mirror of
https://github.com/discourse/discourse.git
synced 2024-11-21 16:38:15 -06:00
FIX: Webauthn origin was incorrect for subfolder setups (#25651)
This commit is contained in:
parent
7eb1215cb1
commit
021a02c3d8
@ -92,10 +92,8 @@ module DiscourseWebauthn
|
||||
# you might need to change this and the rp_id above
|
||||
# if you are using a non-default port/hostname locally
|
||||
"http://localhost:4200"
|
||||
when "test"
|
||||
"http://localhost:3000"
|
||||
else
|
||||
Discourse.base_url
|
||||
Discourse.base_url_no_prefix
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -183,6 +183,7 @@ RSpec.describe SecondFactorManager do
|
||||
disable_totp
|
||||
simulate_localhost_webauthn_challenge
|
||||
DiscourseWebauthn.stage_challenge(user, secure_session)
|
||||
DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
|
||||
end
|
||||
|
||||
context "when security key params are valid" do
|
||||
@ -265,6 +266,7 @@ RSpec.describe SecondFactorManager do
|
||||
before do
|
||||
simulate_localhost_webauthn_challenge
|
||||
DiscourseWebauthn.stage_challenge(user, secure_session)
|
||||
DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
|
||||
end
|
||||
|
||||
context "when method selected is invalid" do
|
||||
|
@ -97,8 +97,10 @@ RSpec.describe DiscourseWebauthn::AuthenticationService do
|
||||
let(:current_user) { Fabricate(:user) }
|
||||
|
||||
before do
|
||||
# we have to stub here because the public key was created using this specific challenge
|
||||
# we have to stub here because the test public key was created
|
||||
# using this specific challenge and this origin
|
||||
DiscourseWebauthn.stubs(:challenge).returns(challenge)
|
||||
DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
|
||||
end
|
||||
|
||||
it "updates last_used when the security key and params are valid" do
|
||||
|
16
spec/lib/discourse_webauthn/discourse_webauthn_spec.rb
Normal file
16
spec/lib/discourse_webauthn/discourse_webauthn_spec.rb
Normal file
@ -0,0 +1,16 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
RSpec.describe DiscourseWebauthn do
|
||||
describe "#origin" do
|
||||
it "returns the current hostname" do
|
||||
expect(DiscourseWebauthn.origin).to eq("http://test.localhost")
|
||||
end
|
||||
|
||||
context "with subfolder" do
|
||||
it "does not append /forum to origin" do
|
||||
set_subfolder "/forum"
|
||||
expect(DiscourseWebauthn.origin).to eq("http://test.localhost")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
@ -7,7 +7,7 @@ RSpec.describe DiscourseWebauthn::RegistrationService do
|
||||
let(:secure_session) { SecureSession.new("tester") }
|
||||
let(:client_data_challenge) { Base64.encode64(challenge) }
|
||||
let(:client_data_webauthn_type) { "webauthn.create" }
|
||||
let(:client_data_origin) { "http://localhost:3000" }
|
||||
let(:client_data_origin) { "http://test.localhost" }
|
||||
let(:client_data_param) do
|
||||
{
|
||||
challenge: client_data_challenge,
|
||||
|
@ -403,6 +403,7 @@ RSpec.describe SessionController do
|
||||
|
||||
before do
|
||||
simulate_localhost_webauthn_challenge
|
||||
DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
|
||||
|
||||
# store challenge in secure session by visiting the email login page
|
||||
get "/session/email-login/#{email_token.token}.json"
|
||||
@ -422,6 +423,7 @@ RSpec.describe SessionController do
|
||||
expect(response_body["error"]).to eq(I18n.t("login.not_enabled_second_factor_method"))
|
||||
end
|
||||
end
|
||||
|
||||
context "when the security key params are invalid" do
|
||||
it "shows an error message and denies login" do
|
||||
post "/session/email-login/#{email_token.token}.json",
