Support cross-origin authentication verification#759
Conversation
| } | ||
| }); | ||
|
|
||
| Deno.test('should NOT check topOrigin when crossOrigin is false', async () => { |
There was a problem hiding this comment.
This test is an interesting one. According to the spec, topOrigin should only be set if crossOrigin is true:
It is set only if the call was made from context that is not same-origin with its ancestors, i.e. if crossOrigin is true.
https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin
Based on this I'd actually make the new code error out if crossOrigin is false but there's a topOrigin defined in clientDataJSON 🤔
There was a problem hiding this comment.
Fixed. Please have a look.
…e.ts Co-authored-by: Matthew Miller <matthew@millerti.me>
…e.ts Co-authored-by: Matthew Miller <matthew@millerti.me>
…raints in verifyAuthenticationResponse
MasterKale
left a comment
MasterKale
left a comment
There was a problem hiding this comment.
@agektmr I'm so sorry for taking so long to respond. I think this PR is really close to getting merged. I had a few proposed changes I'd like you to consider first.
…e.ts Co-authored-by: Matthew Miller <matthew@millerti.me>
|
@MasterKale the suggestion looks great. Thank you! |
…origin behavior and refine cross-origin error messages
MasterKale
left a comment
MasterKale
left a comment
There was a problem hiding this comment.
Sorry for the delay, this looks great. I want to roll this out as a new feautre with the v14.0.0 milestone (https://github.com/MasterKale/SimpleWebAuthn/milestone/54) so please bear with me as I coordinate development of another feature or two before rolling this out 🙇♂️
2 participants
To support cross-origin authentication on SimpleWebAuthn, this pull request adds the following to the
verifyAuthenticationResponse.ts:expectedTopOriginproperty to theoptionscrossOriginistrueorfalsetopOriginmeets the expectation