├── .ruby-version
├── spec
├── dummy
│ ├── log
│ │ └── .keep
│ ├── lib
│ │ └── assets
│ │ │ └── .keep
│ ├── storage
│ │ └── .keep
│ ├── public
│ │ ├── favicon.ico
│ │ ├── apple-touch-icon.png
│ │ ├── apple-touch-icon-precomposed.png
│ │ ├── 500.html
│ │ ├── 422.html
│ │ └── 404.html
│ ├── app
│ │ ├── assets
│ │ │ ├── images
│ │ │ │ └── .keep
│ │ │ ├── config
│ │ │ │ └── manifest.js
│ │ │ └── stylesheets
│ │ │ │ └── application.css
│ │ ├── models
│ │ │ ├── concerns
│ │ │ │ └── .keep
│ │ │ ├── user.rb
│ │ │ ├── application_record.rb
│ │ │ └── contact.rb
│ │ ├── controllers
│ │ │ ├── concerns
│ │ │ │ └── .keep
│ │ │ └── application_controller.rb
│ │ ├── helpers
│ │ │ └── application_helper.rb
│ │ ├── channels
│ │ │ └── application_cable
│ │ │ │ ├── channel.rb
│ │ │ │ └── connection.rb
│ │ ├── mailers
│ │ │ └── application_mailer.rb
│ │ ├── jobs
│ │ │ └── application_job.rb
│ │ └── views
│ │ │ └── layouts
│ │ │ └── application.html.erb
│ ├── bin
│ │ ├── rake
│ │ ├── rails
│ │ └── setup
│ ├── config
│ │ ├── environment.rb
│ │ ├── routes.rb
│ │ ├── cable.yml
│ │ ├── boot.rb
│ │ ├── initializers
│ │ │ ├── filter_parameter_logging.rb
│ │ │ ├── permissions_policy.rb
│ │ │ ├── assets.rb
│ │ │ ├── inflections.rb
│ │ │ └── content_security_policy.rb
│ │ ├── database.yml
│ │ ├── application.rb
│ │ ├── locales
│ │ │ └── en.yml
│ │ ├── storage.yml
│ │ ├── puma.rb
│ │ └── environments
│ │ │ ├── test.rb
│ │ │ ├── development.rb
│ │ │ └── production.rb
│ ├── config.ru
│ ├── Rakefile
│ └── db
│ │ ├── migrate
│ │ ├── 20230620194014_create_users.rb
│ │ └── 20230624050358_create_contacts.rb
│ │ └── schema.rb
├── support
│ ├── json_helpers.rb
│ ├── webauthn_helper.rb
│ └── api_helpers.rb
├── factories
│ ├── passkeys.rb
│ └── agents.rb
├── interactors
│ └── passkeys
│ │ └── rails
│ │ ├── begin_authentication_spec.rb
│ │ ├── generate_auth_token_spec.rb
│ │ ├── refresh_token_spec.rb
│ │ ├── validate_auth_token_spec.rb
│ │ ├── begin_challenge_spec.rb
│ │ ├── debug_login_spec.rb
│ │ ├── begin_registration_spec.rb
│ │ ├── finish_authentication_spec.rb
│ │ ├── debug_register_spec.rb
│ │ └── finish_registration_spec.rb
├── generator
│ └── passkeys_rails
│ │ └── install_generator_spec.rb
├── requests
│ ├── passkeys
│ │ └── rails
│ │ │ ├── passkeys_controller_refresh_spec.rb
│ │ │ ├── passkeys_controller_debug_login_spec.rb
│ │ │ ├── passkeys_controller_debug_register_spec.rb
│ │ │ ├── passkeys_controller_challenge_spec.rb
│ │ │ ├── passkeys_controller_authenticate_spec.rb
│ │ │ └── passkeys_controller_register_spec.rb
│ └── application_controller_spec.rb
├── configuration_spec.rb
├── features
│ └── register_new_user_spec.rb
├── spec_helper.rb
├── rails_helper.rb
└── passkeys_rails_spec.rb
├── .rspec
├── lib
├── passkeys_rails
│ ├── version.rb
│ ├── railtie.rb
│ ├── engine.rb
│ ├── test
│ │ └── integration_helpers.rb
│ └── configuration.rb
├── tasks
│ └── passkeys_rails_tasks.rake
├── generators
│ └── passkeys_rails
│ │ ├── USAGE
│ │ ├── templates
│ │ ├── README
│ │ └── passkeys_rails_config.rb
│ │ └── install_generator.rb
└── passkeys-rails.rb
├── app
├── models
│ ├── passkeys_rails
│ │ ├── application_record.rb
│ │ ├── passkey.rb
│ │ ├── error.rb
│ │ └── agent.rb
│ └── concerns
│ │ └── passkeys_rails
│ │ ├── authenticatable.rb
│ │ ├── debuggable.rb
│ │ └── authenticatable_creator.rb
├── interactors
│ └── passkeys_rails
│ │ ├── begin_authentication.rb
│ │ ├── refresh_token.rb
│ │ ├── generate_auth_token.rb
│ │ ├── begin_challenge.rb
│ │ ├── begin_registration.rb
│ │ ├── validate_auth_token.rb
│ │ ├── debug_login.rb
│ │ ├── debug_register.rb
│ │ ├── finish_authentication.rb
│ │ └── finish_registration.rb
└── controllers
│ ├── concerns
│ └── passkeys_rails
│ │ └── authentication.rb
│ └── passkeys_rails
│ ├── application_controller.rb
│ └── passkeys_controller.rb
├── Gemfile
├── .travis.yml
├── db
└── migrate
│ ├── 20230620012600_create_passkeys_rails_passkeys.rb
│ └── 20230620012530_create_passkeys_rails_agents.rb
├── Dangerfile
├── config
├── initializers
│ └── application_controller.rb
└── routes.rb
├── .gitignore
├── .reek.yml
├── bin
├── rails
└── rake
├── .github
└── workflows
│ └── danger.yml
├── Rakefile
├── MIT-LICENSE
├── RELEASING.md
├── CHANGELOG.md
├── passkeys_rails.gemspec
├── CODE_OF_CONDUCT.md
├── CONTRIBUTION_GUIDELINES.md
├── .rubocop.yml
├── Gemfile.lock
└── README.md
/.ruby-version:
--------------------------------------------------------------------------------
1 | 3.2.2
2 |
--------------------------------------------------------------------------------
/spec/dummy/log/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/spec/dummy/lib/assets/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/spec/dummy/storage/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/spec/dummy/public/favicon.ico:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/spec/dummy/app/assets/images/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/spec/dummy/app/models/concerns/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/spec/dummy/public/apple-touch-icon.png:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/spec/dummy/app/controllers/concerns/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/spec/dummy/public/apple-touch-icon-precomposed.png:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/.rspec:
--------------------------------------------------------------------------------
1 | --color
2 | --require rails_helper
3 | --order rand
4 |
--------------------------------------------------------------------------------
/spec/dummy/app/helpers/application_helper.rb:
--------------------------------------------------------------------------------
1 | module ApplicationHelper
2 | end
3 |
--------------------------------------------------------------------------------
/lib/passkeys_rails/version.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | VERSION = "0.3.4".freeze
3 | end
4 |
--------------------------------------------------------------------------------
/spec/dummy/app/models/user.rb:
--------------------------------------------------------------------------------
1 | class User < ApplicationRecord
2 | include PasskeysRails::Authenticatable
3 | end
4 |
--------------------------------------------------------------------------------
/spec/dummy/bin/rake:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | require_relative "../config/boot"
3 | require "rake"
4 | Rake.application.run
5 |
--------------------------------------------------------------------------------
/spec/dummy/app/models/application_record.rb:
--------------------------------------------------------------------------------
1 | class ApplicationRecord < ActiveRecord::Base
2 | primary_abstract_class
3 | end
4 |
--------------------------------------------------------------------------------
/lib/tasks/passkeys_rails_tasks.rake:
--------------------------------------------------------------------------------
1 | # desc "Explaining what the task does"
2 | # task :passkeys_rails do
3 | # # Task goes here
4 | # end
5 |
--------------------------------------------------------------------------------
/spec/dummy/app/channels/application_cable/channel.rb:
--------------------------------------------------------------------------------
1 | module ApplicationCable
2 | class Channel < ActionCable::Channel::Base
3 | end
4 | end
5 |
--------------------------------------------------------------------------------
/spec/dummy/app/assets/config/manifest.js:
--------------------------------------------------------------------------------
1 | //= link_tree ../images
2 | //= link_directory ../stylesheets .css
3 | //= link passkeys_rails_manifest.js
4 |
--------------------------------------------------------------------------------
/spec/dummy/app/channels/application_cable/connection.rb:
--------------------------------------------------------------------------------
1 | module ApplicationCable
2 | class Connection < ActionCable::Connection::Base
3 | end
4 | end
5 |
--------------------------------------------------------------------------------
/spec/dummy/app/mailers/application_mailer.rb:
--------------------------------------------------------------------------------
1 | class ApplicationMailer < ActionMailer::Base
2 | default from: "from@example.com"
3 | layout "mailer"
4 | end
5 |
--------------------------------------------------------------------------------
/app/models/passkeys_rails/application_record.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class ApplicationRecord < ActiveRecord::Base
3 | self.abstract_class = true
4 | end
5 | end
6 |
--------------------------------------------------------------------------------
/spec/dummy/bin/rails:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | APP_PATH = File.expand_path("../config/application", __dir__)
3 | require_relative "../config/boot"
4 | require "rails/commands"
5 |
--------------------------------------------------------------------------------
/spec/dummy/config/environment.rb:
--------------------------------------------------------------------------------
1 | # Load the Rails application.
2 | require_relative "application"
3 |
4 | # Initialize the Rails application.
5 | Rails.application.initialize!
6 |
--------------------------------------------------------------------------------
/spec/dummy/config/routes.rb:
--------------------------------------------------------------------------------
1 | Rails.application.routes.draw do
2 | mount PasskeysRails::Engine => "/passkeys_rails"
3 | root to: 'application#index'
4 | get '/home' => 'application#home'
5 | end
6 |
--------------------------------------------------------------------------------
/spec/dummy/config.ru:
--------------------------------------------------------------------------------
1 | # This file is used by Rack-based servers to start the application.
2 |
3 | require_relative "config/environment"
4 |
5 | run Rails.application
6 | Rails.application.load_server
7 |
--------------------------------------------------------------------------------
/spec/support/json_helpers.rb:
--------------------------------------------------------------------------------
1 | module Requests
2 | module JsonHelpers
3 | def json
4 | json = JSON.parse(response.body)
5 | json.is_a?(Hash) ? json.with_indifferent_access : json
6 | end
7 | end
8 | end
9 |
--------------------------------------------------------------------------------
/spec/dummy/app/models/contact.rb:
--------------------------------------------------------------------------------
1 | class Contact < ApplicationRecord
2 | validates :first_name, presence: true
3 | validates :last_name, presence: true
4 | validates :phone, presence: true
5 | validates :email, presence: true
6 | end
7 |
--------------------------------------------------------------------------------
/app/interactors/passkeys_rails/begin_authentication.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class BeginAuthentication
3 | include Interactor
4 |
5 | def call
6 | context.options = WebAuthn::Credential.options_for_get
7 | end
8 | end
9 | end
10 |
--------------------------------------------------------------------------------
/spec/dummy/config/cable.yml:
--------------------------------------------------------------------------------
1 | development:
2 | adapter: async
3 |
4 | test:
5 | adapter: test
6 |
7 | production:
8 | adapter: redis
9 | url: <%= ENV.fetch("REDIS_URL") { "redis://localhost:6379/1" } %>
10 | channel_prefix: dummy_production
11 |
--------------------------------------------------------------------------------
/spec/dummy/Rakefile:
--------------------------------------------------------------------------------
1 | # Add your own tasks in files placed in lib/tasks ending in .rake,
2 | # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
3 |
4 | require_relative "config/application"
5 |
6 | Rails.application.load_tasks
7 |
--------------------------------------------------------------------------------
/spec/dummy/config/boot.rb:
--------------------------------------------------------------------------------
1 | # Set up gems listed in the Gemfile.
