devise-passkeys 0.1.0 → 0.2.0

data/lib/devise/passkeys/controllers/passkeys_controller_concern.rb

@@ -7,16 +7,16 @@ module Devise
         extend ActiveSupport::Concern
 
         included do
-          include Devise::Passkeys::Controllers::Concerns::PasskeyReauthentication
+          include Devise::Passkeys::Controllers::Concerns::Reauthentication
           include Devise::Passkeys::Controllers::Concerns::ReauthenticationChallenge
           include Warden::WebAuthn::AuthenticationInitiationHelpers
           include Warden::WebAuthn::RegistrationHelpers
-          include Warden::WebAuthn::StrategyHelpers
 
           prepend_before_action :authenticate_scope!
           before_action :ensure_at_least_one_passkey, only: %i[new_destroy_challenge destroy]
           before_action :find_passkey, only: %i[new_destroy_challenge destroy]
 
+          before_action :verify_credential_integrity, only: [:create]
           before_action :verify_passkey_challenge, only: [:create]
           before_action :verify_reauthentication_token, only: %i[create destroy]
 
@@ -93,18 +93,17 @@ module Devise
           { id: resource.webauthn_id, name: resource.email }
         end
 
+        def verify_credential_integrity
+          return render_credential_missing_or_could_not_be_parsed_error if parsed_credential.nil?
+        rescue JSON::JSONError, TypeError
+          return render_credential_missing_or_could_not_be_parsed_error
+        end
+
         def verify_passkey_challenge
-          if parsed_credential.nil?
-            render json: { message: find_message(:credential_missing_or_could_not_be_parsed) }, status: :bad_request
-            delete_registration_challenge
-            return false
-          end
-          begin
-            @webauthn_credential = verify_registration(relying_party: relying_party)
-          rescue ::WebAuthn::Error => e
-            error_key = Warden::WebAuthn::ErrorKeyFinder.webauthn_error_key(exception: e)
-            render json: { message: find_message(error_key) }, status: :bad_request
-          end
+          @webauthn_credential = verify_registration(relying_party: relying_party)
+        rescue ::WebAuthn::Error => e
+          error_key = Warden::WebAuthn::ErrorKeyFinder.webauthn_error_key(exception: e)
+          render json: { message: find_message(error_key) }, status: :bad_request
         end
 
         def passkey_params
@@ -134,6 +133,12 @@ module Devise
         def reauthentication_params
           params.require(:passkey).permit(:reauthentication_token)
         end
+
+        def render_credential_missing_or_could_not_be_parsed_error
+          render json: { message: find_message(:credential_missing_or_could_not_be_parsed) }, status: :bad_request
+          delete_registration_challenge
+          return false
+        end
       end
     end
   end

data/lib/devise/passkeys/controllers/reauthentication_controller_concern.rb

@@ -3,14 +3,44 @@
 module Devise
   module Passkeys
     module Controllers
+      # This concern is responsible for handling reauthentication.
+      # It should be included in any controller that handles reauthentication, and defines:
+      #
+      # - Useful methods to assist with the reauthentication process
+      # - Concerns that are required to complete the reauthentication process
+      # - Helper modules from `Warden::WebAuthn` that are required to complete the reauthentication process
+      #
+      # **Note**: the implementing controller **must** define a `relying_party` method in order for
+      # reauthentications to work.
+      #
+      # @example
+      #  class ReauthenticationController < ApplicationController
+      #    include Devise::Passkeys::Controllers::ReauthenticationControllerConcern
+      #
+      #    def relying_party
+      #       WebAuthn::RelyingParty.new
+      #    end
+      #  end
+      #
+      # The `authenticate_scope!` is called as a `before_action` to verify the authentication and set the
+      # `resource` for the controller.
+      #
+      # Likewise, `Warden::WebAuthn::RackHelpers#set_relying_party_in_request_env` is a `before_action` to ensure that the relying party is set in the
+      # `request.env` before the Warden strategy is executed
+      #
+      # @see relying_party
+      # @see Devise::Passkeys::Controllers::Concerns::ReauthenticationChallenge
+      # @see Devise::Passkeys::Controllers::Concerns::Reauthentication
+      # @see Warden::WebAuthn::StrategyHelpers
+      # @see Warden::WebAuthn::RackHelpers
       module ReauthenticationControllerConcern
         extend ActiveSupport::Concern
 
