Passkeys: Fix RP ID validation

keepassxreboot · Mar 31, 2024 · 3b30d54 · 3b30d54
1 parent 35fdcfa
commit 3b30d54
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 10 deletions.
diff --git a/src/browser/BrowserService.cpp b/src/browser/BrowserService.cpp
@@ -630,7 +630,7 @@ QJsonObject BrowserService::showPasskeysRegisterPrompt(const QJsonObject& public
     }
 
     const auto excludeCredentials = credentialCreationOptions["excludeCredentials"].toArray();
-    const auto rpId = publicKeyOptions["rp"]["id"].toString();
+    const auto rpId = credentialCreationOptions["rp"].toObject()["id"].toString();
     const auto timeout = publicKeyOptions["timeout"].toInt();
     const auto username = credentialCreationOptions["user"].toObject()["name"].toString();
 

diff --git a/src/browser/PasskeyUtils.cpp b/src/browser/PasskeyUtils.cpp
@@ -109,14 +109,17 @@ int PasskeyUtils::validateRpId(const QJsonValue& rpIdValue, const QString& effec
         return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH;
     }
 
-    if (rpIdValue.isUndefined()) {
-        return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH;
-    }
-
     if (effectiveDomain.isEmpty()) {
         return ERROR_PASSKEYS_ORIGIN_NOT_ALLOWED;
     }
 
+    //  The RP ID defaults to being the caller's origin's effective domain unless the caller has explicitly set
+    //  options.rp.id
+    if (rpIdValue.isUndefined() || rpIdValue.isNull()) {
+        *result = effectiveDomain;
+        return PASSKEYS_SUCCESS;
+    }
+
     const auto rpId = rpIdValue.toString();
     if (!isRegistrableDomainSuffix(rpId, effectiveDomain)) {
         return ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH;

diff --git a/tests/TestPasskeys.cpp b/tests/TestPasskeys.cpp
@@ -573,17 +573,18 @@ void TestPasskeys::testRpIdValidation()
     QString result;
     auto allowedIdentical = passkeyUtils()->validateRpId(QString("example.com"), QString("example.com"), &result);
     QCOMPARE(result, QString("example.com"));
-    QVERIFY(allowedIdentical == 0);
+    QVERIFY(allowedIdentical == PASSKEYS_SUCCESS);
 
     result.clear();
     auto allowedSubdomain = passkeyUtils()->validateRpId(QString("example.com"), QString("www.example.com"), &result);
     QCOMPARE(result, QString("example.com"));
-    QVERIFY(allowedSubdomain == 0);
+    QVERIFY(allowedSubdomain == PASSKEYS_SUCCESS);
 
     result.clear();
-    auto emptyRpId = passkeyUtils()->validateRpId({}, QString("example.com"), &result);
-    QCOMPARE(result, QString(""));
-    QVERIFY(emptyRpId == ERROR_PASSKEYS_DOMAIN_RPID_MISMATCH);
+    QJsonValue emptyValue;
+    auto emptyRpId = passkeyUtils()->validateRpId(emptyValue, QString("example.com"), &result);
+    QCOMPARE(result, QString("example.com"));
+    QVERIFY(emptyRpId == PASSKEYS_SUCCESS);
 
     result.clear();
     auto ipRpId = passkeyUtils()->validateRpId(QString("127.0.0.1"), QString("example.com"), &result);