webauthn 3.3.0 → 3.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 758cb181dfb381a05748cee3143da113a66e40433b329ff5711e0ef973c799ec
-  data.tar.gz: 06df9d255ea57db6b9874c1406ab5f5606108a18abe4c992b799b7b5db8191be
+  metadata.gz: 93072800aa309dfef7946c9dd7f1601b41c8b6b11de8142aa388fb1f19b62869
+  data.tar.gz: 76bdba0f89cbcd48f30692af6ba50eb558dab98f07e4e8c7913d6a60a70ef582
 SHA512:
-  metadata.gz: d502b7a87d0472fab4c7e254438b5d6029702f3bf88ecd71244dae92c6789fd70d618b0422278498a5d4012aee3f9728cc378821c4d280f41140c9d695851530
-  data.tar.gz: 5f9851c90114474b0aa19129af023ea781255aa7baf8fc9ceb3873d6cd9a0fc12fbec3f10b57aa1c2c7486a34a48762fae4bfd06ab8f85fea95dfa40d936298d
+  metadata.gz: 7801c6840c5f4287724887ee2646ee1aa7966ffe8da3cf8f7a2b014564448f33a68b8d12011a87f8445bf661b6c55cca0a5d7309fe44411ad4b249ff5ceff01e
+  data.tar.gz: d25993a7b2868a3f3445af99b388ac68ef67a406a73f997b99f690304506d75f46a06b22c99aeeeb105271b849e86f855c11f610fd2908ea9b2f44a3f245060a

data/.github/workflows/build.yml

@@ -15,12 +15,12 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
         ruby:
-          - '3.4.0-preview2'
+          - '3.4'
           - '3.3'
           - '3.2'
           - '3.1'

data/CHANGELOG.md

@@ -1,10 +1,18 @@
 # Changelog
 
+## [v3.4.1] - 2025-06-06
+
+- Avoid requiring `base64` as it's not a direct dependency. [#459](https://github.com/cedarcode/webauthn-ruby/pull/459)[@santiagorodriguez96]
+
+## [v3.4.0] - 2025-02-17
+
+- Added support for Webauthn.config and RelayingParty to accept multiple allowed_origins. [#431](https://github.com/cedarcode/webauthn-ruby/pull/431)[@obroshnij]
+
 ## [v3.3.0] - 2025-02-06
 
 ### Added
 
-- Updated `tpm-key_attestation` dependency from `~> 1.12.0` to `~> 1.14.0`. [#449](https://github.com/cedarcode/webauthn-ruby/pull/449) [@brauliomartinezlm], [@nicolastemciuc]
+- Updated `tpm-key_attestation` dependency from `~> 0.12.0` to `~> 0.14.0`. [#449](https://github.com/cedarcode/webauthn-ruby/pull/449) [@brauliomartinezlm], [@nicolastemciuc]
 
 ## [v3.2.2] - 2024-11-14
 
@@ -413,6 +421,12 @@ Note: Both additions should help making it compatible with Chrome for Android 70
   - `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
 - Works with ruby 2.5
 
+[v3.4.1]: https://github.com/cedarcode/webauthn-ruby/compare/v3.4.0...v3.4.1/
+[v3.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.3.0...v3.4.0/
+[v3.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.2...v3.3.0/
+[v3.2.2]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.1...v3.2.2/
+[v3.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.0...v3.2.1/
+[v3.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.1.0...v3.2.0/
 [v3.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.0.0...v3.1.0/
 [v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
 [v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/

data/README.md

@@ -104,7 +104,8 @@ For a Rails application this would go in `config/initializers/webauthn.rb`.
 WebAuthn.configure do |config|
   # This value needs to match `window.location.origin` evaluated by
   # the User Agent during registration and authentication ceremonies.
-  config.origin = "https://auth.example.com"
+  # Multiple origins can be used when needed. Using more than one will imply you MUST configure rp_id explicitely. If you need your credentials to be bound to a single origin but you have more than one tenant, please see [our Advanced Configuration section](https://github.com/cedarcode/webauthn-ruby/blob/master/docs/advanced_configuration.md) instead of adding multiple origins.
+  config.allowed_origins = ["https://auth.example.com"]
 
