First release
This commit is contained in:
Italo
79
src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php
Normal file
79
src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php
Normal file
@@ -0,0 +1,79 @@
|
||||
<?php
|
||||
|
||||
namespace Laragear\WebAuthn\Assertion\Validator\Pipes;
|
||||
|
||||
use Closure;
|
||||
use Laragear\WebAuthn\Assertion\Validator\AssertionValidation;
|
||||
use Laragear\WebAuthn\Exceptions\AssertionException;
|
||||
use Ramsey\Uuid\Uuid;
|
||||
use function hash_equals;
|
||||
|
||||
/**
|
||||
* 6. Identify the user being authenticated and verify that this user is the owner of the public
|
||||
* key credential source credentialSource identified by credential.id:
|
||||
*
|
||||
* - If the user was identified before the authentication ceremony was initiated, e.g., via a
|
||||
* username or cookie, verify that the identified user is the owner of credentialSource. If
|
||||
* response.userHandle is present, let userHandle be its value. Verify that userHandle also
|
||||
* maps to the same user.
|
||||
*
|
||||
* - If the user was not identified before the authentication ceremony was initiated, verify
|
||||
* that response.userHandle is present, and that the user identified by this value is the
|
||||
* owner of credentialSource.
|
||||
*
|
||||
* @internal
|
||||
*/
|
||||
class CheckCredentialIsForUser
|
||||
{
|
||||
/**
|
||||
* Handle the incoming Assertion Validation.
|
||||
*
|
||||
* @param \Laragear\WebAuthn\Assertion\Validator\AssertionValidation $validation
|
||||
* @param \Closure $next
|
||||
* @return mixed
|
||||
* @throws \Laragear\WebAuthn\Exceptions\AssertionException
|
||||
*/
|
||||
public function handle(AssertionValidation $validation, Closure $next): mixed
|
||||
{
|
||||
if ($validation->user) {
|
||||
$this->validateUser($validation);
|
||||
|
||||
if ($validation->request->json('response.userHandle')) {
|
||||
$this->validateId($validation);
|
||||
}
|
||||
} else {
|
||||
$this->validateId($validation);
|
||||
}
|
||||
|
||||
return $next($validation);
|
||||
}
|
||||
|
||||
/**
|
||||
* Validate the user owns the Credential if it already exists in the validation procedure.
|
||||
*
|
||||
* @param \Laragear\WebAuthn\Assertion\Validator\AssertionValidation $validation
|
||||
* @return void
|
||||
*/
|
||||
protected function validateUser(AssertionValidation $validation): void
|
||||
{
|
||||
if ($validation->credential->authenticatable()->isNot($validation->user)) {
|
||||
throw AssertionException::make('User is not owner of the stored credential.');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Validate the user ID of the response.
|
||||
*
|
||||
* @param \Laragear\WebAuthn\Assertion\Validator\AssertionValidation $validation
|
||||
* @return void
|
||||
*/
|
||||
protected function validateId(AssertionValidation $validation): void
|
||||
{
|
||||
$handle = $validation->request->json('response.userHandle');
|
||||
|
||||
if (! $handle || ! hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle)) {
|
||||
throw AssertionException::make('User ID is not owner of the stored credential.');
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user