devise-passkeys 0.1.0

data/lib/devise/passkeys/controllers/concerns/passkey_reauthentication.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Devise
+  module Passkeys
+    module Controllers
+      module Concerns
+        module PasskeyReauthentication
+          extend ActiveSupport::Concern
+
+          def store_reauthentication_token_in_session
+            session[passkey_reauthentication_token_key] = Devise.friendly_token(50)
+          end
+
+          def stored_reauthentication_token
+            session[passkey_reauthentication_token_key]
+          end
+
+          def clear_reauthentication_token!
+            session.delete(passkey_reauthentication_token_key)
+          end
+
+          def consume_reauthentication_token!
+            value = stored_reauthentication_token
+            clear_reauthentication_token!
+            value
+          end
+
+          def valid_reauthentication_token?(given_reauthentication_token:)
+            Devise.secure_compare(consume_reauthentication_token!, given_reauthentication_token)
+          end
+
+          def passkey_reauthentication_token_key
+            "#{resource_name}_current_reauthentication_token"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/devise/passkeys/controllers/concerns/reauthentication_challenge.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Devise
+  module Passkeys
+    module Controllers
+      module Concerns
+        module ReauthenticationChallenge
+          extend ActiveSupport::Concern
+
+          def passkey_reauthentication_challenge_session_key
+            "#{resource_name}_current_reauthentication_challenge"
+          end
+
+          def store_reauthentication_challenge_in_session(options_for_authentication:)
+            session[passkey_reauthentication_challenge_session_key] = options_for_authentication.challenge
+          end
+        end
+      end
+    end
+  end
+end

data/lib/devise/passkeys/controllers/passkeys_controller_concern.rb

@@ -0,0 +1,140 @@
+# frozen_string_literal: true
+
+module Devise
+  module Passkeys
+    module Controllers
+      module PasskeysControllerConcern
+        extend ActiveSupport::Concern
+
+        included do
+          include Devise::Passkeys::Controllers::Concerns::PasskeyReauthentication
+          include Devise::Passkeys::Controllers::Concerns::ReauthenticationChallenge
+          include Warden::WebAuthn::AuthenticationInitiationHelpers
+          include Warden::WebAuthn::RegistrationHelpers
+          include Warden::WebAuthn::StrategyHelpers
+
+          prepend_before_action :authenticate_scope!
+          before_action :ensure_at_least_one_passkey, only: %i[new_destroy_challenge destroy]
+          before_action :find_passkey, only: %i[new_destroy_challenge destroy]
+
+          before_action :verify_passkey_challenge, only: [:create]
+          before_action :verify_reauthentication_token, only: %i[create destroy]
+
+          # Authenticates the current scope and gets the current resource from the session.
+          def authenticate_scope!
+            send(:"authenticate_#{resource_name}!", force: true)
+            self.resource = send(:"current_#{resource_name}")
+          end
+
+          def registration_challenge_key
+            "#{resource_name}_passkey_creation_challenge"
+          end
+
+          def errors
+            warden.errors
+          end
+
+          def raw_credential
+            passkey_params[:credential]
+          end
+        end
+
+        def new_create_challenge
+          options_for_registration = generate_registration_options(
+            relying_party: relying_party,
+            user_details: user_details_for_registration,
+            exclude: exclude_external_ids_for_registration
+          )
+
+          store_challenge_in_session(options_for_registration: options_for_registration)
+
+          render json: options_for_registration
+        end
+
+        def create
+          create_passkey(resource: resource)
+        end
+
+        def new_destroy_challenge
+          allowed_passkeys = (resource.passkeys - [@passkey])
+
+          options_for_authentication = generate_authentication_options(relying_party: relying_party,
+                                                                       options: { allow: allowed_passkeys.pluck(:external_id) })
+
+          store_reauthentication_challenge_in_session(options_for_authentication: options_for_authentication)
+
+          render json: options_for_authentication
+        end
+
+        def destroy
+          @passkey.destroy
+          redirect_to root_path
+        end
+
+        protected
+
+        def create_passkey(resource:)
+          passkey = resource.passkeys.create!(
+            label: passkey_params[:label],
+            public_key: @webauthn_credential.public_key,
+            external_id: Base64.strict_encode64(@webauthn_credential.raw_id),
+            sign_count: @webauthn_credential.sign_count,
+            last_used_at: nil
+          )
+          yield [resource, passkey] if block_given?
+          redirect_to root_path
+        end
+
+        def exclude_external_ids_for_registration
+          resource.passkeys.pluck(:external_id)
+        end
+
+        def user_details_for_registration
+          { id: resource.webauthn_id, name: resource.email }
+        end
+
+        def verify_passkey_challenge
+          if parsed_credential.nil?
+            render json: { message: find_message(:credential_missing_or_could_not_be_parsed) }, status: :bad_request
+            delete_registration_challenge
+            return false
+          end
+          begin
+            @webauthn_credential = verify_registration(relying_party: relying_party)
+          rescue ::WebAuthn::Error => e
+            error_key = Warden::WebAuthn::ErrorKeyFinder.webauthn_error_key(exception: e)
+            render json: { message: find_message(error_key) }, status: :bad_request
+          end
+        end
+
+        def passkey_params
+          params.require(:passkey).permit(:label, :credential)
+        end
+
+        def ensure_at_least_one_passkey
+          return unless current_user.passkeys.count <= 1
+
+          render json: { error: find_message(:must_be_at_least_one_passkey) }, status: :bad_request
+        end
+
+        def find_passkey
+          @passkey = resource.passkeys.where(id: params[:id]).first
+          return unless @passkey.nil?
+
+          head :not_found
+          nil
+        end
+
+        def verify_reauthentication_token
+          return if valid_reauthentication_token?(given_reauthentication_token: reauthentication_params[:reauthentication_token])
+
+          render json: { error: find_message(:not_reauthenticated) }, status: :bad_request
+        end
+
+        def reauthentication_params
+          params.require(:passkey).permit(:reauthentication_token)
+        end
+      end
+    end
+  end
+end

