Browse Source

Fix webauthn secure key authentication (#16792)

* Add tests

* Fix webauthn secure key authentication

Fixes #16769
closed-social-glitch-2
Claire 3 years ago
committed by GitHub
parent
commit
24f9ea7818
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 1 deletions
  1. +1
    -1
      app/controllers/auth/sessions_controller.rb
  2. +29
    -0
      spec/controllers/auth/sessions_controller_spec.rb

+ 1
- 1
app/controllers/auth/sessions_controller.rb View File

@ -42,7 +42,7 @@ class Auth::SessionsController < Devise::SessionsController
end end
def webauthn_options def webauthn_options
user = find_user
user = User.find_by(id: session[:attempt_user_id])
if user&.webauthn_enabled? if user&.webauthn_enabled?
options_for_get = WebAuthn::Credential.options_for_get( options_for_get = WebAuthn::Credential.options_for_get(

+ 29
- 0
spec/controllers/auth/sessions_controller_spec.rb View File

@ -519,4 +519,33 @@ RSpec.describe Auth::SessionsController, type: :controller do
end end
end end
end end
describe 'GET #webauthn_options' do
context 'with WebAuthn and OTP enabled as second factor' do
let(:domain) { "#{Rails.configuration.x.use_https ? 'https' : 'http' }://#{Rails.configuration.x.web_domain}" }
let(:fake_client) { WebAuthn::FakeClient.new(domain) }
let!(:user) do
Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
end
before do
user.update(webauthn_id: WebAuthn.generate_user_id)
public_key_credential = WebAuthn::Credential.from_create(fake_client.create)
user.webauthn_credentials.create(
nickname: 'SecurityKeyNickname',
external_id: public_key_credential.id,
public_key: public_key_credential.public_key,
sign_count: '1000'
)
post :create, params: { user: { email: user.email, password: user.password } }
end
it 'returns http success' do
get :webauthn_options
expect(response).to have_http_status :ok
end
end
end
end end

Loading…
Cancel
Save