webauthn 3.0.0 → 3.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b133f46bd003c9bfb9a8557bb8caeca7239fcd6c185f78e74e0ae578444d576e
-  data.tar.gz: 14a32debc72ddcfe7e752118ebd4db832b8a46a5628ee54830f30eada4159bcf
+  metadata.gz: 50b5c2c43f3e5719dd1ed0f63e9a7bb9705f2f1e97861ab0a0ee0a7d61c4ee41
+  data.tar.gz: d8849b387d30e54f7a45fd66bcb2b164983100b0b3369ca8fbf52840261e7fe4
 SHA512:
-  metadata.gz: 9b4ff5cee18575b517473fef7d8000d7e41f113b178378e64a4d2b9036d248f4295edd846a519ab76036a270c3066020fbe44847019812c2a5758f2b1b428f4c
-  data.tar.gz: f3ab22709cbf537982e163acc60dbe114217f223b18cb4cf681a3d932e2f31276f8286091e49da392356c1958ada7e2c07a5b86b48d57b597f965a57c1bcf63d
+  metadata.gz: 4189cd8d89340585a464e6d9368b6ea532c7c59189cbd47022a04d767ec230979076652e333e70878dcead127688d7fe01e57706f63afe325eb1ec5673cf851a
+  data.tar.gz: 1cba3b28cd9388256f6d47493fb151f7732ad8680da5863476d4b5e237db7389e362f7a2543bc1447cd0e205e44134957cfa2e4ceb43e9fb32a6b5f851ff349a

data/.github/actions/install-openssl/action.yml

@@ -0,0 +1,55 @@
+name: Install OpenSSL
+
+inputs:
+  version:
+    description: 'The version of OpenSSL to install'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Restore cached OpenSSL library
+      id: cache-openssl-restore
+      uses: actions/cache/restore@v4
+      with:
+        path: ~/openssl
+        key: openssl-${{ inputs.version }}
+
+    - name: Compile OpenSSL library
+      if: steps.cache-openssl-restore.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        mkdir -p tmp/build-openssl && cd tmp/build-openssl
+        case ${{ inputs.version }} in
+        1.1.*)
+          OPENSSL_COMMIT=OpenSSL_
+          OPENSSL_COMMIT+=$(echo ${{ inputs.version  }} | sed -e 's/\./_/g')
+          git clone -b $OPENSSL_COMMIT --depth 1 https://github.com/openssl/openssl.git .
+          echo "Git commit: $(git rev-parse HEAD)"
+          ./Configure --prefix=$HOME/openssl --libdir=lib linux-x86_64
+          make depend && make -j4 && make install_sw
+          ;;
+        3.*)
+          OPENSSL_COMMIT=openssl-
+          OPENSSL_COMMIT+=$(echo ${{ inputs.version  }})
+          git clone -b $OPENSSL_COMMIT --depth 1 https://github.com/openssl/openssl.git .
+          echo "Git commit: $(git rev-parse HEAD)"
+          if [[ ${{ inputs.version }} == 3.5* ]]; then
+            ./Configure --prefix=$HOME/openssl --libdir=lib enable-fips no-tests no-legacy
+          else
+            ./Configure --prefix=$HOME/openssl --libdir=lib enable-fips no-tests
+          fi
+          make -j4 && make install_sw && make install_fips
+          ;;
+        *)
+          echo "Don't know how to build OpenSSL ${{ inputs.version }}"
+          ;;
+        esac
+
+    - name: Save OpenSSL library cache
+      if: steps.cache-openssl-restore.outputs.cache-hit != 'true'
+      id: cache-openssl-save
+      uses: actions/cache/save@v4
+      with:
+        path: ~/openssl
+        key: ${{ steps.cache-openssl-restore.outputs.cache-primary-key }}

