webauthn 2.5.2 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f07d44a7778995c6bd2531b26f61e8974ba6ccc8dcf5ff1f21886f353423d598
-  data.tar.gz: ecb287679447b3074065f2b06cb0f38b20c9a94114ed2b592d93e99874dfda1a
+  metadata.gz: 3b23698bdd722a0cda45be7ee9d5ba528f966eb98304a50069242f0a25dcd259
+  data.tar.gz: 4d7bf8874268cbbbfa75136006af9dc5a824b25d3f0522c5f2046092261bae5d
 SHA512:
-  metadata.gz: 98811fdbdb15cd80defb95a75de555a3775864bb1c1f1ac94af4a605af2fa3acf7908d91a120b5c3e214af890469d5f2194e5e037a9f8a40b03935159be6a1f1
-  data.tar.gz: 8d90a9d37fb83a0ecf5e0c29e8f5154a0ee2170da994238b55fcc4042cb84f6b7fb4e09386e704a2d83f363ef0864fb1fa60c913eea3ae2754e5189435302570
+  metadata.gz: bf2d6697ee0c34cccbb1f5f9765e70efe1a8062f73b35cb900894c59f512d81157a836046e8006c9c6d5b0a0b3040f9c76a83417928d0ff9fbaba2db1893aaef
+  data.tar.gz: 2952c2573b030ffbba7837f2ba299e73c7a4e09a3a46b4a7a19c7875b4ea5394a8af00059dda69ae4c3dc34b1531b3aad3d1d1445dc4000260b3cfc4e5e23a98

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/build.yml

@@ -7,7 +7,11 @@
 
 name: build
 
-on: push
+on:  
+  push:
+    branches: [master]
+  pull_request:
+    types: [opened, synchronize]
 
 jobs:
   test:
@@ -16,15 +20,15 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
+          - '3.2'
           - '3.1'
           - '3.0'
           - '2.7'
           - '2.6'
           - '2.5'
-          - '2.4'
           - truffleruby
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}

data/.github/workflows/git.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2.0.0
+      - uses: actions/checkout@v4
       - name: Block autosquash commits
         uses: xt0rted/block-autosquash-commits-action@v2
         with:

data/.rubocop.yml

@@ -7,7 +7,7 @@ inherit_mode:
     - AllowedNames
 
 AllCops:
-  TargetRubyVersion: 2.4
+  TargetRubyVersion: 2.5
   DisabledByDefault: true
   NewCops: disable
   Exclude:

data/CHANGELOG.md

@@ -1,12 +1,46 @@
 # Changelog
 
+## [v3.1.0] - 2023-12-26
+
+### Added
+
+- Add support for optional `authenticator_attachment` in `PublicKeyCredential`. #370 [@8ma10s]
+
+### Fixed
+
+- Fix circular require warning between `webauthn/relying_party` and `webauthn/credential`. #389 [@bdewater]
+- Correctly verify attestation that contains just a batch certificate that is present in the attestation root certificates. #406 [@santiagorodriguez96]
+
+### Changed
+
+- Inlined `base64` implementation. #402 [@olleolleolle]
+- Raise a more descriptive error if input `challenge` is `nil` when verifying the `PublicKeyCredential`. #413 [@soartec-lab]
+
+## [v3.0.0] - 2023-02-15
+
+### Added
+
+- Add the capability of handling appid extension #319 [@santiagorodriguez96]
+- Add support for credential backup flags #378 [@santiagorodriguez96]
+- Update dependencies to make gem compatible with OpenSSL 3.1 ([@bdewater],[@santiagorodriguez96])
+
+## [v3.0.0.alpha2] - 2022-09-12
+
+### Added
+
+- Rebased support for multiple relying parties from v3.0.0.alpha1 on top of v2.5.2, the previous alpha version was based on v2.3.0 ([@bdewater])
+
+### BREAKING CHANGES
+
+- Bumped minimum required Ruby version to 2.5 ([@bdewater])
+
 ## [v3.0.0.alpha1] - 2020-06-27
 
 ### Added
 
 - Ability to define multiple relying parties with the introduction of the `WebAuthn::RelyingParty` class ([@padulafacundo], [@brauliomartinezlm])
 