2 | ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../../Gemfile", __dir__)
3 |
4 | require "bundler/setup" if File.exist?(ENV["BUNDLE_GEMFILE"])
5 | $LOAD_PATH.unshift File.expand_path("../../../lib", __dir__)
6 |
--------------------------------------------------------------------------------
/spec/factories/passkeys.rb:
--------------------------------------------------------------------------------
1 | FactoryBot.define do
2 | factory :passkey, class: "PasskeysRails::Passkey" do
3 | agent
4 | sequence(:identifier) { |i| "identifier #{i}" }
5 | sequence(:public_key) { |i| "public key #{i}" }
6 | sign_count { 0 }
7 | end
8 | end
9 |
--------------------------------------------------------------------------------
/app/models/passkeys_rails/passkey.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class Passkey < ApplicationRecord
3 | belongs_to :agent
4 | validates :identifier, presence: true, uniqueness: true
5 | validates :public_key, presence: true
6 | validates :sign_count, presence: true
7 | end
8 | end
9 |
--------------------------------------------------------------------------------
/spec/dummy/db/migrate/20230620194014_create_users.rb:
--------------------------------------------------------------------------------
1 | class CreateUsers < ActiveRecord::Migration[7.0]
2 | def change
3 | # rubocop:disable Style/SymbolProc
4 | create_table :users do |t|
5 | t.timestamps
6 | end
7 | # rubocop:enable Style/SymbolProc
8 | end
9 | end
10 |
--------------------------------------------------------------------------------
/spec/dummy/app/jobs/application_job.rb:
--------------------------------------------------------------------------------
1 | class ApplicationJob < ActiveJob::Base
2 | # Automatically retry jobs that encountered a deadlock
3 | # retry_on ActiveRecord::Deadlocked
4 |
5 | # Most jobs are safe to ignore if the underlying records are no longer available
6 | # discard_on ActiveJob::DeserializationError
7 | end
8 |
--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
1 | source "https://rubygems.org"
2 | git_source(:github) { |repo| "https://github.com/#{repo}.git" }
3 |
4 | # Specify your gem's dependencies in passkeys_rails.gemspec.
5 | gemspec
6 |
7 | # other development dependencies
8 | group :test do
9 | gem 'tzinfo-data', platforms: %i[mingw mswin x64_mingw jruby]
10 | end
11 |
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: ruby
2 | rvm:
3 | - 3.2.1
4 |
5 | env:
6 | - DB=sqlite
7 | - DB=mysql
8 | - DB=postgresql
9 |
10 | before_script:
11 | - rake app:db:create
12 | - rake app:db:migrate
13 | - rake app:db:test:prepare
14 |
15 | after_script:
16 | - rake app:de:rollback
17 |
18 | branches:
19 | only:
20 | - main
21 |
--------------------------------------------------------------------------------
/app/models/passkeys_rails/error.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class Error < StandardError
3 | attr_reader :hash
4 |
5 | def initialize(message, hash = {})
6 | @hash = hash
7 | super(message)
8 | end
9 |
10 | def to_h
11 | { error: hash.merge(context: message) }
12 | end
13 | end
14 | end
15 |
--------------------------------------------------------------------------------
/spec/dummy/db/migrate/20230624050358_create_contacts.rb:
--------------------------------------------------------------------------------
1 | class CreateContacts < ActiveRecord::Migration[7.0]
2 | def change
3 | create_table :contacts do |t|
4 | t.string :first_name
5 | t.string :last_name
6 | t.string :phone
7 | t.string :email
8 |
9 | t.timestamps
10 | end
11 | end
12 | end
13 |
--------------------------------------------------------------------------------
/spec/dummy/app/controllers/application_controller.rb:
--------------------------------------------------------------------------------
1 | class ApplicationController < ActionController::Base
2 | before_action :authenticate_passkey!, only: :index
3 |
4 | def index
5 | render json: { username: current_agent&.username }
6 | end
7 |
8 | def home
9 | render json: { username: current_agent&.username }
10 | end
11 | end
12 |
--------------------------------------------------------------------------------
/lib/generators/passkeys_rails/USAGE:
--------------------------------------------------------------------------------
1 | Description:
2 | Creates a PasskeysRails config file, updates the routes and adds migrations.
3 |
4 | Example:
5 | bin/rails generate passkeys_rails:install
6 |
7 | This will:
8 | create config/passkeys_rails.rb
9 | add database migrations
10 | update routes to mount the passkeys_rails engine
11 |
--------------------------------------------------------------------------------
/spec/dummy/app/views/layouts/application.html.erb:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Dummy
5 |
6 | <%= csrf_meta_tags %>
7 | <%= csp_meta_tag %>
8 |
9 | <%= stylesheet_link_tag "application" %>
10 |
11 |
12 |
13 | <%= yield %>
14 |
15 |
16 |
--------------------------------------------------------------------------------
/db/migrate/20230620012600_create_passkeys_rails_passkeys.rb:
--------------------------------------------------------------------------------
1 | class CreatePasskeysRailsPasskeys < ActiveRecord::Migration[7.0]
2 | def change
3 | create_table :passkeys_rails_passkeys do |t|
4 | t.string :identifier
5 | t.string :public_key
6 | t.integer :sign_count
7 | t.references :agent, null: false, foreign_key: { to_table: :passkeys_rails_agents }
8 |
9 | t.timestamps
10 | end
11 | end
12 | end
13 |
--------------------------------------------------------------------------------
/spec/interactors/passkeys/rails/begin_authentication_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::BeginAuthentication do
2 | let(:call) { described_class.call }
3 |
4 | it "returns options from WebAuthn" do
5 | options = "SOME OPTIONS"
6 | allow(WebAuthn::Credential).to receive(:options_for_get).and_return(options)
7 |
8 | result = call
9 | expect(result).to be_success
10 | expect(result.options).to eq options
11 | end
12 | end
13 |
--------------------------------------------------------------------------------
/lib/passkeys_rails/railtie.rb:
--------------------------------------------------------------------------------
1 | require 'passkeys-rails'
2 | require 'rails'
3 |
4 | module PasskeysRails
5 | class Railtie < ::Rails::Railtie
6 | railtie_name :passkeys_rails
7 |
8 | rake_tasks do
9 | path = File.expand_path(__dir__)
10 | Dir.glob("#{path}/tasks/**/*.rake").each { |f| load f }
11 | end
12 |
13 | generators do
14 | require "generators/passkeys_rails/install_generator"
15 | end
16 | end
17 | end
18 |
--------------------------------------------------------------------------------
/spec/dummy/config/initializers/filter_parameter_logging.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Configure parameters to be filtered from the log file. Use this to limit dissemination of
4 | # sensitive information. See the ActiveSupport::ParameterFilter documentation for supported
5 | # notations and behaviors.
6 | Rails.application.config.filter_parameters += %i[
7 | passw secret token _key crypt salt certificate otp ssn
8 | ]
9 |
--------------------------------------------------------------------------------
/spec/dummy/config/initializers/permissions_policy.rb:
--------------------------------------------------------------------------------
1 | # Define an application-wide HTTP permissions policy. For further
2 | # information see https://developers.google.com/web/updates/2018/06/feature-policy
3 | #
4 | # Rails.application.config.permissions_policy do |f|
5 | # f.camera :none
6 | # f.gyroscope :none
7 | # f.microphone :none
8 | # f.usb :none
9 | # f.fullscreen :self
10 | # f.payment :self, "https://secure.example.com"
11 | # end
12 |
--------------------------------------------------------------------------------
/app/models/passkeys_rails/agent.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class Agent < ApplicationRecord
3 | belongs_to :authenticatable, polymorphic: true, optional: true
4 | has_many :passkeys
5 |
6 | scope :registered, -> { where.not registered_at: nil }
7 | scope :unregistered, -> { where registered_at: nil }
8 |
9 | validates :username, presence: true, uniqueness: true
10 |
11 | def registered?
12 | registered_at.present?
13 | end
14 | end
15 | end
16 |
--------------------------------------------------------------------------------
/Dangerfile:
--------------------------------------------------------------------------------
1 | # Make it more obvious that a PR is a work in progress and shouldn't be merged yet
2 | warn("PR is classed as Work in Progress") if github.pr_title.include? "[WIP]"
3 |
4 | # Warn when there is a big PR
5 | warn("Big PR") if git.lines_of_code > 500
6 |
7 | # Don't let testing shortcuts get into master by accident
8 | raise("fdescribe left in tests") if `grep -r fdescribe specs/ `.length > 1
9 | raise("fit left in tests") if `grep -r fit specs/ `.length > 1
10 |
11 | toc.check
12 | changelog.check
13 |
--------------------------------------------------------------------------------
/spec/factories/agents.rb:
--------------------------------------------------------------------------------
1 | FactoryBot.define do
2 | factory :agent, class: "PasskeysRails::Agent" do
3 | sequence(:username) { |n| "username-#{n}" }
4 | registered_at { nil }
5 | last_authenticated_at { nil }
6 |
7 | trait :registered do
8 | registered_at { 1.day.ago }
9 | end
10 |
11 | trait :unregistered do
12 | registered_at { nil }
13 | end
14 |
15 | trait :recentyl_authenticated do
16 | last_authenticated_at { 2.hours.ago }
17 | end
18 | end
19 | end
20 |
--------------------------------------------------------------------------------
/config/initializers/application_controller.rb:
--------------------------------------------------------------------------------
1 | # These should be autoloaded, but if these aren't required here, apps using this
2 | # gem will throw an exception that PasskeysRails::Authentication can't be found
3 | require_relative '../../app/controllers/concerns/passkeys_rails/authentication'
4 | require_relative '../../app/models/passkeys_rails/error'
5 |
6 | class ActionController::Base
7 | include PasskeysRails::Authentication
8 | end
9 |
10 | class ActionController::API
11 | include PasskeysRails::Authentication
12 | end
13 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /.bundle/
2 | /doc/
3 | /log/*.log
4 | /pkg/
5 | /tmp/
6 | /coverage/
7 | /spec/reports/
8 |
9 | # rspec failure tracking
10 | .rspec_status
11 |
12 | *.code-workspace
13 | .env
14 |
15 | /spec/dummy/db/*.sqlite3
16 | /spec/dummy/db/*.sqlite3-*
17 | /spec/dummy/log/*.log
18 | /spec/dummy/storage/
19 | /spec/dummy/tmp/
20 | *.gem
21 | .yardoc
22 | .vscode
23 | spec/dummy/db/migrate/*_create_passkeys_rails_agents.passkeys_rails.rb
24 | spec/dummy/db/migrate/*_create_passkeys_rails_passkeys.passkeys_rails.rb
25 | *.breakpoints
26 |
--------------------------------------------------------------------------------
/.reek.yml:
--------------------------------------------------------------------------------
1 | # Auto generated by Reeks --todo flag
2 | ---
3 | detectors:
4 | MissingSafeMethod:
5 | enabled: false
6 | UncommunicativeParameterName:
7 | enabled: false
8 | UncommunicativeVariableName:
9 | enabled: false
10 | IrresponsibleModule:
11 | enabled: false
12 |
13 | Attribute:
14 | exclude:
15 | - PasskeysRails#auth_token_algorithm
16 | - PasskeysRails#auth_token_expires_in
17 | - PasskeysRails#auth_token_secret
18 | - PasskeysRails#default_class
19 | - PasskeysRails#class_whitelist
20 |
--------------------------------------------------------------------------------
/app/models/concerns/passkeys_rails/authenticatable.rb:
--------------------------------------------------------------------------------
1 | require 'active_support/concern'
2 |
3 | module PasskeysRails
4 | module Authenticatable
5 | extend ActiveSupport::Concern
6 |
7 | included do
8 | has_one :agent, as: :authenticatable, class_name: "PasskeysRails::Agent"
9 |
10 | delegate :username, to: :agent, allow_nil: true
11 | delegate :registered?, to: :agent, allow_nil: true
12 |
13 | def registering_with(_params)
14 | # initialize required attributes
15 | end
16 | end
17 | end
18 | end
19 |
--------------------------------------------------------------------------------
/lib/passkeys_rails/engine.rb:
--------------------------------------------------------------------------------
1 | require "rails"
2 | require "active_support/core_ext/numeric/time"
3 | require "active_support/dependencies"
4 |
5 | require "interactor"
6 | require "jwt"
7 | require "webauthn"
8 |
9 | module PasskeysRails
10 | class Engine < ::Rails::Engine
11 | isolate_namespace PasskeysRails
12 |
13 | config.generators do |g|
14 | g.test_framework :rspec
15 | g.fixture_replacement :factory_bot
16 | g.factory_bot dir: 'spec/factories'
17 | g.assets false
18 | g.helper false
19 | end
20 | end
21 | end
22 |
--------------------------------------------------------------------------------
/app/models/concerns/passkeys_rails/debuggable.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | module Debuggable
3 | extend ActiveSupport::Concern
4 |
5 | protected
6 |
7 | def ensure_debug_mode
8 | context.fail!(code: :not_allowed, message: 'Action not allowed') if username_regex.blank?
