feat:allow multiple origins

* add a possibility to set `allowed_origins` configuration option that would be an alternative to `origin`

Author: Vitalii Tereshchenko

lib/webauthn/authenticator_response.rb

@@ -25,7 +25,7 @@ def initialize(client_data_json:, relying_party: WebAuthn.configuration.relying_
     end
 
     def verify(expected_challenge, expected_origin = nil, user_verification: nil, rp_id: nil)
-      expected_origin ||= relying_party.origin || raise("Unspecified expected origin")
+      expected_origin ||= relying_party.origin || relying_party.allowed_origins || raise("Unspecified expected origin")
       rp_id ||= relying_party.id
 
       verify_item(:type)

lib/webauthn/configuration.rb

@@ -22,6 +22,8 @@ class Configuration
                    :encoding=,
                    :origin,
                    :origin=,
+                   :allowed_origins,
+                   :allowed_origins=,
                    :verify_attestation_statement,
                    :verify_attestation_statement=,
                    :credential_options_timeout,

lib/webauthn/relying_party.rb

@@ -18,6 +18,7 @@ def self.if_pss_supported(algorithm)
     def initialize(
       algorithms: DEFAULT_ALGORITHMS.dup,
       encoding: WebAuthn::Encoder::STANDARD_ENCODING,
+      allowed_origins: nil,
       origin: nil,
       id: nil,
       name: nil,
@@ -31,6 +32,7 @@ def initialize(
       @algorithms = algorithms
       @encoding = encoding
       @origin = origin
+      @allowed_origins = allowed_origins.nil? ? [origin] : allowed_origins
       @id = id
       @name = name
       @verify_attestation_statement = verify_attestation_statement
@@ -43,6 +45,7 @@ def initialize(
 
     attr_accessor :algorithms,
                   :encoding,
+                  :allowed_origins,
                   :origin,
                   :id,
                   :name,

spec/webauthn/authenticator_attestation_response_spec.rb

@@ -39,7 +39,7 @@
     end
 
     before do
-      WebAuthn.configuration.origin = allowed_origins
+      WebAuthn.configuration.allowed_origins = allowed_origins
     end
   end
 
@@ -49,7 +49,7 @@
     end
   end
 
-  shared_examples "is valid and verifies" do
+  shared_examples "a valid attestation response" do
     it "verifies" do
       expect(attestation_response.verify(original_challenge)).to be_truthy
     end
@@ -63,7 +63,7 @@
     context "when there is a single origin" do
       include_context "with a single origin"
 
-      it_behaves_like "is valid and verifies"
+      it_behaves_like "a valid attestation response"
 
       # TODO: let FakeClient#create recieve a fixed credential
       # https://github.com/cedarcode/webauthn-ruby/pull/302#discussion_r365338434
@@ -83,7 +83,7 @@
       context "when rp_id is set explicitly" do
         include_context "with rp_id set to", "localhost"
 
-        it_behaves_like "is valid and verifies"
+        it_behaves_like "a valid attestation response"
 
         # TODO: let FakeClient#create recieve a fixed credential
         # https://github.com/cedarcode/webauthn-ruby/pull/302#discussion_r365338434
@@ -100,11 +100,11 @@
       context "when rp_id is not set explicitly" do
         include_context "with rp_id set to", nil
 
-        it "verifies" do
+        it "raises error" do
           expect { attestation_response.verify(original_challenge) }.to raise_error(WebAuthn::RpIdVerificationError)
         end
 
-        it "is valid" do
+        it "is not valid" do
           expect(attestation_response.valid?(original_challenge)).to be_falsey
         end
 
@@ -145,7 +145,7 @@
         WebAuthn.configuration.attestation_root_certificates_finders = finder_for('feitian_ft_fido_0200.pem')
       end
 
-      it_behaves_like "is valid and verifies"
+      it_behaves_like "a valid attestation response"
 
       it "returns attestation info" do
         attestation_response.valid?(original_challenge)
@@ -171,17 +171,17 @@
       context "when rp_id is set explicitly" do
         include_context "with rp_id set to", "localhost"
 
