devise-webauthn 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bedbd7cbfbce63ffd28dd38a828a34081880b037355c0fedb7ed0ae37921f105
-  data.tar.gz: 5bfc78ad1e764096d35fbf31b56b08d6370b731e757bd64e2c6af2b54c90c1f7
+  metadata.gz: f958718af83cd2bdae3d3c08d8ac72678e2e313b93eabdc7effe1af70bda300f
+  data.tar.gz: ea997a0537ca6a68d97e7aedbff6993331eeebab1857b2d7a26177987efe7571
 SHA512:
-  metadata.gz: 58786281bafd7c1032e331a09b48716aba0b49fd725856b33beb59708c2afc77310c174d0300a32c1294e0741fc6ff64fe0405f54d397e77be2853ec4ab0e925
-  data.tar.gz: e6a5d6fa654fb35bc854f96aa7783861da4370d65dd1dd72c43e10baa6cbea0291524fdbf2a175225778d80e584c734b6f88707a7731e61056657ce4b19bbd3b
+  metadata.gz: e81d1880a7b6722c150b9cdd3fcabcbc07128ab5beaea22c580a6ff5d6338ac108ed55728f876eb9635e087787c875fca246de6ed307450f53907b14eadc5c5d
+  data.tar.gz: 0fe56be79a56f2ca46349ebd4e9ce1ed1f3f43df73cb7acde76a0aebce4dae4cf022c8cc01dba53c89c9d0b637145474f169cab0b4f7f4811788fdc7b0fe2479

data/.github/workflows/ruby.yml

@@ -79,8 +79,8 @@ jobs:
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}
+        rubygems: latest
         bundler-cache: true
 
     - name: Run tests
-      run: |
-        bundle exec rspec
+      run: bundle exec rspec

data/.rubocop.yml

@@ -1,3 +1,5 @@
+inherit_from: .rubocop_todo.yml
+
 plugins:
   - rubocop-rspec
   - rubocop-rails

data/.rubocop_todo.yml

@@ -0,0 +1,20 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2026-01-02 20:36:46 UTC using RuboCop version 1.79.1.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Configuration parameters: Max, CountAsOne.
+RSpec/ExampleLength:
+  Exclude:
+    - 'spec/requests/devise/two_factor_authentication_spec.rb'
+
+# Offense count: 9
+# Configuration parameters: Max.
+RSpec/MultipleExpectations:
+  Exclude:
+    - 'spec/requests/devise/passkey_authentication_spec.rb'
+    - 'spec/requests/devise/two_factor_authentication_spec.rb'

data/Appraisals

@@ -22,7 +22,6 @@ appraise "rails-7_1" do
   gem "capybara", "~> 3.39"
   gem "importmap-rails", "~> 2.0"
   gem "pry-byebug", "~> 3.10"
-  gem "psych", "~> 4.0"
   gem "rack", "~> 2.2"
   gem "rspec-rails", "~> 7.1"
   gem "sqlite3", "~> 1.7"

