webauthn-rails 0.0.1 → 0.1.1

data/lib/generators/test_unit/webauthn_authentication/templates/test/controllers/second_factor_webauthn_credentials_controller_test.rb

@@ -0,0 +1,103 @@
+require "test_helper"
+require "webauthn/fake_client"
+
+class SecondFactorWebauthnCredentialsControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = users(:one)
+    @client = WebAuthn::FakeClient.new(WebAuthn.configuration.allowed_origins.first)
+  end
+
+  test "create_options" do
+    sign_in_as @user
+    post create_options_second_factor_webauthn_credentials_url
+
+    assert_response :success
+    body = JSON.parse(response.body)
+    assert body["challenge"].present?
+    assert body["authenticatorSelection"]["residentKey"] == "discouraged"
+    assert body["authenticatorSelection"]["userVerification"] == "discouraged"
+
+    assert_equal session[:current_registration][:challenge], body["challenge"]
+  end
+
+  test "create_options unauthenticated" do
+    post create_options_second_factor_webauthn_credentials_url
+
+    assert_response :redirect
+    assert_redirected_to new_session_url
+  end
+
+  test "create" do
+    sign_in_as @user
+
+    post create_options_second_factor_webauthn_credentials_url
+    challenge = session[:current_registration][:challenge]
+
+    public_key_credential = @client.create(
+      challenge: challenge,
+      user_verified: false,
+    )
+
+    assert_difference("WebauthnCredential.second_factor.count", 1) do
+      post second_factor_webauthn_credentials_url, params: {
+        credential: {
+          nickname: "My Security Key",
+          public_key_credential: public_key_credential.to_json
+        }
+      }
+    end
+
+    assert_redirected_to root_path
+    assert_match (/Security Key registered successfully/), flash[:notice]
+    assert_nil session[:current_registration]
+  end
+
+  test "create with WebAuthn error" do
+    sign_in_as @user
+
+    post create_options_second_factor_webauthn_credentials_url
+
+    public_key_credential = @client.create(
+      user_verified: false,
+    )
+
+    assert_no_difference("WebauthnCredential.count") do
+      post second_factor_webauthn_credentials_url, params: {
+        credential: {
+          nickname: "My Security Key",
+          public_key_credential: public_key_credential.to_json
+        }
+      }
+    end
+
+    assert_redirected_to new_second_factor_webauthn_credential_path
+    assert_match (/Verification failed/), flash[:alert]
+    assert_nil session[:current_registration]
+  end
+
+  test "create unauthenticated" do
+    post second_factor_webauthn_credentials_url
+
+    assert_response :redirect
+    assert_redirected_to new_session_url
+  end
+
+  test "destroy" do
+    credential = WebauthnCredential.second_factor.create!(
+      user: @user,
+      nickname: "My Security Key",
+      external_id: "external_id",
+      public_key: "public_key",
+      sign_count: 0
+    )
+
+    sign_in_as @user
+
+    assert_difference("WebauthnCredential.second_factor.count", -1) do
+      delete second_factor_webauthn_credential_url(credential)
+    end
+
+    assert_redirected_to root_path
+    assert_match (/Security Key deleted successfully/), flash[:notice]
+  end
+end

data/lib/generators/test_unit/webauthn_authentication/templates/test/controllers/webauthn_sessions_controller_test.rb

