feat: validate userHandle in PasskeyAuthenticatable strategy

Author: santiagorodriguez96

lib/devise/strategies/passkey_authenticatable.rb

@@ -9,13 +9,13 @@ def valid?
 
       def authenticate!
         passkey_from_params = WebAuthn::Credential.from_get(JSON.parse(passkey_param))
-        stored_passkey = WebauthnCredential.passkey.find_by(external_id: passkey_from_params.id)
+        resource = resource_class.find_by(webauthn_id: passkey_from_params.user_handle)
+        stored_passkey = resource&.passkeys&.find_by(external_id: passkey_from_params.id)
 
         return fail!(:passkey_not_found) if stored_passkey.blank?
 
         verify_passkeys(passkey_from_params, stored_passkey)
 
-        resource = stored_passkey.public_send(resource_name)
         success!(resource)
       rescue WebAuthn::Error
         fail!(:passkey_verification_failed)
@@ -40,8 +40,8 @@ def verify_passkeys(passkey_from_params, stored_passkey)
         stored_passkey.update!(sign_count: passkey_from_params.sign_count)
       end
 
-      def resource_name
-        mapping.to.name.underscore
+      def resource_class
+        mapping.to
       end
     end
   end

spec/requests/devise/passkey_authentication_spec.rb

@@ -22,11 +22,12 @@ def create_passkey_for(account, fake_client)
     )
   end
 
-  def generate_assertion(fake_client, challenge:, credential:)
+  def generate_assertion(fake_client, challenge:, credential:, user_handle: nil)
     fake_client.get(
       challenge: challenge,
       allow_credentials: [credential.external_id],
-      user_verified: true
+      user_verified: true,
+      user_handle: user_handle
     )
   end
 
@@ -43,7 +44,8 @@ def generate_assertion(fake_client, challenge:, credential:)
       assertion = generate_assertion(
         client,
         challenge: session[:authentication_challenge],
-        credential: passkey
+        credential: passkey,
+        user_handle: WebAuthn.configuration.encoder.decode(user.webauthn_id)
       )
 
       expect do
@@ -64,7 +66,8 @@ def generate_assertion(fake_client, challenge:, credential:)
       assertion = generate_assertion(
         client,
         challenge: session[:authentication_challenge],
-        credential: passkey
+        credential: passkey,
+        user_handle: WebAuthn.configuration.encoder.decode(user.webauthn_id)
       )
       passkey.destroy!
 
@@ -83,7 +86,8 @@ def generate_assertion(fake_client, challenge:, credential:)
 
       assertion = client.get(
         challenge: WebAuthn.configuration.encoder.encode("invalid_challenge"),
-        allow_credentials: [passkey.external_id]
+        allow_credentials: [passkey.external_id],
+        user_handle: WebAuthn.configuration.encoder.decode(user.webauthn_id)
       )
 
       post account_session_path, params: {
@@ -96,6 +100,45 @@ def generate_assertion(fake_client, challenge:, credential:)
       expect(controller.current_account).to be_nil
     end
 
+    it "rejects sign-in when userHandle is missing from the response" do
+      get new_account_session_path
+
+      assertion = client.get(
+        challenge: session[:authentication_challenge],
+        allow_credentials: [passkey.external_id],
+        user_verified: true
+      )
+
+      post account_session_path, params: {
+        public_key_credential: assertion.to_json
+      }
+
+      expect(response).to have_http_status(:unprocessable_entity)
+      expect(flash[:alert]).to eq(I18n.t("devise.failure.passkey_not_found"))
+      expect(controller.current_account).to be_nil
+    end
+
+    it "rejects sign-in when userHandle does not match the passkey owner" do
+      other_user = Account.create!(email: "other@example.com", password: password)
+
+      get new_account_session_path
+
+      assertion = client.get(
+        challenge: session[:authentication_challenge],
+        allow_credentials: [passkey.external_id],
+        user_verified: true,
+        user_handle: WebAuthn.configuration.encoder.decode(other_user.webauthn_id)
+      )
+
+      post account_session_path, params: {
+        public_key_credential: assertion.to_json
+      }
+
+      expect(response).to have_http_status(:unprocessable_entity)
+      expect(flash[:alert]).to eq(I18n.t("devise.failure.passkey_not_found"))
+      expect(controller.current_account).to be_nil
+    end
+
     it "fails when credential param is missing" do
       post account_session_path, params: {}