data/CHANGELOG.md

@@ -2,6 +2,48 @@
 
 ## Unreleased
 
+## [v0.4.0](https://github.com/cedarcode/devise-webauthn/compare/v0.3.1...v0.4.0/) - 2026-04-06
+
+### Added
+
+- Dispatch `webauthn:unsupported` for browsers missing `parseOptionsFromJSON`. [#127](https://github.com/cedarcode/devise-webauthn/pull/127) [@santiagorodriguez96]
+- Scope `login_with_passkey_form_for` to the Devise resource so that form builder fields (e.g. `f.check_box :remember_me`) are properly namespaced (e.g. `account[remember_me]`). [#134](https://github.com/cedarcode/devise-webauthn/pull/134) [@RenzoMinelli]
+- Allow passing a -c flag to the controller generator to specify which controller to override. [#110](https://github.com/cedarcode/devise-webauthn/pull/110) [@nicolastemciuc]
+
+### Changed
+
+- Change `webauthn_id` generation from `after_initialize` to `before_validation` and add a data backfill to the `webauthn_id` migration generator for existing records. [#125](https://github.com/cedarcode/devise-webauthn/pull/125) [@santiagorodriguez96]
+- Options for getting or creating passkeys and security keys are now served by dedicated Rails controllers and retrieved via JavaScript fetch requests. [#73](https://github.com/cedarcode/devise-webauthn/pull/73) [@nicolastemciuc]
+- BREAKING!: Remove helpers for generating WebAuthn options. [#106](https://github.com/cedarcode/devise-webauthn/pull/115) [@nicolastemciuc]
+- BREAKING!: `login_with_passkey_button` and `login_with_security_key_button` helpers have been renamed to `login_with_passkey_form_for` and `login_with_security_key_form_for`. They now take a block and no longer generate the submit button automatically. You need to explicitly add the button inside the block. [#112](https://github.com/cedarcode/devise-webauthn/pull/112) [@RenzoMinelli]
+```erb
+<%# Before %>
+<%= login_with_passkey_button(:user, "Log in with passkeys") %>
+
+<%# After %>
+<%= login_with_passkey_form_for(:user) do |form| %>
+  <%= form.submit "Log in with passkeys" %>
+<% end %>
+```
+- BREAKING!: Replace `form_classes:` keyword argument with direct keyword arguments in all form helper methods (`passkey_creation_form_for`, `login_with_passkey_form_for`, `security_key_creation_form_for`, `login_with_security_key_form_for`). All options are delegated to `form_with`, allowing you to pass any HTML attributes or form options directly. [#111](https://github.com/cedarcode/devise-webauthn/pull/111) [@RenzoMinelli]
+```erb
+<%# Before %>
+<%= passkey_creation_form_for(:user, form_classes: "my-class") do |form| %>
+  ...
+<% end %>
+
+<%# After %>
+<%= passkey_creation_form_for(:user, class: "my-class", id: "my-form", data: { turbo: false }) do |form| %>
+  ...
+<% end %>
+```
+
+### Fixed
+
+- Validate `userHandle` from authenticator response against `webauthn_id`. [#131](https://github.com/cedarcode/devise-webauthn/pull/131) [@santiagorodriguez96]
+- Fix `Remember me` checkbox not honored when logging in with passkeys. [#133](https://github.com/cedarcode/devise-webauthn/pull/133) [@santiagorodriguez96]
+- Fix form helpers (`passkey_creation_form_for`, `login_with_passkey_button`, `security_key_creation_form_for`, `login_with_security_key_button`) to accept a `resource_name` instead of requiring the `resource` object from the view context. [#114](https://github.com/cedarcode/devise-webauthn/pull/114) [@RenzoMinelli]
+
 ## [v0.3.1](https://github.com/cedarcode/devise-webauthn/compare/v0.3.0...v0.3.1/) - 2026-02-10
 
 ### Fixed
@@ -22,6 +64,9 @@
   - Previously generated Stimulus controller for handling WebAuthn client logic are no longer generated.
   - Stimulus is no longer needed for this engine to work.
 - Make helpers for generating WebAuthn options public methods. [#106](https://github.com/cedarcode/devise-webauthn/pull/106) [@santiagorodriguez96]
+- BREAKING!: Our controller for managing second factor credentials now uses a separate method for each endpoint for setting the URL to redirect to. [#80](https://github.com/cedarcode/devise-webauthn/pull/80) [@nicolastemciuc]
+  - What used to be just an `after_update_path` for all endpoints, now it's an `after_(create|update|destroy)_path` for each endpoint.
+  - If you had overriden the controller to change the `after_update_path`, be mindful that now `create` and `destroy` endpoints will call its own method.
 
 ### Fixed
 

data/Gemfile

@@ -17,6 +17,7 @@ gem "pry-byebug", "~> 3.11"
 gem "puma", "~> 6.6"
 gem "rails", "~> 8.0"
 gem "rspec-rails", "~> 8.0"
+gem "rspec-retry"
 gem "rubocop", "~> 1.79"
 gem "rubocop-rails", "~> 2.32"
 gem "rubocop-rspec", "~> 3.6"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise-webauthn (0.3.1)
+    devise-webauthn (0.4.0)
       devise (>= 4.9)
       webauthn (~> 3.0)
 
@@ -266,6 +266,8 @@ GEM
       rspec-expectations (~> 3.13)
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
+    rspec-retry (0.6.2)
+      rspec-core (> 3.3)
     rspec-support (3.13.4)
     rubocop (1.79.1)
       json (~> 2.3)
@@ -351,6 +353,7 @@ DEPENDENCIES
   puma (~> 6.6)
   rails (~> 8.0)
   rspec-rails (~> 8.0)
+  rspec-retry
   rubocop (~> 1.79)
   rubocop-rails (~> 2.32)
   rubocop-rspec (~> 3.6)

data/README.md

@@ -73,6 +73,8 @@ Then, follow these steps to integrate Devise::Webauthn:
       config.rp_name = "Your App Name"
     end
     ```
+> [!TIP]
+> You can find a working example on how to use this gem for passwordless and two factor authentication in [`devise-webauthn-rails-demo`](https://github.com/cedarcode/devise-webauthn-demo-app).
 
