devise-webauthn 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 91f62778d1c97e17cb2fcf97d8f6dcb91716eb70f7c304f662de39c4861c2273
-  data.tar.gz: f64c93b4af61569057b475b2ab2f4e4604bf1c7666f3eeda34d51993e96dfbc6
+  metadata.gz: 5b2e30cdcc561dc53baf71ada282183019321b12b1820afc6107b67c000c1297
+  data.tar.gz: f01204525d77a874a131b4a4f13928faa9d6819160792bc12efdb0ad9b9b6d5b
 SHA512:
-  metadata.gz: 1ba0a89c63ac5e1255fd657e9b6710167ff8932c700bd29b81dbfef32ed3f5fb1832a40766be2882f9e3548b49ab67e763de479a6ebe58f898869336d5e8d4ad
-  data.tar.gz: bff709a1283d67c0289ac21f3a1d31cd8e486202dfb973ac0450636129dcfe1cd467bfceacbfa3b84b8c7505b3b1c0e4eaa374c0f897a19c8c8e8d4a962937ae
+  metadata.gz: 3c4c14744bbaeb2ed55957baa3d868dd5eb4ebb48300a13a17cd110c329a373f18f97706da1d08f2cfe48d09d5e7a96d0d409c8af485658a55c357f121dbadde
+  data.tar.gz: 3456027c51e2aab1434a47afe3943e4e75910d38bba9e0dc551662cc0a0f4708d52d108e30229fe390f93f89e8d411d7be669cc9c2ffdb31dea2aa41aa280669

data/.rubocop.yml

@@ -9,6 +9,7 @@ AllCops:
     - "spec/internal/**/*"
     - "vendor/**/*"
     - "gemfiles/**/*"
+    - "lib/devise/strategies/database_authenticatable.rb"
 
 Style/Documentation:
   Enabled: false

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## Unreleased
+
+## [v0.2.0](https://github.com/cedarcode/devise-webauthn/compare/v0.1.2...v0.2.0/) - 2025-12-03
+
+- Add new `webauthn_two_factor_authenticatable` module for enabling 2FA using WebAuthn credentials.
+
+## [v0.1.2](https://github.com/cedarcode/devise-webauthn/compare/v0.1.1...v0.1.2/) - 2025-12-03
+
+### Fixed
+
+- Fixed sign in with passkey for resources with name different from "User"
+
 ## [v0.1.1](https://github.com/cedarcode/devise-webauthn/compare/v0.1.0...v0.1.1/) - 2025-11-13
 
 ### Changed

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise-webauthn (0.1.1)
+    devise-webauthn (0.2.0)
       devise (~> 4.9)
       webauthn (~> 3.0)
 

data/app/controllers/devise/second_factor_webauthn_credentials_controller.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecondFactorWebauthnCredentialsController < DeviseController
+    before_action :authenticate_scope!
+
+    def new
+      @options = WebAuthn::Credential.options_for_create(
+        user: {
+          id: resource.webauthn_id,
+          name: resource.email
+        },
+        exclude: resource.webauthn_credentials.pluck(:external_id),
+        authenticator_selection: {
+          resident_key: "discouraged",
+          user_verification: "discouraged"
+        }
+      )
+
+      # Store challenge in session for later verification
+      session[:webauthn_challenge] = @options.challenge
+    end
+
+    def create
+      security_key_from_params = WebAuthn::Credential.from_create(JSON.parse(params[:public_key_credential]))
+
+      if verify_and_save_security_key(security_key_from_params)
+        set_flash_message! :notice, :security_key_created
+      else
+        set_flash_message! :alert, :webauthn_credential_verification_failed, scope: :"devise.failure"
+      end
+      redirect_to after_update_path
+    rescue WebAuthn::Error
+      set_flash_message! :alert, :webauthn_credential_verification_failed, scope: :"devise.failure"
+      redirect_to after_update_path
+    ensure
+      session.delete(:webauthn_challenge)
+    end
+
+    def destroy
+      resource.second_factor_webauthn_credentials.destroy(params[:id])
+      redirect_to after_update_path
+    end
+
+    private
+
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!", force: true)
+      self.resource = send(:"current_#{resource_name}")
+    end
+
+    def verify_and_save_security_key(security_key_from_params)
+      security_key_from_params.verify(
+        session[:webauthn_challenge]
+      )
+
+      resource.second_factor_webauthn_credentials.create(
+        external_id: security_key_from_params.id,
+        name: params[:name],
+        public_key: security_key_from_params.public_key,
+        sign_count: security_key_from_params.sign_count
+      )
+    end
+
+    # The default url to be used after creating a second factor key. You can overwrite
+    # this method in your own SecondFactorWebauthnCredentialsController.
+    def after_update_path
+      new_second_factor_webauthn_credential_path(resource_name)
+    end
+  end
+end