data/lib/devise/passkeys/controllers/reauthentication_controller_concern.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module Devise
+  module Passkeys
+    module Controllers
+      module ReauthenticationControllerConcern
+        extend ActiveSupport::Concern
+
+        included do
+          include Devise::Passkeys::Controllers::Concerns::PasskeyReauthentication
+          include Devise::Passkeys::Controllers::Concerns::ReauthenticationChallenge
+          include Warden::WebAuthn::AuthenticationInitiationHelpers
+          include Warden::WebAuthn::StrategyHelpers
+
+          prepend_before_action :authenticate_scope!
+
+          before_action :prepare_params, only: [:reauthenticate]
+
+          # Prepending is crucial to ensure that the relying party is set in the
+          # request.env before the strategy is executed
+          prepend_before_action :set_relying_party_in_request_env
+
+          # Authenticates the current scope and gets the current resource from the session.
+          def authenticate_scope!
+            send(:"authenticate_#{resource_name}!", force: true)
+            self.resource = send(:"current_#{resource_name}")
+          end
+        end
+
+        def new_challenge
+          options_for_authentication = generate_authentication_options(relying_party: relying_party,
+                                                                       options: { allow: resource.passkeys.pluck(:external_id) })
+
+          store_reauthentication_challenge_in_session(options_for_authentication: options_for_authentication)
+
+          render json: options_for_authentication
+        end
+
+        def reauthenticate
+          sign_out(resource)
+          self.resource = warden.authenticate!(strategy, auth_options)
+          sign_in(resource, event: :passkey_reauthentication)
+          yield resource if block_given?
+
+          store_reauthentication_token_in_session
+
+          render json: { reauthentication_token: stored_reauthentication_token }
+        ensure
+          delete_reauthentication_challenge
+        end
+
+        protected
+
+        def prepare_params
+          request.params[resource_name] = ActionController::Parameters.new({
+                                                                             passkey_credential: params[:passkey_credential]
+                                                                           })
+        end
+
+        def strategy
+          :passkey_reauthentication
+        end
+
+        def auth_options
+          { scope: resource_name, recall: root_path }
+        end
+
+        def delete_reauthentication_challenge
+          session.delete(passkey_reauthentication_challenge_session_key)
+        end
+
+        def set_relying_party_in_request_env
+          raise "need to define relying_party for this SessionsController"
+        end
+      end
+    end
+  end
+end

