passkey_auth 0.1.0

data/app/controllers/passkey_auth/webauthn/authentications/challenges_controller.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module PasskeyAuth
+  module Webauthn
+    module Authentications
+      class ChallengesController < PasskeyAuth::ApplicationController
+        # Expects Rails Authentication concern to provide:
+        # - allow_unauthenticated_access
+
+        allow_unauthenticated_access
+
+        before_action :load_user
+
+        def create
+          if @user
+            # Prepare the needed data for a challenge
+            options = ::WebAuthn::Credential.options_for_get(allow: @user.webauthn_credentials.pluck(:external_id))
+          else
+            # For conditional UI, we create options for authentication without knowing the user ahead of time
+            # This allows the browser to prompt with available passkeys
+            options = ::WebAuthn::Credential.options_for_get(user_verification: "required")
+          end
+
+          # Generate the challenge and save it into the session
+          session[:webauthn_authentication_challenge] = options.challenge
+
+          respond_to do |format|
+            format.json { render json: options }
+          end
+        end
+
+        private
+
+        def load_user
+          @user = PasskeyAuth.user_class.find_by(id: session[:webauthn_authentication_user_id])
+        end
+      end
+    end
+  end
+end

data/app/controllers/passkey_auth/webauthn/authentications_controller.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module PasskeyAuth
+  module Webauthn
+    class AuthenticationsController < PasskeyAuth::ApplicationController
+      # Expects Rails Authentication concern to provide:
+      # - allow_unauthenticated_access
+      # - start_new_session_for(user)
+      # - after_authentication_url
+
+      allow_unauthenticated_access only: :create
+
+      def index
+      end
+
+      def create
+        result = authenticate_webauthn
+
+        if result[:success]
+          session.delete(:webauthn_authentication_user_id)
+
+          respond_to do |format|
+            format.json { render json: result }
+            format.html { redirect_to result[:redirect_url], status: :see_other }
+          end
+        else
+          render json: result, status: :unprocessable_content
+        end
+      end
+
+      private
+
+      def authenticate_webauthn
+        webauthn_credential = ::WebAuthn::Credential.from_get(params[:credential])
+
+        # Verify the credential using the conditional challenge
+        challenge = session[:webauthn_authentication_challenge]
+        unless challenge
+          return { error: I18n.t("passkey_auth.webauthn.session_expired") }
+        end
+
+        user = PasskeyAuth.user_class.authenticate_with_webauthn(webauthn_credential, challenge)
+        start_new_session_for user
+
+        # Return success with redirect URL
+        { success: true, redirect_url: after_authentication_url }
+      rescue ::WebAuthn::Error => e
+        Rails.logger.error "WebAuthn verification failed: #{e.message}"
+        { error: I18n.t("passkey_auth.webauthn.authentication_failed") }
+      rescue PasskeyAuth::Concerns::Passwordless::AuthenticationError => e
+        Rails.logger.error "Webauthn Authentication failed: #{e.message}"
+        { error: I18n.t("passkey_auth.webauthn.passkey_not_registered") }
+      rescue => e
+        Rails.logger.error "Unexpected error during conditional authentication: #{e.message}"
+        Rails.logger.error e.backtrace.join("\n")
+        { error: I18n.t("passkey_auth.webauthn.unexpected_error") }
+      ensure
+        session.delete(:webauthn_authentication_challenge)
+      end
+    end
+  end
+end

data/app/controllers/passkey_auth/webauthn/credentials/challenges_controller.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module PasskeyAuth
+  module Webauthn
+    module Credentials
+      class ChallengesController < PasskeyAuth::ApplicationController
+        # Expects Rails Authentication concern to provide:
+        # - allow_unauthenticated_access
+        # - current_user (may be nil if unauthenticated)
+
+        allow_unauthenticated_access
+
+        def create
+          user = current_user || find_user_by_session_id
+
+          # Generate WebAuthn ID if the user does not have any yet
+          user.update(webauthn_id: ::WebAuthn.generate_user_id) unless user.webauthn_id
+
+          user_email = PasskeyAuth.user_email(user)
+          webauthn_name = params[:name].presence || user.try(:name) || user_email
+
+          # Prepare the needed data for a challenge
+          create_options = ::WebAuthn::Credential.options_for_create(
+            user: {
+              id: user.webauthn_id,
+              display_name: webauthn_name,
+              name: user_email # unique name for auth
+            },
+            exclude: user.webauthn_credentials.pluck(:external_id),
+            authenticator_selection: {
+              authenticator_attachment: "platform",
+              user_verification: "preferred",
+              resident_key: "required"
+            }
+          )
+
+          # Generate the challenge and save it into the session
+          session[:webauthn_registration_challenge] = create_options.challenge
+
+          respond_to do |format|
+            format.json { render json: create_options }
+          end
+        end
+
+        private
+
+        def find_user_by_session_id
+          PasskeyAuth.user_class.find(session[:webauthn_credential_user_id])
+        end
+      end
+    end
+  end
+end

