cedarcode · randikabanura · Aug 11, 2025 · Aug 11, 2025 · randikabanura · Aug 11, 2025
diff --git a/lib/webauthn/authenticator_response.rb b/lib/webauthn/authenticator_response.rb
@@ -91,7 +91,7 @@
     def valid_origin?(expected_origin)
       return false unless expected_origin
 
-      expected_origin.include?(client_data.origin)
+      Array(expected_origin).any? { |allowed_origin| allowed_origin === client_data.origin }
-      Array(expected_origin).any? { |allowed_origin| allowed_origin === client_data.origin }
+      expected_origin.any? { |allowed_origin| allowed_origin === client_data.origin }
-      Array(expected_origin).any? { |allowed_origin| allowed_origin === client_data.origin }
+      expected_origin.any? { |allowed_origin| allowed_origin === client_data.origin }
     end
 
     def valid_rp_id?(rp_id)
@@ -115,7 +115,9 @@
     end
 
     def rp_id_from_origin(expected_origin)
-      URI.parse(expected_origin.first).host if expected_origin.size == 1
+      return unless valid_origin?(expected_origin)
+
+      URI.parse(client_data.origin).host if expected_origin.size == 1
     end
 
     def type

diff --git a/lib/webauthn/fake_client.rb b/lib/webauthn/fake_client.rb
@@ -160,6 +160,10 @@ def fake_origin
       "http://localhost#{rand(1000)}.test"
     end
 
+    def fake_wildcard_origin
+      /http:\/\/localhost.*/
+    end
+
     def type_for(method)
       TYPES[method]
     end

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -63,6 +63,10 @@ def fake_origin
   "http://localhost"
 end
 
+def fake_wildcard_origin
+  /http:\/\/localhost.*/
+end
+
 def fake_challenge
   SecureRandom.random_bytes(32)
 end

diff --git a/spec/webauthn/authenticator_assertion_response_spec.rb b/spec/webauthn/authenticator_assertion_response_spec.rb
@@ -12,8 +12,8 @@
   let!(:credential) { create_credential(client: client) }
   let(:credential_public_key) { credential[1] }
 
-  let(:origin) { fake_origin }
-  let(:actual_origin) { origin }
+  let(:origin) { fake_wildcard_origin }
+  let(:actual_origin) { fake_origin }
   let(:original_challenge) { fake_challenge }
   let(:assertion) { client.get(challenge: original_challenge) }
   let(:authenticator_data) { assertion["response"]["authenticatorData"] }
@@ -429,7 +429,7 @@
             original_challenge,
             public_key: credential_public_key,
             sign_count: 0,
-            rp_id: URI.parse(origin).host
+            rp_id: URI.parse(actual_origin).host
           )
         ).to be_truthy
       end
@@ -440,7 +440,7 @@
             original_challenge,
             public_key: credential_public_key,
             sign_count: 0,
-            rp_id: URI.parse(origin).host
+            rp_id: URI.parse(actual_origin).host
           )
         ).to be_truthy
       end