FIX: Webauthn origin was incorrect for subfolder setups (#25651)

2025-02-25 18:55:32 -06:00 · 2024-02-12 16:27:24 -05:00
parent 7eb1215cb1
commit 021a02c3d8
7 changed files with 44 additions and 11 deletions
--- a/spec/lib/concern/second_factor_manager_spec.rb
+++ b/spec/lib/concern/second_factor_manager_spec.rb
@@ -183,6 +183,7 @@ RSpec.describe SecondFactorManager do
        disable_totp
        simulate_localhost_webauthn_challenge
        DiscourseWebauthn.stage_challenge(user, secure_session)
+        DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
      end

      context "when security key params are valid" do
@@ -265,6 +266,7 @@ RSpec.describe SecondFactorManager do
      before do
        simulate_localhost_webauthn_challenge
        DiscourseWebauthn.stage_challenge(user, secure_session)
+        DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
      end

      context "when method selected is invalid" do
--- a/spec/lib/discourse_webauthn/authentication_service_spec.rb
+++ b/spec/lib/discourse_webauthn/authentication_service_spec.rb
@@ -97,8 +97,10 @@ RSpec.describe DiscourseWebauthn::AuthenticationService do
  let(:current_user) { Fabricate(:user) }

  before do
-    # we have to stub here because the public key was created using this specific challenge
+    # we have to stub here because the test public key was created
+    # using this specific challenge and this origin
    DiscourseWebauthn.stubs(:challenge).returns(challenge)
+    DiscourseWebauthn.stubs(:origin).returns("http://localhost:3000")
  end

  it "updates last_used when the security key and params are valid" do
--- a/spec/lib/discourse_webauthn/discourse_webauthn_spec.rb
+++ b/spec/lib/discourse_webauthn/discourse_webauthn_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+RSpec.describe DiscourseWebauthn do
+  describe "#origin" do
+    it "returns the current hostname" do
+      expect(DiscourseWebauthn.origin).to eq("http://test.localhost")
+    end
+
+    context "with subfolder" do
+      it "does not append /forum to origin" do
+        set_subfolder "/forum"
+        expect(DiscourseWebauthn.origin).to eq("http://test.localhost")
+      end
+    end
+  end
+end
--- a/spec/lib/discourse_webauthn/registration_service_spec.rb
+++ b/spec/lib/discourse_webauthn/registration_service_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe DiscourseWebauthn::RegistrationService do
  let(:secure_session) { SecureSession.new("tester") }
  let(:client_data_challenge) { Base64.encode64(challenge) }
  let(:client_data_webauthn_type) { "webauthn.create" }
-  let(:client_data_origin) { "http://localhost:3000" }
+  let(:client_data_origin) { "http://test.localhost" }
  let(:client_data_param) do
    {
      challenge: client_data_challenge,