jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License

webauthn_rp_id should not include port #203

Closed. iain closed this issue 2 years ago.

iain commented 2 years ago

The default value for webauthn_rp_id includes the port number (e.g. localhost:9292). This is not allowed according to the spec.

Note: An RP ID is based on a host's domain name. It does not itself include a scheme or port, as an origin does.

Source: https://www.w3.org/TR/webauthn-2/#relying-party-identifier

This will most likely be a problem during development, where custom ports are common.

I suggest the default implementation of webauthn_rp_id also removes /:\d+\z/ from the webauthn_origin value, or maybe a note in the docs if that is not a good solution.
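
The derivation the report is asking for, written out as an added example that is not rodauth's code: `webauthn_rp_id_from_origin` parses the origin with Ruby's standard `URI` and returns only the host, so a development origin like `http://localhost:9292` yields the RP ID `localhost`. The function names are hypothetical. `strip_port_naive` is the regex from the report applied to the full origin, kept here to show that it drops the port but keeps the scheme, so it is not sufficient on its own when the origin carries one. `rp_id_valid_for_origin?` mirrors the client-side check that a registration or assertion is rejected unless the RP ID equals the origin's host or is a domain suffix of it; the real check uses the registrable domain (public suffix list), which this simplified version does not consult, so treat it as a sanity check for configuration rather than a security boundary.

```ruby
require "uri"

# Derive the WebAuthn RP ID from an origin string such as
# "https://login.example.com:8443". Per the spec the RP ID is the
# host only: no scheme, no port, no path.
def webauthn_rp_id_from_origin(origin)
  uri = URI.parse(origin)
  host = uri.host
  if host.nil? || host.empty?
    # "localhost:9292" without a scheme parses as scheme "localhost",
    # so an origin must carry its scheme for this to work.
    raise ArgumentError, "origin has no host: #{origin.inspect}"
  end
  host
end

# The regex suggested in the report, applied to the whole origin value.
# It removes a trailing ":port" but leaves a scheme in place, so the
# result is only a valid RP ID when the input is already "host:port".
def strip_port_naive(origin)
  origin.sub(/:\d+\z/, "")
end

# Simplified version of the client's origin check: the RP ID must be
# equal to the origin's host or a dot-separated suffix of it. An RP ID
# that still carries a port can never satisfy this, which is why
# "localhost:9292" breaks registration in development.
# (Hypothetical helper; the spec's real check uses the registrable
# domain and the public suffix list, which is not consulted here.)
def rp_id_valid_for_origin?(rp_id, origin)
  return false if rp_id.nil? || rp_id.empty? || rp_id.include?(":")
  host = URI.parse(origin).host
  return false if host.nil?
  host == rp_id || host.end_with?(".#{rp_id}")
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample origins, typical of development and production.
  ["http://localhost:9292", "https://login.example.com:8443", "https://example.com"].each do |origin|
    rp_id = webauthn_rp_id_from_origin(origin)
    puts "#{origin} -> rp_id=#{rp_id} valid=#{rp_id_valid_for_origin?(rp_id, origin)}"
  end
  puts "naive: #{strip_port_naive("http://localhost:9292")}"
end
```

Running the block prints the derived RP ID for each constructed origin and shows that the naive regex on the full origin leaves `http://localhost` rather than `localhost`.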

jeremyevans commented 2 years ago

Thanks for the report. I'll work on fixing this in a couple days.

jeremyevans commented 2 years ago

Sorry I haven't been able to get to this yet. I'm hoping to get to this later this week. In any case, it will be fixed before the next release, which should be sometime next week.