Update webauthn to 0.11.2 (#1195)

backend/authschemes/webauthn/webauthn.go

@@ -21,46 +21,46 @@ import (
 	"github.com/go-chi/chi/v5"
 
 	"github.com/go-webauthn/webauthn/protocol"
-	auth "github.com/go-webauthn/webauthn/webauthn"
+	"github.com/go-webauthn/webauthn/webauthn"
 )
 
 type WebAuthn struct {
 	RegistrationEnabled bool
-	Web                 *auth.WebAuthn
+	Web                 *webauthn.WebAuthn
 }
 
 func New(cfg config.AuthInstanceConfig, webConfig *config.WebConfig) (WebAuthn, error) {
 	parsedUrl, err := url.Parse(webConfig.FrontendIndexURL)
+	if err != nil {
+		return WebAuthn{}, err
+	}
 
-	var host string
-	var port string
+	host, _, err := net.SplitHostPort(parsedUrl.Host)
 	if err != nil {
 		return WebAuthn{}, err
 	}
 
-	if host, port, err = net.SplitHostPort(parsedUrl.Host); err != nil {
-		host = parsedUrl.Host
+	rpID := host
+	if cfg.WebauthnConfig.RPID != "" {
+		rpID = cfg.WebauthnConfig.RPID
 	}
 
-	config := auth.Config{
+	rpOrigins := []string{webConfig.FrontendIndexURL}
+	if len(cfg.WebauthnConfig.RPOrigins) > 0 {
+		rpOrigins = append(rpOrigins, cfg.WebauthnConfig.RPOrigins...)
+	}
+
+	webauthnConfig := &webauthn.Config{
 		RPDisplayName: cfg.WebauthnConfig.DisplayName,
-		RPID:          host,
+		RPID:          rpID,
+		RPOrigins:     rpOrigins,
 		// the below are all optional
 		Debug:                  cfg.WebauthnConfig.Debug,
-		Timeout:                cfg.WebauthnConfig.Timeout,
 		AttestationPreference:  cfg.WebauthnConfig.Conveyance(),
 		AuthenticatorSelection: cfg.BuildAuthenticatorSelection(),
 	}
 
-	// TODO: I don't understand how to correctly set the RPOrigin. the code works *specifically* for
-	// localhost, but may fail for proper deployments. We might need to make this an env var.
-	if cfg.WebauthnConfig.RPOrigin != "" {
-		config.RPOrigin = cfg.WebauthnConfig.RPOrigin
-	} else if host == "localhost" {
-		config.RPOrigin = "http://" + host + ":" + port
-	}
-
-	web, err := auth.New(&config)
+	web, err := webauthn.New(webauthnConfig)
 	if err != nil {
 		return WebAuthn{}, err
 	}
@@ -181,7 +181,7 @@ func (a WebAuthn) BindRoutes(r chi.Router, bridge authschemes.AShirtAuthBridge)
 			}
 			discoverable := isDiscoverable(r)
 
-			var cred *auth.Credential
+			var cred *webauthn.Credential
 			var err error
 
 			if discoverable {
@@ -191,7 +191,7 @@ func (a WebAuthn) BindRoutes(r chi.Router, bridge authschemes.AShirtAuthBridge)
 				}
 
 				var webauthnUser webauthnUser
-				userHandler := func(_, userHandle []byte) (user auth.User, err error) {
+				userHandler := func(_, userHandle []byte) (user webauthn.User, err error) {
 					authnID := string(userHandle)
 					dbUser, err := bridge.GetUserFromAuthnID(authnID)
 					if err != nil {
@@ -488,7 +488,7 @@ func (a WebAuthn) beginRegistration(w http.ResponseWriter, r *http.Request, brid
 		credCreationOpts.AuthenticatorSelection = selection
 	}
 
-	credOptions, sessionData, err := a.Web.BeginRegistration(&user, auth.WithAuthenticatorSelection(selection), registrationOptions)
+	credOptions, sessionData, err := a.Web.BeginRegistration(&user, webauthn.WithAuthenticatorSelection(selection), registrationOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -503,12 +503,12 @@ func (a WebAuthn) beginLogin(w http.ResponseWriter, r *http.Request, bridge auth
 
 	var data interface{}
 	var options *protocol.CredentialAssertion
-	var sessionData *auth.SessionData
+	var sessionData *webauthn.SessionData
 	var err error
 
 	if discoverable {
-		var opts = []auth.LoginOption{
-			auth.WithUserVerification(protocol.VerificationPreferred),
+		var opts = []webauthn.LoginOption{
+			webauthn.WithUserVerification(protocol.VerificationPreferred),
 		}
 		options, sessionData, err = a.Web.BeginDiscoverableLogin(opts...)
 