@@ -0,0 +1,123 @@
+require "test_helper"
+require "webauthn/fake_client"
+
+class WebauthnSessionsControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = users(:one)
+    @client = WebAuthn::FakeClient.new(WebAuthn.configuration.allowed_origins.first)
+
+    creation_options = WebAuthn::Credential.options_for_create(
+      user: { id: @user.webauthn_id, name: @user.email_address }
+    )
+    create_options = @client.create(challenge: creation_options.challenge)
+    credential = WebAuthn::Credential.from_create(create_options)
+
+    WebauthnCredential.passkey.create!(
+      nickname: "My Passkey",
+      user: @user,
+      external_id: credential.id,
+      public_key: credential.public_key,
+      sign_count: 0,
+    )
+  end
+
+  test "get_options" do
+    post get_options_webauthn_session_url
+
+    assert_response :success
+    body = JSON.parse(response.body)
+    assert body["challenge"].present?
+    assert body["userVerification"] == "required"
+
+    assert_equal session[:current_authentication][:challenge], body["challenge"]
+  end
+
+  test "create" do
+    post get_options_webauthn_session_url
+    challenge = session[:current_authentication][:challenge]
+
+    public_key_credential = @client.get(challenge: challenge, user_verified: true)
+
+    post webauthn_session_url, params: {
+      session: {
+        public_key_credential: public_key_credential.to_json
+      }
+    }
+
+    assert_redirected_to root_path
+    assert_nil session[:current_authentication]
+  end
+
+  test "create with WebAuthn error" do
+    post get_options_webauthn_session_url
+    challenge = session[:current_authentication][:challenge]
+
+    public_key_credential = @client.get(challenge: challenge, user_verified: false)
+
+    post webauthn_session_url, params: {
+      session: {
+        public_key_credential: public_key_credential.to_json
+      }
+    }
+
+    assert_redirected_to new_session_path
+    assert_match (/Verification failed/), flash[:alert]
+    assert_nil session[:current_authentication]
+  end
+
+  test "create with unrecognized credential" do
+    post get_options_webauthn_session_url
+    challenge = session[:current_authentication][:challenge]
+
+    public_key_credential = @client.get(challenge: challenge, user_verified: true)
+    public_key_credential["id"] = "invalid-id"
+
+    post webauthn_session_url, params: {
+      session: {
+        public_key_credential: public_key_credential.to_json
+      }
+    }
+
+    assert_redirected_to new_session_path
+    assert_equal "Credential not recognized", flash[:alert]
+    assert_nil session[:current_authentication]
+  end
+
+  test "create with a second factor credential" do
+    client = WebAuthn::FakeClient.new(WebAuthn.configuration.allowed_origins.first)
+
+    creation_options = WebAuthn::Credential.options_for_create(
+      user: { id: @user.webauthn_id, name: @user.email_address }
+    )
+    create_options = client.create(challenge: creation_options.challenge)
+    credential = WebAuthn::Credential.from_create(create_options)
+
+    WebauthnCredential.second_factor.create!(
+      nickname: "Second Factor Key",
+      user: @user,
+      external_id: credential.id,
+      public_key: credential.public_key,
+      sign_count: 0,
+    )
+
+    post get_options_webauthn_session_url
+    challenge = session[:current_authentication][:challenge]
+
+    public_key_credential = client.get(challenge: challenge, user_verified: true)
+
+    post webauthn_session_url, params: {
+      session: {
+        public_key_credential: public_key_credential.to_json
+      }
+    }
+
+    assert_redirected_to new_session_path
+    assert_equal "Credential not recognized", flash[:alert]
+    assert_nil session[:current_authentication]
+  end
+
+  test "destroy" do
+    delete webauthn_session_url
+    assert_redirected_to new_session_path
+  end
+end

data/lib/generators/test_unit/webauthn_authentication/templates/test/system/manage_webauthn_credentials_test.rb

@@ -0,0 +1,76 @@
+require "application_system_test_case"
+require_relative "../test_helpers/virtual_authenticator_test_helper"
+
+class ManageWebauthnCredentialsTest < ApplicationSystemTestCase
+  include VirtualAuthenticatorTestHelper
+
+  def setup
+    user = User.create!(email_address: "alice@example.com", password: "S3cr3tP@ssw0rd!")
+    sign_in_as(user)
+    @authenticator = add_virtual_authenticator
+  end
+
+  def teardown
+    @authenticator.remove!
+  end
+
+  test "add credentials and sign in" do
+    visit root_path
+
+    click_on "Add Passkey"
+
+    fill_in("Security Key nickname", with: "Touch ID")
+    click_on "Add Security Key"
+
+    assert_current_path "/"
+    assert_selector "div", text: "Security Key registered successfully"
+    assert_selector "span", text: "Touch ID"
+
+    click_on "Sign out"
+    assert_selector("input[type=submit][value='Sign in']")
+
+    click_on "Sign In with Passkey"
+
+    assert_current_path "/"
+    assert_selector "h3", text: "Your Passkeys"
+  end
+
+  test "sign in with 2FA WebAuthn credential" do
+    visit root_path
+
+    click_on "Add Second Factor Key"
+
+    fill_in("Security Key nickname", with: "Touch ID")
+    click_on "Add Security Key"
+
+    assert_current_path "/"
+    assert_selector "div", text: "Security Key registered successfully"
+    assert_selector "span", text: "Touch ID"
+
+    click_on "Sign out"
+    assert_selector("input[type=submit][value='Sign in']")
+
+    fill_in "email_address", with: "alice@example.com"
+    fill_in "password", with: "S3cr3tP@ssw0rd!"
+    click_on "Sign in"
+
+    assert_selector "h3", text: "Two-factor authentication"
+    click_on "Use Security Key"
+
+    assert_current_path "/"
+    assert_selector "h3", text: "Your Passkeys"
+  end
+
+  private
+
+  def sign_in_as(user)
+    visit new_session_path
+
+    fill_in "email_address", with: user.email_address
+    fill_in "password", with: user.password
+
+    click_on "Sign in"
+
+    assert_selector "h3", text: "Your Passkeys"
+  end
+end

data/lib/generators/test_unit/webauthn_authentication/templates/test/test_helpers/virtual_authenticator_test_helper.rb