9 | end
10 |
11 | def ensure_regex_match
12 | context.fail!(code: :not_allowed, message: 'Invalid username') unless username&.match?(username_regex)
13 | end
14 |
15 | def username_regex
16 | PasskeysRails.debug_login_regex
17 | end
18 | end
19 | end
20 |
--------------------------------------------------------------------------------
/spec/dummy/config/initializers/assets.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Version of your assets, change this if you want to expire all your assets.
4 | # Rails.application.config.assets.version = "1.0"
5 |
6 | # Add additional assets to the asset load path.
7 | # Rails.application.config.assets.paths << Emoji.images_path
8 |
9 | # Precompile additional assets.
10 | # application.js, application.css, and all non-JS/CSS in the app/assets
11 | # folder are already added.
12 | # Rails.application.config.assets.precompile += %w( admin.js admin.css )
13 |
--------------------------------------------------------------------------------
/app/interactors/passkeys_rails/refresh_token.rb:
--------------------------------------------------------------------------------
1 | # Finish authentication ceremony
2 | module PasskeysRails
3 | class RefreshToken
4 | include Interactor
5 |
6 | delegate :token, to: :context
7 |
8 | def call
9 | agent = ValidateAuthToken.call!(auth_token: token).agent
10 |
11 | context.agent = agent
12 | context.username = agent.username
13 | context.auth_token = GenerateAuthToken.call!(agent:).auth_token
14 | rescue Interactor::Failure => e
15 | context.fail! code: e.context.code, message: e.context.message
16 | end
17 | end
18 | end
19 |
--------------------------------------------------------------------------------
/bin/rails:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # This command will automatically be run when you run "rails" with Rails gems
3 | # installed from the root of your application.
4 |
5 | ENGINE_ROOT = File.expand_path("..", __dir__)
6 | ENGINE_PATH = File.expand_path("../lib/passkeys/rails/engine", __dir__)
7 | APP_PATH = File.expand_path("../spec/dummy/config/application", __dir__)
8 |
9 | # Set up gems listed in the Gemfile.
10 | ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
11 | require "bundler/setup" if File.exist?(ENV["BUNDLE_GEMFILE"])
12 |
13 | require "rails/all"
14 | require "rails/engine/commands"
15 |
--------------------------------------------------------------------------------
/.github/workflows/danger.yml:
--------------------------------------------------------------------------------
1 | name: PR Linter
2 | on: [pull_request]
3 | jobs:
4 | danger:
5 | runs-on: ubuntu-latest
6 | steps:
7 | - uses: actions/checkout@v3
8 | with:
9 | fetch-depth: 0
10 | - name: Set up Ruby
11 | uses: ruby/setup-ruby@v1
12 | with:
13 | bundler-cache: true
14 | ruby-version: 3.1
15 | - run: |
16 | # the personal token is public, this is ok, base64 encode to avoid tripping Github
17 | TOKEN=$(echo -n Z2hwX2JPUVEwOEhqekRoZWhzNGplUkRvMzNENjRmOUR1UzNSSU80dQo= | base64 --decode)
18 | DANGER_GITHUB_API_TOKEN=$TOKEN bundle exec danger --verbose
19 |
20 |
--------------------------------------------------------------------------------
/config/routes.rb:
--------------------------------------------------------------------------------
1 | PasskeysRails::Engine.routes.draw do
2 | post 'challenge', to: 'passkeys#challenge'
3 | post 'register', to: 'passkeys#register'
4 | post 'authenticate', to: 'passkeys#authenticate'
5 | post 'refresh', to: 'passkeys#refresh'
6 |
7 | # These routes exist to allow easier mobile app debugging as it may not
8 | # be possible to acess Passkey functionality in mobile simulators.
9 | # CAUTION: It is very insecure to set DEBUG_LOGIN_REGEX in a production environment.
10 | constraints(->(_request) { PasskeysRails.debug_login_regex.present? }) do
11 | post 'debug_login', to: 'passkeys#debug_login'
12 | post 'debug_register', to: 'passkeys#debug_register'
13 | end
14 | end
15 |
--------------------------------------------------------------------------------
/app/interactors/passkeys_rails/generate_auth_token.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class GenerateAuthToken
3 | include Interactor
4 |
5 | delegate :agent, to: :context
6 |
7 | def call
8 | context.auth_token = generate_auth_token
9 | end
10 |
11 | private
12 |
13 | def generate_auth_token
14 | JWT.encode(jwt_payload,
15 | PasskeysRails.auth_token_secret,
16 | PasskeysRails.auth_token_algorithm)
17 | end
18 |
19 | def jwt_payload
20 | expiration = (Time.current + PasskeysRails.auth_token_expires_in).to_i
21 |
22 | payload = { agent_id: agent.id }
23 | payload[:exp] = expiration unless expiration.zero?
24 | payload
25 | end
26 | end
27 | end
28 |
--------------------------------------------------------------------------------
/spec/dummy/config/database.yml:
--------------------------------------------------------------------------------
1 | # SQLite. Versions 3.8.0 and up are supported.
2 | # gem install sqlite3
3 | #
4 | # Ensure the SQLite 3 gem is defined in your Gemfile
5 | # gem "sqlite3"
6 | #
7 | default: &default
8 | adapter: sqlite3
9 | pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
10 | timeout: 5000
11 |
12 | development:
13 | <<: *default
14 | database: db/development.sqlite3
15 |
16 | # Warning: The database defined as "test" will be erased and
17 | # re-generated from your development database when you run "rake".
18 | # Do not set this db to the same as development or production.
19 | test:
20 | <<: *default
21 | database: db/test.sqlite3
22 |
23 | production:
24 | <<: *default
25 | database: db/production.sqlite3
26 |
--------------------------------------------------------------------------------
/spec/dummy/config/initializers/inflections.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Add new inflection rules using the following format. Inflections
4 | # are locale specific, and you may define rules for as many different
5 | # locales as you wish. All of these examples are active by default:
6 | # ActiveSupport::Inflector.inflections(:en) do |inflect|
7 | # inflect.plural /^(ox)$/i, "\\1en"
8 | # inflect.singular /^(ox)en/i, "\\1"
9 | # inflect.irregular "person", "people"
10 | # inflect.uncountable %w( fish sheep )
11 | # end
12 |
13 | # These inflection rules are supported but not enabled by default:
14 | # ActiveSupport::Inflector.inflections(:en) do |inflect|
15 | # inflect.acronym "RESTful"
16 | # end
17 |
--------------------------------------------------------------------------------
/spec/interactors/passkeys/rails/generate_auth_token_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::GenerateAuthToken do
2 | let(:call) { described_class.call agent: }
3 |
4 | context "with an agent" do
5 | let(:agent) { create(:agent) }
6 |
7 | it "returns a properly encoded JWT" do
8 | result = call
9 | expect(result).to be_success
10 |
11 | token = result.auth_token
12 | expect(token).to be_a String
13 |
14 | payload, = JWT.decode(token, PasskeysRails.auth_token_secret, true, { algorithm: PasskeysRails.auth_token_algorithm })
15 |
16 | expect(payload['agent_id']).to eq agent.id
17 | expect(payload['exp']).to be_present
18 | expect(Time.zone.at(payload['exp'])).to be_future
19 | end
20 | end
21 | end
22 |
--------------------------------------------------------------------------------
/lib/generators/passkeys_rails/templates/README:
--------------------------------------------------------------------------------
1 | ===============================================================================
2 |
3 | Depending on your application's configuration some manual setup may be required:
4 |
5 | 1. Add a before_action to all controllers that require authentication to use.
6 |
7 | For example:
8 |
9 | before_action :authenticate_passkey!, except: [:index]
10 |
11 | 2. Optionally include PasskeysRails::Authenticatable to the model(s) you are using as
12 | your user model(s). For example, the User model.
13 |
14 | 3. See the reference mobile applications for how to use passkeys-rails for passkey
15 | authentication.
16 |
17 | ===============================================================================
18 |
--------------------------------------------------------------------------------
/Rakefile:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env rake
2 |
3 | begin
4 | require 'bundler/setup'
5 | rescue LoadError
6 | puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
7 | end
8 |
9 | Bundler::GemHelper.install_tasks
10 |
11 | APP_RAKEFILE = File.expand_path('spec/dummy/Rakefile', __dir__)
12 | load 'rails/tasks/engine.rake'
13 | require 'rspec/core/rake_task'
14 |
15 | RSpec::Core::RakeTask.new(:spec) do |spec|
16 | spec.pattern = 'spec/**/*_spec.rb'
17 | end
18 |
19 | require "rubocop/rake_task"
20 | RuboCop::RakeTask.new do |task|
21 | task.requires << 'rubocop-rails'
22 | task.requires << 'rubocop-performance'
23 | task.requires << 'rubocop-rspec'
24 | task.requires << 'rubocop-rake'
25 | task.requires << 'rubocop-factory_bot'
26 | end
27 |
28 | task default: %i[spec rubocop]
29 |
--------------------------------------------------------------------------------
/spec/dummy/app/assets/stylesheets/application.css:
--------------------------------------------------------------------------------
1 | /*
2 | * This is a manifest file that'll be compiled into application.css, which will include all the files
3 | * listed below.
4 | *
5 | * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
6 | * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
7 | *
8 | * You're free to add application-wide styles to this file and they'll appear at the bottom of the
9 | * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
10 | * files in this directory. Styles in this file should be added after the last require_* statement.
11 | * It is generally better to create a new file per style scope.
12 | *
13 | *= require_tree .
14 | *= require_self
15 | */
16 |
--------------------------------------------------------------------------------
/app/controllers/concerns/passkeys_rails/authentication.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | module Authentication
3 | extend ActiveSupport::Concern
4 |
5 | included do
6 | rescue_from PasskeysRails::Error do |e|
7 | render json: e.to_h, status: :unauthorized
8 | end
9 | end
10 |
11 | def current_agent
12 | @current_agent ||= (passkey_authentication_result.success? &&
13 | passkey_authentication_result.agent.registered? &&
14 | passkey_authentication_result.agent) || nil
15 | end
16 |
17 | def authenticate_passkey!
18 | @authenticate_passkey ||= PasskeysRails.authenticate!(request)
19 | end
20 |
21 | def passkey_authentication_result
22 | @passkey_authentication_result ||= PasskeysRails.authenticate(request)
23 | end
24 | end
25 | end
26 |
--------------------------------------------------------------------------------
/bin/rake:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # frozen_string_literal: true
3 |
4 | #
5 | # This file was generated by Bundler.
6 | #
7 | # The application 'rake' is installed as part of a gem, and
8 | # this file is here to facilitate running it.