 5. **Include bundled WebAuthn JavaScript in your application:**
    The install generator automatically configures JavaScript loading based on your setup:
@@ -143,16 +145,27 @@ $ bin/rails generate devise:webauthn:views -v passkeys
 ```
 
 ### Helper methods
-Devise::Webauthn provides helpers that can be used in your views. For example, for a resource named `user`, you can use the following helpers:
+Devise::Webauthn provides helpers that can be used in your views. These helpers accept either a resource name (e.g., `:user`) or a resource object (e.g., `@user`) as the first argument.
 
-To add a button for logging in with passkeys:
+For example, for a resource named `user`, you can use the following helpers:
+
+To add a form for logging in with passkeys:
+```erb
+<%= login_with_passkey_form_for(:user) do |form| %>
+  <%= form.submit "Log in with passkeys" %>
+<% end %>
+```
+
+To add a form for logging in with security keys (2FA):
 ```erb
-<%= login_with_passkey_button("Log in with passkeys", session_path: user_session_path) %>
+<%= login_with_security_key_form_for(@resource) do |form| %>
+  <%= form.submit "Use security key" %>
+<% end %>
 ```
 
 To add a passkeys creation form:
 ```erb
-<%= passkey_creation_form_for(current_user) do |form| %>
+<%= passkey_creation_form_for(:user) do |form| %>
   <%= form.label :name, 'Passkey name' %>
   <%= form.text_field :name, required: true %>
   <%= form.submit 'Create Passkey' %>

data/app/assets/javascript/devise/webauthn.js

@@ -3,7 +3,9 @@ function isWebAuthnSupported() {
     navigator.credentials &&
     navigator.credentials.create &&
     navigator.credentials.get &&
-    window.PublicKeyCredential
+    window.PublicKeyCredential &&
+    PublicKeyCredential.parseCreationOptionsFromJSON &&
+    PublicKeyCredential.parseRequestOptionsFromJSON
   );
 }
 
@@ -20,8 +22,8 @@ export class WebauthnCreateElement extends HTMLElement {
       event.preventDefault();
 
       try {
-        const options = JSON.parse(this.getAttribute('data-options-json'));
-        const publicKey = PublicKeyCredential.parseCreationOptionsFromJSON(options);
+        const response = await fetch(this.getAttribute('data-options-url'));
+        const publicKey = PublicKeyCredential.parseCreationOptionsFromJSON(await response.json());
         const credential = await navigator.credentials.create({ publicKey });
 
         this.querySelector('[data-webauthn-target="response"]').value = await this.stringifyRegistrationCredentialWithGracefullyHandlingAuthenticatorIssues(credential);
@@ -101,8 +103,8 @@ export class WebauthnGetElement extends HTMLElement {
       event.preventDefault();
 
       try {
-        const options = JSON.parse(this.getAttribute('data-options-json'));
-        const publicKey = PublicKeyCredential.parseRequestOptionsFromJSON(options);
+        const response = await fetch(this.getAttribute('data-options-url'));
+        const publicKey = PublicKeyCredential.parseRequestOptionsFromJSON(await response.json());
         const credential = await navigator.credentials.get({ publicKey });
 
         this.querySelector('[data-webauthn-target="response"]').value = await this.stringifyAuthenticationCredentialWithGracefullyHandlingAuthenticatorIssues(credential);

data/app/controllers/devise/passkey_authentication_options_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeyAuthenticationOptionsController < DeviseController
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_get(
+          user_verification: "required"
+        )
+
+      # Store challenge in session for later verification
+      session[:authentication_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+  end
+end

data/app/controllers/devise/passkey_registration_options_controller.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeyRegistrationOptionsController < DeviseController
+    before_action :authenticate_scope!
+
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_create(
+          user: {
+            id: resource.webauthn_id,
+            name: resource_human_palatable_identifier
+          },
+          exclude: resource.passkeys.pluck(:external_id),
+          authenticator_selection: {
+            resident_key: "required",
+            user_verification: "required"
+          }
+        )
+
+      # Store challenge in session for later verification
+      session[:webauthn_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+
+    private
+
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!", force: true)
+      self.resource = send(:"current_#{resource_name}")
+    end
+
+    def resource_human_palatable_identifier
+      authentication_keys = resource.class.authentication_keys
+      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
+
+      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
+    end
+  end
+end

data/app/controllers/devise/security_key_authentication_options_controller.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecurityKeyAuthenticationOptionsController < DeviseController
+    before_action :set_resource
+
+    def index
+      security_key_authentication_options =
+        WebAuthn::Credential.options_for_get(
+          allow: @resource.webauthn_credentials.pluck(:external_id),
+          user_verification: "discouraged"
+        )
+
+      # Store challenge in session for later verification
+      session[:two_factor_authentication_challenge] = security_key_authentication_options.challenge
+
+      render json: security_key_authentication_options
+    end
+
+    private
+
+    def set_resource
+      @resource = resource_class.find(session[:current_authentication_resource_id])
+    end
+  end
+end

