rodauth 1.22.0 → 2.3.0

data/doc/two_factor_base.rdoc

@@ -1,30 +1,68 @@
 = Documentation for Two Factor Base Feature
 
-The two factor base feature implements shared functionality for the other 2nd
-factor authentication features.
+The two_factor_base feature implements shared functionality for the other
+multifactor authentication features.
+
+To handle multiple and potentially different multifactor authentication setups
+per user, this feature implements disambiguation pages for multifactor
+authentication and manage.  If only a single multifactor authentication is
+available to setup, the manage page will redirect to the appropriate page.
+Likewise, if only a single multifactor authentication method is available,
+the authentication page will redirect to the appropriate page.  Otherwise,
+the authentication and manage pages will show links to the available pages.
+Additionally, there is a separate page for disabling all multifactor
+authentication methods and reverting to single factor authentication,
+so users do not have to disable each multifactor authentication method
+individually.
 
 == Auth Value Methods
 
-two_factor_already_authenticated_error_status :: The response status to use if going to a two factor authentication page when already authenticated via 2nd factor, 403 by default.
-two_factor_already_authenticated_error_flash :: The flash error to show if going to a two factor authentication page when already authenticated via 2nd factor.
-two_factor_already_authenticated_redirect :: Where to redirect if going to a two factor authentication page when already authenticated via 2nd factor.
-two_factor_auth_notice_flash :: The flash notice to show after a successful two factor authentication.
-two_factor_auth_redirect :: Whether to redirect after a successful two factor authentication.
-two_factor_auth_required_redirect :: Where to redirect if going to a page requiring two factor authentication when not authenticated via 2nd factor.
-two_factor_modifications_require_password? :: Whether modifications to two factor authentication require the use of passwords.
-two_factor_need_authentication_error_status :: The response status to use if going to a page that requires two factor authentication when not authenticated, 401 by default.
-two_factor_need_authentication_error_flash :: The flash error to show if going to a page that requires two factor authentication when not authenticated.
-two_factor_need_setup_redirect :: Where to redirect if going to a two factor authentication page when two factor authentication has not been setup.
-two_factor_not_setup_error_status :: The response status to use if going to a two factor authentication page when two factor authentication has not been setup, 403 by default.
-two_factor_not_setup_error_flash :: The flash error to show if going to a two factor authentication page when two factor authentication has not been setup.
-two_factor_session_key :: The session key used for storing a symbol indicating which type of 2nd factor was used to authenticate.
-two_factor_setup_session_key :: The session key used for storing whether two factor authentication has been setup for the current account.
+two_factor_already_authenticated_error_flash :: The flash error to show if going to a multifactor authentication page when already multifactor authenticated.
+two_factor_already_authenticated_error_status :: The response status to use if going to a multifactor authentication page when already multifactor authenticated, 403 by default.
+two_factor_already_authenticated_redirect :: Where to redirect if going to a multifactor authentication page when already multifactor authenticated.
+two_factor_auth_notice_flash :: The flash notice to show after a successful multifactor authentication.
+two_factor_auth_page_title :: The page title to use on the page linking to other multifactor authentication pages.
+two_factor_auth_redirect :: Where to redirect after a successful multifactor authentication.
+two_factor_auth_redirect_session_key :: The key in the session hash storing the location to redirect to after successful multifactor authentication.
+two_factor_auth_required_redirect :: Where to redirect if going to a page requiring multifactor authentication when not multifactor authenticated (the multifactor auth page by default).
+two_factor_auth_return_to_requested_location? :: Whether to redirect to the originally requested location after successful multifactor authentication when +require_two_factor_authenticated+ was used, false by default.
+two_factor_auth_route :: The route to the multifactor authentication page. Defaults to +multifactor-auth+.
+two_factor_disable_additional_form_tags :: HTML fragment containing additional form tags when disabling all multifactor authentication.
+two_factor_disable_button :: Text to use for button on the form to disable all multifactor authentication.
+two_factor_disable_error_flash :: The flash error to show if unable to disable all multifactor authentication.
+two_factor_disable_link_text :: The text to use for the link to disable all multifactor authentication from the multifactor manage page.
+two_factor_disable_notice_flash :: The flash notice to show after a successfully disabling all multifactor authentication.
+two_factor_disable_page_title :: The page title to use on the page for disabling all multifactor authentication.
+two_factor_disable_redirect :: Where to redirect after a successfully disabling all multifactor authentication.
+two_factor_disable_route :: The route to the page to disable all multifactor authentication. Defaults to +multifactor-disable+.
+two_factor_manage_page_title :: The page title to use on the page linking to other multifactor setup and remove pages.
+two_factor_manage_route :: The route to the page to manage multifactor authentication. Defaults to +multifactor-manage+.
+two_factor_modifications_require_password? :: Whether modifications to multifactor authentication require the inputing the user's password.
+two_factor_need_authentication_error_flash :: The flash error to show if going to a page that requires multifactor authentication when not authenticated.
+two_factor_need_authentication_error_status :: The response status to use if going to a page that requires multifactor authentication when not authenticated, 401 by default.
+two_factor_need_setup_redirect :: Where to redirect if going to a multifactor authentication page when multifactor authentication has not been setup (the multifactor manage page by default).
+two_factor_not_setup_error_flash :: The flash error to show if going to a multifactor authentication page when multifactor authentication has not been setup.
+two_factor_not_setup_error_status :: The response status to use if going to a multifactor authentication page when multifactor authentication has not been setup, 403 by default.
+two_factor_remove_heading :: The HTML to use above the remove links on the multifactor manage page.
+two_factor_setup_heading :: The HTML to use above the setup links on the multifactor manage page.
+two_factor_setup_session_key :: The session key used for storing whether multifactor authentication has been setup for the current account.
 
