unmagic-passkeys 0.1.0

data/lib/unmagic/passkeys/web_authn/cose_key.rb

@@ -0,0 +1,183 @@
+# = Action Pack WebAuthn COSE Key
+#
+# Parses COSE (CBOR Object Signing and Encryption) public keys as specified in
+# RFC 9053[https://datatracker.ietf.org/doc/html/rfc9053]. WebAuthn authenticators
+# return public keys in COSE format, which must be converted to a standard format
+# for signature verification.
+#
+# == Usage
+#
+#   # Decode a COSE key from CBOR bytes (e.g., from authenticator data)
+#   cose_key = Unmagic::Passkeys::WebAuthn::CoseKey.decode(cbor_bytes)
+#
+#   # Convert to OpenSSL key for signature verification
+#   openssl_key = cose_key.to_openssl_key
+#   openssl_key.verify("SHA256", signature, signed_data)
+#
+# == Supported Algorithms
+#
+# [ES256]
+#   ECDSA with P-256 curve and SHA-256. The most common algorithm for WebAuthn.
+#
+# [EdDSA]
+#   EdDSA with Ed25519 curve. Increasingly supported by modern authenticators.
+#
+# [RS256]
+#   RSASSA-PKCS1-v1_5 with SHA-256. Used by some security keys and platforms.
+#
+# == Attributes
+#
+# [+key_type+]
+#   The COSE key type (1 for OKP, 2 for EC2, 3 for RSA).
+#
+# [+algorithm+]
+#   The COSE algorithm identifier (-7 for ES256, -8 for EdDSA, -257 for RS256).
+#
+# [+parameters+]
+#   The full COSE key parameters map, including curve and coordinate data.
+class Unmagic::Passkeys::WebAuthn::CoseKey
+  P256_COORDINATE_LENGTH = 32
+  MINIMUM_RSA_KEY_BITS = 2048
+
+  # COSE key labels
+  KEY_TYPE_LABEL = 1
+  ALGORITHM_LABEL = 3
+  EC2_CURVE_LABEL = -1
+  EC2_X_LABEL = -2
+  EC2_Y_LABEL = -3
+  RSA_N_LABEL = -1
+  RSA_E_LABEL = -2
+  OKP_CURVE_LABEL = -1
+  OKP_X_LABEL = -2
+
+  # COSE key types
+  OKP = 1
+  EC2 = 2
+  RSA = 3
+
+  # COSE algorithms
+  ES256 = -7
+  EDDSA = -8
+  RS256 = -257
+
+  # COSE EC2 curves
+  P256 = 1
+
+  # COSE OKP curves
+  ED25519 = 6
+
+  # OpenSSL types
+  UNCOMPRESSED_POINT_MARKER = 0x04
+
+  attr_reader :key_type, :algorithm, :parameters
+
+  class << self
+    # Decodes a COSE key from CBOR-encoded bytes.
+    #
+    #   cose_key = Unmagic::Passkeys::WebAuthn::CoseKey.decode(cbor_bytes)
+    #   cose_key.algorithm # => -7 (ES256)
+    def decode(bytes)
+      data = Unmagic::Passkeys::WebAuthn::CborDecoder.decode(bytes)
+      new(
+        key_type: data[KEY_TYPE_LABEL],
+        algorithm: data[ALGORITHM_LABEL],
+        parameters: data
+      )
+    end
+  end
+
+  def initialize(key_type:, algorithm:, parameters:) # :nodoc:
+    @key_type = key_type
+    @algorithm = algorithm
+    @parameters = parameters
+  end
+
+  # Converts the COSE key to an OpenSSL public key object.
+  #
+  # Returns an +OpenSSL::PKey::EC+ for EC2 keys, +OpenSSL::PKey::RSA+ for
+  # RSA keys, or an Ed25519 key for OKP keys, suitable for use with
+  # +OpenSSL::PKey#verify+.
+  #
+  # Raises +UnsupportedKeyTypeError+ if the key type, algorithm, or curve
+  # is not supported.
+  def to_openssl_key
+    case [ key_type, algorithm ]
+    when [ EC2, ES256 ] then build_ec2_es256_key
