passkeys-rails 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: afbb635c3ddfd36d60bccbf936e2a67e091a6bb15822683c9c1db050cdd49909
-  data.tar.gz: c9ef1cf6d9e9f5a760037efb831b856dbf706c0860fbf945eadd616c37cb297d
+  metadata.gz: a137b9b4f2ab7aac24fef0747ff112588215d496034f0542983df3790bc32de7
+  data.tar.gz: 412185131a984a883a11af7fae1bbbb69806819a978871a08e0929921c766fe4
 SHA512:
-  metadata.gz: 92e7f2a72715c7c4b313d57f7dc1c928cf334375fcdd28fc104f86721562b45484220234e8e5924106fce344e94d95f9cb7e29d0d6879e4ac73451e7a1a17915
-  data.tar.gz: 686d6a95cec8274eaadd3fa1555a89f0e1554bc248c1f30eca1ac253933a158e8d12e08bcd74e53b42cbe33a9e0a1630ed14d1ce3a7205a2fe289366d3cbe2c3
+  metadata.gz: bdf2974d31cb561bbeabaf599a29d99bb9cda2e4050cff913cbe5104a747c4eba2eb11a53936fcef013861ede39051208a2edbc3062a6b25a34476678388eba9
+  data.tar.gz: 149c795d0b56a7569170160426b466ff42abc75bcb2f46fc5adae3b35ad3eb9d6d465ce05f0834cbbfaf3bc30944d809b776c1112913c0e490175c316784e859

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+### 0.3.1
+
+* Fixed a bug in reading session/cookie variables
+* Added webauthn configuration parameters to this gem's configuration
+* Moved configuration to its own class
+* Added more info to the README
+
 ### 0.3.0
 
 * Added debug_register endpoint.

data/README.md

@@ -1,42 +1,60 @@
+# PasskeysRails - easy to integrate back end for implementing mobile passkeys
+
 [![Gem Version](https://badge.fury.io/rb/passkeys-rails.svg?cachebust=0.2.1)](https://badge.fury.io/rb/passkeys-rails)
 [![Build Status](https://app.travis-ci.com/alliedcode/passkeys-rails.svg?branch=main)](https://travis-ci.org/alliedcode/passkeys-rails)
 [![codecov](https://codecov.io/gh/alliedcode/passkeys-rails/branch/main/graph/badge.svg?token=UHSNJDUL21)](https://codecov.io/gh/alliedcode/passkeys-rails)
 
-# PasskeysRails
+<p align="center" >
+Created by <b>Troy Anderson, Allied Code</b> - <a href="https://alliedcode.com">alliedcode.com</a>
+</p>
 
-Devise is awesome, but we don't need all that UI/UX for PassKeys, especially for an API back end.
+PasskeysRails is a gem you can add to a Rails app to enable passskey registration and authorization from mobile front ends.  PasskeysRails leverages webauthn for the cryptographic work, and presents a simple API interface for passkey registration, authentication, and testing.
 
 The purpose of this gem is to make it easy to provide a rails back end API that supports PassKey authentication.  It uses the [`webauthn`](https://github.com/w3c/webauthn) gem to do the cryptographic work and presents a simple API interface for passkey registration and authentication.
 
 The target use case for this gem is a mobile application that uses a rails based API service to manage resources.  The goal is to make it simple to register and authenticate users using passkeys from mobile applications in a rails API service.
 
+What about [devise](https://github.com/heartcombo/devise)?  Devise is awesome, but we don't need all that UI/UX for PassKeys, especially for an API back end.
+
+## Documentation
+* [Usage](#usage)
+* [Installation](#installation)
+* [Rails Integration - Standard](#rails-Integration-standard)
+* [Rails Integration - Grape](#rails-Integration-grape)
+* [Notifications](#notifications)
+* [Failure Codes](#failure-codes)
+* [Testing](#testing)
+* [Mobile App Integration](#mobile-application-integration)
+* [Reference/Example Mobile Applications](#referenceexample-mobile-applications)
 
 ## Usage
 
-**PasskeysRails** maintains an `Agent` model and related `Passkeys`.  If you have a user model, add `include PasskeysRails::Authenticatable` to your model and include the name of that class (e.g. `"User"`) in the `authenticatable_class` param when calling the register API or set the `PasskeysRails.default_class` to the name of that class.
+**PasskeysRails** maintains a `PasskeysRails::Agent` model and related `PasskeysRails::Passkeys`.  In rails apps that maintain their own "user" model, add `include PasskeysRails::Authenticatable` to that model and include the name of that class (e.g. `"User"`) in the `authenticatable_class` param when calling the register API or set the `PasskeysRails.default_class` to the name of that class.
+
+In mobile apps, leverage the platform specific Passkeys APIs for ***registration*** and ***authentication***, and call the **PasskeysRails** API endpoints to complete the ceremony.  **PasskeysRails** provides endpoints to support ***registration***, ***authentication***, ***token refresh***, and ***debugging***.
 