         included do
-          include Devise::Passkeys::Controllers::Concerns::PasskeyReauthentication
+          include Devise::Passkeys::Controllers::Concerns::Reauthentication
           include Devise::Passkeys::Controllers::Concerns::ReauthenticationChallenge
           include Warden::WebAuthn::AuthenticationInitiationHelpers
-          include Warden::WebAuthn::StrategyHelpers
+          include Warden::WebAuthn::RackHelpers
 
           prepend_before_action :authenticate_scope!
 
@@ -27,6 +57,14 @@ module Devise
           end
         end
 
+        # A controller action that stores the reauthentication challenge in session
+        # and renders the options for authentication from `webauthn-ruby`.
+        #
+        # The response is rendered as JSON, with a status of `200 OK`.
+        #
+        # @see Devise::Passkeys::Controllers::Concerns::ReauthenticationChallenge#store_reauthentication_challenge_in_session
+        # @see Warden::WebAuthn::AuthenticationInitiationHelpers#generate_authentication_options
+        # @see Warden::WebAuthn::RackHelpers#set_relying_party_in_request_env
         def new_challenge
           options_for_authentication = generate_authentication_options(relying_party: relying_party,
                                                                        options: { allow: resource.passkeys.pluck(:external_id) })
@@ -36,6 +74,24 @@ module Devise
           render json: options_for_authentication
         end
 
+        # A controller action that:
+        #
+        # 1. Uses the `warden` strategy to authenticate the current user with the defined strategy
+        # 2. Calls `sign_in` with `event: :passkey_reauthentication` to verify that the user can authenticate
+        # 3. Stores the reauthentication token in the session
+        # 4. Renders a JSON object with the reauthentication token
+        # 5. Ensures that the reauthentication challenge from the session, regardless of any errors
+        #
+        # @example
+        #  {"reauthentication_token": "abcd1234"}
+        #
+        # `prepare_params` is called as a `before_action` to prepare the passkey credential for use by the
+        # Warden strategy.
+        #
+        # Optionally accepts a block that will be executed after the user has been reauthenticated.
+        # @see strategy
+        # @see Devise::Passkeys::Controllers::Concerns::Reauthentication#store_reauthentication_token_in_session
+        # @see prepare_params
         def reauthenticate
           sign_out(resource)
           self.resource = warden.authenticate!(strategy, auth_options)
@@ -51,12 +107,18 @@ module Devise
 
         protected
 
+        # @!visibility public
+        # Prepares the request parameters for use by the Warden strategy
         def prepare_params
           request.params[resource_name] = ActionController::Parameters.new({
                                                                              passkey_credential: params[:passkey_credential]
                                                                            })
         end
 
+        # @!visibility public
+        # A method that can be overridden to customize the Warden stratey used.
+        # @return [Symbol] The key that identifies which `Warden` strategy will be used to handle the
+        #                  authentication flow for the reauthentication. Defaults to `:passkey_reauthentication`
         def strategy
           :passkey_reauthentication
         end
@@ -69,8 +131,12 @@ module Devise
           session.delete(passkey_reauthentication_challenge_session_key)
         end
 
-        def set_relying_party_in_request_env
-          raise "need to define relying_party for this SessionsController"
+        # @!visibility public
+        # @abstract
+        # The method that returns the `WebAuthn::RelyingParty` for this request.
+        # @return [WebAuthn::RelyingParty] when overridden, this method should return a `WebAuthn::RelyingParty` instance
+        def relying_party
+          raise NoMethodError, "need to define relying_party for this #{self.class.name}"
         end
       end
     end