 == Auth Methods
 
-after_two_factor_authentication :: Any actions to take after successful two factor authentication.
-two_factor_authenticated? :: Whether the current session has already been authenticated via 2nd factor.
-two_factor_remove :: Any action to take to remove two factor authentication, called when closing accounts.
-two_factor_remove_auth_failures :: Any action to take to remove 2nd factor authentication failures, called after a successful 2nd factor authentication.
-two_factor_remove_session :: What actions to take to remove two factor authentication, called when disabling two factor authentication.
-two_factor_update_session(type) :: How to update the session to reflect a successful two factor authentication.
+after_two_factor_authentication :: Any actions to take after successful multifactor authentication.
+after_two_factor_disable :: Any actions to take after successful disabling of all multifactor authentication.
+before_two_factor_auth_route :: Run arbitrary code before handling the multifactor auth route.
+before_two_factor_disable :: Any actions to take before disabling of all multifactor authentication.
+before_two_factor_disable_route :: Run arbitrary code before handling the multifactor disable route.
+before_two_factor_manage_route :: Run arbitrary code before handling the multifactor manage route.
+two_factor_auth_links :: An array of entries for links to show on the multifactor auth page.  Each entry is an array of three elements, sort order (integer), link href, and link text.
+two_factor_auth_view :: The HTML to use for the page linking to other multifactor authentication pages.
+two_factor_authenticated? :: Whether the current session has already been multifactor authenticated.
+two_factor_disable_view :: The HTML to use for the page for disabling all multifactor authentication.
+two_factor_manage_view :: The HTML to use for the page linking to other multifactor setup and remove pages.
+two_factor_remove :: Any action to take to remove multifactor authentication, called when closing accounts.
+two_factor_remove_auth_failures :: Any action to take to remove multifactor authentication failures, called after a successful multifactor authentication.
+two_factor_remove_links :: An array of entries for remove links to show on the multifactor manage page.  Each entry is an array of three elements, sort order (integer), link href, and link text.
+two_factor_remove_session :: What actions to take to remove multifactor authentication status from the session, called when disabling multifactor authentication when authenticated using the factor being removed.
+two_factor_setup_links :: An array of entries for setup links to show on the multifactor manage page.  Each entry is an array of three elements, sort order (integer), link href, and link text.
+two_factor_update_session(type) :: How to update the session to reflect a successful multifactor authentication.