9 | #
10 |
11 | ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
12 |
13 | bundle_binstub = File.expand_path("bundle", __dir__)
14 |
15 | if File.file?(bundle_binstub)
16 | if File.read(bundle_binstub, 300).include?("This file was generated by Bundler")
17 | load(bundle_binstub)
18 | else
19 | abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
20 | Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
21 | end
22 | end
23 |
24 | require "rubygems"
25 | require "bundler/setup"
26 |
27 | load Gem.bin_path("rake", "rake")
28 |
--------------------------------------------------------------------------------
/app/interactors/passkeys_rails/begin_challenge.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class BeginChallenge
3 | include Interactor
4 |
5 | delegate :username, to: :context
6 |
7 | def call
8 | result = generate_challenge!
9 |
10 | options = result.options
11 |
12 | context.response = options
13 | context.cookie_data = cookie_data(options)
14 | rescue Interactor::Failure => e
15 | context.fail! code: e.context.code, message: e.context.message
16 | end
17 |
18 | private
19 |
20 | def generate_challenge!
21 | if username.present?
22 | BeginRegistration.call!(username:)
23 | else
24 | BeginAuthentication.call!
25 | end
26 | end
27 |
28 | def cookie_data(options)
29 | {
30 | username:,
31 | challenge: options.challenge
32 | }
33 | end
34 | end
35 | end
36 |
--------------------------------------------------------------------------------
/db/migrate/20230620012530_create_passkeys_rails_agents.rb:
--------------------------------------------------------------------------------
1 | class CreatePasskeysRailsAgents < ActiveRecord::Migration[7.0]
2 | def change
3 | create_table :passkeys_rails_agents do |t|
4 | t.string :username, null: false
5 | t.references :authenticatable, polymorphic: true
6 | t.string :webauthn_identifier
7 | t.datetime :registered_at
8 | t.datetime :last_authenticated_at
9 |
10 | t.timestamps
11 | end
12 |
13 | # Make the authenticatable index enforce uniqueness
14 | remove_index :passkeys_rails_agents, %i[authenticatable_type authenticatable_id], name: 'index_passkeys_rails_agents_on_authenticatable'
15 | add_index :passkeys_rails_agents, %i[authenticatable_type authenticatable_id], unique: true, name: 'index_passkeys_rails_agents_on_authenticatable'
16 | add_index :passkeys_rails_agents, :username, unique: true
17 | end
18 | end
19 |
--------------------------------------------------------------------------------
/spec/dummy/config/application.rb:
--------------------------------------------------------------------------------
1 | require_relative "boot"
2 |
3 | require "rails/all"
4 |
5 | # Require the gems listed in Gemfile, including any gems
6 | # you've limited to :test, :development, or :production.
7 | Bundler.require(*Rails.groups)
8 |
9 | module Dummy
10 | class Application < Rails::Application
11 | config.load_defaults Rails::VERSION::STRING.to_f
12 |
13 | # For compatibility with applications that use this config
14 | config.action_controller.include_all_helpers = false
15 |
16 | # Configuration for the application, engines, and railties goes here.
17 | #
18 | # These settings can be overridden in specific environments using the files
19 | # in config/environments, which are processed later.
20 | #
21 | # config.time_zone = "Central Time (US & Canada)"
22 | # config.eager_load_paths << Rails.root.join("extras")
23 | end
24 | end
25 |
--------------------------------------------------------------------------------
/app/interactors/passkeys_rails/begin_registration.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class BeginRegistration
3 | include Interactor
4 |
5 | delegate :username, to: :context
6 |
7 | def call
8 | agent = create_or_replace_unregistered_agent
9 |
10 | context.options = WebAuthn::Credential.options_for_create(user: { id: agent.webauthn_identifier, name: agent.username })
11 | end
12 |
13 | private
14 |
15 | def create_or_replace_unregistered_agent
16 | context.fail! code: :origin_error, message: "config.wa_origin must be set" if WebAuthn.configuration.origin.blank?
17 |
18 | Agent.unregistered.where(username:).destroy_all
19 |
20 | agent = Agent.create(username:, webauthn_identifier: WebAuthn.generate_user_id)
21 |
22 | context.fail!(code: :validation_errors, message: agent.errors.full_messages.to_sentence) unless agent.valid?
23 |
24 | agent
25 | end
26 | end
27 | end
28 |
--------------------------------------------------------------------------------
/lib/generators/passkeys_rails/install_generator.rb:
--------------------------------------------------------------------------------
1 | require 'rails/generators'
2 |
3 | module PasskeysRails
4 | module Generators
5 | class InstallGenerator < ::Rails::Generators::Base
6 | source_root File.expand_path("templates", __dir__)
7 |
8 | desc "Adds passkeys config file to your application."
9 | def copy_config
10 | template 'passkeys_rails_config.rb', "config/initializers/passkeys_rails.rb"
11 | end
12 |
13 | desc "Adds passkeys routes to your application."
14 | def add_routes
15 | route 'mount PasskeysRails::Engine => "/passkeys"'
16 | end
17 |
18 | desc "Copies migrations to your application."
19 | def copy_migrations
20 | rake("passkeys_rails:install:migrations")
21 | end
22 |
23 | desc "Displays readme during installation."
24 | def show_readme
25 | readme "README" if behavior == :invoke
26 | end
27 | end
28 | end
29 | end
30 |
--------------------------------------------------------------------------------
/spec/dummy/config/locales/en.yml:
--------------------------------------------------------------------------------
1 | # Files in the config/locales directory are used for internationalization
2 | # and are automatically loaded by Rails. If you want to use locales other
3 | # than English, add the necessary files in this directory.
4 | #
5 | # To use the locales, use `I18n.t`:
6 | #
7 | # I18n.t "hello"
8 | #
9 | # In views, this is aliased to just `t`:
10 | #
11 | # <%= t("hello") %>
12 | #
13 | # To use a different locale, set it with `I18n.locale`:
14 | #
15 | # I18n.locale = :es
16 | #
17 | # This would use the information in config/locales/es.yml.
18 | #
19 | # The following keys must be escaped otherwise they will not be retrieved by
20 | # the default I18n backend:
21 | #
22 | # true, false, on, off, yes, no
23 | #
24 | # Instead, surround them with single quotes.
25 | #
26 | # en:
27 | # "true": "foo"
28 | #
29 | # To learn more, please read the Rails Internationalization guide
30 | # available at https://guides.rubyonrails.org/i18n.html.
31 |
32 | en:
33 | hello: "Hello world"
34 |
--------------------------------------------------------------------------------
/app/controllers/passkeys_rails/application_controller.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class ApplicationController < ActionController::Base
3 | rescue_from StandardError, with: :handle_standard_error
4 | rescue_from ::Interactor::Failure, with: :handle_interactor_failure
5 | rescue_from ActionController::ParameterMissing, with: :handle_missing_parameter
6 |
7 | protected
8 |
9 | def handle_standard_error(error)
10 | render_error(:authentication, 'error', error.message.truncate(512), status: 500)
11 | end
12 |
13 | def handle_missing_parameter(error)
14 | render_error(:authentication, 'missing_parameter', error.message)
15 | end
16 |
17 | def handle_interactor_failure(failure)
18 | render_error(:authentication, failure.context.code, failure.context.message)
19 | end
20 |
21 | private
22 |
23 | def render_error(context, code, message, status: :unprocessable_entity)
24 | render json: { error: { context:, code:, message: } }, status:
25 | end
26 | end
27 | end
28 |
--------------------------------------------------------------------------------
/app/interactors/passkeys_rails/validate_auth_token.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | class ValidateAuthToken
3 | include Interactor
4 |
5 | delegate :auth_token, to: :context
6 |
7 | def call
8 | context.fail!(code: :missing_token, message: "X-Auth header is required") if auth_token.blank?
9 |
10 | context.agent = fetch_agent
11 | end
12 |
13 | private
14 |
15 | def fetch_agent
16 | agent = Agent.find_by(id: payload['agent_id'])
17 | context.fail!(code: :invalid_token, message: "Invalid token - no agent exists with agent_id") if agent.blank?
18 |
19 | agent
20 | end
21 |
22 | def payload
23 | JWT.decode(auth_token,
24 | PasskeysRails.auth_token_secret,
25 | true,
26 | { required_claims: %w[exp agent_id], algorithm: PasskeysRails.auth_token_algorithm }).first
27 | rescue JWT::ExpiredSignature
28 | context.fail!(code: :expired_token, message: "The token has expired")
29 | rescue StandardError => e
30 | context.fail!(code: :token_error, message: e.message)
31 | end
32 | end
33 | end
34 |
--------------------------------------------------------------------------------
/MIT-LICENSE:
--------------------------------------------------------------------------------
1 | Copyright 2023 Troy Anderson
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining
4 | a copy of this software and associated documentation files (the
5 | "Software"), to deal in the Software without restriction, including
6 | without limitation the rights to use, copy, modify, merge, publish,
7 | distribute, sublicense, and/or sell copies of the Software, and to
8 | permit persons to whom the Software is furnished to do so, subject to
9 | the following conditions:
10 |
11 | The above copyright notice and this permission notice shall be
12 | included in all copies or substantial portions of the Software.
13 |
14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 |
--------------------------------------------------------------------------------
/spec/dummy/bin/setup:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | require "fileutils"
3 |
4 | # path to your application root.
5 | APP_ROOT = File.expand_path("..", __dir__)
6 |
7 | def system!(*args)
8 | system(*args) || abort("\n== Command #{args} failed ==")
9 | end
10 |
11 | FileUtils.chdir APP_ROOT do
12 | # This script is a way to set up or update your development environment automatically.
13 | # This script is idempotent, so that you can run it at any time and get an expectable outcome.
14 | # Add necessary setup steps to this file.
15 |
16 | puts "== Installing dependencies =="
17 | system! "gem install bundler --conservative"
18 | system("bundle check") || system!("bundle install")
19 |
20 | # puts "\n== Copying sample files =="
21 | # unless File.exist?("config/database.yml")
22 | # FileUtils.cp "config/database.yml.sample", "config/database.yml"
23 | # end
24 |
25 | puts "\n== Preparing database =="
26 | system! "bin/rails db:prepare"
27 |
28 | puts "\n== Removing old logs and tempfiles =="
29 | system! "bin/rails log:clear tmp:clear"
30 |
31 | puts "\n== Restarting application server =="
32 | system! "bin/rails restart"
33 | end
34 |
--------------------------------------------------------------------------------
/app/interactors/passkeys_rails/debug_login.rb:
--------------------------------------------------------------------------------
1 | # This functionality exists to allow easier mobile app debugging as it may not
2 | # be possible to acess Passkey functionality in mobile simulators.
3 | # It is only operational if DEBUG_LOGIN_REGEX is set in the server environment.
4 | # CAUTION: It is very insecure to set DEBUG_LOGIN_REGEX in a production environment.
5 | module PasskeysRails
6 | class DebugLogin
7 | include Interactor
8 | include Debuggable
9 |
10 | delegate :username, to: :context
11 |
12 | def call
13 | ensure_debug_mode
14 | ensure_regex_match
15 |
16 | context.agent = agent
17 | context.username = agent.username
18 | context.auth_token = GenerateAuthToken.call!(agent:).auth_token
19 | rescue Interactor::Failure => e
20 | context.fail! code: e.context.code, message: e.context.message
21 | end
22 |
23 | private
24 |
25 | def agent
26 | @agent ||= begin
27 | agent = Agent.find_by(username:)
28 | context.fail!(code: :agent_not_found, message: "No agent found with that username") if agent.blank?