+    when [ OKP, EDDSA ] then build_okp_eddsa_key
+    when [ RSA, RS256 ] then build_rsa_rs256_key
+    else raise Unmagic::Passkeys::WebAuthn::UnsupportedKeyTypeError, "Unsupported COSE key type/algorithm: #{key_type}/#{algorithm}"
+    end
+  end
+
+  private
+    def build_ec2_es256_key
+      curve = parameters[EC2_CURVE_LABEL]
+      raise Unmagic::Passkeys::WebAuthn::UnsupportedKeyTypeError, "Unsupported EC curve: #{curve}" unless curve == P256
+
+      x = parameters[EC2_X_LABEL]
+      y = parameters[EC2_Y_LABEL]
+      raise Unmagic::Passkeys::WebAuthn::InvalidKeyError, "Missing EC2 key coordinates" if x.nil? || y.nil?
+      raise Unmagic::Passkeys::WebAuthn::InvalidKeyError, "Invalid EC2 coordinate length" unless x.bytesize == P256_COORDINATE_LENGTH && y.bytesize == P256_COORDINATE_LENGTH
+
+      # Uncompressed point format: 0x04 || x || y
+      public_key_bytes = [ UNCOMPRESSED_POINT_MARKER, *x.bytes, *y.bytes ].pack("C*")
+
+      asn1 = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+          OpenSSL::ASN1::ObjectId("prime256v1")
+        ]),
+        OpenSSL::ASN1::BitString(public_key_bytes)
+      ])
+
+      OpenSSL::PKey::EC.new(asn1.to_der)
+    rescue OpenSSL::PKey::PKeyError => error
+      raise Unmagic::Passkeys::WebAuthn::InvalidKeyError, "Invalid EC2 key: #{error.message}"
+    end
+
+    def build_okp_eddsa_key
+      curve = parameters[OKP_CURVE_LABEL]
+      raise Unmagic::Passkeys::WebAuthn::UnsupportedKeyTypeError, "Unsupported OKP curve: #{curve}" unless curve == ED25519
+
+      x = parameters[OKP_X_LABEL]
+      raise Unmagic::Passkeys::WebAuthn::InvalidKeyError, "Missing OKP key coordinate" if x.nil?
+
+      asn1 = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::ObjectId("ED25519")
+        ]),
+        OpenSSL::ASN1::BitString(x)
+      ])
+
+      OpenSSL::PKey.read(asn1.to_der)
+    rescue OpenSSL::PKey::PKeyError => error
+      raise Unmagic::Passkeys::WebAuthn::InvalidKeyError, "Invalid OKP key: #{error.message}"
+    end
+
+    def build_rsa_rs256_key
+      n_bytes = parameters[RSA_N_LABEL]
+      e_bytes = parameters[RSA_E_LABEL]
+      raise Unmagic::Passkeys::WebAuthn::InvalidKeyError, "Missing RSA key parameters" if n_bytes.nil? || e_bytes.nil?
+      raise Unmagic::Passkeys::WebAuthn::InvalidKeyError, "RSA key must be at least #{MINIMUM_RSA_KEY_BITS} bits" if n_bytes.bytesize * 8 < MINIMUM_RSA_KEY_BITS
+
+      n = OpenSSL::BN.new(n_bytes, 2)
+      e = OpenSSL::BN.new(e_bytes, 2)
+
+      asn1 = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::ObjectId("rsaEncryption"),
+          OpenSSL::ASN1::Null.new(nil)
+        ]),
+        OpenSSL::ASN1::BitString(
+          OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1::Integer(n),
+            OpenSSL::ASN1::Integer(e)
+          ]).to_der
+        )
+      ])
+
+      OpenSSL::PKey::RSA.new(asn1.to_der)
+    rescue OpenSSL::PKey::PKeyError => error
+      raise Unmagic::Passkeys::WebAuthn::InvalidKeyError, "Invalid RSA key: #{error.message}"
+    end
+end