-## [v2.5.1] - 2022-07-13
+## [v2.5.2] - 2022-07-13
 
 ### Added
 
@@ -340,8 +374,11 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
-[v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha1/
-[v2.5.2]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.0...v2.5.2/
+[v3.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.0.0...v3.1.0/
+[v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
+[v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/
+[v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v3.0.0.alpha1
+[v2.5.2]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.1...v2.5.2/
 [v2.5.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.5.0...v2.5.1/
 [v2.5.0]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.1...v2.5.0/
 [v2.4.1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.4.0...v2.4.1/

data/README.md

@@ -6,7 +6,7 @@ For the current release version see https://github.com/cedarcode/webauthn-ruby/b
 ![banner](assets/webauthn-ruby.png)
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
-[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.com/cedarcode/webauthn-ruby)
+[![Build](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 [![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
@@ -16,7 +16,7 @@ Makes your Ruby/Rails web server become a functional [WebAuthn Relying Party](ht
 
 Takes care of the [server-side operations](https://www.w3.org/TR/webauthn/#rp-operations) needed to
 [register](https://www.w3.org/TR/webauthn/#registration) or [authenticate](https://www.w3.org/TR/webauthn/#authentication)
-a user [credential](https://www.w3.org/TR/webauthn/#public-key-credential), including the necessary cryptographic checks.
+a user's [public key credential](https://www.w3.org/TR/webauthn/#public-key-credential) (also called a "passkey"), including the necessary cryptographic checks.
 
 ## Table of Contents
 
@@ -52,7 +52,7 @@ WebAuthn (Web Authentication) is a W3C standard for secure public-key authentica
 
 - WebAuthn [W3C Recommendation](https://www.w3.org/TR/webauthn/) (i.e. "The Standard")
 - [Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API) in MDN
-- How to use [WebAuthn in Android apps](https://developers.google.com/identity/fido/android/native-apps)
+- How to use WebAuthn in native [Android](https://developers.google.com/identity/fido/android/native-apps) or [macOS/iOS/iPadOS](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication) apps.
 - [Security Benefits for WebAuthn Servers (a.k.a Relying Parties)](https://www.w3.org/TR/webauthn/#sctn-rp-benefits)
 
 ## Prerequisites
@@ -89,7 +89,7 @@ Or install it yourself as:
 
 ## Usage
 
-You can find a working example on how to use this gem in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app).
+You can find a working example on how to use this gem in a pasword-less login in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app). If you want to see an example on how to use this gem as a second factor authenticator in a __Rails__ application instead, you can check it in [webauthn-2fa-rails-demo](https://github.com/cedarcode/webauthn-2fa-rails-demo).
 
 If you are migrating an existing application from the legacy FIDO U2F JavaScript API to WebAuthn, also refer to
 [`docs/u2f_migration.md`](docs/u2f_migration.md).

data/docs/advanced_configuration.md

@@ -21,7 +21,7 @@ Intead of the [Global Configuration](../README.md#configuration) you place in `c
   relying_party = WebAuthn::RelyingParty.new(
     # This value needs to match `window.location.origin` evaluated by
     # the User Agent during registration and authentication ceremonies.
-    origin: "https://admin.example.com"
+    origin: "https://admin.example.com",
 
     # Relying Party name for display purposes
     name: "Admin Site for Example Inc."
@@ -40,7 +40,7 @@ Intead of the [Global Configuration](../README.md#configuration) you place in `c
     # In this case the default would be "admin.example.com", but you can set it to
     # the suffix "example.com"
     #
-    # rp_id: "example.com"
+    # id: "example.com"
 
     # Configure preferred binary-to-text encoding scheme. This should match the encoding scheme
     # used in your client-side (user agent) code before sending the credential to the server.
@@ -59,7 +59,7 @@ Intead of the [Global Configuration](../README.md#configuration) you place in `c
 
 **DISCLAIMER: This API was released on version 3.0.0.alpha1 and is still under evaluation. Although it has been throughly tested and it is fully functional it might be changed until the final release of version 3.0.0.**
 
