trustchain-oc1-orchestral/authentik
Archived
10
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

ATH-01-010: rework

Browse source 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2023-06-16 15:16:05 +02:00
parent 7e75a48fd0
commit 8392916c84
No known key found for this signature in database
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
authentik/stages/authenticator_validate/challenge.py
View file

@ -131,9 +131,15 @@ def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -
challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE) challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
credential_id = data.get("id") credential_id = data.get("id")
device = WebAuthnDevice.objects.filter(credential_id=credential_id, user=user).first() device = WebAuthnDevice.objects.filter(credential_id=credential_id).first()
if not device: if not device:
raise ValidationError("Invalid device") raise ValidationError("Invalid device")
# We can only check the device's user if the user we're given isn't anonymous
# as this validation is also used for password-less login where webauthn is the very first
# step done by a user. Only if this validation happens at a later stage we can check
# that the device belongs to the user
if not user.is_anonymous and device.user != user:
raise ValidationError("Invalid device")
stage: AuthenticatorValidateStage = stage_view.executor.current_stage stage: AuthenticatorValidateStage = stage_view.executor.current_stage