action_auth 0.1.10 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5bea0149d86872b2b1c33c027547c89053a8cd4519459e320049f578e2f27bc3
-  data.tar.gz: ab18c246998b4b22c8c319a64b67ee4b9975d87cbf42c9358cfb219de73ce3d3
+  metadata.gz: 5dfe867ff71fdec35c9997e465f8cb471a8ea57733373cec378c6117cf643a6b
+  data.tar.gz: 16182c5888a401678b3d2637c3b0396e8730d06d4bef1da260c34b524a3fd296
 SHA512:
-  metadata.gz: da7f5ba2158c2129dd24f318b60dc17ccd6a489607e9f0d54af5c874f62d9dbe267e6f13e8c24f8a8d07254a84f09df6adb3a8cf5ae38b438fc16b405d4e70e5
-  data.tar.gz: 2ca16c8b8b5a9866f0c5b99bbe29021a1ff0fb0108f933647ee6a0054741201eb0f8bfd4f52342785ad2b49a0a8a027cbc81a91402f626c08ee7e37c6239c060
+  metadata.gz: e2fefbcc78596506ec864843444c196aa4e580b874f73fe53676409dba0d065a57527ae92cdc7a9fc061a3da498b15af24c8618389264dcac3ba32b39461e685
+  data.tar.gz: 78dd9cd3b739ed973c506b94f83d6cbbfa8c228d025376b571a4f4c156a4be80b085fd9fe44ba6823cd687c926b4936869410fc1e7db0adc02ac8dd396668819

data/README.md

@@ -15,7 +15,7 @@ bundle add action_auth
 bin/rails action_auth:install:migrations
 ```
 
-Modify config/routes.rb to include the following:
+Modify config/routes.rb to include the following (note that the path can be anything you want):
 
 ```ruby
 mount ActionAuth::Engine => 'action_auth'
@@ -25,7 +25,7 @@ In your view layout
 
 ```ruby
 <% if user_signed_in? %>
-  <li><%= link_to "Sessions", user_sessions_path %></li>
+  <li><%= link_to "Security", user_sessions_path %></li>
   <li><%= button_to "Sign Out", user_session_path(current_session), method: :delete %></li>
 <% else %>
   <li><%= link_to "Sign In", new_user_session_path %></li>
@@ -33,6 +33,8 @@ In your view layout
 <% end %>
 ```
 
+See [WebAuthn](#webauthn) for additional configuration.
+
 ## Features
 
 These are the planned features for ActionAuth. The ones that are checked off are currently implemented. The ones that are not checked off are planned for future releases.
@@ -45,9 +47,11 @@ These are the planned features for ActionAuth. The ones that are checked off are
 
 ✅ - Cookie-based sessions
 
-⏳ - Multifactor Authentication
+✅ - Device Session Management
+
+✅ - Multifactor Authentication (through Passkeys)
 
-⏳ - Passkeys/Hardware Security Keys
+✅ - Passkeys/Hardware Security Keys
 
 ⏳ - Magic Links
 
@@ -127,6 +131,41 @@ versus a user that is not logged in.
     end
     root to: 'welcome#index'
 
+## WebAuthn
+
+ActionAuth's approach for WebAuthn is simplicity. It is used as a multifactor authentication step,
+so users will still need to register their email address and password. Once the user is registered,
+they can add a Passkey to their account. The Passkey could be an iCloud Keychain, a hardware security
+key like a Yubikey, or a mobile device. If enabled and configured, the user will be prompted to use
+their Passkey after they log in.
+
+### Configuration
+
+The migrations are already copied over to your application when you run
+`bin/rails action_auth:install:migrations`. There are only two steps that you have to take to enable
+WebAuthn for your application.
+
+The reason why you need to add the gem is because it's not added to the gemspec of ActionAuth. This is
+intentional as not all users will want to add this functionality. This will help minimize
+the number of gems that your application relies on unless if they are features that you want to use.
+
+#### Add the gem
+
+```
+bundle add webauthn
+```
+
+### Configure the WebAuthn settings
+
+**Note:** that the origin name does not have a trailing / or a port number.
+
+```
+ActionAuth.configure do |config|
+  config.webauthn_enabled = true
+  config.webauthn_origin = "http://localhost:3000" # or "https://example.com"
+  config.webauthn_rp_name = Rails.application.class.to_s.deconstantize
+end
+```
 