-The explanation for each ceremony can be found in depth in [Credential Registration](../README.md#credential-registration) and [Credential Authentication](../README.md#credential-authentication) but if you choose this instance based approach to define your WebAuthn configurations and assuming `relying_party` is the result of an instance you get through `WebAuthn::RelytingParty.new(...)` the code in those explanations needs to be updated to:
+The explanation for each ceremony can be found in depth in [Credential Registration](../README.md#credential-registration) and [Credential Authentication](../README.md#credential-authentication) but if you choose this instance based approach to define your WebAuthn configurations and assuming `relying_party` is the result of an instance you get through `WebAuthn::RelyingParty.new(...)` the code in those explanations needs to be updated to:
 
 ### Credential Registration
 
@@ -71,9 +71,9 @@ if !user.webauthn_id
   user.update!(webauthn_id: WebAuthn.generate_user_id)
 end
 
-options = relying_party.options_for_create(
+options = relying_party.options_for_registration(
   user: { id: user.webauthn_id, name: user.name },
-  exclude: user.credentials.map { |c| c.webauthn_id }
+  exclude: user.credentials.map { |c| c.external_id }
 )
 
 # Store the newly generated challenge somewhere so you can have it
@@ -106,7 +106,7 @@ begin
 
   # Store Credential ID, Credential Public Key and Sign Count for future authentications
   user.credentials.create!(
-    webauthn_id: webauthn_credential.id,
+    external_id: webauthn_credential.id,
     public_key: webauthn_credential.public_key,
     sign_count: webauthn_credential.sign_count
   )
@@ -120,7 +120,7 @@ end
 #### Initiation phase
 
 ```ruby
-options = relying_party.options_for_get(allow: user.credentials.map { |c| c.webauthn_id })
+options = relying_party.options_for_authentication(allow: user.credentials.map { |c| c.webauthn_id })
 
 # Store the newly generated challenge somewhere so you can have it
 # for the verification phase.
@@ -148,9 +148,9 @@ begin
   webauthn_credential, stored_credential = relying_party.verify_authentication(
     params[:publicKeyCredential],
     session[:authentication_challenge]
-  ) do
+  ) do |webauthn_credential|
     # the returned object needs to respond to #public_key and #sign_count
-    user.credentials.find_by(webauthn_id: webauthn_credential.id)
+    user.credentials.find_by(external_id: webauthn_credential.id)
   end
 
   # Update the stored credential sign count with the value from `webauthn_credential.sign_count`
@@ -171,4 +171,4 @@ end
 
 Adding a configuration for a new instance does not mean you need to get rid of your Global configuration. They can co-exist in your application and be both available for the different usages you might have. `WebAuthn.configuration.relying_party` will always return the global one while `WebAuthn::RelyingParty.new`, executed anywhere in your codebase, will allow you to create a different instance as you see the need. They will not collide and instead operate in isolation without any shared state.
 
-The gem API described in the current [Usage](../README.md#usage) section for the [Global Configuration](../README.md#configuration) approach will still valid but the [Instance Based API](#instance-based-api) also works with the global `relying_party` that is maintain globally at `WebAuthn.configuration.relying_party`.
+The gem API described in the current [Usage](../README.md#usage) section for the [Global Configuration](../README.md#configuration) approach will still valid but the [Instance Based API](#instance-based-api) also works with the global `relying_party` that is maintain globally at `WebAuthn.configuration.relying_party`.

data/docs/u2f_migration.md

@@ -53,7 +53,7 @@ migrated_credential.authenticator_data.sign_count
 
 ## Authenticate migrated U2F credentials
 
-Following the documentation on the [authentication initiation](https://github.com/cedarcode/webauthn-ruby/blob/master/README.md#authentication),
+Following the documentation on the [authentication initiation](https://github.com/cedarcode/webauthn-ruby/blob/master/README.md#initiation-phase-1),
 you need to specify the [FIDO AppID extension](https://www.w3.org/TR/webauthn/#sctn-appid-extension) for U2F migratedq
 credentials. The WebAuthn standard explains:
 
