Merge remote-tracking branch 'origin/master' into temciuc--verify-top-origin

Author: nicolastemciuc

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## Unreleased
+
+## [v3.4.3] - 2025-10-23
+
+### Fixed
+
+- Fix `RelyingParty#origin` and `WebAuthn.configuration.origin` always returning `nil`. [#484](https://github.com/cedarcode/webauthn-ruby/pull/484)[@santiagorodriguez96]
+    - Now they return the allowed origin if allowed origins has only one element.
+
 ## [v3.4.2] - 2025-09-22
 
 ### Added

lib/webauthn/relying_party.rb

@@ -60,7 +60,7 @@ def initialize(
                   :acceptable_attestation_types,
                   :legacy_u2f_appid
 
-    attr_reader :attestation_root_certificates_finders, :origin
+    attr_reader :attestation_root_certificates_finders
 
     # This is the user-data encoder.
     # Used to decode user input and to encode data provided to the user.
@@ -127,13 +127,24 @@ def verify_authentication(
       end
     end
 
+    # DEPRECATED: This method will be removed in future.
+    def origin
+      warn(
+        "DEPRECATION WARNING: `WebAuthn.origin` is deprecated and returns `nil` " \
+        "when `WebAuthn.allowed_origins` contains more than one origin. " \
+        "It will be removed in future. Please use `WebAuthn.allowed_origins` instead."
+      )
+
+      allowed_origins.first if allowed_origins&.size == 1
+    end
+
     # DEPRECATED: This method will be removed in future.
     def origin=(new_origin)
       return if new_origin.nil?
 
       warn(
-        "DEPRECATION WARNING: `WebAuthn.origin` is deprecated and will be removed in future. "\
-        "Please use `WebAuthn.allowed_origins` instead "\
+        "DEPRECATION WARNING: `WebAuthn.origin=` is deprecated and will be removed in future. "\
+        "Please use `WebAuthn.allowed_origins=` instead "\
         "that also allows configuring multiple origins per Relying Party"
       )
 

lib/webauthn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebAuthn
-  VERSION = "3.4.2"
+  VERSION = "3.4.3"
 end

spec/conformance/Gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-ruby "~> 3.4.2"
+ruby file: '.ruby-version'
 
 gem "byebug"
 gem "fido_metadata", "~> 0.5.0"

spec/conformance/Gemfile.lock

@@ -31,7 +31,7 @@ GEM
     mustermann (3.0.4)
       ruby2_keywords (~> 0.0.1)
     nio4r (2.7.4)
-    openssl (3.3.0)
+    openssl (3.3.1)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
     puma (6.6.1)

spec/webauthn/relying_party_spec.rb

@@ -135,6 +135,42 @@
     end
   end
 
+  describe '#origin' do
+    subject do
+      old_verbose, $VERBOSE = $VERBOSE, nil # Silence warnings to avoid deprecation warnings
+
+      rp.origin
+    ensure
+      $VERBOSE = old_verbose
+    end
+
+    context 'when relying party has only one allowed origin' do
+      let(:rp) do
+        WebAuthn::RelyingParty.new(allowed_origins: ["https://admin.example.test"])
+      end
+
+      it 'returns that allowed origin' do
+        is_expected.to eq("https://admin.example.test")
+      end
+    end
+
+    context 'when relying party has multiple allowed origins' do
+      let(:rp) do
+        WebAuthn::RelyingParty.new(allowed_origins: ["https://admin.example.test", "https://newadmin.example.test"])
+      end
+
+      it { is_expected.to be_nil }
+    end
+
+    context 'when relying party has not set its allowed origins' do
+      let(:rp) do
+        WebAuthn::RelyingParty.new(allowed_origins: nil)
+      end
+
+      it { is_expected.to be_nil }
+    end
+  end
+
   context "without having any global configuration" do
     let(:consumer_rp) do
       WebAuthn::RelyingParty.new(