
Commit 29b5369

test: when allowed_top_origins is nil
1 parent 08f2b25 commit 29b5369


2 files changed

+202
-70
lines changed


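--- a/lib/webauthn/authenticator_response.rb
+++ b/lib/webauthn/authenticator_response.rb
@@ -89,7 +89,7 @@ def valid_token_binding?
 def valid_top_origin?
 return false unless client_data.cross_origin
 
-relying_party.allowed_top_origins.include?(client_data.top_origin)
+relying_party.allowed_top_origins&.include?(client_data.top_origin)
 end
 
 def valid_challenge?(expected_challenge)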
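Review bot: `allowed_top_origins&.include?(...)` makes `valid_top_origin?` return `nil` instead of `false` when no allow-list is configured; that is fail-closed for cross-origin responses, which is the right default, but a `?` method now returns a non-boolean and the intent is not written down anywhere in the method. Consider `Array(relying_party.allowed_top_origins).include?(client_data.top_origin)`, which treats an unset list as an empty allow-list and keeps the predicate boolean, together with a comment above it such as `# No allow-list configured means no cross-origin top_origin is accepted (fail closed).`. `include?` is an exact string comparison, so the configured origins have to be in the same canonical form the client reports; the method is complete within the hunk, but how `top_origin` is normalised is not visible here.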

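--- a/spec/webauthn/authenticator_assertion_response_spec.rb
+++ b/spec/webauthn/authenticator_assertion_response_spec.rb
@@ -506,31 +506,17 @@
 let(:top_origin) { fake_top_origin }
 
 before do
-WebAuthn.configuration.allowed_top_origins = [top_origin]
+WebAuthn.configuration.allowed_top_origins = allowed_top_origins
 end
 
-context "when cross_origin is true" do
-let(:cross_origin) { true }
+context "when allowed_top_origins is not set" do
+let(:allowed_top_origins) { nil }
 
-context "when top_origin is set" do
-context "when top_origin matches client top_origin" do
-let(:client_top_origin) { top_origin }
-
-it "verifies" do
-expect(
-assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
-).to be_truthy
-end
-
-it "is valid" do
-expect(
-assertion_response.valid?(original_challenge, public_key: credential_public_key, sign_count: 0)
-).to be_truthy
-end
-end
+context "when cross_origin is true" do
+let(:cross_origin) { true }
 
-context "when top_origin does not match client top_origin" do
-let(:client_top_origin) { "https://malicious.example.com" }
+context "when top_origin is set" do
+let(:client_top_origin) { top_origin }
 
 it "is invalid" do
 expect(
@@ -548,35 +534,9 @@
 }.to raise_exception(WebAuthn::TopOriginVerificationError)
 end
 end
-end
-
-context "when top_origin is not set" do
-let(:client_top_origin) { nil }
-
-it "is invalid" do
-expect(
-assertion_response.valid?(
-original_challenge,
-public_key: credential_public_key,
-sign_count: 0
-)
-).to be_falsy
-end
 
-it "doesn't verify" do
-expect {
-assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
-}.to raise_exception(WebAuthn::TopOriginVerificationError)
-end
-end
-end
-
-context "when cross_origin is false" do
-let(:cross_origin) { false }
-
-context "when top_origin is set" do
-context "when top_origin matches client top_origin" do
-let(:client_top_origin) { top_origin }
+context "when top_origin is not set" do
+let(:client_top_origin) { nil }
 
 it "is invalid" do
 expect(
@@ -594,9 +554,13 @@
 }.to raise_exception(WebAuthn::TopOriginVerificationError)
 end
 end
+end
+
+context "when cross_origin is false" do
+let(:cross_origin) { false }
 
-context "when top_origin does not match client top_origin" do
-let(:client_top_origin) { "https://malicious.example.com" }
+context "when top_origin is set" do
+let(:client_top_origin) { top_origin }
 
 it "is invalid" do
 expect(
@@ -631,13 +595,11 @@
 end
 end
 end
-end
 
-context "when cross_origin is not set" do
-let(:cross_origin) { nil }
+context "when cross_origin is not set" do
+let(:cross_origin) { nil }
 
-context "when top_origin is set" do
-context "when top_origin matches client top_origin" do
+context "when top_origin is set" do
 let(:client_top_origin) { top_origin }
 
 it "is invalid" do
@@ -657,8 +619,70 @@
 end
 end
 
-context "when top_origin does not match client top_origin" do
-let(:client_top_origin) { "https://malicious.example.com" }
+context "when top_origin is not set" do
+let(:client_top_origin) { nil }
+
+it "verifies" do
+expect(
+assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
+).to be_truthy
+end
+
+it "is valid" do
+expect(
+assertion_response.valid?(original_challenge, public_key: credential_public_key, sign_count: 0)
+).to be_truthy
+end
+end
+end
+end
+
+context "when allowed_top_origins is set" do
+let(:allowed_top_origins) { [top_origin] }
+
+context "when cross_origin is true" do
+let(:cross_origin) { true }
+
+context "when top_origin is set" do
+context "when top_origin matches client top_origin" do
+let(:client_top_origin) { top_origin }
+
+it "verifies" do
+expect(
+assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
+).to be_truthy
+end
+
+it "is valid" do
+expect(
+assertion_response.valid?(original_challenge, public_key: credential_public_key, sign_count: 0)
+).to be_truthy
+end
+end
+
+context "when top_origin does not match client top_origin" do
+let(:client_top_origin) { "https://malicious.example.com" }
+
+it "is invalid" do
+expect(
+assertion_response.valid?(
+original_challenge,
+public_key: credential_public_key,
+sign_count: 0
+)
+).to be_falsy
+end
+
+it "doesn't verify" do
+expect {
+assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
+}.to raise_exception(WebAuthn::TopOriginVerificationError)
+end
+end
+end
+
+context "when top_origin is not set" do
+let(:client_top_origin) { nil }
 
 it "is invalid" do
 expect(
@@ -676,20 +700,128 @@
 }.to raise_exception(WebAuthn::TopOriginVerificationError)
 end
 end
+end
 
-context "when top_origin is not set" do
-let(:client_top_origin) { nil }
-
-it "verifies" do
-expect(
-assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
-).to be_truthy
+context "when cross_origin is false" do
+let(:cross_origin) { false }
+
+context "when top_origin is set" do
+context "when top_origin matches client top_origin" do
+let(:client_top_origin) { top_origin }
+
+it "is invalid" do
+expect(
+assertion_response.valid?(
+original_challenge,
+public_key: credential_public_key,
+sign_count: 0
+)
+).to be_falsy
+end
+
+it "doesn't verify" do
+expect {
+assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
+}.to raise_exception(WebAuthn::TopOriginVerificationError)
+end
+end
+
+context "when top_origin does not match client top_origin" do
+let(:client_top_origin) { "https://malicious.example.com" }
+
+it "is invalid" do
+expect(
+assertion_response.valid?(
+original_challenge,
+public_key: credential_public_key,
+sign_count: 0
+)
+).to be_falsy
+end
+
+it "doesn't verify" do
+expect {
+assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
+}.to raise_exception(WebAuthn::TopOriginVerificationError)
+end
+end
+
+context "when top_origin is not set" do
+let(:client_top_origin) { nil }
+
+it "verifies" do
+expect(
+assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
+).to be_truthy
+end
+
+it "is valid" do
+expect(
+assertion_response.valid?(original_challenge, public_key: credential_public_key, sign_count: 0)
+).to be_truthy
+end
 end
+end
+end
 
-it "is valid" do
-expect(
-assertion_response.valid?(original_challenge, public_key: credential_public_key, sign_count: 0)
-).to be_truthy
+context "when cross_origin is not set" do
+let(:cross_origin) { nil }
+
+context "when top_origin is set" do
+context "when top_origin matches client top_origin" do
+let(:client_top_origin) { top_origin }
+
+it "is invalid" do
+expect(
+assertion_response.valid?(
+original_challenge,
+public_key: credential_public_key,
+sign_count: 0
+)
+).to be_falsy
+end
+
+it "doesn't verify" do
+expect {
+assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
+}.to raise_exception(WebAuthn::TopOriginVerificationError)
+end
+end
+
+context "when top_origin does not match client top_origin" do
+let(:client_top_origin) { "https://malicious.example.com" }
+
+it "is invalid" do
+expect(
+assertion_response.valid?(
+original_challenge,
+public_key: credential_public_key,
+sign_count: 0
+)
+).to be_falsy
+end
+
+it "doesn't verify" do
+expect {
+assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
+}.to raise_exception(WebAuthn::TopOriginVerificationError)
+end
+end
+
+context "when top_origin is not set" do
+let(:client_top_origin) { nil }
+
+it "verifies" do
+expect(
+assertion_response.verify(original_challenge, public_key: credential_public_key, sign_count: 0)
+).to be_truthy
+end
+
+it "is valid" do
+expect(
+assertion_response.valid?(original_challenge, public_key: credential_public_key, sign_count: 0)
+).to be_truthy
+end
 end
 end
 end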
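Review bot: In the new `when allowed_top_origins is set` block, the `when cross_origin is false` and `when cross_origin is not set` branches appear to nest `when top_origin is not set` inside `when top_origin is set`: after the `end` that closes each `when top_origin does not match client top_origin` context there is no `end` for the enclosing `when top_origin is set` context, and the surplus `end` shows up instead just before the next sibling `context`. The examples still pass because the inner `let(:client_top_origin) { nil }` overrides the outer `let`, but the documentation output reads "when top_origin is set when top_origin is not set verifies", which hides what is actually covered. If my count is right, add an `end` directly after the `end` closing each `does not match` context and drop the matching trailing `end` before the next `context "when cross_origin …"`; the `when cross_origin is true` branch in the same block shows the intended shape. The same `is invalid`/`doesn't verify` and `verifies`/`is valid` pairs are now repeated a dozen times, so `shared_examples "a rejected assertion"` / `"an accepted assertion"` with `it_behaves_like` would shrink the file and make nesting slips like this visible.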