 ### Optionally providing a **"user"** model during registration
 
-**PasskeysRails** does not require that you supply your own model, but it's often useful to do so.  For example, if you have a User model that you would like to have created at registration, you can supply the model name in the `finishRegistration` API call.
+**PasskeysRails** does not require any application specific models, but it's often useful to have one.  For example, a User model can be created at registration.  **PasskeysRails** provides two mechanisms to support this.  Either provide the name of the model in the `authenticatable_class` param when calling the `finishRegistration` endpoint, or set a `default_class` in `config/initializers/passkeys_rails.rb`.
 
-**PasskeysRails** supports multiple `"user"` models.  Whatever model name you supply will be created during a successful the `finishRegiration` API call. When created, it will be provided an opportunity to do any initialization at that time.
+**PasskeysRails** supports multiple different application specific models.  Whatever model name supplied when calling the `finishRegistration` endpoint will be created during a successful the `finishRegiration` process. When created, it will be provided an opportunity to do any initialization at that time.
 
-There are two **PasskeysRails** configuration options related to this: `default_class` and `class_whitelist` - see below.
+There are two **PasskeysRails** configuration options related to this: `default_class` and `class_whitelist`:
 
 #### `default_class`
 
-Configure `default_class` in `passkeys_rails.rb`.  Its value will be used during registration if none is provided in the API call.  The default value is `"User"`.  Since the `default_class` is just a default, it can be overridden in the `finishRegiration` API call to use a different model.  If no model is to be used by default, set it to nil.
+Configure `default_class` in `config/initializers/passkeys_rails.rb`.  Its value will be used during registration if none is provided in the API call.  The default value is `"User"`.  Since the `default_class` is just a default, it can be overridden in the `finishRegiration` API call to use a different model.  If no model is to be used by default, set it to nil.
 
 #### `class_whitelist`
 
-Configure `class_whitelist` in `passkeys_rails.rb`.  The default value is `nil`.  When `nil`, no whitelist will be applied. If it is non-nil, it should be an array of class names that are allowed during registration.  Supply an empty array to prevent **PasskeysRails** from attempting to create anything other than its own `PasskeysRails::Agent` during registration.
+Configure `class_whitelist` in `config/initializers/passkeys_rails.rb`.  The default value is `nil`.  When `nil`, no whitelist will be applied. If it is non-nil, it should be an array of class names that are allowed during registration.  Supply an empty array to prevent **PasskeysRails** from attempting to create anything other than its own `PasskeysRails::Agent` during registration.
 
 ## Installation
 
 Add this line to your application's Gemfile:
 
 ```ruby
-gem "passkeys_rails"
+gem "passkeys-rails"
 ```
 
 And then execute:
@@ -58,29 +76,32 @@ $ rails generate passkeys_rails:install
 
 This will add the `config/initializers/passkeys_rails.rb` configuration file, passkeys routes, and a couple of database migrations to your project.
 
-### Adding to an standard rails project
 
-1. Add `before_action :authenticate_passkey!`
+<a id="rails-Integration-standard"></a>
+## Rails Integration <p><small>Adding to a standard rails project</small></p>
 
- To prevent access to controller actions, add `before_action :authenticate_passkey!`.  If an action is attempted without an authenticated entity, an error will be rendered in JSON with an :unauthorized result code.
+- ### Add `before_action :authenticate_passkey!`
 
-1. Use `current_agent` and `current_agent.authenticatable`
+To prevent access to controller actions, add `before_action :authenticate_passkey!`.  If an action is attempted without an authenticated entity, an error will be rendered in JSON with an :unauthorized result code.
 
- To access the currently authenticated entity, use `current_agent`.  If you associated the registration of the agent with one of your own models, use `current_agent.authenticatable`.  For example, if you associated the `User` class with the registration, `current_agent.authenticatable` will be a User object.
+- ### Use `current_agent` and `current_agent.authenticatable`
 
-1. Add `include PasskeysRails::Authenticatable` to model class(es)
+To access the currently authenticated entity, use `current_agent`.  If you associated the registration of the agent with one of your own models, use `current_agent.authenticatable`.  For example, if you associated the `User` class with the registration, `current_agent.authenticatable` will be a User object.
+
+- ### Add `include PasskeysRails::Authenticatable` to model class(es)
 
  If you have one or more classes that you want to use with authentication - e.g. a User class and an AdminUser class - add `include PasskeysRails::Authenticatable` to each of those classes.  That adds a `registered?` method that you can call on your model to determine if they are registerd with your service, and a `registering_with(params)` method that you can override to initialize attributes of your model when it is created during registration. `params` is a hash with params passed to the API when registering.  When called, your object has been built, but not yet saved.  Upon return, **PasskeysRails** will attempt to save your object before finishing registration.  If it is not valid, the registration will fail as well, returning the error error details to the caller.
 