data/app/controllers/passkey_auth/webauthn/credentials_controller.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module PasskeyAuth
+  module Webauthn
+    class CredentialsController < PasskeyAuth::ApplicationController
+      # Expects Rails Authentication concern to provide:
+      # - current_user
+
+      def index
+        @credentials = current_user.webauthn_credentials.order(created_at: :desc)
+      end
+
+      def create
+        webauthn_credential = ::WebAuthn::Credential.from_create(params[:credential])
+
+        # Verify the credential
+        challenge = session[:webauthn_registration_challenge]
+        unless challenge
+          return render json: { error: I18n.t("passkey_auth.webauthn.session_expired") }, status: :unprocessable_content
+        end
+
+        begin
+          webauthn_credential.verify(challenge)
+
+          # Ensure user has a webauthn_id
+          unless current_user.webauthn_id
+            current_user.update!(webauthn_id: ::WebAuthn.generate_user_id)
+          end
+
+          # Store the credential
+          credential = current_user.webauthn_credentials.create!(
+            external_id: webauthn_credential.id,
+            nickname: params[:nickname] || "Passkey",
+            public_key: webauthn_credential.public_key,
+            sign_count: webauthn_credential.sign_count
+          )
+
+          # Call hook if configured
+          PasskeyAuth.on_passkey_created&.call(current_user, credential)
+
+          render json: { success: true }
+        rescue ::WebAuthn::Error => e
+          Rails.logger.error "WebAuthn verification failed: #{e.message}"
+          render json: { error: I18n.t("passkey_auth.webauthn.verification_failed") }, status: :unprocessable_content
+        ensure
+          session.delete(:webauthn_registration_challenge)
+        end
+      end
+
+      def destroy
+        credential = current_user.webauthn_credentials.find(params[:id])
+        credential.destroy
+
+        redirect_to webauthn_credentials_path, notice: I18n.t("passkey_auth.webauthn.credential_deleted")
+      end
+    end
+  end
+end

data/app/javascript/passkey_auth/controllers/index.js

@@ -0,0 +1,4 @@
+// Export all PasskeyAuth Stimulus controllers
+export { default as PasskeyAuthenticationController } from "./passkey_authentication_controller";
+export { default as WebauthnRegisterController } from "./webauthn_register_controller";
+export { default as WebauthnAuthController } from "./webauthn_auth_controller";

data/app/javascript/passkey_auth/controllers/passkey_authentication_controller.js