data/lib/devise/passkeys/controllers/registrations_controller_concern.rb

@@ -3,11 +3,43 @@
 module Devise
   module Passkeys
     module Controllers
+      # This concern should be included in any controller that handles
+      # user (`resource`) registration management (ie: signup/deleting an account),
+      # and defines:
+      #
+      # - Useful methods and before filters to streamline user (`resource`) registration management using session variables
+      # - Controller actions for:
+      #     - Issuing a new WebAuthn challenge
+      #     - A `create` action that creates a passkey if the user (`resource`) has been persisted
+      # - Helper modules from `Warden::WebAuthn` that are required to complete the registration process
+      #
+      # The `registration_user_id_key` and `registration_challenge_key` are defined
+      # using the `resource_name`, to keep the generated IDs unique between resources
+      # during the registration process.
+      #
+      # A `raw_credential` method is provided to streamline access to
+      # `passkey_params[:passkey_credential]`.
+      #
+      # **Note**: the implementing controller **must** define a `relying_party` method in order for
+      # registrations to work.
+      #
+      # @example
+      #   class RegistrationsController < ApplicationController
+      #     include Devise::Passkeys::Controllers::RegistrationsControllerConcern
+      #
+      #     def relying_party
+      #       WebAuthn::RelyingParty.new
+      #     end
+      #   end
+      #
+      #
+      # @see Devise::Passkeys::Controllers::Concerns::Reauthentication
+      # @see Warden::WebAuthn::RegistrationHelpers
       module RegistrationsControllerConcern
         extend ActiveSupport::Concern
 
         included do
-          include Devise::Passkeys::Controllers::Concerns::PasskeyReauthentication
+          include Devise::Passkeys::Controllers::Concerns::Reauthentication
           include Warden::WebAuthn::RegistrationHelpers
 
           before_action :require_no_authentication, only: [:new_challenge]
@@ -30,6 +62,20 @@ module Devise
           end
         end
 
+        # This controller action issues a new challenge for the registration handshake.
+        #
+        # The challenge is stored in a session variable, and renders the WebAuthn
+        # registration options as a JSON response.
+        #
+        # The following before filters are called:
+        #
+        # - `require_no_authentication`
+        # - `require_email_and_passkey_label`
+        #
+        # @see DeviseController#require_no_authentication
+        # @see require_email_and_passkey_label
+        # @see Warden::WebAuthn#generate_registration_options
+        # @see https://github.com/cedarcode/webauthn-ruby#initiation-phase
         def new_challenge
           options_for_registration = generate_registration_options(
             relying_party: relying_party,
@@ -42,15 +88,48 @@ module Devise
           render json: options_for_registration
         end
 
+        # This controller action creates a new user (`resource`), using the given
+        # email & passkey. It:
+        #
+        # 1. calls the parent class's `#create` method
+        # 2. calls `#create_passkey_for_resource` to finish creating the passkey
+        #    if the user (`resource`) was actually persisted
+        # 3. Finishes the rest of the parent class's `#create` method
+        #
+        #
+        # The following before actions are called:
+        #
+        # - `require_email_and_passkey_label`
+        # - `verify_passkey_registration_challenge`
+        # - `configure_sign_up_params`
+        #
+        # @see require_email_and_passkey_label
+        # @see verify_passkey_registration_challenge
+        # @see configure_sign_up_params
+        # @see create_passkey_for_resource
         def create
           super do |resource|
-            create_resource_and_passkey(resource: resource)
+            create_passkey_for_resource(resource: resource)
           end
         end
 
         protected
 
-        def create_resource_and_passkey(resource:)
+        # @!visibility public
+        #
+        # Creates a passkey for given user (`resource`).
+        #
+        # The method tests that the user (`resource`) is in the database
+        # before saving the passkey for the given user (`resource`).
+        #
+        #
+        # This method also ensures that the generated WebAuthn User ID is deleted from the session to prevent
+        # data leaks.
+        #
+        #
+        # @yield [resource, passkey] The provided `resource` and the newly created passkey.
+        # @see create_passkey
+        def create_passkey_for_resource(resource:)
           return unless resource.persisted?
 
           passkey = create_passkey(resource: resource)
@@ -59,6 +138,17 @@ module Devise
           delete_registration_user_id!
         end
 