-### Adding to a Grape API rails project
+<a id="rails-Integration-grape"></a>
+## Rails Integration - <p><small>Adding to a Grape API rails project</small></p>
 
-1. Call `PasskeysRails.authenticate(request)` to authenticate the request.
+- ### Call `PasskeysRails.authenticate(request)` to authenticate the request.
 
  Call `PasskeysRails.authenticate(request)` to get an object back that responds to `.success?` and `.failure?` as well as `.agent`, `.code`, and `.message`.
 
  Alternatively, call `PasskeysRails.authenticate!(request)` from a helper in your base class.  It will raise a `PasskeysRails.Error` exception if the caller isn't authenticated.  You can catch the exception and render an appropriate error.  The exception contains the error code and message.
 
-1. Consider adding the following helpers to your base API class:
+- ### Consider adding the following helpers to your base API class:
 
 ```ruby
   helpers do
@@ -109,15 +130,17 @@ This will add the `config/initializers/passkeys_rails.rb` configuration file, pa
 
  To prevent access to various endpoints, add `before_action :authenticate_passkey!` or call `authenticate_passkey!` from any method that requires authentication.  If an action is attempted without an authenticated entity, an error will be rendered in JSON with an :unauthorized result code.
 
-1. Use `current_agent` and `current_agent.authenticatable`
+- ### Use `current_agent` and `current_agent.authenticatable`
 
  To access the currently authenticated entity, use `current_agent`.  If you associated the registration of the agent with one of your own models, use `current_agent.authenticatable`.  For example, if you associated the `User` class with the registration, `current_agent.authenticatable` will be a User object.
 
-### Notifications
+## Notifications
+
+Certain actions trigger notifications that can be subscribed.  See `subscribe` in `config/initializers/passkeys_rails.rb`.
 
-Certain actions trigger notifications that can be subscribed.  See `subscribe` in `passkeys_rails.rb`.
+These are completely optional.  **PasskeysRails** will manage all the credentials and keys without these being implemented.  They are useful for taking application specific actions like logging based on the authentication related events.
 
-#### Events
+### Events
 
 - `:did_register ` - a new agent has registered
 
@@ -125,7 +148,7 @@ Certain actions trigger notifications that can be subscribed.  See `subscribe` i
 
 - `:did_refresh` - an agent's auth token has been refreshed
 
-A convenient place to set these up in is in `passkeys_rails.rb`
+A convenient place to set these up in is in `config/initializers/passkeys_rails.rb`
 
 ```ruby
 PasskeysRails.config do |c|
@@ -147,10 +170,9 @@ PasskeysRails.subscribe(:did_register) do |event, agent, request|
 end
 ```
 
+## Failure Codes
 
-### Authentication Failure
-
-1. In the event of authentication failure, PasskeysRails returns an error code and message.
+1. In the event of authentication failure, **PasskeysRails** API endpoints render an error code and message.
 
 1. In a standard rails controller, the error code and message are rendered in JSON if `before_action :authenticate_passkey!` fails.
 
@@ -168,12 +190,10 @@ end
 
  In the future, the intention is to have the `.code` value stay consistent even if the `.message` changes.  This also allows you to localize the messages as need using the code.
 
-### Test Helpers
+## Testing
 
 PasskeysRails includes some test helpers for integration tests.  In order to use them, you need to include the module in your test cases/specs.
 
-### Integration tests
-
 Integration test helpers are available by including the `PasskeysRails::IntegrationHelpers` module.
 
 ```ruby
@@ -210,20 +230,38 @@ RSpec.describe 'Posts', type: :request do
 end
 ```
 
-### Mobile Application Integration
+## Mobile Application Integration
+
+### Prerequisites
+
+For iOS, you need to associate your app with your server.  This amounts to setting up a special file on your server that defines the association.  See [setup your apple-app-site-association](#Ensure-`.well-known/apple-app-site-association`-is-in-place)
+
 
-There are n groups of API endpoints that your mobile application may consume.
+### Mobile API Endpoints
+
+There are 3 groups of API endpoints that your mobile application may consume.
 
 1. Unauthenticated (public) endpoints
 1. Authenticated (private) endpoints
 1. Passey endpoints (for supporting authentication)
 
-**Unauthenticated endpoints** can be consumed without and authentication.
+**Unauthenticated endpoints** can be consumed without any authentication.
 
 **Authenticated endpoints** are protected by `authenticate_passkey!` or `PasskeysRails.authenticate!(request)`.  Those methods check for and validate the `X-Auth` header, which must be set to the auth token returned in the `AuthResponse`, described below.
 
 **Passkey endpoints** are supplied by this gem and allow you to register a user, authenticate (login) a user, and refresh the token.  This section describes these endpoints.
 
+This gem supports the Passkey endpoints.
+
+### Endpoints
+
+* [POST /passkeys/challenge](post-passkeys-challenge)
+* [POST /passkeys/register](post-passkeys-register)
+* [POST /passkeys/authenticate](post-passkeys-authenticate)
+* [POST /passkeys/refresh](post-passkeys-refresh)
+* [POST /passkeys/debug_register](post-passkeys-debug-register)
+* [POST /passkeys/debug_login](post-passkeys-debug-login)
+
 All Passkey endpoints accept and respond with JSON.
 
 On **success**, they will respond with a 200 or 201 response code and relevant JSON.
@@ -249,7 +287,7 @@ Some endpoints return an `AuthResponse`, which has this JSON structure:
 }
 ```
 
