mirror of
https://github.com/we-promise/sure.git
synced 2026-05-10 14:15:01 +00:00
911aa34ba9
* feat(auth): add WebAuthn MFA credentials * fix(auth): harden WebAuthn MFA review paths * fix(auth): polish WebAuthn error handling * fix(auth): handle duplicate WebAuthn credential races * fix(auth): permit WebAuthn credential params * fix(auth): trim WebAuthn registration controller cleanup * fix(auth): tighten WebAuthn MFA handling * fix(auth): pin WebAuthn relying party config
32 lines
1.0 KiB
Ruby
32 lines
1.0 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module WebauthnRelyingParty
|
|
extend ActiveSupport::Concern
|
|
|
|
private
|
|
def webauthn_relying_party
|
|
webauthn_config = Rails.application.config.x.webauthn
|
|
|
|
WebAuthn::RelyingParty.new(
|
|
name: "Sure",
|
|
id: webauthn_config.rp_id,
|
|
allowed_origins: webauthn_config.allowed_origins,
|
|
# Accept consumer passkeys/security keys without attesting device vendor
|
|
# identity; this keeps MFA registration broad for self-hosted users.
|
|
verify_attestation_statement: false
|
|
)
|
|
end
|
|
|
|
def webauthn_credential_payload
|
|
payload = params.require(:credential)
|
|
payload = JSON.parse(payload) if payload.is_a?(String)
|
|
|
|
payload = payload.to_unsafe_h if payload.respond_to?(:to_unsafe_h)
|
|
raise ActionController::BadRequest, "credential must be an object" unless payload.is_a?(Hash)
|
|
|
|
payload
|
|
rescue JSON::ParserError, TypeError, ArgumentError
|
|
raise ActionController::BadRequest, "invalid credential payload"
|
|
end
|
|
end
|