From e8259791f0f939857439197bb8fdc76d88078617 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Tue, 23 Feb 2021 23:39:00 +0100 Subject: [PATCH] stages/authenticator_webauthn: fix rp_id and origin generation --- authentik/stages/authenticator_webauthn/stage.py | 10 +++++----- authentik/stages/authenticator_webauthn/utils.py | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/authentik/stages/authenticator_webauthn/stage.py b/authentik/stages/authenticator_webauthn/stage.py index 1b3ff2bfb..305f8a106 100644 --- a/authentik/stages/authenticator_webauthn/stage.py +++ b/authentik/stages/authenticator_webauthn/stage.py @@ -18,7 +18,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER from authentik.flows.stage import ChallengeStageView from authentik.lib.templatetags.authentik_utils import avatar from authentik.stages.authenticator_webauthn.models import WebAuthnDevice -from authentik.stages.authenticator_webauthn.utils import generate_challenge +from authentik.stages.authenticator_webauthn.utils import generate_challenge, get_origin, get_rp_id RP_NAME = "authentik" @@ -52,8 +52,8 @@ class AuthenticatorWebAuthnChallengeResponse(ChallengeResponse): none_attestation_permitted = True webauthn_registration_response = WebAuthnRegistrationResponse( - self.request.get_host(), - self.request.build_absolute_uri("/"), + get_rp_id(self.request), + get_origin(self.request), response, challenge, trusted_attestation_cert_required=trusted_attestation_cert_required, @@ -110,7 +110,7 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView): make_credential_options = WebAuthnMakeCredentialOptions( challenge, RP_NAME, - self.request.get_host(), + get_rp_id(self.request), user.uid, user.username, user.name, @@ -154,7 +154,7 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView): public_key=webauthn_credential.public_key, credential_id=webauthn_credential.credential_id, sign_count=webauthn_credential.sign_count, - rp_id=self.request.get_host(), + rp_id=get_rp_id(self.request), ) else: return self.executor.stage_invalid( diff --git a/authentik/stages/authenticator_webauthn/utils.py b/authentik/stages/authenticator_webauthn/utils.py index 217f685e4..6c0509e07 100644 --- a/authentik/stages/authenticator_webauthn/utils.py +++ b/authentik/stages/authenticator_webauthn/utils.py @@ -1,6 +1,7 @@ """webauthn utils""" import base64 import os +from django.http import HttpRequest CHALLENGE_DEFAULT_BYTE_LEN = 32 @@ -21,3 +22,16 @@ def generate_challenge(challenge_len=CHALLENGE_DEFAULT_BYTE_LEN): if not isinstance(challenge_base64, str): challenge_base64 = challenge_base64.decode("utf-8") return challenge_base64 + +def get_rp_id(request: HttpRequest) -> str: + """Get hostname from http request, without port""" + host = request.get_host() + if ":" in host: + return host.split(":")[0] + return host + +def get_origin(request: HttpRequest) -> str: + """Return Origin by building an absolute URL and removing the + trailing slash""" + full_url = request.build_absolute_uri("/") + return full_url[:-1]