+        # @!visibility public
+        #
+        # Generates a passkey for the given `resource`, using the `resource.passkeys.create!`
+        # method with the following attributes:
+        #
+        # - `label`: The `passkey_params[:passkey_label]`
+        # - `public_key`: The `@webauthn_credential.public_key`
+        # - `external_id`: The credential ID, strictly encoded as a Base 64 string
+        # - `sign_count`: The `@webauthn_credential.sign_count`
+        # - `last_used_at`: The current time, since this is the first time the passkey is being used
+        #
         def create_passkey(resource:)
           resource.passkeys.create!(
             label: passkey_params[:passkey_label],
@@ -69,29 +159,61 @@ module Devise
           )
         end
 
+        # @!visibility public
+        #
+        # Verifies that the given reauthentication token matches the
+        # expected value stored in the session.
+        #
+        # If the reauthentication token is not valid,
+        # a `400 Bad Request` JSON response is rendered.
+        #
+        # @example
+        #  {"error": "Please reauthenticate to continue."}
+        #
+        # @see reauthentication_params
+        # @see Devise::Passkeys::Controllers::Concerns::Reauthentication#valid_reauthentication_token?
         def verify_reauthentication_token
           return if valid_reauthentication_token?(given_reauthentication_token: reauthentication_params[:reauthentication_token])
 
           render json: { error: find_message(:not_reauthenticated) }, status: :bad_request
         end
 
+        # @!visibility public
+        # The subset of parameters used when verifying a reauthentication_token
         def reauthentication_params
-          params.require(:user).permit(:reauthentication_token)
+          params.require(resource_name).permit(:reauthentication_token)
         end
 
+        # @!visibility public
+        # An override of `DeviseController`'s implementation, to circumvent the
+        # `update_with_password` method
+        # @see DeviseController#update_resource
         def update_resource(resource, params)
           resource.update(params)
         end
 
-        # Override if you need to exclude certain external IDs
+        # @!visibility public
+        # Override this method if you need to exclude certain WebAuthn credentials
+        # from a registration request.
+        # @see new_challenge
+        # @see https://github.com/cedarcode/webauthn-ruby#initiation-phase
         def exclude_external_ids_for_registration
           []
         end
 
+        # @!visibility public
+        # The subset of parameters used when verifying the passkey
         def passkey_params
           params.require(resource_name).permit(:passkey_label, :passkey_credential)
         end
 
+        # @!visibility public
+        # Verifies that the `sign_up_params` has an `:email` and `:passkey_label`.
+        #
+        # If either is missing or blank, a `400 Bad Request` JSON response is rendered.
+        #
+        # @example
+        #  {"error": "Please enter your email address."}
         def require_email_and_passkey_label
           if sign_up_params[:email].blank?
             render json: { message: find_message(:email_missing) }, status: :bad_request
@@ -106,6 +228,18 @@ module Devise
           true
         end
 
+        # @!visibility public
+        # Verifies the registration challenge is correct.
+        #
+        # If the challenge failed, a `400 Bad Request` JSON
+        # response is rendered.
+        #
+        # @example
+        #  {"error": "Please try a different passkey."}
+        #
+        # @see Warden::WebAuthn::RegistrationHelpers#verify_registration
+        # @see https://github.com/cedarcode/webauthn-ruby#verification-phase
+        # @see Warden::WebAuthn::ErrorKeyFinder#webauthn_error_key
         def verify_passkey_registration_challenge
           @webauthn_credential = verify_registration(relying_party: relying_party)
         rescue ::WebAuthn::Error => e
@@ -113,12 +247,17 @@ module Devise
           render json: { message: find_message(error_key) }, status: :bad_request
         end
 
-        # If you have extra params to permit, append them to the sanitizer.
+        # @!visibility public
+        # Adds the generated WebAuthn User ID to `devise_parameter_sanitizer`'s permitted keys
         def configure_sign_up_params
-          params[:user][:webauthn_id] = registration_user_id
+          params[resource_name][:webauthn_id] = registration_user_id
           devise_parameter_sanitizer.permit(:sign_up, keys: [:webauthn_id])
         end
 