data/lib/unmagic/passkeys/web_authn/current.rb

@@ -0,0 +1,19 @@
+# = Action Pack WebAuthn Current Attributes
+#
+# Thread-isolated request-scoped attributes for WebAuthn ceremonies. These are
+# set automatically by Unmagic::Passkeys::Request at the start of each
+# request and consumed by the registration/authentication flows.
+#
+# == Attributes
+#
+# [+host+]
+#   The relying party identifier (typically +request.host+). Used as the
+#   default RelyingParty ID.
+#
+# [+origin+]
+#   The expected origin (typically +request.base_url+). Validated against the
+#   +origin+ field in the authenticator's client data.
+#
+class Unmagic::Passkeys::WebAuthn::Current < ActiveSupport::CurrentAttributes
+  attribute :host, :origin
+end

data/lib/unmagic/passkeys/web_authn/public_key_credential/creation_options.rb

@@ -0,0 +1,109 @@
+# = Action Pack WebAuthn Public Key Credential Creation Options
+#
+# Generates options for the WebAuthn registration ceremony (creating a new
+# credential). These options are passed to +navigator.credentials.create()+ in
+# the browser to prompt the user to register an authenticator.
+#
+# == Usage
+#
+#   options = Unmagic::Passkeys::WebAuthn::PublicKeyCredential::CreationOptions.new(
+#     id: current_user.id,
+#     name: current_user.email,
+#     display_name: current_user.name
+#   )
+#
+#   # In your controller, return as JSON for the JavaScript WebAuthn API
+#   render json: { publicKey: options.as_json }
+#
+# == Attributes
+#
+# [+id+]
+#   A unique identifier for the user account. Will be Base64URL-encoded in the
+#   output. This should be an opaque identifier (like a primary key), not
+#   personally identifiable information.
+#
+# [+name+]
+#   A human-readable identifier for the user account, typically an email
+#   address or username. Displayed by the authenticator.
+#
+# [+display_name+]
+#   A human-friendly name for the user, typically their full name. Displayed
+#   by the authenticator during registration.
+#
+# [+relying_party+]
+#   The relying party (your application) configuration. Defaults to
+#   +Unmagic::Passkeys::WebAuthn.relying_party+.
+#
+# == Supported Algorithms
+#
+# By default, supports ES256 (ECDSA with P-256 and SHA-256), EdDSA
+# (Ed25519), and RS256 (RSASSA-PKCS1-v1_5 with SHA-256), which cover
+# the vast majority of authenticators.
+class Unmagic::Passkeys::WebAuthn::PublicKeyCredential::CreationOptions < Unmagic::Passkeys::WebAuthn::PublicKeyCredential::Options
+  ES256 = { type: "public-key", alg: -7 }.freeze
+  EDDSA = { type: "public-key", alg: -8 }.freeze
+  RS256 = { type: "public-key", alg: -257 }.freeze
+  RESIDENT_KEY_OPTIONS = %i[ preferred required discouraged ].freeze
+  ATTESTATION_PREFERENCES = %i[ none indirect direct enterprise ].freeze
+
+  attribute :id
+  attribute :name
+  attribute :display_name
+  attribute :resident_key, default: :required
+  attribute :exclude_credentials, default: -> { [] }
+  attribute :attestation, default: :none
+  attribute :challenge_expiration, default: -> { Rails.configuration.unmagic_passkeys.web_authn.creation_challenge_expiration }
+  attribute :challenge_purpose, default: "registration"
+
+  validates :id, :name, :display_name, presence: true
+  validates :resident_key, inclusion: { in: RESIDENT_KEY_OPTIONS }
+  validates :attestation, inclusion: { in: ATTESTATION_PREFERENCES }
+
+  def initialize(attributes = {})
+    super
+    self.resident_key = resident_key.to_sym
+    self.attestation = attestation.to_sym
+    validate!
+  end
+
+  # Returns a Hash suitable for JSON serialization and passing to the
+  # WebAuthn JavaScript API.
+  def as_json(options = {})
+    json = {
+      challenge: challenge,
+      rp: relying_party.as_json,
+      user: {
+        id: Base64.urlsafe_encode64(id.to_s, padding: false),
+        name: name,
+        displayName: display_name
+      },
+      pubKeyCredParams: [
+        ES256,
+        EDDSA,
+        RS256
+      ],
+      authenticatorSelection: {
+        residentKey: resident_key.to_s,
+        requireResidentKey: resident_key == :required,
+        userVerification: user_verification.to_s
+      }
+    }
+
+    if exclude_credentials.any?
+      json[:excludeCredentials] = exclude_credentials.map { |credential| exclude_credential_json(credential) }
+    end
+
+    if attestation != :none
+      json[:attestation] = attestation.to_s
+    end
+
+    json.as_json(options)
+  end
+
+  private
+    def exclude_credential_json(credential)
+      hash = { type: "public-key", id: credential.id }
+      hash[:transports] = credential.transports if credential.transports.any?
+      hash
+    end
+end

