From de2cfea107cff4fb98fc81be692d0b83cf597398 Mon Sep 17 00:00:00 2001
From: sebadob
Date: Mon, 21 Oct 2024 10:40:31 +0200
Subject: [PATCH] fix: missing CSRF token on passkey reg start for new user (#593)

---
 src/api/src/users.rs | 4 ++--
 src/api_types/src/users.rs | 4 ----
 src/service/src/password_reset.rs | 6 ------
 3 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/src/api/src/users.rs b/src/api/src/users.rs
index 65568d16..f1b34e08 100644
--- a/src/api/src/users.rs
+++ b/src/api/src/users.rs
@@ -15,7 +15,7 @@ use rauthy_api_types::users::{
 };
 use rauthy_common::constants::{
 COOKIE_MFA, ENABLE_WEB_ID, HEADER_ALLOW_ALL_ORIGINS, HEADER_HTML, HEADER_JSON, OPEN_USER_REG,
- PWD_RESET_COOKIE, SSP_THRESHOLD, TEXT_TURTLE, USER_REG_DOMAIN_BLACKLIST,
+ PWD_CSRF_HEADER, PWD_RESET_COOKIE, SSP_THRESHOLD, TEXT_TURTLE, USER_REG_DOMAIN_BLACKLIST,
 USER_REG_DOMAIN_RESTRICTION,
 };
 use rauthy_common::utils::real_ip_from_req;
@@ -943,7 +943,7 @@ pub async fn post_webauthn_reg_start(
 ) -> Result {
 // If we have a magic link ID in the payload, we do not validate the active session / principal.
 // This is mandatory to make registering a passkey for a completely new account work.
- if req_data.magic_link_id.is_some() && req_data.email.is_some() {
+ if req_data.magic_link_id.is_some() && req.headers().get(PWD_CSRF_HEADER).is_some() {
 password_reset::handle_put_user_passkey_start(
 &data,
 req,
diff --git a/src/api_types/src/users.rs b/src/api_types/src/users.rs
index 1a939b83..73aaecea 100644
--- a/src/api_types/src/users.rs
+++ b/src/api_types/src/users.rs
@@ -227,10 +227,6 @@ pub struct WebauthnRegStartRequest {
 /// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
 #[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
 pub passkey_name: String,
-
- /// Validation: `email`
- #[validate(email)]
- pub email: Option,
 /// Validation: `[a-zA-Z0-9]{64}`
 #[validate(regex(path = "*RE_ALNUM_64", code = "[a-zA-Z0-9]{64}"))]
 pub magic_link_id: Option,
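Review bot: In `post_webauthn_reg_start` (src/api/src/users.rs, hunk at -943) the new condition `req.headers().get(PWD_CSRF_HEADER).is_some()` tests only that the header is present, yet this is the branch that skips active session / principal validation. Presence is fully client-controlled, so the real protection has to be a comparison of the header value against the magic link inside `password_reset::handle_put_user_passkey_start`, which is not visible here and which loses its e-mail comparison in this same commit; that value check should be confirmed and covered by a test that sends a wrong token. The comment above the condition still names only the magic link ID, so I would add `// PWD_CSRF_HEADER presence only selects this path; its value must be validated in handle_put_user_passkey_start.` The comment `// validate user_id / given email address` kept as context in src/service/src/password_reset.rs no longer matches the code once the e-mail check is removed. The function body continues outside the hunk.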
diff --git a/src/service/src/password_reset.rs b/src/service/src/password_reset.rs
index ff81f153..286e744b 100644
--- a/src/service/src/password_reset.rs
+++ b/src/service/src/password_reset.rs
@@ -70,12 +70,6 @@ pub async fn handle_put_user_passkey_start<'a>(
 // validate user_id / given email address
 debug!("getting user");
 let user = User::find(data, user_id).await?;
- if req_data.email != Some(user.email) {
- return Err(ErrorResponse::new(
- ErrorResponseType::BadRequest,
- String::from("E-Mail does not match for this user"),
- ));
- }
 debug!("getting magic link");
 // unwrap is safe -> checked in API endpoint already