From b966264cfd328b00a586753673f540dd4ef6876c Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Wed, 15 Feb 2023 16:23:55 -0700
Subject: [PATCH] webauthn: only return known device credentials that match the given type
---
 pkg/webauthnutil/options.go | 6 +++++-
 pkg/webauthnutil/options_test.go | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/pkg/webauthnutil/options.go b/pkg/webauthnutil/options.go
index 88b018d12..689d64d0f 100644
--- a/pkg/webauthnutil/options.go
+++ b/pkg/webauthnutil/options.go
@@ -12,6 +12,7 @@ import (
 "github.com/pomerium/pomerium/pkg/cryptutil"
 "github.com/pomerium/pomerium/pkg/grpc/device"
 "github.com/pomerium/pomerium/pkg/grpc/user"
+ "github.com/pomerium/pomerium/pkg/slices"
 )
 
 const (
@@ -156,7 +157,10 @@ func newRequestOptions(
 options,
 deviceType.GetWebauthn().GetOptions().GetAuthenticatorSelection().UserVerification,
 )
- for _, knownDeviceCredential := range knownDeviceCredentials {
+ knownDeviceCredentialsForType := slices.Filter(knownDeviceCredentials, func(c *device.Credential) bool {
+ return c.GetTypeId() == deviceType.GetId()
+ })
+ for _, knownDeviceCredential := range knownDeviceCredentialsForType {
 if publicKey := knownDeviceCredential.GetWebauthn(); publicKey != nil {
 options.AllowCredentials = append(options.AllowCredentials, webauthn.PublicKeyCredentialDescriptor{
 Type: webauthn.PublicKeyCredentialTypePublicKey,
diff --git a/pkg/webauthnutil/options_test.go b/pkg/webauthnutil/options_test.go
index be5a9e0d0..6f3b238b1 100644
--- a/pkg/webauthnutil/options_test.go
+++ b/pkg/webauthnutil/options_test.go
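Review bot: Credentials stored without a TypeId (empty string) are now silently excluded by the filter in newRequestOptions unless the device type ID is also empty; if records written before the type was recorded can lack TypeId, this is a behavior change for existing users that deserves a comment or a note on migration. The intent of the narrowing is not stated on the loop, so I would add `// Only offer credentials enrolled for this device type; a credential of another type must not satisfy this challenge.` above the slices.Filter call. AllowCredentials is only a hint to the client, so the assertion-verification path has to enforce the same type match on the credential ID it receives back — that code is not in this hunk and is worth confirming. newRequestOptions starts and ends outside the hunk.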
@@ -81,9 +81,12 @@ func TestGenerateRequestOptions(t *testing.T) {
 t.Run(DefaultDeviceType, func(t *testing.T) {
 key := []byte{1, 2, 3}
 options := GenerateRequestOptions(r, key, predefinedDeviceTypes[DefaultDeviceType], []*device.Credential{
- {Id: "device1", Specifier: &device.Credential_Webauthn{Webauthn: &device.Credential_WebAuthn{
+ {Id: "device1", TypeId: DefaultDeviceType, Specifier: &device.Credential_Webauthn{Webauthn: &device.Credential_WebAuthn{
 Id: []byte{4, 5, 6},
 }}},
+ {Id: "device2", TypeId: "some-other-type", Specifier: &device.Credential_Webauthn{Webauthn: &device.Credential_WebAuthn{
+ Id: []byte{7, 8, 9},
+ }}},
 })
 options.Challenge = nil
 assert.Equal(t, &webauthn.PublicKeyCredentialRequestOptions{
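Review bot: The added credential only covers a TypeId that is a different non-empty string; it does not pin what happens to a credential with an empty TypeId, which is the case most likely to exist for records written before the type was stored. I would add a third entry such as `{Id: "device3", Specifier: &device.Credential_Webauthn{Webauthn: &device.Credential_WebAuthn{Id: []byte{10, 11, 12}}}},` and assert explicitly whether it appears in AllowCredentials, so the chosen behavior for legacy records is documented by the test. The expected-value assertion continues past the end of the hunk, so I cannot confirm from here that the exclusion of device2 is actually checked. TestGenerateRequestOptions starts and ends outside the hunk.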