webauthn-rails 0.0.1 → 0.1.0

data/lib/generators/test_unit/webauthn_authentication/webauthn_authentication_generator.rb

@@ -0,0 +1,23 @@
+require "rails/generators/test_unit"
+
+module TestUnit
+  module Generators
+    class WebauthnAuthenticationGenerator < Rails::Generators::Base
+      hide!
+      source_root File.expand_path("../templates", __FILE__)
+
+      def create_controller_test_files
+        template "test/controllers/passkeys_controller_test.rb"
+        template "test/controllers/webauthn_sessions_controller_test.rb"
+      end
+
+      def create_system_test_files
+        template "test/system/manage_webauthn_credentials_test.rb"
+      end
+
+      def create_test_helper_files
+        template "test/test_helpers/virtual_authenticator_test_helper.rb"
+      end
+    end
+  end
+end

data/lib/generators/webauthn_authentication/bundle_helper.rb

@@ -0,0 +1,30 @@
+# Extracted from: https://github.com/rails/rails/blob/7549ba77254f038b1ca6304a0be6cbda8e2a09c4/railties/lib/rails/generators/bundle_helper.rb
+
+module BundleHelper # :nodoc:
+  def bundle_command(command, env = {}, params = {})
+    say_status :run, "bundle #{command}"
+
+    # We are going to shell out rather than invoking Bundler::CLI.new(command)
+    # because `rails new` loads the Thor gem and on the other hand bundler uses
+    # its own vendored Thor, which could be a different version. Running both
+    # things in the same process is a recipe for a night with paracetamol.
+    #
+    # Thanks to James Tucker for the Gem tricks involved in this call.
+    _bundle_command = Gem.bin_path("bundler", "bundle")
+
+    require "bundler"
+    Bundler.with_original_env do
+      exec_bundle_command(_bundle_command, command, env, params)
+    end
+  end
+
+  private
+  def exec_bundle_command(bundle_command, command, env, params)
+    full_command = %Q("#{Gem.ruby}" "#{bundle_command}" #{command})
+    if options[:quiet] || params[:quiet]
+      system(env, full_command, out: File::NULL)
+    else
+      system(env, full_command)
+    end
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/controllers/passkeys_controller.rb

@@ -0,0 +1,61 @@
+class PasskeysController < ApplicationController
+  def create_options
+    create_options = WebAuthn::Credential.options_for_create(
+      user: {
+        id: Current.user.webauthn_id,
+        name: Current.user.email_address
+      },
+      exclude: Current.user.webauthn_credentials.pluck(:external_id),
+      authenticator_selection: {
+        resident_key: "required",
+        user_verification: "required"
+      }
+    )
+
+    session[:current_registration] = { challenge: create_options.challenge }
+
+    render json: create_options
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_create(JSON.parse(create_credential_params[:public_key_credential]))
+
+    begin
+      webauthn_credential.verify(
+        session[:current_registration][:challenge] || session[:current_registration]["challenge"],
+        user_verification: true,
+      )
+
+      credential = Current.user.passkeys.find_or_initialize_by(
+        external_id: webauthn_credential.id
+      )
+
+      if credential.update(
+          nickname: create_credential_params[:nickname],
+          public_key: webauthn_credential.public_key,
+          sign_count: webauthn_credential.sign_count
+      )
+        redirect_to root_path, notice: "Security Key registered successfully"
+      else
+        flash[:alert] = "Error registering credential"
+        render :new
+      end
+    rescue WebAuthn::Error => e
+      redirect_to new_passkey_path, alert: "Verification failed: #{e.message}"
+    end
+  ensure
+    session.delete(:current_registration)
+  end
+
+  def destroy
+    Current.user.passkeys.destroy(params[:id])
+
+    redirect_to root_path, notice: "Security Key deleted successfully"
+  end
+
+  private
+
+  def create_credential_params
+    params.expect(credential: [ :nickname, :public_key_credential ])
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/controllers/second_factor_authentications_controller.rb

