pub struct RpIdVerifier<P> { /* private fields */ }
Wrapper struct for verifying that a given RpId matches the request’s origin.
Most cases should not use this type directly and should use Client instead. Some cases,
however, need to check an RpId in the same way that the client does, but without
the rest of the pieces that the client needs.
Implementations
impl<P> RpIdVerifier<P>
where
    P: EffectiveTLDProvider + Sync + 'static,
pub fn new(tld_provider: P) -> Self
Create a new Verifier with a given TLD provider. Most cases should just use
public_suffix::DEFAULT_PROVIDER.
pub fn allows_insecure_localhost(self, is_allowed: bool) -> Self
Allows RpIdVerifier::assert_domain to pass through requests from localhost.
pub fn assert_domain<'a>(
    &self,
    origin: &'a Origin<'_>,
    rp_id: Option<&'a str>,
) -> Result<&'a str, WebauthnError>
Parse the given Relying Party Id and verify it against the origin url of the request.
This follows the steps defined in: https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to
Returns the effective domain on success, or a WebauthnError on failure.
pub fn is_valid_rp_id(&self, rp_id: &str) -> bool
Parse a given Relying Party ID and assert that it is valid to act as such.
This method is only to assert that an RP ID passes the required checks.
In order to ensure that a request’s origin is in accordance with its claimed RP ID,
Self::assert_domain should be used.
There are several checks that an RP ID must pass:
- An RP ID set to localhost is only allowed when explicitly enabled with Self::allows_insecure_localhost.
- An RP ID must not be part of the public suffix list, since that would allow it to act as a credential for unrelated services by other entities.
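
The checks described above, as an added stand-alone sketch; it is not passkey-client's own code. The names `check_rp_id`, `check_against_origin`, `RpIdError` and `SAMPLE_PUBLIC_SUFFIXES` are hypothetical, the suffix list is a constructed sample, and hosts are assumed to be lowercase DNS names already extracted from the origin (scheme checks are omitted).

```rust
// Added illustration, not passkey-client's code.
// CONSTRUCTED sample entries; a real verifier consults the full public suffix list.
const SAMPLE_PUBLIC_SUFFIXES: &[&str] = &["com", "uk", "co.uk", "github.io"];

#[derive(Debug, PartialEq)]
enum RpIdError {
    InsecureLocalhost,
    PublicSuffix,
    OriginMismatch,
}

/// Checks on the RP ID alone: the localhost opt-in and the public-suffix rule.
fn check_rp_id(rp_id: &str, allow_localhost: bool) -> Result<(), RpIdError> {
    if rp_id == "localhost" {
        return if allow_localhost { Ok(()) } else { Err(RpIdError::InsecureLocalhost) };
    }
    if SAMPLE_PUBLIC_SUFFIXES.iter().any(|s| *s == rp_id) {
        return Err(RpIdError::PublicSuffix);
    }
    Ok(())
}

/// Checks the RP ID against the origin's host and returns the RP ID in effect.
fn check_against_origin<'a>(
    host: &'a str,
    rp_id: Option<&'a str>,
    allow_localhost: bool,
) -> Result<&'a str, RpIdError> {
    // WebAuthn defaults an absent RP ID to the origin's effective domain.
    let rp_id = rp_id.unwrap_or(host);
    check_rp_id(rp_id, allow_localhost)?;
    // Equal, or a suffix that starts on a label boundary ("evil-example.com" must fail).
    let aligned = host
        .strip_suffix(rp_id)
        .map_or(false, |rest| rest.is_empty() || rest.ends_with('.'));
    if aligned { Ok(rp_id) } else { Err(RpIdError::OriginMismatch) }
}

fn main() {
    let cases = [("login.example.com", "example.com"), ("evil-example.com", "example.com")];
    for (host, rp) in cases {
        println!("{} / {}: {:?}", host, rp, check_against_origin(host, Some(rp), false));
    }
}
```

A plain string-suffix test without the label-boundary check would accept `evil-example.com` for the RP ID `example.com`, which is the failure the aligned comparison guards against.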