ATH-01-010: fix missing user filter for webauthn device

This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it.
This commit is contained in:
Jens Langhammer 2023-06-01 13:23:37 +02:00
parent bd54d034e1
commit 143663d293
No known key found for this signature in database
1 changed files with 1 additions and 1 deletions

View File

@ -130,7 +130,7 @@ def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -
challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE) challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
credential_id = data.get("id") credential_id = data.get("id")
device = WebAuthnDevice.objects.filter(credential_id=credential_id).first() device = WebAuthnDevice.objects.filter(credential_id=credential_id, user=user).first()
if not device: if not device:
raise ValidationError("Invalid device") raise ValidationError("Invalid device")