-        it_behaves_like "is valid and verifies"
+        it_behaves_like "a valid attestation response"
       end
 
       context "when rp_id is not set explicitly" do
         include_context "with rp_id set to", nil
 
-        it "verifies" do
+        it "raises error" do
           expect { attestation_response.verify(original_challenge) }.to raise_error(WebAuthn::RpIdVerificationError)
         end
 
-        it "is valid" do
+        it "is not valid" do
           expect(attestation_response.valid?(original_challenge)).to be_falsey
         end
       end
@@ -208,7 +208,7 @@
       )
     end
 
-    it_behaves_like "is valid and verifies"
+    it_behaves_like "a valid attestation response"
 
     it "returns attestation info" do
       attestation_response.valid?(original_challenge)
@@ -250,7 +250,7 @@
       WebAuthn.configuration.attestation_root_certificates_finders = finder_for('yubico_u2f_root.pem')
     end
 
-    it_behaves_like "is valid and verifies"
+    it_behaves_like "a valid attestation response"
 
     it "returns attestation info" do
       attestation_response.valid?(original_challenge)
@@ -350,7 +350,7 @@
       allow(attestation_response.attestation_statement).to receive(:time).and_return(time)
     end
 
-    it_behaves_like "is valid and verifies"
+    it_behaves_like "a valid attestation response"
 
     it "returns attestation info" do
       attestation_response.valid?(original_challenge)
@@ -391,7 +391,7 @@
 
       include_context "with a single origin"
 
-      it_behaves_like "is valid and verifies"
+      it_behaves_like "a valid attestation response"
 
       it "returns attestation info" do
         attestation_response.valid?(original_challenge)
@@ -423,7 +423,7 @@
       context "when rp_id is set explicitly" do
         include_context "with rp_id set to", "localhost"
 
-        it_behaves_like "is valid and verifies"
+        it_behaves_like "a valid attestation response"
 
         it "returns attestation info" do
           attestation_response.valid?(original_challenge)
@@ -444,11 +444,11 @@
       context "when rp_id is not set explicitly" do
         include_context "with rp_id set to", nil
 
-        it "verifies" do
+        it "raises error" do
           expect { attestation_response.verify(original_challenge) }.to raise_error(WebAuthn::RpIdVerificationError)
         end
 
-        it "is valid" do
+        it "is not valid" do
           expect(attestation_response.valid?(original_challenge)).to be_falsey
         end
       end
@@ -479,7 +479,7 @@
       fake_certificate_chain_validation_time(attestation_response.attestation_statement, Time.parse("2021-02-23"))
     end
 
-    it_behaves_like "is valid and verifies"
+    it_behaves_like "a valid attestation response"
 
     it "returns attestation info" do
       attestation_response.valid?(original_challenge)
@@ -527,7 +527,7 @@
     context "matches the default one" do
       let(:actual_origin) { "http://localhost" }
 
-      it_behaves_like "is valid and verifies"
+      it_behaves_like "a valid attestation response"
     end
 
     context "doesn't match the default one" do
@@ -563,7 +563,7 @@
     context "matches the default one" do
       let(:rp_id) { "localhost" }
 
-      it_behaves_like "is valid and verifies"
+      it_behaves_like "a valid attestation response"
     end
 
     context "doesn't match the default one" do
@@ -587,7 +587,7 @@
         WebAuthn.configuration.rp_id = rp_id
       end
 
-      it_behaves_like "is valid and verifies"
+      it_behaves_like "a valid attestation response"
     end
   end
 
@@ -690,7 +690,7 @@
         WebAuthn.configuration.verify_attestation_statement = true
       end
 
-      it "verifies the attestation statement" do
+      it "raises error" do
         expect { attestation_response.verify(original_challenge) }.to raise_error(OpenSSL::PKey::PKeyError)
       end
     end