data/app/controllers/devise/two_factor_authentications_controller.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Devise
+  class TwoFactorAuthenticationsController < DeviseController
+    prepend_before_action :set_resource, only: :new
+    prepend_before_action :ensure_sign_in_initiated
+    prepend_before_action :require_no_authentication
+
+    def new
+      @options = WebAuthn::Credential.options_for_get(
+        allow: @resource.webauthn_credentials.pluck(:external_id),
+        user_verification: "discouraged"
+      )
+      session[:two_factor_authentication_challenge] = @options.challenge
+    end
+
+    def create
+      self.resource = warden.authenticate!(auth_options)
+      set_flash_message! :notice, :signed_in, scope: :"devise.sessions"
+      sign_in(resource_name, resource)
+      yield resource if block_given?
+      respond_with resource, location: after_sign_in_path_for(resource)
+    end
+
+    protected
+
+    def auth_options
+      { scope: resource_name, recall: "#{controller_path}#new", locale: I18n.locale }
+    end
+
+    private
+
+    def ensure_sign_in_initiated
+      return if session[:current_authentication_resource_id].present?
+
+      set_flash_message! :alert, :sign_in_not_initiated, scope: :"devise.failure"
+      redirect_to new_session_path(resource_name)
+    end
+
+    def set_resource
+      @resource = resource_class.find(session[:current_authentication_resource_id])
+    end
+  end
+end

data/app/views/devise/second_factor_webauthn_credentials/new.html.erb

@@ -0,0 +1,15 @@
+<%= form_with(
+  url: second_factor_webauthn_credentials_path(resource),
+  method: :post,
+  data: {
+    action: "webauthn-credentials#create:prevent",
+    controller: "webauthn-credentials",
+    webauthn_credentials_options_param: @options,
+  }
+) do |form| %>
+  <%= form.hidden_field(:public_key_credential,
+                        data: { "webauthn-credentials-target": "credentialHiddenInput" }) %>
+  <%= form.label :name, 'Security Key name' %>
+  <%= form.text_field :name, required: true %>
+  <%= form.submit 'Create Security Key' %>
+<% end %>

data/app/views/devise/two_factor_authentications/new.html.erb

@@ -0,0 +1,12 @@
+<%= form_with(
+  url: two_factor_authentication_path(resource_name),
+  method: :post,
+  data: {
+    action: "webauthn-credentials#get:prevent",
+    controller: "webauthn-credentials",
+    webauthn_credentials_options_param: @options
+  },
+) do |f| %>
+  <%= f.hidden_field(:public_key_credential, data: { "webauthn-credentials-target": "credentialHiddenInput" }) %>
+  <%= f.button('Use security key', type: "submit") %>
+<% end %>

data/config/locales/en.yml

@@ -3,6 +3,12 @@ en:
     passkeys:
       passkey_created: "Passkey created successfully."
       passkey_creation_failed: "Passkey creation failed."
+    second_factor_webauthn_credentials:
+      security_key_created: "Security Key created successfully."
     failure:
       passkey_not_found: "Your passkey doesn't exist or is not valid."
       passkey_verification_failed: "Passkey verification failed."
+      sign_in_not_initiated: "Sign in was not initiated."
+      two_factor_required: "Two-factor authentication is required to sign in."
+      webauthn_credential_not_found: "Your WebAuthn credential doesn't exist or is not valid."
+      webauthn_credential_verification_failed: "Webauthn credential verification failed."

data/devise-webauthn.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.homepage      = "https://github.com/cedarcode/devise-webauthn"
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
-  spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/main/CHANGELOG.md"
+  spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/master/CHANGELOG.md"
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.

data/lib/devise/models/passkey_authenticatable.rb

@@ -1,21 +1,17 @@
 # frozen_string_literal: true
 
 require "active_support/concern"
+require "devise/models/webauthn_credential_authenticatable"
 require "devise/strategies/passkey_authenticatable"
 
 module Devise
   module Models
     module PasskeyAuthenticatable
       extend ActiveSupport::Concern
+      include WebauthnCredentialAuthenticatable
 
       included do
-        has_many :passkeys, dependent: :destroy, class_name: "WebauthnCredential"
-
-        validates :webauthn_id, uniqueness: true, allow_blank: true
-
-        after_initialize do
-          self.webauthn_id ||= WebAuthn.generate_user_id
-        end
+        has_many :passkeys, -> { passkey }, class_name: "WebauthnCredential"
       end
     end
   end

data/lib/devise/models/webauthn_credential_authenticatable.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Devise
+  module Models
+    module WebauthnCredentialAuthenticatable
+      extend ActiveSupport::Concern
+
+      included do
+        has_many :webauthn_credentials, dependent: :destroy
+
+        validates :webauthn_id, uniqueness: true, allow_blank: true
+
+        after_initialize do
+          self.webauthn_id ||= WebAuthn.generate_user_id
+        end
+      end
+    end
+  end
+end

