Use allowed_origins instead of origin argument to WebAuthn::RelyingParty.new to avoid deprecation warning in webauthn 3.4.0+

jeremyevans · jeremyevans · commit 84833ee367ee · 2025-04-22T13:04:15.000-07:00
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,7 @@
 === master
 
+* Use allowed_origins instead of origin argument to WebAuthn::RelyingParty.new to avoid deprecation warning in webauthn 3.4.0+ (jeremyevans)
+
 * Change JSON.fast_generate to JSON.generate in jwt feature to avoid deprecation warning in recent json versions (jeremyevans)
 
 * Avoid exceeding 4K cookie size limit by setting an upper limit on path size when using login_return_to_requested_location? (jeremyevans)
diff --git a/lib/rodauth/features/webauthn.rb b/lib/rodauth/features/webauthn.rb
@@ -410,13 +410,25 @@ def possible_authentication_methods
     private
 
     if WebAuthn::VERSION >= '3'
-      def webauthn_relying_party
-        # No need to memoize, only called once per request
-        WebAuthn::RelyingParty.new(
-          origin: webauthn_origin,
-          id: webauthn_rp_id,
-          name: webauthn_rp_name,
-        )
+      if WebAuthn::RelyingParty.instance_method(:initialize).parameters.include?([:key, :allowed_origins])
+        def webauthn_relying_party
+          # No need to memoize, only called once per request
+          WebAuthn::RelyingParty.new(
+            allowed_origins: [webauthn_origin],
+            id: webauthn_rp_id,
+            name: webauthn_rp_name,
+          )
+        end
+      # :nocov:
+      else
+        def webauthn_relying_party
+          WebAuthn::RelyingParty.new(
+            origin: webauthn_origin,
+            id: webauthn_rp_id,
+            name: webauthn_rp_name,
+          )
+        end
+      # :nocov:
       end
 
       def webauthn_create_relying_party_opts
