feat: add client data origin validation

cedarcode · brauliomartinezlm · May 24, 2018 · May 23, 2018 · May 24, 2018 · May 24, 2018
commit af83f77eae055472ab45b9984ac1c73067c4fa65
diff --git a/lib/webauthn/authenticator_attestation_response.rb b/lib/webauthn/authenticator_attestation_response.rb
@@ -14,9 +14,10 @@ def initialize(attestation_object:, client_data_json:)
  @client_data_json = client_data_json
  end
 
- def valid?(original_challenge)
+ def valid?(original_challenge, original_origin)
  valid_type? &&
  valid_challenge?(original_challenge) &&
+ valid_origin?(original_origin) &&
  authenticator_data.valid? &&
  user_present? &&
  valid_attestation_statement?
@@ -34,6 +35,10 @@ def valid_challenge?(original_challenge)
  Base64.urlsafe_decode64(client_data.challenge) == Base64.urlsafe_decode64(original_challenge)
  end
 
+ def valid_origin?(original_origin)
+ client_data.origin == original_origin
+ end
+
  def valid_attestation_statement?
  if attestation_format == ATTESTATION_FORMAT_NONE
  true

diff --git a/lib/webauthn/client_data.rb b/lib/webauthn/client_data.rb
@@ -14,6 +14,10 @@ def challenge
  data["challenge"]
  end
 
+ def origin
+ data["origin"]
+ end
+
  private
 
  attr_reader :client_data_json

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -2,6 +2,7 @@
 
 require "bundler/setup"
 require "webauthn"
+require "cbor"
 
 require "byebug"
 
@@ -39,3 +40,11 @@ def seeds
  }
  }
 end
+
+def hash_to_encoded_json(hash)
+ Base64.urlsafe_encode64(hash.to_json)
+end
+
+def hash_to_encoded_cbor(hash)
+ Base64.urlsafe_encode64(CBOR.encode(hash))
+end
diff --git a/spec/webauthn/authenticator_attestation_response_spec.rb b/spec/webauthn/authenticator_attestation_response_spec.rb
@@ -12,7 +12,7 @@
  client_data_json: response[:client_data_json]
  )
 
- expect(response.valid?(original_challenge)).to eq(true)
+ expect(response.valid?(original_challenge, "http:https://localhost:3000")).to eq(true)
  end
 
  it "returns user-friendly error if no client data received" do
@@ -22,7 +22,50 @@
  )
 
  expect {
- response.valid?("")
+ response.valid?("", "")
  }.to raise_exception(RuntimeError, "Missing client_data_json")
  end
+
+ describe "origin validation" do
+ let(:base_url) { "http:https://localhost" }
+ let(:challenge) { Base64.urlsafe_encode64(SecureRandom.random_bytes(16)) }
+ let(:client_data_json) { hash_to_encoded_json(challenge: challenge,
+ clientExtensions: {},
+ hashAlgorithm: "SHA-256",
+ origin: origin,
+ type: "webauthn.create") }
+ let(:auth_data) { [73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100,
+ 118, 96, 91, 143, 228, 174, 185, 162, 134, 50, 199, 153,
+ 92, 243, 186, 131, 29, 151, 99, 65, 0, 0, 0, 0].pack('c*') }
+ let(:attestation_object) { hash_to_encoded_cbor(fmt: "none",
+ attStmt: {},
+ authData: auth_data) }
+
+ context "matches the default one" do
+ let(:origin) { "http:https://localhost" }
+
+ it "is valid" do
+ response = WebAuthn::AuthenticatorAttestationResponse.new(
+ attestation_object: attestation_object,
+ client_data_json: client_data_json
+ )
+
+ expect(response.valid?(challenge, base_url)).to be_truthy
+ end
+ end
+
+ context "doesn't match the default one" do
+ let(:origin) { "http:https://invalid" }
+
+ it "isn't valid" do
+ response = WebAuthn::AuthenticatorAttestationResponse.new(
+ attestation_object: attestation_object,
+ client_data_json: client_data_json
+ )
+
+ expect(response.valid?(challenge, base_url)).to be_falsy
+ end
+ end
+ end
+
 end