@@ -0,0 +1,9 @@
+module VirtualAuthenticatorTestHelper
+  def add_virtual_authenticator
+    options = ::Selenium::WebDriver::VirtualAuthenticatorOptions.new
+    options.user_verification = true
+    options.user_verified = true
+    options.resident_key = true
+    page.driver.browser.add_virtual_authenticator(options)
+  end
+end

data/lib/generators/test_unit/webauthn_authentication/webauthn_authentication_generator.rb

@@ -0,0 +1,25 @@
+require "rails/generators/test_unit"
+
+module TestUnit
+  module Generators
+    class WebauthnAuthenticationGenerator < Rails::Generators::Base
+      hide!
+      source_root File.expand_path("../templates", __FILE__)
+
+      def create_controller_test_files
+        template "test/controllers/passkeys_controller_test.rb"
+        template "test/controllers/webauthn_sessions_controller_test.rb"
+        template "test/controllers/second_factor_authentications_controller_test.rb"
+        template "test/controllers/second_factor_webauthn_credentials_controller_test.rb"
+      end
+
+      def create_system_test_files
+        template "test/system/manage_webauthn_credentials_test.rb"
+      end
+
+      def create_test_helper_files
+        template "test/test_helpers/virtual_authenticator_test_helper.rb"
+      end
+    end
+  end
+end

data/lib/generators/webauthn_authentication/bundle_helper.rb

@@ -0,0 +1,30 @@
+# Extracted from: https://github.com/rails/rails/blob/7549ba77254f038b1ca6304a0be6cbda8e2a09c4/railties/lib/rails/generators/bundle_helper.rb
+
+module BundleHelper # :nodoc:
+  def bundle_command(command, env = {}, params = {})
+    say_status :run, "bundle #{command}"
+
+    # We are going to shell out rather than invoking Bundler::CLI.new(command)
+    # because `rails new` loads the Thor gem and on the other hand bundler uses
+    # its own vendored Thor, which could be a different version. Running both
+    # things in the same process is a recipe for a night with paracetamol.
+    #
+    # Thanks to James Tucker for the Gem tricks involved in this call.
+    _bundle_command = Gem.bin_path("bundler", "bundle")
+
+    require "bundler"
+    Bundler.with_original_env do
+      exec_bundle_command(_bundle_command, command, env, params)
+    end
+  end
+
+  private
+  def exec_bundle_command(bundle_command, command, env, params)
+    full_command = %Q("#{Gem.ruby}" "#{bundle_command}" #{command})
+    if options[:quiet] || params[:quiet]
+      system(env, full_command, out: File::NULL)
+    else
+      system(env, full_command)
+    end
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/controllers/passkeys_controller.rb

@@ -0,0 +1,61 @@
+class PasskeysController < ApplicationController
+  def create_options
+    create_options = WebAuthn::Credential.options_for_create(
+      user: {
+        id: Current.user.webauthn_id,
+        name: Current.user.email_address
+      },
+      exclude: Current.user.webauthn_credentials.pluck(:external_id),
+      authenticator_selection: {
+        resident_key: "required",
+        user_verification: "required"
+      }
+    )
+
+    session[:current_registration] = { challenge: create_options.challenge }
+
+    render json: create_options
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_create(JSON.parse(create_credential_params[:public_key_credential]))
+
+    begin
+      webauthn_credential.verify(
+        session[:current_registration][:challenge] || session[:current_registration]["challenge"],
+        user_verification: true,
+      )
+
+      credential = Current.user.passkeys.find_or_initialize_by(
+        external_id: webauthn_credential.id
+      )
+
+      if credential.update(
+          nickname: create_credential_params[:nickname],
+          public_key: webauthn_credential.public_key,
+          sign_count: webauthn_credential.sign_count
+      )
+        redirect_to root_path, notice: "Security Key registered successfully"
+      else
+        flash[:alert] = "Error registering credential"
+        render :new
+      end
+    rescue WebAuthn::Error => e
+      redirect_to new_passkey_path, alert: "Verification failed: #{e.message}"
+    end
+  ensure
+    session.delete(:current_registration)
+  end
+
+  def destroy
+    Current.user.passkeys.destroy(params[:id])
+
+    redirect_to root_path, notice: "Security Key deleted successfully"
+  end
+
+  private
+
+  def create_credential_params
+    params.expect(credential: [ :nickname, :public_key_credential ])
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/controllers/second_factor_authentications_controller.rb

