From aca5fc83158cac2866a9869a16780ea4c53535c5 Mon Sep 17 00:00:00 2001
From: Max Batischev <mblancer@mail.ru>
Date: Mon, 23 Dec 2024 13:42:52 +0300
Subject: [PATCH] WebAuthnDsl Bug Fix

Closes gh-16338
---
 .../config/annotation/web/WebAuthnDsl.kt      | 13 ++--
 .../config/annotation/web/WebAuthnDslTests.kt | 75 ++++++++++++++++++-
 2 files changed, 82 insertions(+), 6 deletions(-)

diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt
index 1624817431e..ea56729de53 100644
--- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,18 +26,21 @@ import org.springframework.security.config.annotation.web.configurers.WebAuthnCo
  * @property the allowed origins
  * @since 6.4
  * @author Rob Winch
+ * @author Max Batischev
  */
 @SecurityMarker
 class WebAuthnDsl {
     var rpName: String? = null
     var rpId: String? = null
     var allowedOrigins: Set<String>? = null
+    var disableDefaultRegistrationPage: Boolean? = false
 
     internal fun get(): (WebAuthnConfigurer<HttpSecurity>) -> Unit {
-        return { webAuthn -> webAuthn
-                .rpId(rpId)
-                .rpName(rpName)
-                .allowedOrigins(allowedOrigins);
+        return { webAuthn ->
+            rpName?.also { webAuthn.rpName(rpName) }
+            rpId?.also { webAuthn.rpId(rpId) }
+            allowedOrigins?.also { webAuthn.allowedOrigins(allowedOrigins) }
+            disableDefaultRegistrationPage?.also { webAuthn.disableDefaultRegistrationPage(disableDefaultRegistrationPage!!) }
         }
     }
 }
diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt
index c0705e50bc2..b5d9652f37e 100644
--- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.config.annotation.web
 
+import org.hamcrest.Matchers
 import org.junit.jupiter.api.Test
 import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
@@ -30,7 +31,9 @@ import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.get
 import org.springframework.test.web.servlet.post
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers
 
 /**
  * Tests for [WebAuthnDsl]
@@ -80,4 +83,74 @@ class WebAuthnDslTests {
             return InMemoryUserDetailsManager(userDetails)
         }
     }
+
+    @Test
+    fun `webauthn and formLogin configured with default registration page`() {
+        spring.register(DefaultWebauthnConfig::class.java).autowire()
+
+        this.mockMvc.get("/login/webauthn.js")
+                .andExpect {
+                    MockMvcResultMatchers.status().isOk
+                    header {
+                        string("content-type", "text/javascript;charset=UTF-8")
+                    }
+                    content {
+                        string(Matchers.containsString("async function authenticate("))
+                    }
+                }
+    }
+
+    @Test
+    fun `webauthn and formLogin configured with disabled default registration page`() {
+        spring.register(FormLoginAndNoDefaultRegistrationPageConfiguration::class.java).autowire()
+
+        this.mockMvc.get("/login/webauthn.js")
+                .andExpect {
+                    MockMvcResultMatchers.status().isOk
+                    header {
+                        string("content-type", "text/javascript;charset=UTF-8")
+                    }
+                    content {
+                        string(Matchers.containsString("async function authenticate("))
+                    }
+                }
+    }
+
+    @Configuration
+    @EnableWebSecurity
+    open class DefaultWebauthnConfig {
+        @Bean
+        open fun userDetailsService(): UserDetailsService  =
+                InMemoryUserDetailsManager()
+
+
+        @Bean
+        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            http{
+                formLogin { }
+                webAuthn { }
+            }
+            return http.build()
+        }
+    }
+
+    @Configuration
+    @EnableWebSecurity
+    open class FormLoginAndNoDefaultRegistrationPageConfiguration {
+        @Bean
+        open fun userDetailsService(): UserDetailsService  =
+                InMemoryUserDetailsManager()
+
+
+        @Bean
+        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            http{
+                formLogin { }
+                webAuthn {
+                    disableDefaultRegistrationPage = true
+                }
+            }
+            return http.build()
+        }
+    }
 }