingParty` class ([@padulafacundo], [@brauliomartinezlm])
+
+## [v2.5.2] - 2022-07-13
+
+### Added
+
+- Updated dependencies to make the gem compatible with openssl-3 [@ClearlyClaire]
+
+## [v2.5.1] - 2022-03-20
+
+### Added
+
+- Updated openssl support to be ~>2.2 [@bdewater]
+
+### Removed
+
+- Removed dependency [secure_compare dependency] (https://rubygems.org/gems/secure_compare/versions/0.0.1) and use OpenSSL#secure_compare instead [@bdewater]
+
+## [v2.5.0] - 2021-03-14
+
+### Added
+
+- Support 'apple' attestation statement format ([#343](https://github.com/cedarcode/webauthn-ruby/pull/343) / [@juanarias93], [@santiagorodriguez96])
+- Allow specifying an array of ids as `allow_credentials:` for `FakeClient#get` method ([#335](https://github.com/cedarcode/webauthn-ruby/pull/335) / [@kingjan1999])
+
+### Removed
+
+- No longer accept "removed from the WebAuthn spec" options `rp: { icon: }` and `user: { icon: }` for `WebAuthn::Credential.options_for_create` method ([#326](https://github.com/cedarcode/webauthn-ruby/pull/326) / [@santiagorodriguez96])
+
+## [v2.4.1] - 2021-02-15
+
+### Fixed
+
+- Fix verification of new credential if no attestation provided and 'None' type is not among configured `acceptable_attestation_types`. I.e. reject it instead of letting it go through.
+
+## [v2.4.0] - 2020-09-03
+
+### Added
+
+- Support for ES256K credentials
+- `FakeClient#get` accepts `user_handle:` keyword argument ([@lgarron])
+
+## [v2.3.0] - 2020-06-27
+
+### Added
+
+- Ability to access extension outputs with `PublicKeyCredential#client_extension_outputs` and `PublicKeyCredential#authenticator_extension_outputs` ([@santiagorodriguez96])
+
+## [v2.2.1] - 2020-06-06
+
+### Fixed
+
+- Fixed compatibility with OpenSSL-C (libssl) v1.0.2 ([@santiagorodriguez96])
+
+## [v2.2.0] - 2020-03-14
+
+### Added
+
+- Verification step that checks the received credential public key algorithm during registration matches one of the configured algorithms
+- [EXPERIMENTAL] Attestation trustworthiness verification default steps for "tpm", "android-key" and "android-safetynet" ([@bdewater], [@padulafacundo]). Still manual configuration needed for "packed" and "fido-u2f".
+
+Note: Expect possible breaking changes for "EXPERIMENTAL" features.
+
 ## [v2.1.0] - 2019-12-30
 
 ### Added
@@ -273,6 +417,23 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v3.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.3.0...v3.4.0/
+[v3.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.2...v3.3.0/
+[v3.2.2]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.1...v3.2.2/
+[v3.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.0...v3.2.1/
+[v3.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.1.0...v3.2.0/
+[v3.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.0.0...v3.1.0/
+[v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
+[v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/
+[v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v3.0.0.alpha1
+[v2.5.2]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.1...v2.5.2/
+[v2.5.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.0...v2.5.1/
+[v2.5.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.1...v2.5.0/
+[v2.4.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.0...v2.4.1/
+[v2.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v2.4.0/
+[v2.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.1...v2.3.0/
+[v2.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.2.0...v2.2.1/
+[v2.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.1.0...v2.2.0/
 [v2.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.0.0...v2.1.0/
 [v2.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.18.0...v2.0.0/
 [v1.18.0]: https://github.com/cedarcode/webauthn-ruby/compare/v1.17.0...v1.18.0/
@@ -297,6 +458,7 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [v0.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.1.0...v0.2.0/
 [v0.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v0.0.0...v0.1.0/
 
+[@brauliomartinezlm]: https://github.com/brauliomartinezlm
 [@bdewater]: https://github.com/bdewater
 [@jdongelmans]: https://github.com/jdongelmans
 [@kalebtesfay]: https://github.com/kalebtesfay
@@ -304,3 +466,10 @@ Note: Both additions should help making it compatible with Chrome for Android 70
 [@sorah]: https://github.com/sorah
 [@ssuttner]: https://github.com/ssuttner
 [@padulafacundo]: https://github.com/padulafacundo
+[@santiagorodriguez96]: https://github.com/santiagorodriguez96
+[@lgarron]: https://github.com/lgarron
+[@juanarias93]: https://github.com/juanarias93
+[@kingjan1999]: https://github.com/@kingjan1999
+[@jdongelmans]: https://github.com/jdongelmans
+[@petergoldstein]: https://github.com/petergoldstein
+[@ClearlyClaire]: https://github.com/ClearlyClaire