data/app/controllers/devise/security_key_registration_options_controller.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecurityKeyRegistrationOptionsController < DeviseController
+    before_action :authenticate_scope!
+
+    def index
+      create_security_key_options =
+        WebAuthn::Credential.options_for_create(
+          user: {
+            id: resource.webauthn_id,
+            name: resource_human_palatable_identifier
+          },
+          exclude: resource.webauthn_credentials.pluck(:external_id),
+          authenticator_selection: {
+            resident_key: "discouraged",
+            user_verification: "discouraged"
+          }
+        )
+
+      # Store challenge in session for later verification
+      session[:webauthn_challenge] = create_security_key_options.challenge
+
+      render json: create_security_key_options
+    end
+
+    private
+
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!", force: true)
+      self.resource = send(:"current_#{resource_name}")
+    end
+
+    def resource_human_palatable_identifier
+      authentication_keys = resource.class.authentication_keys
+      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
+
+      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
+    end
+  end
+end

data/app/views/devise/passkeys/new.html.erb

@@ -1,4 +1,4 @@
-<%= passkey_creation_form_for(resource) do |form| %>
+<%= passkey_creation_form_for(resource_name) do |form| %>
   <%= form.label :name, 'Passkey name' %>
   <%= form.text_field :name, required: true %>
   <%= form.submit 'Create Passkey' %>

data/app/views/devise/second_factor_webauthn_credentials/new.html.erb

@@ -1,4 +1,4 @@
-<%= security_key_creation_form_for(resource) do |form| %>
+<%= security_key_creation_form_for(resource_name) do |form| %>
   <%= form.label :name, 'Security Key name' %>
   <%= form.text_field :name, required: true %>
   <%= form.submit 'Create Security Key' %>

data/app/views/devise/sessions/new.html.erb

@@ -23,6 +23,8 @@
   </div>
 <% end %>
 
-<%= login_with_passkey_button("Log in with passkeys", session_path: session_path(resource_name)) %>
+<%= login_with_passkey_form_for(resource_name) do |form| %>
+  <%= form.submit "Log in with passkeys" %>
+<% end %>
 
 <%= render "devise/shared/links" %>

data/app/views/devise/two_factor_authentications/new.html.erb

@@ -1 +1,3 @@
-<%= login_with_security_key_button('Use security key', resource: @resource) %>
+<%= login_with_security_key_form_for(resource_name) do |form| %>
+  <%= form.submit 'Use security key' %>
+<% end %>

data/gemfiles/devise_5_0.gemfile

@@ -12,12 +12,12 @@ gem "pry-byebug", "~> 3.10"
 gem "puma", "~> 6.6"
 gem "rails", ">= 7.1"
 gem "rspec-rails", ">= 7.1"
+gem "rspec-retry"
 gem "rubocop", "~> 1.79"
 gem "rubocop-rails", "~> 2.32"
 gem "rubocop-rspec", "~> 3.6"
 gem "selenium-webdriver"
 gem "sqlite3", ">= 1.6", "!= 1.7.0", "!= 1.7.1", "!= 1.7.2", "!= 1.7.3"
-gem "stimulus-rails", "~> 1.3"
 
 install_if -> { RUBY_VERSION < "3.0" } do
   gem "rack", "~> 2.2"

data/gemfiles/rails_7_1.gemfile

@@ -12,13 +12,12 @@ gem "pry-byebug", "~> 3.10"
 gem "puma", "~> 6.6"
 gem "rails", "~> 7.1.x"
 gem "rspec-rails", "~> 7.1"
+gem "rspec-retry"
 gem "rubocop", "~> 1.79"
 gem "rubocop-rails", "~> 2.32"
 gem "rubocop-rspec", "~> 3.6"
 gem "selenium-webdriver"
 gem "sqlite3", "~> 1.7"
-gem "stimulus-rails", "~> 1.3"
-gem "psych", "~> 4.0"
 gem "rack", "~> 2.2"
 
 gemspec path: "../"

data/gemfiles/rails_7_2.gemfile

@@ -12,11 +12,11 @@ gem "pry-byebug", "~> 3.11"
 gem "puma", "~> 6.6"
 gem "rails", "~> 7.2.x"
 gem "rspec-rails", "~> 8.0"
+gem "rspec-retry"
 gem "rubocop", "~> 1.79"
 gem "rubocop-rails", "~> 2.32"
 gem "rubocop-rspec", "~> 3.6"
 gem "selenium-webdriver"
 gem "sqlite3", "~> 2.7"
-gem "stimulus-rails", "~> 1.3"
 
 gemspec path: "../"

data/gemfiles/rails_8_0.gemfile

@@ -12,11 +12,11 @@ gem "pry-byebug", "~> 3.11"
 gem "puma", "~> 6.6"
 gem "rails", "~> 8.0.x"
 gem "rspec-rails", "~> 8.0"
+gem "rspec-retry"
 gem "rubocop", "~> 1.79"
 gem "rubocop-rails", "~> 2.32"
 gem "rubocop-rspec", "~> 3.6"
 gem "selenium-webdriver"
 gem "sqlite3", "~> 2.7"
-gem "stimulus-rails", "~> 1.3"
 