   # Relying Party name for display purposes
   config.rp_name = "Example Inc."

data/lib/webauthn/attestation_statement/base.rb

@@ -46,7 +46,7 @@ module WebAuthn
       end
 
       def attestation_certificate_key_id
-        attestation_certificate.subject_key_identifier&.unpack("H*")&.[](0)
+        attestation_certificate.subject_key_identifier&.unpack1("H*")
       end
 
       private

data/lib/webauthn/authenticator_response.rb

@@ -25,7 +25,8 @@ module WebAuthn
     end
 
     def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
-      expected_origin ||= relying_party.origin || raise("Unspecified expected origin")
+      expected_origin ||= relying_party.allowed_origins || raise("Unspecified expected origin")
+
       rp_id ||= relying_party.id
 
       verify_item(:type)
@@ -33,7 +34,11 @@ module WebAuthn
       verify_item(:challenge, expected_challenge)
       verify_item(:origin, expected_origin)
       verify_item(:authenticator_data)
-      verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
+
+      verify_item(
+        :rp_id,
+        rp_id || rp_id_from_origin(expected_origin)
+      )
 
       # Fallback to RP configuration unless user_presence is passed in explicitely
       if user_presence.nil? && !relying_party.silent_authentication || user_presence
@@ -84,10 +89,14 @@ module WebAuthn
     end
 
     def valid_origin?(expected_origin)
-      expected_origin && (client_data.origin == expected_origin)
+      return false unless expected_origin
+
+      expected_origin.include?(client_data.origin)
     end
 
     def valid_rp_id?(rp_id)
+      return false unless rp_id
+
       OpenSSL::Digest::SHA256.digest(rp_id) == authenticator_data.rp_id_hash
     end
 
@@ -106,7 +115,7 @@ module WebAuthn
     end
 
     def rp_id_from_origin(expected_origin)
-      URI.parse(expected_origin).host
+      URI.parse(expected_origin.first).host if expected_origin.size == 1
     end
 
     def type

data/lib/webauthn/client_data.rb

@@ -49,12 +49,10 @@ module WebAuthn
 
     def data
       @data ||=
-        begin
-          if client_data_json
-            JSON.parse(client_data_json)
-          else
-            raise ClientDataMissingError, "Client Data JSON is missing"
-          end
+        if client_data_json
+          JSON.parse(client_data_json)
+        else
+          raise ClientDataMissingError, "Client Data JSON is missing"
         end
     end
   end

data/lib/webauthn/configuration.rb

@@ -22,6 +22,8 @@ module WebAuthn
                    :encoding=,
                    :origin,
                    :origin=,
+                   :allowed_origins,
+                   :allowed_origins=,
                    :verify_attestation_statement,
                    :verify_attestation_statement=,
                    :credential_options_timeout,

data/lib/webauthn/encoder.rb

@@ -1,55 +1,18 @@
 # frozen_string_literal: true
 
-require "base64"
+require "webauthn/encoders"
 
 module WebAuthn
-  def self.standard_encoder
-    @standard_encoder ||= Encoder.new
-  end
-
   class Encoder
+    extend Forwardable
+
     # https://www.w3.org/TR/webauthn-2/#base64url-encoding
     STANDARD_ENCODING = :base64url
 