@@ -0,0 +1,156 @@
+import { Controller } from "@hotwired/stimulus";
+import * as WebAuthnJSON from "@github/webauthn-json";
+import { post } from "@rails/request.js";
+
+export default class extends Controller {
+  static targets = ["signinButton"];
+  static values = {
+    challengePath: String,
+    authenticationPath: String
+  };
+
+  connect() {
+    if (!("PublicKeyCredential" in window)) {
+      this.hidePasskeyButton();
+      console.error("Passkeys not supported in this browser");
+      return;
+    }
+
+    // Prefetch challenge early to preserve user gesture later
+    this.challengePromise = this.fetchChallenge();
+
+    this.abortController = null;
+    this.busy = false;
+  }
+
+  disconnect() {
+    // Ensure we cancel any pending ceremony when navigating away
+    this.abortActiveCeremony();
+  }
+
+  async fetchChallenge() {
+    try {
+      const resp = await post(this.challengePathValue);
+      if (!resp.ok) throw new Error("Challenge endpoint failed");
+      return await resp.json;
+    } catch (e) {
+      console.error("Failed to fetch challenge:", e);
+      return null; // degrade gracefully; button can fallback or show error
+    }
+  }
+
+  hidePasskeyButton() {
+    this.element.style.display = "none";
+  }
+
+  enableButton() {
+    if (this.hasSigninButtonTarget) {
+      this.signinButtonTarget.disabled = false;
+    }
+  }
+
+  disableButton() {
+    if (this.hasSigninButtonTarget) {
+      this.signinButtonTarget.disabled = true;
+    }
+  }
+
+  async signIn(event) {
+    event.preventDefault();
+    await this.initiateSignIn("required");
+  }
+
+  abortActiveCeremony() {
+    if (this.abortController) {
+      try { this.abortController.abort(); } catch {}
+      this.abortController = null;
+    }
+    this.busy = false;
+    this.enableButton();
+  }
+
+  async initiateSignIn(mediation = "required") {
+    if (!("PublicKeyCredential" in window)) return;
+    if (this.busy) return;
+
+    // If a conditional ceremony might be running, cancel it before starting a required one
+    this.abortActiveCeremony();
+
+    this.busy = true;
+    this.abortController = new AbortController();
+    this.disableButton();
+
+    const { signal } = this.abortController;
+
+    try {
+      // Use the pre-fetched challenge if available; else fetch now
+      const publicKey = (await this.challengePromise) || (await this.fetchChallenge());
+      if (!publicKey) throw new Error("No challenge options available");
+
+      // Only pass 'mediation' if we're actually using conditional
+      const opts = { publicKey, signal };
+      if (mediation === "conditional") opts.mediation = "conditional";
+
+      // IMPORTANT: call immediately (no more awaits before this point)
+      const credential = await WebAuthnJSON.get(opts);
+
+      if (credential) {
+        await this.submitCredentialForVerification(credential);
+      }
+    } catch (error) {
+      console.error("Passkey authentication error:", error);
+      // Common fast-fails you might want to ignore quietly for conditional UI
+      if (error.name === "AbortError") {
+        // expected if we navigated or started another ceremony
+      } else if (error.name === "NotAllowedError" && mediation === "conditional") {
+        // user dismissed sheet; fine to ignore
+      } else if (error.name === "SecurityError") {
+        this.showErrorMessage("Passkey authentication isn't allowed in this context. Try another sign-in method.");
+      } else if (error.name === "InvalidStateError") {
+        this.showErrorMessage("This passkey is in an invalid state. Try another method or re-enroll.");
+      } else {
+        this.showErrorMessage("Passkey sign-in failed. Please try another method.");
+      }
+    } finally {
+      this.busy = false;
+      this.abortController = null;
+      // Refresh the challenge for the *next* attempt to avoid replay issues
+      this.challengePromise = this.fetchChallenge();
+      this.enableButton();
+    }
+  }
+
+  async submitCredentialForVerification(credential) {
+    try {
+      const response = await post(this.authenticationPathValue, { body: { credential } });
+      const result = await response.json;
+
+      if (response.ok && result.success) {
+        window.Turbo.visit(result.redirect_url);
+      } else {
+        this.showErrorMessage(result.error || "Authentication failed");
+
+        // Signal to browser that this credential wasn't recognized
+        if (PublicKeyCredential.signalUnknownCredential) {
+          PublicKeyCredential.signalUnknownCredential({
+            rpId: window.location.hostname,
+            credentialId: credential.id
+          });
+        }
+      }
+    } catch (error) {
+      console.error("Credential verification error:", error);
+      this.showErrorMessage("Please try signing in another way.");
+    }
+  }
+
+  showErrorMessage(message) {
+    let friendly = message;
+    if (message && message.includes("credential not found")) {
+      friendly = "This passkey isn't registered with your account. Sign in another way, then add this passkey in Security settings.";
+    }
+
+    // Display alert - customize this based on your app's alert system
+    alert(friendly);
+  }
+}

