Files
fizzy/lib/action_pack/passkey/request.rb
T
Stanko K.R. 1983014be6 Rely solely on the challange signature for verification
The cookie approach seems like the more secure aproach because it ties the authentication or registration attempt to the user's browser session, but it doesn't work reliably on Chrome for Windows. Also, a simila problem pops up on Chrome for Linux if the session is used instead of a separate cookie. It looks like the browser doesn't propagate the state change through fast enough which results in some requests contaiining the new/updated cookie, and others don't, which results in sporadic failures. Since we use a signed and expiring challange we still get protection from replay attacks and tampering which enables us to omit the cookie entierly and rely on the challange's signature to prove expiration and authenticity. The only thing we lose is the ability to tie and attemp to a single browser session.

See: https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-challengeURL which proposes to add the same challange fetching logic as part of the standard

See: https://github.com/w3c/webauthn/issues/1856 which discusses issues that arise from having expiring challanges (which the spec recommends)

See: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gjjc-pcwp-c74m which is an explot that can happen if the server isn't able to verify the authenticity of challanges that are sent outside of a cookie
2026-03-25 17:26:49 +01:00

78 lines
2.2 KiB
Ruby

# = Action Pack Passkey Request
#
# Controller concern that sets up the WebAuthn request context and provides
# helper methods for passkey registration and authentication. Include this
# in any controller that handles passkey form submissions.
#
# == Registration example
#
# class PasskeysController < ApplicationController
# include ActionPack::Passkey::Request
#
# def new
# @creation_options = passkey_creation_options(holder: Current.user)
# end
#
# def create
# @passkey = ActionPack::Passkey.register(
# passkey_creation_params, holder: Current.user
# )
# redirect_to settings_path
# end
# end
#
# == Authentication example
#
# class SessionsController < ApplicationController
# include ActionPack::Passkey::Request
#
# def new
# @request_options = passkey_request_options
# end
#
# def create
# if passkey = ActionPack::Passkey.authenticate(passkey_request_params)
# sign_in passkey.holder
# redirect_to root_path
# else
# redirect_to new_session_path, alert: "Authentication failed"
# end
# end
# end
#
# == Before Action
#
# Automatically populates +ActionPack::WebAuthn::Current+ with the request
# host and origin.
#
module ActionPack::Passkey::Request
extend ActiveSupport::Concern
included do
before_action do
ActionPack::WebAuthn::Current.host = request.host
ActionPack::WebAuthn::Current.origin = request.base_url
end
end
# Returns strong parameters for the passkey registration ceremony.
def passkey_creation_params(param: :passkey)
params.expect(param => [ :client_data_json, :attestation_object, transports: [] ])
end
# Returns strong parameters for the passkey authentication ceremony.
def passkey_request_params(param: :passkey)
params.expect(param => [ :id, :client_data_json, :authenticator_data, :signature ])
end
# Returns RequestOptions for the authentication ceremony.
def passkey_request_options(**options)
ActionPack::Passkey.request_options(**options)
end
# Returns CreationOptions for the registration ceremony.
def passkey_creation_options(**options)
ActionPack::Passkey.creation_options(**options)
end
end