@@ -65,33 +65,26 @@ For the earlier given example `domain` this means:
 - FIDO AppID: `https://login.example.com`
 - Valid RP IDs: `login.example.com` (default) and `example.com`
 
+You can request the use of the `appid` extension by setting the AppID in the configuration, like this:
+
+```ruby
+WebAuthn.configure do |config|
+  config.legacy_u2f_appid = "https://login.example.com"
+end
+```
+
+By doing this, the `appid` extension will be automatically requested when generating the options for get:
+
 ```ruby
-credential_request_options = WebAuthn.credential_request_options
-credential_request_options[:extensions] = { appid: domain.to_s }
+options = WebAuthn::Credential.options_for_get
 ```
 
 On the frontend, in the resolved value from `navigator.credentials.get({ "publicKey": credentialRequestOptions })` add
 a call to [getClientExtensionResults()](https://www.w3.org/TR/webauthn/#dom-publickeycredential-getclientextensionresults)
 and send its result to your backend alongside the `id`/`rawId` and `response` values. If the authenticator used the AppID
-extension, the returned value will contain `{ "appid": true }`. In the example below, we use `clientExtensionResults`.
+extension, the returned value will contain `{ "appid": true }`.
 
-During authentication verification phase, you must pass either the original AppID or the RP ID as the `rp_id` argument:
+During authentication verification phase, if you followed the [verification phase documentation](https://github.com/cedarcode/webauthn-ruby#verification-phase-1) and have set the AppID in the config, the method `PublicKeyCredentialWithAssertion#verify` will be smart enough to determine if it should use the AppID or the RP ID to verify the WebAuthn credential, depending on the output of the `appid` client extension:
 
 > If true, the AppID was used and thus, when verifying an assertion, the Relying Party MUST expect the `rpIdHash` to be
 > the hash of the _AppID_, not the RP ID.
-
-```ruby
-assertion_response = WebAuthn::AuthenticatorAssertionResponse.new(
-  user_handle: params[:response][:userHandle],
-  authenticator_data: params[:response][:authenticatorData],
-  client_data_json: params[:response][:clientDataJSON],
-  signature: params[:response][:signature],
-)
-
-assertion_response.verify(
-  expected_challenge,
-  public_key: credential.public_key,
-  sign_count: credential.count,
-  rp_id: params[:clientExtensionResults][:appid] ? domain.to_s : domain.host,
-)
-```

data/lib/webauthn/attestation_object.rb

@@ -10,18 +10,22 @@ module WebAuthn
   class AttestationObject
     extend Forwardable
 
-    def self.deserialize(attestation_object)
-      from_map(CBOR.decode(attestation_object))
+    def self.deserialize(attestation_object, relying_party)
+      from_map(CBOR.decode(attestation_object), relying_party)
     end
 
-    def self.from_map(map)
+    def self.from_map(map, relying_party)
       new(
         authenticator_data: WebAuthn::AuthenticatorData.deserialize(map["authData"]),
-        attestation_statement: WebAuthn::AttestationStatement.from(map["fmt"], map["attStmt"])
+        attestation_statement: WebAuthn::AttestationStatement.from(
+          map["fmt"],
+          map["attStmt"],
+          relying_party: relying_party
+        )
       )
     end
 
-    attr_reader :authenticator_data, :attestation_statement
+    attr_reader :authenticator_data, :attestation_statement, :relying_party
 
     def initialize(authenticator_data:, attestation_statement:)
       @authenticator_data = authenticator_data

data/lib/webauthn/attestation_statement/base.rb

@@ -28,8 +28,9 @@ module WebAuthn
     class Base
       AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4"
 
-      def initialize(statement)
+      def initialize(statement, relying_party = WebAuthn.configuration.relying_party)
         @statement = statement
+        @relying_party = relying_party
       end
 
       def valid?(_authenticator_data, _client_data_hash)
@@ -50,7 +51,7 @@ module WebAuthn
 
       private
 
-      attr_reader :statement
+      attr_reader :statement, :relying_party
 
       def matching_aaguid?(attested_credential_data_aaguid)
         extension = attestation_certificate&.find_extension(AAGUID_EXTENSION_OID)
@@ -93,14 +94,23 @@ module WebAuthn
 
       def trustworthy?(aaguid: nil, attestation_certificate_key_id: nil)