@@ -0,0 +1,62 @@
+class SecondFactorAuthenticationsController < ApplicationController
+  allow_unauthenticated_access only: %i[new get_options create]
+  before_action :require_no_authentication
+  before_action :ensure_login_initiated
+
+  def get_options
+    get_options = WebAuthn::Credential.options_for_get(
+      allow: user.webauthn_credentials.pluck(:external_id),
+      user_verification: "discouraged"
+    )
+    session[:current_authentication][:challenge] = get_options.challenge
+
+    render json: get_options
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_get(JSON.parse(session_params[:public_key_credential]))
+
+    credential = user.webauthn_credentials.find_by(external_id: webauthn_credential.id)
+    unless credential
+      redirect_to new_second_factor_authentication_path, alert: "Credential not recognized"
+      return
+    end
+
+    begin
+      webauthn_credential.verify(
+        session[:current_authentication][:challenge] || session[:current_authentication]["challenge"],
+        public_key: credential.public_key,
+        sign_count: credential.sign_count
+      )
+
+      credential.update!(sign_count: webauthn_credential.sign_count)
+      start_new_session_for user
+
+      redirect_to after_authentication_url
+    rescue WebAuthn::Error => e
+      redirect_to new_second_factor_authentication_path, alert: "Verification failed: #{e.message}"
+    ensure
+      session.delete(:current_authentication)
+    end
+  end
+
+  private
+
+  def user
+    @user ||= User.find_by(id: current_authentication_user_id)
+  end
+
+  def ensure_login_initiated
+    if current_authentication_user_id.blank?
+      redirect_to new_session_path
+    end
+  end
+
+  def session_params
+    params.expect(session: [ :public_key_credential ])
+  end
+
+  def current_authentication_user_id
+    session[:current_authentication][:user_id] || session[:current_authentication]["user_id"]
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/controllers/second_factor_webauthn_credentials_controller.rb

@@ -0,0 +1,59 @@
+class SecondFactorWebauthnCredentialsController < ApplicationController
+  def create_options
+    create_options = WebAuthn::Credential.options_for_create(
+      user: {
+        id: Current.user.webauthn_id,
+        name: Current.user.email_address
+      },
+      exclude: Current.user.webauthn_credentials.pluck(:external_id),
+      authenticator_selection: {
+        resident_key: "discouraged",
+        user_verification: "discouraged"
+      }
+    )
+
+    session[:current_registration] = { challenge: create_options.challenge }
+
+    render json: create_options
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_create(JSON.parse(create_credential_params[:public_key_credential]))
+
+    begin
+      webauthn_credential.verify(
+        session[:current_registration][:challenge] || session[:current_registration]["challenge"]
+      )
+
+      credential = Current.user.second_factor_webauthn_credentials.find_or_initialize_by(
+        external_id: webauthn_credential.id
+      )
+
+      if credential.update(
+          nickname: create_credential_params[:nickname],
+          public_key: webauthn_credential.public_key,
+          sign_count: webauthn_credential.sign_count
+      )
+        redirect_to root_path, notice: "Security Key registered successfully"
+      else
+        redirect_to new_second_factor_webauthn_credential_path, alert: "Error registering credential"
+      end
+    rescue WebAuthn::Error => e
+      redirect_to new_second_factor_webauthn_credential_path, alert: "Verification failed: #{e.message}"
+    ensure
+      session.delete(:current_registration)
+    end
+  end
+
+  def destroy
+    Current.user.second_factor_webauthn_credentials.destroy(params[:id])
+
+    redirect_to root_path, notice: "Security Key deleted successfully"
+  end
+
+  private
+
+  def create_credential_params
+    params.expect(credential: [ :nickname, :public_key_credential ])
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/controllers/webauthn_sessions_controller.rb