29 | agent
30 | end
31 | end
32 | end
33 | end
34 |
--------------------------------------------------------------------------------
/spec/generator/passkeys_rails/install_generator_spec.rb:
--------------------------------------------------------------------------------
1 | require 'generators/passkeys_rails/install_generator'
2 |
3 | RSpec.describe PasskeysRails::Generators::InstallGenerator do
4 | destination Rails.root.join('tmp')
5 |
6 | def create_temporary_routes_file
7 | FileUtils.mkdir_p(File.join(destination_root, "config"))
8 |
9 | routes_content = <<~CONTENT
10 | Rails.application.routes.draw do
11 | root to: 'application#index'
12 | end
13 | CONTENT
14 |
15 | File.write(File.join(destination_root, "config/routes.rb"), routes_content)
16 | end
17 |
18 | before do
19 | prepare_destination
20 | create_temporary_routes_file
21 | run_generator
22 | end
23 |
24 | it "has the correct structure and contents" do
25 | expect(destination_root).to have_structure {
26 | directory "config" do
27 | directory "initializers" do
28 | file "passkeys_rails.rb" do
29 | contains 'PasskeysRails.config do |c|'
30 | end
31 | end
32 | file 'routes.rb' do
33 | contains 'mount PasskeysRails::Engine => "/passkeys"'
34 | end
35 | end
36 | }
37 | end
38 | end
39 |
--------------------------------------------------------------------------------
/spec/dummy/config/initializers/content_security_policy.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Define an application-wide content security policy.
4 | # See the Securing Rails Applications Guide for more information:
5 | # https://guides.rubyonrails.org/security.html#content-security-policy-header
6 |
7 | # Rails.application.configure do
8 | # config.content_security_policy do |policy|
9 | # policy.default_src :self, :https
10 | # policy.font_src :self, :https, :data
11 | # policy.img_src :self, :https, :data
12 | # policy.object_src :none
13 | # policy.script_src :self, :https
14 | # policy.style_src :self, :https
15 | # # Specify URI for violation reports
16 | # # policy.report_uri "/csp-violation-report-endpoint"
17 | # end
18 | #
19 | # # Generate session nonces for permitted importmap and inline scripts
20 | # config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
21 | # config.content_security_policy_nonce_directives = %w(script-src)
22 | #
23 | # # Report violations without enforcing the policy.
24 | # # config.content_security_policy_report_only = true
25 | # end
26 |
--------------------------------------------------------------------------------
/spec/requests/passkeys/rails/passkeys_controller_refresh_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::PasskeysController do
2 | let(:call_api) { post '/passkeys_rails/refresh', params:, headers: }
3 |
4 | include_context 'with api params'
5 |
6 | it_behaves_like 'an api that requires some params'
7 |
8 | context 'with required params' do
9 | let(:required_params) { { auth_token: "123" } }
10 |
11 | context 'with valid parameters and a successfull call to RefreshToken' do
12 | before {
13 | allow(PasskeysRails::RefreshToken)
14 | .to receive(:call!)
15 | .and_return(Interactor::Context.build(username: "name", auth_token: "123", agent:))
16 | }
17 |
18 | let(:agent) { create(:agent) }
19 |
20 | it 'Succeeds and returns instance credentails' do
21 | call_api
22 |
23 | expect_success
24 | expect(PasskeysRails::RefreshToken).to have_received(:call!).exactly(1).time
25 | expect(json.keys).to match_array %w[username auth_token]
26 | expect(json).to include(username: "name", auth_token: "123")
27 | end
28 |
29 | it_behaves_like "a notifier", :did_refresh
30 | end
31 | end
32 | end
33 |
--------------------------------------------------------------------------------
/spec/dummy/config/storage.yml:
--------------------------------------------------------------------------------
1 | test:
2 | service: Disk
3 | root: <%= Rails.root.join("tmp/storage") %>
4 |
5 | local:
6 | service: Disk
7 | root: <%= Rails.root.join("storage") %>
8 |
9 | # Use bin/rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key)
10 | # amazon:
11 | # service: S3
12 | # access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %>
13 | # secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %>
14 | # region: us-east-1
15 | # bucket: your_own_bucket-<%= Rails.env %>
16 |
17 | # Remember not to checkin your GCS keyfile to a repository
18 | # google:
19 | # service: GCS
20 | # project: your_project
21 | # credentials: <%= Rails.root.join("path/to/gcs.keyfile") %>
22 | # bucket: your_own_bucket-<%= Rails.env %>
23 |
24 | # Use bin/rails credentials:edit to set the Azure Storage secret (as azure_storage:storage_access_key)
25 | # microsoft:
26 | # service: AzureStorage
27 | # storage_account_name: your_account_name
28 | # storage_access_key: <%= Rails.application.credentials.dig(:azure_storage, :storage_access_key) %>
29 | # container: your_container_name-<%= Rails.env %>
30 |
31 | # mirror:
32 | # service: Mirror
33 | # primary: local
34 | # mirrors: [ amazon, google, microsoft ]
35 |
--------------------------------------------------------------------------------
/spec/interactors/passkeys/rails/refresh_token_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::RefreshToken do
2 | let(:call) { described_class.call token: }
3 | let(:agent) { create(:agent) }
4 | let(:token) { nil }
5 |
6 | context "with a valid, non-expired token" do
7 | let(:token) { PasskeysRails::GenerateAuthToken.call(agent:).auth_token }
8 |
9 | it "returns a new auth token that expires in the future" do
10 | result = call
11 | expect(result).to be_success
12 |
13 | token = result.auth_token
14 | expect(token).to be_a String
15 | expect(result.agent).to be_a PasskeysRails::Agent
16 |
17 | payload, = JWT.decode(token, PasskeysRails.auth_token_secret, true, { algorithm: PasskeysRails.auth_token_algorithm })
18 |
19 | expect(payload['agent_id']).to eq agent.id
20 | expect(payload['exp']).to be_present
21 | expect(Time.zone.at(payload['exp'])).to be_future
22 | end
23 | end
24 |
25 | context "with an bogus token" do
26 | let(:token) { "BOGUS" }
27 |
28 | it_behaves_like "a failing call", :token_error, "Not enough or too many segments"
29 | end
30 |
31 | context "with a valid, but expired token" do
32 | let(:token) { Timecop.freeze(1.year.ago) { PasskeysRails::GenerateAuthToken.call(agent:).auth_token } }
33 |
34 | it_behaves_like "a failing call", :expired_token, "The token has expired"
35 | end
36 | end
37 |
--------------------------------------------------------------------------------
/spec/configuration_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::Configuration do
2 | subject(:configuration) { described_class.new }
3 |
4 | it "allows customization auth_token_expires_in" do
5 | new_value = 1.week
6 |
7 | expect { configuration.auth_token_expires_in = new_value }
8 | .to change { configuration.auth_token_expires_in }
9 | .to(new_value)
10 | end
11 |
12 | it "allows customization auth_token_algorithm" do
13 | expect { configuration.auth_token_algorithm = "MY ALGORITHM" }
14 | .to change { configuration.auth_token_algorithm }
15 | .from("HS256")
16 | .to("MY ALGORITHM")
17 | end
18 |
19 | it "allows customization auth_token_secret" do
20 | expect { configuration.auth_token_secret = "MY SECRET" }
21 | .to change { configuration.auth_token_secret }
22 | .from(Rails.application.secret_key_base)
23 | .to("MY SECRET")
24 | end
25 |
26 | it "allows customization default_class" do
27 | expect { configuration.default_class = "AdminUser" }
28 | .to change { configuration.default_class }
29 | .from("User")
30 | .to("AdminUser")
31 | end
32 |
33 | it "allows customization class_whitelist" do
34 | expect { configuration.class_whitelist = %w[User AdminUser] }
35 | .to change { configuration.class_whitelist }
36 | .from(nil)
37 | .to match_array(%w[User AdminUser])
38 | end
39 | end
40 |
--------------------------------------------------------------------------------
/RELEASING.md:
--------------------------------------------------------------------------------
1 | # Releasing passkeys-rails
2 |
3 | There're no hard rules about when to release passkeys-rails. Release bug fixes frequently, features not so frequently and breaking API changes rarely.
4 |
5 | ### Release
6 |
7 | Run tests, check that all tests succeed locally.
8 |
9 | ```
10 | bundle install
11 | bundle exec rake
12 | ```
13 |
14 | Change "Next" in [CHANGELOG.md](CHANGELOG.md) to the current date.
15 |
16 | ```
17 | ### 0.2.2 (2024/12/25)
18 | ```
19 |
20 | Remove the line with "Your contribution here.", since there will be no more contributions to this release.
21 |
22 | Commit your changes.
23 |
24 | ```
25 | git add CHANGELOG.md
26 | git commit -m "Preparing for release 0.2.2"
27 | git push origin main
28 | ```
29 |
30 | Release.
31 |
32 | ```
33 | $ bundle exec rake release
34 |
35 | passkeys-rails 0.2.2 built to pkg/passkeys-rails-0.2.2.gem.
36 | Tagged v0.2.2.
37 | Pushed git commits and tags.
38 | Pushed passkeys-rails 0.2.2 to rubygems.org.
39 | ```
40 |
41 | ### Prepare for the Next Version
42 |
43 | Add the next release to [CHANGELOG.md](CHANGELOG.md).
44 |
45 | ```
46 | ### 0.2.3 (Next)
47 |
48 | - Your contribution here.
49 | ```
50 |
51 | Increment the third version number in [lib/passkeys_rails/version.rb](lib/passkeys_rails/version.rb).
52 |
53 | Commit your changes.
54 |
55 | ```
56 | git add CHANGELOG.md lib/passkeys_rails/version.rb
57 | git commit -m "Preparing for next development iteration - 0.2.3"
58 | git push origin main
59 | ```
60 |
--------------------------------------------------------------------------------
/lib/passkeys_rails/test/integration_helpers.rb:
--------------------------------------------------------------------------------
1 | module PasskeysRails
2 | # PasskeysRails::Test::IntegrationHelpers is a helper module for facilitating
3 | # authentication on Rails integration tests to bypass the required steps for
4 | # signin in or signin out a record.
5 | #
6 | # Examples
7 | #
8 | # class PostsTest < ActionDispatch::IntegrationTest
9 | # include PasskeysRails::Test::IntegrationHelpers
10 | #
11 | # test 'authenticated users can see posts' do
12 | # get '/posts', headers: logged_in_headers('username-1')
13 | # assert_response :success
14 | # end
15 | # end
16 | module Test
17 | module IntegrationHelpers
18 | def self.included(base)
19 | base.class_eval do
20 | setup :setup_integration_for_passkeys_rails
21 | teardown :teardown_integration_for_passkeys_rails
22 | end
23 | end
24 |
25 | def logged_in_headers(username, authenticatable = nil, headers: {})
26 | @agent = Agent.create(username:, registered_at: Time.current, authenticatable:)
27 | result = PasskeysRails::GenerateAuthToken.call(agent:)
28 | raise result.message if result.failure?
29 |
30 | headers.merge("X-Auth" => result.auth_token)
31 | end
32 |
33 | protected
34 |
35 | attr_reader :agent
36 |
37 | def setup_integration_for_passkeys_rails
38 | # Nothing to do here
39 | end
40 |
41 | def teardown_integration_for_passkeys_rails
42 | @agent&.destroy
43 | end
44 | end
45 | end
46 | end
47 |
--------------------------------------------------------------------------------
/app/interactors/passkeys_rails/debug_register.rb:
--------------------------------------------------------------------------------
1 | # This functionality exists to allow easier mobile app debugging as it may not
2 | # be possible to acess Passkey functionality in mobile simulators.
3 | # It is only operational if DEBUG_LOGIN_REGEX is set in the server environment.
4 | # CAUTION: It is very insecure to set DEBUG_LOGIN_REGEX in a production environment.
5 | module PasskeysRails
6 | class DebugRegister
7 | include Interactor
8 | include Debuggable
9 | include AuthenticatableCreator
10 |
11 | delegate :username, :authenticatable_info, to: :context
12 |
13 | def call
14 | ensure_debug_mode
15 | ensure_regex_match
16 |
17 | ActiveRecord::Base.transaction do
18 | create_authenticatable! if aux_class_name.present?
19 | end
20 |
21 | context.agent = agent
22 | context.username = agent.username
23 | context.auth_token = GenerateAuthToken.call!(agent:).auth_token
24 | rescue Interactor::Failure => e
25 | context.fail! code: e.context.code, message: e.context.message
26 | end
27 |
28 | private
29 |
30 | def agent
31 | @agent ||= begin
32 | result = BeginRegistration.call(username:)
33 | context.fail!(code: result.code, message: result.message) if result.failure?