-#### POST /passkeys/challenge
+### POST /passkeys/challenge
 
 Submit this to begin registration or authentication.
 
@@ -260,7 +298,7 @@ If the username is already in use, or anything else goes wrong, an error with co
 Omit the `username` when authenticating (logging in).
 The JSON response will be the `options_for_get` from webauthn.
 
-#### POST /passkeys/register
+### POST /passkeys/register
 
 After calling the `challenge` endpoint with a `username`, and handling its response, finish registering by calling this endpoint.
 
@@ -291,16 +329,16 @@ On **success**, the response is an `AuthResponse`.
 
 Possible **failure codes** (using the `ErrorResponse` structure) are:
 
-- webauthn_error - something is wrong with the credential
-- error - something else went wrong during credentail validation - see the `message` in the `ErrorResponse`
-- passkey_error - unable to persiste the passkey
-- invalid_authenticatable_class - the supplied authenticatable class can't be created/found (check spelling & capitalization)
-- invalid_class_whitelist - the whitelist in the passkeys_rails.rb configuration is invalid - be sure it's nil or an array
-- invalid_authenticatable_class - the supplied authenticatable class is not allowed - maybe it's not in the whitelist
-- record_invalid - the object of the supplied authenticatable class cannot be saved due to validation errors
-- agent_not_found - the agent referenced in the credential cannot be found in the database
+- `webauthn_error` - something is wrong with the credential
+- `error` - something else went wrong during credentail validation - see the `message` in the `ErrorResponse`
+- `passkey_error` - unable to persist the passkey
+- `invalid_authenticatable_class` - the supplied authenticatable class can't be created/found (check spelling & capitalization)
+- `invalid_class_whitelist` - the whitelist in the passkeys_rails.rb configuration is invalid - be sure it's nil or an array
+- `invalid_authenticatable_class` - the supplied authenticatable class is not allowed - maybe it's not in the whitelist
+- `record_invalid` - the object of the supplied authenticatable class cannot be saved due to validation errors
+- `agent_not_found` - the agent referenced in the credential cannot be found in the database
 
-#### POST /passkeys/authenticate
+### POST /passkeys/authenticate
 
 After calling the `challenge` endpoint without a `username`, and handling its response, finish authenticating by calling this endpoint.
 
@@ -325,12 +363,12 @@ On **success**, the response is an `AuthResponse`.
 
 Possible **failure codes** (using the `ErrorResponse` structure) are:
 
-- webauthn_error - something is wrong with the credential
-- passkey_not_found - the passkey referenced in the credential cannot be found in the database
+- `webauthn_error` - something is wrong with the credential
+- `passkey_not_found` - the passkey referenced in the credential cannot be found in the database
 
-#### POST /passkeys/refresh
+### POST /passkeys/refresh
 
-The token will expire after some time (configurable in passkeys_rails.rb).  Before that happens, refresh it using this API.  Once it's expired, to get a new token, use the /authentication API.
+The token will expire after some time (configurable in `config/initializers/passkeys_rails.rb`).  Before that happens, refresh it using this API.  Once it expires, to get a new token, use the `/authentication` API.
 
 Supply the following JSON structure:
 
@@ -345,28 +383,28 @@ On **success**, the response is an `AuthResponse` with a new, refreshed token.
 
 Possible **failure codes** (using the `ErrorResponse` structure) are:
 
-- invalid_token - the token data is invalid
-- expired_token - the token is expired
-- token_error - some other error ocurred when decoding the token
+- `invalid_token` - the token data is invalid
+- `expired_token` - the token is expired
+- `token_error` - some other error ocurred when decoding the token
 
-#### POST /passkeys/debug_login
+### POST /passkeys/debug_register
 
-As it may not be possible to acess Passkey functionality in mobile simulators, this endpoint may be called to login (authenticate) a username while bypassing the normal challenge/response sequence.
+As it may not be possible to acess Passkey functionality in mobile simulators, this endpoint may be called to register a username while bypassing the normal challenge/response sequence.
 