@@ -0,0 +1,50 @@
+class WebauthnSessionsController < ApplicationController
+  allow_unauthenticated_access only: %i[get_options create]
+
+  def get_options
+    get_options = WebAuthn::Credential.options_for_get(user_verification: "required")
+    session[:current_authentication] = { challenge: get_options.challenge }
+
+    render json: get_options
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_get(JSON.parse(session_params[:public_key_credential]))
+
+    stored_credential = WebauthnCredential.passkey.find_by(external_id: webauthn_credential.id)
+    unless stored_credential
+      redirect_to new_session_path, alert: "Credential not recognized"
+      return
+    end
+
+    begin
+      webauthn_credential.verify(
+        session[:current_authentication][:challenge] || session[:current_authentication]["challenge"],
+        public_key: stored_credential.public_key,
+        sign_count: stored_credential.sign_count,
+        user_verification: true,
+      )
+
+      stored_credential.update!(sign_count: webauthn_credential.sign_count)
+      start_new_session_for stored_credential.user
+
+      redirect_to after_authentication_url
+    rescue WebAuthn::Error => e
+      redirect_to new_session_path, alert: "Verification failed: #{e.message}"
+    end
+  ensure
+    session.delete(:current_authentication)
+  end
+
+  def destroy
+    terminate_session
+
+    redirect_to new_session_path
+  end
+
+  private
+
+  def session_params
+    params.expect(session: [ :public_key_credential ])
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/javascript/controllers/webauthn_credentials_controller.js

@@ -0,0 +1,64 @@
+import { Controller } from "@hotwired/stimulus";
+import { create as createWebAuthnJSON, get as getWebAuthnJSON } from "@github/webauthn-json/browser-ponyfill";
+
+export default class extends Controller {
+  static targets = ["credentialHiddenInput", "submitButton"];
+  static values = { optionsUrl: String }
+
+  connect() {
+    this.submitButtonTarget.disabled = false;
+  }
+
+  async create() {
+    try {
+      const optionsResponse = await fetch(this.optionsUrlValue, {
+        method: "POST",
+        body: new FormData(this.element),
+        headers: {
+          "X-CSRF-Token": document.querySelector('meta[name="csrf-token"]')?.getAttribute("content")
+        },
+      });
+
+      const optionsJson = await optionsResponse.json();
+      if (optionsResponse.ok) {
+        const credentialOptions = PublicKeyCredential.parseCreationOptionsFromJSON(optionsJson);
+        const credential = await createWebAuthnJSON({ publicKey: credentialOptions });
+
+        this.credentialHiddenInputTarget.value = JSON.stringify(credential);
+
+        this.element.submit();
+      } else {
+        alert(optionsJson.errors?.[0] || "Unknown error");
+      }
+    } catch (error) {
+      alert(error.message || error);
+    }
+  }
+
+  async get() {
+    try {
+      const optionsResponse = await fetch(this.optionsUrlValue, {
+        method: "POST",
+        body: new FormData(this.element),
+        headers: {
+          "X-CSRF-Token": document.querySelector('meta[name="csrf-token"]')?.getAttribute("content")
+        },
+      });
+
+      const optionsJson = await optionsResponse.json();
+
+      if (optionsResponse.ok) {
+        const credentialOptions = PublicKeyCredential.parseRequestOptionsFromJSON(optionsJson);
+        const credential = await getWebAuthnJSON({ publicKey: credentialOptions });
+
+        this.credentialHiddenInputTarget.value = JSON.stringify(credential);
+
+        this.element.submit();
+      } else {
+        alert(optionsJson.errors?.[0] || "Unknown error");
+      }
+    } catch (error) {
+      alert(error.message || error);
+    }
+  }
+}

data/lib/generators/webauthn_authentication/templates/app/models/webauthn_credential.rb

@@ -0,0 +1,12 @@
+class WebauthnCredential < ApplicationRecord
+  belongs_to :user
+
+  validates :external_id, :public_key, :nickname, :sign_count, presence: true
+  validates :external_id, uniqueness: true
+  validates :sign_count,
+    numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: 2**32 - 1 }
+
+  enum :authentication_factor, { first_factor: 0, second_factor: 1 }
+
+  scope :passkey, -> { first_factor }
+end

data/lib/generators/webauthn_authentication/templates/config/initializers/webauthn.rb

