81 lines
2.7 KiB
PHP
81 lines
2.7 KiB
PHP
<?php
|
|
|
|
namespace Laragear\WebAuthn\Assertion\Validator\Pipes;
|
|
|
|
use Closure;
|
|
use Laragear\WebAuthn\Assertion\Validator\AssertionValidation;
|
|
use Laragear\WebAuthn\Exceptions\AssertionException;
|
|
use Ramsey\Uuid\Uuid;
|
|
use function hash_equals;
|
|
|
|
/**
|
|
* 6. Identify the user being authenticated and verify that this user is the owner of the public
|
|
* key credential source credentialSource identified by credential.id:
|
|
*
|
|
* - If the user was identified before the authentication ceremony was initiated, e.g., via a
|
|
* username or cookie, verify that the identified user is the owner of credentialSource. If
|
|
* response.userHandle is present, let userHandle be its value. Verify that userHandle also
|
|
* maps to the same user.
|
|
*
|
|
* - If the user was not identified before the authentication ceremony was initiated, verify
|
|
* that response.userHandle is present, and that the user identified by this value is the
|
|
* owner of credentialSource.
|
|
*
|
|
* @internal
|
|
*/
|
|
class CheckCredentialIsForUser
|
|
{
|
|
/**
|
|
* Handle the incoming Assertion Validation.
|
|
*
|
|
* @param \Laragear\WebAuthn\Assertion\Validator\AssertionValidation $validation
|
|
* @param \Closure $next
|
|
* @return mixed
|
|
* @throws \Laragear\WebAuthn\Exceptions\AssertionException
|
|
*/
|
|
public function handle(AssertionValidation $validation, Closure $next): mixed
|
|
{
|
|
if ($validation->user) {
|
|
$this->validateUser($validation);
|
|
|
|
if ($validation->request->json('response.userHandle')) {
|
|
$this->validateId($validation);
|
|
}
|
|
} else {
|
|
$this->validateId($validation);
|
|
}
|
|
|
|
return $next($validation);
|
|
}
|
|
|
|
/**
|
|
* Validate the user owns the Credential if it already exists in the validation procedure.
|
|
*
|
|
* @param \Laragear\WebAuthn\Assertion\Validator\AssertionValidation $validation
|
|
* @return void
|
|
*/
|
|
protected function validateUser(AssertionValidation $validation): void
|
|
{
|
|
// @phpstan-ignore-next-line
|
|
if ($validation->credential->authenticatable()->isNot($validation->user)) {
|
|
throw AssertionException::make('User is not owner of the stored credential.');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Validate the user ID of the response.
|
|
*
|
|
* @param \Laragear\WebAuthn\Assertion\Validator\AssertionValidation $validation
|
|
* @return void
|
|
*/
|
|
protected function validateId(AssertionValidation $validation): void
|
|
{
|
|
$handle = $validation->request->json('response.userHandle');
|
|
|
|
if (! $handle || ! hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle)) {
|
|
throw AssertionException::make('User ID is not owner of the stored credential.');
|
|
}
|
|
}
|
|
|
|
}
|