|
||||
@ -442,6 +444,7 @@ RSpec.describe SessionController do
|
||||
expect(response_body["error"]).to eq(I18n.t("webauthn.validation.not_found_error"))
|
||||
end
|
||||
end
|
||||
|
||||
context "when the security key params are valid" do
|
||||
it "logs the user in" do
|
||||
post "/session/email-login/#{email_token.token}.json",
|
||||
@ -2021,6 +2024,7 @@ RSpec.describe SessionController do
|
||||
|
||||
before do
|
||||
simulate_localhost_webauthn_challenge
|
||||
DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
|
||||
|
||||
# store challenge in secure session by failing login once
|
||||
post "/session.json", params: { login: user.username, password: "myawesomepassword" }
|
||||
@ -3097,6 +3101,8 @@ RSpec.describe SessionController do
|
||||
end
|
||||
|
||||
describe "#passkey_login" do
|
||||
before { DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000") }
|
||||
|
||||
it "returns 404 if feature is not enabled" do
|
||||
SiteSetting.enable_passkeys = false
|
||||
|
||||
|
@ -438,6 +438,7 @@ RSpec.describe UsersController do
|
||||
|
||||
before do
|
||||
simulate_localhost_webauthn_challenge
|
||||
DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
|
||||
|
||||
# store challenge in secure session by visiting the email login page
|
||||
get "/u/password-reset/#{email_token.token}"
|
||||
@ -5824,9 +5825,13 @@ RSpec.describe UsersController do
|
||||
end
|
||||
|
||||
describe "#register_second_factor_security_key" do
|
||||
before do
|
||||
simulate_localhost_webauthn_challenge
|
||||
DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
|
||||
end
|
||||
|
||||
context "when creation parameters are valid" do
|
||||
it "creates a security key for the user" do
|
||||
simulate_localhost_webauthn_challenge
|
||||
create_second_factor_security_key
|
||||
_response_parsed = response.parsed_body
|
||||
|
||||
@ -5841,7 +5846,6 @@ RSpec.describe UsersController do
|
||||
end
|
||||
|
||||
it "doesn't allow creating too many security keys" do
|
||||
simulate_localhost_webauthn_challenge
|
||||
create_second_factor_security_key
|
||||
_response_parsed = response.parsed_body
|
||||
|
||||
@ -5859,7 +5863,6 @@ RSpec.describe UsersController do
|
||||
end
|
||||
|
||||
it "doesn't allow the security key name to exceed the limit" do
|
||||
simulate_localhost_webauthn_challenge
|
||||
create_second_factor_security_key
|
||||
_response_parsed = response.parsed_body
|
||||
|
||||
@ -6076,7 +6079,10 @@ RSpec.describe UsersController do
|
||||
end
|
||||
|
||||
describe "#register_passkey" do
|
||||
before { SiteSetting.enable_passkeys = true }
|
||||
before do
|
||||
SiteSetting.enable_passkeys = true
|
||||
DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
|
||||
end
|
||||
|
||||
it "fails if user is not logged in" do
|
||||
stub_secure_session_confirmed
|
||||
@ -6445,8 +6451,12 @@ RSpec.describe UsersController do
|
||||
)
|
||||
end
|
||||
|
||||
it "returns a successful response for the correct user" do
|
||||
before do
|
||||
DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
|
||||
simulate_localhost_passkey_challenge
|
||||
end
|
||||
|
||||
it "returns a successful response for the correct user" do
|
||||
user1.create_or_fetch_secure_identifier
|
||||
|
||||
post "/u/confirm-session.json",
|
||||
@ -6463,7 +6473,6 @@ RSpec.describe UsersController do
|
||||
|
||||
it "returns invalid response when key belongs to a different user" do
|
||||
sign_in(user2)
|
||||
simulate_localhost_passkey_challenge
|
||||
user2.create_or_fetch_secure_identifier
|
||||
|
||||
post "/u/confirm-session.json",
|
||||
|
Loading…
Reference in New Issue
Block a user