The cookie approach seems like the more secure aproach because it ties the authentication or registration attempt to the user's browser session, but it doesn't work reliably on Chrome for Windows. Also, a simila problem pops up on Chrome for Linux if the session is used instead of a separate cookie. It looks like the browser doesn't propagate the state change through fast enough which results in some requests contaiining the new/updated cookie, and others don't, which results in sporadic failures. Since we use a signed and expiring challange we still get protection from replay attacks and tampering which enables us to omit the cookie entierly and rely on the challange's signature to prove expiration and authenticity. The only thing we lose is the ability to tie and attemp to a single browser session. See: https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-challengeURL which proposes to add the same challange fetching logic as part of the standard See: https://github.com/w3c/webauthn/issues/1856 which discusses issues that arise from having expiring challanges (which the spec recommends) See: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gjjc-pcwp-c74m which is an explot that can happen if the server isn't able to verify the authenticity of challanges that are sent outside of a cookie
Fizzy
This is the source code of Fizzy, the Kanban tracking tool for issues and ideas by 37signals.
Running your own Fizzy instance
If you want to run your own Fizzy instance, but don't need to change its code, you can use our pre-built Docker image. You'll need access to a server on which you can run Docker, and you'll need to configure some options to customize your installation.
You can find the details of how to do a Docker-based deployment in our Docker deployment guide.
If you want more flexibility to customize your Fizzy installation by changing its code, and deploy those changes to your server, then we recommend you deploy Fizzy with Kamal. You can find a complete walkthrough of doing that in our Kamal deployment guide.
Development
You are welcome -- and encouraged -- to modify Fizzy to your liking. Please see our Development guide for how to get Fizzy set up for local development.
Contributing
We welcome contributions! Please read our style guide before submitting code.
License
Fizzy is released under the O'Saasy License.