@@ -0,0 +1,8 @@
+WebAuthn.configure do |config|
+  # This value needs to match `window.location.origin` evaluated by
+  # the User Agent during registration and authentication ceremonies.
+  # config.allowed_origins = [ "https://auth.example.com" ]
+
+  # Relying Party name for display purposes
+  # config.rp_name = "Example Inc."
+end

data/lib/generators/webauthn_authentication/webauthn_authentication_generator.rb

@@ -0,0 +1,182 @@
+require "rails/generators/base"
+require "rails/generators/active_record/migration"
+if Rails.version >= "8.1"
+  require "rails/generators/bundle_helper"
+else
+  require "generators/webauthn_authentication/bundle_helper"
+end
+
+class WebauthnAuthenticationGenerator < ::Rails::Generators::Base
+  include ActiveRecord::Generators::Migration
+  include BundleHelper
+
+  source_root File.expand_path("../templates", __FILE__)
+
+  desc "Injects webauthn files to your application."
+
+  class_option :api, type: :boolean,
+    desc: "Generate API-only files, with no view templates"
+
+  class_option :with_rails_authentication, type: :boolean,
+    desc: "Run the Ruby on Rails authentication generator"
+
+  def invoke_rails_authentication
+    invoke "authentication" if options.with_rails_authentication?
+  end
+
+  def modify_sessions_controller
+    if File.exist?(File.join(destination_root, "app/controllers/sessions_controller.rb"))
+      gsub_file "app/controllers/sessions_controller.rb",
+        /^  def create.*?^  end/m,
+        <<~RUBY.strip_heredoc.indent(2)
+          def create
+            if user = User.authenticate_by(params.permit(:email_address, :password))
+              if user.second_factor_enabled?
+                session[:current_authentication] = { user_id: user.id }
+                redirect_to new_second_factor_authentication_path
+              else
+                start_new_session_for user
+                redirect_to after_authentication_url
+              end
+            else
+              redirect_to new_session_path, alert: "Try another email address or password."
+            end
+          end
+        RUBY
+    else
+      raise Thor::Error, "Could not find app/controllers/sessions_controller.rb. Please make sure the Rails Authentication generator was executed, or pass the --with-rails-authentication option."
+    end
+  end
+
+  def inject_to_authentication_concern
+    inject_into_file "app/controllers/concerns/authentication.rb",
+      after: /def terminate_session.*?end\n/m do
+        <<-RUBY.strip_heredoc.indent(4)
+
+          def require_no_authentication
+            if Current.user
+              redirect_to root_path
+            end
+          end
+        RUBY
+      end
+  end
+
+  def copy_controllers_and_concerns
+    template "app/controllers/passkeys_controller.rb"
+    template "app/controllers/webauthn_sessions_controller.rb"
+    template "app/controllers/second_factor_authentications_controller.rb"
+    template "app/controllers/second_factor_webauthn_credentials_controller.rb"
+  end
+
+  hook_for :template_engine do |template_engine|
+    invoke template_engine unless options.api?
+  end
+
+  def copy_stimulus_controllers
+    if using_importmap? || using_bun? || has_package_json?
+      template "app/javascript/controllers/webauthn_credentials_controller.js"
+
+      if using_bun? || has_package_json?
+        run "bin/rails stimulus:manifest:update"
+      end
+    else
+      puts "You must either be running with node (package.json) or importmap-rails (config/importmap.rb) to use this gem."
+    end
+  end
+
+  def inject_js_packages
+    if using_importmap?
+      say %(Appending: pin "@github/webauthn-json/browser-ponyfill", to: "https://ga.jspm.io/npm:@github/webauthn-json@2.1.1/dist/esm/webauthn-json.browser-ponyfill.js")