data/CONTRIBUTING.md

@@ -14,11 +14,6 @@
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake` to run the tests and code-style checks. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
-Some tests require stubbing time with [libfaketime](https://github.com/wolfcw/libfaketime) in order to pass, otherwise they're skipped. You can install this library with your package manager. Follow libfaketime's instructions for your OS to preload the library before running the tests, and use the `FAKETIME_NO_CACHE=1` option. E.g. when installed via homebrew on macOS:
-```shell
-DYLD_INSERT_LIBRARIES=/usr/local/Cellar/libfaketime/2.9.7_1/lib/faketime/libfaketime.1.dylib DYLD_FORCE_FLAT_NAMESPACE=1 FAKETIME_NO_CACHE=1 bundle exec rspec
-```
-
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ### Styleguide

data/README.md

@@ -6,7 +6,7 @@ For the current release version see https://github.com/cedarcode/webauthn-ruby/b
 ![banner](assets/webauthn-ruby.png)
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
-[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.org/cedarcode/webauthn-ruby)
+[![Build](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 [![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
@@ -16,7 +16,7 @@ Makes your Ruby/Rails web server become a functional [WebAuthn Relying Party](ht
 
 Takes care of the [server-side operations](https://www.w3.org/TR/webauthn/#rp-operations) needed to
 [register](https://www.w3.org/TR/webauthn/#registration) or [authenticate](https://www.w3.org/TR/webauthn/#authentication)
-a user [credential](https://www.w3.org/TR/webauthn/#public-key-credential), including the necessary cryptographic checks.
+a user's [public key credential](https://www.w3.org/TR/webauthn/#public-key-credential) (also called a "passkey"), including the necessary cryptographic checks.
 
 ## Table of Contents
 
@@ -52,7 +52,7 @@ WebAuthn (Web Authentication) is a W3C standard for secure public-key authentica
 
 - WebAuthn [W3C Recommendation](https://www.w3.org/TR/webauthn/) (i.e. "The Standard")
 - [Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API) in MDN
-- How to use [WebAuthn in Android apps](https://developers.google.com/identity/fido/android/native-apps)
+- How to use WebAuthn in native [Android](https://developers.google.com/identity/fido/android/native-apps) or [macOS/iOS/iPadOS](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication) apps.
 - [Security Benefits for WebAuthn Servers (a.k.a Relying Parties)](https://www.w3.org/TR/webauthn/#sctn-rp-benefits)
 
 ## Prerequisites
@@ -64,12 +64,12 @@ Known conformant pairs are, for example:
 - Google Chrome for Android 70+ and Android's Fingerprint-based platform authenticator
 - Microsoft Edge and Windows 10 platform authenticator
 - Mozilla Firefox for Desktop and Yubico's Security Key roaming authenticator via USB
+- Safari in iOS 13.3+ and YubiKey 5 NFC via NFC
 
-For a detailed picture about what is conformant and what not, you can refer to:
-
-- [apowers313/fido2-webauthn-status](https://github.com/apowers313/fido2-webauthn-status)
-- [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products)
+For a complete list:
 
+- User Agents (Clients): [Can I Use: Web Authentication API](https://caniuse.com/#search=webauthn)
+- Authenticators: [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products) (search for Type=Authenticator and Specification=FIDO2)
 
 ## Install
 
@@ -89,20 +89,23 @@ Or install it yourself as:
 
 ## Usage
 
-You can find a working example on how to use this gem in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app).
+You can find a working example on how to use this gem in a pasword-less login in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app). If you want to see an example on how to use this gem as a second factor authenticator in a __Rails__ application instead, you can check it in [webauthn-2fa-rails-demo](https://github.com/cedarcode/webauthn-2fa-rails-demo).
 
 If you are migrating an existing application from the legacy FIDO U2F JavaScript API to WebAuthn, also refer to
 [`docs/u2f_migration.md`](docs/u2f_migration.md).
 
 ### Configuration
 
+If you have a multi-tenant application or just need to configure WebAuthn differently for separate parts of your application (e.g. if your users authenticate to different subdomains in the same application), we strongly recommend you look at this [Advanced Configuration](docs/advanced_configuration.md) section instead of this.
+
 For a Rails application this would go in `config/initializers/webauthn.rb`.
 
 ```ruby
 WebAuthn.configure do |config|
   # This value needs to match `window.location.origin` evaluated by
   # the User Agent during registration and authentication ceremonies.
-  config.origin = "https://auth.example.com"
+  # Multiple origins can be used when needed. Using more than one will imply you MUST configure rp_id explicitely. If you need your credentials to be bound to a single origin but you have more than one tenant, please see [our Advanced Configuration section](https://github.com/cedarcode/webauthn-ruby/blob/master/docs/advanced_configuration.md) instead of adding multiple origins.
+  config.allowed_origins = ["https://auth.example.com"]
 
   # Relying Party name for display purposes
   config.rp_name = "Example Inc."
@@ -150,7 +153,7 @@ if !user.webauthn_id
 end
 
 options = WebAuthn::Credential.options_for_create(
-  user: { id: user.webauthn_id, name: user.name }
+  user: { id: user.webauthn_id, name: user.name },
   exclude: user.credentials.map { |c| c.webauthn_id }
 )
 
@@ -252,6 +255,54 @@ rescue WebAuthn::Error => e
 end
 ```
 