data/.github/actions/install-ruby/action.yml

@@ -0,0 +1,84 @@
+name: Install Ruby
+
+inputs:
+  version:
+    description: 'The version of Ruby to install'
+    required: true
+  openssl-version:
+    description: 'The version of OpenSSL used'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Restore cached Ruby installation
+      id: cache-ruby-restore
+      uses: actions/cache/restore@v4
+      with:
+        path: ~/rubies/ruby-${{ inputs.version }}
+        key: ruby-${{ inputs.version }}-with-openssl-${{ inputs.openssl-version }}
+
+    - name: Install Ruby
+      if: steps.cache-ruby-restore.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        latest_patch=$(curl -s https://cache.ruby-lang.org/pub/ruby/${{ inputs.version }}/ \
+           | grep -oP "ruby-${{ inputs.version }}\.\d+\.tar\.xz" \
+           | grep -oP "\d+(?=\.tar\.xz)" \
+           | sort -V | tail -n 1)
+        wget https://cache.ruby-lang.org/pub/ruby/${{ inputs.version }}/ruby-${{ inputs.version }}.${latest_patch}.tar.xz
+        tar -xJvf ruby-${{ inputs.version }}.${latest_patch}.tar.xz
+        cd ruby-${{ inputs.version }}.${latest_patch}
+        ./configure --prefix=$HOME/rubies/ruby-${{ inputs.version }} --with-openssl-dir=$HOME/openssl
+        make
+        make install
+
+    - name: Update PATH
+      shell: bash
+      run: |
+        echo "~/rubies/ruby-${{ inputs.version }}/bin" >> $GITHUB_PATH
+
+    - name: Install Bundler
+      shell: bash
+      run: |
+        case ${{ inputs.version }} in
+        2.7* | 3.*)
+          echo "Skipping Bundler installation for Ruby ${{ inputs.version }}"
+          ;;
+        2.5* | 2.6*)
+          gem install bundler -v '~> 2.3.0'
+          ;;
+        *)
+          echo "Don't know how to install Bundler for Ruby ${{ inputs.version }}"
+          ;;
+        esac
+
+    - name: Save Ruby installation cache
+      if: steps.cache-ruby-restore.outputs.cache-hit != 'true'
+      id: cache-ruby-save
+      uses: actions/cache/save@v4
+      with:
+        path: ~/rubies/ruby-${{ inputs.version }}
+        key: ${{ steps.cache-ruby-restore.outputs.cache-primary-key }}
+
+    - name: Cache Bundler Install
+      id: cache-bundler-restore
+      uses: actions/cache/restore@v4
+      env:
+        GEMFILE: ${{ env.BUNDLE_GEMFILE || 'Gemfile' }}
+      with:
+        path: ~/bundler/cache
+        key: bundler-ruby-${{ inputs.version }}-${{ inputs.openssl-version }}-${{ hashFiles(env.Gemfile, 'webauthn.gemspec') }}
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        bundle config set --local path ~/bundler/cache
+        bundle install
+
+    - name: Save Bundler Install cache
+      id: cache-bundler-save
+      uses: actions/cache/save@v4
+      with:
+        path: ~/bundler/cache
+        key: ${{ steps.cache-bundler-restore.outputs.cache-primary-key }}

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/build.yml

@@ -7,26 +7,76 @@
 
 name: build
 
-on: push
+on:
+  push:
+    branches: [master]
+  pull_request:
+    types: [opened, synchronize]
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    name: 'Test Ruby ${{ matrix.ruby }} with OpenSSL ${{ matrix.openssl }}'
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
         ruby:
+          - '3.4'
+          - '3.3'
           - '3.2'
           - '3.1'
-          - '3.0'
-          - '2.7'
-          - '2.6'
-          - '2.5'
-          - truffleruby
+        openssl:
+          - '3.5.3'
+          - '3.4.2'
+          - '3.3.4'
+          - '3.2.5'
+          - '3.1.8'
+          - '3.0.17'
+          - '1.1.1w'
+        include:
+          - ruby: truffleruby
+          - ruby: '3.0'
+            openssl: '1.1.1w'
+          - ruby: '2.7'
+            openssl: '1.1.1w'
+          - ruby: '2.6'
+            openssl: '1.1.1w'
+          - ruby: '2.5'
+            openssl: '1.1.1w'
+
     steps:
-    - uses: actions/checkout@v3
-    - uses: ruby/setup-ruby@v1
+    - uses: actions/checkout@v5
+
+    - name: Install OpenSSL
+      if: matrix.ruby != 'truffleruby'
+      uses: ./.github/actions/install-openssl
+      with:
+        version: ${{ matrix.openssl }}
+
+    - name: Manually set up Ruby
+      if: matrix.ruby != 'truffleruby'
+      uses: ./.github/actions/install-ruby
+      with:
+        version: ${{ matrix.ruby }}
+        openssl-version: ${{ matrix.openssl }}
+
+    - name: Set up Ruby
+      if: matrix.ruby == 'truffleruby'
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}
         bundler-cache: true
-    - run: bundle exec rake
+
+    - run: bundle exec rspec
+      env:
+        RUBYOPT: ${{ startsWith(matrix.ruby, '3.4') && '--enable=frozen-string-literal' || '' }}
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3'
+          bundler-cache: true
+      - run: bundle exec rubocop -f github