data/lib/unmagic/passkeys/web_authn/public_key_credential/options.rb

@@ -0,0 +1,80 @@
+# = Action Pack WebAuthn Public Key Credential Options
+#
+# Abstract base class for WebAuthn ceremony options. Provides shared
+# attributes and challenge generation for both CreationOptions (registration)
+# and RequestOptions (authentication).
+#
+# This class should not be instantiated directly. Use CreationOptions or
+# RequestOptions instead.
+#
+# == Challenge Generation
+#
+# Each options object generates a signed, expiring challenge via
+# +Unmagic::Passkeys::WebAuthn.challenge_verifier+. The challenge is Base64URL-encoded
+# and includes an embedded timestamp so the server can reject stale challenges.
+#
+# == Attributes
+#
+# [+user_verification+]
+#   Controls whether user verification (biometrics/PIN) is required. One of
+#   +:required+, +:preferred+, or +:discouraged+. Defaults to +:preferred+.
+#
+# [+relying_party+]
+#   The RelyingParty configuration. Defaults to +Unmagic::Passkeys::WebAuthn.relying_party+.
+#
+# [+challenge_expiration+]
+#   How long the challenge remains valid. Defaults vary by ceremony type
+#   (configured in the Railtie).
+#
+class Unmagic::Passkeys::WebAuthn::PublicKeyCredential::Options
+  include ActiveModel::API
+  include ActiveModel::Attributes
+
+  CHALLENGE_LENGTH = 32
+  USER_VERIFICATION_OPTIONS = %i[ required preferred discouraged ].freeze
+
+  attribute :user_verification, default: :preferred
+  attribute :relying_party, default: -> { Unmagic::Passkeys::WebAuthn.relying_party }
+  attribute :challenge_expiration
+  attribute :challenge_purpose
+
+  validates :user_verification, inclusion: { in: USER_VERIFICATION_OPTIONS }
+
+  def initialize(attributes = {})
+    super
+    self.user_verification = user_verification.to_sym
+  end
+
+  # Validates the options, raising +InvalidOptionsError+ if any are invalid.
+  def validate!
+    super
+  rescue ActiveModel::ValidationError
+    raise Unmagic::Passkeys::WebAuthn::InvalidOptionsError, errors.full_messages.to_sentence
+  end
+
+  # Returns a human-readable representation of the options.
+  def inspect
+    attributes_string = attributes.map { |name, value| "#{name}: #{value.inspect}" }.join(", ")
+    "#<#{self.class.name} #{attributes_string}>"
+  end
+
+  # Returns a Base64URL-encoded signed challenge containing a random nonce and
+  # an embedded timestamp. The challenge is generated once and memoized for the
+  # lifetime of this object.
+  #
+  # The timestamp allows the server to reject stale challenges. The expiration
+  # window is configurable per-ceremony via
+  # +config.unmagic_passkeys.web_authn.creation_challenge_expiration+ and
+  # +config.unmagic_passkeys.web_authn.request_challenge_expiration+, or per-instance
+  # via the +challenge_expiration+ attribute.
+  def challenge
+    @challenge ||= Base64.urlsafe_encode64(
+      Unmagic::Passkeys::WebAuthn.challenge_verifier.generate(
+        Base64.strict_encode64(SecureRandom.random_bytes(CHALLENGE_LENGTH)),
+        expires_in: challenge_expiration,
+        purpose: challenge_purpose
+      ),
+      padding: false
+    )
+  end
+end