 gemspec path: "../"

data/gemfiles/rails_8_1.gemfile

@@ -12,11 +12,11 @@ gem "pry-byebug", "~> 3.11"
 gem "puma", "~> 6.6"
 gem "rails", "~> 8.1.x"
 gem "rspec-rails", "~> 8.0"
+gem "rspec-retry"
 gem "rubocop", "~> 1.79"
 gem "rubocop-rails", "~> 2.32"
 gem "rubocop-rspec", "~> 3.6"
 gem "selenium-webdriver"
 gem "sqlite3", "~> 2.7"
-gem "stimulus-rails", "~> 1.3"
 
 gemspec path: "../"

data/gemfiles/rails_edge.gemfile

@@ -12,11 +12,11 @@ gem "pry-byebug", "~> 3.11"
 gem "puma", "~> 6.6"
 gem "rails", branch: "main", git: "https://github.com/rails/rails"
 gem "rspec-rails", "~> 8.0"
+gem "rspec-retry"
 gem "rubocop", "~> 1.79"
 gem "rubocop-rails", "~> 2.32"
 gem "rubocop-rspec", "~> 3.6"
 gem "selenium-webdriver"
 gem "sqlite3", "~> 2.7"
-gem "stimulus-rails", "~> 1.3"
 
 gemspec path: "../"

data/lib/devise/models/webauthn_credential_authenticatable.rb

@@ -12,7 +12,7 @@ module Devise
 
         validates :webauthn_id, uniqueness: true, allow_blank: true
 
-        after_initialize do
+        before_validation do
           self.webauthn_id ||= WebAuthn.generate_user_id
         end
       end

data/lib/devise/strategies/passkey_authenticatable.rb

@@ -7,15 +7,19 @@ module Devise
         passkey_param.present? && session[:authentication_challenge].present?
       end
 
-      def authenticate!
+      def authenticate! # rubocop:disable Metrics/AbcSize
         passkey_from_params = WebAuthn::Credential.from_get(JSON.parse(passkey_param))
-        stored_passkey = WebauthnCredential.passkey.find_by(external_id: passkey_from_params.id)
+
+        return fail!(:passkey_not_found) if passkey_from_params.user_handle.nil?
+
+        resource = resource_class.find_by(webauthn_id: passkey_from_params.user_handle)
+        stored_passkey = resource&.passkeys&.find_by(external_id: passkey_from_params.id)
 
         return fail!(:passkey_not_found) if stored_passkey.blank?
 
         verify_passkeys(passkey_from_params, stored_passkey)
 
-        resource = stored_passkey.public_send(resource_name)
+        remember_me(resource)
         success!(resource)
       rescue WebAuthn::Error
         fail!(:passkey_verification_failed)
@@ -40,8 +44,20 @@ module Devise
         stored_passkey.update!(sign_count: passkey_from_params.sign_count)
       end
 
-      def resource_name
-        mapping.to.name.underscore
+      def remember_me(resource)
+        resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
+      end
+
+      def remember_me?
+        params_auth_hash.is_a?(Hash) && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
+      end
+
+      def params_auth_hash
+        params[scope]
+      end
+
+      def resource_class
+        mapping.to
       end
     end
   end

data/lib/devise/strategies/webauthn_two_factor_authenticatable.rb

@@ -16,6 +16,9 @@ module Devise
         stored_credential = resource&.webauthn_credentials&.find_by(external_id: credential_from_params.id)
 
         return fail!(:webauthn_credential_not_found) if stored_credential.blank?
+        if user_handle_mismatch?(credential_from_params, resource)
+          return fail!(:webauthn_credential_verification_failed)
+        end
 
         verify_credential(credential_from_params, stored_credential)
 
@@ -47,6 +50,11 @@ module Devise
         stored_credential.update!(sign_count: credential_from_params.sign_count)
       end
 
+      def user_handle_mismatch?(credential_from_params, resource)
+        credential_from_params.user_handle.present? &&
+          credential_from_params.user_handle != resource.webauthn_id
+      end
+
       def resource_class
         mapping.to
       end

data/lib/devise/webauthn/helpers/credentials_helper.rb

@@ -1,140 +1,57 @@
 # frozen_string_literal: true
 
-# rubocop:disable Metrics/ModuleLength
 module Devise
   module Webauthn
     module CredentialsHelper
-      def passkey_creation_form_for(resource, form_classes: nil, &block)
+      def passkey_creation_form_for(resource_or_resource_name, **options, &block)
         form_with(
-          url: passkeys_path(resource),
-          method: :post,
-          class: form_classes
+          **options, url: passkeys_path(resource_or_resource_name), method: :post
         ) do |f|
-          tag.webauthn_create(data: { options_json: create_passkey_options(resource) }) do
+          tag.webauthn_create(data: { options_url: passkey_registration_options_path(resource_or_resource_name) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
         end
       end
 