34 |
35 | agent = Agent.find_by(username:)
36 | context.fail!(code: :agent_not_found, message: "No agent found with that username") if agent.blank?
37 |
38 | agent.update! registered_at: Time.current
39 |
40 | agent
41 | end
42 | end
43 | end
44 | end
45 |
--------------------------------------------------------------------------------
/spec/interactors/passkeys/rails/validate_auth_token_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::ValidateAuthToken do
2 | let(:call) { described_class.call auth_token: }
3 |
4 | context "with a valid auth_token" do
5 | let(:agent) { create(:agent) }
6 | let(:auth_token) { PasskeysRails::GenerateAuthToken.call(agent:).auth_token }
7 |
8 | it "returns the agent" do
9 | result = call
10 | expect(result).to be_success
11 | expect(result.agent).to eq agent
12 | end
13 | end
14 |
15 | context "with an bogus auth_token" do
16 | let(:auth_token) { "BOGUS" }
17 |
18 | it_behaves_like "a failing call", :token_error, "Not enough or too many segments"
19 | end
20 |
21 | context "with a JWT with an agent_id, but without an expiration" do
22 | let(:auth_token) { JWT.encode({ agent_id: 123 }, PasskeysRails.auth_token_secret, PasskeysRails.auth_token_algorithm) }
23 |
24 | it_behaves_like "a failing call", :token_error, "Missing required claim exp"
25 | end
26 |
27 | context "with a JWT with an expiration, but without an agent_id" do
28 | let(:auth_token) { JWT.encode({ exp: 1.day.from_now.to_i }, PasskeysRails.auth_token_secret, PasskeysRails.auth_token_algorithm) }
29 |
30 | it_behaves_like "a failing call", :token_error, "Missing required claim agent_id"
31 | end
32 |
33 | context "with a JWT with an expiration, but an agent_id that doesn't exist" do
34 | let(:auth_token) { JWT.encode({ exp: 1.day.from_now.to_i, agent_id: 0 }, PasskeysRails.auth_token_secret, PasskeysRails.auth_token_algorithm) }
35 |
36 | it_behaves_like "a failing call", :invalid_token, "Invalid token - no agent exists with agent_id"
37 | end
38 | end
39 |
--------------------------------------------------------------------------------
/spec/requests/passkeys/rails/passkeys_controller_debug_login_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::PasskeysController do
2 | let(:call_api) { post '/passkeys_rails/debug_login', params:, headers: }
3 |
4 | context "when debug_login_regex is empty" do
5 | before { allow(PasskeysRails).to receive(:debug_login_regex).and_return(nil) }
6 |
7 | let(:params) { {} }
8 | let(:headers) { {} }
9 |
10 | it 'responds that there are no matching routes' do
11 | expect(call_api).to eq 404
12 | end
13 | end
14 |
15 | context "when debug_login_regex has a regex that matches adam-123" do
16 | before { allow(PasskeysRails).to receive(:debug_login_regex).and_return(/^adam-\d+$/) }
17 |
18 | include_context 'with api params'
19 |
20 | it_behaves_like 'an api that requires some params'
21 |
22 | context 'with required params' do
23 | let(:required_params) { { username: 'adam-123' } }
24 |
25 | context 'with valid parameters and a successfull call to DebugLogin' do
26 | before {
27 | allow(PasskeysRails::DebugLogin)
28 | .to receive(:call!)
29 | .and_return(Interactor::Context.build(username: "adam-123", auth_token: "456", agent: create(:agent)))
30 | }
31 |
32 | it 'Succeeds and returns instance credentails' do
33 | call_api
34 |
35 | expect_success
36 | expect(PasskeysRails::DebugLogin).to have_received(:call!).exactly(1).time
37 | expect(json.keys).to match_array %w[username auth_token]
38 | expect(json).to include(username: "adam-123", auth_token: "456")
39 | end
40 |
41 | it_behaves_like "a notifier", :did_authenticate
42 | end
43 | end
44 | end
45 | end
46 |
--------------------------------------------------------------------------------
/spec/requests/passkeys/rails/passkeys_controller_debug_register_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::PasskeysController do
2 | let(:call_api) { post '/passkeys_rails/debug_register', params:, headers: }
3 |
4 | context "when debug_login_regex is empty" do
5 | before { allow(PasskeysRails).to receive(:debug_login_regex).and_return(nil) }
6 |
7 | let(:params) { {} }
8 | let(:headers) { {} }
9 |
10 | it 'responds that there are no matching routes' do
11 | expect(call_api).to eq 404
12 | end
13 | end
14 |
15 | context "when debug_login_regex has a regex that matches adam-123" do
16 | before { allow(PasskeysRails).to receive(:debug_login_regex).and_return(/^adam-\d+$/) }
17 |
18 | include_context 'with api params'
19 |
20 | it_behaves_like 'an api that requires some params'
21 |
22 | context 'with required params' do
23 | let(:required_params) { { username: 'adam-123' } }
24 |
25 | context 'with valid parameters and a successfull call to DebugRegister' do
26 | before {
27 | allow(PasskeysRails::DebugRegister)
28 | .to receive(:call!)
29 | .and_return(Interactor::Context.build(username: "adam-123", auth_token: "456", agent: create(:agent)))
30 | }
31 |
32 | it 'Succeeds and returns instance credentails' do
33 | call_api
34 |
35 | expect_success
36 | expect(PasskeysRails::DebugRegister).to have_received(:call!).exactly(1).time
37 | expect(json.keys).to match_array %w[username auth_token]
38 | expect(json).to include(username: "adam-123", auth_token: "456")
39 | end
40 |
41 | it_behaves_like "a notifier", :did_register
42 | end
43 | end
44 | end
45 | end
46 |
--------------------------------------------------------------------------------
/spec/interactors/passkeys/rails/begin_challenge_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::BeginChallenge do
2 | let(:call) { described_class.call username: }
3 |
4 | context "with all parameters" do
5 | let(:username) { nil }
6 |
7 | context "without a username" do
8 | it "calls BeginAuthentication and returns the challenge, and options" do
9 | options = instance_double(WebAuthn::PublicKeyCredential::RequestOptions, challenge: "CHALLENGE")
10 | context = Interactor::Context.build(options:)
11 |
12 | allow(PasskeysRails::BeginAuthentication)
13 | .to receive(:call!)
14 | .and_return(context)
15 | .exactly(1).time
16 |
17 | result = call
18 | expect(result).to be_success
19 | expect(result.cookie_data[:username]).to be_nil
20 | expect(result.cookie_data[:challenge]).to eq "CHALLENGE"
21 | expect(result.response).to eq options
22 | end
23 | end
24 |
25 | context "with a username" do
26 | let(:username) { "alice" }
27 |
28 | it "calls BeginRegistration and returns the username, challenge, and options" do
29 | options = instance_double(WebAuthn::PublicKeyCredential::CreationOptions, challenge: "CHALLENGE")
30 | context = Interactor::Context.build(options:)
31 |
32 | allow(PasskeysRails::BeginRegistration)
33 | .to receive(:call!)
34 | .with(username:)
35 | .and_return(context)
36 | .exactly(1).time
37 |
38 | result = call
39 | expect(result).to be_success
40 | expect(result.cookie_data[:username]).to eq username
41 | expect(result.cookie_data[:challenge]).to eq "CHALLENGE"
42 | expect(result.response).to eq options
43 | end
44 | end
45 | end
46 | end
47 |
--------------------------------------------------------------------------------
/spec/requests/passkeys/rails/passkeys_controller_challenge_spec.rb:
--------------------------------------------------------------------------------
1 | RSpec.describe PasskeysRails::PasskeysController do
2 | let(:call_api) { post '/passkeys_rails/challenge', params:, headers: }
3 |
4 | shared_examples "a successful registration initiation process" do
5 | it 'begins the registration process and returns the passkey challenge fields' do
6 | call_api
7 | expect_success
8 | expect(json.keys).to match(%w[challenge timeout extensions rp user pubKeyCredParams])
9 | end
10 | end
11 |
12 | include_context 'with api params'
13 |
14 | context 'with no params' do
15 | it 'begins the login process and returns the passkey challenge fields' do
16 | call_api
17 | expect_success
18 | expect(json.keys).to match(%w[challenge timeout extensions allowCredentials])
19 | end
20 | end
21 |
22 | context 'with the username param' do
23 | let(:optional_params) { { username: } }
24 | let(:username) { '' }
25 |
26 | context 'when the username is not yet taken by any agent' do
27 | let(:username) { 'Testing 1 2 3' }
28 |
29 | it_behaves_like "a successful registration initiation process"
30 | end
31 |
32 | context 'when the username is taken by an unregistered agent' do
33 | let(:username) { create(:agent, :unregistered).username }
34 |
35 | it_behaves_like "a successful registration initiation process"
36 | end
37 |
38 | context 'when the username is taken by a registered agent' do
39 | let(:username) { create(:agent, :registered).username }
40 |
41 | it 'fails with an appropriate error' do
42 | call_api
43 | expect(error).to match([:authentication, 'validation_errors', "Username has already been taken"])
44 | end
45 | end
46 | end
47 | end
48 |
--------------------------------------------------------------------------------
/spec/support/webauthn_helper.rb:
--------------------------------------------------------------------------------
1 | require "webauthn"
2 | require "webauthn/fake_client"
3 |
4 | module Requests
5 | module WebauthnHelpers
6 | def fake_origin
7 | "http://localhost"
8 | end
9 |
10 | def fake_challenge
11 | SecureRandom.random_bytes(32)
12 | end
13 |
14 | def fake_cose_credential_key(algorithm: -7, x_coordinate: nil, y_coordinate: nil)
15 | crv_p256 = 1
16 |
17 | COSE::Key::EC2.new(
18 | alg: algorithm,
19 | crv: crv_p256,
20 | x: x_coordinate || SecureRandom.random_bytes(32),
21 | y: y_coordinate || SecureRandom.random_bytes(32)
22 | ).serialize
23 | end
24 |
25 | def create_credential(
26 | client: WebAuthn::FakeClient.new,
27 | rp_id: nil,
28 | relying_party: WebAuthn.configuration.relying_party
29 | )
30 | rp_id ||= relying_party.id || URI.parse(client.origin).host
31 |
32 | create_result = client.create(rp_id:)
33 |
34 | attestation_object =
35 | if client.encoding
36 | relying_party.encoder.decode(create_result["response"]["attestationObject"])
37 | else
38 | create_result["response"]["attestationObject"]
39 | end
40 |
41 | client_data_json =
42 | if client.encoding
43 | relying_party.encoder.decode(create_result["response"]["clientDataJSON"])
44 | else
45 | create_result["response"]["clientDataJSON"]
46 | end
47 |
48 | response =
49 | WebAuthn::AuthenticatorAttestationResponse
50 | .new(
51 | attestation_object:,
52 | client_data_json:,
53 | relying_party:
54 | )
55 |
56 | credential_public_key = response.credential.public_key
57 |
58 | [create_result["id"], credential_public_key, response.authenticator_data.sign_count]
59 | end
60 | end
61 | end
62 |
--------------------------------------------------------------------------------
/spec/features/register_new_user_spec.rb:
--------------------------------------------------------------------------------
1 | require "webauthn/attestation_statement/fido_u2f/public_key"
2 | require "webauthn/authenticator_assertion_response"
3 | require "webauthn/u2f_migrator"
4 |
5 | RSpec.describe 'Register new user', type: :request do
6 | let(:challenge_params) { { username: } }
7 | let(:json_content_type_headers) { { 'Content-Type': 'application/json' } }
8 | let(:username) { "Test User" }
9 |
10 | let(:client) { WebAuthn::FakeClient.new(actual_origin, encoding: false) }
11 | let(:origin) { fake_origin }
12 | let(:actual_origin) { origin }
13 | let(:credential) { create_credential(client:) }
14 | let(:credential_public_key) { credential[1] }
15 | let(:authenticatable) { {} }
16 |
17 | it "requests a challenge, follows up with a registration request, and receives a valid auth token" do
18 | post '/passkeys_rails/challenge', params: challenge_params.to_json, headers: json_content_type_headers
19 | expect(response).to be_successful
20 |
21 | account = client.create(challenge: json[:challenge])
22 |
23 | pending "Figuring out how to create the params from the passkeys_rails/challenge"
24 | # TODO: Not sure how create the params from the passkeys_rails/challenge response that succeed"
25 | credential = {
26 | id: Base64.strict_encode64(account['id']),
27 | rawId: Base64.strict_encode64(account['rawId']),
28 | type: account['type'],
29 | response: {
30 | attestationObject: Base64.strict_encode64(account['response']['attestationObject']),
31 | clientDataJSON: Base64.strict_encode64(account['response']['clientDataJSON'])
32 | }
33 | }
34 |
35 | register_params = { credential:, authenticatable: }
36 |
37 | post '/passkeys_rails/register', params: register_params.to_json, headers: json_content_type_headers
38 | expect(json[:error]).to be_blank
39 | expect(response).to be_successful
40 | end
41 | end
42 |
--------------------------------------------------------------------------------
/spec/dummy/public/500.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | We're sorry, but something went wrong (500)
5 |
6 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
We're sorry, but something went wrong.