-This endpoint only responds if DEBUG_LOGIN_REGEX is set in the server environment.  It is very insecure to set this variable in a production environment as it bypasses all Passkey checks.  It is only intended to be used during mobile application development.
+This endpoint only responds if DEBUG_LOGIN_REGEX is set in the server environment.  It is **very insecure to set this variable in a production environment** as it bypasses all Passkey checks.  It is only intended to be used during mobile application development.
 
 To use this endpoint:
 
-1. Manually create one or more PasskeysRails::Agent records in the database.  A unique username is required for each.
-
 1. Set DEBUG_LOGIN_REGEX to a regex that matches any username you want to use during development - for example `^test(-\d+)?$` will match `test`, `test-1`, `test-123`, etc.
 
-1. In the mobile application, call this endpoint in stead of the /passkeys/challenge and /passkeys/authenticate.  The response is identicial to that of /passkeys/authenticate.
+1. In the mobile application, call this endpoint in stead of the /passkeys/challenge and /passkeys/register.  The response is identicial to that of /passkeys/register.
 
-1. Use the response as if it was from /passkeys/authenticate.
+1. Use the response as if it was from /passkeys/register.
 
 If you supply a username that doesn't match the DEBUG_LOGIN_REGEX, the endpoint will respond with an error.
 
+Supply the following JSON structure:
+
 ```JSON
 # POST body
 {
@@ -377,71 +415,62 @@ On **success**, the response is an `AuthResponse`.
 
 Possible **failure codes** (using the `ErrorResponse` structure) are:
 
-- not_allowed - Invalid username (the username doesn't match the regex)
-- agent_not_found - No agent found with that username
-
-## Reference/Example Mobile Applications
-
-**TODO**: Point to the soon-to-be-created reference mobile applications for how to use **passkeys-rails** for passkey authentication.
-
-## Contributing
-
-### Contributing Guidelines
+- `not_allowed` - Invalid username (the username doesn't match the regex)
+- `invalid_authenticatable_class` - the supplied authenticatable class can't be created/found (check spelling & capitalization)
+- `invalid_class_whitelist` - the whitelist in the passkeys_rails.rb configuration is invalid - be sure it's nil or an array
+- `invalid_authenticatable_class` - the supplied authenticatable class is not allowed - maybe it's not in the whitelist
+- `record_invalid` - the object of the supplied authenticatable class cannot be saved due to validation errors
 
-Thank you for considering contributing to PasskeysRails! We welcome your help to improve and enhance this project. Whether it's a bug fix, documentation update, or a new feature, your contributions are valuable to the community.
-
-To ensure a smooth collaboration, please follow the guidelines below when submitting your contributions:
-
-#### Code of Conduct
-
-Please note that this project follows the [Code of Conduct](https://github.com/alliedcode/passkeys-rails/blob/main/CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. If you encounter any behavior that violates the code, please report it to the project maintainers.
-
-#### How to Contribute
-
-1. Fork the repository on GitHub.
+### POST /passkeys/debug_login
 
-2. Create a new branch for your contribution. Use a descriptive name that reflects the purpose of your changes.
-
-3. Make your changes and commit them with clear and concise messages. Remember to follow the project's coding style and guidelines.
+As it may not be possible to acess Passkey functionality in mobile simulators, this endpoint may be called to login (authenticate) a username while bypassing the normal challenge/response sequence.
 
-4. Before submitting a pull request, ensure that your changes pass all existing tests and add relevant tests if applicable.
+This endpoint only responds if DEBUG_LOGIN_REGEX is set in the server environment.  It is **very insecure to set this variable in a production environment** as it bypasses all Passkey checks.  It is only intended to be used during mobile application development.
 
-5. Update the documentation if your changes introduce new features, modify existing behavior, or require user instructions.
+To use this endpoint:
 
-6. Squash your commits into a single logical commit if needed. Keep your commit history clean and focused.
+1. Manually create one or more PasskeysRails::Agent records in the database.  A unique username is required for each.
 
-7. Submit a pull request against the `main` branch of the original repository.
+1. Set DEBUG_LOGIN_REGEX to a regex that matches any username you want to use during development - for example `^test(-\d+)?$` will match `test`, `test-1`, `test-123`, etc.
 
-8. Add a comment at the top of the CHANGELOG.md describing the change.
+1. In the mobile application, call this endpoint in stead of the /passkeys/challenge and /passkeys/authenticate.  The response is identicial to that of /passkeys/authenticate.
 
-#### Pull Request Guidelines
+1. Use the response as if it was from /passkeys/authenticate.
 