-      def login_with_passkey_button(text = nil, session_path:, button_classes: nil, form_classes: nil, &block)
+      def login_with_passkey_form_for(resource_or_resource_name, **options, &block)
+        scope = Devise::Mapping.find_scope!(resource_or_resource_name)
+
         form_with(
-          url: session_path,
-          method: :post,
-          class: form_classes
+          **options, scope: scope, url: session_path(resource_or_resource_name), method: :post
         ) do |f|
-          tag.webauthn_get(data: { options_json: passkey_authentication_options }) do
-            concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
-
-            concat f.button(text, type: "submit", class: button_classes, &block)
+          tag.webauthn_get(data: { options_url: passkey_authentication_options_path(resource_or_resource_name) }) do
+            concat hidden_field_tag(:public_key_credential, nil, data: { webauthn_target: "response" })
+            concat capture(f, &block)
           end
         end
       end
 
-      def security_key_creation_form_for(resource, form_classes: nil, &block)
+      def security_key_creation_form_for(resource_or_resource_name, **options, &block)
         form_with(
-          url: second_factor_webauthn_credentials_path(resource),
-          method: :post,
-          class: form_classes
+          **options, url: second_factor_webauthn_credentials_path(resource_or_resource_name), method: :post
         ) do |f|
-          tag.webauthn_create(data: { options_json: create_security_key_options(resource) }) do
+          tag.webauthn_create(
+            data: { options_url: security_key_registration_options_path(resource_or_resource_name) }
+          ) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
         end
       end
 
-      def login_with_security_key_button(text = nil, resource:, button_classes: nil, form_classes: nil, &block)
+      def login_with_security_key_form_for(resource_or_resource_name, **options, &block)
         form_with(
-          url: two_factor_authentication_path(resource),
-          method: :post,
-          class: form_classes
+          **options, url: two_factor_authentication_path(resource_or_resource_name), method: :post
         ) do |f|
-          tag.webauthn_get(data: { options_json: security_key_authentication_options(resource) }) do
+          tag.webauthn_get(data: {
+                             options_url: security_key_authentication_options_path(resource_or_resource_name)
+                           }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
-            concat f.button(text, type: "submit", class: button_classes, &block)
+            concat capture(f, &block)
           end
         end
       end
-
-      def create_passkey_options(resource)
-        @create_passkey_options ||= begin
-          options = WebAuthn::Credential.options_for_create(
-            user: {
-              id: resource.webauthn_id,
-              name: resource_human_palatable_identifier
-            },
-            exclude: resource.passkeys.pluck(:external_id),
-            authenticator_selection: {
-              resident_key: "required",
-              user_verification: "required"
-            }
-          )
-
-          # Store challenge in session for later verification
-          session[:webauthn_challenge] = options.challenge
-
-          options
-        end
-      end
-
-      def passkey_authentication_options
-        @passkey_authentication_options ||= begin
-          options = WebAuthn::Credential.options_for_get(
-            user_verification: "required"
-          )
-
-          # Store challenge in session for later verification
-          session[:authentication_challenge] = options.challenge
-
-          options
-        end
-      end
-
-      def create_security_key_options(resource)
-        @create_security_key_options ||= begin
-          options = WebAuthn::Credential.options_for_create(
-            user: {
-              id: resource.webauthn_id,
-              name: resource_human_palatable_identifier
-            },
-            exclude: resource.webauthn_credentials.pluck(:external_id),
-            authenticator_selection: {
-              resident_key: "discouraged",
-              user_verification: "discouraged"
-            }
-          )
-
-          # Store challenge in session for later verification
-          session[:webauthn_challenge] = options.challenge
-
-          options
-        end
-      end
-
-      def security_key_authentication_options(resource)
-        @security_key_authentication_options ||= begin
-          options = WebAuthn::Credential.options_for_get(
-            allow: resource.webauthn_credentials.pluck(:external_id),
-            user_verification: "discouraged"
-          )
-
-          # Store challenge in session for later verification
-          session[:two_factor_authentication_challenge] = options.challenge
-
-          options
-        end
-      end
-
-      private
-
-      def resource_human_palatable_identifier
-        authentication_keys = resource.class.authentication_keys
-        authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
-
-        authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
-      end
     end
   end
 end
-# rubocop:enable Metrics/ModuleLength

