3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-01 00:48:17 +02:00
Code Issues Projects Releases Packages Wiki Activity

webauthn: only return known device credentials that match the given type

Browse source
This commit is contained in:
Caleb Doxsey 2023-02-15 16:23:55 -07:00
parent f2a5bda162
commit b966264cfd
2 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
pkg/webauthnutil/options.go
View file

@ -12,6 +12,7 @@ import (
"github.com/pomerium/pomerium/pkg/cryptutil" "github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc/device" "github.com/pomerium/pomerium/pkg/grpc/device"
"github.com/pomerium/pomerium/pkg/grpc/user" "github.com/pomerium/pomerium/pkg/grpc/user"
"github.com/pomerium/pomerium/pkg/slices"
) )
const ( const (
@ -156,7 +157,10 @@ func newRequestOptions(
options, options,
deviceType.GetWebauthn().GetOptions().GetAuthenticatorSelection().UserVerification, deviceType.GetWebauthn().GetOptions().GetAuthenticatorSelection().UserVerification,
) )
for _, knownDeviceCredential := range knownDeviceCredentials { knownDeviceCredentialsForType := slices.Filter(knownDeviceCredentials, func(c *device.Credential) bool {
return c.GetTypeId() == deviceType.GetId()
})
for _, knownDeviceCredential := range knownDeviceCredentialsForType {
if publicKey := knownDeviceCredential.GetWebauthn(); publicKey != nil { if publicKey := knownDeviceCredential.GetWebauthn(); publicKey != nil {
options.AllowCredentials = append(options.AllowCredentials, webauthn.PublicKeyCredentialDescriptor{ options.AllowCredentials = append(options.AllowCredentials, webauthn.PublicKeyCredentialDescriptor{
Type: webauthn.PublicKeyCredentialTypePublicKey, Type: webauthn.PublicKeyCredentialTypePublicKey,

5
pkg/webauthnutil/options_test.go
View file

@ -81,9 +81,12 @@ func TestGenerateRequestOptions(t *testing.T) {
t.Run(DefaultDeviceType, func(t *testing.T) { t.Run(DefaultDeviceType, func(t *testing.T) {
key := []byte{1, 2, 3} key := []byte{1, 2, 3}
options := GenerateRequestOptions(r, key, predefinedDeviceTypes[DefaultDeviceType], []*device.Credential{ options := GenerateRequestOptions(r, key, predefinedDeviceTypes[DefaultDeviceType], []*device.Credential{
{Id: "device1", Specifier: &device.Credential_Webauthn{Webauthn: &device.Credential_WebAuthn{ {Id: "device1", TypeId: DefaultDeviceType, Specifier: &device.Credential_Webauthn{Webauthn: &device.Credential_WebAuthn{
Id: []byte{4, 5, 6}, Id: []byte{4, 5, 6},
}}}, }}},
{Id: "device2", TypeId: "some-other-type", Specifier: &device.Credential_Webauthn{Webauthn: &device.Credential_WebAuthn{
Id: []byte{7, 8, 9},
}}},
}) })
options.Challenge = nil options.Challenge = nil
assert.Equal(t, &webauthn.PublicKeyCredentialRequestOptions{ assert.Equal(t, &webauthn.PublicKeyCredentialRequestOptions{