From 8392916c847be3a7b9f5fbca331822f92edafcdb Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 16 Jun 2023 15:16:05 +0200
Subject: [PATCH] ATH-01-010: rework

Signed-off-by: Jens Langhammer
---
 authentik/stages/authenticator_validate/challenge.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/authentik/stages/authenticator_validate/challenge.py b/authentik/stages/authenticator_validate/challenge.py
index 5444234ba..05ea0e517 100644
--- a/authentik/stages/authenticator_validate/challenge.py
+++ b/authentik/stages/authenticator_validate/challenge.py
@@ -131,9 +131,15 @@ def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -
     challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
     credential_id = data.get("id")
-    device = WebAuthnDevice.objects.filter(credential_id=credential_id, user=user).first()
+    device = WebAuthnDevice.objects.filter(credential_id=credential_id).first()
     if not device:
         raise ValidationError("Invalid device")
+    # We can only check the device's user if the user we're given isn't anonymous
+    # as this validation is also used for password-less login where webauthn is the very first
+    # step done by a user. Only if this validation happens at a later stage we can check
+    # that the device belongs to the user
+    if not user.is_anonymous and device.user != user:
+        raise ValidationError("Invalid device")
     stage: AuthenticatorValidateStage = stage_view.executor.current_stage
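Review bot: With the `user=user` scope removed from the lookup on the added `device = WebAuthnDevice.objects.filter(credential_id=credential_id).first()` line, `.first()` silently picks an arbitrary row if more than one WebAuthnDevice shares a credential_id, and in the anonymous (password-less) path that row's owner presumably becomes the identity the flow continues with; unless the model enforces uniqueness on credential_id (not visible here), the ambiguous case should be rejected rather than resolved by row order, e.g. `devices = WebAuthnDevice.objects.filter(credential_id=credential_id)` / `if devices.count() != 1: raise ValidationError("Invalid device")` / `device = devices.first()`. The new ownership-mismatch branch is also worth recording server-side: a registered credential presented under a different user's session is an anomaly that the (correctly generic) client-facing "Invalid device" error hides from operators, so a warning through the module's logger with the device and user identifiers before the raise would give detection something to key on. validate_challenge_webauthn starts and ends outside the hunk, so whether the anonymous path later binds the flow's pending user to `device.user` cannot be confirmed from here.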