Revert "fix/613-cross-origin-flag-verification"
MasterKale authored Oct 12, 2024
1 parent 0aedc62 commit be62018
Showing 2 changed files with 2 additions and 24 deletions.
Expand Up @@ -22,7 +22,6 @@ export type VerifyAuthenticationResponseOpts = {
credential: WebAuthnCredential;
expectedType?: string | string[];
requireUserVerification?: boolean;
allowEmbeddedAuthentication?: boolean;
advancedFIDOConfig?: {
userVerification?: UserVerificationRequirement;
};
Expand All @@ -40,7 +39,6 @@ export type VerifyAuthenticationResponseOpts = {
* @param credential - An internal {@link WebAuthnCredential} corresponding to `id` in the authentication response
* @param expectedType **(Optional)** - The response type expected ('webauthn.get')
* @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
* @param allowEmbeddedAuthentication **(Optional)** - Allow credential use from within an iframe embedded on a different origin ("cross-origin"). Defaults to `false`
* @param advancedFIDOConfig **(Optional)** - Options for satisfying more stringent FIDO RP feature requirements
* @param advancedFIDOConfig.userVerification **(Optional)** - Enable alternative rules for evaluating the User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional unless this value is `"required"`
*/
Expand All @@ -55,7 +53,6 @@ export async function verifyAuthenticationResponse(
expectedType,
credential,
requireUserVerification = true,
allowEmbeddedAuthentication = false,
advancedFIDOConfig,
} = options;
const { id, rawId, type: credentialType, response: assertionResponse } = response;
Expand Down Expand Up @@ -87,7 +84,7 @@ export async function verifyAuthenticationResponse(

const clientDataJSON = decodeClientDataJSON(assertionResponse.clientDataJSON);

const { type, origin, challenge, tokenBinding, crossOrigin } = clientDataJSON;
const { type, origin, challenge, tokenBinding } = clientDataJSON;

// Make sure we're handling an authentication
if (Array.isArray(expectedType)) {
Expand Down Expand Up @@ -136,14 +133,6 @@ export async function verifyAuthenticationResponse(
}
}

if (crossOrigin !== undefined) {
if (crossOrigin && !allowEmbeddedAuthentication) {
throw new Error(
`Registration response crossOrigin was true but embedded registration was disallowed`,
);
}
}

if (!isoBase64URL.isBase64URL(assertionResponse.authenticatorData)) {
throw new Error(
'Credential response authenticatorData was not a base64url string',
13 changes: 1 addition & 12 deletions packages/server/src/registration/verifyRegistrationResponse.ts
Expand Up @@ -38,7 +38,6 @@ export type VerifyRegistrationResponseOpts = {
expectedType?: string | string[];
requireUserPresence?: boolean;
requireUserVerification?: boolean;
allowEmbeddedRegistration?: boolean;
supportedAlgorithmIDs?: COSEAlgorithmIdentifier[];
};

Expand All @@ -54,7 +53,6 @@ export type VerifyRegistrationResponseOpts = {
* @param expectedType **(Optional)** - The response type expected ('webauthn.create')
* @param requireUserPresence **(Optional)** - Enforce user presence by the authenticator (or skip it during auto registration) Defaults to `true`
* @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
* @param allowEmbeddedRegistration **(Optional)** - Allow credential registration from within an iframe embedded on a different origin ("cross-origin"). Defaults to `false`
* @param supportedAlgorithmIDs **(Optional)** - Array of numeric COSE algorithm identifiers supported for attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms. Defaults to all supported algorithm IDs
*/
export async function verifyRegistrationResponse(
Expand All @@ -68,7 +66,6 @@ export async function verifyRegistrationResponse(
expectedType,
requireUserPresence = true,
requireUserVerification = true,
allowEmbeddedRegistration = false,
supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers,
} = options;
const { id, rawId, type: credentialType, response: attestationResponse } = response;
Expand All @@ -94,7 +91,7 @@ export async function verifyRegistrationResponse(
attestationResponse.clientDataJSON,
);

const { type, origin, challenge, tokenBinding, crossOrigin } = clientDataJSON;
const { type, origin, challenge, tokenBinding } = clientDataJSON;

// Make sure we're handling an registration
if (Array.isArray(expectedType)) {
Expand Down Expand Up @@ -146,14 +143,6 @@ export async function verifyRegistrationResponse(
}
}

if (crossOrigin !== undefined) {
if (crossOrigin && !allowEmbeddedRegistration) {
throw new Error(
`Registration response crossOrigin was true but embedded registration was disallowed`,
);
}
}

if (tokenBinding) {
if (typeof tokenBinding !== 'object') {
throw new Error(`Unexpected value for TokenBinding "${tokenBinding}"`);
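Review bot: Nothing on the new side of `const { type, origin, challenge, tokenBinding } = clientDataJSON;` records that the client data's crossOrigin flag is now read from the response and left unevaluated, so a later reader cannot tell whether the omission is deliberate or an oversight. Because a client data value of `crossOrigin: true` is now accepted without comment, a one-line note would preserve the intent, e.g. `// crossOrigin is intentionally not evaluated here (fix/613-cross-origin-flag-verification was reverted)`, placed directly above that destructuring. The same applies to the parallel destructuring in verifyAuthenticationResponse in the other file of this commit. verifyRegistrationResponse continues outside the hunk, so whether the origin itself is still validated further down is not visible here.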