data/.github/workflows/git.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
       - name: Block autosquash commits
         uses: xt0rted/block-autosquash-commits-action@v2
         with:

data/.rubocop.yml

@@ -1,4 +1,4 @@
-require:
+plugins:
   - rubocop-rspec
   - rubocop-rake
 

data/CHANGELOG.md

@@ -1,5 +1,74 @@
 # Changelog
 
+## [v3.4.2] - 2025-09-22
+
+### Added
+
+- Updated `safety_net_attestation` dependency from `~> 0.4.0` to `~> 0.5.0`.
+
+## [v3.4.1] - 2025-06-06
+
+- Avoid requiring `base64` as it's not a direct dependency. [#459](https://github.com/cedarcode/webauthn-ruby/pull/459)[@santiagorodriguez96]
+
+## [v3.4.0] - 2025-02-17
+
+- Added support for Webauthn.config and RelayingParty to accept multiple allowed_origins. [#431](https://github.com/cedarcode/webauthn-ruby/pull/431)[@obroshnij]
+
+## [v3.3.0] - 2025-02-06
+
+### Added
+
+- Updated `tpm-key_attestation` dependency from `~> 0.12.0` to `~> 0.14.0`. [#449](https://github.com/cedarcode/webauthn-ruby/pull/449) [@brauliomartinezlm], [@nicolastemciuc]
+
+## [v3.2.2] - 2024-11-14
+
+### Fixed
+
+- Fix `PublicKeyCredential::Options#.as_json` not camelCase'ing keys of attributes with hash or arrays as values. [#445](https://github.com/cedarcode/webauthn-ruby/pull/445) [@santiagorodriguez96]
+
+## [v3.2.1] - 2024-11-14
+
+### Fixed
+
+- Fix JSON Serializer generating json with attributes with a null value. [#442](https://github.com/cedarcode/webauthn-ruby/pull/442) @santiagorodriguez96
+
+## [v3.2.0] - 2024-11-13
+
+### Added
+
+- Added `AuthenticatorAttestationResponse#transports` for accessing the response's `transports` value. [#421](https://github.com/cedarcode/webauthn-ruby/pull/421) [@santiagorodriguez96]
+- `WebAuthn::AuthenticatorAssertionResponse#verify` and `WebAuthn::AuthenticatorAttestationResponse#verify`,
+  as well as `RelyingParty#verify_registration` and `RelyingParty#verify_authentication` now accept a `user_presence`
+  keyword arg in order to be able to skip the user presence check for specific attestation and assertion verifications.
+  By default, user presence will be checked unless `silent_authentication` is enabled for the Relying Party (as it was before).
+  [#432](https://github.com/cedarcode/webauthn-ruby/pull/432), [#434](https://github.com/cedarcode/webauthn-ruby/pull/434), [#435](https://github.com/cedarcode/webauthn-ruby/pull/435) ([@nov](https://github.com/nov), [@santiagorodriguez96])
+- `WebAuthn::FakeClient#create` and `WebAuthn::FakeAuthenticator#make_credential` now support a `credential_algorithm` and
+  `algorithm` param (respectively) for choosing the algorithm to use for creating the credential.
+  Supported values are: 'ES256', 'RSA256' and 'EdDSA'. [#400](https://github.com/cedarcode/webauthn-ruby/pull/400), [#437](https://github.com/cedarcode/webauthn-ruby/pull/437) [@santiagorodriguez96]
+- Remove `awrence` dependency. [#436](https://github.com/cedarcode/webauthn-ruby/pull/436) [@npezza](https://github.com/npezza93)
+- Run tests with Ruby 3.3. [#416](https://github.com/cedarcode/webauthn-ruby/pull/416) [@santiagorodriguez96]
+- Run tests with Ruby 3.4.0-preview2. [#436](https://github.com/cedarcode/webauthn-ruby/pull/436) [@npezza](https://github.com/npezza93)
+
+### Changed
+
+- Remove unused class `AttestationTrustworthinessVerificationError`. [#412](https://github.com/cedarcode/webauthn-ruby/pull/412) [@soartec-lab]
+
+## [v3.1.0] - 2023-12-26
+
+### Added
+
+- Add support for optional `authenticator_attachment` in `PublicKeyCredential`. #370 [@8ma10s]
+
+### Fixed
+
+- Fix circular require warning between `webauthn/relying_party` and `webauthn/credential`. #389 [@bdewater]
+- Correctly verify attestation that contains just a batch certificate that is present in the attestation root certificates. #406 [@santiagorodriguez96]
+
+### Changed
+
+- Inlined `base64` implementation. #402 [@olleolleolle]
+- Raise a more descriptive error if input `challenge` is `nil` when verifying the `PublicKeyCredential`. #413 [@soartec-lab]
+
 ## [v3.0.0] - 2023-02-15
 
