def __init__(self, user_id, username, display_name, icon_url,
             credential_id, public_key, sign_count, rp_id):
    """Hold the Relying Party's stored record for one registered credential.

    The object is a plain data carrier; the only validation done here is
    that the two fields without which no lookup or origin check is possible
    are present. The remaining fields are checked later by the assertion
    verification code in this file (public_key must be non-empty,
    username must be non-empty, sign_count must be a non-negative int),
    so a record constructed with missing values fails at verify time
    rather than here.

    Args:
        user_id: Relying Party identifier of the account owner.
        username: Account name; the verification code compares the
            assertion's userHandle against this value when one is sent.
        display_name: Human-readable name of the account.
        icon_url: Optional icon for the account.
        credential_id: Identifier of the registered credential (required).
        public_key: Stored credential public key; the verification code
            base64url-decodes it and parses it as a COSE key.
        sign_count: Signature counter persisted from the last successful
            authentication. The verification code rejects an assertion whose
            counter is not strictly greater than this value, so it must be
            updated after every accepted authentication or clone detection
            silently degrades.
        rp_id: Relying Party ID the credential was registered for (required).

    Raises:
        WebAuthnUserDataMissing: if ``credential_id`` or ``rp_id`` is empty.
    """
    # Required fields are checked in this order so the first missing one
    # names itself in the error.
    for label, value in (("credential_id", credential_id), ("rp_id", rp_id)):
        if not value:
            raise WebAuthnUserDataMissing("{} missing".format(label))

    # Account identity.
    self.user_id = user_id
    self.username = username
    self.display_name = display_name
    self.icon_url = icon_url

    # Credential material and replay-detection state.
    self.credential_id = credential_id
    self.public_key = public_key
    self.sign_count = sign_count
    self.rp_id = rp_id
# private key may exist and are being used in parallel.
# Relying Parties should incorporate this information
# into their risk scoring. Whether the Relying Party
# updates the stored signature counter value in this
# case, or not, or fails the authentication ceremony
# or not, is Relying Party-specific.
sc = decoded_a_data[33:37]
sign_count = struct.unpack('!I', sc)[0]
if not sign_count:
raise AuthenticationRejectedException('Unable to parse sign_count.')
if (isinstance(self.webauthn_user.sign_count, int) and
self.webauthn_user.sign_count < 0) or not isinstance(
self.webauthn_user.sign_count, int):
raise WebAuthnUserDataMissing('sign_count missing from WebAuthnUser.')
if sign_count <= self.webauthn_user.sign_count:
raise AuthenticationRejectedException(
'Duplicate authentication detected.')
# Step 18.
#
# If all the above steps are successful, continue with the
# authentication ceremony as appropriate. Otherwise, fail the
# authentication ceremony.
return sign_count
except Exception as e:
raise AuthenticationRejectedException(
'Authentication rejected. Error: {}.'.format(e))
raise AuthenticationRejectedException(
'Invalid credential.')
# Step 3.
#
# Using credential's id attribute (or the corresponding rawId, if
# base64url encoding is inappropriate for your use case), look up
# the corresponding credential public key.
if not _validate_credential_id(self.webauthn_user.credential_id):
raise AuthenticationRejectedException('Invalid credential ID.')
if not isinstance(self.webauthn_user, WebAuthnUser):
raise AuthenticationRejectedException('Invalid user type.')
if not self.webauthn_user.public_key:
raise WebAuthnUserDataMissing("public_key missing")
credential_public_key = self.webauthn_user.public_key
public_key_alg, user_pubkey = _load_cose_public_key(
_webauthn_b64_decode(credential_public_key))
# Step 4.
#
# Let cData, aData and sig denote the value of credential's
# response's clientDataJSON, authenticatorData, and signature
# respectively.
c_data = self.assertion_response.get('clientData')
a_data = self.assertion_response.get('authData')
decoded_a_data = _webauthn_b64_decode(a_data)
sig = binascii.unhexlify(self.assertion_response.get('signature'))
# Step 5.
# If the allowCredentials option was given when this authentication
# ceremony was initiated, verify that credential.id identifies one
# of the public key credentials that were listed in allowCredentials.
cid = self.assertion_response.get('id')
if self.allow_credentials:
if cid not in self.allow_credentials:
raise AuthenticationRejectedException(
'Invalid credential.')
# Step 2.
#
# If credential.response.userHandle is present, verify that the user
# identified by this value is the owner of the public key credential
# identified by credential.id.
if not self.webauthn_user.username:
raise WebAuthnUserDataMissing("username missing")
user_handle = self.assertion_response.get('userHandle')
if user_handle:
if not user_handle == self.webauthn_user.username:
raise AuthenticationRejectedException(
'Invalid credential.')
# Step 3.
#
# Using credential's id attribute (or the corresponding rawId, if
# base64url encoding is inappropriate for your use case), look up
# the corresponding credential public key.
if not _validate_credential_id(self.webauthn_user.credential_id):
raise AuthenticationRejectedException('Invalid credential ID.')
if not isinstance(self.webauthn_user, WebAuthnUser):
def __init__(self, user_id, username, display_name, icon_url,
             credential_id, public_key, sign_count, rp_id):
    """Construct the RP-side record of a registered WebAuthn credential.

    Only ``credential_id`` and ``rp_id`` are validated on construction.
    The assertion verification code in this file enforces the rest when it
    runs: ``public_key`` and ``username`` must be non-empty and
    ``sign_count`` must be a non-negative ``int``, otherwise it raises
    ``WebAuthnUserDataMissing`` at that point.

    Args:
        user_id: Identifier of the account owning the credential.
        username: Account name, matched against the assertion's userHandle
            by the verification code when the client supplies one.
        display_name: Human-readable account name.
        icon_url: Optional account icon URL.
        credential_id: Registered credential ID; must be non-empty.
        public_key: Base64url-encoded COSE public key stored at registration.
        sign_count: Last signature counter accepted for this credential. The
            verification code treats an assertion counter that is not
            strictly greater than this as a replay/clone indicator, so the
            stored value must be refreshed after each successful
            authentication.
        rp_id: Relying Party ID; must be non-empty.

    Raises:
        WebAuthnUserDataMissing: when ``credential_id`` or ``rp_id`` is
            empty (``credential_id`` is reported first if both are).
    """
    missing = (
        "credential_id" if not credential_id
        else "rp_id" if not rp_id
        else None
    )
    if missing is not None:
        raise WebAuthnUserDataMissing(missing + " missing")

    self.user_id = user_id
    self.username = username
    self.display_name = display_name
    self.icon_url = icon_url
    self.credential_id = credential_id
    self.public_key = public_key
    # Kept as given; the verification code expects a non-negative int here.
    self.sign_count = sign_count
    self.rp_id = rp_id