-    attr_reader :encoding
+    def_delegators :@encoder_klass, :encode, :decode
 
     def initialize(encoding = STANDARD_ENCODING)
-      @encoding = encoding
-    end
-
-    def encode(data)
-      case encoding
-      when :base64
-        [data].pack("m0") # Base64.strict_encode64(data)
-      when :base64url
-        data = [data].pack("m0") # Base64.urlsafe_encode64(data, padding: false)
-        data.chomp!("==") or data.chomp!("=")
-        data.tr!("+/", "-_")
-        data
-      when nil, false
-        data
-      else
-        raise "Unsupported or unknown encoding: #{encoding}"
-      end
-    end
-
-    def decode(data)
-      case encoding
-      when :base64
-        data.unpack1("m0") # Base64.strict_decode64(data)
-      when :base64url
-        if !data.end_with?("=") && data.length % 4 != 0 #  Base64.urlsafe_decode64(data)
-          data = data.ljust((data.length + 3) & ~3, "=")
-          data.tr!("-_", "+/")
-        else
-          data = data.tr("-_", "+/")
-        end
-        data.unpack1("m0")
-      when nil, false
-        data
-      else
-        raise "Unsupported or unknown encoding: #{encoding}"
-      end
+      @encoder_klass = Encoders.lookup(encoding)
     end
   end
 end

data/lib/webauthn/encoders.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module WebAuthn
+  def self.standard_encoder
+    @standard_encoder ||= Encoders.lookup(Encoder::STANDARD_ENCODING)
+  end
+
+  module Encoders
+    class << self
+      def lookup(encoding)
+        case encoding
+        when :base64
+          Base64Encoder
+        when :base64url
+          Base64UrlEncoder
+        when nil, false
+          NullEncoder
+        else
+          raise "Unsupported or unknown encoding: #{encoding}"
+        end
+      end
+    end
+
+    class Base64Encoder
+      def self.encode(data)
+        [data].pack("m0") # Base64.strict_encode64(data)
+      end
+
+      def self.decode(data)
+        data.unpack1("m0") # Base64.strict_decode64(data)
+      end
+    end
+
+    class Base64UrlEncoder
+      def self.encode(data)
+        data = [data].pack("m0") # Base64.urlsafe_encode64(data, padding: false)
+        data.chomp!("==") or data.chomp!("=")
+        data.tr!("+/", "-_")
+        data
+      end
+
+      def self.decode(data)
+        if !data.end_with?("=") && data.length % 4 != 0 #  Base64.urlsafe_decode64(data)
+          data = data.ljust((data.length + 3) & ~3, "=")
+        end
+
+        data = data.tr("-_", "+/")
+        data.unpack1("m0")
+      end
+    end
+
+    class NullEncoder
+      def self.encode(data)
+        data
+      end
+
+      def self.decode(data)
+        data
+      end
+    end
+  end
+end

data/lib/webauthn/relying_party.rb

@@ -9,15 +9,16 @@ module WebAuthn
   class RootCertificateFinderNotSupportedError < Error; end
 
   class RelyingParty
+    DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
+
     def self.if_pss_supported(algorithm)
       OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
     end
 
-    DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
-
     def initialize(
       algorithms: DEFAULT_ALGORITHMS.dup,
       encoding: WebAuthn::Encoder::STANDARD_ENCODING,
+      allowed_origins: nil,
       origin: nil,
       id: nil,
       name: nil,
@@ -30,7 +31,7 @@ module WebAuthn
     )
       @algorithms = algorithms
       @encoding = encoding
-      @origin = origin
+      @allowed_origins = allowed_origins
       @id = id
       @name = name
       @verify_attestation_statement = verify_attestation_statement
@@ -38,12 +39,13 @@ module WebAuthn
       @silent_authentication = silent_authentication
       @acceptable_attestation_types = acceptable_attestation_types
       @legacy_u2f_appid = legacy_u2f_appid
+      self.origin = origin
       self.attestation_root_certificates_finders = attestation_root_certificates_finders
     end
 
     attr_accessor :algorithms,
                   :encoding,
-                  :origin,
+                  :allowed_origins,
                   :id,
                   :name,
                   :verify_attestation_statement,
@@ -52,7 +54,7 @@ module WebAuthn
                   :acceptable_attestation_types,
                   :legacy_u2f_appid
 
-    attr_reader :attestation_root_certificates_finders
+    attr_reader :attestation_root_certificates_finders, :origin
 