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
@@ -134,5 +173,6 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Credits
 
-Heavily inspired by [Drifting Ruby #300](https://www.driftingruby.com/episodes/authentication-from-scratch)
-and [Authentication Zero](https://github.com/lazaronixon/authentication-zero).
+❤️ Heavily inspired by [Drifting Ruby #300](https://www.driftingruby.com/episodes/authentication-from-scratch)
+and [Authentication Zero](https://github.com/lazaronixon/authentication-zero) and WebAuthn work from
+[cedarcode](https://www.cedarcode.com/).

data/app/assets/config/action_auth_manifest.js

@@ -1 +1,2 @@
 //= link_directory ../stylesheets/action_auth .css
+//= link_directory ../javascripts/action_auth .js

data/app/assets/javascripts/action_auth/application.js

@@ -0,0 +1,98 @@
+import { Application, Controller } from "https://unpkg.com/@hotwired/stimulus/dist/stimulus.js";
+window.Stimulus = Application.start();
+
+import * as WebAuthnJSON from 'https://unpkg.com/@github/webauthn-json@2.1.1/dist/esm/webauthn-json.js';
+const Credential = {
+  getCRFSToken: function () {
+    const CSRFSelector = document.querySelector('meta[name="csrf-token"]');
+    if (CSRFSelector) {
+      return CSRFSelector.getAttribute("content");
+    } else {
+      return null;
+    }
+  },
+
+  callback: function (url, body) {
+    const token = this.getCRFSToken();
+    fetch(url, {
+      method: "POST",
+      body: JSON.stringify(body),
+      headers: {
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+        "X-CSRF-Token": token
+      },
+      credentials: 'same-origin'
+    }).then(function (response) {
+      if (response.ok) {
+        window.location.replace("/");
+      } else if (response.status < 500) {
+        response.text();
+      }
+    });
+  },
+
+  create: function (callbackUrl, credentialOptions) {
+    const self = this;
+    WebAuthnJSON.create({ "publicKey": credentialOptions }).then(function (credential) {
+      self.callback(callbackUrl, credential);
+    });
+  },
+
+  get: function (credentialOptions) {
+    const self = this;
+    const webauthnUrl = document.querySelector('meta[name="webauthn_auth_url"]').getAttribute("content");
+    WebAuthnJSON.get({ "publicKey": credentialOptions }).then(function (credential) {
+      self.callback(webauthnUrl, credential);
+    });
+  }
+};
+
+
+Stimulus.register(
+  "add-credential",
+  class extends Controller {
+    create(event) {
+      const webauthnUrl = document.querySelector('meta[name="webauthn_cred_url"]').getAttribute("content");
+      const credentialOptions = event.detail;
+      const credential_nickname = event.target.querySelector("input[name='webauthn_credential[nickname]']").value;
+      const callback_url = `${webauthnUrl}/?credential_nickname=${credential_nickname}`
+      Credential.create(encodeURI(callback_url), credentialOptions);
+    }
+  }
+);
+
+Stimulus.register(
+  "credential-authenticator",
+  class extends Controller {
+    static values = { options: Object }
+    connect() {
+      console.log(this.optionsValue);
+      if (this.hasOptionsValue) {
+        Credential.get(this.optionsValue);
+      }
+    }
+  }
+);
+
+document.addEventListener('DOMContentLoaded', function () {
+  const form = document.getElementById('webauthn_credential_form');
+  if (form) {
+    form.addEventListener('submit', function (event) {
+      event.preventDefault();
+      const formData = new FormData(form);
+      fetch(form.action, {
+        method: 'POST',
+        body: formData,
+        headers: {
+          'X-CSRF-Token': document.querySelector('[name="csrf-token"]').content
+        },
+        credentials: 'same-origin'
+      }).then(response => {
+        return response.json();
+      }).then(data => {
+        form.dispatchEvent(new CustomEvent('ajax:success', { detail: data }));
+      });
+    });
+  }
+});

