habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ATH-01-010: fix missing user filter for webauthn device

Browse Source 
This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it.
This commit is contained in:
Jens Langhammer
2023-06-01 13:23:37 +02:00
parent ffb98eaa75
commit 1aff300171
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
authentik/stages/authenticator_validate/challenge.py
View File

@ -131,7 +131,7 @@ def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -
challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
credential_id = data.get("id")
device = WebAuthnDevice.objects.filter(credential_id=credential_id).first()
device = WebAuthnDevice.objects.filter(credential_id=credential_id, user=user).first()
if not device:
raise ValidationError("Invalid device")