 ### Added
@@ -358,6 +427,14 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v3.4.2]: https://github.com/cedarcode/webauthn-ruby/compare/v3.4.1...v3.4.2/
+[v3.4.1]: https://github.com/cedarcode/webauthn-ruby/compare/v3.4.0...v3.4.1/
+[v3.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.3.0...v3.4.0/
+[v3.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.2...v3.3.0/
+[v3.2.2]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.1...v3.2.2/
+[v3.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.0...v3.2.1/
+[v3.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.1.0...v3.2.0/
+[v3.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.0.0...v3.1.0/
 [v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
 [v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/
 [v3.0.0.alpha1]: https://github.com/cedarcode/webauthn-ruby/compare/v2.3.0...v3.0.0.alpha1

data/README.md

@@ -1,12 +1,12 @@
-__Note__: You are viewing the README for the development version of webauthn-ruby.
-For the current release version see https://github.com/cedarcode/webauthn-ruby/blob/2-stable/README.md.
+> [!warning]
+> You are viewing the README for the development version of webauthn-ruby. For the current release version see https://github.com/cedarcode/webauthn-ruby/blob/3-stable/README.md.
 
 # webauthn-ruby
 
 ![banner](assets/webauthn-ruby.png)
 
 [![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)
-[![Travis](https://img.shields.io/travis/cedarcode/webauthn-ruby/master.svg?style=flat-square)](https://travis-ci.com/cedarcode/webauthn-ruby)
+[![Build](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)
 [![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
@@ -104,7 +104,8 @@ For a Rails application this would go in `config/initializers/webauthn.rb`.
 WebAuthn.configure do |config|
   # This value needs to match `window.location.origin` evaluated by
   # the User Agent during registration and authentication ceremonies.
-  config.origin = "https://auth.example.com"
+  # Multiple origins can be used when needed. Using more than one will imply you MUST configure rp_id explicitely. If you need your credentials to be bound to a single origin but you have more than one tenant, please see [our Advanced Configuration section](https://github.com/cedarcode/webauthn-ruby/blob/master/docs/advanced_configuration.md) instead of adding multiple origins.
+  config.allowed_origins = ["https://auth.example.com"]
 
   # Relying Party name for display purposes
   config.rp_name = "Example Inc."

data/docs/advanced_configuration.md

@@ -4,24 +4,25 @@
 
 Which approach suits best your needs will depend on the architecture of your application and how do your users need to register and authenticate to it.
 