+### Extensions
+
+> The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, as defined in Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or an authentication extension.
+
+> When creating a public key credential or requesting an authentication assertion, a WebAuthn Relying Party can request the use of a set of extensions. These extensions will be invoked during the requested ceremony if they are supported by the WebAuthn Client and/or the WebAuthn Authenticator. The Relying Party sends the client extension input for each extension in the get() call (for authentication extensions) or create() call (for registration extensions) to the WebAuthn client. [[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]
+
+Extensions can be requested in the initiation phase in both Credential Registration and Authentication ceremonies by adding the extension parameter when generating the options for create/get:
+
+```ruby
+# Credential Registration
+creation_options = WebAuthn::Credential.options_for_create(
+  user: { id: user.webauthn_id, name: user.name },
+  exclude: user.credentials.map { |c| c.webauthn_id },
+  extensions: { appidExclude: domain.to_s }
+)
+
+# OR
+
+# Credential Authentication
+options = WebAuthn::Credential.options_for_get(
+  allow: user.credentials.map { |c| c.webauthn_id },
+  extensions: { appid: domain.to_s }
+)
+```
+
+Consequently, after these `options` are sent to the WebAuthn client:
+
+> The WebAuthn client performs client extension processing for each extension that the client supports, and augments the client data as specified by each extension, by including the extension identifier and client extension output values.
+
+> For authenticator extensions, as part of the client extension processing, the client also creates the CBOR authenticator extension input value for each extension (often based on the corresponding client extension input value), and passes them to the authenticator in the create() call (for registration extensions) or the get() call (for authentication extensions).
+
+> The authenticator, in turn, performs additional processing for the extensions that it supports, and returns the CBOR authenticator extension output for each as specified by the extension. Part of the client extension processing for authenticator extensions is to use the authenticator extension output as an input to creating the client extension output. [[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]
+
+Finally, you can check the values returned for each extension by calling `client_extension_outputs` and `authenticator_extension_outputs` respectively.
+For example, following the initialization phase for the Credential Authentication ceremony specified in the above example:
+
+```ruby
+webauthn_credential = WebAuthn::Credential.from_get(credential_get_result_hash)
+
+webauthn_credential.client_extension_outputs #=> { "appid" => true }
+webauthn_credential.authenticator_extension_outputs #=> nil
+```
+
+A list of all currently defined extensions:
+
+  - [Last published version](https://www.w3.org/TR/webauthn-2/#sctn-defined-extensions)
+  - [Next version (in draft)](https://w3c.github.io/webauthn/#sctn-defined-extensions)
+
 ## API
 
 #### `WebAuthn.generate_user_id`
@@ -342,25 +393,40 @@ credential_with_assertion.verify(
 )
 ```
 
+#### `PublicKeyCredential#client_extension_outputs`
+
+```ruby
+credential = WebAuthn::Credential.from_create(params[:publicKeyCredential])
+
+credential.client_extension_outputs
+```
+
+#### `PublicKeyCredential#authenticator_extension_outputs`
+
+```ruby
+credential = WebAuthn::Credential.from_create(params[:publicKeyCredential])
+
+credential.authenticator_extension_outputs
+```
+
 ## Attestation
 
-### Attestation Statement Format
+### Attestation Statement Formats
 
 | Attestation Statement Format | Supported? |
 | -------- | :--------: |
 | packed (self attestation) | Yes |
 | packed (x5c attestation) | Yes |
-| packed (ECDAA attestation) | No |
 | tpm (x5c attestation) | Yes |
-| tpm (ECDAA attestation) | No |
 | android-key | Yes |
 | android-safetynet | Yes |
+| apple | Yes |
 | fido-u2f | Yes |
 | none | Yes |
 
 ### Attestation Types
 
-You can define what trust policy to enforce by setting `acceptable_attestation_types` config to a subset of `['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']` and `attestation_root_certificates_finders` to an object that responds to `#find` and returns the corresponding root certificate for each registration. The `#find` method will be called passing keyword arguments `attesation_format`, `aaguid` and `attestation_certificate_key_id`.
+You can define what trust policy to enforce by setting `acceptable_attestation_types` config to a subset of `['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']` and `attestation_root_certificates_finders` to an object that responds to `#find` and returns the corresponding root certificate for each registration. The `#find` method will be called passing keyword arguments `attestation_format`, `aaguid` and `attestation_certificate_key_id`.
 
 ## Testing Your Integration
 

data/SECURITY.md

@@ -4,11 +4,14 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.1.z    | :white_check_mark: |
-| 2.0.z    | :white_check_mark: |
+| 2.5.z    | :white_check_mark: |
+| 2.4.z    | :white_check_mark: |
+| 2.3.z    | :white_check_mark: |
+| 2.2.z    | :x: |
+| 2.1.z    | :x: |
+| 2.0.z    | :x: |
 | 1.18.z   | :white_check_mark: |
-| 1.17.z   | :white_check_mark: |
-| < 1.17   | :x:                |
+| < 1.18   | :x:                |
 
 ## Reporting a Vulnerability