data/doc/verify_account.rdoc

@@ -10,30 +10,32 @@ after verifying the account. Depends on the login and create account features.
 attempt_to_create_unverified_account_error_flash :: The flash error message to show when attempting to create an account awaiting verification.
 attempt_to_login_to_unverified_account_error_flash :: The flash error message to show when attempting to login to an account awaiting verification.
 no_matching_verify_account_key_error_flash :: The flash error message to show when an invalid verify account key is used.
+resend_verify_account_page_title :: The page title to use on page requesting resending the verify account email.
 verify_account_additional_form_tags :: HTML fragment containing additional form tags to use on the verify account form.
 verify_account_autologin? :: Whether to autologin the user after successful account verification, true by default.
 verify_account_button :: The text to use for the verify account button.
+verify_account_email_last_sent_column :: The email last sent column in the +verify_account_table+. Set to nil to always send a verify account email when requested.
 verify_account_email_recently_sent_error_flash :: The flash error to show if not sending verify account email because one has been sent recently.
 verify_account_email_recently_sent_redirect :: Where to redirect if not sending verify account email because one has been sent recently.
-verify_account_email_subject :: The subject to use for the verify account email.
-verify_account_email_sent_redirect :: Where to redirect after sending the verify account email.
 verify_account_email_sent_notice_flash :: The flash notice to set after sending the verify account email.
-verify_account_email_last_sent_column :: The email last sent column in the verify account keys table.  nil by default, so a verify account email is always sent when requested by default.
+verify_account_email_sent_redirect :: Where to redirect after sending the verify account email.
+verify_account_email_subject :: The subject to use for the verify account email.
 verify_account_error_flash :: The flash error to show if no matching key is submitted when verifying an account.
-verify_account_id_column :: The id column in the verify account keys table, should be a foreign key referencing the accounts table.
-verify_account_key_column :: The verify account key/token column in the verify account keys table.
+verify_account_id_column :: The id column in the +verify_account_table+, should be a foreign key referencing the accounts table.
+verify_account_key_column :: The verify account key/token column in the +verify_account_table+.
 verify_account_key_param :: The parameter name to use for the verify account key.
 verify_account_notice_flash :: The flash notice to show after verifying the account.
+verify_account_page_title :: The page title to use on the verify account form.
+verify_account_redirect :: Where to redirect after verifying the account.
 verify_account_resend_additional_form_tags :: HTML fragment containing additional form tags to use on the page requesting resending the verify account email.
 verify_account_resend_button :: The text to use for the verify account resend button.
-verify_account_redirect :: Where to redirect after verifying the account.
 verify_account_resend_error_flash :: The flash error to show if unable to resend a verify account email.
 verify_account_resend_explanatory_text :: The text to display above the button to resend the verify account email.
-verify_account_resend_link :: The HTML to use for a link to the page to request the account verification email be resent.
+verify_account_resend_link_text :: The text to use for a link to the page to request the account verification email be resent.
 verify_account_resend_route :: The route to the verify account resend action.  Defaults to +verify-account-resend+.
 verify_account_route :: The route to the verify account action. Defaults to +verify-account+.
 verify_account_session_key :: The key in the session to hold the verify account key temporarily.
-verify_account_set_password? :: Whether to ask for a password to be set on the verify account form.  Defaults to false.  If set to true, will automatically stop asking for passwords to be set on the create account form.
+verify_account_set_password? :: Whether to ask for a password to be set on the verify account form.  True by default. If set to false, will ask for password when creating the account instead of when verifying.
 verify_account_skip_resend_email_within :: The number of seconds before sending another verify account email, if +verify_account_email_last_sent_column+ is set.
 verify_account_table :: The name of the verify account keys table.
 