-If you have a multi-tenant application, or any application segmenation, where your users register and authenticate to each of these tenants or segments individuallly using different hostnames, or with different security needs, you need to go through [Instance Based Configuration](#instance-based-configuration).
+If you have a multi-tenant application, or any application segmentation, where your users register and authenticate to each of these tenants or segments individually using different hostnames, or with different security needs, you need to go through [Instance Based Configuration](#instance-based-configuration).
 
-However, if your application is served for just one hostname, or else if your users authenticate to only one subdmain (e.g. your application serves www.example.com and admin.example.com but all you users authenticate through auth.example.com) you can still rely on one [Global Configuration](../README.md#configuration).
+However, if your application is served for just one hostname, or else if your users authenticate to only one subdomain (e.g. your application serves www.example.com and admin.example.com but all your users authenticate through auth.example.com) you can still rely on one [Global Configuration](../README.md#configuration).
 
 If you are still not sure, or want to keep your options open, be aware that [Instance Based Configuration](#instance-based-configuration) is also a valid way of defining a single instance configuration and how you share such configuration across your application, it's up to you.
 
 
 ## Instance Based Configuration
 
-Intead of the [Global Configuration](../README.md#configuration) you place in `config/initializers/webauthn.rb`,
+Instead of the [Global Configuration](../README.md#configuration) you place in `config/initializers/webauthn.rb`,
  you can now have an on-demand instance of `WebAuthn::RelyingParty` with the same configuration options, that
- you can build anywhere in you application, in the following way:
+ you can build anywhere in your application, in the following way:
 
 ```ruby
   relying_party = WebAuthn::RelyingParty.new(
     # This value needs to match `window.location.origin` evaluated by
     # the User Agent during registration and authentication ceremonies.
-    origin: "https://admin.example.com",
+    # Multiple origins can be used when needed. Using more than one will imply you MUST configure rp_id explicitely. If you need your credentials to be bound to a single origin but you have more than one tenant, please see [our Advanced Configuration section](https://github.com/cedarcode/webauthn-ruby/blob/master/docs/advanced_configuration.md) instead of adding multiple origins.
+    allowed_origins: ["https://admin.example.com"],
 
     # Relying Party name for display purposes
     name: "Admin Site for Example Inc."
@@ -57,9 +58,9 @@ Intead of the [Global Configuration](../README.md#configuration) you place in `c
 
 ## Instance Based API
 
-**DISCLAIMER: This API was released on version 3.0.0.alpha1 and is still under evaluation. Although it has been throughly tested and it is fully functional it might be changed until the final release of version 3.0.0.**
+**DISCLAIMER: This API was released on version 3.0.0.alpha1 and is still under evaluation. Although it has been thoroughly tested and it is fully functional it might be changed until the final release of version 3.0.0.**
 
-The explanation for each ceremony can be found in depth in [Credential Registration](../README.md#credential-registration) and [Credential Authentication](../README.md#credential-authentication) but if you choose this instance based approach to define your WebAuthn configurations and assuming `relying_party` is the result of an instance you get through `WebAuthn::RelytingParty.new(...)` the code in those explanations needs to be updated to:
+The explanation for each ceremony can be found in depth in [Credential Registration](../README.md#credential-registration) and [Credential Authentication](../README.md#credential-authentication) but if you choose this instance based approach to define your WebAuthn configurations and assuming `relying_party` is the result of an instance you get through `WebAuthn::RelyingParty.new(...)` the code in those explanations needs to be updated to:
 
 ### Credential Registration
 
@@ -73,7 +74,7 @@ end
 
 options = relying_party.options_for_registration(
   user: { id: user.webauthn_id, name: user.name },
-  exclude: user.credentials.map { |c| c.webauthn_id }
+  exclude: user.credentials.map { |c| c.external_id }
 )
 
 # Store the newly generated challenge somewhere so you can have it
@@ -101,12 +102,12 @@ session[:creation_challenge] = options.challenge
 begin
   webauthn_credential = relying_party.verify_registration(
     params[:publicKeyCredential],
-    params[:create_challenge]
+    session[:creation_challenge]
   )
 
   # Store Credential ID, Credential Public Key and Sign Count for future authentications
   user.credentials.create!(
-    webauthn_id: webauthn_credential.id,
+    external_id: webauthn_credential.id,
     public_key: webauthn_credential.public_key,
     sign_count: webauthn_credential.sign_count
   )
@@ -120,7 +121,7 @@ end
 #### Initiation phase
 
