From 1aff300171a392ba3f6e2ddd31832d0f6d03daef Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 1 Jun 2023 13:23:37 +0200
Subject: [PATCH] ATH-01-010: fix missing user filter for webauthn device

This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it.
---
 authentik/stages/authenticator_validate/challenge.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authentik/stages/authenticator_validate/challenge.py b/authentik/stages/authenticator_validate/challenge.py
index 93c9f6a06..5444234ba 100644
--- a/authentik/stages/authenticator_validate/challenge.py
+++ b/authentik/stages/authenticator_validate/challenge.py
@@ -131,7 +131,7 @@ def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -
     challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
     credential_id = data.get("id")
-    device = WebAuthnDevice.objects.filter(credential_id=credential_id).first()
+    device = WebAuthnDevice.objects.filter(credential_id=credential_id, user=user).first()
     if not device:
         raise ValidationError("Invalid device")