@@ -41,14 +43,14 @@ verify_account_table :: The name of the verify account keys table.
 
 account_from_verify_account_key(key) :: Retrieve the account using the given verify account key, or return nil if no account matches.
 after_verify_account :: Run arbitrary code after verifying the account.
-after_verify_account_resend :: Run arbitrary code after resending a verify account email.
+after_verify_account_email_resend :: Run arbitrary code after resending a verify account email.
 allow_resending_verify_account_email? :: Whether to allow sending the verify account email for the account, true by default only if the account has not been verified.
 before_verify_account :: Run arbitrary code before verifying the account.
-before_verify_account_resend :: Run arbitrary code before resending a verify account email.
+before_verify_account_email_resend :: Run arbitrary code before resending a verify account email.
 before_verify_account_resend_route :: Run arbitrary code before handling a verify account resend route.
 before_verify_account_route :: Run arbitrary code before handling a verify account route.
-create_verify_account_key :: Add the verify account key data to the database.
 create_verify_account_email :: A Mail::Message for the verify account email.
+create_verify_account_key :: Add the verify account key data to the database.
 get_verify_account_email_last_sent :: Get the last time a verify account email is sent, or nil if there is no last sent time.
 get_verify_account_key(id) :: Get the verify account key for the given account id from the database.
 remove_verify_account_key :: Remove the verify account key for the current account, run after successful account verification.
@@ -58,6 +60,6 @@ set_verify_account_email_last_sent :: Set the last time a verify account email i
 verify_account :: Verify the account by changing the status from unverified to open.
 verify_account_email_body :: The body to use for the verify account email.
 verify_account_email_link :: The link to the verify account form in the verify account email.
-verify_account_key_insert_hash :: The hash to insert into the verify account keys table.
+verify_account_key_insert_hash :: The hash to insert into the +verify_account_table+.
 verify_account_key_value :: The value of the verify account key.
 verify_account_view :: The HTML to use for the verify account form.

data/doc/verify_account_grace_period.rdoc

@@ -2,12 +2,16 @@
 
 The verify account grace period feature allows users to login for
 a given period of time (1 day by default) before their account is
-verified.  Depends on the verify account feature.
+verified.  Depends on the verify account feature.  This switches
+the +verify_account_set_password?+ to false so that user can login
+with a password during the grace period.
 
 == Auth Value Methods
 
-verification_requested_at_column :: The column in the +verify_account_table+ table that holds the verification requested timestamp.
 unverified_account_session_key :: The session key set if the logged in account has not been unverified.
+unverified_change_login_error_flash :: The flash error to show when an unverified accounts accesses a change login route.
+unverified_change_login_redirect :: Where to redirect when an unverified accounts accesses a change login route.
+verification_requested_at_column :: The column in the +verify_account_table+ table that holds the verification requested timestamp.
 verify_account_grace_period :: The amount of seconds after an account creation that a user will be able to login without verifying (86400 by default).
 
 == Auth Methods

data/doc/verify_login_change.rdoc

@@ -1,11 +1,11 @@
 = Documentation for Verify Login Change Feature
 
-The verify login change feature implements login verification after
-a login change.  With this feature, login changes do not take effect
+The verify login change feature implements verification of login
+changes.  With this feature, login changes do not take effect
 until after the user has verified the new login.  Until the new
 login has been verified, the old login continues to work.
 
