Leatherface/mastodon
0
0
Fork 0
mirror of https://github.com/glitch-soc/mastodon.git synced 2026-03-29 03:00:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

Extract security_key_options endpoint to standalone controller (#38367)

Browse Source
This commit is contained in:
Matt Jankowski
2026-03-25 06:35:09 -04:00
committed by GitHub
parent bafc552a72
commit 5d7682c7dd
4 changed files with 66 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
app/controllers/auth/sessions/security_key_options_controller.rb Normal file
View File

@@ -0,0 +1,24 @@
# frozen_string_literal: true
class Auth::Sessions::SecurityKeyOptionsController < ApplicationController
skip_before_action :check_self_destruct!
skip_before_action :require_functional!
skip_before_action :update_user_sign_in
def show
user = User.find_by(id: session[:attempt_user_id])
if user&.webauthn_enabled?
options_for_get = WebAuthn::Credential.options_for_get(
allow: user.webauthn_credentials.pluck(:external_id),
user_verification: 'discouraged'
)
session[:webauthn_challenge] = options_for_get.challenge
render json: options_for_get, status: 200
else
render json: { error: t('webauthn_credentials.not_enabled') }, status: 401
end
end
end

17
app/controllers/auth/sessions_controller.rb
View File

@@ -38,23 +38,6 @@ class Auth::SessionsController < Devise::SessionsController
flash.delete(:notice) flash.delete(:notice)
end end
def webauthn_options
user = User.find_by(id: session[:attempt_user_id])
if user&.webauthn_enabled?
options_for_get = WebAuthn::Credential.options_for_get(
allow: user.webauthn_credentials.pluck(:external_id),
user_verification: 'discouraged'
)
session[:webauthn_challenge] = options_for_get.challenge
render json: options_for_get, status: 200
else
render json: { error: t('webauthn_credentials.not_enabled') }, status: 401
end
end
protected protected
def find_user def find_user

4
config/routes.rb
View File

@@ -76,8 +76,10 @@ Rails.application.routes.draw do
namespace :auth do namespace :auth do
resource :setup, only: [:show, :update], controller: :setup resource :setup, only: [:show, :update], controller: :setup
resource :challenge, only: [:create] resource :challenge, only: [:create]
get 'sessions/security_key_options', to: 'sessions#webauthn_options'
post 'captcha_confirmation', to: 'confirmations#confirm_captcha', as: :captcha_confirmation post 'captcha_confirmation', to: 'confirmations#confirm_captcha', as: :captcha_confirmation
namespace :sessions do
resource :security_key_options, only: :show
end
end end
end end

54
spec/requests/auth/sessions/security_key_options_spec.rb
View File

@@ -5,9 +5,9 @@ require 'webauthn/fake_client'
RSpec.describe 'Security Key Options' do RSpec.describe 'Security Key Options' do
describe 'GET /auth/sessions/security_key_options' do describe 'GET /auth/sessions/security_key_options' do
let!(:user) do subject { get '/auth/sessions/security_key_options' }
Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret)
end let!(:user) { Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret) }
context 'with WebAuthn and OTP enabled as second factor' do context 'with WebAuthn and OTP enabled as second factor' do
let(:domain) { "#{Rails.configuration.x.use_https ? 'https' : 'http'}://#{Rails.configuration.x.web_domain}" } let(:domain) { "#{Rails.configuration.x.use_https ? 'https' : 'http'}://#{Rails.configuration.x.web_domain}" }
@@ -19,31 +19,55 @@ RSpec.describe 'Security Key Options' do
user.update(webauthn_id: WebAuthn.generate_user_id) user.update(webauthn_id: WebAuthn.generate_user_id)
Fabricate( Fabricate(
:webauthn_credential, :webauthn_credential,
user_id: user.id,
external_id: public_key_credential.id, external_id: public_key_credential.id,
public_key: public_key_credential.public_key public_key: public_key_credential.public_key,
user_id: user.id
) )
post '/auth/sign_in', params: { user: { email: user.email, password: user.password } }
end end
it 'returns http success' do context 'when signed in' do
get '/auth/sessions/security_key_options' before { post '/auth/sign_in', params: { user: { email: user.email, password: user.password } } }
expect(response) it 'returns http success' do
.to have_http_status 200 subject
expect(response.content_type)
.to start_with('application/json') expect(response)
.to have_http_status 200
expect(response.media_type)
.to eq('application/json')
expect(response.parsed_body)
.to include(
challenge: be_present,
userVerification: eq('discouraged'),
allowCredentials: contain_exactly(include(type: 'public-key', id: be_present))
)
end
end
context 'when not signed in' do
it 'returns http unauthorized' do
subject
expect(response)
.to have_http_status 401
expect(response.media_type)
.to eq('application/json')
expect(response.parsed_body)
.to include(error: I18n.t('webauthn_credentials.not_enabled'))
end
end end
end end
context 'when WebAuthn not enabled' do context 'when WebAuthn not enabled' do
it 'returns http unauthorized' do it 'returns http unauthorized' do
get '/auth/sessions/security_key_options' subject
expect(response) expect(response)
.to have_http_status 401 .to have_http_status 401
expect(response.content_type) expect(response.media_type)
.to start_with('application/json') .to eq('application/json')
expect(response.parsed_body)
.to include(error: I18n.t('webauthn_credentials.not_enabled'))
end end
end end
end end