Merge pull request from GHSA-v9hx-v6vf-g36j

Release 0.9.1
webauthn4j · Oct 16, 2023 · 129700d · 129700d
2 parents ad81ea0 + 8726269
commit 129700d
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ If you are using Maven, just add the webauthn4j-spring-security as a dependency:
 <properties>
   ...
   <!-- Use the latest version whenever possible. -->
-  <webauthn4j-spring-security.version>0.9.0.RELEASE</webauthn4j-spring-security.version>
+  <webauthn4j-spring-security.version>0.9.1.RELEASE</webauthn4j-spring-security.version>
   ...
 </properties>
 

diff --git a/gradle.properties b/gradle.properties
@@ -13,5 +13,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-webAuthn4JSpringSecurityVersion=0.9.1-SNAPSHOT
-latestReleasedWebAuthn4JSpringSecurityVersion=0.9.0.RELEASE
+webAuthn4JSpringSecurityVersion=0.9.1.RELEASE
+latestReleasedWebAuthn4JSpringSecurityVersion=0.9.1.RELEASE
diff --git a/samples/spa/src/test/java/e2e/RegistrationAndAuthenticationE2ETest.java b/samples/spa/src/test/java/e2e/RegistrationAndAuthenticationE2ETest.java
@@ -16,6 +16,7 @@
 
 package e2e;
 
+import com.webauthn4j.springframework.security.authenticator.WebAuthnAuthenticatorService;
 import com.webauthn4j.springframework.security.webauthn.sample.SampleSPA;
 import e2e.page.AuthenticatorLoginComponent;
 import e2e.page.PasswordLoginComponent;
@@ -34,18 +35,24 @@
 import org.openqa.selenium.support.ui.WebDriverWait;
 import org.openqa.selenium.virtualauthenticator.HasVirtualAuthenticator;
 import org.openqa.selenium.virtualauthenticator.VirtualAuthenticatorOptions;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.junit4.SpringRunner;
 
 import java.time.Duration;
 
+import static org.assertj.core.api.Assertions.assertThat;
+
 @RunWith(SpringRunner.class)
 @SpringBootTest(classes = SampleSPA.class, webEnvironment = SpringBootTest.WebEnvironment.DEFINED_PORT)
 public class RegistrationAndAuthenticationE2ETest {
 
     private WebDriver driver;
     private WebDriverWait wait;
 
+    @Autowired
+    private WebAuthnAuthenticatorService webAuthnAuthenticatorService;
+
     @BeforeClass
     public static void setupClassTest() {
         WebDriverManager.chromedriver().setup();
@@ -86,8 +93,10 @@ public void test() {
         signupComponent.waitRegisterClickable();
         signupComponent.clickRegister();
 
-        // Password authentication
         wait.until(ExpectedConditions.urlToBe("http://localhost:8080/angular/login"));
+        long counterValueAtRegistrationPhase = webAuthnAuthenticatorService.loadAuthenticatorsByUserPrincipal("john.doe@example.com").get(0).getCounter();
+
+        // Password authentication
         PasswordLoginComponent passwordLoginComponent = new PasswordLoginComponent(driver);
         passwordLoginComponent.setUsername("john.doe@example.com");
         passwordLoginComponent.setPassword("password");
@@ -98,6 +107,10 @@ public void test() {
         // nop
 
         wait.until(ExpectedConditions.urlToBe("http://localhost:8080/angular/profile"));
+        long counterValueAtAuthenticationPhase = webAuthnAuthenticatorService.loadAuthenticatorsByUserPrincipal("john.doe@example.com").get(0).getCounter();
+
+        assertThat(counterValueAtAuthenticationPhase).isGreaterThan(counterValueAtRegistrationPhase);
+
         ProfileComponent profileComponent = new ProfileComponent(driver);
 
     }

diff --git a/...src/main/java/com/webauthn4j/springframework/security/WebAuthnAuthenticationProvider.java b/...src/main/java/com/webauthn4j/springframework/security/WebAuthnAuthenticationProvider.java
@@ -136,13 +136,7 @@ void doAuthenticate(WebAuthnAssertionAuthenticationToken authenticationToken, We
         );
         AuthenticationParameters authenticationParameters = new AuthenticationParameters(
                 parameters.getServerProperty(),
-                new AuthenticatorImpl(
-                        webAuthnAuthenticator.getAttestedCredentialData(),
-                        webAuthnAuthenticator.getAttestationStatement(),
-                        webAuthnAuthenticator.getCounter(),
-                        webAuthnAuthenticator.getTransports(),
-                        webAuthnAuthenticator.getClientExtensions(),
-                        webAuthnAuthenticator.getAuthenticatorExtensions()),
+                webAuthnAuthenticator,
                 null,
                 parameters.isUserVerificationRequired(),
                 parameters.isUserPresenceRequired()