data/app/controllers/action_auth/sessions_controller.rb

@@ -1,7 +1,9 @@
 module ActionAuth
   class SessionsController < ApplicationController
     before_action :set_current_request_details
+    before_action :authenticate_user!, only: [:index, :destroy]
     layout "action_auth/application-full-width", only: :index
+
     def index
       @sessions = Current.user.action_auth_sessions.order(created_at: :desc)
     end
@@ -11,9 +13,14 @@ module ActionAuth
 
     def create
       if user = User.authenticate_by(email: params[:email], password: params[:password])
-        @session = user.action_auth_sessions.create
-        cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
-        redirect_to main_app.root_path, notice: "Signed in successfully"
+        if user.second_factor_enabled?
+          session[:webauthn_user_id] = user.id
+          redirect_to new_webauthn_credential_authentications_path
+        else
+          @session = user.action_auth_sessions.create
+          cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
+          redirect_to main_app.root_path, notice: "Signed in successfully"
+        end
       else
         redirect_to sign_in_path(email_hint: params[:email]), alert: "That email or password is incorrect"
       end
@@ -22,7 +29,7 @@ module ActionAuth
     def destroy
       session = Current.user.action_auth_sessions.find(params[:id])
       session.destroy
-      redirect_to(main_app.root_path, notice: "That session has been logged out")
+      redirect_to main_app.root_path, notice: "That session has been logged out"
     end
   end
 end

data/app/controllers/action_auth/webauthn_credential_authentications_controller.rb

@@ -0,0 +1,50 @@
+class ActionAuth::WebauthnCredentialAuthenticationsController < ApplicationController
+  before_action :ensure_user_not_authenticated
+  before_action :ensure_login_initiated
+  layout "action_auth/application-full-width"
+
+  def new
+    get_options = WebAuthn::Credential.options_for_get(allow: user.action_auth_webauthn_credentials.pluck(:external_id))
+    session[:current_challenge] = get_options.challenge
+    @options = get_options
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_get(params)
+
+    credential = user.action_auth_webauthn_credentials.find_by(external_id: webauthn_credential.id)
+
+    begin
+      webauthn_credential.verify(
+        session[:current_challenge],
+        public_key: credential.public_key,
+        sign_count: credential.sign_count
+      )
+
+      credential.update!(sign_count: webauthn_credential.sign_count)
+      session.delete(:webauthn_user_id)
+      session = user.action_auth_sessions.create
+      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+      render json: { status: "ok" }, status: :ok
+    rescue WebAuthn::Error => e
+      Rails.logger.error "❌ Verification failed: #{e.message}"
+      render json: "Verification failed: #{e.message}", status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def user
+    @user ||= ActionAuth::User.find_by(id: session[:webauthn_user_id])
+  end
+
+  def ensure_login_initiated
+    return unless session[:webauthn_user_id].blank?
+    redirect_to sign_in_path
+  end
+
+  def ensure_user_not_authenticated
+    return unless current_user
+    redirect_to main_app.root_path
+  end
+end

data/app/controllers/action_auth/webauthn_credentials_controller.rb

@@ -0,0 +1,57 @@
+class ActionAuth::WebauthnCredentialsController < ApplicationController
+  before_action :authenticate_user!
+  layout "action_auth/application-full-width"
+
+  def new
+  end
+
+  def options
+    if current_user.webauthn_id.blank?
+      current_user.update!(webauthn_id: WebAuthn.generate_user_id)
+    end
+
+    create_options = WebAuthn::Credential.options_for_create(
+      user: {
+        id: current_user.webauthn_id,
+        name: current_user.email
+      },
+      exclude: current_user.action_auth_webauthn_credentials.pluck(:external_id)
+    )
+
+    session[:current_challenge] = create_options.challenge
+
+    respond_to do |format|
+      format.json { render json: create_options }
+    end
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_create(params)
+
+    begin
+      webauthn_credential.verify(session[:current_challenge])
+
+      credential = current_user.action_auth_webauthn_credentials.build(
+        external_id: webauthn_credential.id,
+        nickname: params[:credential_nickname],
+        public_key: webauthn_credential.public_key,
+        sign_count: webauthn_credential.sign_count
+      )
+
+      if credential.save
+        render json: { status: "ok" }, status: :ok
+      else
+        render json: "Couldn't add your Security Key", status: :unprocessable_entity
+      end
+    rescue WebAuthn::Error => e
+      Rails.logger.error "❌ Verification failed: #{e.message}"
+      render json: "Verification failed: #{e.message}", status: :unprocessable_entity
+    end
+  end
+
+  def destroy
+    current_user.action_auth_webauthn_credentials.destroy(params[:id])
+
+    redirect_to sessions_path
+  end
+end

