core: bump webauthn from 1.11.1 to 2.0.0 (#8134)
* core: bump webauthn from 1.11.1 to 2.0.0 Bumps [webauthn](https://github.com/duo-labs/py_webauthn) from 1.11.1 to 2.0.0. - [Release notes](https://github.com/duo-labs/py_webauthn/releases) - [Changelog](https://github.com/duo-labs/py_webauthn/blob/master/CHANGELOG.md) - [Commits](https://github.com/duo-labs/py_webauthn/compare/v1.11.1...v2.0.0) --- updated-dependencies: - dependency-name: webauthn dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * fix? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * actually fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
be66ee52cd
commit
f77c2e8254
|
@ -1,4 +1,5 @@
|
|||
"""Validation stage challenge checking"""
|
||||
from json import loads
|
||||
from typing import Optional
|
||||
from urllib.parse import urlencode
|
||||
|
||||
|
@ -10,11 +11,12 @@ from django.utils.translation import gettext_lazy as _
|
|||
from rest_framework.fields import CharField
|
||||
from rest_framework.serializers import ValidationError
|
||||
from structlog.stdlib import get_logger
|
||||
from webauthn import options_to_json
|
||||
from webauthn.authentication.generate_authentication_options import generate_authentication_options
|
||||
from webauthn.authentication.verify_authentication_response import verify_authentication_response
|
||||
from webauthn.helpers.base64url_to_bytes import base64url_to_bytes
|
||||
from webauthn.helpers.exceptions import InvalidAuthenticationResponse
|
||||
from webauthn.helpers.structs import AuthenticationCredential
|
||||
from webauthn.helpers.structs import UserVerificationRequirement
|
||||
|
||||
from authentik.core.api.utils import JSONDictField, PassiveSerializer
|
||||
from authentik.core.models import Application, User
|
||||
|
@ -66,12 +68,7 @@ def get_webauthn_challenge_without_user(
|
|||
)
|
||||
request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = authentication_options.challenge
|
||||
|
||||
return authentication_options.model_dump(
|
||||
mode="json",
|
||||
by_alias=True,
|
||||
exclude_unset=False,
|
||||
exclude_none=True,
|
||||
)
|
||||
return loads(options_to_json(authentication_options))
|
||||
|
||||
|
||||
def get_webauthn_challenge(
|
||||
|
@ -91,17 +88,12 @@ def get_webauthn_challenge(
|
|||
authentication_options = generate_authentication_options(
|
||||
rp_id=get_rp_id(request),
|
||||
allow_credentials=allowed_credentials,
|
||||
user_verification=stage.webauthn_user_verification,
|
||||
user_verification=UserVerificationRequirement(stage.webauthn_user_verification),
|
||||
)
|
||||
|
||||
request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = authentication_options.challenge
|
||||
|
||||
return authentication_options.model_dump(
|
||||
mode="json",
|
||||
by_alias=True,
|
||||
exclude_unset=False,
|
||||
exclude_none=True,
|
||||
)
|
||||
return loads(options_to_json(authentication_options))
|
||||
|
||||
|
||||
def select_challenge(request: HttpRequest, device: Device):
|
||||
|
@ -152,7 +144,7 @@ def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -
|
|||
|
||||
try:
|
||||
authentication_verification = verify_authentication_response(
|
||||
credential=AuthenticationCredential.model_validate(data),
|
||||
credential=data,
|
||||
expected_challenge=challenge,
|
||||
expected_rp_id=get_rp_id(request),
|
||||
expected_origin=get_origin(request),
|
||||
|
|
|
@ -1,14 +1,18 @@
|
|||
"""WebAuthn stage"""
|
||||
from json import loads
|
||||
|
||||
from django.http import HttpRequest, HttpResponse
|
||||
from django.http.request import QueryDict
