webauthn 3.3.0 → 3.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/build.yml +2 -2
- data/CHANGELOG.md +10 -1
- data/README.md +2 -1
- data/lib/webauthn/authenticator_response.rb +13 -4
- data/lib/webauthn/client_data.rb +4 -6
- data/lib/webauthn/configuration.rb +2 -0
- data/lib/webauthn/relying_party.rb +20 -5
- data/lib/webauthn/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 325d58807c73a2887233d3b68091bea56edcb9be7fb21f57067d1f974006d876
|
|
4
|
+
data.tar.gz: 24a7b26717f6ab10286f14410db64909a21a4e43cea30b1b168f32caa80412c6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f12ef1fad4fcf414b7081f9b89a4db5536d301b2c015449a3d2d631ea09a2a087cb6c02f3699f61528f9e9b61d3bf039c37bf0b0885991a7d7e26ac3dadd452a
|
|
7
|
+
data.tar.gz: f6464aaa94ddeec4ddefecb6b94b5fa310ada53d67bd1bf9b146c942dbd29e637790c6ae081d3d4cc81aed12be4a9073f056e2770ab2b846278d07923d67f6bf
|
data/.github/workflows/build.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -1,10 +1,14 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [v3.4.0] - 2025-02-17
|
|
4
|
+
|
|
5
|
+
- Added support for Webauthn.config and RelayingParty to accept multiple allowed_origins. [#431](https://github.com/cedarcode/webauthn-ruby/pull/431)[@obroshnij]
|
|
6
|
+
|
|
3
7
|
## [v3.3.0] - 2025-02-06
|
|
4
8
|
|
|
5
9
|
### Added
|
|
6
10
|
|
|
7
|
-
- Updated `tpm-key_attestation` dependency from `~>
|
|
11
|
+
- Updated `tpm-key_attestation` dependency from `~> 0.12.0` to `~> 0.14.0`. [#449](https://github.com/cedarcode/webauthn-ruby/pull/449) [@brauliomartinezlm], [@nicolastemciuc]
|
|
8
12
|
|
|
9
13
|
## [v3.2.2] - 2024-11-14
|
|
10
14
|
|
|
@@ -413,6 +417,11 @@ Note: Both additions should help making it compatible with Chrome for Android 70
|
|
|
413
417
|
- `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
|
|
414
418
|
- Works with ruby 2.5
|
|
415
419
|
|
|
420
|
+
[v3.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.3.0...v3.4.0/
|
|
421
|
+
[v3.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.2...v3.3.0/
|
|
422
|
+
[v3.2.2]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.1...v3.2.2/
|
|
423
|
+
[v3.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.0...v3.2.1/
|
|
424
|
+
[v3.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.1.0...v3.2.0/
|
|
416
425
|
[v3.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.0.0...v3.1.0/
|
|
417
426
|
[v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
|
|
418
427
|
[v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/
|
data/README.md
CHANGED
|
@@ -104,7 +104,8 @@ For a Rails application this would go in `config/initializers/webauthn.rb`.
|
|
|
104
104
|
WebAuthn.configure do |config|
|
|
105
105
|
# This value needs to match `window.location.origin` evaluated by
|
|
106
106
|
# the User Agent during registration and authentication ceremonies.
|
|
107
|
-
|
|
107
|
+
# Multiple origins can be used when needed. Using more than one will imply you MUST configure rp_id explicitely. If you need your credentials to be bound to a single origin but you have more than one tenant, please see [our Advanced Configuration section](https://github.com/cedarcode/webauthn-ruby/blob/master/docs/advanced_configuration.md) instead of adding multiple origins.
|
|
108
|
+
config.allowed_origins = ["https://auth.example.com"]
|
|
108
109
|
|
|
109
110
|
# Relying Party name for display purposes
|
|
110
111
|
config.rp_name = "Example Inc."
|
|
@@ -25,7 +25,8 @@ module WebAuthn
|
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
|
|
28
|
-
expected_origin ||= relying_party.
