author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 07:08:36 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 07:08:36 +0000 |
commit | 48aff82709769b098321c738f3444b9bdaa694c6 (patch) | |
tree | e00c7c43e2d9b603a5a6af576b1685e400410dee /app/services/webauthn | |
parent | 879f5329ee916a948223f8f43d77fba4da6cd028 (diff) | |
download | gitlab-ce-48aff82709769b098321c738f3444b9bdaa694c6.tar.gz |
Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42
Diffstat (limited to 'app/services/webauthn')
-rw-r--r-- | app/services/webauthn/authenticate_service.rb | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/app/services/webauthn/authenticate_service.rb b/app/services/webauthn/authenticate_service.rb
index a4513c62c2d..a575a853995 100644
--- a/app/services/webauthn/authenticate_service.rb
+++ b/app/services/webauthn/authenticate_service.rb
@@ -11,12 +11,6 @@ module Webauthn
 
     def execute
       parsed_device_response = Gitlab::Json.parse(@device_response)
-      # appid is set for legacy U2F devices, will be used in a future iteration
-      # rp_id = @app_id
-      # unless parsed_device_response['clientExtensionResults'] && parsed_device_response['clientExtensionResults']['appid']
-      #   rp_id = URI(@app_id).host
-      # end
-
       webauthn_credential = WebAuthn::Credential.from_get(parsed_device_response)
       encoded_raw_id = Base64.strict_encode64(webauthn_credential.raw_id)
       stored_webauthn_credential = @user.webauthn_registrations.find_by_credential_xid(encoded_raw_id)
@@ -52,10 +46,14 @@ module Webauthn
 
     # Verifies that webauthn_credential matches stored_credential with the given challenge
     #
     def verify_webauthn_credential(webauthn_credential, stored_credential, challenge, encoder)
+      # We need to adjust the relaying party id (RP id) we verify against if the registration in question
+      # is a migrated U2F registration. This is beacuse the appid of U2F and the rp id of WebAuthn differ.
+      rp_id = webauthn_credential.client_extension_outputs['appid'] ? WebAuthn.configuration.origin : URI(WebAuthn.configuration.origin).host
       webauthn_credential.response.verify(
         encoder.decode(challenge),
         public_key: encoder.decode(stored_credential.public_key),
-        sign_count: stored_credential.counter)
+        sign_count: stored_credential.counter,
+        rp_id: rp_id)
     end
   end
 end
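Review bot: The new `rp_id` line in `verify_webauthn_credential` indexes `client_extension_outputs` with no nil guard, whereas the commented-out code this commit deletes from `execute` did guard against `clientExtensionResults` being absent; depending on the webauthn gem version, a device response that omits `clientExtensionResults` may yield `nil` here and raise `NoMethodError` instead of failing verification cleanly, so `rp_id = webauthn_credential.client_extension_outputs&.dig('appid') ? WebAuthn.configuration.origin : URI(WebAuthn.configuration.origin).host` would be safer. Because the RP id to verify against is chosen from a client-reported extension output, the comment should state why that is acceptable: `response.verify(..., rp_id:)` still compares the assertion's rpIdHash against the chosen value, so a false `appid` claim makes verification fail rather than relaxing it — please confirm this against the gem's verify implementation before relying on it. The added comment also has two typos (`relaying party` → `relying party`, `beacuse` → `because`), and the ternary exceeds the line-length limit; an `if`/`else` assignment or a small private predicate such as `migrated_u2f_registration?(webauthn_credential)` would read better.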