data/app/models/action_auth/user.rb

@@ -2,6 +2,14 @@ module ActionAuth
   class User < ApplicationRecord
     has_secure_password
 
+    has_many :action_auth_sessions, dependent: :destroy,
+      class_name: "ActionAuth::Session", foreign_key: "action_auth_user_id"
+
+    if ActionAuth.configuration.webauthn_enabled?
+      has_many :action_auth_webauthn_credentials, dependent: :destroy,
+        class_name: "ActionAuth::WebauthnCredential", foreign_key: "action_auth_user_id"
+    end
+
     generates_token_for :email_verification, expires_in: 2.days do
       email
     end
@@ -10,8 +18,6 @@ module ActionAuth
       password_salt.last(10)
     end
 
-    has_many :action_auth_sessions, dependent: :destroy, class_name: "ActionAuth::Session", foreign_key: "action_auth_user_id"
-
     validates :email, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
     validates :password, allow_nil: true, length: { minimum: 12 }
 
@@ -24,5 +30,10 @@ module ActionAuth
     after_update if: :password_digest_previously_changed? do
       action_auth_sessions.where.not(id: Current.session).delete_all
     end
+
+    def second_factor_enabled?
+      return false unless ActionAuth.configuration.webauthn_enabled?
+      action_auth_webauthn_credentials.any?
+    end
   end
 end

data/app/models/action_auth/webauthn_credential.rb

@@ -0,0 +1,12 @@
+module ActionAuth
+  class WebauthnCredential < ApplicationRecord
+    validates :external_id, :public_key, :nickname, :sign_count, presence: true
+    validates :external_id, uniqueness: true
+    validates :sign_count,
+              numericality: {
+                only_integer: true,
+                greater_than_or_equal_to: 0,
+                less_than_or_equal_to: 2**32 - 1
+              }
+  end
+end

data/app/views/action_auth/sessions/index.html.erb

@@ -5,6 +5,7 @@
 </h1>
 <small><%= link_to "back to app", main_app.root_path %></small>
 
+<h2>Sessions</h2>
 <div id="sessions">
   <table class="action-auth--table">
     <thead>
@@ -28,3 +29,38 @@
   </table>
 </div>
 
+<% if ActionAuth.configuration.webauthn_enabled? %>
+  <% if current_user.second_factor_enabled? %>
+    <h3>Your Security Keys:</h3>
+    <table class="action-auth--table">
+      <thead>
+        <tr>
+          <th>Key</th>
+          <th nowrap>Registered On</th>
+          <th nowrap></th>
+        </tr>
+      </thead>
+      <tbody>
+        <% current_user.action_auth_webauthn_credentials.each do |credential| %>
+          <%= content_tag :tr, id: dom_id(credential) do %>
+            <td><%= credential.nickname %></td>
+            <td nowrap><%= credential.created_at.strftime('%B %d, %Y') %></td>
+            <td nowrap><%= button_to "Delete", credential, method: :delete, class: "btn btn-primary" %></td>
+          <% end %>
+        <% end %>
+      </tbody>
+    </table>
+
+    <div>
+      <%= button_to("Register new Security Key",
+                    new_webauthn_credential_path,
+                    method: :get,
+                    class: "btn btn-primary") %>
+    </div>
+  <% else %>
+    <h2>Enable Two-Factor Authentication</h2>
+    <div class="">
+      <%= link_to "Add a passkey", new_webauthn_credential_path, class: "btn btn-primary" %>
+    </div>
+  <% end %>
+<% end %>

