webauthn 3.2.2 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 410e18172c68e2171f46e15d7b34cd56ef7859c4efd421b6a84a3469f0281c41
-  data.tar.gz: 16841587928fb284c5ad542868a0d6a21f6152a82bdd76abc0ae537887275bc3
+  metadata.gz: 325d58807c73a2887233d3b68091bea56edcb9be7fb21f57067d1f974006d876
+  data.tar.gz: 24a7b26717f6ab10286f14410db64909a21a4e43cea30b1b168f32caa80412c6
 SHA512:
-  metadata.gz: b7337230a3b9118e55bfd1ac84858d163bc173d70107e5f425077579801c5d1b68cf6ec0be65d0317c63d69d1594d7a50662a42e3ed4ac34e45cae97954a8477
-  data.tar.gz: 53dcf09f8065ee447633de769c5d4587e39150f117fa3f6226a78fbbac7b48be9195bcd40ff14a683f06343a2f10f46c3df057dedaf96fcabfedb41865b64362
+  metadata.gz: f12ef1fad4fcf414b7081f9b89a4db5536d301b2c015449a3d2d631ea09a2a087cb6c02f3699f61528f9e9b61d3bf039c37bf0b0885991a7d7e26ac3dadd452a
+  data.tar.gz: f6464aaa94ddeec4ddefecb6b94b5fa310ada53d67bd1bf9b146c942dbd29e637790c6ae081d3d4cc81aed12be4a9073f056e2770ab2b846278d07923d67f6bf

data/.github/workflows/build.yml

@@ -15,12 +15,12 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
         ruby:
-          - '3.4.0-preview2'
+          - '3.4'
           - '3.3'
           - '3.2'
           - '3.1'

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [v3.4.0] - 2025-02-17
+
+- Added support for Webauthn.config and RelayingParty to accept multiple allowed_origins. [#431](https://github.com/cedarcode/webauthn-ruby/pull/431)[@obroshnij]
+
+## [v3.3.0] - 2025-02-06
+
+### Added
+
+- Updated `tpm-key_attestation` dependency from `~> 0.12.0` to `~> 0.14.0`. [#449](https://github.com/cedarcode/webauthn-ruby/pull/449) [@brauliomartinezlm], [@nicolastemciuc]
+
 ## [v3.2.2] - 2024-11-14
 
 ### Fixed
@@ -407,6 +417,11 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v3.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.3.0...v3.4.0/
+[v3.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.2...v3.3.0/
+[v3.2.2]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.1...v3.2.2/
+[v3.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.0...v3.2.1/
+[v3.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.1.0...v3.2.0/
 [v3.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.0.0...v3.1.0/
 [v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
 [v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/

data/README.md

@@ -104,7 +104,8 @@ For a Rails application this would go in `config/initializers/webauthn.rb`.
 WebAuthn.configure do |config|
   # This value needs to match `window.location.origin` evaluated by
   # the User Agent during registration and authentication ceremonies.
-  config.origin = "https://auth.example.com"
+  # Multiple origins can be used when needed. Using more than one will imply you MUST configure rp_id explicitely. If you need your credentials to be bound to a single origin but you have more than one tenant, please see [our Advanced Configuration section](https://github.com/cedarcode/webauthn-ruby/blob/master/docs/advanced_configuration.md) instead of adding multiple origins.
+  config.allowed_origins = ["https://auth.example.com"]
 
   # Relying Party name for display purposes
   config.rp_name = "Example Inc."

data/lib/webauthn/authenticator_response.rb

@@ -25,7 +25,8 @@ module WebAuthn
     end
 
     def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
-      expected_origin ||= relying_party.origin || raise("Unspecified expected origin")
+      expected_origin ||= relying_party.allowed_origins || raise("Unspecified expected origin")
+
       rp_id ||= relying_party.id
 
       verify_item(:type)
@@ -33,7 +34,11 @@ module WebAuthn
       verify_item(:challenge, expected_challenge)
       verify_item(:origin, expected_origin)
       verify_item(:authenticator_data)
-      verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
+
+      verify_item(
+        :rp_id,
+        rp_id || rp_id_from_origin(expected_origin)
+      )
 
       # Fallback to RP configuration unless user_presence is passed in explicitely
       if user_presence.nil? && !relying_party.silent_authentication || user_presence
@@ -84,10 +89,14 @@ module WebAuthn
     end
 
     def valid_origin?(expected_origin)
-      expected_origin && (client_data.origin == expected_origin)
+      return false unless expected_origin
+
+      expected_origin.include?(client_data.origin)
     end
 
     def valid_rp_id?(rp_id)
+      return false unless rp_id
+
       OpenSSL::Digest::SHA256.digest(rp_id) == authenticator_data.rp_id_hash
     end
 