+        # @!visibility public
+        # Prepares the user details for a WebAuthn registration request
+        # @see new_challenge
+        # @see https://github.com/cedarcode/webauthn-ruby#initiation-phase
         def user_details_for_registration
           store_registration_user_id
           { id: registration_user_id, name: sign_up_params[:email] }

data/lib/devise/passkeys/controllers/sessions_controller_concern.rb

@@ -8,7 +8,7 @@ module Devise
 
         included do
           include Warden::WebAuthn::AuthenticationInitiationHelpers
-          include Warden::WebAuthn::StrategyHelpers
+          include Warden::WebAuthn::RackHelpers
 
           # Prepending is crucial to ensure that the relying party is set in the
           # request.env before the strategy is executed
@@ -29,8 +29,8 @@ module Devise
 
         protected
 
-        def set_relying_party_in_request_env
-          raise "need to define relying_party for this SessionsController"
+        def relying_party
+          raise NoMethodError, "need to define relying_party for this #{self.class.name}"
         end
       end
     end

data/lib/devise/passkeys/controllers.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative "controllers/concerns/passkey_reauthentication"
+require_relative "controllers/concerns/reauthentication"
 require_relative "controllers/concerns/reauthentication_challenge"
 require_relative "controllers/sessions_controller_concern"
 require_relative "controllers/registrations_controller_concern"
@@ -9,6 +9,60 @@ require_relative "controllers/passkeys_controller_concern"
 
 module Devise
   module Passkeys
+    # This module contains all the controller-level logic for:
+    #
+    # - User (resource) registration management (signup/delete account) using passkeys
+    # - User (resource) management of their passkeys
+    # - User (resource) authentication & reauthenticating using their passkeys
+    #
+    # Rather than having base classes, `Devise::Passkeys::Controllers` has a series of concerns
+    # that can be mixed into your app's controllers. This allows you to change behavior,
+    # and does not keep you stuck down a path that could be incompatible with your
+    # existing authentication setup.
+    #
+    # @example
+    #   class Users::RegistrationsController < Devise::RegistrationsController
+    #     include Devise::Passkeys::Controllers::RegistrationsControllerConcern
+    #   end
+    #
+    #
+    #   class Users::SessionsController < Devise::SessionsController
+    #     include Devise::Passkeys::Controllers::SessionsControllerConcern
+    #     # ... any custom code you need
+    #
+    #     def relying_party
+    #        WebAuthn::RelyingParty.new(...)
+    #     end
+    #   end
+    #
+    #   # frozen_string_literal: true
+    #
+    #   class Users::ReauthenticationController < DeviseController
+    #     include Devise::Passkeys::Controllers::ReauthenticationControllerConcern
+    #     # ... any custom code you need
+    #
+    #     def relying_party
+    #        WebAuthn::RelyingParty.new(...)
+    #     end
+    #   end
+    #
+    #   # frozen_string_literal: true
+    #
+    #   class Users::PasskeysController < DeviseController
+    #     include Devise::Passkeys::Controllers::PasskeysControllerConcern
+    #     # ... any custom code you need
+    #
+    #     def relying_party
+    #        WebAuthn::RelyingParty.new(...)
+    #     end
+    #   end
+    #
+    # *Note:* The `Devise::Passkeys::Controllers::Concerns` namespace is for:
+    # > Code, related to the concerns for controllers, that can be extracted into a standalone
+    # > module that can be included & extended as needed for apps that need
+    # > to do something custom with their setup.
+    # >
+    # > https://github.com/ruby-passkeys/devise-passkeys/issues/4#issuecomment-1590357907
     module Controllers
     end
   end