+      append_to_file "config/importmap.rb", %(pin "@github/webauthn-json/browser-ponyfill", to: "https://ga.jspm.io/npm:@github/webauthn-json@2.1.1/dist/esm/webauthn-json.browser-ponyfill.js"\n)
+    elsif using_bun?
+      say "Adding webauthn-json to your package manager"
+      run "bun add @github/webauthn-json/browser-ponyfill"
+    elsif has_package_json?
+      say "Adding webauthn-json to your package manager"
+      run "yarn add @github/webauthn-json/browser-ponyfill"
+    else
+      puts "You must either be running with node (package.json) or importmap-rails (config/importmap.rb) to use this gem."
+    end
+  end
+
+  def inject_webauthn_dependency
+    unless File.read(File.expand_path("Gemfile", destination_root)).include?('gem "webauthn"')
+      bundle_command("add webauthn", {}, quiet: true)
+    end
+  end
+
+  def copy_initializer_file
+    template "config/initializers/webauthn.rb"
+  end
+
+  def inject_webauthn_content
+    generate "migration", "AddWebauthnToUsers", "webauthn_id:string"
+    inject_webauthn_content_to_user_model
+
+    inject_into_file "config/routes.rb", after: "Rails.application.routes.draw do\n" do
+      <<-RUBY.strip_heredoc.indent(2)
+        resource :webauthn_session, only: [ :create, :destroy ] do
+          post :get_options, on: :collection
+        end
+
+        resources :passkeys, only: [ :new, :create, :destroy ] do
+          post :create_options, on: :collection
+        end
+
+        resources :second_factor_webauthn_credentials, only: [ :new, :create, :destroy ] do
+          post :create_options, on: :collection
+        end
+
+        resource :second_factor_authentication, only: [ :new, :create ] do
+          post :get_options, on: :collection
+        end
+      RUBY
+    end
+
+    template "app/models/webauthn_credential.rb"
+    generate "migration", "CreateWebauthnCredentials", "user:references! external_id:string:uniq public_key:string nickname:string sign_count:integer{8} authentication_factor:integer{1}!"
+  end
+
+  hook_for :test_framework
+
+  def final_message
+    say ""
+    say "Almost done! Now edit `config/initializers/webauthn.rb` and set the `allowed_origins` and `rp_name` for your app.", :yellow
+  end
+
+  private
+
+  def using_bun?
+    File.exist?(File.join(destination_root, "bun.config.js"))
+  end
+
+  def using_importmap?
+    File.exist?(File.join(destination_root, "config/importmap.rb"))
+  end
+
+  def has_package_json?
+    File.exist?(File.join(destination_root, "package.json"))
+  end
+
+  def inject_webauthn_content_to_user_model
+    inject_into_file "app/models/user.rb", after: "normalizes :email_address, with: ->(e) { e.strip.downcase }\n"  do
+      <<-RUBY.strip_heredoc.indent(2)
+
+        has_many :webauthn_credentials, dependent: :destroy
+        with_options class_name: "WebauthnCredential" do
+          has_many :second_factor_webauthn_credentials, -> { second_factor }
+          has_many :passkeys, -> { passkey }
+        end
+
+        after_initialize do
+          self.webauthn_id ||= WebAuthn.generate_user_id
+        end
+
+        def second_factor_enabled?
+          webauthn_credentials.any?
+        end
+      RUBY
+    end
+  end
+end

data/lib/tasks/webauthn/rails_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :webauthn_rails do
+#   # Task goes here
+# end

data/lib/webauthn/rails/version.rb

@@ -1,7 +1,5 @@
-# frozen_string_literal: true
-
 module Webauthn
   module Rails
-    VERSION = "0.0.1"
+    VERSION = "0.1.0"
   end
 end

data/lib/webauthn/rails.rb

@@ -1,10 +1,6 @@
-# frozen_string_literal: true
-
-require_relative "rails/version"
+require "webauthn/rails/version"
 
 module Webauthn
   module Rails
-    class Error < StandardError; end
-    # Your code goes here...
   end
 end