6 Commits

Author SHA1 Message Date
Italo
2e420ba518 Merge pull request #30 from deibertf/1.x
Update webauthn.js to prevent wrong request urls
2023-02-15 22:18:36 -03:00
Italo
73502cea4e Use const, minor line break fix. 2023-02-15 22:16:02 -03:00
Felix Deibert
0b381551e0 Update webauthn.js 2023-02-16 00:34:39 +01:00
Felix Deibert
b0aa1974de Update webauthn.js 2023-02-16 00:10:01 +01:00
Italo
3291c57a3a Clarified hypothetical controllers 2023-01-19 11:55:21 -03:00
Italo
2ed7cdeff3 Minor clarification to WEBAUTHN_ID 2023-01-19 11:48:49 -03:00
2 changed files with 16 additions and 2 deletions


@@ -258,6 +258,8 @@ const webAuthn = new WebAuthn({}, {
Attestation is the _ceremony_ to create WebAuthn Credentials. To create an Attestable Response that the user device can understand, use the `AttestationRequest::toCreate()` form request. Attestation is the _ceremony_ to create WebAuthn Credentials. To create an Attestable Response that the user device can understand, use the `AttestationRequest::toCreate()` form request.
For example, we can create our own `AttestationController` to create it.
```php ```php
// app\Http\Controllers\WebAuthn\AttestationController.php // app\Http\Controllers\WebAuthn\AttestationController.php
use Laragear\WebAuthn\Http\Requests\AttestationRequest; use Laragear\WebAuthn\Http\Requests\AttestationRequest;
@@ -354,6 +356,8 @@ The Assertion procedure also follows a two-step procedure: the user will input i
First, use the `AssertionRequest::toVerify()` form request. It will automatically create an assertion for the user that matches the credentials, or a blank one in case you're using [userless login](#userlessone-touchtypeless-login). Otherwise, you may set stricter validation rules to always ask for credentials. First, use the `AssertionRequest::toVerify()` form request. It will automatically create an assertion for the user that matches the credentials, or a blank one in case you're using [userless login](#userlessone-touchtypeless-login). Otherwise, you may set stricter validation rules to always ask for credentials.
For example, we can use our own `AssertionController` to handle it.
```php ```php
// app\Http\Controllers\WebAuthn\AssertionController.php // app\Http\Controllers\WebAuthn\AssertionController.php
use Laragear\WebAuthn\Http\Requests\AssertionRequest; use Laragear\WebAuthn\Http\Requests\AssertionRequest;
@@ -573,10 +577,17 @@ return [
The _Relying Party_ is just a way to uniquely identify your application in the user device: The _Relying Party_ is just a way to uniquely identify your application in the user device:
* `name`: The name of the application. Defaults to the application name. * `name`: The name of the application. Defaults to the application name.
* `id`: An unique ID the application, like the site domain. If `null`, the device may fill it internally, usually as the full domain. * `id`: An unique ID the application, like the site URL. If `null`, the device _may_ fill it internally, usually as the full domain.
> WebAuthn authentication only work on the top domain it was registered. > WebAuthn authentication only work on the top domain it was registered.
Instead of modifying the config file, you should use the environment variables to set the name and ID for WebAuthn.
```dotenv
WEBAUTHN_NAME=SecureBank
WEBAUTHN_ID=https://auth.securebank.com
```
### Challenge configuration ### Challenge configuration
```php ```php


@@ -156,7 +156,9 @@ class WebAuthn {
* @returns {Promise<Response>} * @returns {Promise<Response>}
*/ */
#fetch(data, route, headers = {}) { #fetch(data, route, headers = {}) {
return fetch(route, { const url = new URL(route, window.location.origin).href;
return fetch(url, {
method: "POST", method: "POST",
credentials: this.#includeCredentials ? "include" : "same-origin", credentials: this.#includeCredentials ? "include" : "same-origin",
redirect: "error", redirect: "error",
@@ -313,6 +315,7 @@ class WebAuthn {
const publicKeyCredential = this.#parseOutgoingCredentials(credentials); const publicKeyCredential = this.#parseOutgoingCredentials(credentials);
Object.assign(publicKeyCredential, response); Object.assign(publicKeyCredential, response);
Object.assign(publicKeyCredential, request);
return await this.#fetch(publicKeyCredential, this.#routes.register).then(WebAuthn.#handleResponse); return await this.#fetch(publicKeyCredential, this.#routes.register).then(WebAuthn.#handleResponse);
} }
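Review bot: The added `Object.assign(publicKeyCredential, request);` runs last, so any key in `request` that collides with a field produced by `#parseOutgoingCredentials` (or with a key already merged from `response`) silently replaces it in the body posted to `this.#routes.register`. The shapes of `request` and `response` are not visible in this hunk, so this is a robustness concern rather than a confirmed bug, but the credential fields are what the server has to verify and should take precedence over caller-supplied extras. Merging in the other direction keeps them intact: `const payload = { ...request, ...response, ...publicKeyCredential };`, then pass `payload` to `#fetch`. The enclosing method starts outside the hunk.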