data/app/views/action_auth/webauthn_credential_authentications/new.html.erb

@@ -0,0 +1,12 @@
+<h2 class="">Use one of your security keys to sign in</h2>
+
+<%= content_tag :div,
+  id: "webauthn_credential_form",
+  data: { controller: "credential-authenticator",
+  "credential-authenticator-options-value": @options } do %>
+
+  <div class="mb-3">
+    If it's an USB key be sure to insert it and, if necessary, tap it.
+  </div>
+<% end %>
+

data/app/views/action_auth/webauthn_credentials/new.html.erb

@@ -0,0 +1,21 @@
+<h2 class="">Add a security key:</h2>
+<%= form_with scope: :webauthn_credential,
+              url: options_for_webauthn_credentials_path,
+              id: "webauthn_credential_form",
+              data: {
+                controller: "add-credential",
+                action: "ajax:success->add-credential#create",
+              } do |form| %>
+
+  <div class="mb-3">
+    <%= form.text_field :nickname, autofocus: true, placeholder: "New Security Key nickname", required: true %>
+  </div>
+
+  <div class="mb-3">
+    <%= form.submit "Add Security Key", class: "btn btn-primary" %>
+  </div>
+
+  <div class="">
+    <span class="">If it's an USB key be sure to insert it and, if necessary, tap it.</span>
+  </div>
+<% end %>

data/app/views/layouts/action_auth/application-full-width.html.erb

@@ -5,6 +5,11 @@
   <%= csrf_meta_tags %>
   <%= csp_meta_tag %>
   <%= stylesheet_link_tag "action_auth/application", media: "all" %>
+  <%= javascript_include_tag "action_auth/application", "data-turbo-track": "reload", type: "module" %>
+  <% if ActionAuth.configuration.webauthn_enabled? %>
+    <%= tag :meta, name: :webauthn_auth_url, content: action_auth.webauthn_credential_authentications_url %>
+    <%= tag :meta, name: :webauthn_cred_url, content: action_auth.webauthn_credentials_url %>
+  <% end %>
 </head>
 <body class="bg-light">
   <div class="container-fluid bg-white border pb-3">

data/app/views/layouts/action_auth/application.html.erb

@@ -5,6 +5,7 @@
   <%= csrf_meta_tags %>
   <%= csp_meta_tag %>
   <%= stylesheet_link_tag "action_auth/application", media: "all" %>
+  <%= javascript_include_tag "action_auth/application", "data-turbo-track": "reload", type: "module" %>
 </head>
 <body class="bg-light">
   <div class="container bg-white border pb-3">

data/config/routes.rb

@@ -10,4 +10,12 @@ ActionAuth::Engine.routes.draw do
     resource :email_verification, only: [:show, :create]
     resource :password_reset,     only: [:new, :edit, :create, :update]
   end
+
+  if ActionAuth.configuration.webauthn_enabled?
+    resources :webauthn_credentials, only: [:new, :create, :destroy] do
+      post :options, on: :collection, as: 'options_for'
+    end
+
+    resource :webauthn_credential_authentications, only: [:new, :create]
+  end
 end

data/db/migrate/20240111125859_add_webauthn_credentials.rb

@@ -0,0 +1,16 @@
+class AddWebauthnCredentials < ActiveRecord::Migration[7.1]
+  def change
+    create_table :action_auth_webauthn_credentials do |t|
+      t.string :external_id, null: false
+      t.string :public_key, null: false
+      t.string :nickname, null: false
+      t.bigint :sign_count, null: false, default: 0
+
+      t.index :external_id, unique: true
+
+      t.references :action_auth_user, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20240111142545_add_webauthn_id_to_users.rb