data/lib/devise/models/webauthn_two_factor_authenticatable.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+require "devise/models/webauthn_credential_authenticatable"
+require "devise/strategies/webauthn_two_factor_authenticatable"
+
+module Devise
+  module Models
+    module WebauthnTwoFactorAuthenticatable
+      extend ActiveSupport::Concern
+      include WebauthnCredentialAuthenticatable
+
+      included do
+        has_many :second_factor_webauthn_credentials, -> { second_factor }, class_name: "WebauthnCredential"
+      end
+
+      def second_factor_enabled?
+        webauthn_credentials.any?
+      end
+    end
+  end
+end

data/lib/devise/strategies/database_authenticatable.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    # Default strategy for signing in a user, based on their email and password in the database.
+    class DatabaseAuthenticatable < Authenticatable
+      def authenticate!
+        resource  = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
+        hashed = false
+
+        if validate(resource){ hashed = true; resource.valid_password?(password) }
+          if resource.second_factor_enabled?
+            session[:current_authentication_resource_id] = resource.id
+            request.flash[:notice] = two_factor_required_message
+            request.commit_flash
+            redirect!(two_factor_authentication_path, {}, message: two_factor_required_message)
+          else
+            remember_me(resource)
+            resource.after_database_authentication
+            success!(resource)
+          end
+        end
+
+        # In paranoid mode, hash the password even when a resource doesn't exist for the given authentication key.
+        # This is necessary to prevent enumeration attacks - e.g. the request is faster when a resource doesn't
+        # exist in the database if the password hashing algorithm is not called.
+        mapping.to.new.password = password if !hashed && Devise.paranoid
+        unless resource
+          Devise.paranoid ? fail(:invalid) : fail(:not_found_in_database)
+        end
+      end
+
+      private
+
+      def two_factor_authentication_path
+        Rails.application.routes.url_helpers.send(:"new_#{scope}_two_factor_authentication_path")
+      end
+
+      def two_factor_required_message
+        I18n.t(:"#{scope}.two_factor_required", resource_name: scope, scope: "devise.failure", default: :two_factor_required)
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:database_authenticatable, Devise::Strategies::DatabaseAuthenticatable)

data/lib/devise/strategies/passkey_authenticatable.rb

@@ -2,20 +2,21 @@
 
 module Devise
   module Strategies
-    class PasskeyAuthenticatable < Warden::Strategies::Base
+    class PasskeyAuthenticatable < Devise::Strategies::Base
       def valid?
         passkey_param.present? && session[:authentication_challenge].present?
       end
 
       def authenticate!
         passkey_from_params = WebAuthn::Credential.from_get(JSON.parse(passkey_param))
-        stored_passkey = WebauthnCredential.find_by(external_id: passkey_from_params.id)
+        stored_passkey = WebauthnCredential.passkey.find_by(external_id: passkey_from_params.id)
 
         return fail!(:passkey_not_found) if stored_passkey.blank?
 
         verify_passkeys(passkey_from_params, stored_passkey)
 
-        success!(stored_passkey.user)
+        resource = stored_passkey.public_send(resource_name)
+        success!(resource)
       rescue WebAuthn::Error
         fail!(:passkey_verification_failed)
       ensure
@@ -38,6 +39,10 @@ module Devise
 
         stored_passkey.update!(sign_count: passkey_from_params.sign_count)
       end
+
+      def resource_name
+        mapping.to.name.underscore
+      end
     end
   end
 end

data/lib/devise/strategies/webauthn_two_factor_authenticatable.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Devise
+  module Strategies
+    class WebauthnTwoFactorAuthenticatable < Devise::Strategies::Base
+      def valid?
+        credential_param.present? && session[:two_factor_authentication_challenge].present?
+      end
+
+      def authenticate!
+        credential_from_params = WebAuthn::Credential.from_get(JSON.parse(credential_param))
+        stored_credential = WebauthnCredential.find_by(external_id: credential_from_params.id)
+
+        return fail!(:webauthn_credential_not_found) if stored_credential.blank?
+
+        verify_credential(credential_from_params, stored_credential)
+
+        resource = stored_credential.public_send(resource_name)
+        success!(resource)
+
+        session.delete(:current_authentication_resource_id)
+      rescue WebAuthn::Error
+        fail!(:webauthn_credential_verification_failed)
+      ensure
+        session.delete(:two_factor_authentication_challenge)
+      end
+
+      private
+
+      def credential_param
+        params[:public_key_credential]
+      end
+
+      def verify_credential(credential_from_params, stored_credential)
+        credential_from_params.verify(
+          session[:two_factor_authentication_challenge],
+          public_key: stored_credential.public_key,
+          sign_count: stored_credential.sign_count
+        )
+
+        stored_credential.update!(sign_count: credential_from_params.sign_count)
+      end
+
+      def resource_name
+        mapping.to.name.underscore
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:webauthn_two_factor_authenticatable, Devise::Strategies::WebauthnTwoFactorAuthenticatable)