         if ATTESTATION_TYPES_WITH_ROOT.include?(attestation_type)
-          configuration.acceptable_attestation_types.include?(attestation_type) &&
+          relying_party.acceptable_attestation_types.include?(attestation_type) &&
             valid_certificate_chain?(aaguid: aaguid, attestation_certificate_key_id: attestation_certificate_key_id)
         else
-          configuration.acceptable_attestation_types.include?(attestation_type)
+          relying_party.acceptable_attestation_types.include?(attestation_type)
         end
       end
 
       def valid_certificate_chain?(aaguid: nil, attestation_certificate_key_id: nil)
+        root_certificates = root_certificates(
+          aaguid: aaguid,
+          attestation_certificate_key_id: attestation_certificate_key_id
+        )
+
+        if certificates&.one? && root_certificates.include?(attestation_certificate)
+          return true
+        end
+
         attestation_root_certificates_store(
           aaguid: aaguid,
           attestation_certificate_key_id: attestation_certificate_key_id
@@ -120,7 +130,7 @@ module WebAuthn
 
       def root_certificates(aaguid: nil, attestation_certificate_key_id: nil)
         root_certificates =
-          configuration.attestation_root_certificates_finders.reduce([]) do |certs, finder|
+          relying_party.attestation_root_certificates_finders.reduce([]) do |certs, finder|
             if certs.empty?
               finder.find(
                 attestation_format: format,
@@ -158,14 +168,10 @@ module WebAuthn
       def cose_algorithm
         @cose_algorithm ||=
           COSE::Algorithm.find(algorithm).tap do |alg|
-            alg && configuration.algorithms.include?(alg.name) ||
+            alg && relying_party.algorithms.include?(alg.name) ||
               raise(UnsupportedAlgorithm, "Unsupported algorithm #{algorithm}")
           end
       end
-
-      def configuration
-        WebAuthn.configuration
-      end
     end
   end
 end

data/lib/webauthn/attestation_statement.rb

@@ -31,11 +31,11 @@ module WebAuthn
       ATTESTATION_FORMAT_APPLE => WebAuthn::AttestationStatement::Apple
     }.freeze
 
-    def self.from(format, statement)
+    def self.from(format, statement, relying_party: WebAuthn.configuration.relying_party)
       klass = FORMAT_TO_CLASS[format]
 
       if klass
-        klass.new(statement)
+        klass.new(statement, relying_party)
       else
         raise(FormatNotSupportedError, "Unsupported attestation format '#{format}'")
       end

data/lib/webauthn/authenticator_assertion_response.rb

@@ -10,8 +10,8 @@ module WebAuthn
   class SignCountVerificationError < VerificationError; end
 
   class AuthenticatorAssertionResponse < AuthenticatorResponse
-    def self.from_client(response)
-      encoder = WebAuthn.configuration.encoder
+    def self.from_client(response, relying_party: WebAuthn.configuration.relying_party)
+      encoder = relying_party.encoder
 
       user_handle =
         if response["userHandle"]
@@ -22,7 +22,8 @@ module WebAuthn
         authenticator_data: encoder.decode(response["authenticatorData"]),
         client_data_json: encoder.decode(response["clientDataJSON"]),
         signature: encoder.decode(response["signature"]),
-        user_handle: user_handle
+        user_handle: user_handle,
+        relying_party: relying_party
       )
     end
 

data/lib/webauthn/authenticator_attestation_response.rb

@@ -18,12 +18,13 @@ module WebAuthn
   class AuthenticatorAttestationResponse < AuthenticatorResponse
     extend Forwardable
 
-    def self.from_client(response)
-      encoder = WebAuthn.configuration.encoder
+    def self.from_client(response, relying_party: WebAuthn.configuration.relying_party)
+      encoder = relying_party.encoder
 
       new(
         attestation_object: encoder.decode(response["attestationObject"]),
-        client_data_json: encoder.decode(response["clientDataJSON"])
+        client_data_json: encoder.decode(response["clientDataJSON"]),
+        relying_party: relying_party
       )
     end
 
@@ -33,13 +34,14 @@ module WebAuthn
       super(**options)
 
       @attestation_object_bytes = attestation_object
+      @relying_party = relying_party
     end
 
     def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
       super
 
       verify_item(:attested_credential)