data/lib/unmagic/passkeys/web_authn/public_key_credential/request_options.rb

@@ -0,0 +1,55 @@
+# = Action Pack WebAuthn Public Key Credential Request Options
+#
+# Generates options for the WebAuthn authentication ceremony (using an existing
+# credential). These options are passed to +navigator.credentials.get()+ in
+# the browser to prompt the user to authenticate with a registered authenticator.
+#
+# == Usage
+#
+#   options = Unmagic::Passkeys::WebAuthn::PublicKeyCredential::RequestOptions.new(
+#     credentials: current_user.webauthn_credentials
+#   )
+#
+#   # In your controller, return as JSON for the JavaScript WebAuthn API
+#   render json: { publicKey: options.as_json }
+#
+# == Attributes
+#
+# [+credentials+]
+#   A collection of credential records for the user. Each credential must
+#   respond to +id+ returning the Base64URL-encoded credential ID, and
+#   +transports+ returning an array of transport strings.
+#
+# [+relying_party+]
+#   The relying party (your application) configuration. Defaults to
+#   +Unmagic::Passkeys::WebAuthn.relying_party+.
+class Unmagic::Passkeys::WebAuthn::PublicKeyCredential::RequestOptions < Unmagic::Passkeys::WebAuthn::PublicKeyCredential::Options
+  attribute :credentials, default: -> { [] }
+  attribute :challenge_expiration, default: -> { Rails.configuration.unmagic_passkeys.web_authn.request_challenge_expiration }
+  attribute :challenge_purpose, default: "authentication"
+
+  def initialize(attributes = {})
+    super
+    validate!
+  end
+
+  # Returns a Hash suitable for JSON serialization and passing to the
+  # WebAuthn JavaScript API.
+  def as_json(options = {})
+    json = {
+      challenge: challenge,
+      rpId: relying_party.id,
+      allowCredentials: credentials.map { |credential| allow_credential_json(credential) },
+      userVerification: user_verification.to_s
+    }
+
+    json.as_json(options)
+  end
+
+  private
+    def allow_credential_json(credential)
+      hash = { type: "public-key", id: credential.id }
+      hash[:transports] = credential.transports if credential.transports.any?
+      hash
+    end
+end

data/lib/unmagic/passkeys/web_authn/public_key_credential.rb

@@ -0,0 +1,153 @@
+# = Action Pack WebAuthn Public Key Credential
+#
+# Represents a WebAuthn public key credential and orchestrates the registration
+# and authentication ceremonies. During registration (+.register+), it verifies
+# the attestation response and returns a new credential. During authentication
+# (+#authenticate+), it verifies the assertion response against the stored
+# public key.
+#
+# == Registration
+#
+#   credential = Unmagic::Passkeys::WebAuthn::PublicKeyCredential.register(
+#     params[:passkey],
+#     origin: Unmagic::Passkeys::WebAuthn::Current.origin
+#   )
+#
+#   credential.id         # => Base64URL-encoded credential ID
+#   credential.public_key # => OpenSSL::PKey::EC
+#   credential.sign_count # => 0
+#
+# == Authentication
+#
+#   credential = Unmagic::Passkeys::WebAuthn::PublicKeyCredential.new(
+#     id: stored_credential_id,
+#     public_key: stored_public_key,
+#     sign_count: stored_sign_count
+#   )
+#
+#   credential.authenticate(params[:passkey])
+#
+# == Ceremony Options
+#
+# Use +.creation_options+ and +.request_options+ to generate the JSON options
+# passed to the browser's +navigator.credentials.create()+ and
+# +navigator.credentials.get()+ calls.
+#
+# == Attributes
+#
+# [+id+]
+#   The Base64URL-encoded credential identifier.
+#
+# [+public_key+]
+#   The OpenSSL public key for signature verification.
+#
+# [+sign_count+]
+#   The signature counter, used for replay detection.
+#
+# [+aaguid+]
+#   The authenticator attestation GUID (set during registration).
+#
+# [+backed_up+]
+#   Whether the credential is backed up to cloud storage (synced passkey).
+#
+# [+transports+]
+#   Transport hints (e.g., "internal", "usb", "ble", "nfc").
+#
+class Unmagic::Passkeys::WebAuthn::PublicKeyCredential
+  attr_reader :id, :public_key, :sign_count, :aaguid, :backed_up, :transports
+
+  class << self
+    # Returns a RequestOptions object for the authentication ceremony.
+    # Credentials responding to +to_public_key_credential+ are automatically
+    # transformed.
+    def request_options(**attributes)
+      attributes[:credentials] = transform_credentials(attributes[:credentials]) if attributes[:credentials]
+
+      Unmagic::Passkeys::WebAuthn::PublicKeyCredential::RequestOptions.new(**attributes)
+    end
+
+    # Returns a CreationOptions object for the registration ceremony.
+    # Credentials in +exclude_credentials+ responding to
+    # +to_public_key_credential+ are automatically transformed.
+    def creation_options(**attributes)
+      attributes[:exclude_credentials] = transform_credentials(attributes[:exclude_credentials]) if attributes[:exclude_credentials]
+
+      Unmagic::Passkeys::WebAuthn::PublicKeyCredential::CreationOptions.new(**attributes)
+    end
+
+    # Verifies an attestation response from the browser and returns a new
+    # PublicKeyCredential with the registered credential data.
+    #
+    # Raises +InvalidResponseError+ if the attestation is invalid.
+    def register(params, origin: Unmagic::Passkeys::WebAuthn::Current.origin)
+      response = Unmagic::Passkeys::WebAuthn::Authenticator::AttestationResponse.new(
+        client_data_json: params[:client_data_json],
+        attestation_object: params[:attestation_object],
+        origin: origin
+      )
+
+      response.validate!
+
+      new(
+        id: response.attestation.credential_id,
+        public_key: response.attestation.public_key,
+        sign_count: response.attestation.sign_count,
+        aaguid: response.attestation.aaguid,
+        backed_up: response.attestation.backed_up?,
+        transports: Array(params[:transports])
+      )
+    end
+
+    private
+      def transform_credentials(credentials)
+        Array(credentials).map do |credential|
+          if credential.respond_to?(:to_public_key_credential)
+            credential.to_public_key_credential
+          else
+            credential
+          end
+        end
+      end
+  end
+
+  def initialize(id:, public_key:, sign_count:, aaguid: nil, backed_up: nil, transports: [])
+    @id = id
+    @public_key = public_key
+    @public_key = OpenSSL::PKey.read(public_key) unless public_key.is_a?(OpenSSL::PKey::PKey)
+    @sign_count = sign_count
+    @aaguid = aaguid
+    @backed_up = backed_up
+    @transports = transports
+  end
+
+  # Verifies an assertion response against this credential's public key.
+  # Updates +sign_count+ and +backed_up+ on success.
+  #
+  # Raises +InvalidResponseError+ if the assertion is invalid.
+  def authenticate(params, origin: Unmagic::Passkeys::WebAuthn::Current.origin)
+    response = Unmagic::Passkeys::WebAuthn::Authenticator::AssertionResponse.new(
+      client_data_json: params[:client_data_json],
+      authenticator_data: params[:authenticator_data],
+      signature: params[:signature],
+      credential: self,
+      origin: origin
+    )
+
+    response.validate!
+
+    @sign_count = response.authenticator_data.sign_count
+    @backed_up = response.authenticator_data.backed_up?
+  end
+
+  # Returns a Hash of the credential data suitable for persisting.
+  def to_h
+    {
+      credential_id: id,
+      public_key: public_key.to_der,
+      sign_count: sign_count,
+      aaguid: aaguid,
+      backed_up: backed_up,
+      transports: transports
+    }
+  end
+end