data/lib/devise/passkeys/controllers/registrations_controller_concern.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+module Devise
+  module Passkeys
+    module Controllers
+      module RegistrationsControllerConcern
+        extend ActiveSupport::Concern
+
+        included do
+          include Devise::Passkeys::Controllers::Concerns::PasskeyReauthentication
+          include Warden::WebAuthn::RegistrationHelpers
+
+          before_action :require_no_authentication, only: [:new_challenge]
+          before_action :require_email_and_passkey_label, only: %i[new_challenge create]
+          before_action :verify_passkey_registration_challenge, only: [:create]
+          before_action :configure_sign_up_params, only: [:create]
+
+          before_action :verify_reauthentication_token, only: %i[update destroy]
+
+          def registration_user_id_key
+            "#{resource_name}_current_webauthn_user_id"
+          end
+
+          def registration_challenge_key
+            "#{resource_name}_current_webauthn_registration_challenge"
+          end
+
+          def raw_credential
+            passkey_params[:passkey_credential]
+          end
+        end
+
+        def new_challenge
+          options_for_registration = generate_registration_options(
+            relying_party: relying_party,
+            user_details: user_details_for_registration,
+            exclude: exclude_external_ids_for_registration
+          )
+
+          store_challenge_in_session(options_for_registration: options_for_registration)
+
+          render json: options_for_registration
+        end
+
+        def create
+          super do |resource|
+            create_resource_and_passkey(resource: resource)
+          end
+        end
+
+        protected
+
+        def create_resource_and_passkey(resource:)
+          return unless resource.persisted?
+
+          passkey = create_passkey(resource: resource)
+
+          yield [resource, passkey] if block_given?
+          delete_registration_user_id!
+        end
+
+        def create_passkey(resource:)
+          resource.passkeys.create!(
+            label: passkey_params[:passkey_label],
+            public_key: @webauthn_credential.public_key,
+            external_id: Base64.strict_encode64(@webauthn_credential.raw_id),
+            sign_count: @webauthn_credential.sign_count,
+            last_used_at: Time.now.utc
+          )
+        end
+
+        def verify_reauthentication_token
+          return if valid_reauthentication_token?(given_reauthentication_token: reauthentication_params[:reauthentication_token])
+
+          render json: { error: find_message(:not_reauthenticated) }, status: :bad_request
+        end
+
+        def reauthentication_params
+          params.require(:user).permit(:reauthentication_token)
+        end
+
+        def update_resource(resource, params)
+          resource.update(params)
+        end
+
+        # Override if you need to exclude certain external IDs
+        def exclude_external_ids_for_registration
+          []
+        end
+
+        def passkey_params
+          params.require(resource_name).permit(:passkey_label, :passkey_credential)
+        end
+
+        def require_email_and_passkey_label
+          if sign_up_params[:email].blank?
+            render json: { message: find_message(:email_missing) }, status: :bad_request
+            return false
+          end
+
+          if passkey_params[:passkey_label].blank?
+            render json: { message: find_message(:passkey_label_missing) }, status: :bad_request
+            return false
+          end
+
+          true
+        end
+
+        def verify_passkey_registration_challenge
+          @webauthn_credential = verify_registration(relying_party: relying_party)
+        rescue ::WebAuthn::Error => e
+          error_key = Warden::WebAuthn::ErrorKeyFinder.webauthn_error_key(exception: e)
+          render json: { message: find_message(error_key) }, status: :bad_request
+        end
+
+        # If you have extra params to permit, append them to the sanitizer.
+        def configure_sign_up_params
+          params[:user][:webauthn_id] = registration_user_id
+          devise_parameter_sanitizer.permit(:sign_up, keys: [:webauthn_id])
+        end
+
+        def user_details_for_registration
+          store_registration_user_id
+          { id: registration_user_id, name: sign_up_params[:email] }
+        end
+
+        def registration_user_id
+          session[registration_user_id_key]
+        end
+
+        def delete_registration_user_id!
+          session.delete(registration_user_id_key)
+        end
+
+        def store_registration_user_id
+          session[registration_user_id_key] = WebAuthn.generate_user_id
+        end
+      end
+    end
+  end
+end

data/lib/devise/passkeys/controllers/sessions_controller_concern.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Devise
+  module Passkeys
+    module Controllers
+      module SessionsControllerConcern
+        extend ActiveSupport::Concern
+
+        included do
+          include Warden::WebAuthn::AuthenticationInitiationHelpers
+          include Warden::WebAuthn::StrategyHelpers
+
+          # Prepending is crucial to ensure that the relying party is set in the
+          # request.env before the strategy is executed
+          prepend_before_action :set_relying_party_in_request_env
+
+          def authentication_challenge_key
+            "#{resource_name}_current_webauthn_authentication_challenge"
+          end
+        end
+
+        def new_challenge
+          options_for_authentication = generate_authentication_options(relying_party: relying_party)
+
+          store_challenge_in_session(options_for_authentication: options_for_authentication)
+
+          render json: options_for_authentication
+        end
+
+        protected
+
+        def set_relying_party_in_request_env
+          raise "need to define relying_party for this SessionsController"
+        end
+      end
+    end
+  end
+end

data/lib/devise/passkeys/controllers.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require_relative "controllers/concerns/passkey_reauthentication"
+require_relative "controllers/concerns/reauthentication_challenge"
+require_relative "controllers/sessions_controller_concern"
+require_relative "controllers/registrations_controller_concern"
+require_relative "controllers/reauthentication_controller_concern"
+require_relative "controllers/passkeys_controller_concern"
+
+module Devise
+  module Passkeys
+    module Controllers
+    end
+  end
+end

data/lib/devise/passkeys/model.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Devise
+  module Models
+    module PasskeyAuthenticatable
+      def after_passkey_authentication; end
+    end
+  end
+end