     # This is the user-data encoder.
     # Used to decode user input and to encode data provided to the user.
@@ -118,5 +120,18 @@ module WebAuthn
         block_given? ? [webauthn_credential, stored_credential] : webauthn_credential
       end
     end
+
+    # DEPRECATED: This method will be removed in future.
+    def origin=(new_origin)
+      return if new_origin.nil?
+
+      warn(
+        "DEPRECATION WARNING: `WebAuthn.origin` is deprecated and will be removed in future. "\
+        "Please use `WebAuthn.allowed_origins` instead "\
+        "that also allows configuring multiple origins per Relying Party"
+      )
+
+      @allowed_origins ||= Array(new_origin) # rubocop:disable Naming/MemoizedInstanceVariableName
+    end
   end
 end

data/lib/webauthn/u2f_migrator.rb

@@ -43,7 +43,9 @@ module WebAuthn
     end
 
     def attestation_trust_path
-      @attestation_trust_path ||= [OpenSSL::X509::Certificate.new(Base64.strict_decode64(@certificate))]
+      @attestation_trust_path ||= [
+        OpenSSL::X509::Certificate.new(WebAuthn::Encoders::Base64Encoder.decode(@certificate))
+      ]
     end
 
     private
@@ -51,14 +53,14 @@ module WebAuthn
     # https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#u2f-authenticatorMakeCredential-interoperability
     # Let credentialId be a credentialIdLength byte array initialized with CTAP1/U2F response key handle bytes.
     def credential_id
-      Base64.urlsafe_decode64(@key_handle)
+      WebAuthn::Encoders::Base64UrlEncoder.decode(@key_handle)
     end
 
     # Let x9encodedUserPublicKey be the user public key returned in the U2F registration response message [U2FRawMsgs].
     # Let coseEncodedCredentialPublicKey be the result of converting x9encodedUserPublicKey’s value from ANS X9.62 /
     # Sec-1 v2 uncompressed curve point representation [SEC1V2] to COSE_Key representation ([RFC8152] Section 7).
     def credential_cose_key
-      decoded_public_key = Base64.strict_decode64(@public_key)
+      decoded_public_key = WebAuthn::Encoders::Base64Encoder.decode(@public_key)
       if WebAuthn::AttestationStatement::FidoU2f::PublicKey.uncompressed_point?(decoded_public_key)
         COSE::Key::EC2.new(
           alg: COSE::Algorithm.by_name("ES256").id,

data/lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "3.3.0"
+  VERSION = "3.4.1"
 end

data/webauthn.gemspec

@@ -41,12 +41,11 @@ Gem::Specification.new do |spec|
   spec.add_dependency "safety_net_attestation", "~> 0.4.0"
   spec.add_dependency "tpm-key_attestation", "~> 0.14.0"
 
-  spec.add_development_dependency "base64", ">= 0.1.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3.0"
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "~> 1.9.1"
-  spec.add_development_dependency "rubocop-rake", "~> 0.5.1"
-  spec.add_development_dependency "rubocop-rspec", "~> 2.2.0"
+  spec.add_development_dependency "rubocop", "~> 1"
+  spec.add_development_dependency "rubocop-rake", "~> 0.5"
+  spec.add_development_dependency "rubocop-rspec", ">= 2.2", "< 4.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: webauthn
 version: !ruby/object:Gem::Version
-  version: 3.3.0
+  version: 3.4.1
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-02-06 00:00:00.000000000 Z
+date: 2025-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: android_key_attestation
@@ -109,20 +109,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.14.0
-- !ruby/object:Gem::Dependency
-  name: base64
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.1.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -191,42 +177,48 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: '1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: rubocop-rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.1
+        version: '0.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.1
+        version: '0.5'
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '4.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '4.0'
 description: |-
   WebAuthn ruby server library ― Make your application a W3C Web Authentication conformant
       Relying Party and allow your users to authenticate with U2F and FIDO2 authenticators.
@@ -282,6 +274,7 @@ files:
 - lib/webauthn/credential_rp_entity.rb
 - lib/webauthn/credential_user_entity.rb
 - lib/webauthn/encoder.rb
+- lib/webauthn/encoders.rb
 - lib/webauthn/error.rb
 - lib/webauthn/fake_authenticator.rb
 - lib/webauthn/fake_authenticator/attestation_object.rb