Fix webauthn bug. Fix tests. Update docs
@@ -1,6 +1,9 @@
|
|||||||
class WebauthnCredential < ApplicationRecord
|
class WebauthnCredential < ApplicationRecord
|
||||||
belongs_to :user
|
belongs_to :user
|
||||||
|
|
||||||
|
# Set default authenticator_type if not provided
|
||||||
|
after_initialize :set_default_authenticator_type, if: :new_record?
|
||||||
|
|
||||||
# Validations
|
# Validations
|
||||||
validates :external_id, presence: true, uniqueness: true
|
validates :external_id, presence: true, uniqueness: true
|
||||||
validates :public_key, presence: true
|
validates :public_key, presence: true
|
||||||
@@ -77,6 +80,10 @@ class WebauthnCredential < ApplicationRecord
|
|||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
|
def set_default_authenticator_type
|
||||||
|
self.authenticator_type ||= "cross-platform"
|
||||||
|
end
|
||||||
|
|
||||||
def time_ago_in_words(time)
|
def time_ago_in_words(time)
|
||||||
seconds = Time.current - time
|
seconds = Time.current - time
|
||||||
minutes = seconds / 60
|
minutes = seconds / 60
|
||||||
|
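Review bot: `self.authenticator_type ||= "cross-platform"` in set_default_authenticator_type only fills in nil; an empty string (what a form field or JSON payload that omits the attachment value typically yields) is truthy in Ruby and passes through unchanged, so the default is skipped exactly when the client sent nothing useful — `self.authenticator_type = "cross-platform" if authenticator_type.blank?` covers both. Silently labelling an unknown authenticator as "cross-platform" also loses information: if anything downstream treats platform and roaming authenticators differently, the value from the registration response's authenticatorAttachment should be stored and the default applied only when it is absent. The visible hunks show no inclusion validation for this column; unless one exists in the lines outside the hunk, `validates :authenticator_type, inclusion: {in: %w[platform cross-platform]}` keeps it to the two attachment values WebAuthn defines. The body of time_ago_in_words continues beyond the hunk.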
|||||||
@@ -136,7 +136,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
|
|||||||
- [ ] Document required vs. optional configuration
|
- [ ] Document required vs. optional configuration
|
||||||
- [ ] Provide sensible defaults
|
- [ ] Provide sensible defaults
|
||||||
- [ ] Validate production SMTP configuration
|
- [ ] Validate production SMTP configuration
|
||||||
- [ ] Ensure OIDC private key generation process is documented
|
- [x] Ensure OIDC private key generation process is documented
|
||||||
|
|
||||||
### Database
|
### Database
|
||||||
- [x] Migrations are idempotent
|
- [x] Migrations are idempotent
|
||||||
@@ -187,7 +187,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
|
|||||||
## Known Limitations & Risks
|
## Known Limitations & Risks
|
||||||
|
|
||||||
### Documented Risks
|
### Documented Risks
|
||||||
- [ ] Document that ForwardAuth requires same-domain setup
|
- [x] Document that ForwardAuth requires same-domain setup
|
||||||
- [ ] Document HTTPS requirement for production
|
- [ ] Document HTTPS requirement for production
|
||||||
- [ ] Document backup code security (single-use, store securely)
|
- [ ] Document backup code security (single-use, store securely)
|
||||||
- [ ] Document admin password security requirements
|
- [ ] Document admin password security requirements
|
||||||
|
|||||||
@@ -128,7 +128,10 @@ class WebauthnSecurityTest < ActionDispatch::IntegrationTest
|
|||||||
nickname: "Test Key"
|
nickname: "Test Key"
|
||||||
)
|
)
|
||||||
|
|
||||||
# Sign in with WebAuthn
|
# Sign in first
|
||||||
|
post signin_path, params: {email_address: user.email_address, password: "password123"}
|
||||||
|
|
||||||
|
# Get WebAuthn challenge
|
||||||
post webauthn_challenge_path, params: {email: "webauthn_verify_origin_test@example.com"}
|
post webauthn_challenge_path, params: {email: "webauthn_verify_origin_test@example.com"}
|
||||||
assert_response :success
|
assert_response :success
|
||||||
|
|
||||||
@@ -224,8 +227,8 @@ class WebauthnSecurityTest < ActionDispatch::IntegrationTest
|
|||||||
)
|
)
|
||||||
|
|
||||||
credential.reload
|
credential.reload
|
||||||
assert_equal "192.168.1.100", credential.last_ip_address
|
assert_equal "192.168.1.100", credential.last_used_ip
|
||||||
assert_equal "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", credential.last_user_agent
|
assert_equal "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", credential.user_agent
|
||||||
|
|
||||||
user.destroy
|
user.destroy
|
||||||
end
|
end
|
||||||
|
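Review bot: The new `post signin_path` near the top of the first hunk is never checked, so if the password sign-in fails the test still proceeds and the following `post webauthn_challenge_path` may succeed purely on the `email` parameter — the test would then pass without exercising the signed-in path it was changed to cover. Add `assert_response :redirect` (or whatever a successful signin returns in this app) immediately after the sign-in, and assert the user is actually in session before requesting the challenge. The challenge endpoint also appears to accept an arbitrary email from a caller who may not be signed in; if its response differs for known and unknown addresses that is an account-enumeration vector, so a companion assertion that an unknown email gets the same response shape would be worthwhile — this is inferred from the test, the controller is not visible here. The test method's header and the remainder of its body lie outside the hunk.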
|||||||