-Any time you use the verify login change and change login features together,
+Any time you use the verify account and change login features together,
 you should probably use this, otherwise it is trivial for users to work
 around account verification by creating an account with an email address
 they control, and the changing the login to an email address they don't
@@ -17,17 +17,18 @@ no_matching_verify_login_change_key_error_flash :: The flash error message to sh
 verify_login_change_additional_form_tags :: HTML fragment containing additional form tags to use on the verify login change form.
 verify_login_change_autologin? :: Whether to autologin the user after successful login change verification, false by default.
 verify_login_change_button :: The text to use for the verify login change button.
-verify_login_change_deadline_column :: The column name in the verify login change keys table storing the deadline after which the token will be ignored.
+verify_login_change_deadline_column :: The column name in the +verify_login_change_table+ storing the deadline after which the token will be ignored.
 verify_login_change_deadline_interval :: The amount of time for which to allow users to verify login changes, 1 day by default.
 verify_login_change_duplicate_account_error_flash :: The flash error message to show when attempting to verify a login change when the login is already taken.
 verify_login_change_duplicate_account_redirect :: Where to redirect if not changing a login during verification because the new login is already taken.
 verify_login_change_email_subject :: The subject to use for the verify login change email.
 verify_login_change_error_flash :: The flash error to show if no matching key is submitted when verifying login change.
-verify_login_change_id_column :: The id column in the verify login change keys table, should be a foreign key referencing the accounts table.
-verify_login_change_key_column :: The verify login change key/token column in the verify login change keys table.
+verify_login_change_id_column :: The id column in the +verify_login_change_table+, should be a foreign key referencing the accounts table.
+verify_login_change_key_column :: The verify login change key/token column in the +verify_login_change_table+.
 verify_login_change_key_param :: The parameter name to use for the verify login change key.
-verify_login_change_login_column :: The login column in the verify login change keys table, containing the new login.
+verify_login_change_login_column :: The login column in the +verify_login_change_table+, containing the new login.
 verify_login_change_notice_flash :: The flash notice to show after verifying the login change.
+verify_login_change_page_title :: The page title to use on the verify login change form.
 verify_login_change_redirect :: Where to redirect after verifying the login change.
 verify_login_change_route :: The route to the verify login change action. Defaults to +verify-login-change+.
 verify_login_change_session_key :: The key in the session to hold the verify login change key temporarily.
@@ -49,7 +50,7 @@ send_verify_login_change_email(login) :: Send the verify login change email.
 verify_login_change :: Change the login for the given account to the new login.
 verify_login_change_email_body :: The body to use for the verify login change email.
 verify_login_change_email_link :: The link to the verify login change form in the verify login change email.
-verify_login_change_key_insert_hash(login) :: The hash to insert into the verify login change keys table.
+verify_login_change_key_insert_hash(login) :: The hash to insert into the +verify_login_change_table+.
 verify_login_change_key_value :: The value of the verify login change key.
 verify_login_change_new_login :: The new login to use when the login change is verified.
 verify_login_change_old_login :: The old login to display in the verify login change email.

