feat: validate userHandle in WebauthnTwoFactorAuthenticatable strategy

santiagorodriguez96 · santiagorodriguez96 · commit 1185d9701150 · 2026-03-12T17:16:23.000-03:00
diff --git a/lib/devise/strategies/webauthn_two_factor_authenticatable.rb b/lib/devise/strategies/webauthn_two_factor_authenticatable.rb
@@ -16,6 +16,9 @@ def authenticate!
         stored_credential = resource&.webauthn_credentials&.find_by(external_id: credential_from_params.id)
 
         return fail!(:webauthn_credential_not_found) if stored_credential.blank?
+        if user_handle_mismatch?(credential_from_params, resource)
+          return fail!(:webauthn_credential_verification_failed)
+        end
 
         verify_credential(credential_from_params, stored_credential)
 
@@ -47,6 +50,11 @@ def verify_credential(credential_from_params, stored_credential)
         stored_credential.update!(sign_count: credential_from_params.sign_count)
       end
 
+      def user_handle_mismatch?(credential_from_params, resource)
+        credential_from_params.user_handle.present? &&
+          credential_from_params.user_handle != resource.webauthn_id
+      end
+
       def resource_class
         mapping.to
       end
diff --git a/spec/requests/devise/two_factor_authentication_spec.rb b/spec/requests/devise/two_factor_authentication_spec.rb
@@ -164,6 +164,60 @@ def generate_assertion(fake_client, challenge:, credential:)
       expect(controller.current_account).to be_nil
     end
 
+    it "completes authentication when userHandle matches the authenticated user" do
+      post account_session_path, params: { account: { email: user.email, password: password } }
+
+      expect(response).to redirect_to(new_account_two_factor_authentication_path)
+
+      follow_redirect!
+
+      expect(response).to have_http_status(:ok)
+      get account_security_key_authentication_options_path
+
+      assertion = client.get(
+        challenge: session[:two_factor_authentication_challenge],
+        allow_credentials: [security_key.external_id],
+        user_handle: WebAuthn.configuration.encoder.decode(user.webauthn_id)
+      )
+
+      expect do
+        post account_two_factor_authentication_path, params: {
+          public_key_credential: assertion.to_json
+        }
+
+        expect(response).to redirect_to(root_path)
+        expect(controller.current_account).to eq(user)
+      end.to change { security_key.reload.sign_count }.by(1)
+    end
+
+    it "rejects 2FA when userHandle does not match the authenticated user" do
+      other_user = Account.create!(email: "other@example.com", password: password)
+
+      post account_session_path, params: { account: { email: user.email, password: password } }
+
+      expect(response).to redirect_to(new_account_two_factor_authentication_path)
+
+      follow_redirect!
+
+      expect(response).to have_http_status(:ok)
+      get account_security_key_authentication_options_path
+
+      assertion = client.get(
+        challenge: session[:two_factor_authentication_challenge],
+        allow_credentials: [security_key.external_id],
+        user_handle: WebAuthn.configuration.encoder.decode(other_user.webauthn_id)
+      )
+
+      post account_two_factor_authentication_path, params: {
+        public_key_credential: assertion.to_json
+      }
+
+      expect(response).to have_http_status(:unprocessable_entity)
+      expect(response.body).to include("Use security key")
+      expect(flash[:alert]).to eq(I18n.t("devise.failure.webauthn_credential_verification_failed"))
+      expect(controller.current_account).to be_nil
+    end
+
     it "re-renders 2FA page when credential param is missing" do
       post account_session_path, params: { account: { email: user.email, password: password } }
 
