fix: fix CredentialAssertionValidator (#447)

asbiin · web-flow · commit 7ea4c1da7d88 · 2023-09-06T15:51:35.000+02:00
diff --git a/src/Services/Webauthn/CredentialAssertionValidator.php b/src/Services/Webauthn/CredentialAssertionValidator.php
@@ -6,7 +6,8 @@
 use Illuminate\Contracts\Cache\Repository as Cache;
 use Illuminate\Http\Request;
 use LaravelWebauthn\Exceptions\ResponseMismatchException;
-use Psr\Http\Message\ServerRequestInterface;
+use LaravelWebauthn\Services\Webauthn;
+use ParagonIE\ConstantTime\Base64UrlSafe;
 use Webauthn\AuthenticatorAssertionResponse;
 use Webauthn\AuthenticatorAssertionResponseValidator;
 use Webauthn\PublicKeyCredential;
@@ -18,7 +19,6 @@ class CredentialAssertionValidator extends CredentialValidator
     public function __construct(
         Request $request,
         Cache $cache,
-        protected ServerRequestInterface $serverRequest,
         protected PublicKeyCredentialLoader $loader,
         protected AuthenticatorAssertionResponseValidator $validator
     ) {
@@ -37,10 +37,10 @@ public function __invoke(User $user, array $data): bool
 
         // Check the response against the request
         $this->validator->check(
-            $publicKeyCredential->getRawId(),
+            $this->getCredentialSource($user, $publicKeyCredential),
             $this->getResponse($publicKeyCredential),
             $this->pullPublicKey($user),
-            $this->serverRequest,
+            $this->request->host(),
             $user->getAuthIdentifier()
         );
 
@@ -74,4 +74,19 @@ protected function getResponse(PublicKeyCredential $publicKeyCredential): Authen
 
         return $response;
     }
+
+    /**
+     * Get credential source from user and public key.
+     */
+    protected function getCredentialSource(User $user, PublicKeyCredential $publicKeyCredential)
+    {
+        $credentialId = $publicKeyCredential->getRawId();
+
+        return (Webauthn::model())::where('user_id', $user->getAuthIdentifier())
+            ->where(fn ($query) => $query->where('credentialId', Base64UrlSafe::encode($credentialId))
+                    ->orWhere('credentialId', Base64UrlSafe::encodeUnpadded($credentialId))
+            )
+            ->firstOrFail()
+            ->publicKeyCredentialSource;
+    }
 }
diff --git a/src/Services/Webauthn/CredentialAttestationValidator.php b/src/Services/Webauthn/CredentialAttestationValidator.php
@@ -6,7 +6,6 @@
 use Illuminate\Contracts\Cache\Repository as Cache;
 use Illuminate\Http\Request;
 use LaravelWebauthn\Exceptions\ResponseMismatchException;
-use Psr\Http\Message\ServerRequestInterface;
 use Webauthn\AuthenticatorAttestationResponse;
 use Webauthn\AuthenticatorAttestationResponseValidator;
 use Webauthn\PublicKeyCredential;
@@ -19,7 +18,6 @@ class CredentialAttestationValidator extends CredentialValidator
     public function __construct(
         Request $request,
         Cache $cache,
-        protected ServerRequestInterface $serverRequest,
         protected PublicKeyCredentialLoader $loader,
         protected AuthenticatorAttestationResponseValidator $validator
     ) {
@@ -40,7 +38,7 @@ public function __invoke(User $user, array $data): PublicKeyCredentialSource
         return $this->validator->check(
             $this->getResponse($publicKeyCredential),
             $this->pullPublicKey($user),
-            $this->serverRequest
+            $this->request->host()
         );
     }
 
diff --git a/tests/Unit/Services/WebauthnTest.php b/tests/Unit/Services/WebauthnTest.php
@@ -102,6 +102,7 @@ public function test_wrong_do_authenticate()
         $user = $this->signIn();
         factory(WebauthnKey::class)->create([
             'user_id' => $user->getAuthIdentifier(),
+            'credentialId' => '0',
         ]);
 
         $publicKey = $this->app[PrepareAssertionData::class]($user);
