webauthn 1.18.0 → 2.0.0.beta1

data/lib/webauthn/public_key_credential.rb

@@ -1,50 +1,17 @@
 # frozen_string_literal: true
 
-require "base64"
-require "webauthn/authenticator_assertion_response"
-require "webauthn/authenticator_attestation_response"
 require "webauthn/encoder"
 
 module WebAuthn
   class PublicKeyCredential
-    VALID_TYPE = "public-key"
-
     attr_reader :type, :id, :raw_id, :response
 
-    def self.from_create(credential, encoding: :base64)
-      encoder = WebAuthn::Encoder.new(encoding)
-
-      new(
-        type: credential["type"],
-        id: credential["id"],
-        raw_id: encoder.decode(credential["rawId"]),
-        response: WebAuthn::AuthenticatorAttestationResponse.new(
-          attestation_object: encoder.decode(credential["response"]["attestationObject"]),
-          client_data_json: encoder.decode(credential["response"]["clientDataJSON"])
-        )
-      )
-    end
-
-    def self.from_get(credential, encoding: :base64)
-      encoder = WebAuthn::Encoder.new(encoding)
-
-      user_handle =
-        if credential["response"]["userHandle"]
-          encoder.decode(credential["response"]["userHandle"])
-        end
-
+    def self.from_client(credential)
       new(
         type: credential["type"],
         id: credential["id"],
-        raw_id: encoder.decode(credential["rawId"]),
-        response: WebAuthn::AuthenticatorAssertionResponse.new(
-          # FIXME: credential_id doesn't belong inside AuthenticatorAssertionResponse
-          credential_id: Base64.urlsafe_decode64(credential["id"]),
-          authenticator_data: encoder.decode(credential["response"]["authenticatorData"]),
-          client_data_json: encoder.decode(credential["response"]["clientDataJSON"]),
-          signature: encoder.decode(credential["response"]["signature"]),
-          user_handle: user_handle
-        )
+        raw_id: WebAuthn.configuration.encoder.decode(credential["rawId"]),
+        response: response_class.from_client(credential["response"])
       )
     end
 
@@ -55,24 +22,13 @@ module WebAuthn
       @response = response
     end
 
-    def verify(*args)
+    def verify(*_args)
       valid_type? || raise("invalid type")
       valid_id? || raise("invalid id")
-      response.verify(*args)
 
       true
     end
 
-    def public_key
-      response&.authenticator_data&.credential&.public_key
-    end
-
-    def user_handle
-      if response.is_a?(WebAuthn::AuthenticatorAssertionResponse)
-        response.user_handle
-      end
-    end
-
     def sign_count
       response&.authenticator_data&.sign_count
     end
@@ -80,11 +36,15 @@ module WebAuthn
     private
 
     def valid_type?
-      type == VALID_TYPE
+      type == TYPE_PUBLIC_KEY
     end
 
     def valid_id?
-      raw_id && id && raw_id == Base64.urlsafe_decode64(id)
+      raw_id && id && raw_id == WebAuthn.standard_encoder.decode(id)
+    end
+
+    def encoder
+      WebAuthn.configuration.encoder
     end
   end
 end

data/lib/webauthn/public_key_credential/creation_options.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require "cose/algorithm"
+require "webauthn/public_key_credential/options"
+require "webauthn/public_key_credential/rp_entity"
+require "webauthn/public_key_credential/user_entity"
+
+module WebAuthn
+  class PublicKeyCredential
+    class CreationOptions < Options
+      attr_accessor(
+        :attestation,
+        :authenticator_selection,
+        :exclude,
+        :algs,
+        :rp,
+        :user
+      )
+
+      def initialize(
+        attestation: nil,
+        authenticator_selection: nil,
+        exclude_credentials: nil,
+        exclude: nil,
+        pub_key_cred_params: nil,
+        algs: nil,
+        rp: {},
+        user:,
+        **keyword_arguments
+      )
+        super(**keyword_arguments)
+
+        @attestation = attestation
+        @authenticator_selection = authenticator_selection
+        @exclude_credentials = exclude_credentials
+        @exclude = exclude
+        @pub_key_cred_params = pub_key_cred_params
+        @algs = algs
+
+        @rp =
+          if rp.is_a?(Hash)
+            rp[:name] ||= configuration.rp_name
+            rp[:id] ||= configuration.rp_id
+
+            RPEntity.new(rp)
+          else
+            rp
+          end
+
+        @user =
+          if user.is_a?(Hash)
+            UserEntity.new(user)
+          else
+            user
+          end
+      end
+
+      def exclude_credentials
+        @exclude_credentials || exclude_credentials_from_exclude
+      end
+
+      def pub_key_cred_params
+        @pub_key_cred_params || pub_key_cred_params_from_algs
+      end
+
+      private
+
+      def attributes
+        super.concat([:rp, :user, :pub_key_cred_params, :attestation, :authenticator_selection, :exclude_credentials])
+      end
+
+      def exclude_credentials_from_exclude
+        if exclude
+          as_public_key_descriptors(exclude)
+        end
+      end
+
+      def pub_key_cred_params_from_algs
+        Array(algs || configuration.algorithms).map do |alg|
+          alg_id =
+            if alg.is_a?(String) || alg.is_a?(Symbol)
+              COSE::Algorithm.by_name(alg.to_s).id
+            else
+              alg
+            end
+
+          { type: TYPE_PUBLIC_KEY, alg: alg_id }
+        end
+      end
+    end
+  end
+end

