feat-allow-multiple-origins

* add deprecation warning
cedarcode · Oct 24, 2024 · 458d738 · 458d738
1 parent e0261d0
commit 458d738
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 11 deletions.
diff --git a/lib/webauthn/authenticator_response.rb b/lib/webauthn/authenticator_response.rb
@@ -25,15 +25,20 @@ def initialize(client_data_json:, relying_party: WebAuthn.configuration.relying_
     end
 
     def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
-      expected_origin ||= relying_party.origin || relying_party.allowed_origins || raise("Unspecified expected origin")
+      expected_origin ||= relying_party.allowed_origins || [relying_party.origin] || raise("Unspecified expected origin")
       rp_id ||= relying_party.id
 
       verify_item(:type)
       verify_item(:token_binding)
       verify_item(:challenge, expected_challenge)
       verify_item(:origin, expected_origin)
       verify_item(:authenticator_data)
-      verify_item(:rp_id, rp_id || rp_id_from_origin(expected_origin))
+
+      # note: we are not trying to guess from 'expected_origin' since it is an array
+      verify_item(
+        :rp_id,
+        rp_id || rp_id_from_origin(relying_party.origin)
+      )
 
       if !relying_party.silent_authentication
         verify_item(:user_presence)
@@ -83,17 +88,12 @@ def valid_challenge?(expected_challenge)
     end
 
     # @return [Boolean]
-    # @param [String, Array<String>] expected_origin
-    # Validate if origin configured for RP is matching the one received from client
+    # @param [Array<String>] expected_origin
+    # Validate if one of the allowed origins configured for RP is matching the one received from client
     def valid_origin?(expected_origin)
       return false unless expected_origin
 
-      case expected_origin
-      when Array
-        expected_origin.include?(client_data.origin) # allow multiple origins as per spec
-      else
-        client_data.origin == expected_origin # keep the default behaviour for backwards compatibility
-      end
+      expected_origin.include?(client_data.origin)
     end
 
     # @return [Boolean]
@@ -120,6 +120,7 @@ def valid_user_verified?
     end
 
     # @return [String, nil]
+    # @param [Array[String]] expected_origin
     # Extract RP ID from origin in case rp_id is not provided explicitly
     # Note: In case origin is an array, we can not guess anymore since any guess would end up being wrong
     def rp_id_from_origin(expected_origin)

diff --git a/lib/webauthn/relying_party.rb b/lib/webauthn/relying_party.rb
@@ -32,7 +32,7 @@ def initialize(
       @algorithms = algorithms
       @encoding = encoding
       @origin = origin
-      @allowed_origins = allowed_origins.nil? ? [origin] : allowed_origins
+      @allowed_origins = allowed_origins
       @id = id
       @name = name
       @verify_attestation_statement = verify_attestation_statement
@@ -41,6 +41,13 @@ def initialize(
       @acceptable_attestation_types = acceptable_attestation_types
       @legacy_u2f_appid = legacy_u2f_appid
       self.attestation_root_certificates_finders = attestation_root_certificates_finders
+
+      if allowed_origins.nil? && !origin.nil?
+        warn(
+          "DEPRECATION WARNING: `WebAuthn.origin` is deprecated and will be removed in future"\
+          " Please use `WebAuthn.allowed_origins` instead that also allows configuring multiple origins per Relying Party"
+        )
+      end
     end
 
     attr_accessor :algorithms,