@@ -585,7 +585,7 @@ func (a WebAuthn) validateRegistrationComplete(r *http.Request, bridge authschem
 	return data, encodedCreds, nil
 }
 
-func updateSignCount(data *webAuthNSessionData, loginCred *auth.Credential, bridge authschemes.AShirtAuthBridge) error {
+func updateSignCount(data *webAuthNSessionData, loginCred *webauthn.Credential, bridge authschemes.AShirtAuthBridge) error {
 	userID := data.UserData.UserIDAsI64()
 
 	userAuth, err := bridge.FindUserAuthByUserID(userID)

backend/authschemes/webauthn/webauthnuser.go

@@ -6,7 +6,7 @@ import (
 	"time"
 
 	"github.com/ashirt-ops/ashirt-server/backend/helpers"
-	auth "github.com/go-webauthn/webauthn/webauthn"
+	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/google/uuid"
 )
 
@@ -91,7 +91,7 @@ func (u *webauthnUser) WebAuthnIcon() string {
 	return u.IconURL
 }
 
-func (u *webauthnUser) WebAuthnCredentials() []auth.Credential {
+func (u *webauthnUser) WebAuthnCredentials() []webauthn.Credential {
 	return helpers.Map(u.Credentials, unwrapCredential)
 }
 

backend/config/authconfig.go

@@ -42,9 +42,9 @@ type OIDCConfig struct {
 type WebauthnConfig struct {
 	DisplayName string `split_words:"true"`
 	// All of the below have innate defaults, and so are effectively optional
-	Timeout                         int
-	RPOrigin                        string `envconfig:"RP_ORIGIN"`
-	AttestationPreference           string `split_words:"true"`
+	RPID                            string   `split_words:"true"`
+	RPOrigins                       []string `split_words:"true"`
+	AttestationPreference           string   `split_words:"true"`
 	Debug                           bool
 	AuthenticatorAttachment         string `split_words:"true"`
 	AuthenticatorResidentKey        string `split_words:"true"`

docker-compose.yml

@@ -51,8 +51,10 @@ services:
       AUTH_SERVICES: ashirt
       # AUTH_SERVICES: ashirt,google
       AUTH_SERVICES_ALLOW_REGISTRATION: ashirt
+
       # AUTH_WEBAUTHN_NAME: webauthn
       # AUTH_WEBAUTHN_DISPLAY_NAME: ashirt
+      # AUTH_WEBAUTHN_TYPE: webauthn
 
       # Google oidc
       AUTH_GOOGLE_TYPE: oidc

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/coreos/go-oidc/v3 v3.11.0
 	github.com/go-chi/chi/v5 v5.1.0
 	github.com/go-sql-driver/mysql v1.8.1
-	github.com/go-webauthn/webauthn v0.10.2
+	github.com/go-webauthn/webauthn v0.11.2
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/csrf v1.7.2
 	github.com/gorilla/securecookie v1.1.2
@@ -68,15 +68,15 @@ require (
 	github.com/envoyproxy/go-control-plane v0.13.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-webauthn/x v0.1.9 // indirect
+	github.com/go-webauthn/x v0.1.14 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/google/go-tpm v0.9.0 // indirect
+	github.com/google/go-tpm v0.9.1 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect

go.sum

@@ -100,8 +100,8 @@ github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6
 github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
-github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
 github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
@@ -115,10 +115,10 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
 github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
-github.com/go-webauthn/webauthn v0.10.2 h1:OG7B+DyuTytrEPFmTX503K77fqs3HDK/0Iv+z8UYbq4=
-github.com/go-webauthn/webauthn v0.10.2/go.mod h1:Gd1IDsGAybuvK1NkwUTLbGmeksxuRJjVN2PE/xsPxHs=
-github.com/go-webauthn/x v0.1.9 h1:v1oeLmoaa+gPOaZqUdDentu6Rl7HkSSsmOT6gxEQHhE=
-github.com/go-webauthn/x v0.1.9/go.mod h1:pJNMlIMP1SU7cN8HNlKJpLEnFHCygLCvaLZ8a1xeoQA=
+github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
+github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
+github.com/go-webauthn/x v0.1.14 h1:1wrB8jzXAofojJPAaRxnZhRgagvLGnLjhCAwg3kTpT0=
+github.com/go-webauthn/x v0.1.14/go.mod h1:UuVvFZ8/NbOnkDz3y1NaxtUN87pmtpC1PQ+/5BBQRdc=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -145,8 +145,8 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
-github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
+github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM=
+github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=