-When submitting a pull request, please include the following details:
+If you supply a username that doesn't match the DEBUG_LOGIN_REGEX, the endpoint will respond with an error.
 
-- A clear description of the changes you made and the problem it solves.
+Supply the following JSON structure:
 
-- Any relevant issue numbers that your pull request addresses or fixes.
+```JSON
+# POST body
+{
+  "username": String
+}
+```
+On **success**, the response is an `AuthResponse`.
 
-- The steps to test your changes, so the project maintainers can verify them.
+Possible **failure codes** (using the `ErrorResponse` structure) are:
 
-- Ensure that your pull request title and description are descriptive and informative.
+- `not_allowed` - Invalid username (the username doesn't match the regex)
+- `agent_not_found` - No agent found with that username
 
-#### Code Review Process
+## Reference/Example Mobile Applications
 
-All pull requests will undergo a code review process by the project maintainers. We appreciate your patience during this review process. Constructive feedback may be provided, and further changes might be requested.
+There is a sample iOS app that integrates with **passkeys-rails** based server implementations.  It's a great place to get a quick start on implementing passkyes in your iOS, iPadOS or MacOS apps.
 
-#### Contributor License Agreement
+Check out the [PasskeysRailsDemo](https://github.com/alliedcode/PasskeysRailsDemo) app.
 
-By submitting a pull request, you acknowledge that your contributions will be licensed under the project's [MIT License](https://github.com/alliedcode/passkeys-rails/blob/main/MIT-LICENSE).
+## Contributing
 
-#### Reporting Issues
+### Contribution Guidelines
 
-If you encounter any bugs, problems, or have suggestions for improvement, please create an issue on the GitHub repository. Provide clear and detailed information about the issue to help us address it efficiently.
+Thank you for considering contributing to PasskeysRails! We welcome your help to improve and enhance this project. Whether it's a bug fix, documentation update, or a new feature, your contributions are valuable to the community.
 
-#### Thank You
+To ensure a smooth collaboration, please follow the [Contribution Guidelines](https://github.com/alliedcode/passkeys-rails/blob/main/CONTRIBUTION_GUIDELINES.md) when submitting your contributions.
 
-Your contributions are valuable, and we sincerely appreciate your efforts to improve PasskeysRails. Together, we can build a better software ecosystem for the community. Thank you for your support and happy contributing!
+### Code of Conduct
 
+Please note that this project follows the [Code of Conduct](https://github.com/alliedcode/passkeys-rails/blob/main/CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. If you encounter any behavior that violates the code, please report it to the project maintainers.
 
 ## License
 

data/app/controllers/passkeys_rails/passkeys_controller.rb

@@ -7,16 +7,17 @@ module PasskeysRails
       result = PasskeysRails::BeginChallenge.call!(username: challenge_params[:username])
 
       # Store the challenge so we can verify the future register or authentication request
-      session[:passkeys_rails] = result.session_data
+      cookies[:passkeys_rails] = result.cookie_data
 
       render json: result.response.as_json
     end
 
     def register
+      cookie_data = cookies["passkeys_rails"] || {}
       result = PasskeysRails::FinishRegistration.call!(credential: attestation_credential_params.to_h,
                                                        authenticatable_info: authenticatable_params&.to_h,
-                                                       username: session.dig(:passkeys_rails, :username),
-                                                       challenge: session.dig(:passkeys_rails, :challenge))
+                                                       username: cookie_data["username"],
+                                                       challenge: cookie_data["challenge"])
 
       broadcast(:did_register, agent: result.agent)
 
@@ -24,8 +25,9 @@ module PasskeysRails
     end
 
     def authenticate
+      cookie_data = cookies["passkeys_rails"] || {}
       result = PasskeysRails::FinishAuthentication.call!(credential: authentication_params.to_h,
-                                                         challenge: session.dig(:passkeys_rails, :challenge))
+                                                         challenge: cookie_data["challenge"])
 
       broadcast(:did_authenticate, agent: result.agent)
 

data/app/interactors/passkeys_rails/begin_challenge.rb

@@ -10,7 +10,7 @@ module PasskeysRails
       options = result.options
 
       context.response = options
-      context.session_data = session_data(options)
+      context.cookie_data = cookie_data(options)
     rescue Interactor::Failure => e
       context.fail! code: e.context.code, message: e.context.message
     end
@@ -25,7 +25,7 @@ module PasskeysRails
       end
     end
 
-    def session_data(options)
+    def cookie_data(options)