62 |
63 |
If you are the application owner check the logs for more information.
64 |
60 |
61 |
The change you wanted was rejected.
62 |
Maybe you tried to change something you didn't have access to.
63 |
64 |
If you are the application owner check the logs for more information.
65 |
60 |
61 |
The page you were looking for doesn't exist.
62 |
You may have mistyped the address or the page may have moved.
63 |
64 |
If you are the application owner check the logs for more information.
65 |
8 | Created by Troy Anderson, Allied Code - alliedcode.com
9 |
10 |
11 | PasskeysRails is a gem you can add to a Rails app to enable passskey registration and authorization from mobile front ends. PasskeysRails leverages webauthn for the cryptographic work, and presents a simple API interface for passkey registration, authentication, and testing.
12 |
13 | The purpose of this gem is to make it easy to provide a rails back end API that supports PassKey authentication. It uses the [`webauthn`](https://github.com/w3c/webauthn) gem to do the cryptographic work and presents a simple API interface for passkey registration and authentication.
14 |
15 | The target use case for this gem is a mobile application that uses a rails based API service to manage resources. The goal is to make it simple to register and authenticate users using passkeys from mobile applications in a rails API service.
16 |
17 | What about [devise](https://github.com/heartcombo/devise)? Devise is awesome, but we don't need all that UI/UX for PassKeys, especially for an API back end.
18 |
19 | ## Documentation
20 | * [Usage](#usage)
21 | * [Installation](#installation)
22 | * [Rails Integration - Standard](#rails-Integration-standard)
23 | * [Rails Integration - Grape](#rails-Integration-grape)
24 | * [Notifications](#notifications)
25 | * [Failure Codes](#failure-codes)
26 | * [Testing](#testing)
27 | * [Mobile App Integration](#mobile-application-integration)
28 | * [Reference/Example Mobile Applications](#referenceexample-mobile-applications)
29 |
30 | ## Usage
31 |
32 | **PasskeysRails** maintains a `PasskeysRails::Agent` model and related `PasskeysRails::Passkeys`. In rails apps that maintain their own "user" model, add `include PasskeysRails::Authenticatable` to that model and include the name of that class (e.g. `"User"`) in the `authenticatable_class` param when calling the register API or set the `PasskeysRails.default_class` to the name of that class.
33 |
34 | In mobile apps, leverage the platform specific Passkeys APIs for ***registration*** and ***authentication***, and call the **PasskeysRails** API endpoints to complete the ceremony. **PasskeysRails** provides endpoints to support ***registration***, ***authentication***, ***token refresh***, and ***debugging***.
35 |
36 | ### Optionally providing a **"user"** model during registration
37 |
38 | **PasskeysRails** does not require any application specific models, but it's often useful to have one. For example, a User model can be created at registration. **PasskeysRails** provides two mechanisms to support this. Either provide the name of the model in the `authenticatable_class` param when calling the `finishRegistration` endpoint, or set a `default_class` in `config/initializers/passkeys_rails.rb`.
39 |
40 | **PasskeysRails** supports multiple different application specific models. Whatever model name supplied when calling the `finishRegistration` endpoint will be created during a successful the `finishRegistration` process. When created, it will be provided an opportunity to do any initialization at that time.
41 |
42 | There are two **PasskeysRails** configuration options related to this: `default_class` and `class_whitelist`:
43 |
44 | #### `default_class`
45 |
46 | Configure `default_class` in `config/initializers/passkeys_rails.rb`. Its value will be used during registration if none is provided in the API call. The default value is `"User"`. Since the `default_class` is just a default, it can be overridden in the `finishRegiration` API call to use a different model. If no model is to be used by default, set it to nil.
47 |
48 | #### `class_whitelist`
49 |
50 | Configure `class_whitelist` in `config/initializers/passkeys_rails.rb`. The default value is `nil`. When `nil`, no whitelist will be applied. If it is non-nil, it should be an array of class names that are allowed during registration. Supply an empty array to prevent **PasskeysRails** from attempting to create anything other than its own `PasskeysRails::Agent` during registration.
51 |
52 | ## Installation
53 |
54 | Add this line to your application's Gemfile:
55 |
56 | ```ruby
57 | gem "passkeys-rails"
58 | ```
59 |
60 | And then execute:
61 |
62 | ```bash
63 | $ bundle install
64 | ```
65 |
66 | Or install it yourself as:
67 | ```bash
68 | $ gem install passkeys_rails
69 | ```
70 |
71 | Finally, execute:
72 |
73 | ```bash
74 | $ rails generate passkeys_rails:install
75 | ```
76 |
77 | This will add the `config/initializers/passkeys_rails.rb` configuration file, passkeys routes, and a couple of database migrations to your project.
78 |
79 |
80 |
81 | ## Rails Integration Adding to a standard rails project
82 |
83 | - ### Add `before_action :authenticate_passkey!`
84 |
85 | To prevent access to controller actions, add `before_action :authenticate_passkey!`. If an action is attempted without an authenticated entity, an error will be rendered in JSON with an :unauthorized result code.
86 |
87 | - ### Use `current_agent` and `current_agent.authenticatable`
88 |
89 | To access the currently authenticated entity, use `current_agent`. If you associated the registration of the agent with one of your own models, use `current_agent.authenticatable`. For example, if you associated the `User` class with the registration, `current_agent.authenticatable` will be a User object.
90 |
91 | - ### Add `include PasskeysRails::Authenticatable` to model class(es)
92 |
93 | If you have one or more classes that you want to use with authentication - e.g. a User class and an AdminUser class - add `include PasskeysRails::Authenticatable` to each of those classes. That adds a `registered?` method that you can call on your model to determine if they are registerd with your service, and a `registering_with(params)` method that you can override to initialize attributes of your model when it is created during registration. `params` is a hash with params passed to the API when registering. When called, your object has been built, but not yet saved. Upon return, **PasskeysRails** will attempt to save your object before finishing registration. If it is not valid, the registration will fail as well, returning the error error details to the caller.
94 |
95 |
96 | ## Rails Integration - Adding to a Grape API rails project
97 |
98 | - ### Call `PasskeysRails.authenticate(request)` to authenticate the request.
99 |
100 | Call `PasskeysRails.authenticate(request)` to get an object back that responds to `.success?` and `.failure?` as well as `.agent`, `.code`, and `.message`.
101 |
102 | Alternatively, call `PasskeysRails.authenticate!(request)` from a helper in your base class. It will raise a `PasskeysRails.Error` exception if the caller isn't authenticated. You can catch the exception and render an appropriate error. The exception contains the error code and message.
103 |
104 | - ### Consider adding the following helpers to your base API class:
105 |
106 | ```ruby
107 | helpers do
108 | # Authenticate the request and cache the result
109 | def passkey
110 | @passkey ||= PasskeysRails.authenticate(request)
111 | end
112 |
113 | # Raise an exception if the request is not authentic
114 | def authenticate_passkey!
115 | error!({ code: passkey.code, message: passkey.message }, :unauthorized) if passkey.failure?
116 | end
117 |
118 | # Return the Passkeys::Agent if authentic, else return nil
119 | def current_agent
120 | passkey.agent
121 | end
122 |
123 | # If you have set authenticatable to be a User, you can use this to access the user from Grape endpoint methods
124 | def current_user
125 | user = current_agent&.authenticatable
126 | user.is_a?(User) ? user : nil # sanity check to be sure authenticatable is a User
127 | end
128 | end
129 | ```
130 |
131 | To prevent access to various endpoints, add `before_action :authenticate_passkey!` or call `authenticate_passkey!` from any method that requires authentication. If an action is attempted without an authenticated entity, an error will be rendered in JSON with an :unauthorized result code.
132 |
133 | - ### Use `current_agent` and `current_agent.authenticatable`
134 |
135 | To access the currently authenticated entity, use `current_agent`. If you associated the registration of the agent with one of your own models, use `current_agent.authenticatable`. For example, if you associated the `User` class with the registration, `current_agent.authenticatable` will be a User object.
136 |
137 | ## Notifications
138 |
139 | Certain actions trigger notifications that can be subscribed. See `subscribe` in `config/initializers/passkeys_rails.rb`.
140 |
141 | These are completely optional. **PasskeysRails** will manage all the credentials and keys without these being implemented. They are useful for taking application specific actions like logging based on the authentication related events.
142 |
143 | ### Events
144 |
145 | - `:did_register ` - a new agent has registered
146 |
147 | - `:did_authenticate` - an agent has been authenticated
148 |
149 | - `:did_refresh` - an agent's auth token has been refreshed
150 |
151 | A convenient place to set these up in is in `config/initializers/passkeys_rails.rb`
152 |
153 | ```ruby
154 | PasskeysRails.config do |c|
155 | c.subscribe(:did_register) do |event, agent, request|
156 | # do something with the agent and/or request
157 | end
158 |
159 | c.subscribe(:did_authenticate) do |event, agent, request|
160 | # do something with the agent and/or request
161 | end
162 | end
163 | ```
164 |
165 | Subscriptions can also be done elsewhere as subscribe is a PasskeysRails class method.
166 |
167 | ```ruby
168 | PasskeysRails.subscribe(:did_register) do |event, agent, request|
169 | # do something with the agent and/or request
170 | end
171 | ```
172 |
173 | ## Failure Codes
174 |
175 | 1. In the event of authentication failure, **PasskeysRails** API endpoints render an error code and message.
176 |
177 | 1. In a standard rails controller, the error code and message are rendered in JSON if `before_action :authenticate_passkey!` fails.
178 |
179 | 1. In Grape, the error code and message are available in the result of the `PasskeysRails.authenticate(request)` method.
180 |
181 | 1. From standard rails controllers, you can also access `passkey_authentication_result` to get the code and message.
182 |
183 | 1. For `PasskeysRails.authenticate(request)` and `passkey_authentication_result`, the result is an object that respods to `.success?` and `.failure?`.
184 | - When `.success?` is true (`.failure?` is false), the resources is authentic and it also responds to `.agent`, returning a PasskeysRails::Agent
185 | - When `.success?` is false (`.failure?` is true), it responds to `.code` and `.message` to expose the error details.
186 | - When `.code` is `:missing_token`, `.message` is **X-Auth header is required**, which means the caller didn't supply the auth header.
187 | - When `.code` is `:invalid_token`, `.message` is **Invalid token - no agent exists with agent_id**, which means that the auth data is not valid.
188 | - When `.code` is `:expired_token`, `.message` is **The token has expired**, which means that the token is valid, but expired, thuis it's not considered authentic.
189 | - When `.code` is `:token_error`, `.message` is a description of the error. This is a catch-all in the event we are unable to decode the token.
190 |
191 | In the future, the intention is to have the `.code` value stay consistent even if the `.message` changes. This also allows you to localize the messages as needed using the code.
192 |
193 | ## Testing
194 |
195 | PasskeysRails includes some test helpers for integration tests. In order to use them, you need to include the module in your test cases/specs.