data/doc/webauthn.rdoc

@@ -0,0 +1,115 @@
+= Documentation for WebAuthn Feature
+
+The webauthn feature implements multifactor authentication via WebAuthn.
+It supports registering WebAuthn authenticators, using them for
+multifactor authentication, and removing WebAuthn authenticators.
+This feature supports multiple WebAuthn authenticators per user,
+and users are encouraged to have multiple WebAuthn authenticators
+so that they have a backup if one is not available.
+
+WebAuthn authentication requires javascript to work in
+browsers, for the browser to communicate with the authenticator.
+This feature offers routes that return the appropriate javascript.
+However, the javascript works by setting a hidden form field and
+using normal form submission.  This allows testing the feature
+without using javascript.  See Rodauth's tests for how testing
+without javascript works.
+
+The webauthn feature requires the webauthn gem.
+
+== Auth Value Methods
+
+authenticated_webauthn_id_session_key :: The session key used for storing which WebAuthn ID was used during authentication.
+webauthn_attestation :: The value of the WebAuthn attestation option when registering a new WebAuthn authenticator.
+webauthn_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via WebAuthn.
+webauthn_auth_button :: Text to use for button on the form to authenticate via WebAuthn.
+webauthn_auth_challenge_hmac_param :: The parameter name for the HMAC of the WebAuthn challenge during authentication.
+webauthn_auth_challenge_param :: The parameter name for the WebAuthn challenge during authentication.
+webauthn_auth_error_flash :: The flash error to show if unable to authenticate via WebAuthn.
+webauthn_auth_js :: The javascript code to execute on the page to authenticate via WebAuthn.
+webauthn_auth_js_route :: The route to the webauthn auth javascript file.
+webauthn_auth_link_text :: The text to use for the link from the multifactor auth page.
+webauthn_auth_page_title :: The page title to use on the page for authenticating via WebAuthn.
+webauthn_auth_param :: The parameter name for the WebAuthn authentication data.
+webauthn_auth_route :: The route to the webauthn auth action.
+webauthn_auth_timeout :: The number of milliseconds to wait when authenticating using a WebAuthn authenticator.
+webauthn_authenticator_selection ::  The value of the WebAuthn authenticatorSelection option when registering a new WebAuthn authenticator.
+webauthn_duplicate_webauthn_id_message :: The error message to when there is an attempt to insert a duplicate WebAuthn authenticator. 
+webauthn_extensions :: The value of the WebAuthn extensions option when registering a new WebAuthn authenticator or authenticating via WebAuthn.
+webauthn_invalid_auth_param_message :: The error message to show when invalid or missing WebAuthn authentication data is provided.
+webauthn_invalid_remove_param_message :: The error message to show when invalid WebAuthn ID is provided when removing a WebAuthn authenticator.
+webauthn_invalid_setup_param_message :: The error message to show when invalid or missing WebAuthn registration data is provided.
+webauthn_invalid_sign_count_message :: The error message to when there is an attempt to authenticate with WebAuthn authenticator with an invalid sign count.
+webauthn_js_host :: The protocol and domain if using a separate host for the WebAuthn setup and auth javascript files.
+webauthn_keys_account_id_column :: The column in the +webauthn_keys_table+ containing the account id.
+webauthn_keys_last_use_column :: The column in the +webauthn_keys_table+ containing the last time the WebAuthn credential was used.
+webauthn_keys_public_key_column :: The column in the +webauthn_keys_table+ containing the public key for the WebAuthn credential.
+webauthn_keys_sign_count_column :: The column in the +webauthn_keys_table+ containing the sign count for the WebAuthn credential.
+webauthn_keys_table :: The table name containing the WebAuthn public keys.
+webauthn_keys_webauthn_id_column :: The column in the +webauthn_keys_table+ containing the WebAuthn ID for the WebAuthn credential.
+webauthn_not_setup_error_flash :: The flash error to show if going to the WebAuthn authentication page without having registered a WebAuthn authenticator.
+webauthn_not_setup_error_status :: The status code to use if going to the WebAuthn authentication page without having registered a WebAuthn authenticator.
+webauthn_origin :: The origin to use when verifying a WebAuthn authenticator.
+webauthn_remove_additional_form_tags :: HTML fragment containing additional form tags when removing an existing WebAuthn authenticator.
+webauthn_remove_button :: Text to use for button on the form to remove an existing WebAuthn authenticator.
+webauthn_remove_error_flash :: The flash error to show if unable to remove an existing WebAuthn authenticator.
+webauthn_remove_link_text :: The text to use for the remove link from the multifactor manage page.
+webauthn_remove_notice_flash :: The flash notice to show after removing an existing WebAuthn authenticator.
+webauthn_remove_page_title :: The page title to use on the page for removing an existing WebAuthn authenticator.
+webauthn_remove_param :: The parameter name for the WebAuthn ID to remove.
+webauthn_remove_redirect :: Where to redirect after successfully removing an existing WebAuthn authenticator.
+webauthn_remove_route :: The route to the webauthn remove action.