       {
         username:,
         challenge: WebAuthn.standard_encoder.encode(options.challenge)

data/app/interactors/passkeys_rails/begin_registration.rb

@@ -13,6 +13,8 @@ module PasskeysRails
     private
 
     def create_or_replace_unregistered_agent
+      context.fail! code: :origin_error, message: "config.wa_origin must be set" if WebAuthn.configuration.origin.blank?
+
       Agent.unregistered.where(username:).destroy_all
 
       agent = Agent.create(username:, webauthn_identifier: WebAuthn.generate_user_id)

data/app/interactors/passkeys_rails/finish_registration.rb

@@ -28,7 +28,11 @@ module PasskeysRails
     rescue WebAuthn::Error => e
       context.fail!(code: :webauthn_error, message: e.message)
     rescue StandardError => e
-      context.fail!(code: :error, message: e.message)
+      if e.message == "undefined method `end_with?' for nil:NilClass"
+        context.fail!(code: :webauthn_error, message: "origin is not set")
+      else
+        context.fail!(code: :error, message: e.message)
+      end
     end
 
     def store_passkey_and_register_agent!
@@ -51,7 +55,7 @@ module PasskeysRails
     def agent
       @agent ||= begin
         agent = Agent.find_by(username:)
-        context.fail!(code: :agent_not_found, message: "Agent not found for session value: \"#{username}\"") if agent.blank?
+        context.fail!(code: :agent_not_found, message: "Agent not found for cookie value: \"#{username}\"") if agent.blank?
 
         agent
       end

data/lib/generators/passkeys_rails/templates/passkeys_rails_config.rb

@@ -60,4 +60,45 @@ PasskeysRails.config do |c|
   # c.subscribe(:did_register) do |event, agent, request|
   #   puts("#{event} | #{agent.id} | #{request.headers}")
   # end
+
+  # PasskeysRails uses webauthn to help with the protocol.
+  # The following settings are passed throught webauthn.
+  # wa_origin is the only one requried
+
+  # This value needs to match `window.location.origin` evaluated by
+  # the User Agent during registration and authentication ceremonies.
+  # c.wa_origin = ENV['DEFAULT_HOST'] || https://myapp.mydomain.com
+
+  # Relying Party name for display purposes
+  # c.wa_relying_party_name = "My App Name"
+
+  # Optionally configure a client timeout hint, in milliseconds.
+  # This hint specifies how long the browser should wait for any
+  # interaction with the user.
+  # This hint may be overridden by the browser.
+  # https://www.w3.org/TR/webauthn/#dom-publickeycredentialcreationoptions-timeout
+  # c.wa_credential_options_timeout = 120_000
+
+  # You can optionally specify a different Relying Party ID
+  # (https://www.w3.org/TR/webauthn/#relying-party-identifier)
+  # if it differs from the default one.
+  #
+  # In this case the default would be "auth.example.com", but you can set it to
+  # the suffix "example.com"
+  #
+  # c.wa_rp_id = "example.com"
+
+  # Configure preferred binary-to-text encoding scheme. This should match the encoding scheme
+  # used in your client-side (user agent) code before sending the credential to the server.
+  # Supported values: `:base64url` (default), `:base64` or `false` to disable all encoding.
+  #
+  # c.wa_encoding = :base64url
+
+  # Possible values: "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512", "RS1"
+  # Default: ["ES256", "PS256", "RS256"]
+  #
+  # c.wa_algorithms = ["ES256", "PS256", "RS256"]
+
+  # Append an algorithm to the existing set
+  # c.wa_algorithm = "PS512"
 end

data/lib/passkeys-rails.rb

@@ -1,49 +1,42 @@
 # rubocop:disable Naming/FileName
 require 'passkeys_rails/engine'
+require 'passkeys_rails/configuration'
 require 'passkeys_rails/version'
 require_relative "generators/passkeys_rails/install_generator"
+require 'forwardable'
 
 module PasskeysRails
   module Test
     autoload :IntegrationHelpers, 'passkeys_rails/test/integration_helpers'
   end
 
-  # Secret used to encode the auth token.
-  # Rails.application.secret_key_base is used if none is defined here.
-  # Changing this value will invalidate all tokens that have been fetched
-  # through the API.
-  mattr_accessor(:auth_token_secret)
+  class << self
+    extend Forwardable
 
-  # Algorithm used to generate the auth token.
-  # Changing this value will invalidate all tokens that have been fetched
-  # through the API.
-  mattr_accessor :auth_token_algorithm, default: "HS256"
+    def_delegators :config, :auth_token_secret, :auth_token_algorithm, :auth_token_expires_in, :default_class, :class_whitelist
 
-  # How long the auth token is valid before requiring a refresh or new login.
-  # Set it to 0 for no expiration (not recommended in production).
-  mattr_accessor :auth_token_expires_in, default: 30.days
+    def config
+      @config ||= begin
+        config = Configuration.new
+        yield(config) if block_given?
+        apply_webauthn_configuration(config)
 
-  # Model to use when creating or authenticating a passkey.
-  # This can be overridden when calling the API, but if no
-  # value is supplied when calling the API, this value is used.
-  # If nil, there is no default, and if none is supplied when
