@@ -25,15 +25,20 @@ def initialize(client_data_json:, relying_party: WebAuthn.configuration.relying_
2525 end
2626
2727 def verify ( expected_challenge , expected_origin = nil , user_verification : nil , rp_id : nil )
28- expected_origin ||= relying_party . origin || relying_party . allowed_origins || raise ( "Unspecified expected origin" )
28+ expected_origin ||= relying_party . allowed_origins || [ relying_party . origin ] || raise ( "Unspecified expected origin" )
2929 rp_id ||= relying_party . id
3030
3131 verify_item ( :type )
3232 verify_item ( :token_binding )
3333 verify_item ( :challenge , expected_challenge )
3434 verify_item ( :origin , expected_origin )
3535 verify_item ( :authenticator_data )
36- verify_item ( :rp_id , rp_id || rp_id_from_origin ( expected_origin ) )
36+
37+ # note: we are not trying to guess from 'expected_origin' since it is an array
38+ verify_item (
39+ :rp_id ,
40+ rp_id || rp_id_from_origin ( relying_party . origin )
41+ )
3742
3843 if !relying_party . silent_authentication
3944 verify_item ( :user_presence )
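Review bot: The fallback on the new line 28 makes the trailing `raise("Unspecified expected origin")` unreachable, because `[relying_party.origin]` is an Array and therefore truthy even when `origin` is nil; a relying party with neither `allowed_origins` nor `origin` configured now ends up with `expected_origin == [nil]` and fails later as an origin mismatch instead of with the intended configuration error, and an `allowed_origins` of `[]` likewise short-circuits before `origin` is consulted. I would write it as `expected_origin ||= relying_party.allowed_origins || Array(relying_party.origin)` followed by `raise "Unspecified expected origin" if expected_origin.empty?`, which keeps the error for the unconfigured case and also covers the empty-array case. The new `rp_id_from_origin(relying_party.origin)` call on line 40 also receives nil when only `allowed_origins` is configured and no `rp_id` is given; whether that helper tolerates nil is not visible here, so it is worth confirming. The body of `verify` continues past the end of this hunk.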
@@ -83,17 +88,12 @@ def valid_challenge?(expected_challenge)
8388 end
8489
8590 # @return [Boolean]
86- # @param [String, Array<String>] expected_origin
87- # Validate if origin configured for RP is matching the one received from client
91+ # @param [Array<String>] expected_origin
92+ # Validate if one of the allowed origins configured for RP is matching the one received from client
8893 def valid_origin? ( expected_origin )
8994 return false unless expected_origin
9095
91- case expected_origin
92- when Array
93- expected_origin . include? ( client_data . origin ) # allow multiple origins as per spec
94- else
95- client_data . origin == expected_origin # keep the default behaviour for backwards compatibility
96- end
96+ expected_origin . include? ( client_data . origin )
9797 end
9898
9999 # @return [Boolean]
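Review bot: The new line 96 drops the String branch, but `verify` still takes `expected_origin` as an optional positional argument, so a caller passing a single origin string as before now reaches `String#include?`, which is a substring test: an expected origin of `"https://example.com"` would accept a client origin of `"example.com"` or `"https://example"`. That silently weakens the origin check for existing callers rather than rejecting the old input shape. Coercing first keeps the exact-match semantics for both shapes: `Array(expected_origin).include?(client_data.origin)`. The `@param [Array<String>]` doc on line 91 should then either mention that a single String is still accepted or the method should raise `ArgumentError` for non-Array input.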
@@ -120,6 +120,7 @@ def valid_user_verified?
120120 end
121121
122122 # @return [String, nil]
123+ # @param [Array[String]] expected_origin
123124 # Extract RP ID from origin in case rp_id is not provided explicitly
124125 # Note: In case origin is an array, we can not guess anymore since any guess would end up being wrong
125126 def rp_id_from_origin ( expected_origin )
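Review bot: The added `@param [Array[String]] expected_origin` on line 123 documents the wrong type: the only call site in this commit now passes `relying_party.origin`, a single origin, and the following note about "In case origin is an array" no longer describes what the caller does. YARD also spells collection types as `Array<String>`, not `Array[String]`. I would change the two doc lines to `# @param [String, nil] expected_origin` and `# Note: only a single origin can be used here; with several allowed origins any guess could be wrong, so the caller must pass rp_id explicitly`. The body of `rp_id_from_origin` lies outside the hunk, so whether it handles a nil argument is not visible here.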