data/lib/webauthn/public_key_credential/entity.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require "awrence"
+
+module WebAuthn
+  class PublicKeyCredential
+    class Entity
+      attr_reader :name, :icon
+
+      def initialize(name:, icon: nil)
+        @name = name
+        @icon = icon
+      end
+
+      def as_json
+        to_hash.to_camelback_keys
+      end
+
+      private
+
+      def to_hash
+        hash = {}
+
+        attributes.each do |attribute_name|
+          value = send(attribute_name)
+
+          if value.respond_to?(:as_json)
+            value = value.as_json
+          end
+
+          if value
+            hash[attribute_name] = value
+          end
+        end
+
+        hash
+      end
+
+      def attributes
+        [:name, :icon]
+      end
+    end
+  end
+end

data/lib/webauthn/public_key_credential/options.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require "awrence"
+require "securerandom"
+
+module WebAuthn
+  class PublicKeyCredential
+    class Options
+      CHALLENGE_LENGTH = 32
+
+      attr_reader :timeout, :extensions
+
+      def initialize(timeout: default_timeout, extensions: nil)
+        @timeout = timeout
+        @extensions = extensions
+      end
+
+      def challenge
+        encoder.encode(raw_challenge)
+      end
+
+      # Argument wildcard for Ruby on Rails controller automatic object JSON serialization
+      def as_json(*)
+        to_hash.to_camelback_keys
+      end
+
+      private
+
+      def to_hash
+        hash = {}
+
+        attributes.each do |attribute_name|
+          value = send(attribute_name)
+
+          if value.respond_to?(:as_json)
+            value = value.as_json
+          end
+
+          if value
+            hash[attribute_name] = value
+          end
+        end
+
+        hash
+      end
+
+      def attributes
+        [:challenge, :timeout, :extensions]
+      end
+
+      def encoder
+        WebAuthn.configuration.encoder
+      end
+
+      def raw_challenge
+        @raw_challenge ||= SecureRandom.random_bytes(CHALLENGE_LENGTH)
+      end
+
+      def default_timeout
+        configuration.credential_options_timeout
+      end
+
+      def configuration
+        WebAuthn.configuration
+      end
+
+      def as_public_key_descriptors(ids)
+        Array(ids).map { |id| { type: TYPE_PUBLIC_KEY, id: id } }
+      end
+    end
+  end
+end

data/lib/webauthn/public_key_credential/request_options.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "webauthn/public_key_credential/options"
+
+module WebAuthn
+  class PublicKeyCredential
+    class RequestOptions < Options
+      attr_accessor :rp_id, :allow, :user_verification
+
+      def initialize(rp_id: nil, allow_credentials: nil, allow: nil, user_verification: nil, **keyword_arguments)
+        super(**keyword_arguments)
+
+        @rp_id = rp_id || configuration.rp_id
+        @allow_credentials = allow_credentials
+        @allow = allow
+        @user_verification = user_verification
+      end
+
+      def allow_credentials
+        @allow_credentials || allow_credentials_from_allow || []
+      end
+
+      private
+
+      def attributes
+        super.concat([:allow_credentials, :rp_id, :user_verification])
+      end
+
+      def allow_credentials_from_allow
+        if allow
+          as_public_key_descriptors(allow)
+        end
+      end
+    end
+  end
+end

data/lib/webauthn/public_key_credential/rp_entity.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "webauthn/public_key_credential/entity"
+
+module WebAuthn
+  class PublicKeyCredential
+    class RPEntity < Entity
+      attr_reader :id
+
+      def initialize(id: nil, **keyword_arguments)
+        super(**keyword_arguments)
+
+        @id = id
+      end
+
+      private
+
+      def attributes
+        super.concat([:id])
+      end
+    end
+  end
+end

data/lib/webauthn/public_key_credential/user_entity.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "webauthn/public_key_credential/entity"
+
+module WebAuthn
+  class PublicKeyCredential
+    class UserEntity < Entity
+      attr_reader :id, :display_name
+
+      def initialize(id:, display_name: nil, **keyword_arguments)
+        super(**keyword_arguments)
+
+        @id = id
+        @display_name = display_name || name
+      end
+
+      private
+
+      def attributes
+        super.concat([:id, :display_name])
+      end
+    end
+  end
+end

data/lib/webauthn/public_key_credential_with_assertion.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "webauthn/authenticator_assertion_response"
+require "webauthn/public_key_credential"
+
+module WebAuthn
+  class PublicKeyCredentialWithAssertion < PublicKeyCredential
+    def self.response_class
+      WebAuthn::AuthenticatorAssertionResponse
+    end
+
+    def verify(challenge, public_key:, sign_count:, user_verification: nil)
+      super
+
+      response.verify(
+        encoder.decode(challenge),
+        public_key: encoder.decode(public_key),
+        sign_count: sign_count,
+        user_verification: user_verification
+      )
+
+      true
+    end
+
+    def user_handle
+      if raw_user_handle
+        encoder.encode(raw_user_handle)
+      end
+    end
+
+    def raw_user_handle
+      response.user_handle
+    end
+  end
+end

data/lib/webauthn/public_key_credential_with_attestation.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require "webauthn/authenticator_attestation_response"
+require "webauthn/public_key_credential"
+
+module WebAuthn
+  class PublicKeyCredentialWithAttestation < PublicKeyCredential
+    def self.response_class
+      WebAuthn::AuthenticatorAttestationResponse
+    end
+
+    def verify(challenge, user_verification: nil)
+      super
+
+      response.verify(encoder.decode(challenge), user_verification: user_verification)
+
+      true
+    end
+
+    def public_key
+      if raw_public_key
+        encoder.encode(raw_public_key)
+      end
+    end
+
+    def raw_public_key
+      response&.authenticator_data&.credential&.public_key
+    end
+  end
+end