webauthn 3.3.0 → 3.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/build.yml +2 -2
- data/CHANGELOG.md +10 -1
- data/README.md +2 -1
- data/lib/webauthn/authenticator_response.rb +13 -4
- data/lib/webauthn/client_data.rb +4 -6
- data/lib/webauthn/configuration.rb +2 -0
- data/lib/webauthn/relying_party.rb +20 -5
- data/lib/webauthn/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 325d58807c73a2887233d3b68091bea56edcb9be7fb21f57067d1f974006d876
|
|
4
|
+
data.tar.gz: 24a7b26717f6ab10286f14410db64909a21a4e43cea30b1b168f32caa80412c6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f12ef1fad4fcf414b7081f9b89a4db5536d301b2c015449a3d2d631ea09a2a087cb6c02f3699f61528f9e9b61d3bf039c37bf0b0885991a7d7e26ac3dadd452a
|
|
7
|
+
data.tar.gz: f6464aaa94ddeec4ddefecb6b94b5fa310ada53d67bd1bf9b146c942dbd29e637790c6ae081d3d4cc81aed12be4a9073f056e2770ab2b846278d07923d67f6bf
|
data/.github/workflows/build.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -1,10 +1,14 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [v3.4.0] - 2025-02-17
|
|
4
|
+
|
|
5
|
+
- Added support for Webauthn.config and RelayingParty to accept multiple allowed_origins. [#431](https://github.com/cedarcode/webauthn-ruby/pull/431)[@obroshnij]
|
|
6
|
+
|
|
3
7
|
## [v3.3.0] - 2025-02-06
|
|
4
8
|
|
|
5
9
|
### Added
|
|
6
10
|
|
|
7
|
-
- Updated `tpm-key_attestation` dependency from `~>
|
|
11
|
+
- Updated `tpm-key_attestation` dependency from `~> 0.12.0` to `~> 0.14.0`. [#449](https://github.com/cedarcode/webauthn-ruby/pull/449) [@brauliomartinezlm], [@nicolastemciuc]
|
|
8
12
|
|
|
9
13
|
## [v3.2.2] - 2024-11-14
|
|
10
14
|
|
|
@@ -413,6 +417,11 @@ Note: Both additions should help making it compatible with Chrome for Android 70
|
|
|
413
417
|
- `WebAuthn::AuthenticatorAttestationResponse.valid?` can be used to validate fido-u2f attestations returned by the browser
|
|
414
418
|
- Works with ruby 2.5
|
|
415
419
|
|
|
420
|
+
[v3.4.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.3.0...v3.4.0/
|
|
421
|
+
[v3.3.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.2...v3.3.0/
|
|
422
|
+
[v3.2.2]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.1...v3.2.2/
|
|
423
|
+
[v3.2.1]: https://github.com/cedarcode/webauthn-ruby/compare/v3.2.0...v3.2.1/
|
|
424
|
+
[v3.2.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.1.0...v3.2.0/
|
|
416
425
|
[v3.1.0]: https://github.com/cedarcode/webauthn-ruby/compare/v3.0.0...v3.1.0/
|
|
417
426
|
[v3.0.0]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0/
|
|
418
427
|
[v3.0.0.alpha2]: https://github.com/cedarcode/webauthn-ruby/compare/2-stable...v3.0.0.alpha2/
|
data/README.md
CHANGED
|
@@ -104,7 +104,8 @@ For a Rails application this would go in `config/initializers/webauthn.rb`.
|
|
|
104
104
|
WebAuthn.configure do |config|
|
|
105
105
|
# This value needs to match `window.location.origin` evaluated by
|
|
106
106
|
# the User Agent during registration and authentication ceremonies.
|
|
107
|
-
|
|
107
|
+
# Multiple origins can be used when needed. Using more than one will imply you MUST configure rp_id explicitely. If you need your credentials to be bound to a single origin but you have more than one tenant, please see [our Advanced Configuration section](https://github.com/cedarcode/webauthn-ruby/blob/master/docs/advanced_configuration.md) instead of adding multiple origins.
|
|
108
|
+
config.allowed_origins = ["https://auth.example.com"]
|
|
108
109
|
|
|
109
110
|
# Relying Party name for display purposes
|
|
110
111
|
config.rp_name = "Example Inc."
|
|
@@ -25,7 +25,8 @@ module WebAuthn
|
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
def verify(expected_challenge, expected_origin = nil, user_presence: nil, user_verification: nil, rp_id: nil)
|
|
28
|
-
expected_origin ||= relying_party.
