MasterKale / SimpleWebAuthn

WebAuthn, Simplified. A collection of TypeScript-first libraries for simpler WebAuthn integration. Supports modern browsers, Node, Deno, and more.
https://simplewebauthn.dev
MIT License

Add cross-origin flag verification #613

Open MasterKale opened 2 weeks ago

MasterKale commented 2 weeks ago

Describe the issue

WebAuthn L3 is being updated with explicit verification steps for the clientDataJSON.crossOrigin flag:

https://github.com/w3c/webauthn/pull/2166

I should update both verifyRegistrationResponse() and verifyAuthenticationResponse() to support verifying this flag accordingly for RPs that might care to know:

https://github.com/MasterKale/SimpleWebAuthn/blob/dc70416e781c9ab11625ba9afbf092809391874e/packages/server/src/helpers/decodeClientDataJSON.ts#L18
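
An added sketch of what such a check could look like on the decoded client data; it is not SimpleWebAuthn code and not part of this issue. The function name `verifyCrossOrigin`, the `EmbeddingPolicy` shape and the sample values are hypothetical, and the sketch goes beyond the issue text by also covering `topOrigin`, the companion member of CollectedClientData. It assumes the RP rule is to accept `crossOrigin: true` only when the RP expects to be embedded in a cross-origin iframe.

```typescript
// Added illustration, not SimpleWebAuthn code. All names here are hypothetical.
interface EmbeddingPolicy {
  allowCrossOrigin: boolean; // does the RP expect to run in a cross-origin iframe?
  expectedTopOrigins: string[]; // top-level origins allowed to embed the RP
}

interface CheckResult {
  verified: boolean;
  reason?: string;
}

function verifyCrossOrigin(clientDataJSON: string, policy: EmbeddingPolicy): CheckResult {
  let data: { crossOrigin?: unknown; topOrigin?: unknown } | null = null;
  try {
    data = JSON.parse(clientDataJSON);
  } catch {
    return { verified: false, reason: "clientDataJSON is not valid JSON" };
  }
  if (typeof data !== "object" || data === null) {
    return { verified: false, reason: "clientDataJSON is not an object" };
  }
  const { crossOrigin, topOrigin } = data;
  // A present flag must be a real boolean: "true" or 1 must not slip through.
  if (crossOrigin !== undefined && typeof crossOrigin !== "boolean") {
    return { verified: false, reason: "crossOrigin is not a boolean" };
  }
  if (crossOrigin === true && !policy.allowCrossOrigin) {
    return { verified: false, reason: "unexpected cross-origin ceremony" };
  }
  if (topOrigin !== undefined) {
    // topOrigin only makes sense for an RP that expects to be framed.
    if (typeof topOrigin !== "string" || !policy.allowCrossOrigin) {
      return { verified: false, reason: "unexpected topOrigin" };
    }
    if (policy.expectedTopOrigins.indexOf(topOrigin) === -1) {
      return { verified: false, reason: `topOrigin ${topOrigin} is not allowed` };
    }
  }
  return { verified: true };
}

// Constructed sample inputs (not captured from a real ceremony).
const base = { type: "webauthn.get", challenge: "Y2hhbGxlbmdl", origin: "https://rp.example" };
const sameOrigin = JSON.stringify({ ...base, crossOrigin: false });
const framed = JSON.stringify({ ...base, crossOrigin: true, topOrigin: "https://shop.example" });
const stringFlag = JSON.stringify({ ...base, crossOrigin: "true" });
const strictPolicy: EmbeddingPolicy = { allowCrossOrigin: false, expectedTopOrigins: [] };
const embedPolicy: EmbeddingPolicy = { allowCrossOrigin: true, expectedTopOrigins: ["https://shop.example"] };
```

An RP that never expects to be framed would use the equivalent of `strictPolicy`, so a response carrying `crossOrigin: true` fails verification instead of being silently accepted.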

MasterKale commented 1 week ago

Reopening this to take another stab. I reverted the initial attempt for now:

https://github.com/MasterKale/SimpleWebAuthn/pull/626