-      if WebAuthn.configuration.verify_attestation_statement
+      if relying_party.verify_attestation_statement
         verify_item(:attestation_statement)
       end
 
@@ -47,7 +49,7 @@ module WebAuthn
     end
 
     def attestation_object
-      @attestation_object ||= WebAuthn::AttestationObject.deserialize(attestation_object_bytes)
+      @attestation_object ||= WebAuthn::AttestationObject.deserialize(attestation_object_bytes, relying_party)
     end
 
     def_delegators(
@@ -63,14 +65,15 @@ module WebAuthn
 
     private
 
-    attr_reader :attestation_object_bytes
+    attr_reader :attestation_object_bytes, :relying_party
 
     def type
       WebAuthn::TYPES[:create]
     end
 
     def valid_attested_credential?
-      attestation_object.valid_attested_credential?
+      attestation_object.valid_attested_credential? &&
+        relying_party.algorithms.include?(authenticator_data.credential.algorithm)
     end
 
     def valid_attestation_statement?

data/lib/webauthn/authenticator_data/attested_credential_data.rb

@@ -22,9 +22,8 @@ module WebAuthn
       count_bytes_remaining :trailing_bytes_length
       string :trailing_bytes, length: :trailing_bytes_length
 
-      # TODO: use keyword_init when we dropped Ruby 2.4 support
       Credential =
-        Struct.new(:id, :public_key) do
+        Struct.new(:id, :public_key, :algorithm, keyword_init: true) do
           def public_key_object
             COSE::Key.deserialize(public_key).to_pkey
           end
@@ -47,7 +46,7 @@ module WebAuthn
       def credential
         @credential ||=
           if valid?
-            Credential.new(id, public_key)
+            Credential.new(id: id, public_key: public_key, algorithm: algorithm)
           end
       end
 
@@ -59,10 +58,16 @@ module WebAuthn
 
       private
 
+      def algorithm
+        COSE::Algorithm.find(cose_key.alg).name
+      end
+
       def valid_credential_public_key?
-        cose_key = COSE::Key.deserialize(public_key)
+        !!cose_key.alg
+      end
 
-        !!cose_key.alg && WebAuthn.configuration.algorithms.include?(COSE::Algorithm.find(cose_key.alg).name)
+      def cose_key
+        @cose_key ||= COSE::Key.deserialize(public_key)
       end
 
       def public_key

data/lib/webauthn/authenticator_data.rb

@@ -19,9 +19,9 @@ module WebAuthn
     struct :flags do
       bit1 :extension_data_included
       bit1 :attested_credential_data_included
-      bit1 :reserved_for_future_use_4
-      bit1 :reserved_for_future_use_3
       bit1 :reserved_for_future_use_2
+      bit1 :backup_state
+      bit1 :backup_eligibility
       bit1 :user_verified
       bit1 :reserved_for_future_use_1
       bit1 :user_present
@@ -58,6 +58,14 @@ module WebAuthn
       flags.user_verified == 1
     end
 
+    def credential_backup_eligible?
+      flags.backup_eligibility == 1
+    end
+
+    def credential_backed_up?
+      flags.backup_state == 1
+    end
+
     def attested_credential_data_included?
       flags.attested_credential_data_included == 1
     end

data/lib/webauthn/authenticator_response.rb

@@ -19,13 +19,14 @@ module WebAuthn
   class UserVerifiedVerificationError < VerificationError; end
 
   class AuthenticatorResponse
-    def initialize(client_data_json:)
+    def initialize(client_data_json:, relying_party: WebAuthn.configuration.relying_party)
       @client_data_json = client_data_json
+      @relying_party = relying_party
     end
 
     def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
-      expected_origin ||= WebAuthn.configuration.origin || raise("Unspecified expected origin")
-      rp_id ||= WebAuthn.configuration.rp_id
+      expected_origin ||= relying_party.origin || raise("Unspecified expected origin")
+      rp_id ||= relying_party.id
 
       verify_item(:type)
       verify_item(:token_binding)
@@ -34,7 +35,7 @@ module WebAuthn
       verify_item(:authenticator_data)
       verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
 
-      if !WebAuthn.configuration.silent_authentication
+      if !relying_party.silent_authentication
         verify_item(:user_presence)
       end
 
@@ -57,7 +58,7 @@ module WebAuthn
 
     private
 
-    attr_reader :client_data_json
+    attr_reader :client_data_json, :relying_party
 
     def verify_item(item, *args)
       if send("valid_#{item}?", *args)