data/lib/devise/webauthn/engine.rb

@@ -14,6 +14,15 @@ module Devise
             route: { passkey_authentication: [] }
           }
         )
+
+        Devise.add_module(
+          :webauthn_two_factor_authenticatable,
+          {
+            model: "devise/models/webauthn_two_factor_authenticatable",
+            strategy: true,
+            route: { two_factor_authentication: [] }
+          }
+        )
       end
 
       initializer "devise.webauthn.helpers" do

data/lib/devise/webauthn/routes.rb

@@ -8,6 +8,16 @@ module ActionDispatch
       def devise_passkey_authentication(_mapping, controllers)
         resources :passkeys, only: %i[new create destroy], controller: controllers[:passkeys]
       end
+
+      def devise_two_factor_authentication(_mapping, controllers)
+        resource :two_factor_authentication,
+                 only: %i[new create],
+                 controller: controllers[:two_factor_authentications]
+
+        resources :second_factor_webauthn_credentials,
+                  only: %i[new create destroy],
+                  controller: controllers[:second_factor_webauthn_credentials]
+      end
     end
   end
 end

data/lib/devise/webauthn/url_helpers.rb

@@ -23,7 +23,10 @@ module Devise
     module UrlHelpers
       {
         passkeys: [nil],
-        passkey: [nil, :new]
+        passkey: [nil, :new],
+        two_factor_authentication: [nil, :new],
+        second_factor_webauthn_credentials: [nil],
+        second_factor_webauthn_credential: [nil, :new]
       }.each do |route, actions|
         %i[path url].each do |path_or_url|
           actions.each do |action|

data/lib/devise/webauthn/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module Webauthn
-    VERSION = "0.1.1"
+    VERSION = "0.2.0"
   end
 end

data/lib/generators/devise/webauthn/webauthn_credential_model/webauthn_credential_model_generator.rb

@@ -19,7 +19,8 @@ module Devise
           "name:string",
           "public_key:text",
           "sign_count:integer{8}",
-          "#{user_model_name}:references"
+          "#{user_model_name}:references",
+          "authentication_factor:integer{1}"
         ]
       end
 
@@ -28,6 +29,10 @@ module Devise
           <<~RUBY.indent(2)
             validates :external_id, :public_key, :name, :sign_count, presence: true
             validates :external_id, uniqueness: true
+
+            enum :authentication_factor, { first_factor: 0, second_factor: 1 }
+
+            scope :passkey, -> { first_factor }
           RUBY
         end
       end

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-webauthn
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Cedarcode
+autorequire:
 bindir: exe
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2025-12-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -37,6 +38,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+description:
 email:
 - webauthn@cedarcode.com
 executables: []
@@ -56,8 +58,12 @@ files:
 - README.md
 - Rakefile
 - app/controllers/devise/passkeys_controller.rb
+- app/controllers/devise/second_factor_webauthn_credentials_controller.rb
+- app/controllers/devise/two_factor_authentications_controller.rb
 - app/views/devise/passkeys/new.html.erb
+- app/views/devise/second_factor_webauthn_credentials/new.html.erb
 - app/views/devise/sessions/new.html.erb
+- app/views/devise/two_factor_authentications/new.html.erb
 - bin/console
 - bin/rails
 - bin/setup
@@ -69,7 +75,11 @@ files:
 - gemfiles/rails_8_0.gemfile
 - gemfiles/rails_edge.gemfile
 - lib/devise/models/passkey_authenticatable.rb
+- lib/devise/models/webauthn_credential_authenticatable.rb
+- lib/devise/models/webauthn_two_factor_authenticatable.rb
+- lib/devise/strategies/database_authenticatable.rb
 - lib/devise/strategies/passkey_authenticatable.rb
+- lib/devise/strategies/webauthn_two_factor_authenticatable.rb
 - lib/devise/webauthn.rb
 - lib/devise/webauthn/engine.rb
 - lib/devise/webauthn/helpers/credentials_helper.rb
@@ -93,8 +103,9 @@ licenses:
 metadata:
   homepage_uri: https://github.com/cedarcode/devise-webauthn
   source_code_uri: https://github.com/cedarcode/devise-webauthn
-  changelog_uri: https://github.com/cedarcode/devise-webauthn/blob/main/CHANGELOG.md
+  changelog_uri: https://github.com/cedarcode/devise-webauthn/blob/master/CHANGELOG.md
   rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -109,7 +120,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.2.1
+signing_key:
 specification_version: 4
 summary: Devise extension to support WebAuthn.
 test_files: []