|
||||
from rest_framework.fields import CharField
|
||||
from rest_framework.serializers import ValidationError
|
||||
from webauthn import options_to_json
|
||||
from webauthn.helpers.bytes_to_base64url import bytes_to_base64url
|
||||
from webauthn.helpers.exceptions import InvalidRegistrationResponse
|
||||
from webauthn.helpers.structs import (
|
||||
AuthenticatorSelectionCriteria,
|
||||
PublicKeyCredentialCreationOptions,
|
||||
RegistrationCredential,
|
||||
ResidentKeyRequirement,
|
||||
UserVerificationRequirement,
|
||||
)
|
||||
from webauthn.registration.generate_registration_options import generate_registration_options
|
||||
from webauthn.registration.verify_registration_response import (
|
||||
|
@ -53,7 +57,7 @@ class AuthenticatorWebAuthnChallengeResponse(ChallengeResponse):
|
|||
|
||||
try:
|
||||
registration: VerifiedRegistration = verify_registration_response(
|
||||
credential=RegistrationCredential.model_validate(response),
|
||||
credential=response,
|
||||
expected_challenge=challenge,
|
||||
expected_rp_id=get_rp_id(self.request),
|
||||
expected_origin=get_origin(self.request),
|
||||
|
@ -91,12 +95,12 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):
|
|||
registration_options: PublicKeyCredentialCreationOptions = generate_registration_options(
|
||||
rp_id=get_rp_id(self.request),
|
||||
rp_name=self.request.tenant.branding_title,
|
||||
user_id=user.uid,
|
||||
user_id=user.uid.encode("utf-8"),
|
||||
user_name=user.username,
|
||||
user_display_name=user.name,
|
||||
authenticator_selection=AuthenticatorSelectionCriteria(
|
||||
resident_key=str(stage.resident_key_requirement),
|
||||
user_verification=str(stage.user_verification),
|
||||
resident_key=ResidentKeyRequirement(str(stage.resident_key_requirement)),
|
||||
user_verification=UserVerificationRequirement(str(stage.user_verification)),
|
||||
authenticator_attachment=authenticator_attachment,
|
||||
),
|
||||
)
|
||||
|
@ -106,12 +110,7 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):
|
|||
return AuthenticatorWebAuthnChallenge(
|
||||
data={
|
||||
"type": ChallengeTypes.NATIVE.value,
|
||||
"registration": registration_options.model_dump(
|
||||
mode="json",
|
||||
by_alias=True,
|
||||
exclude_unset=False,
|
||||
exclude_none=True,
|
||||
),
|
||||
"registration": loads(options_to_json(registration_options)),
|
||||
}
|
||||
)
|
||||
|
||||
|
|
11
poetry.lock
generated
11
poetry.lock
generated
|
@ -4153,21 +4153,20 @@ files = [
|
|||
|
||||
[[package]]
|
||||
name = "webauthn"
|
||||
version = "1.11.1"
|
||||
version = "2.0.0"
|
||||
description = "Pythonic WebAuthn"
|
||||
optional = false
|
||||
python-versions = "*"
|
||||
files = [
|
||||
{file = "webauthn-1.11.1-py3-none-any.whl", hash = "sha256:13592ee71489b571cb6e4a5d8b3c34f7b040cd3539a9d94b6b7d23fa88df5dfb"},
|
||||
{file = "webauthn-1.11.1.tar.gz", hash = "sha256:24eda57903897369797f52a377f8c470e7057e79da5525779d0720a9fcc11926"},
|
||||
{file = "webauthn-2.0.0-py3-none-any.whl", hash = "sha256:644dc68af5caaade06be6a2a2278775e85116e92dd755ad7a49d992d51c82033"},
|
||||
{file = "webauthn-2.0.0.tar.gz", hash = "sha256:12cc1759da98668b8242badc37c4129df300f89d89f5c183fac80e7b33c41dfd"},
|
||||
]
|
||||
|
||||
[package.dependencies]
|
||||
asn1crypto = ">=1.4.0"
|
||||
cbor2 = ">=5.4.6"
|
||||
cryptography = ">=41.0.4"
|
||||
pydantic = ">=1.10.11"
|
||||
pyOpenSSL = ">=23.2.0"
|
||||
cryptography = ">=41.0.7"
|
||||
pyOpenSSL = ">=23.3.0"
|
||||
|
||||
[[package]]
|
||||
name = "websocket-client"
|
||||
|
|
Reference in a new issue