data/lib/devise/passkeys/passkey_issuer.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Devise
+  module Passkeys
+    class PasskeyIssuer
+      def self.build
+        new
+      end
+
+      def create_and_return_passkey(resource:, label:, webauthn_credential:, extra_attributes: {})
+        # rubocop:disable Lint/UselessAssignment
+        passkey_class = passkey_class(resource)
+        # rubocop:enable Lint/UselessAssignment
+
+        resource.passkeys.create!({
+          label: label,
+          public_key: webauthn_credential.public_key,
+          external_id: Base64.strict_encode64(webauthn_credential.raw_id),
+          sign_count: webauthn_credential.sign_count,
+          last_used_at: nil
+        }.merge(extra_attributes))
+      end
+
+      class CredentialFinder
+        attr_reader :resource_class
+
+        def initialize(resource_class:)
+          @resource_class = resource_class
+        end
+
+        def find_with_credential_id(encoded_credential_id)
+          resource_class.passkeys_class.where(external_id: encoded_credential_id).first
+        end
+      end
+
+      private
+
+      attr_accessor :maximum_passkeys_per_user
+
+      def passkey_class(resource)
+        if resource.respond_to?(:association) # ActiveRecord
+          resource.association(:passkeys).klass
+        elsif resource.respond_to?(:relations) # Mongoid
+          resource.relations["passkeys"].klass
+        else
+          raise "Cannot determine passkey class, unsupported ORM/ODM?"
+        end
+      end
+    end
+  end
+end

data/lib/devise/passkeys/rails.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module Devise::Passkeys
+  class Engine < ::Rails::Engine
+  end
+end

data/lib/devise/passkeys/reauthentication_strategy.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require "devise/strategies/authenticatable"
+require_relative "passkey_issuer"
+
+module Devise
+  module Strategies
+    class PasskeyReauthentication < PasskeyAuthenticatable
+      def authentication_challenge_key
+        "#{mapping.singular}_current_reauthentication_challenge"
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:passkey_reauthentication, Devise::Strategies::PasskeyReauthentication)

data/lib/devise/passkeys/strategy.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "devise/strategies/authenticatable"
+require_relative "passkey_issuer"
+
+module Devise
+  module Strategies
+    class PasskeyAuthenticatable < Authenticatable
+      include Warden::WebAuthn::StrategyHelpers
+
+      def store?
+        super && !mapping.to.skip_session_storage.include?(:passkey_auth)
+      end
+
+      def valid?
+        return true unless parsed_credential.nil?
+
+        # rubocop:disable Lint/UnreachableCode
+        fail(:credential_missing_or_could_not_be_parsed)
+        false
+        # rubocop:enable Lint/UnreachableCode
+      end
+
+      def authenticate!
+        passkey = verify_authentication_and_find_stored_credential
+
+        return if passkey.nil?
+
+        resource = mapping.to.find_for_passkey(passkey)
+
+        return fail(:invalid_passkey) unless resource
+
+        if validate(resource)
+          remember_me(resource)
+          resource.after_passkey_authentication
+          record_passkey_use(passkey: passkey)
+          success!(resource)
+          return
+        end
+
+        # In paranoid mode, fail with a generic invalid error
+        Devise.paranoid ? fail(:invalid_passkey) : fail(:not_found_in_database)
+      end
+
+      def credential_finder
+        Devise::Passkeys::PasskeyIssuer::CredentialFinder.new(resource_class: mapping.to)
+      end
+
+      def raw_credential
+        params.dig(mapping.singular, :passkey_credential)
+      end
+
+      def authentication_challenge_key
+        "#{mapping.singular}_current_webauthn_authentication_challenge"
+      end
+
+      def record_passkey_use(passkey:)
+        passkey.update_attribute(:last_used_at, Time.current)
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:passkey_authenticatable, Devise::Strategies::PasskeyAuthenticatable)

data/lib/devise/passkeys/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Devise
+  module Passkeys
+    VERSION = "0.1.0"
+  end
+end

data/lib/devise/passkeys.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require "devise"
+require "warden/webauthn"
+require_relative "passkeys/rails"
+require_relative "passkeys/model"
+require_relative "passkeys/controllers"
+require_relative "passkeys/passkey_issuer"
+require_relative "passkeys/strategy"
+require_relative "passkeys/reauthentication_strategy"
+require_relative "passkeys/version"
+
+module Devise
+  module Passkeys
+    def self.create_and_return_passkey(resource:, label:, webauthn_credential:, extra_attributes: {})
+      PasskeyIssuer.build.create_and_return_passkey(
+        resource: resource,
+        label: label,
+        webauthn_credential: webauthn_credential,
+        extra_attributes: extra_attributes
+      )
+    end
+  end
+end
+
+Devise.add_module :passkey_authenticatable,
+                  model: "devise/passkeys/model",
+                  strategy: true,
+                  no_input: true

data/sig/devise/passkeys.rbs

@@ -0,0 +1,6 @@
+module Devise
+  module Passkeys
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end