|
|
28
|
+
expected_origin ||= relying_party.allowed_origins || raise("Unspecified expected origin")
|
|
29
|
+
|
|
29
30
|
rp_id ||= relying_party.id
|
|
30
31
|
|
|
31
32
|
verify_item(:type)
|
|
@@ -33,7 +34,11 @@ module WebAuthn
|
|
|
33
34
|
verify_item(:challenge, expected_challenge)
|
|
34
35
|
verify_item(:origin, expected_origin)
|
|
35
36
|
verify_item(:authenticator_data)
|
|
36
|
-
|
|
37
|
+
|
|
38
|
+
verify_item(
|
|
39
|
+
:rp_id,
|
|
40
|
+
rp_id || rp_id_from_origin(expected_origin)
|
|
41
|
+
)
|
|
37
42
|
|
|
38
43
|
# Fallback to RP configuration unless user_presence is passed in explicitely
|
|
39
44
|
if user_presence.nil? && !relying_party.silent_authentication || user_presence
|
|
@@ -84,10 +89,14 @@ module WebAuthn
|
|
|
84
89
|
end
|
|
85
90
|
|
|
86
91
|
def valid_origin?(expected_origin)
|
|
87
|
-
|
|
92
|
+
return false unless expected_origin
|
|
93
|
+
|
|
94
|
+
expected_origin.include?(client_data.origin)
|
|
88
95
|
end
|
|
89
96
|
|
|
90
97
|
def valid_rp_id?(rp_id)
|
|
98
|
+
return false unless rp_id
|
|
99
|
+
|
|
91
100
|
OpenSSL::Digest::SHA256.digest(rp_id) == authenticator_data.rp_id_hash
|
|
92
101
|
end
|
|
93
102
|
|
|
@@ -106,7 +115,7 @@ module WebAuthn
|
|
|
106
115
|
end
|
|
107
116
|
|
|
108
117
|
def rp_id_from_origin(expected_origin)
|
|
109
|
-
URI.parse(expected_origin).host
|
|
118
|
+
URI.parse(expected_origin.first).host if expected_origin.size == 1
|
|
110
119
|
end
|
|
111
120
|
|
|
112
121
|
def type
|
data/lib/webauthn/client_data.rb
CHANGED
|
@@ -49,12 +49,10 @@ module WebAuthn
|
|
|
49
49
|
|
|
50
50
|
def data
|
|
51
51
|
@data ||=
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
raise ClientDataMissingError, "Client Data JSON is missing"
|
|
57
|
-
end
|
|
52
|
+
if client_data_json
|
|
53
|
+
JSON.parse(client_data_json)
|
|
54
|
+
else
|
|
55
|
+
raise ClientDataMissingError, "Client Data JSON is missing"
|
|
58
56
|
end
|
|
59
57
|
end
|
|
60
58
|
end
|
|
@@ -9,15 +9,16 @@ module WebAuthn
|
|
|
9
9
|
class RootCertificateFinderNotSupportedError < Error; end
|
|
10
10
|
|
|
11
11
|
class RelyingParty
|
|
12
|
+
DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
|
|
13
|
+
|
|
12
14
|
def self.if_pss_supported(algorithm)
|
|
13
15
|
OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
|
|
14
16
|
end
|
|
15
17
|
|
|
16
|
-
DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
|
|
17
|
-
|
|
18
18
|
def initialize(
|
|
19
19
|
algorithms: DEFAULT_ALGORITHMS.dup,
|
|
20
20
|
encoding: WebAuthn::Encoder::STANDARD_ENCODING,
|
|
21
|
+
allowed_origins: nil,
|
|
21
22
|
origin: nil,
|
|
22
23
|
id: nil,
|
|
23
24
|
name: nil,
|
|
@@ -30,7 +31,7 @@ module WebAuthn
|
|
|
30
31
|
)
|
|
31
32
|
@algorithms = algorithms
|
|
32
33
|
@encoding = encoding
|
|
33
|
-
@
|
|
34
|
+
@allowed_origins = allowed_origins
|
|
34
35
|
@id = id
|
|
35
36
|
@name = name
|
|
36
37
|
@verify_attestation_statement = verify_attestation_statement
|
|
@@ -38,12 +39,13 @@ module WebAuthn
|
|
|
38
39
|
@silent_authentication = silent_authentication
|
|
39
40
|
@acceptable_attestation_types = acceptable_attestation_types
|
|
40
41
|
@legacy_u2f_appid = legacy_u2f_appid
|
|
42
|
+
self.origin = origin
|
|
41
43
|
self.attestation_root_certificates_finders = attestation_root_certificates_finders
|
|
42
44
|
end
|
|
43
45
|
|
|
44
46
|
attr_accessor :algorithms,
|
|
45
47
|
:encoding,
|
|
46
|
-
:
|
|
48
|
+
:allowed_origins,
|
|
47
49
|
:id,
|
|
48
50
|
:name,
|
|
49
51
|
:verify_attestation_statement,
|
|
@@ -52,7 +54,7 @@ module WebAuthn
|
|
|
52
54
|
:acceptable_attestation_types,
|
|
53
55
|
:legacy_u2f_appid
|
|
54
56
|
|
|
55
|
-
attr_reader :attestation_root_certificates_finders
|
|
57
|
+
attr_reader :attestation_root_certificates_finders, :origin
|
|
56
58
|
|
|
57
59
|
# This is the user-data encoder.
|
|
58
60
|
# Used to decode user input and to encode data provided to the user.
|
|
@@ -118,5 +120,18 @@ module WebAuthn
|
|
|
118
120
|
block_given? ? [webauthn_credential, stored_credential] : webauthn_credential
|
|
119
121
|
end
|
|
120
122
|
end
|
|
123
|
+
|
|
124
|
+
# DEPRECATED: This method will be removed in future.
|
|
125
|
+
def origin=(new_origin)
|
|
126
|
+
return if new_origin.nil?
|
|
127
|
+
|
|
128
|
+
warn(
|
|
129
|
+
"DEPRECATION WARNING: `WebAuthn.origin` is deprecated and will be removed in future. "\
|
|
130
|
+
"Please use `WebAuthn.allowed_origins` instead "\
|
|
131
|
+
"that also allows configuring multiple origins per Relying Party"
|
|
132
|
+
)
|
|
133
|
+
|
|
134
|
+
@allowed_origins ||= Array(new_origin) # rubocop:disable Naming/MemoizedInstanceVariableName
|
|
135
|
+
end
|
|
121
136
|
end
|
|
122
137
|
end
|
data/lib/webauthn/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: webauthn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Gonzalo Rodriguez
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: exe
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2025-02-
|
|
12
|
+
date: 2025-02-17 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: android_key_attestation
|