@@ -106,7 +115,7 @@ module WebAuthn
     end
 
     def rp_id_from_origin(expected_origin)
-      URI.parse(expected_origin).host
+      URI.parse(expected_origin.first).host if expected_origin.size == 1
     end
 
     def type

data/lib/webauthn/client_data.rb

@@ -49,12 +49,10 @@ module WebAuthn
 
     def data
       @data ||=
-        begin
-          if client_data_json
-            JSON.parse(client_data_json)
-          else
-            raise ClientDataMissingError, "Client Data JSON is missing"
-          end
+        if client_data_json
+          JSON.parse(client_data_json)
+        else
+          raise ClientDataMissingError, "Client Data JSON is missing"
         end
     end
   end

data/lib/webauthn/configuration.rb

@@ -22,6 +22,8 @@ module WebAuthn
                    :encoding=,
                    :origin,
                    :origin=,
+                   :allowed_origins,
+                   :allowed_origins=,
                    :verify_attestation_statement,
                    :verify_attestation_statement=,
                    :credential_options_timeout,

data/lib/webauthn/relying_party.rb

@@ -9,15 +9,16 @@ module WebAuthn
   class RootCertificateFinderNotSupportedError < Error; end
 
   class RelyingParty
+    DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
+
     def self.if_pss_supported(algorithm)
       OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
     end
 
-    DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
-
     def initialize(
       algorithms: DEFAULT_ALGORITHMS.dup,
       encoding: WebAuthn::Encoder::STANDARD_ENCODING,
+      allowed_origins: nil,
       origin: nil,
       id: nil,
       name: nil,
@@ -30,7 +31,7 @@ module WebAuthn
     )
       @algorithms = algorithms
       @encoding = encoding
-      @origin = origin
+      @allowed_origins = allowed_origins
       @id = id
       @name = name
       @verify_attestation_statement = verify_attestation_statement
@@ -38,12 +39,13 @@ module WebAuthn
       @silent_authentication = silent_authentication
       @acceptable_attestation_types = acceptable_attestation_types
       @legacy_u2f_appid = legacy_u2f_appid
+      self.origin = origin
       self.attestation_root_certificates_finders = attestation_root_certificates_finders
     end
 
     attr_accessor :algorithms,
                   :encoding,
-                  :origin,
+                  :allowed_origins,
                   :id,
                   :name,
                   :verify_attestation_statement,
@@ -52,7 +54,7 @@ module WebAuthn
                   :acceptable_attestation_types,
                   :legacy_u2f_appid
 
-    attr_reader :attestation_root_certificates_finders
+    attr_reader :attestation_root_certificates_finders, :origin
 
     # This is the user-data encoder.
     # Used to decode user input and to encode data provided to the user.
@@ -118,5 +120,18 @@ module WebAuthn
         block_given? ? [webauthn_credential, stored_credential] : webauthn_credential
       end
     end
+
+    # DEPRECATED: This method will be removed in future.
+    def origin=(new_origin)
+      return if new_origin.nil?
+
+      warn(
+        "DEPRECATION WARNING: `WebAuthn.origin` is deprecated and will be removed in future. "\
+        "Please use `WebAuthn.allowed_origins` instead "\
+        "that also allows configuring multiple origins per Relying Party"
+      )
+
+      @allowed_origins ||= Array(new_origin) # rubocop:disable Naming/MemoizedInstanceVariableName
+    end
   end
 end

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "3.2.2"
+  VERSION = "3.4.0"
 end

data/webauthn.gemspec

@@ -39,7 +39,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "cose", "~> 1.1"
   spec.add_dependency "openssl", ">= 2.2"
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
-  spec.add_dependency "tpm-key_attestation", "~> 0.12.0"
+  spec.add_dependency "tpm-key_attestation", "~> 0.14.0"
 
   spec.add_development_dependency "base64", ">= 0.1.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 3.2.2
+  version: 3.4.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-11-14 00:00:00.000000000 Z
+date: 2025-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -101,14 +101,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.0
+        version: 0.14.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.0
+        version: 0.14.0
 - !ruby/object:Gem::Dependency
   name: base64
   requirement: !ruby/object:Gem::Requirement