+webauthn_rp_id :: The relying party ID to use when registering a WebAuthn authenticator or authenticating via WebAuthn.
+webauthn_rp_name :: The relying party name to use when registering a WebAuthn authenticator.
+webauthn_setup_additional_form_tags :: HTML fragment containing additional form tags when registering a new WebAuthn authenticator.
+webauthn_setup_button :: Text to use for button on the form to register a new WebAuthn authenticator.
+webauthn_setup_challenge_hmac_param :: The parameter name for the HMAC of the WebAuthn challenge during registration.
+webauthn_setup_challenge_param :: The parameter name for the WebAuthn challenge during registration.
+webauthn_setup_error_flash :: The flash error to show if unable to register a new WebAuthn authenticator.
+webauthn_setup_js :: The javascript code to execute on the page to register a new WebAuthn credential.
+webauthn_setup_js_route :: The route to the webauthn setup javascript file.
+webauthn_setup_link_text :: The text to use for the setup link from the multifactor manage page.
+webauthn_setup_notice_flash :: The flash notice to show after registering a new WebAuthn authenticator.
+webauthn_setup_page_title :: The page title to use on the page for registering a new WebAuthn authenticator.
+webauthn_setup_param :: The parameter name for the WebAuthn registration data.
+webauthn_setup_redirect :: Where to redirect after successfully registering a new WebAuthn authenticator.
+webauthn_setup_timeout :: The number of milliseconds to wait when registering a new WebAuthn authenticator.
+webauthn_setup_route :: The route to the webauthn setup action.
+webauthn_user_ids_account_id_column :: The column in the +webauthn_user_ids_table+ containing the account id.
+webauthn_user_ids_table :: The table name containing the WebAuthn user IDs.
+webauthn_user_ids_webauthn_id_column :: The column in the +webauthn_user_ids_table+ containing the accounts WebAuthn user ID.
+webauthn_user_verification :: The value of the WebAuthn userVerification option when registering a new WebAuthn authenticator.
+
+== Auth Methods
+
+account_webauthn_ids :: An array of WebAuthn IDs for registered WebAuthn credentials for the current account.
+account_webauthn_usage :: A hash mapping WebAuthn IDs to the time of their last use for registered WebAuthn credentials for the current account.
+account_webauthn_user_id :: The WebAuthn User ID for the current account.
+add_webauthn_credential(webauthn_credential) :: Register the given WebAuthn credential to current account.
+after_webauthn_auth_failure :: Any actions to take after a WebAuthn authentication failure.
+after_webauthn_remove :: Any actions to take after removing an existing WebAuthn authenticator.
+after_webauthn_setup :: Any actions to take after registering a new WebAuthn authenticator.
+authenticated_webauthn_id :: The WebAuthn ID for the credential used to authenticate via WebAuthn for the current session.
+before_webauthn_auth :: Any actions to take before authenticating via WebAuthn.
+before_webauthn_auth_js_route :: Run arbitrary code before handling a webauthn auth javascript route.
+before_webauthn_auth_route :: Run arbitrary code before handling a webauthn auth route.
+before_webauthn_remove :: Any actions to take before removing an existing WebAuthn authenticator.
+before_webauthn_remove_route :: Run arbitrary code before handling a webauthn remove route.
+before_webauthn_setup :: Any actions to take before registering a new WebAuthn authenticator.
+before_webauthn_setup_js_route :: Run arbitrary code before handling a webauthn setup javascript route.
+before_webauthn_setup_route :: Run arbitrary code before handling a webauthn setup route.
+handle_webauthn_sign_count_verification_error :: What actions to take if there is an invalid sign count when authenticating. The default results in an error, but overriding without calling super will result in successful WebAuthn authentication.
+new_webauthn_credential :: WebAuthn credential options to provide to the client during WebAuthn registration.
+remove_all_webauthn_keys_and_user_ids :: Remove all WebAuthn credentials and the WebAuthn user ID from the current account.
+remove_webauthn_key(webauthn_id) :: Remove the WebAuthn credential with the given WebAuthn ID from the current account.
+valid_new_webauthn_credential?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during registration is valid.
+valid_webauthn_credential_auth?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during authentication is valid.
+webauth_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
+webauthn_auth_js_path :: The path to the WebAuthn authentication javascript.
+webauthn_auth_view :: The HTML to use for the page for authenticating via WebAuthn.
+webauthn_remove_authenticated_session :: Remove the authenticated WebAuthn ID, used when removing the WebAuthn credential with the ID after authenticating with it.
+webauthn_remove_view :: The HTML to use for the page for removing an existing WebAuthn authenticator.
+webauthn_setup_js_path :: The path to the WebAuthn registration javascript.
+webauthn_setup_view :: The HTML to use for the page for registering a new WebAuthn authenticator.
+webauthn_update_session(webauthn_id) :: Set the authenticated WebAuthn ID after authenticating via WebAuthn.
+webauthn_user_name :: The user name to use when registering a new WebAuthn credential, the user's email by default.