@@ -0,0 +1,62 @@
+class SecondFactorAuthenticationsController < ApplicationController
+  allow_unauthenticated_access only: %i[new get_options create]
+  before_action :require_no_authentication
+  before_action :ensure_login_initiated
+
+  def get_options
+    get_options = WebAuthn::Credential.options_for_get(
+      allow: user.webauthn_credentials.pluck(:external_id),
+      user_verification: "discouraged"
+    )
+    session[:current_authentication][:challenge] = get_options.challenge
+
+    render json: get_options
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_get(JSON.parse(session_params[:public_key_credential]))
+
+    credential = user.webauthn_credentials.find_by(external_id: webauthn_credential.id)
+    unless credential
+      redirect_to new_second_factor_authentication_path, alert: "Credential not recognized"
+      return
+    end
+
+    begin
+      webauthn_credential.verify(
+        session[:current_authentication][:challenge] || session[:current_authentication]["challenge"],
+        public_key: credential.public_key,
+        sign_count: credential.sign_count
+      )
+
+      credential.update!(sign_count: webauthn_credential.sign_count)
+      start_new_session_for user
+
+      redirect_to after_authentication_url
+    rescue WebAuthn::Error => e
+      redirect_to new_second_factor_authentication_path, alert: "Verification failed: #{e.message}"
+    end
+  ensure
+    session.delete(:current_authentication)
+  end
+
+  private
+
+  def user
+    @user ||= User.find_by(id: current_authentication_user_id)
+  end
+
+  def ensure_login_initiated
+    if current_authentication_user_id.blank?
+      redirect_to new_session_path
+    end
+  end
+
+  def session_params
+    params.expect(session: [ :public_key_credential ])
+  end
+
+  def current_authentication_user_id
+    session.dig(:current_authentication, :user_id) || session.dig(:current_authentication, "user_id")
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/controllers/second_factor_webauthn_credentials_controller.rb

@@ -0,0 +1,59 @@
+class SecondFactorWebauthnCredentialsController < ApplicationController
+  def create_options
+    create_options = WebAuthn::Credential.options_for_create(
+      user: {
+        id: Current.user.webauthn_id,
+        name: Current.user.email_address
+      },
+      exclude: Current.user.webauthn_credentials.pluck(:external_id),
+      authenticator_selection: {
+        resident_key: "discouraged",
+        user_verification: "discouraged"
+      }
+    )
+
+    session[:current_registration] = { challenge: create_options.challenge }
+
+    render json: create_options
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_create(JSON.parse(create_credential_params[:public_key_credential]))
+
+    begin
+      webauthn_credential.verify(
+        session[:current_registration][:challenge] || session[:current_registration]["challenge"]
+      )
+
+      credential = Current.user.second_factor_webauthn_credentials.find_or_initialize_by(
+        external_id: webauthn_credential.id
+      )
+
+      if credential.update(
+          nickname: create_credential_params[:nickname],
+          public_key: webauthn_credential.public_key,
+          sign_count: webauthn_credential.sign_count
+      )
+        redirect_to root_path, notice: "Security Key registered successfully"
+      else
+        redirect_to new_second_factor_webauthn_credential_path, alert: "Error registering credential"
+      end
+    rescue WebAuthn::Error => e
+      redirect_to new_second_factor_webauthn_credential_path, alert: "Verification failed: #{e.message}"
+    end
+  ensure
+    session.delete(:current_registration)
+  end
+
+  def destroy
+    Current.user.second_factor_webauthn_credentials.destroy(params[:id])
+
+    redirect_to root_path, notice: "Security Key deleted successfully"
+  end
+
+  private
+
+  def create_credential_params
+    params.expect(credential: [ :nickname, :public_key_credential ])
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/controllers/webauthn_sessions_controller.rb

