Polish up Passkey interface

- Fix indentation
- Split awkward initializer into separate methods
- Rename credentials to passkeys
- Simplify authenticator registry loading
- Flatten nested errors under ActionPack::WebAuthn
- Set passkey current params only requests that use it
- Inline anemic methods
- Replace custom validation with ActiveModel::Validation
- Rename identity to holder in Passkey
- Rename credentials to passkeys in JS
- Extract framework library out of controllers
- Pass params hashes down to ActionPack
- Attempt to simplify public interface
- Push data decoding down to the classes representing the data
- Introduce has_passkeys
- Add CBOR bigint support
- Rename ActionPack::WebAuthn::Passkey to ActionPack::Passkey
- Add create_passkey_button helper
- Rename public-key to creation-options
- Add sign_in_with_passkey_button helper
- Dispatch events for the whole Passkey lifecycle
- Add ED25519 support
- Prevent crash on missing meta tag
- Validate resident key options
- Don't clobber existing ActionPack config options
- Validate cryptographic params
- Move CurrentWebAuthnRequest into ActionPack::Passkey
- Use ActiveModel::Attributes for Options objects
- Implement expiring challanges
- Add lifecycle events
- Extract param helpers into Request
- Add passkey_creation_options and passkey_request_options helpers
- Add create_passkey_challenge to make it easier to override the create method if needed
- Prefix all view helpers with passkey_
- Auto-include ActionPack::Passkey::Holder
- Make the passkey challange url configurable
- Add a reminder about Passkeys to the magic link email
This commit is contained in:
Stanko K.R.
2026-03-04 14:12:40 +01:00
parent f4fbe17b22
commit 017bcc9ce1
73 changed files with 2326 additions and 1103 deletions
@@ -1,60 +0,0 @@
import { Controller } from "@hotwired/stimulus"
import { post } from "@rails/request.js"
import { base64urlToBuffer, bufferToBase64url } from "helpers/base64url_helpers"
export default class extends Controller {
static values = { publicKey: Object, registerUrl: String }
static targets = ["button", "error", "cancelled"]
async create() {
this.buttonTarget.disabled = true
this.errorTarget.hidden = true
this.cancelledTarget.hidden = true
try {
const publicKey = this.#prepareOptions(this.publicKeyValue)
const credential = await navigator.credentials.create({ publicKey })
await this.#registerCredential(credential)
} catch (error) {
if (error.name === "AbortError" || error.name === "NotAllowedError") {
this.cancelledTarget.hidden = false
} else {
this.errorTarget.hidden = false
}
this.buttonTarget.disabled = false
}
}
async #registerCredential(credential) {
const response = await post(this.registerUrlValue, {
body: JSON.stringify({
passkey: {
client_data_json: new TextDecoder().decode(credential.response.clientDataJSON),
attestation_object: bufferToBase64url(credential.response.attestationObject),
transports: credential.response.getTransports?.() || []
}
}),
contentType: "application/json",
responseKind: "json"
})
if (response.ok) {
const { location } = await response.json
Turbo.visit(location)
} else {
throw new Error("Registration failed")
}
}
#prepareOptions(options) {
return {
...options,
challenge: base64urlToBuffer(options.challenge),
user: { ...options.user, id: base64urlToBuffer(options.user.id) },
excludeCredentials: (options.excludeCredentials || []).map(cred => ({
...cred,
id: base64urlToBuffer(cred.id)
}))
}
}
}
@@ -1,80 +0,0 @@
import { Controller } from "@hotwired/stimulus"
import { base64urlToBuffer, bufferToBase64url } from "helpers/base64url_helpers"
export default class extends Controller {
static values = { publicKey: Object, url: String, csrfToken: String }
#abortController
connect() {
this.#attemptConditionalMediation()
}
disconnect() {
this.#abortController?.abort()
}
async #attemptConditionalMediation() {
if (!await PublicKeyCredential?.isConditionalMediationAvailable?.()) return
this.#abortController = new AbortController()
try {
const credential = await navigator.credentials.get({
publicKey: this.#prepareOptions(this.publicKeyValue),
mediation: "conditional",
signal: this.#abortController.signal
})
this.#submitAssertion(credential)
} catch (error) {
if (error.name !== "AbortError") {
console.error("Passkey error:", error)
}
}
}
#submitAssertion(credential) {
const form = document.createElement("form")
form.method = "POST"
form.action = this.urlValue
form.style.display = "none"
const fields = {
authenticity_token: this.csrfTokenValue,
"passkey[id]": credential.id,
"passkey[client_data_json]": new TextDecoder().decode(credential.response.clientDataJSON),
"passkey[authenticator_data]": bufferToBase64url(credential.response.authenticatorData),
"passkey[signature]": bufferToBase64url(credential.response.signature)
}
for (const [name, value] of Object.entries(fields)) {
const input = document.createElement("input")
input.type = "hidden"
input.name = name
input.value = value
form.appendChild(input)
}
document.body.appendChild(form)
form.submit()
}
#prepareOptions(options) {
const prepared = {
...options,
challenge: base64urlToBuffer(options.challenge)
}
if (options.allowCredentials?.length) {
prepared.allowCredentials = options.allowCredentials.map(cred => ({
...cred,
id: base64urlToBuffer(cred.id)
}))
} else {
delete prepared.allowCredentials
}
return prepared
}
}