data/lib/unmagic/passkeys/web_authn/relying_party.rb

@@ -0,0 +1,50 @@
+# = Action Pack WebAuthn Relying Party
+#
+# Represents the relying party (your application) in WebAuthn ceremonies. The
+# relying party identity is sent to authenticators during registration and
+# authentication to scope credentials to your application.
+#
+# == Usage
+#
+#   # Using defaults (host from Current, name from Rails application)
+#   relying_party = Unmagic::Passkeys::WebAuthn::RelyingParty.new
+#
+#   # With explicit values
+#   relying_party = Unmagic::Passkeys::WebAuthn::RelyingParty.new(
+#     id: "example.com",
+#     name: "Example Application"
+#   )
+#
+# == Attributes
+#
+# [+id+]
+#   The relying party identifier, typically the application's domain name
+#   (e.g., "example.com"). This must match the origin's effective domain
+#   or be a registrable domain suffix of it. Credentials are scoped to this
+#   identifier. Defaults to +Unmagic::Passkeys::WebAuthn::Current.host+.
+#
+# [+name+]
+#   A human-readable name for your application, displayed by authenticators
+#   during ceremonies. Defaults to +Rails.application.name+.
+class Unmagic::Passkeys::WebAuthn::RelyingParty
+  attr_reader :id, :name
+
+  # Creates a new relying party configuration.
+  #
+  # ==== Options
+  #
+  # [+:id+]
+  #   Optional. The relying party identifier (domain).
+  #
+  # [+:name+]
+  #   Optional. The application display name.
+  def initialize(id: Unmagic::Passkeys::WebAuthn::Current.host, name: Rails.application.name)
+    @id = id
+    @name = name
+  end
+
+  # Returns a Hash suitable for JSON serialization.
+  def as_json(*)
+    { id: id, name: name }
+  end
+end