 ```ruby
-options = relying_party.options_for_get(allow: user.credentials.map { |c| c.webauthn_id })
+options = relying_party.options_for_authentication(allow: user.credentials.map { |c| c.webauthn_id })
 
 # Store the newly generated challenge somewhere so you can have it
 # for the verification phase.
@@ -148,9 +149,9 @@ begin
   webauthn_credential, stored_credential = relying_party.verify_authentication(
     params[:publicKeyCredential],
     session[:authentication_challenge]
-  ) do
+  ) do |webauthn_credential|
     # the returned object needs to respond to #public_key and #sign_count
-    user.credentials.find_by(webauthn_id: webauthn_credential.id)
+    user.credentials.find_by(external_id: webauthn_credential.id)
   end
 
   # Update the stored credential sign count with the value from `webauthn_credential.sign_count`
@@ -159,7 +160,7 @@ begin
   # Continue with successful sign in or 2FA verification...
 
 rescue WebAuthn::SignCountVerificationError => e
-  # Cryptographic verification of the authenticator data succeeded, but the signature counter was less then or equal
+  # Cryptographic verification of the authenticator data succeeded, but the signature counter was less than or equal
   # to the stored value. This can have several reasons and depending on your risk tolerance you can choose to fail or
   # pass authentication. For more information see https://www.w3.org/TR/webauthn/#sign-counter
 rescue WebAuthn::Error => e
@@ -171,4 +172,4 @@ end
 
 Adding a configuration for a new instance does not mean you need to get rid of your Global configuration. They can co-exist in your application and be both available for the different usages you might have. `WebAuthn.configuration.relying_party` will always return the global one while `WebAuthn::RelyingParty.new`, executed anywhere in your codebase, will allow you to create a different instance as you see the need. They will not collide and instead operate in isolation without any shared state.
 
-The gem API described in the current [Usage](../README.md#usage) section for the [Global Configuration](../README.md#configuration) approach will still valid but the [Instance Based API](#instance-based-api) also works with the global `relying_party` that is maintain globally at `WebAuthn.configuration.relying_party`.
+The gem API described in the current [Usage](../README.md#usage) section for the [Global Configuration](../README.md#configuration) approach will still be valid but the [Instance Based API](#instance-based-api) also works with the global `relying_party` that is maintained globally at `WebAuthn.configuration.relying_party`.

data/lib/webauthn/attestation_statement/base.rb

@@ -46,7 +46,7 @@ module WebAuthn
       end
 
       def attestation_certificate_key_id
-        attestation_certificate.subject_key_identifier&.unpack("H*")&.[](0)
+        attestation_certificate.subject_key_identifier&.unpack1("H*")
       end
 
       private
@@ -102,6 +102,15 @@ module WebAuthn
       end
 
       def valid_certificate_chain?(aaguid: nil, attestation_certificate_key_id: nil)
+        root_certificates = root_certificates(
+          aaguid: aaguid,
+          attestation_certificate_key_id: attestation_certificate_key_id
+        )
+
+        if certificates&.one? && root_certificates.include?(attestation_certificate)
+          return true
+        end
+
         attestation_root_certificates_store(
           aaguid: aaguid,
           attestation_certificate_key_id: attestation_certificate_key_id

data/lib/webauthn/authenticator_assertion_response.rb

@@ -37,8 +37,22 @@ module WebAuthn
       @user_handle = user_handle
     end
 
-    def verify(expected_challenge, expected_origin = nil, public_key:, sign_count:, user_verification: nil, rp_id: nil)
-      super(expected_challenge, expected_origin, user_verification: user_verification, rp_id: rp_id)
+    def verify(
+      expected_challenge,
+      expected_origin = nil,
+      public_key:,
+      sign_count:,
+      user_presence: nil,
+      user_verification: nil,
+      rp_id: nil
+    )
+      super(
+        expected_challenge,
+        expected_origin,
+        user_presence: user_presence,
+        user_verification: user_verification,
+        rp_id: rp_id
+      )
       verify_item(:signature, WebAuthn::PublicKey.deserialize(public_key))
       verify_item(:sign_count, sign_count)
 