data/app/javascript/passkey_auth/controllers/webauthn_auth_controller.js

@@ -0,0 +1,40 @@
+import { Controller } from "@hotwired/stimulus";
+import { authenticate } from "../lib/passkey";
+
+export default class extends Controller {
+  static values = { callbackUrl: String };
+
+  connect() {
+    this.abortController = null;
+  }
+
+  async submit(event) {
+    event.preventDefault();
+
+    // Cancel any in-flight attempt
+    this.abortController?.abort();
+    this.abortController = new AbortController();
+
+    try {
+      const result = await authenticate({
+        authUrl: this.element.action,
+        callbackUrl: this.callbackUrlValue,
+        signal: this.abortController.signal
+      });
+
+      if (result.aborted) {
+        // User canceled the authentication
+        return;
+      }
+
+      // If not redirected, callbackRes likely contained a turbo-stream update already
+    } catch (err) {
+      console.error("Passkey authentication failed:", err);
+      alert("Authentication failed. Please try again.");
+    }
+  }
+
+  disconnect() {
+    this.abortController?.abort();
+  }
+}

data/app/javascript/passkey_auth/controllers/webauthn_register_controller.js

@@ -0,0 +1,70 @@
+import { Controller } from "@hotwired/stimulus";
+import { register } from "../lib/passkey";
+
+export default class extends Controller {
+  static targets = ["nickname"];
+  static values = {
+    callbackUrl: String,
+    challengeUrl: String,
+    nameSourceSelector: String
+  };
+
+  connect() {
+    this.abortController = null;
+  }
+
+  async submit(event) {
+    event.preventDefault();
+
+    this.element.classList.add('opacity-50');
+    const submitButton = this.element.querySelector('[type="submit"]');
+    submitButton?.setAttribute('disabled', 'disabled');
+
+    // Cancel any in-flight attempt
+    this.abortController?.abort();
+    this.abortController = new AbortController();
+
+    const challengeUrl = this.challengeUrlValue || this.element.action;
+    let userName = null;
+
+    if (this.nameSourceSelectorValue) {
+      const nameSource = document.querySelector(this.nameSourceSelectorValue);
+      if (nameSource) {
+        userName = nameSource.value;
+      }
+    }
+
+    try {
+      const response = await register({
+        challengeUrl: challengeUrl,
+        callbackUrl: this.callbackUrlValue,
+        signal: this.abortController.signal,
+        nickname: this.hasNicknameTarget ? this.nicknameTarget.value : null,
+        userName: userName
+      });
+
+      if (response.aborted) {
+        console.warn("Passkey registration request was aborted");
+        return;
+      }
+    } catch (error) {
+      if (error.name == "InvalidStateError") {
+        alert("This security key is already registered to your account");
+      } else if (error.name == "NotSupportedError") {
+        alert("Your browser doesn't support security keys. Please try a modern browser.");
+      } else if (error.message) {
+        alert(`Registration failed: ${error.message}`);
+      }
+      console.error("Passkey error:", error);
+      return;
+    } finally {
+      this.abortController = null;
+      this.element.classList.remove('opacity-50');
+      submitButton?.removeAttribute('disabled');
+    }
+  }
+
+  disconnect() {
+    this.abortController?.abort();
+  }
+}

data/app/javascript/passkey_auth/index.js

@@ -0,0 +1,3 @@
+// Main entry point for PasskeyAuth JavaScript
+export * from "./controllers/index";
+export * as Passkey from "./lib/passkey";