@@ -0,0 +1,5 @@
+class AddWebauthnIdToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :action_auth_users, :webauthn_id, :string
+  end
+end

data/lib/action_auth/configuration.rb

@@ -0,0 +1,19 @@
+module ActionAuth
+  class Configuration
+
+    attr_accessor :webauthn_enabled
+    attr_accessor :webauthn_origin
+    attr_accessor :webauthn_rp_name
+
+    def initialize
+      @webauthn_enabled = defined?(WebAuthn)
+      @webauthn_origin = "http://localhost:3000"
+      @webauthn_rp_name = Rails.application.class.to_s.deconstantize
+    end
+
+    def webauthn_enabled?
+      @webauthn_enabled.respond_to?(:call) ? @webauthn_enabled.call : @webauthn_enabled
+    end
+
+  end
+end

data/lib/action_auth/controllers/helpers.rb

@@ -14,6 +14,12 @@ module ActionAuth
 
         def user_signed_in?; Current.user.present?; end
         helper_method :user_signed_in?
+
+        def authenticate_user!
+          return if user_signed_in?
+          redirect_to new_user_session_path
+        end
+        helper_method :authenticate_user!
       end
 
       private

data/lib/action_auth/version.rb

@@ -1,3 +1,3 @@
 module ActionAuth
-  VERSION = "0.1.10"
+  VERSION = "0.2.1"
 end

data/lib/action_auth.rb

@@ -1,7 +1,23 @@
 require "action_auth/version"
 require "action_auth/engine"
+require "action_auth/configuration"
 
 module ActionAuth
-  module Controllers
+  class << self
+    attr_accessor :configuration
+
+    def configure
+      self.configuration ||= Configuration.new
+      yield(configuration)
+      configure_webauthn
+    end
+
+    def configure_webauthn
+      return unless configuration.webauthn_enabled?
+      WebAuthn.configure do |config|
+        config.origin = configuration.webauthn_origin
+        config.rp_name = configuration.webauthn_rp_name
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: action_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.10
+  version: 0.2.1
 platform: ruby
 authors:
 - Dave Kimura
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-11 00:00:00.000000000 Z
+date: 2024-01-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -50,6 +50,7 @@ files:
 - README.md
 - Rakefile
 - app/assets/config/action_auth_manifest.js
+- app/assets/javascripts/action_auth/application.js
 - app/assets/stylesheets/action_auth/application.css
 - app/controllers/action_auth/application_controller.rb
 - app/controllers/action_auth/identity/email_verifications_controller.rb
@@ -58,6 +59,8 @@ files:
 - app/controllers/action_auth/passwords_controller.rb
 - app/controllers/action_auth/registrations_controller.rb
 - app/controllers/action_auth/sessions_controller.rb
+- app/controllers/action_auth/webauthn_credential_authentications_controller.rb
+- app/controllers/action_auth/webauthn_credentials_controller.rb
 - app/helpers/action_auth/application_helper.rb
 - app/jobs/action_auth/application_job.rb
 - app/mailers/action_auth/application_mailer.rb
@@ -66,6 +69,7 @@ files:
 - app/models/action_auth/current.rb
 - app/models/action_auth/session.rb
 - app/models/action_auth/user.rb
+- app/models/action_auth/webauthn_credential.rb
 - app/views/action_auth/identity/emails/edit.html.erb
 - app/views/action_auth/identity/password_resets/edit.html.erb
 - app/views/action_auth/identity/password_resets/new.html.erb
@@ -77,6 +81,8 @@ files:
 - app/views/action_auth/user_mailer/email_verification.text.erb
 - app/views/action_auth/user_mailer/password_reset.html.erb
 - app/views/action_auth/user_mailer/password_reset.text.erb
+- app/views/action_auth/webauthn_credential_authentications/new.html.erb
+- app/views/action_auth/webauthn_credentials/new.html.erb
 - app/views/layouts/action_auth/application-full-width.html.erb
 - app/views/layouts/action_auth/application.html.erb
 - app/views/layouts/action_auth/mailer.html.erb
@@ -84,7 +90,10 @@ files:
 - config/routes.rb
 - db/migrate/20231107165548_create_action_auth_users.rb
 - db/migrate/20231107170349_create_action_auth_sessions.rb
+- db/migrate/20240111125859_add_webauthn_credentials.rb
+- db/migrate/20240111142545_add_webauthn_id_to_users.rb
 - lib/action_auth.rb
+- lib/action_auth/configuration.rb
 - lib/action_auth/controllers/helpers.rb
 - lib/action_auth/engine.rb
 - lib/action_auth/routing/helpers.rb