fix: missing CSRF token on passkey reg start for new user (#593)

sebadob · Oct 21, 2024 · de2cfea · de2cfea
1 parent 1ef1353
commit de2cfea
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 12 deletions.
diff --git a/src/api/src/users.rs b/src/api/src/users.rs
@@ -15,7 +15,7 @@ use rauthy_api_types::users::{
 };
 use rauthy_common::constants::{
     COOKIE_MFA, ENABLE_WEB_ID, HEADER_ALLOW_ALL_ORIGINS, HEADER_HTML, HEADER_JSON, OPEN_USER_REG,
-    PWD_RESET_COOKIE, SSP_THRESHOLD, TEXT_TURTLE, USER_REG_DOMAIN_BLACKLIST,
+    PWD_CSRF_HEADER, PWD_RESET_COOKIE, SSP_THRESHOLD, TEXT_TURTLE, USER_REG_DOMAIN_BLACKLIST,
     USER_REG_DOMAIN_RESTRICTION,
 };
 use rauthy_common::utils::real_ip_from_req;
@@ -943,7 +943,7 @@ pub async fn post_webauthn_reg_start(
 ) -> Result<HttpResponse, ErrorResponse> {
     // If we have a magic link ID in the payload, we do not validate the active session / principal.
     // This is mandatory to make registering a passkey for a completely new account work.
-    if req_data.magic_link_id.is_some() && req_data.email.is_some() {
+    if req_data.magic_link_id.is_some() && req.headers().get(PWD_CSRF_HEADER).is_some() {
         password_reset::handle_put_user_passkey_start(
             &data,
             req,

diff --git a/src/api_types/src/users.rs b/src/api_types/src/users.rs
@@ -227,10 +227,6 @@ pub struct WebauthnRegStartRequest {
     /// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
     #[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
     pub passkey_name: String,
-
-    /// Validation: `email`
-    #[validate(email)]
-    pub email: Option<String>,
     /// Validation: `[a-zA-Z0-9]{64}`
     #[validate(regex(path = "*RE_ALNUM_64", code = "[a-zA-Z0-9]{64}"))]
     pub magic_link_id: Option<String>,

diff --git a/src/service/src/password_reset.rs b/src/service/src/password_reset.rs
@@ -70,12 +70,6 @@ pub async fn handle_put_user_passkey_start<'a>(
     // validate user_id / given email address
     debug!("getting user");
     let user = User::find(data, user_id).await?;
-    if req_data.email != Some(user.email) {
-        return Err(ErrorResponse::new(
-            ErrorResponseType::BadRequest,
-            String::from("E-Mail does not match for this user"),
-        ));
-    }
 
     debug!("getting magic link");
     // unwrap is safe -> checked in API endpoint already