data/app/javascript/passkey_auth/lib/passkey.js

@@ -0,0 +1,103 @@
+import * as WebAuthnJSON from "@github/webauthn-json";
+import { post } from "@rails/request.js";
+
+export async function register({ challengeUrl, callbackUrl, signal, nickname, userName } = {}) {
+  // 1) Ask server for PublicKey options
+  const credentialRes = await post(challengeUrl, {
+    body: { name: userName },
+    contentType: "application/json",
+    responseKind: "json",
+    signal
+  });
+  if (!credentialRes.ok) throw new Error(`Register options HTTP ${credentialRes.status}`);
+
+  const publicKey = await credentialRes.json;
+
+  // 2) Perform WebAuthn assertion (user presence / verification)
+  let credential;
+  try {
+    credential = await WebAuthnJSON.create({ publicKey });
+  } catch (e) {
+    if (e?.name === "NotAllowedError" || e?.name === "AbortError") {
+      // benign: user canceled / dismissed prompt
+      return { aborted: true };
+    }
+    throw e;
+  }
+
+  if (!nickname) {
+    nickname = await generatePasskeyName(credential);
+  }
+
+  // 3) Send credential to server (Turbo Stream capable)
+  const callbackRes = await post(callbackUrl, {
+    body: JSON.stringify({ nickname, credential }),
+    contentType: "application/json",
+    responseKind: "turbo-stream",
+    signal
+  });
+
+  return { aborted: false, response: callbackRes };
+}
+
+export async function authenticate({ authUrl, callbackUrl, signal } = {}) {
+  // 1) Ask server for PublicKey options
+  const authRes = await post(authUrl, {
+    contentType: "application/json",
+    responseKind: "json",
+    signal
+  });
+  if (!authRes.ok) throw new Error(`Auth options HTTP ${authRes.status}`);
+
+  const publicKey = await authRes.json;
+
+  // 2) Perform WebAuthn assertion (user presence / verification)
+  let credential;
+  try {
+    credential = await WebAuthnJSON.get({ publicKey });
+  } catch (e) {
+    if (e?.name === "NotAllowedError" || e?.name === "AbortError") {
+      // benign: user canceled / dismissed prompt
+      return { aborted: true };
+    }
+    throw e;
+  }
+
+  // 3) Send credential to server (Turbo Stream capable)
+  const callbackRes = await post(callbackUrl, {
+    body: JSON.stringify({ credential }),
+    contentType: "application/json",
+    responseKind: "turbo-stream",
+    signal
+  });
+
+  if (callbackRes.redirected) {
+    window.Turbo.visit(callbackRes.response.url);
+  }
+
+  return { aborted: false, response: callbackRes };
+}
+
+async function generatePasskeyName(credential) {
+  const attachment = credential.authenticatorAttachment; // 'platform' or 'cross-platform'
+  const ua = navigator.userAgent.toLowerCase();
+  let name = '';
+
+  if (attachment === 'platform') {
+    if (ua.includes('windows')) {
+      name = 'Windows Hello';
+    } else if (ua.includes('macintosh') || ua.includes('mac os x')) {
+      name = 'Mac Touch ID';
+    } else if (ua.includes('iphone') || ua.includes('ipad')) {
+      name = ua.includes('iphone') ? 'iPhone Touch ID' : 'iPad Touch ID';
+    } else if (ua.includes('android')) {
+      name = 'Android Biometric';
+    } else {
+      name = 'Platform Authenticator';
+    }
+  } else {
+    name = 'External Security Key'; // e.g., YubiKey or 1Password
+  }
+
+  return name;
+}

data/app/mailers/passkey_auth/application_mailer.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module PasskeyAuth
+  class ApplicationMailer < ActionMailer::Base
+    default from: "noreply@example.com"
+    layout "mailer"
+  end
+end

data/app/mailers/passkey_auth/magic_link_mailer.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module PasskeyAuth
+  class MagicLinkMailer < ApplicationMailer
+    def login_link(magic_link)
+      @magic_link = magic_link
+      @user = magic_link.user
+      @url = verify_magic_link_url(token: magic_link.token)
+      @expires_in = ((magic_link.expires_at - Time.current) / 60).round
+      @short_code = MagicLink::ShortCode.format(@magic_link.short_code)
+
+      subject = I18n.t("passkey_auth.magic_link_mailer.login_link.subject", code: @short_code)
+
+      mail(to: PasskeyAuth.user_email(@user), subject: subject)
+    end
+  end
+end

data/app/models/passkey_auth/magic_link/short_code.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module PasskeyAuth
+  class MagicLink
+    class ShortCode
+      # Based on the Crockford alphabet: https://www.crockford.com/base32.html
+      ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ".freeze
+      CHARS    = ALPHABET.chars.freeze
+      BASE     = CHARS.size
+      DEFAULT_LENGTH = 8
+
+      def self.generate(length = DEFAULT_LENGTH)
+        Array.new(length) { CHARS[SecureRandom.random_number(BASE)] }.join
+      end
+
+      # Format code for display (e.g., "1234-5678")
+      def self.format(code)
+        return nil if code.blank?
+
+        sprintf("%s%s%s%s-%s%s%s%s", *code.chars)
+      end
+
+      # Clean user input by removing any formatting and uppercase
+      def self.clean(code)
+        code.to_s.upcase.gsub(/[^A-Z0-9]/, "")
+      end
+    end
+  end
+end