ATH-01-010: fix missing user filter for webauthn device
This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it.
This commit is contained in:
parent
bd54d034e1
commit
143663d293
|
@ -130,7 +130,7 @@ def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -
|
||||||
challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
|
challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
|
||||||
credential_id = data.get("id")
|
credential_id = data.get("id")
|
||||||
|
|
||||||
device = WebAuthnDevice.objects.filter(credential_id=credential_id).first()
|
device = WebAuthnDevice.objects.filter(credential_id=credential_id, user=user).first()
|
||||||
if not device:
|
if not device:
|
||||||
raise ValidationError("Invalid device")
|
raise ValidationError("Invalid device")
|
||||||
|
|
||||||
|
|
Reference in New Issue