Polish up Passkey interface

- Fix indentation
- Split awkward initializer into separate methods
- Rename credentials to passkeys
- Simplify authenticator registry loading
- Flatten nested errors under ActionPack::WebAuthn
- Set passkey current params only requests that use it
- Inline anemic methods
- Replace custom validation with ActiveModel::Validation
- Rename identity to holder in Passkey
- Rename credentials to passkeys in JS
- Extract framework library out of controllers
- Pass params hashes down to ActionPack
- Attempt to simplify public interface
- Push data decoding down to the classes representing the data
- Introduce has_passkeys
- Add CBOR bigint support
- Rename ActionPack::WebAuthn::Passkey to ActionPack::Passkey
- Add create_passkey_button helper
- Rename public-key to creation-options
- Add sign_in_with_passkey_button helper
- Dispatch events for the whole Passkey lifecycle
- Add ED25519 support
- Prevent crash on missing meta tag
- Validate resident key options
- Don't clobber existing ActionPack config options
- Validate cryptographic params
- Move CurrentWebAuthnRequest into ActionPack::Passkey
- Use ActiveModel::Attributes for Options objects
- Implement expiring challanges
- Add lifecycle events
- Extract param helpers into Request
- Add passkey_creation_options and passkey_request_options helpers
- Add create_passkey_challenge to make it easier to override the create method if needed
- Prefix all view helpers with passkey_
- Auto-include ActionPack::Passkey::Holder
- Make the passkey challange url configurable
- Add a reminder about Passkeys to the magic link email
This commit is contained in:
Stanko K.R.
2026-03-04 14:12:40 +01:00
parent f4fbe17b22
commit 017bcc9ce1
73 changed files with 2326 additions and 1103 deletions
@@ -0,0 +1,33 @@
require "test_helper"
class My::PasskeyChallengesControllerTest < ActionDispatch::IntegrationTest
test "returns a fresh challenge" do
untenanted do
post my_passkey_challenge_url
assert_response :success
assert_not_nil response.parsed_body["challenge"]
end
end
test "stores challenge in cookie" do
untenanted do
post my_passkey_challenge_url
jar = ActionDispatch::Cookies::CookieJar.build(request, cookies.to_hash)
assert_equal response.parsed_body["challenge"], jar.encrypted[ActionPack::Passkey::ChallengesController::COOKIE_NAME]
end
end
test "returns a different challenge each time" do
untenanted do
post my_passkey_challenge_url
first_challenge = response.parsed_body["challenge"]
post my_passkey_challenge_url
second_challenge = response.parsed_body["challenge"]
assert_not_equal first_challenge, second_challenge
end
end
end
@@ -0,0 +1,26 @@
require "test_helper"
class My::PasskeysControllerTest < ActionDispatch::IntegrationTest
include WebauthnTestHelper
setup do
sign_in_as :kevin
end
test "index" do
get my_passkeys_path
assert_response :success
end
test "register a passkey" do
challenge = request_webauthn_challenge
assert_difference -> { identities(:kevin).passkeys.count }, 1 do
post my_passkeys_path, params: build_attestation_params(challenge: challenge)
end
passkey = identities(:kevin).passkeys.order(created_at: :desc).first
assert_redirected_to edit_my_passkey_path(passkey, created: true)
assert_equal [ "internal" ], passkey.transports
end
end
@@ -1,14 +1,15 @@
require "test_helper"
class Sessions::PasskeysControllerTest < ActionDispatch::IntegrationTest
include WebauthnTestHelper
setup do
@identity = identities(:kevin)
@private_key = OpenSSL::PKey::EC.generate("prime256v1")
@credential = @identity.credentials.create!(
@credential = @identity.passkeys.create!(
name: "Test Passkey",
credential_id: Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false),
public_key: @private_key.public_to_der,
public_key: webauthn_private_key.public_to_der,
sign_count: 0,
transports: [ "internal" ]
)
@@ -16,10 +17,9 @@ class Sessions::PasskeysControllerTest < ActionDispatch::IntegrationTest
test "successful authentication" do
untenanted do
get new_session_url
challenge = session[:webauthn_challenge]
challenge = request_webauthn_challenge
post session_passkey_url, params: assertion_params(challenge: challenge)
post session_passkey_url, params: build_assertion_params(challenge: challenge, credential: @credential)
assert_response :redirect
assert cookies[:session_token].present?