data/lib/devise/passkeys/model.rb

@@ -2,8 +2,16 @@
 
 module Devise
   module Models
+    # This is the actual module that gets included in your
+    # model when you include `:passkey_authenticatable` in the
+    # `devise` call (eg: `devise :passkey_authenticatable, ...`).
     module PasskeyAuthenticatable
-      def after_passkey_authentication; end
+      # This is a callback that is called right after a successful passkey authentication.
+      #
+      # By default, it is a no-op, but you can override it in your model for any custom behavior
+      # (such as notifying the user of a new login).
+      # @param passkey [String] the passkey that was used for authentication
+      def after_passkey_authentication(passkey:); end
     end
   end
 end

data/lib/devise/passkeys/passkey_issuer.rb

@@ -35,8 +35,6 @@ module Devise
 
       private
 
-      attr_accessor :maximum_passkeys_per_user
-
       def passkey_class(resource)
         if resource.respond_to?(:association) # ActiveRecord
           resource.association(:passkeys).klass

data/lib/devise/passkeys/reauthentication_strategy.rb

@@ -9,6 +9,13 @@ module Devise
       def authentication_challenge_key
         "#{mapping.singular}_current_reauthentication_challenge"
       end
+
+      # Reauthentication runs through Authentication (user_set)
+      # as part of its cycle, which would normally reset CSRF
+      # data in the session
+      def clean_up_csrf?
+        false
+      end
     end
   end
 end

data/lib/devise/passkeys/strategy.rb

@@ -32,7 +32,7 @@ module Devise
 
         if validate(resource)
           remember_me(resource)
-          resource.after_passkey_authentication
+          resource.after_passkey_authentication(passkey: passkey)
           record_passkey_use(passkey: passkey)
           success!(resource)
           return

data/lib/devise/passkeys/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module Passkeys
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

data/lib/devise/passkeys.rb

@@ -11,7 +11,29 @@ require_relative "passkeys/reauthentication_strategy"
 require_relative "passkeys/version"
 
 module Devise
+  # This module provides a devise extension to use passkeys instead
+  # of passwords for user authentication.
+  #
+  # It is lightweight and non-configurable. It does what it has to do and
+  # leaves some manual implementation to you.
+  #
+  # Please consult the {file:README.md#label-Usage} for installation & configuration instructions;
+  # and the links below for additional reading about:
+  #
+  # - What passkeys are
+  # - The underlying gems used to build this devise extension
+  # - Platform support & user interface implementation guides
+  #
+  # @see https://webauthn.guide
+  # @see https://passkeys.dev
+  # @see https://fidoalliance.org/passkeys
+  # @see https://github.com/cedarcode/webauthn-ruby
+  # @see https://github.com/ruby-passkeys/warden-webauthn
   module Passkeys
+    # This is a helper method that creates and returns a passkey for
+    # the given user (`resource`), using the provided label & `WebAuthn::Credential`
+    # @see PasskeyIssuer#create_and_return_passkey
+    # @return A saved passkey for the the given user (`resource`)
     def self.create_and_return_passkey(resource:, label:, webauthn_credential:, extra_attributes: {})
       PasskeyIssuer.build.create_and_return_passkey(
         resource: resource,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-passkeys
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Thomas Cannon
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-05-07 00:00:00.000000000 Z
+date: 2023-07-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 4.7.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 4.7.1
 - !ruby/object:Gem::Dependency
   name: warden-webauthn
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.2.1
 description: A Devise extension to use passkeys instead of passwords for authentication,
   using warden-webauthn
 email:
@@ -47,21 +47,24 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".rubocop.yml"
+- ".yardopts"
 - Appraisals
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
+- THANKS.md
 - devise-passkeys.gemspec
 - gemfiles/.bundle/config
 - gemfiles/rails_6.gemfile
 - gemfiles/rails_7.gemfile
 - lib/devise/passkeys.rb
 - lib/devise/passkeys/controllers.rb
-- lib/devise/passkeys/controllers/concerns/passkey_reauthentication.rb
+- lib/devise/passkeys/controllers/concerns/reauthentication.rb
 - lib/devise/passkeys/controllers/concerns/reauthentication_challenge.rb
 - lib/devise/passkeys/controllers/passkeys_controller_concern.rb
 - lib/devise/passkeys/controllers/reauthentication_controller_concern.rb