webauthn-ruby

WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party

Results 28 webauthn-ruby issues

Hi, first of all, thank you for creating this wonderful gem. This fix is minor. While reading the source code of this gem, I found a class that was probably...

> F-10 Send ServerAuthenticatorAttestationResponse with FULL "packed" attestation, with attStmt.x5c containing full chain, and check that server returns an error How to run FIDO2 conformance tests: https://github.com/cedarcode/webauthn-ruby/tree/master/spec/conformance.

> P-3 Send a valid ServerAuthenticatorAttestationResponse with "tpm" attestation pubArea.nameAlg is not matching algorithm used for generate attested.name, and check that server succeeds How to run FIDO2 conformance tests: https://github.com/cedarcode/webauthn-ruby/tree/master/spec/conformance.

Follow up to https://github.com/bdewater/fido_metadata/pull/10.

Fixes #276. The gem already supports EdDSA credential keys after https://github.com/cedarcode/cose-ruby/issues/48. This PR just updates `FakeAuthenticator`, `FakeAuthenticator::AttestationObject` and `FakeAuthenticator::AuthenticatorData` in order for them to be used with these keys.

* Add links (with notes about alpha status) to the README to the:
  * `warden-webauthn` gem
  * `devise-passkeys` gem
  * `devise-passkeys-template` template Repo
* Also reorganized the demo repos from...

Per the [spec](https://www.w3.org/TR/webauthn/#relying-party-identifier) the RP ID "must be equal to the [origin](https://www.w3.org/TR/webauthn/#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised)'s [effective domain](https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain), or a [registrable domain suffix](https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to) of the [origin](https://www.w3.org/TR/webauthn/#determines-the-set-of-origins-on-which-the-public-key-credential-may-be-exercised)'s [effective domain](https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain)." and "By default, the [RP ID](https://www.w3.org/TR/webauthn/#rp-id)...

While implementing WebAuthn for Web + Mobile I found that Android requires using the [APK hash as the `origin`](https://developer.android.com/training/sign-in/passkeys#verify-origin). It is valid to have a list of valid origins per...