From 030c70e3e5e111f78a0c6c3236d49d512086ff55 Mon Sep 17 00:00:00 2001
From: Banura Randika
Date: Mon, 11 Aug 2025 14:29:09 +0530
Subject: [PATCH 1/2] fix: update origin handling to support wildcard origins
---
 lib/webauthn/authenticator_response.rb | 6 ++++--
 lib/webauthn/fake_client.rb | 4 ++++
 spec/spec_helper.rb | 5 +++++
 spec/webauthn/authenticator_assertion_response_spec.rb | 8 ++++----
 4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/lib/webauthn/authenticator_response.rb b/lib/webauthn/authenticator_response.rb
index be640b16..04976b4f 100644
--- a/lib/webauthn/authenticator_response.rb
+++ b/lib/webauthn/authenticator_response.rb
@@ -91,7 +91,7 @@ def valid_challenge?(expected_challenge)
 def valid_origin?(expected_origin)
 return false unless expected_origin
- expected_origin.include?(client_data.origin)
+ Array(expected_origin).any? { |allowed_origin| allowed_origin === client_data.origin }
 end
 def valid_rp_id?(rp_id)
@@ -115,7 +115,9 @@ def valid_user_verified?
 end
 def rp_id_from_origin(expected_origin)
- URI.parse(expected_origin.first).host if expected_origin.size == 1
+ return unless valid_origin?(expected_origin)
+
+ URI.parse(client_data.origin).host if expected_origin.size == 1
 end
 def type
diff --git a/lib/webauthn/fake_client.rb b/lib/webauthn/fake_client.rb
index 98ae0d45..39bdd74b 100644
--- a/lib/webauthn/fake_client.rb
+++ b/lib/webauthn/fake_client.rb
@@ -160,6 +160,10 @@ def fake_origin
 "http://localhost#{rand(1000)}.test"
 end
+ def fake_wildcard_origin
+ /http:\/\/localhost.*/
+ end
+
 def type_for(method)
 TYPES[method]
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 433ec47c..132cda6b 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -63,6 +63,11 @@ def fake_origin
 "http://localhost"
 end
+def fake_wildcard_origin
+ /http:\/\/localhost.*/
+end
+
+
 def fake_challenge
 SecureRandom.random_bytes(32)
 end 
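Review bot: The `allowed_origin === client_data.origin` test in valid_origin? lets a Regexp stand in for an allowed origin but never requires it to be anchored, and Regexp#=== succeeds on a match anywhere in the string, so the pattern this same commit adds in fake_client.rb and spec_helper.rb, `/http:\/\/localhost.*/`, also accepts an origin on an unrelated host as long as that text appears somewhere inside it. Origin verification is the relying party's main check that the assertion was produced for its own web origin, so a Regexp should be matched against the whole origin (below), and the two helpers should use an anchored pattern without a trailing `.*`, e.g. `%r{\Ahttp://localhost\d*(\.test)?\z}`. In rp_id_from_origin the RP ID is now derived from the client-supplied `client_data.origin`, which `URI.parse` can reject with `URI::InvalidURIError` even after a pattern matched it, and the method still calls `expected_origin.size` on the raw value although valid_origin? wraps it with `Array()`; `Array(expected_origin).size == 1` and a `rescue URI::InvalidURIError` returning nil would keep the two methods consistent. Whether a bare Regexp rather than an Array can reach rp_id_from_origin depends on the configuration code, which is not in this diff.
```ruby
def valid_origin?(expected_origin)
  return false unless expected_origin

  Array(expected_origin).any? do |allowed_origin|
    if allowed_origin.is_a?(Regexp)
      # Match the whole origin: Regexp#=== would also accept an unrelated
      # origin that merely contains the pattern somewhere inside it.
      Regexp.new("\\A(?:#{allowed_origin.source})\\z", allowed_origin.options).match?(client_data.origin)
    else
      allowed_origin == client_data.origin
    end
  end
end
```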
diff --git a/spec/webauthn/authenticator_assertion_response_spec.rb b/spec/webauthn/authenticator_assertion_response_spec.rb
index 36a5d0f4..7652c612 100644
--- a/spec/webauthn/authenticator_assertion_response_spec.rb
+++ b/spec/webauthn/authenticator_assertion_response_spec.rb
@@ -12,8 +12,8 @@ let!(:credential) { create_credential(client: client) }
 let(:credential_public_key) { credential[1] }
- let(:origin) { fake_origin }
- let(:actual_origin) { origin }
+ let(:origin) { fake_wildcard_origin }
+ let(:actual_origin) { fake_origin }
 let(:original_challenge) { fake_challenge }
 let(:assertion) { client.get(challenge: original_challenge) }
 let(:authenticator_data) { assertion["response"]["authenticatorData"] }
@@ -429,7 +429,7 @@ original_challenge,
 public_key: credential_public_key,
 sign_count: 0,
- rp_id: URI.parse(origin).host
+ rp_id: URI.parse(actual_origin).host
 )
 ).to be_truthy
 end
@@ -440,7 +440,7 @@ original_challenge,
 public_key: credential_public_key,
 sign_count: 0,
- rp_id: URI.parse(origin).host
+ rp_id: URI.parse(actual_origin).host
 )
 ).to be_truthy
 end
From cff4edf18e27a7f705744d10a047a798db8567db Mon Sep 17 00:00:00 2001
From: Banura Randika
Date: Mon, 11 Aug 2025 14:30:19 +0530
Subject: [PATCH 2/2] fix: update origin handling to support wildcard origins
---
 spec/spec_helper.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 132cda6b..504a525a 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -67,7 +67,6 @@ def fake_wildcard_origin
 /http:\/\/localhost.*/
 end
-
 def fake_challenge
 SecureRandom.random_bytes(32)
 end
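Review bot: Switching the shared `let(:origin)` to `fake_wildcard_origin` means every example in this file now exercises only the Regexp branch of valid_origin?, so the exact-string origin path, which stays the ordinary configuration, loses its coverage; keep `let(:origin) { fake_origin }` as the default and add a `context "with a wildcard origin"` that overrides `origin` with `fake_wildcard_origin`. A negative example asserting that an origin outside the intended set is rejected, in particular a different host whose string still contains `http://localhost`, would pin down which matching semantics the library promises. The `rp_id: URI.parse(actual_origin).host` edits in the two later hunks follow from the first one and need nothing further.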