-  # calling the API, no resource is created other than
-  # a PaskeysRails::Agent that is used to track the passkey.
-  #
-  # This library doesn't assume that there will only be one
-  # model, but it is a common use case, so setting the
-  # default_class simplifies the use of the API in that case.
-  mattr_accessor :default_class, default: "User"
+        config
+      end
+    end
+  end
 
-  # By providing a class_whitelist, the API will require that
-  # any supplied class is in the whitelist.  If it is not, the
-  # auth API will return an error.  This prevents a caller from
-  # attempting to create an unintended record on registration.
-  # If nil, any model will be allowed.
-  # If [], no model will be allowed.
-  # This should be an array of symbols or strings,
-  # for example: %w[User AdminUser]
-  mattr_accessor :class_whitelist, default: nil
+  def self.apply_webauthn_configuration(config)
+    WebAuthn.configure do |c|
+      c.origin = config.wa_origin
+      c.rp_name = config.wa_relying_party_name if config.wa_relying_party_name
+      c.credential_options_timeout = config.wa_credential_options_timeout if config.wa_credential_options_timeout
+      c.rp_id = config.wa_rp_id if config.wa_rp_id
+      c.encoding = config.wa_encoding if config.wa_encoding
+      c.algorithms = config.wa_algorithms if config.wa_algorithms
+      c.algorithms << config.wa_algorithm if config.wa_algorithm
+    end
+  end
 
   # Convenience method to subscribe to various events in PasskeysRails.
   #
@@ -104,16 +97,6 @@ module PasskeysRails
                                    message: auth.message)
   end
 
-  class << self
-    def config
-      yield self
-    end
-  end
-
   require 'passkeys_rails/railtie' if defined?(Rails)
 end
-
-ActiveSupport.on_load(:before_initialize) do
-  PasskeysRails.auth_token_secret ||= Rails.application.secret_key_base
-end
 # rubocop:enable Naming/FileName

data/lib/passkeys_rails/configuration.rb

@@ -0,0 +1,62 @@
+module PasskeysRails
+  class Configuration
+    # Secret used to encode the auth token.
+    # Rails.application.secret_key_base is used if none is defined here.
+    # Changing this value will invalidate all tokens that have been fetched
+    # through the API.
+    attr_accessor :auth_token_secret
+
+    # Algorithm used to generate the auth token.
+    # Changing this value will invalidate all tokens that have been fetched
+    # through the API.
+    attr_accessor :auth_token_algorithm
+
+    # How long the auth token is valid before requiring a refresh or new login.
+    # Set it to 0 for no expiration (not recommended in production).
+    attr_accessor :auth_token_expires_in
+
+    # Model to use when creating or authenticating a passkey.
+    # This can be overridden when calling the API, but if no
+    # value is supplied when calling the API, this value is used.
+    # If nil, there is no default, and if none is supplied when
+    # calling the API, no resource is created other than
+    # a PaskeysRails::Agent that is used to track the passkey.
+    #
+    # This library doesn't assume that there will only be one
+    # model, but it is a common use case, so setting the
+    # default_class simplifies the use of the API in that case.
+    attr_accessor :default_class
+
+    # By providing a class_whitelist, the API will require that
+    # any supplied class is in the whitelist.  If it is not, the
+    # auth API will return an error.  This prevents a caller from
+    # attempting to create an unintended record on registration.
+    # If nil, any model will be allowed.
+    # If [], no model will be allowed.
+    # This should be an array of symbols or strings,
+    # for example: %w[User AdminUser]
+    attr_accessor :class_whitelist
+
+    # webauthn settings
+    attr_accessor :wa_origin,
+                  :wa_relying_party_name,
+                  :wa_credential_options_timeout,
+                  :wa_rp_id,
+                  :wa_encoding,
+                  :wa_algorithms,
+                  :wa_algorithm
+
+    def initialize
+      # defaults
+      @auth_token_secret = Rails.application.secret_key_base
+      @auth_token_algorithm = "HS256"
+      @auth_token_expires_in = 30.days
+      @default_class = "User"
+      @wa_origin = "https://example.com"
+    end
+
+    def subscribe(event_name)
+      PasskeysRails.subscribe(event_name)
+    end
+  end
+end

data/lib/passkeys_rails/version.rb

@@ -1,3 +1,3 @@
 module PasskeysRails
-  VERSION = "0.3.0".freeze
+  VERSION = "0.3.1".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passkeys-rails
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Troy Anderson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-08-01 00:00:00.000000000 Z
+date: 2023-11-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -380,6 +380,7 @@ files:
 - lib/generators/passkeys_rails/templates/README
 - lib/generators/passkeys_rails/templates/passkeys_rails_config.rb
 - lib/passkeys-rails.rb
+- lib/passkeys_rails/configuration.rb
 - lib/passkeys_rails/engine.rb
 - lib/passkeys_rails/railtie.rb
 - lib/passkeys_rails/test/integration_helpers.rb