data/lib/devise/webauthn/routes.rb

@@ -7,6 +7,10 @@ module ActionDispatch
 
       def devise_passkey_authentication(_mapping, controllers)
         resources :passkeys, only: %i[new create destroy], controller: controllers[:passkeys]
+
+        resources :passkey_authentication_options, only: :index,
+                                                   controller: controllers[:passkey_authentication_options]
+        resources :passkey_registration_options, only: :index, controller: controllers[:passkey_registration_options]
       end
 
       def devise_two_factor_authentication(_mapping, controllers)
@@ -17,6 +21,11 @@ module ActionDispatch
         resources :second_factor_webauthn_credentials,
                   only: %i[new create update destroy],
                   controller: controllers[:second_factor_webauthn_credentials]
+
+        resources :security_key_authentication_options, only: %i[index],
+                                                        controller: controllers[:security_key_authentication_options]
+        resources :security_key_registration_options, only: %i[index],
+                                                      controller: controllers[:security_key_registration_options]
       end
     end
   end

data/lib/devise/webauthn/url_helpers.rb

@@ -24,9 +24,13 @@ module Devise
       {
         passkeys: [nil],
         passkey: [nil, :new],
+        passkey_authentication_options: [nil],
+        passkey_registration_options: [nil],
         two_factor_authentication: [nil, :new],
         second_factor_webauthn_credentials: [nil],
-        second_factor_webauthn_credential: [nil, :new]
+        second_factor_webauthn_credential: [nil, :new],
+        security_key_authentication_options: [nil],
+        security_key_registration_options: [nil]
       }.each do |route, actions|
         %i[path url].each do |path_or_url|
           actions.each do |action|

data/lib/devise/webauthn/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module Webauthn
-    VERSION = "0.3.1"
+    VERSION = "0.4.0"
   end
 end

data/lib/generators/devise/webauthn/controllers_generator.rb

@@ -9,6 +9,10 @@ module Devise
         passkeys
         second_factor_webauthn_credentials
         two_factor_authentications
+        passkey_authentication_options
+        passkey_registration_options
+        security_key_authentication_options
+        security_key_registration_options
       ].freeze
 
       desc "Create inherited Devise::Webauthn controllers in your app/controllers folder."
@@ -16,10 +20,13 @@ module Devise
       source_root File.expand_path("templates/controllers", __dir__)
       argument :scope, required: true,
                        desc: "The scope to create controllers in, e.g. users, admins"
+      class_option :controllers, aliases: "-c", type: :array,
+                                 desc: "Select specific controllers to generate (#{CONTROLLERS.join(', ')})"
 
       def create_controllers
         @scope_prefix = scope.blank? ? "" : "#{scope.camelize}::"
-        CONTROLLERS.each do |name|
+        controllers = options[:controllers] || CONTROLLERS
+        controllers.each do |name|
           template "#{name}_controller.rb",
                    "app/controllers/#{scope}/#{name}_controller.rb"
         end

data/lib/generators/devise/webauthn/templates/controllers/passkey_authentication_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>PasskeyAuthenticationOptionsController < Devise::PasskeyAuthenticationOptionsController
+  # GET /resource/passkey_authentication_options
+  # def index
+  #   super
+  # end
+end

data/lib/generators/devise/webauthn/templates/controllers/passkey_registration_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>PasskeyRegistrationOptionsController < Devise::PasskeyRegistrationOptionsController
+  # GET /resource/passkey_registration_options
+  # def index
+  #   super
+  # end
+end

data/lib/generators/devise/webauthn/templates/controllers/security_key_authentication_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>SecurityKeyAuthenticationOptionsController < Devise::SecurityKeyAuthenticationOptionsController
+  # GET /resource/security_key_authentication_options
+  # def index
+  #   super
+  # end
+end

data/lib/generators/devise/webauthn/templates/controllers/security_key_registration_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>SecurityKeyRegistrationOptionsController < Devise::SecurityKeyRegistrationOptionsController
+  # GET /resource/securiy_key_registration_options
+  # def index
+  #   super
+  # end
+end

