trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ATH-01-010: fix missing user filter for webauthn device 

This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it.
This commit is contained in:
Jens Langhammer 2023-06-01 13:23:37 +02:00
parent ffb98eaa75
commit 1aff300171
No known key found for this signature in database
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
authentik/stages/authenticator_validate/challenge.py
View File

@ -131,7 +131,7 @@ def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -
challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
credential_id = data.get("id")
device = WebAuthnDevice.objects.filter(credential_id=credential_id).first()
device = WebAuthnDevice.objects.filter(credential_id=credential_id, user=user).first()
if not device:
raise ValidationError("Invalid device")