@@ -29,10 +29,9 @@ class Sessions::PasskeysControllerTest < ActionDispatch::IntegrationTest
test "updates sign count" do
untenanted do
get new_session_url
challenge = session[:webauthn_challenge]
challenge = request_webauthn_challenge
post session_passkey_url, params: assertion_params(challenge: challenge, sign_count: 1)
post session_passkey_url, params: build_assertion_params(challenge: challenge, credential: @credential, sign_count: 1)
assert_equal 1, @credential.reload.sign_count
end
@@ -40,10 +39,9 @@ class Sessions::PasskeysControllerTest < ActionDispatch::IntegrationTest
test "rejects invalid signature" do
untenanted do
get new_session_url
challenge = session[:webauthn_challenge]
challenge = request_webauthn_challenge
params = assertion_params(challenge: challenge)
params = build_assertion_params(challenge: challenge, credential: @credential)
params[:passkey][:signature] = Base64.urlsafe_encode64("invalid", padding: false)
post session_passkey_url, params: params
@@ -56,7 +54,7 @@ class Sessions::PasskeysControllerTest < ActionDispatch::IntegrationTest
test "rejects unknown credential" do
untenanted do
get new_session_url
request_webauthn_challenge
post session_passkey_url, params: {
passkey: {
@@ -74,10 +72,9 @@ class Sessions::PasskeysControllerTest < ActionDispatch::IntegrationTest
test "successful authentication via JSON" do
untenanted do
get new_session_url
challenge = session[:webauthn_challenge]
challenge = request_webauthn_challenge
post session_passkey_url(format: :json), params: assertion_params(challenge: challenge)
post session_passkey_url(format: :json), params: build_assertion_params(challenge: challenge, credential: @credential)
assert_response :success
assert @response.parsed_body["session_token"].present?
@@ -86,7 +83,7 @@ class Sessions::PasskeysControllerTest < ActionDispatch::IntegrationTest
test "failed authentication via JSON" do
untenanted do
get new_session_url
request_webauthn_challenge
post session_passkey_url(format: :json), params: {
passkey: {
@@ -101,44 +98,4 @@ class Sessions::PasskeysControllerTest < ActionDispatch::IntegrationTest
assert_equal "That passkey didn't work. Try again.", @response.parsed_body["message"]
end
end
private
def assertion_params(challenge:, sign_count: 1)
origin = "http://www.example.com"
client_data_json = {
challenge: challenge,
origin: origin,
type: "webauthn.get"
}.to_json
authenticator_data = build_authenticator_data(sign_count: sign_count)
signature = sign(authenticator_data, client_data_json)
{
passkey: {
id: @credential.credential_id,
client_data_json: client_data_json,
authenticator_data: Base64.urlsafe_encode64(authenticator_data, padding: false),
signature: Base64.urlsafe_encode64(signature, padding: false)
}
}
end
def build_authenticator_data(sign_count:)
rp_id_hash = Digest::SHA256.digest("www.example.com")
flags = 0x01 | 0x04 # user present + user verified
bytes = []
bytes.concat(rp_id_hash.bytes)
bytes << flags
bytes.concat([ sign_count ].pack("N").bytes)
bytes.pack("C*")
end
def sign(authenticator_data, client_data_json)
client_data_hash = Digest::SHA256.digest(client_data_json)
signed_data = authenticator_data + client_data_hash
@private_key.sign("SHA256", signed_data)
end
end