@@ -0,0 +1,50 @@
+class WebauthnSessionsController < ApplicationController
+  allow_unauthenticated_access only: %i[get_options create]
+
+  def get_options
+    get_options = WebAuthn::Credential.options_for_get(user_verification: "required")
+    session[:current_authentication] = { challenge: get_options.challenge }
+
+    render json: get_options
+  end
+
+  def create
+    webauthn_credential = WebAuthn::Credential.from_get(JSON.parse(session_params[:public_key_credential]))
+
+    stored_credential = WebauthnCredential.passkey.find_by(external_id: webauthn_credential.id)
+    unless stored_credential
+      redirect_to new_session_path, alert: "Credential not recognized"
+      return
+    end
+
+    begin
+      webauthn_credential.verify(
+        session[:current_authentication][:challenge] || session[:current_authentication]["challenge"],
+        public_key: stored_credential.public_key,
+        sign_count: stored_credential.sign_count,
+        user_verification: true,
+      )
+
+      stored_credential.update!(sign_count: webauthn_credential.sign_count)
+      start_new_session_for stored_credential.user
+
+      redirect_to after_authentication_url
+    rescue WebAuthn::Error => e
+      redirect_to new_session_path, alert: "Verification failed: #{e.message}"
+    end
+  ensure
+    session.delete(:current_authentication)
+  end
+
+  def destroy
+    terminate_session
+
+    redirect_to new_session_path
+  end
+
+  private
+
+  def session_params
+    params.expect(session: [ :public_key_credential ])
+  end
+end

data/lib/generators/webauthn_authentication/templates/app/javascript/controllers/webauthn_credentials_controller.js

@@ -0,0 +1,64 @@
+import { Controller } from "@hotwired/stimulus";
+import { create as createWebAuthnJSON, get as getWebAuthnJSON } from "@github/webauthn-json/browser-ponyfill";
+
+export default class extends Controller {
+  static targets = ["credentialHiddenInput", "submitButton"];
+  static values = { optionsUrl: String }
+
+  connect() {
+    this.submitButtonTarget.disabled = false;
+  }
+
+  async create() {
+    try {
+      const optionsResponse = await fetch(this.optionsUrlValue, {
+        method: "POST",
+        body: new FormData(this.element),
+        headers: {
+          "X-CSRF-Token": document.querySelector('meta[name="csrf-token"]')?.getAttribute("content")
+        },
+      });
+
+      const optionsJson = await optionsResponse.json();
+      if (optionsResponse.ok) {
+        const credentialOptions = PublicKeyCredential.parseCreationOptionsFromJSON(optionsJson);
+        const credential = await createWebAuthnJSON({ publicKey: credentialOptions });
+
+        this.credentialHiddenInputTarget.value = JSON.stringify(credential);
+
+        this.element.submit();
+      } else {
+        alert(optionsJson.errors?.[0] || "Unknown error");
+      }
+    } catch (error) {
+      alert(error.message || error);
+    }
+  }
+
+  async get() {
+    try {
+      const optionsResponse = await fetch(this.optionsUrlValue, {
+        method: "POST",
+        body: new FormData(this.element),
+        headers: {
+          "X-CSRF-Token": document.querySelector('meta[name="csrf-token"]')?.getAttribute("content")
+        },
+      });
+
+      const optionsJson = await optionsResponse.json();
+
+      if (optionsResponse.ok) {
+        const credentialOptions = PublicKeyCredential.parseRequestOptionsFromJSON(optionsJson);
+        const credential = await getWebAuthnJSON({ publicKey: credentialOptions });
+
+        this.credentialHiddenInputTarget.value = JSON.stringify(credential);
+
+        this.element.submit();
+      } else {
+        alert(optionsJson.errors?.[0] || "Unknown error");
+      }
+    } catch (error) {
+      alert(error.message || error);
+    }
+  }
+}

data/lib/generators/webauthn_authentication/templates/app/models/webauthn_credential.rb

@@ -0,0 +1,12 @@
+class WebauthnCredential < ApplicationRecord
+  belongs_to :user
+
+  validates :external_id, :public_key, :nickname, :sign_count, presence: true
+  validates :external_id, uniqueness: true
+  validates :sign_count,
+    numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: 2**32 - 1 }
+
+  enum :authentication_factor, { first_factor: 0, second_factor: 1 }
+
+  scope :passkey, -> { first_factor }
+end

data/lib/generators/webauthn_authentication/templates/config/initializers/webauthn.rb

@@ -0,0 +1,8 @@
+WebAuthn.configure do |config|
+  # This value needs to match `window.location.origin` evaluated by
+  # the User Agent during registration and authentication ceremonies.
+  # config.allowed_origins = [ "https://auth.example.com" ]
+
+  # Relying Party name for display purposes
+  # config.rp_name = "Example Inc."
+end