From ae99d3d9cfcada8fc1ba4105b08b894b3b144992 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Thu, 1 Jan 2026 15:24:56 +1100
Subject: [PATCH] Fix webauthn bug. Fix tests. Update docs

---
 app/models/webauthn_credential.rb          | 7 +++++++
 docs/beta-checklist.md                     | 4 ++--
 test/integration/webauthn_security_test.rb | 9 ++++++---
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/app/models/webauthn_credential.rb b/app/models/webauthn_credential.rb
index 2f54715..571a620 100644
--- a/app/models/webauthn_credential.rb
+++ b/app/models/webauthn_credential.rb
@@ -1,6 +1,9 @@
 class WebauthnCredential < ApplicationRecord
   belongs_to :user
 
+  # Set default authenticator_type if not provided
+  after_initialize :set_default_authenticator_type, if: :new_record?
+
   # Validations
   validates :external_id, presence: true, uniqueness: true
   validates :public_key, presence: true
@@ -77,6 +80,10 @@ class WebauthnCredential < ApplicationRecord
 
   private
 
+  def set_default_authenticator_type
+    self.authenticator_type ||= "cross-platform"
+  end
+
   def time_ago_in_words(time)
     seconds = Time.current - time
     minutes = seconds / 60
diff --git a/docs/beta-checklist.md b/docs/beta-checklist.md
index 76f5ac5..984b793 100644
--- a/docs/beta-checklist.md
+++ b/docs/beta-checklist.md
@@ -136,7 +136,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
 - [ ] Document required vs. optional configuration
 - [ ] Provide sensible defaults
 - [ ] Validate production SMTP configuration
-- [ ] Ensure OIDC private key generation process is documented
+- [x] Ensure OIDC private key generation process is documented
 
 ### Database
 - [x] Migrations are idempotent
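Review bot: The authenticator_type default lives only in the after_initialize callback added in the first hunk (backed by set_default_authenticator_type in the second), so rows written without instantiating the model — insert_all/upsert_all or direct SQL — still end up with NULL, and none of the visible validations constrains the stored value afterwards. Consider a column default in a migration alongside the callback, and next to the existing validations `validates :authenticator_type, inclusion: { in: %w[platform cross-platform] }` if the column is meant to hold the WebAuthn authenticatorAttachment values. Silently falling back to "cross-platform" also records a registration that omitted the attachment as a roaming key; if the field is meant to reflect what the authenticator actually reported, the registration path should set it explicitly and this callback should remain a last resort. The class body continues outside both hunks.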
@@ -187,7 +187,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
 ## Known Limitations & Risks
 
 ### Documented Risks
-- [ ] Document that ForwardAuth requires same-domain setup
+- [x] Document that ForwardAuth requires same-domain setup
 - [ ] Document HTTPS requirement for production
 - [ ] Document backup code security (single-use, store securely)
 - [ ] Document admin password security requirements
diff --git a/test/integration/webauthn_security_test.rb b/test/integration/webauthn_security_test.rb
index 6942268..c71ea92 100644
--- a/test/integration/webauthn_security_test.rb
+++ b/test/integration/webauthn_security_test.rb
@@ -128,7 +128,10 @@ class WebauthnSecurityTest < ActionDispatch::IntegrationTest
       nickname: "Test Key"
     )
 
-    # Sign in with WebAuthn
+    # Sign in first
+    post signin_path, params: {email_address: user.email_address, password: "password123"}
+
+    # Get WebAuthn challenge
     post webauthn_challenge_path, params: {email: "webauthn_verify_origin_test@example.com"}
     assert_response :success
 
@@ -224,8 +227,8 @@ class WebauthnSecurityTest < ActionDispatch::IntegrationTest
     )
 
     credential.reload
-    assert_equal "192.168.1.100", credential.last_ip_address
-    assert_equal "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", credential.last_user_agent
+    assert_equal "192.168.1.100", credential.last_used_ip
+    assert_equal "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", credential.user_agent
 
     user.destroy
   end
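Review bot: The password sign-in added at the top of the first test hunk is never checked before the challenge request, so if signin_path rejects the credentials the test carries on and the later assertions fail (or pass) for the wrong reason; add an assertion on the sign-in response, e.g. `assert_response :redirect` or whatever signin_path returns on success, before the `# Get WebAuthn challenge` line. The sign-in uses `user.email_address` while the challenge posts the literal `"webauthn_verify_origin_test@example.com"`; if those ever diverge the challenge is issued for an account other than the one in session, so passing `user.email_address` to both calls keeps the test self-consistent. The enclosing test method starts and ends outside the hunk.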