data/doc/webauthn_login.rdoc

@@ -0,0 +1,15 @@
+= Documentation for WebAuthn Login Feature
+
+The webauthn feature implements passwordless authentication via
+WebAuthn. It depends on the login and webauthn features.
+
+== Auth Value Methods
+
+webauthn_login_error_flash :: The flash error to show if there is a failure during passwordless login via WebAuthn.
+webauthn_login_failure_redirect :: Whether to redirect if there is a failure during passwordless login via WebAuthn.
+webauthn_login_route :: The route to the webauthn login action.
+
+== Auth Methods
+
+before_webauthn_login :: Any actions to take before passwordless login via WebAuthn.
+before_webauthn_login_route :: Run arbitrary code before handling a webauthn login route.

data/doc/webauthn_verify_account.rdoc

@@ -0,0 +1,9 @@
+= Documentation for WebAuthn Verify Account Feature
+
+The webauthn feature implements setting up an WebAuthn authenticator
+during the account verification process, and making such setup
+a requirement for account verification.  By default, it disables
+asking for a password during account creation and verification,
+allowing for completely passwordless designs, where the only
+authentication option is WebAuthn. It depends on the verify_account
+and webauthn features.

data/javascript/webauthn_auth.js

@@ -0,0 +1,45 @@
+(function() {
+  var element = document.getElementById('webauthn-auth-form');
+  var f = function(e) {
+    //console.log(e);
+    e.preventDefault();
+    if (navigator.credentials) {
+      var opts = JSON.parse(element.getAttribute("data-credential-options"));
+      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      opts.allowCredentials.forEach(function(cred) {
+        cred.id = Uint8Array.from(atob(cred.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      });
+      //console.log(opts);
+      navigator.credentials.get({publicKey: opts}).
+        then(function(cred){
+          //console.log(cred);
+          //window.cred = cred
+
+          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          var authValue = {
+            type: cred.type,
+            id: rawId,
+            rawId: rawId,
+            response: {
+              authenticatorData: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.authenticatorData))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
+              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
+              signature: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.signature))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+            }
+          };
+
+          if (cred.response.userHandle) {
+            authValue.response.userHandle = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.userHandle))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          }
+
+          document.getElementById('webauthn-auth').value = JSON.stringify(authValue);
+          element.removeEventListener("submit", f);
+          element.submit();
+        }).
+        catch(function(e){document.getElementById('webauthn-auth-button').innerHTML = "Error authenticating using WebAuthn: " + e});
+    } else {
+        document.getElementById('webauthn-auth-button').innerHTML = "WebAuthn not supported by browser, or browser has disabled it on this page";
+    }
+  };
+  element.addEventListener("submit", f);
+})();
+

data/javascript/webauthn_setup.js

@@ -0,0 +1,35 @@
+(function() {
+  var element = document.getElementById('webauthn-setup-form');
+  var f = function(e) {
+    //console.log(e);
+    e.preventDefault();
+    if (navigator.credentials) {
+      var opts = JSON.parse(element.getAttribute("data-credential-options"));
+      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      opts.user.id = Uint8Array.from(atob(opts.user.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      //console.log(opts);
+      navigator.credentials.create({publicKey: opts}).
+        then(function(cred){
+          //console.log(cred);
+          //window.cred = cred
+          
+          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          document.getElementById('webauthn-setup').value = JSON.stringify({
+            type: cred.type,
+            id: rawId,
+            rawId: rawId,
+            response: {
+              attestationObject: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.attestationObject))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
+              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+            }
+          });
+          element.removeEventListener("submit", f);
+          element.submit();
+        }).
+        catch(function(e){document.getElementById('webauthn-setup-button').innerHTML = "Error creating public key in authenticator: " + e});
+    } else {
+        document.getElementById('webauthn-setup-button').innerHTML = "WebAuthn not supported by browser, or browser has disabled it on this page";
+    }
+  };
+  element.addEventListener("submit", f);
+})();