data/lib/webauthn/authenticator_attestation_response.rb

@@ -12,7 +12,6 @@ require "webauthn/encoder"
 
 module WebAuthn
   class AttestationStatementVerificationError < VerificationError; end
-  class AttestationTrustworthinessVerificationError < VerificationError; end
   class AttestedCredentialVerificationError < VerificationError; end
 
   class AuthenticatorAttestationResponse < AuthenticatorResponse
@@ -23,21 +22,23 @@ module WebAuthn
 
       new(
         attestation_object: encoder.decode(response["attestationObject"]),
+        transports: response["transports"],
         client_data_json: encoder.decode(response["clientDataJSON"]),
         relying_party: relying_party
       )
     end
 
-    attr_reader :attestation_type, :attestation_trust_path
+    attr_reader :attestation_type, :attestation_trust_path, :transports
 
-    def initialize(attestation_object:, **options)
+    def initialize(attestation_object:, transports: [], **options)
       super(**options)
 
       @attestation_object_bytes = attestation_object
+      @transports = transports
       @relying_party = relying_party
     end
 
-    def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
+    def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
       super
 
       verify_item(:attested_credential)

data/lib/webauthn/authenticator_response.rb

@@ -24,8 +24,9 @@ module WebAuthn
       @relying_party = relying_party
     end
 
-    def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
-      expected_origin ||= relying_party.origin || raise("Unspecified expected origin")
+    def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
+      expected_origin ||= relying_party.allowed_origins || raise("Unspecified expected origin")
+
       rp_id ||= relying_party.id
 
       verify_item(:type)
@@ -33,9 +34,14 @@ module WebAuthn
       verify_item(:challenge, expected_challenge)
       verify_item(:origin, expected_origin)
       verify_item(:authenticator_data)
-      verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
 
-      if !relying_party.silent_authentication
+      verify_item(
+        :rp_id,
+        rp_id || rp_id_from_origin(expected_origin)
+      )
+
+      # Fallback to RP configuration unless user_presence is passed in explicitely
+      if user_presence.nil? && !relying_party.silent_authentication || user_presence
         verify_item(:user_presence)
       end
 
@@ -83,10 +89,14 @@ module WebAuthn
     end
 
     def valid_origin?(expected_origin)
-      expected_origin && (client_data.origin == expected_origin)
+      return false unless expected_origin
+
+      expected_origin.include?(client_data.origin)
     end
 
     def valid_rp_id?(rp_id)
+      return false unless rp_id
+
       OpenSSL::Digest::SHA256.digest(rp_id) == authenticator_data.rp_id_hash
     end
 
@@ -105,7 +115,7 @@ module WebAuthn
     end
 
     def rp_id_from_origin(expected_origin)
-      URI.parse(expected_origin).host
+      URI.parse(expected_origin.first).host if expected_origin.size == 1
     end
 
     def type

data/lib/webauthn/client_data.rb

@@ -49,12 +49,10 @@ module WebAuthn
 
     def data
       @data ||=
-        begin
-          if client_data_json
-            JSON.parse(client_data_json)
-          else
-            raise ClientDataMissingError, "Client Data JSON is missing"
-          end
+        if client_data_json
+          JSON.parse(client_data_json)
+        else
+          raise ClientDataMissingError, "Client Data JSON is missing"
         end
     end
   end

data/lib/webauthn/configuration.rb

@@ -22,6 +22,8 @@ module WebAuthn
                    :encoding=,
                    :origin,
                    :origin=,
+                   :allowed_origins,
+                   :allowed_origins=,
                    :verify_attestation_statement,
                    :verify_attestation_statement=,
                    :credential_options_timeout,