Allow to pass expected origin to verify

cedarcode / webauthn-ruby

WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party

https://rubygems.org/gems/webauthn

MIT License

649 stars 53 forks source link

Allow to pass expected origin to verify #365

Closed manubo closed 1 year ago

manubo commented 2 years ago

Both

WebAuthn::AuthenticatorAttestationResponse#verify and
WebAuthn::AuthenticatorAssertionResponse#verify

accept the parameter expected_origin, but the calling methods

PublicKeyCredentialWithAttestation#verify and
PublicKeyCredentialWithAssertion#verify,

respectively, do not.

We have a multi-tenant system where each tenant has its own subdomain and need to be able to pass the origin when validating the data.

brauliomartinezlm commented 2 years ago

Hi @manubo ! thank you for the agency on putting this PR up. For a multi-tenant usage of this gem, I'd recommend using our v3 which is in alpha right now but it's been highly tested at this point. We're about to release v3 alpha2 so please stayed tuned for https://github.com/cedarcode/webauthn-ruby/pull/368

manubo commented 1 year ago

Hi @brauliomartinezlm, thanks for your feedback. I have seen that #368 was merged, which is great. There is no v3 alpha2 tag yet, but I assume it's the same as master at the moment, right? I will give it a try, thanks for your support 👍🏼

manubo commented 1 year ago

Closed in favour of using v3 of this gem.

brauliomartinezlm commented 1 year ago

@manubo I've just released 3.0.0.alpha2. Hope it worked as you needed.

manubo commented 1 year ago

Yes, works like a charm, thanks @brauliomartinezlm 👍🏼