|
|
28
|
+
expected_origin ||= relying_party.allowed_origins || raise("Unspecified expected origin")
|
|
29
|
+
|
|
29
30
|
rp_id ||= relying_party.id
|
|
30
31
|
|
|
31
32
|
verify_item(:type)
|
|
@@ -33,7 +34,11 @@ module WebAuthn
|
|
|
33
34
|
verify_item(:challenge, expected_challenge)
|
|
34
35
|
verify_item(:origin, expected_origin)
|
|
35
36
|
verify_item(:authenticator_data)
|
|
36
|
-
|
|
37
|
+
|
|
38
|
+
verify_item(
|
|
39
|
+
:rp_id,
|
|
40
|
+
rp_id || rp_id_from_origin(expected_origin)
|
|
41
|
+
)
|
|
37
42
|
|
|
38
43
|
# Fallback to RP configuration unless user_presence is passed in explicitely
|
|
39
44
|
if user_presence.nil? && !relying_party.silent_authentication || user_presence
|
|
@@ -84,10 +89,14 @@ module WebAuthn
|
|
|
84
89
|
end
|
|
85
90
|
|
|
86
91
|
def valid_origin?(expected_origin)
|
|
87
|
-
|
|
92
|
+
return false unless expected_origin
|
|
93
|
+
|
|
94
|
+
expected_origin.include?(client_data.origin)
|
|
88
95
|
end
|
|
89
96
|
|
|
90
97
|
def valid_rp_id?(rp_id)
|
|
98
|
+
return false unless rp_id
|
|
99
|
+
|
|
91
100
|
OpenSSL::Digest::SHA256.digest(rp_id) == authenticator_data.rp_id_hash
|
|
92
101
|
end
|
|
93
102
|
|
|
@@ -106,7 +115,7 @@ module WebAuthn
|
|
|
106
115
|
end
|
|
107
116
|
|
|
108
117
|
def rp_id_from_origin(expected_origin)
|
|
109
|
-
URI.parse(expected_origin).host
|
|
118
|
+
URI.parse(expected_origin.first).host if expected_origin.size == 1
|
|
110
119
|
end
|
|
111
120
|
|
|
112
121
|
def type
|
data/lib/webauthn/client_data.rb
CHANGED
|
@@ -49,12 +49,10 @@ module WebAuthn
|
|
|
49
49
|
|
|
50
50
|
def data
|
|
51
51
|
@data ||=
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
raise ClientDataMissingError, "Client Data JSON is missing"
|
|
57
|
-
end
|
|
52
|
+
if client_data_json
|
|
53
|
+
JSON.parse(client_data_json)
|
|
54
|
+
else
|
|
55
|
+
raise ClientDataMissingError, "Client Data JSON is missing"
|
|
58
56
|
end
|
|
59
57
|
end
|
|
60
58
|
end
|
|
@@ -9,15 +9,16 @@ module WebAuthn
|
|
|
9
9
|
class RootCertificateFinderNotSupportedError < Error; end
|
|
10
10
|
|
|
11
11
|
class RelyingParty
|
|
12
|
+
DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
|
|
13
|
+
|
|
12
14
|
def self.if_pss_supported(algorithm)
|
|
13
15
|
OpenSSL::PKey::RSA.instance_methods.include?(:verify_pss) ? algorithm : nil
|
|
14
16
|
end
|
|
15
17
|
|
|
16
|
-
DEFAULT_ALGORITHMS = ["ES256", "PS256", "RS256"].compact.freeze
|
|
17
|
-
|
|
18
18
|
def initialize(
|
|
19
19
|
algorithms: DEFAULT_ALGORITHMS.dup,
|
|
20
20
|
encoding: WebAuthn::Encoder::STANDARD_ENCODING,
|
|
21
|
+
allowed_origins: nil,
|
|
21
22
|
origin: nil,
|
|
22
23
|
id: nil,
|
|
23
24
|
name: nil,
|
|
@@ -30,7 +31,7 @@ module WebAuthn
|
|
|
30
31
|
)
|
|
31
32
|
@algorithms = algorithms
|
|
32
33
|
@encoding = encoding
|
|
33
|
-
@
|
|
34
|
+
@allowed_origins = allowed_origins
|
|
34
35
|
@id = id
|
|
35
36
|
@name = name
|
|
36
37
|
@verify_attestation_statement = verify_attestation_statement
|
|
@@ -38,12 +39,13 @@ module WebAuthn
|
|
|
38
39
|
@silent_authentication = silent_authentication
|
|
39
40
|
@acceptable_attestation_types = acceptable_attestation_types
|
|
40
41
|
@legacy_u2f_appid = legacy_u2f_appid
|
|
42
|
+
self.origin = origin
|
|
41
43
|
self.attestation_root_certificates_finders = attestation_root_certificates_finders
|
|
42
44
|
end
|
|
43
45
|
|
|
44
46
|
attr_accessor :algorithms,
|
|
45
47
|
:encoding,
|
|
46
|
-
:
|
|
48
|
+
:allowed_origins,
|
|
47
49
|
:id,
|
|
48
50
|
:name,
|
|
49
51
|
:verify_attestation_statement,
|
|
@@ -52,7 +54,7 @@ module WebAuthn
|
|
|
52
54
|
:acceptable_attestation_types,
|
|
53
55
|
:legacy_u2f_appid
|
|
54
56
|
|
|
55
|
-
attr_reader :attestation_root_certificates_finders
|
|
57
|
+
attr_reader :attestation_root_certificates_finders, :origin
|
|
56
58
|
|
|
57
59
|
# This is the user-data encoder.
|
|
58
60
|
# Used to decode user input and to encode data provided to the user.
|
|
@@ -118,5 +120,18 @@ module WebAuthn
|
|
|
118
120
|
block_given? ? [webauthn_credential, stored_credential] : webauthn_credential
|
|
119
121
|
end
|
|
120
122
|
end
|
|
123
|
+
|
|
124
|
+
# DEPRECATED: This method will be removed in future.
|
|
125
|
+
def origin=(new_origin)
|
|
126
|
+
return if new_origin.nil?
|
|
127
|
+
|
|
128
|
+
warn(
|
|
129
|
+
"DEPRECATION WARNING: `WebAuthn.origin` is deprecated and will be removed in future. "\
|
|
130
|
+
"Please use `WebAuthn.allowed_origins` instead "\
|
|
131
|
+
"that also allows configuring multiple origins per Relying Party"
|
|
132
|
+
)
|
|
133
|
+
|
|
134
|
+
@allowed_origins ||= Array(new_origin) # rubocop:disable Naming/MemoizedInstanceVariableName
|
|
135
|
+
end
|
|
121
136
|
end
|
|
122
137
|
end
|
data/lib/webauthn/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: webauthn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Gonzalo Rodriguez
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: exe
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2025-02-
|
|
12
|
+
date: 2025-02-17 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: android_key_attestation
|