data/lib/generators/devise/webauthn/webauthn_id/templates/add_webauthn_id.rb.erb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+class AddWebauthnIdTo<%= user_table_name.camelize %> < ActiveRecord::Migration[<%= Rails.version.to_f %>]
+  def up
+    add_column :<%= user_table_name %>, :webauthn_id, :string
+    add_index :<%= user_table_name %>, :webauthn_id, unique: true
+
+    # WARNING: The code below backfills webauthn_id for all existing records
+    # one row at a time. For larger tables, consider removing it and running
+    # the backfill separately (e.g., in a background job or maintenance task).
+    #
+    # Worth noting: PostgreSQL and MySQL support single-query backfills:
+    #
+    #   PostgreSQL:
+    #     UPDATE <%= user_table_name %> SET webauthn_id = encode(gen_random_bytes(64), 'base64') WHERE webauthn_id IS NULL
+    #
+    #   MySQL:
+    #     UPDATE <%= user_table_name %> SET webauthn_id = TO_BASE64(RANDOM_BYTES(64)) WHERE webauthn_id IS NULL
+    #
+    execute("SELECT id FROM <%= user_table_name %> WHERE webauthn_id IS NULL").each do |row|
+      webauthn_id = WebAuthn.generate_user_id
+      execute(ActiveRecord::Base.sanitize_sql_array(
+        ["UPDATE <%= user_table_name %> SET webauthn_id = ? WHERE id = ?", webauthn_id, row["id"]]
+      ))
+    end
+    # Note: if your application creates records using methods that skip
+    # callbacks (e.g., insert_all), consider adding a database default
+    # to ensure webauthn_id is always set. For example, in PostgreSQL:
+    #
+    #   change_column_default :<%= user_table_name %>, :webauthn_id, from: nil, to: -> { "encode(gen_random_bytes(64), 'base64')" }
+    #
+    # For the same reason, you may want to add a NOT NULL constraint in a
+    # separate migration after the backfill is complete:
+    #
+    #   change_column_null :<%= user_table_name %>, :webauthn_id, false
+  end
+
+  def down
+    remove_column :<%= user_table_name %>, :webauthn_id
+  end
+end

data/lib/generators/devise/webauthn/webauthn_id/webauthn_id_generator.rb

@@ -6,17 +6,22 @@ require "rails/generators/active_record"
 module Devise
   module Webauthn
     class WebauthnIdGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+
       hide!
       namespace "devise:webauthn:webauthn_id"
 
+      source_root File.expand_path("templates", __dir__)
+
       desc "Add webauthn_id field to User model"
       class_option :resource_name, type: :string, default: "user", desc: "The resource name for Devise (default: user)"
 
+      def self.next_migration_number(dirname)
+        ActiveRecord::Generators::Base.next_migration_number(dirname)
+      end
+
       def generate_migration
-        invoke "active_record:migration", [
-          "add_webauthn_id_to_#{user_table_name}",
-          "webauthn_id:string:uniq"
-        ]
+        migration_template "add_webauthn_id.rb.erb", "db/migrate/add_webauthn_id_to_#{user_table_name}.rb"
       end
 
       def show_instructions

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise-webauthn
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Cedarcode
@@ -50,6 +50,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
+- ".rubocop_todo.yml"
 - ".ruby-version"
 - Appraisals
 - CHANGELOG.md
@@ -59,8 +60,12 @@ files:
 - README.md
 - Rakefile
 - app/assets/javascript/devise/webauthn.js
+- app/controllers/devise/passkey_authentication_options_controller.rb
+- app/controllers/devise/passkey_registration_options_controller.rb
 - app/controllers/devise/passkeys_controller.rb
 - app/controllers/devise/second_factor_webauthn_credentials_controller.rb
+- app/controllers/devise/security_key_authentication_options_controller.rb
+- app/controllers/devise/security_key_registration_options_controller.rb
 - app/controllers/devise/two_factor_authentications_controller.rb
 - app/views/devise/passkeys/new.html.erb
 - app/views/devise/second_factor_webauthn_credentials/new.html.erb
@@ -96,12 +101,17 @@ files:
 - lib/generators/devise/webauthn/install/templates/webauthn.rb
 - lib/generators/devise/webauthn/javascript_configuration/javascript_configuration_generator.rb
 - lib/generators/devise/webauthn/templates/controllers/README
+- lib/generators/devise/webauthn/templates/controllers/passkey_authentication_options_controller.rb.tt
+- lib/generators/devise/webauthn/templates/controllers/passkey_registration_options_controller.rb.tt
 - lib/generators/devise/webauthn/templates/controllers/passkeys_controller.rb.tt
 - lib/generators/devise/webauthn/templates/controllers/second_factor_webauthn_credentials_controller.rb.tt
+- lib/generators/devise/webauthn/templates/controllers/security_key_authentication_options_controller.rb.tt
+- lib/generators/devise/webauthn/templates/controllers/security_key_registration_options_controller.rb.tt
 - lib/generators/devise/webauthn/templates/controllers/two_factor_authentications_controller.rb.tt
 - lib/generators/devise/webauthn/views_generator.rb
 - lib/generators/devise/webauthn/webauthn_credential_model/templates/webauthn_credential_migration.rb.erb
 - lib/generators/devise/webauthn/webauthn_credential_model/webauthn_credential_model_generator.rb
+- lib/generators/devise/webauthn/webauthn_id/templates/add_webauthn_id.rb.erb
 - lib/generators/devise/webauthn/webauthn_id/webauthn_id_generator.rb
 homepage: https://github.com/cedarcode/devise-webauthn
 licenses: