has_secure_passkey 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 11ce9f55e205c9be680e02f1159a9880bde3abae369530bf6423235f90b7fbf0
+  data.tar.gz: 93f6d76763e8fc4910de588288daf9ce8451070c0bfc615fd8ab2a691f3c6898
+SHA512:
+  metadata.gz: 770fbbcf695704aa6e065f3b94ae239e5b91bafef8ac70c96aa949553987403186dfa31015c7101dad74b56b85b5abb7a1cacfd8d80424522e532bae24348ae1
+  data.tar.gz: 5abfed79a375a27985383b2235efd4d522b0a10449c22a186a1c257dd45a2c714b138b12c2da26cc4bea2271569acc38570f548b754a7f2370251a18b119ed55

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright Nick Pezza
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,32 @@
+# HasSecurePasskey
+
+HasSecurePasskey is part generator, part cinceptual compression of a passkey
+implementation. Implementing passkeys is more complex than regular passwords
+but they have the added benefit of being more secure and easier for end users
+to use.
+
+## Usage
+
+If you want to use the full implementation run the `bin/rails passkeys`
+generator which sets up models, controllers, and a mailer for the whole
+registration and session flow.
+
+Alternatively, you can just use the helpers provided by `has_secure_passkey` and
+the view helpers and make everything else yourself.
+
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem "has_secure_passkey"
+```
+
+And then execute:
+```bash
+$ bundle
+$ bin/rails passkeys
+```
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"

data/app/assets/javascripts/@github--webauthn-json.js

@@ -0,0 +1 @@
+function base64urlToBuffer(e){const r="==".slice(0,(4-e.length%4)%4);const t=e.replace(/-/g,"+").replace(/_/g,"/")+r;const n=atob(t);const i=new ArrayBuffer(n.length);const o=new Uint8Array(i);for(let e=0;e<n.length;e++)o[e]=n.charCodeAt(e);return i}function bufferToBase64url(e){const r=new Uint8Array(e);let t="";for(const e of r)t+=String.fromCharCode(e);const n=btoa(t);const i=n.replace(/\+/g,"-").replace(/\//g,"_").replace(/=/g,"");return i}var e="copy";var r="convert";function convert(t,n,i){if(n===e)return i;if(n===r)return t(i);if(n instanceof Array)return i.map((e=>convert(t,n[0],e)));if(n instanceof Object){const e={};for(const[r,o]of Object.entries(n)){if(o.derive){const e=o.derive(i);void 0!==e&&(i[r]=e)}if(r in i)null!=i[r]?e[r]=convert(t,o.schema,i[r]):e[r]=null;else if(o.required)throw new Error(`Missing key: ${r}`)}return e}}function derived(e,r){return{required:true,schema:e,derive:r}}function required(e){return{required:true,schema:e}}function optional(e){return{required:false,schema:e}}var t={type:required(e),id:required(r),transports:optional(e)};var n={appid:optional(e),appidExclude:optional(e),credProps:optional(e)};var i={appid:optional(e),appidExclude:optional(e),credProps:optional(e)};var o={publicKey:required({rp:required(e),user:required({id:required(r),name:required(e),displayName:required(e)}),challenge:required(r),pubKeyCredParams:required(e),timeout:optional(e),excludeCredentials:optional([t]),authenticatorSelection:optional(e),attestation:optional(e),extensions:optional(n)}),signal:optional(e)};var a={type:required(e),id:required(e),rawId:required(r),authenticatorAttachment:optional(e),response:required({clientDataJSON:required(r),attestationObject:required(r),transports:derived(e,(e=>{var r;return(null==(r=e.getTransports)?void 0:r.call(e))||[]}))}),clientExtensionResults:derived(i,(e=>e.getClientExtensionResults()))};var u={mediation:optional(e),publicKey:required({challenge:required(r),timeout:optional(e),rpId:optional(e),allowCredentials:optional([t]),userVerification:optional(e),extensions:optional(n)}),signal:optional(e)};var s={type:required(e),id:required(e),rawId:required(r),authenticatorAttachment:optional(e),response:required({clientDataJSON:required(r),authenticatorData:required(r),signature:required(r),userHandle:required(r)}),clientExtensionResults:derived(i,(e=>e.getClientExtensionResults()))};var c={credentialCreationOptions:o,publicKeyCredentialWithAttestation:a,credentialRequestOptions:u,publicKeyCredentialWithAssertion:s};function createRequestFromJSON(e){return convert(base64urlToBuffer,o,e)}function createResponseToJSON(e){return convert(bufferToBase64url,a,e)}async function create(e){const r=await navigator.credentials.create(createRequestFromJSON(e));return createResponseToJSON(r)}function getRequestFromJSON(e){return convert(base64urlToBuffer,u,e)}function getResponseToJSON(e){return convert(bufferToBase64url,s,e)}async function get(e){const r=await navigator.credentials.get(getRequestFromJSON(e));return getResponseToJSON(r)}function supported(){return!!(navigator.credentials&&navigator.credentials.create&&navigator.credentials.get&&window.PublicKeyCredential)}export{create,get,c as schema,supported};

data/app/assets/javascripts/@rails--request.js

@@ -0,0 +1,2 @@
+class FetchResponse{constructor(t){this.response=t}get statusCode(){return this.response.status}get redirected(){return this.response.redirected}get ok(){return this.response.ok}get unauthenticated(){return this.statusCode===401}get unprocessableEntity(){return this.statusCode===422}get authenticationURL(){return this.response.headers.get("WWW-Authenticate")}get contentType(){const t=this.response.headers.get("Content-Type")||"";return t.replace(/;.*$/,"")}get headers(){return this.response.headers}get html(){return this.contentType.match(/^(application|text)\/(html|xhtml\+xml)$/)?this.text:Promise.reject(new Error(`Expected an HTML response but got "${this.contentType}" instead`))}get json(){return this.contentType.match(/^application\/.*json$/)?this.responseJson||(this.responseJson=this.response.json()):Promise.reject(new Error(`Expected a JSON response but got "${this.contentType}" instead`))}get text(){return this.responseText||(this.responseText=this.response.text())}get isTurboStream(){return this.contentType.match(/^text\/vnd\.turbo-stream\.html/)}get isScript(){return this.contentType.match(/\b(?:java|ecma)script\b/)}async renderTurboStream(){if(!this.isTurboStream)return Promise.reject(new Error(`Expected a Turbo Stream response but got "${this.contentType}" instead`));window.Turbo?await window.Turbo.renderStreamMessage(await this.text):console.warn("You must set `window.Turbo = Turbo` to automatically process Turbo Stream events with request.js")}async activeScript(){if(!this.isScript)return Promise.reject(new Error(`Expected a Script response but got "${this.contentType}" instead`));{const t=document.createElement("script");const e=document.querySelector("meta[name=csp-nonce]");const n=e&&e.content;n&&t.setAttribute("nonce",n);t.innerHTML=await this.text;document.body.appendChild(t)}}}class RequestInterceptor{static register(t){this.interceptor=t}static get(){return this.interceptor}static reset(){this.interceptor=void 0}}function getCookie(t){const e=document.cookie?document.cookie.split("; "):[];const n=`${encodeURIComponent(t)}=`;const s=e.find((t=>t.startsWith(n)));if(s){const t=s.split("=").slice(1).join("=");if(t)return decodeURIComponent(t)}}function compact(t){const e={};for(const n in t){const s=t[n];s!==void 0&&(e[n]=s)}return e}function metaContent(t){const e=document.head.querySelector(`meta[name="${t}"]`);return e&&e.content}function stringEntriesFromFormData(t){return[...t].reduce(((t,[e,n])=>t.concat(typeof n==="string"?[[e,n]]:[])),[])}function mergeEntries(t,e){for(const[n,s]of e)if(!(s instanceof window.File))if(t.has(n)&&!n.includes("[]")){t.delete(n);t.set(n,s)}else t.append(n,s)}class FetchRequest{constructor(t,e,n={}){this.method=t;this.options=n;this.originalUrl=e.toString()}async perform(){try{const t=RequestInterceptor.get();t&&await t(this)}catch(t){console.error(t)}const t=this.responseKind==="turbo-stream"&&window.Turbo?window.Turbo.fetch:window.fetch;const e=new FetchResponse(await t(this.url,this.fetchOptions));if(e.unauthenticated&&e.authenticationURL)return Promise.reject(window.location.href=e.authenticationURL);e.isScript&&await e.activeScript();const n=e.ok||e.unprocessableEntity;n&&e.isTurboStream&&await e.renderTurboStream();return e}addHeader(t,e){const n=this.additionalHeaders;n[t]=e;this.options.headers=n}sameHostname(){if(!this.originalUrl.startsWith("http:"))return true;try{return new URL(this.originalUrl).hostname===window.location.hostname}catch(t){return true}}get fetchOptions(){return{method:this.method.toUpperCase(),headers:this.headers,body:this.formattedBody,signal:this.signal,credentials:this.credentials,redirect:this.redirect}}get headers(){const t={"X-Requested-With":"XMLHttpRequest","Content-Type":this.contentType,Accept:this.accept};this.sameHostname()&&(t["X-CSRF-Token"]=this.csrfToken);return compact(Object.assign(t,this.additionalHeaders))}get csrfToken(){return getCookie(metaContent("csrf-param"))||metaContent("csrf-token")}get contentType(){return this.options.contentType?this.options.contentType:this.body==null||this.body instanceof window.FormData?void 0:this.body instanceof window.File?this.body.type:"application/json"}get accept(){switch(this.responseKind){case"html":return"text/html, application/xhtml+xml";case"turbo-stream":return"text/vnd.turbo-stream.html, text/html, application/xhtml+xml";case"json":return"application/json, application/vnd.api+json";case"script":return"text/javascript, application/javascript";default:return"*/*"}}get body(){return this.options.body}get query(){const t=(this.originalUrl.split("?")[1]||"").split("#")[0];const e=new URLSearchParams(t);let n=this.options.query;n=n instanceof window.FormData?stringEntriesFromFormData(n):n instanceof window.URLSearchParams?n.entries():Object.entries(n||{});mergeEntries(e,n);const s=e.toString();return s.length>0?`?${s}`:""}get url(){return this.originalUrl.split("?")[0].split("#")[0]+this.query}get responseKind(){return this.options.responseKind||"html"}get signal(){return this.options.signal}get redirect(){return this.options.redirect||"follow"}get credentials(){return this.options.credentials||"same-origin"}get additionalHeaders(){return this.options.headers||{}}get formattedBody(){const t=Object.prototype.toString.call(this.body)==="[object String]";const e=this.headers["Content-Type"]==="application/json";return e&&!t?JSON.stringify(this.body):this.body}}async function get(t,e){const n=new FetchRequest("get",t,e);return n.perform()}async function post(t,e){const n=new FetchRequest("post",t,e);return n.perform()}async function put(t,e){const n=new FetchRequest("put",t,e);return n.perform()}async function patch(t,e){const n=new FetchRequest("patch",t,e);return n.perform()}async function destroy(t,e){const n=new FetchRequest("delete",t,e);return n.perform()}export{FetchRequest,FetchResponse,RequestInterceptor,destroy,get,patch,post,put};
+//# sourceMappingURL=index.js.map

data/app/assets/javascripts/components/has_secure_passkey.js

@@ -0,0 +1,3 @@
+import WebAuthn from "./web_authn"
+
+customElements.define("web-authn", WebAuthn);

data/app/assets/javascripts/components/web_authn.js

@@ -0,0 +1,81 @@
+import * as WebAuthnJSON from "../@github--webauthn-json"
+import { post } from "../@rails--request"
+
+export default class WebAuthn extends HTMLElement {
+  static observedAttributes = ["action", "callback", "options"];
+
+  constructor() {
+    super();
+  }
+
+  connectedCallback() {
+    this.progressBar = Turbo.navigator.delegate.adapter.progressBar
+    this.style.display = "none"
+    this.setAttribute("id", "webauthn")
+    this.setAttribute("data-turbo-temporary", 1)
+    this.run()
+  }
+
+  run() {
+    WebAuthnJSON[this.action](this.options).
+      then(async (credential) => {
+        this.showProgress()
+
+        const { response, redirected } = await post(this.callback, {
+          responseKind: "turbo-stream",
+          body: JSON.stringify(Object.assign(credential, { webauthn_message: this.message }))
+        })
+
+        this.hideProgress()
+
+        if (response.ok && redirected) {
+          const responseHTML = await response.text()
+          const options = { action: "advance", shouldCacheSnapshot: false,
+            response: { statusCode: response.status, responseHTML, redirected } }
+            Turbo.navigator.proposeVisit(new URL(response.url), options)
+        }
+      }).catch((error) => {
+        this.onError(error)
+      })
+  }
+
+  showProgress() {
+    this.progressBar.setValue(0)
+    this.progressBar.show()
+  }
+
+  hideProgress() {
+    this.progressBar.setValue(1)
+    this.progressBar.hide()
+  }
+
+  onError(error) {
+    let event
+
+    if (error.code === 0 && error.name === "NotAllowedError") {
+      event = new CustomEvent("web-authn-error", { bubbles: true, detail: "That didn't work. Either it was cancelled or took too long. Please try again." });
+    } else if (error.code === 11 && error.name === "InvalidStateError") {
+      event = new CustomEvent("web-authn-error", { bubbles: true, detail: "We couldn't add that security key. Looks like you may have already registered it." });
+    } else {
+      event = new CustomEvent("web-authn-error", { bubbles: true, detail: error.message });
+    }
+
+    this.dispatchEvent(event);
+  }
+
+  get action() {
+    return this.getAttribute('action');
+  }
+
+  get callback() {
+    return this.getAttribute('callback');
+  }
+
+  get options() {
+    return JSON.parse(this.getAttribute('options'));
+  }
+
+  get message() {
+    return this.getAttribute('message');
+  }
+}

data/app/assets/javascripts/has_secure_passkey.js

@@ -0,0 +1,406 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: (newValue) => all[name] = () => newValue
+    });
+};
+
+// app/assets/javascripts/@github--webauthn-json.js
+var exports__github_webauthn_json = {};
+__export(exports__github_webauthn_json, {
+  supported: () => {
+    {
+      return supported;
+    }
+  },
+  schema: () => {
+    {
+      return c;
+    }
+  },
+  get: () => {
+    {
+      return get;
+    }
+  },
+  create: () => {
+    {
+      return create;
+    }
+  }
+});
+var base64urlToBuffer = function(e) {
+  const r = "==".slice(0, (4 - e.length % 4) % 4);
+  const t = e.replace(/-/g, "+").replace(/_/g, "/") + r;
+  const n = atob(t);
+  const i = new ArrayBuffer(n.length);
+  const o = new Uint8Array(i);
+  for (let e2 = 0;e2 < n.length; e2++)
+    o[e2] = n.charCodeAt(e2);
+  return i;
+};
+var bufferToBase64url = function(e) {
+  const r = new Uint8Array(e);
+  let t = "";
+  for (const e2 of r)
+    t += String.fromCharCode(e2);
+  const n = btoa(t);
+  const i = n.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  return i;
+};
+var convert = function(t, n, i) {
+  if (n === e)
+    return i;
+  if (n === r)
+    return t(i);
+  if (n instanceof Array)
+    return i.map((e) => convert(t, n[0], e));
+  if (n instanceof Object) {
+    const e = {};
+    for (const [r, o] of Object.entries(n)) {
+      if (o.derive) {
+        const e2 = o.derive(i);
+        e2 !== undefined && (i[r] = e2);
+      }
+      if (r in i)
+        i[r] != null ? e[r] = convert(t, o.schema, i[r]) : e[r] = null;
+      else if (o.required)
+        throw new Error(`Missing key: ${r}`);
+    }
+    return e;
+  }
+};
+var derived = function(e, r) {
+  return { required: true, schema: e, derive: r };
+};
+var required = function(e) {
+  return { required: true, schema: e };
+};
+var optional = function(e) {
+  return { required: false, schema: e };
+};
+var createRequestFromJSON = function(e) {
+  return convert(base64urlToBuffer, o, e);
+};
+var createResponseToJSON = function(e) {
+  return convert(bufferToBase64url, a, e);
+};
+async function create(e) {
+  const r = await navigator.credentials.create(createRequestFromJSON(e));
+  return createResponseToJSON(r);
+}
+var getRequestFromJSON = function(e) {
+  return convert(base64urlToBuffer, u, e);
+};
+var getResponseToJSON = function(e) {
+  return convert(bufferToBase64url, s, e);
+};
+async function get(e) {
+  const r = await navigator.credentials.get(getRequestFromJSON(e));
+  return getResponseToJSON(r);
+}
+var supported = function() {
+  return !!(navigator.credentials && navigator.credentials.create && navigator.credentials.get && window.PublicKeyCredential);
+};
+var e = "copy";
+var r = "convert";
+var t = { type: required(e), id: required(r), transports: optional(e) };
+var n = { appid: optional(e), appidExclude: optional(e), credProps: optional(e) };
+var i = { appid: optional(e), appidExclude: optional(e), credProps: optional(e) };
+var o = { publicKey: required({ rp: required(e), user: required({ id: required(r), name: required(e), displayName: required(e) }), challenge: required(r), pubKeyCredParams: required(e), timeout: optional(e), excludeCredentials: optional([t]), authenticatorSelection: optional(e), attestation: optional(e), extensions: optional(n) }), signal: optional(e) };
+var a = { type: required(e), id: required(e), rawId: required(r), authenticatorAttachment: optional(e), response: required({ clientDataJSON: required(r), attestationObject: required(r), transports: derived(e, (e2) => {
+  var r2;
+  return ((r2 = e2.getTransports) == null ? undefined : r2.call(e2)) || [];
+}) }), clientExtensionResults: derived(i, (e2) => e2.getClientExtensionResults()) };
+var u = { mediation: optional(e), publicKey: required({ challenge: required(r), timeout: optional(e), rpId: optional(e), allowCredentials: optional([t]), userVerification: optional(e), extensions: optional(n) }), signal: optional(e) };
+var s = { type: required(e), id: required(e), rawId: required(r), authenticatorAttachment: optional(e), response: required({ clientDataJSON: required(r), authenticatorData: required(r), signature: required(r), userHandle: required(r) }), clientExtensionResults: derived(i, (e2) => e2.getClientExtensionResults()) };
+var c = { credentialCreationOptions: o, publicKeyCredentialWithAttestation: a, credentialRequestOptions: u, publicKeyCredentialWithAssertion: s };
+
+// app/assets/javascripts/@rails--request.js
+var getCookie = function(t2) {
+  const e2 = document.cookie ? document.cookie.split("; ") : [];
+  const n2 = `${encodeURIComponent(t2)}=`;
+  const s2 = e2.find((t3) => t3.startsWith(n2));
+  if (s2) {
+    const t3 = s2.split("=").slice(1).join("=");
+    if (t3)
+      return decodeURIComponent(t3);
+  }
+};
+var compact = function(t2) {
+  const e2 = {};
+  for (const n2 in t2) {
+    const s2 = t2[n2];
+    s2 !== undefined && (e2[n2] = s2);
+  }
+  return e2;
+};
+var metaContent = function(t2) {
+  const e2 = document.head.querySelector(`meta[name="${t2}"]`);
+  return e2 && e2.content;
+};
+var stringEntriesFromFormData = function(t2) {
+  return [...t2].reduce((t3, [e2, n2]) => t3.concat(typeof n2 === "string" ? [[e2, n2]] : []), []);
+};
+var mergeEntries = function(t2, e2) {
+  for (const [n2, s2] of e2)
+    if (!(s2 instanceof window.File))
+      if (t2.has(n2) && !n2.includes("[]")) {
+        t2.delete(n2);
+        t2.set(n2, s2);
+      } else
+        t2.append(n2, s2);
+};
+async function post(t2, e2) {
+  const n2 = new FetchRequest("post", t2, e2);
+  return n2.perform();
+}
+class FetchResponse {
+  constructor(t2) {
+    this.response = t2;
+  }
+  get statusCode() {
+    return this.response.status;
+  }
+  get redirected() {
+    return this.response.redirected;
+  }
+  get ok() {
+    return this.response.ok;
+  }
+  get unauthenticated() {
+    return this.statusCode === 401;
+  }
+  get unprocessableEntity() {
+    return this.statusCode === 422;
+  }
+  get authenticationURL() {
+    return this.response.headers.get("WWW-Authenticate");
+  }
+  get contentType() {
+    const t2 = this.response.headers.get("Content-Type") || "";
+    return t2.replace(/;.*$/, "");
+  }
+  get headers() {
+    return this.response.headers;
+  }
+  get html() {
+    return this.contentType.match(/^(application|text)\/(html|xhtml\+xml)$/) ? this.text : Promise.reject(new Error(`Expected an HTML response but got "${this.contentType}" instead`));
+  }
+  get json() {
+    return this.contentType.match(/^application\/.*json$/) ? this.responseJson || (this.responseJson = this.response.json()) : Promise.reject(new Error(`Expected a JSON response but got "${this.contentType}" instead`));
+  }
+  get text() {
+    return this.responseText || (this.responseText = this.response.text());
+  }
+  get isTurboStream() {
+    return this.contentType.match(/^text\/vnd\.turbo-stream\.html/);
+  }
+  get isScript() {
+    return this.contentType.match(/\b(?:java|ecma)script\b/);
+  }
+  async renderTurboStream() {
+    if (!this.isTurboStream)
+      return Promise.reject(new Error(`Expected a Turbo Stream response but got "${this.contentType}" instead`));
+    window.Turbo ? await window.Turbo.renderStreamMessage(await this.text) : console.warn("You must set `window.Turbo = Turbo` to automatically process Turbo Stream events with request.js");
+  }
+  async activeScript() {
+    if (!this.isScript)
+      return Promise.reject(new Error(`Expected a Script response but got "${this.contentType}" instead`));
+    {
+      const t2 = document.createElement("script");
+      const e2 = document.querySelector("meta[name=csp-nonce]");
+      const n2 = e2 && e2.content;
+      n2 && t2.setAttribute("nonce", n2);
+      t2.innerHTML = await this.text;
+      document.body.appendChild(t2);
+    }
+  }
+}
+
+class RequestInterceptor {
+  static register(t2) {
+    this.interceptor = t2;
+  }
+  static get() {
+    return this.interceptor;
+  }
+  static reset() {
+    this.interceptor = undefined;
+  }
+}
+
+class FetchRequest {
+  constructor(t2, e2, n2 = {}) {
+    this.method = t2;
+    this.options = n2;
+    this.originalUrl = e2.toString();
+  }
+  async perform() {
+    try {
+      const t3 = RequestInterceptor.get();
+      t3 && await t3(this);
+    } catch (t3) {
+      console.error(t3);
+    }
+    const t2 = this.responseKind === "turbo-stream" && window.Turbo ? window.Turbo.fetch : window.fetch;
+    const e2 = new FetchResponse(await t2(this.url, this.fetchOptions));
+    if (e2.unauthenticated && e2.authenticationURL)
+      return Promise.reject(window.location.href = e2.authenticationURL);
+    e2.isScript && await e2.activeScript();
+    const n2 = e2.ok || e2.unprocessableEntity;
+    n2 && e2.isTurboStream && await e2.renderTurboStream();
+    return e2;
+  }
+  addHeader(t2, e2) {
+    const n2 = this.additionalHeaders;
+    n2[t2] = e2;
+    this.options.headers = n2;
+  }
+  sameHostname() {
+    if (!this.originalUrl.startsWith("http:"))
+      return true;
+    try {
+      return new URL(this.originalUrl).hostname === window.location.hostname;
+    } catch (t2) {
+      return true;
+    }
+  }
+  get fetchOptions() {
+    return { method: this.method.toUpperCase(), headers: this.headers, body: this.formattedBody, signal: this.signal, credentials: this.credentials, redirect: this.redirect };
+  }
+  get headers() {
+    const t2 = { "X-Requested-With": "XMLHttpRequest", "Content-Type": this.contentType, Accept: this.accept };
+    this.sameHostname() && (t2["X-CSRF-Token"] = this.csrfToken);
+    return compact(Object.assign(t2, this.additionalHeaders));
+  }
+  get csrfToken() {
+    return getCookie(metaContent("csrf-param")) || metaContent("csrf-token");
+  }
+  get contentType() {
+    return this.options.contentType ? this.options.contentType : this.body == null || this.body instanceof window.FormData ? undefined : this.body instanceof window.File ? this.body.type : "application/json";
+  }
+  get accept() {
+    switch (this.responseKind) {
+      case "html":
+        return "text/html, application/xhtml+xml";
+      case "turbo-stream":
+        return "text/vnd.turbo-stream.html, text/html, application/xhtml+xml";
+      case "json":
+        return "application/json, application/vnd.api+json";
+      case "script":
+        return "text/javascript, application/javascript";
+      default:
+        return "*/*";
+    }
+  }
+  get body() {
+    return this.options.body;
+  }
+  get query() {
+    const t2 = (this.originalUrl.split("?")[1] || "").split("#")[0];
+    const e2 = new URLSearchParams(t2);
+    let n2 = this.options.query;
+    n2 = n2 instanceof window.FormData ? stringEntriesFromFormData(n2) : n2 instanceof window.URLSearchParams ? n2.entries() : Object.entries(n2 || {});
+    mergeEntries(e2, n2);
+    const s2 = e2.toString();
+    return s2.length > 0 ? `?${s2}` : "";
+  }
+  get url() {
+    return this.originalUrl.split("?")[0].split("#")[0] + this.query;
+  }
+  get responseKind() {
+    return this.options.responseKind || "html";
+  }
+  get signal() {
+    return this.options.signal;
+  }
+  get redirect() {
+    return this.options.redirect || "follow";
+  }
+  get credentials() {
+    return this.options.credentials || "same-origin";
+  }
+  get additionalHeaders() {
+    return this.options.headers || {};
+  }
+  get formattedBody() {
+    const t2 = Object.prototype.toString.call(this.body) === "[object String]";
+    const e2 = this.headers["Content-Type"] === "application/json";
+    return e2 && !t2 ? JSON.stringify(this.body) : this.body;
+  }
+}
+
+// app/assets/javascripts/components/web_authn.js
+class WebAuthn extends HTMLElement {
+  static observedAttributes = ["action", "callback", "options"];
+  constructor() {
+    super();
+  }
+  connectedCallback() {
+    this.progressBar = Turbo.navigator.delegate.adapter.progressBar;
+    this.style.display = "none";
+    this.setAttribute("id", "webauthn");
+    this.setAttribute("data-turbo-temporary", 1);
+    this.run();
+  }
+  run() {
+    exports__github_webauthn_json[this.action](this.options).then(async (credential) => {
+      this.showProgress();
+      const { response, redirected } = await post(this.callback, {
+        responseKind: "turbo-stream",
+        body: JSON.stringify(Object.assign(credential, { webauthn_message: this.message }))
+      });
+      this.hideProgress();
+      if (response.ok && redirected) {
+        const responseHTML = await response.text();
+        const options = {
+          action: "advance",
+          shouldCacheSnapshot: false,
+          response: { statusCode: response.status, responseHTML, redirected }
+        };
+        Turbo.navigator.proposeVisit(new URL(response.url), options);
+      }
+    }).catch((error) => {
+      this.onError(error);
+    });
+  }
+  showProgress() {
+    this.progressBar.setValue(0);
+    this.progressBar.show();
+  }
+  hideProgress() {
+    this.progressBar.setValue(1);
+    this.progressBar.hide();
+  }
+  onError(error) {
+    let event;
+    if (error.code === 0 && error.name === "NotAllowedError") {
+      event = new CustomEvent("web-authn-error", { bubbles: true, detail: "That didn't work. Either it was cancelled or took too long. Please try again." });
+    } else if (error.code === 11 && error.name === "InvalidStateError") {
+      event = new CustomEvent("web-authn-error", { bubbles: true, detail: "We couldn't add that security key. Looks like you may have already registered it." });
+    } else {
+      event = new CustomEvent("web-authn-error", { bubbles: true, detail: error.message });
+    }
+    this.dispatchEvent(event);
+  }
+  get action() {
+    return this.getAttribute("action");
+  }
+  get callback() {
+    return this.getAttribute("callback");
+  }
+  get options() {
+    return JSON.parse(this.getAttribute("options"));
+  }
+  get message() {
+    return this.getAttribute("message");
+  }
+}
+
+// app/assets/javascripts/components/has_secure_passkey.js
+customElements.define("web-authn", WebAuthn);

data/app/assets/stylesheets/has_secure_passkey/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/has_secure_passkey/application_controller.rb

@@ -0,0 +1,4 @@
+module HasSecurePasskey
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/has_secure_passkey/challenges_controller.rb

@@ -0,0 +1,6 @@
+module HasSecurePasskey
+  class ChallengesController < ApplicationController
+    def create
+    end
+  end
+end

data/app/helpers/has_secure_passkey/application_helper.rb

@@ -0,0 +1,32 @@
+module HasSecurePasskey
+  module ApplicationHelper
+    def prompt_for_new_passkey(callback:, current_authenticatable: nil, **options)
+      options_for_create =
+        if current_authenticatable.present?
+          HasSecurePasskey::OptionsForCreate.new(authenticatable: current_authenticatable)
+        else
+          HasSecurePasskey::OptionsForCreate.
+            from_message(params[:webauthn_message])
+        end
+
+      tag.web_authn(nil, action: :create, callback:,
+        options: options_for_create.to_json,
+        message: options_for_create.message, **options)
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      false
+    end
+
+    def login_with_passkey(callback:, **options)
+      options_for_get = HasSecurePasskey::OptionsForGet.new
+
+      tag.web_authn(nil, action: :get, callback:,
+        options: options_for_get.to_json,
+        message: options_for_get.message,
+        **options)
+    end
+
+    def button_to_passkey_login(text, path, **options)
+      button_to text, has_secure_passkey.challenges_path(path), **options
+    end
+  end
+end

data/app/mailers/has_secure_passkey/application_mailer.rb

@@ -0,0 +1,6 @@
+module HasSecurePasskey
+  class ApplicationMailer < ActionMailer::Base
+    default from: "from@example.com"
+    layout "mailer"
+  end
+end

data/app/models/has_secure_passkey/application_record.rb

@@ -0,0 +1,5 @@
+module HasSecurePasskey
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/views/has_secure_passkey/challenges/create.turbo_stream.erb

@@ -0,0 +1,5 @@
+<%= turbo_stream.remove_all "web-authn" %>
+
+<%= turbo_stream.append_all "body" do %>
+  <%= login_with_passkey(callback: params[:session_path]) %>
+<% end %>