196 |
197 | Integration test helpers are available by including the `PasskeysRails::IntegrationHelpers` module.
198 |
199 | ```ruby
200 | class PostTests < ActionDispatch::IntegrationTest
201 | include PasskeysRails::Test::IntegrationHelpers
202 | end
203 | ```
204 | Now you can use the following `logged_in_headers` method in your integration tests.`
205 |
206 | ```ruby
207 | test 'authenticated users can see posts' do
208 | user = User.create
209 | get '/posts', headers: logged_in_headers('username-123', user)
210 | assert_response :success
211 | end
212 | ```
213 |
214 | RSpec can include the `IntegrationHelpers` module in their `:feature` and `:request` specs.
215 |
216 | ```ruby
217 | RSpec.configure do |config|
218 | config.include PasskeysRails::Test::IntegrationHelpers, type: :feature
219 | config.include PasskeysRails::Test::IntegrationHelpers, type: :request
220 | end
221 | ```
222 |
223 | ```ruby
224 | RSpec.describe 'Posts', type: :request do
225 | let(:user) { User.create }
226 | it "allows authenticated users to see posts" do
227 | get '/posts', headers: logged_in_headers('username-123', user)
228 | expect(response).to be_success
229 | end
230 | end
231 | ```
232 |
233 | ## Mobile Application Integration
234 |
235 | ### Prerequisites
236 |
237 | For iOS, you need to associate your app with your server. This amounts to setting up a special file on your server that defines the association. See [setup your apple-app-site-association](#Ensure-`.well-known/apple-app-site-association`-is-in-place)
238 |
239 |
240 | ### Mobile API Endpoints
241 |
242 | There are 3 groups of API endpoints that your mobile application might consume.
243 |
244 | 1. Unauthenticated (public) endpoints
245 | 1. Authenticated (private) endpoints
246 | 1. Passkey endpoints (for supporting authentication)
247 |
248 | **Unauthenticated endpoints** can be consumed without any authentication.
249 |
250 | **Authenticated endpoints** are protected by `authenticate_passkey!` or `PasskeysRails.authenticate!(request)`. Those methods check for and validate the `X-Auth` header, which must be set to the auth token returned in the `AuthResponse`, described below.
251 |
252 | **Passkey endpoints** are supplied by this gem and allow you to register a user, authenticate (login) a user, and refresh the token. This section describes these endpoints.
253 |
254 | This gem supports the Passkey endpoints.
255 |
256 | ### Passkey Endpoints
257 |
258 | * [POST /passkeys/challenge](post-passkeys-challenge)
259 | * [POST /passkeys/register](post-passkeys-register)
260 | * [POST /passkeys/authenticate](post-passkeys-authenticate)
261 | * [POST /passkeys/refresh](post-passkeys-refresh)
262 | * [POST /passkeys/debug_register](post-passkeys-debug-register)
263 | * [POST /passkeys/debug_login](post-passkeys-debug-login)
264 |
265 | All Passkey endpoints accept and respond with JSON.
266 |
267 | On **success**, they will respond with a 200 or 201 response code and relevant JSON.
268 |
269 | On **error**, they will respond with a status code of `422` (Unprocessable Entity) and a JSON `ErrorResponse` structure:
270 |
271 | ```JSON
272 | {
273 | "error": {
274 | "context": "authentication",
275 | "code": "Specific text code",
276 | "message": "Some human readable message"
277 | }
278 | }
279 | ```
280 |
281 | Some endpoints return an `AuthResponse`, which has this JSON structure:
282 |
283 | ```JSON
284 | {
285 | "username": String, # the username used during registration
286 | "auth_token": String # an expiring token to use to authenticate with the back end (X-Auth header)
287 | }
288 | ```
289 |
290 | ### POST /passkeys/challenge
291 |
292 | Submit this to begin registration or authentication.
293 |
294 | #### Registration (register)
295 |
296 | To begin registration of a new credential, supply a `{ "username": "unique username" }`.
297 | If all goes well, the JSON response will be the `options_for_create` from webauthn.
298 | If the username is already in use, or anything else goes wrong, an error with code `validation_errors` will be returned.
299 |
300 | After receiving a successful response, follow up with a POST to `/passkeys/register`, below.
301 |
302 | #### Authentication (login)
303 | To begin authenticating an existing credential, omit the `username`. The JSON response will be the `options_for_get` from webauthn.
304 |
305 | After receiving a successful response, follow up with a POST to `/passkeys/authenticate`, below.
306 |
307 | ### POST /passkeys/register
308 |
309 | After calling the `challenge` endpoint with a `username`, and handling its response, finish registering by calling this endpoint.
310 |
311 | Supply the following JSON structure:
312 |
313 | ```JSON
314 | # POST body
315 | {
316 | # NOTE: credential will likely come directly from the PassKeys class/library on the platform
317 | "credential": {
318 | "id": String,
319 | "rawId": String,
320 | "type": String,
321 | "response": {
322 | "attestationObject": String,
323 | "clientDataJSON": String
324 | }
325 | },
326 | # authenticatable is optional and is informas PasskeysRails how to build your "user" model
327 | "authenticatable": { # optional
328 | "class": "User", # whatever class to which you want this credential to apply (as described earlier)
329 | "params": { } # Any params you want passed as a hash to the registering_with method on that class
330 | }
331 | }
332 | ```
333 |
334 | On **success**, the response is an `AuthResponse`.
335 |
336 | Possible **failure codes** (using the `ErrorResponse` structure) are:
337 |
338 | - `webauthn_error` - something is wrong with the credential
339 | - `error` - something else went wrong during credentail validation - see the `message` in the `ErrorResponse`
340 | - `passkey_error` - unable to persist the passkey
341 | - `invalid_authenticatable_class` - the supplied authenticatable class can't be created/found (check spelling & capitalization)
342 | - `invalid_class_whitelist` - the whitelist in the passkeys_rails.rb configuration is invalid - be sure it's nil or an array
343 | - `invalid_authenticatable_class` - the supplied authenticatable class is not allowed - maybe it's not in the whitelist
344 | - `record_invalid` - the object of the supplied authenticatable class cannot be saved due to validation errors
345 | - `agent_not_found` - the agent referenced in the credential cannot be found in the database
346 |
347 | ### POST /passkeys/authenticate
348 |
349 | After calling the `challenge` endpoint without a `username`, and handling its response, finish authenticating by calling this endpoint.
350 |
351 | Supply the following JSON structure:
352 |
353 | ```JSON
354 | # POST body
355 | {
356 | # NOTE: all of this will likely come directly from the PassKeys class/library on the platform
357 | "id": String, # Base64 encoded assertion.credentialID
358 | "rawId": String, # Base64 encoded assertion.credentialID
359 | "type": "public-key",
360 | "response": {
361 | "authenticatorData": String, # Base64 encoded assertion.rawAuthenticatorData
362 | "clientDataJSON": String, # Base64 encoded assertion.rawClientDataJSON
363 | "signature": String, # Base64 encoded signature
364 | "userHandle":String # Base64 encoded assertion.userID
365 | }
366 | }
367 | ```
368 | On **success**, the response is an `AuthResponse`.
369 |
370 | Possible **failure codes** (using the `ErrorResponse` structure) are:
371 |
372 | - `webauthn_error` - something is wrong with the credential
373 | - `passkey_not_found` - the passkey referenced in the credential cannot be found in the database
374 |
375 | ### POST /passkeys/refresh
376 |
377 | The token will expire after some time (configurable in `config/initializers/passkeys_rails.rb`). Before that happens, refresh it using this API. Once it expires, to get a new token, use the `/authentication` API.
378 |
379 | Supply the following JSON structure:
380 |
381 | ```JSON
382 | # POST body
383 | {
384 | token: String
385 | }
386 | ```
387 |
388 | On **success**, the response is an `AuthResponse` with a new, refreshed token.
389 |
390 | Possible **failure codes** (using the `ErrorResponse` structure) are:
391 |
392 | - `invalid_token` - the token data is invalid
393 | - `expired_token` - the token is expired
394 | - `token_error` - some other error ocurred when decoding the token
395 |
396 | ### POST /passkeys/debug_register
397 |
398 | As it may not be possible to acess Passkey functionality in mobile simulators, this endpoint may be called to register a username while bypassing the normal challenge/response sequence.
399 |
400 | This endpoint only responds if `DEBUG_LOGIN_REGEX` is set in the server environment. It is **very insecure to set this variable in a production environment** as it bypasses all Passkey checks. It is only intended to be used during mobile application development.
401 |
402 | To use this endpoint:
403 |
404 | 1. Set `DEBUG_LOGIN_REGEX` to a regex that matches any username you want to use during development - for example `^test(-\d+)?$` will match `test`, `test-1`, `test-123`, etc.
405 |
406 | 1. In the mobile application, call this endpoint in stead of the `/passkeys/challenge` and `/passkeys/register`. The response is identicial to that of `/passkeys/register`.
407 |
408 | 1. Use the response as if it was from `/passkeys/register`.
409 |
410 | If you supply a username that doesn't match the `DEBUG_LOGIN_REGEX`, the endpoint will respond with an error.
411 |
412 | Supply the following JSON structure:
413 |
414 | ```JSON
415 | # POST body
416 | {
417 | "username": String
418 | }
419 | ```
420 | On **success**, the response is an `AuthResponse`.
421 |
422 | Possible **failure codes** (using the `ErrorResponse` structure) are:
423 |
424 | - `not_allowed` - Invalid username (the username doesn't match the regex)
425 | - `invalid_authenticatable_class` - the supplied authenticatable class can't be created/found (check spelling & capitalization)
426 | - `invalid_class_whitelist` - the whitelist in the passkeys_rails.rb configuration is invalid - be sure it's nil or an array
427 | - `invalid_authenticatable_class` - the supplied authenticatable class is not allowed - maybe it's not in the whitelist
428 | - `record_invalid` - the object of the supplied authenticatable class cannot be saved due to validation errors
429 |
430 | ### POST /passkeys/debug_login
431 |
432 | As it may not be possible to acess Passkey functionality in mobile simulators, this endpoint may be called to login (authenticate) a username while bypassing the normal challenge/response sequence.
433 |
434 | This endpoint only responds if `DEBUG_LOGIN_REGEX` is set in the server environment. It is **very insecure to set this variable in a production environment** as it bypasses all Passkey checks. It is only intended to be used during mobile application development.
435 |
436 | To use this endpoint:
437 |
438 | 1. Manually create one or more PasskeysRails::Agent records in the database. A unique username is required for each.
439 |
440 | 1. Set `DEBUG_LOGIN_REGEX` to a regex that matches any username you want to use during development - for example `^test(-\d+)?$` will match `test`, `test-1`, `test-123`, etc.
441 |
442 | 1. In the mobile application, call this endpoint in stead of the `/passkeys/challenge` and `/passkeys/authenticate`. The response is identicial to that of `/passkeys/authenticate`.
443 |
444 | 1. Use the response as if it was from `/passkeys/authenticate`.
445 |
446 | If you supply a username that doesn't match the `DEBUG_LOGIN_REGEX`, the endpoint will respond with an error.
447 |
448 | Supply the following JSON structure:
449 |
450 | ```JSON
451 | # POST body
452 | {
453 | "username": String
454 | }
455 | ```
456 | On **success**, the response is an `AuthResponse`.
457 |
458 | Possible **failure codes** (using the `ErrorResponse` structure) are:
459 |
460 | - `not_allowed` - Invalid username (the username doesn't match the regex)
461 | - `agent_not_found` - No agent found with that username
462 |
463 | ## Reference/Example Mobile Applications
464 |
465 | There is a sample iOS app that integrates with **passkeys-rails** based server implementations. It's a great place to get a quick start on implementing passkyes in your iOS, iPadOS or MacOS apps.
466 |
467 | Check out the [PasskeysRailsDemo](https://github.com/alliedcode/PasskeysRailsDemo) app.
468 |
469 | ## Contributing
470 |
471 | ### Contribution Guidelines
472 |
473 | Thank you for considering contributing to PasskeysRails! We welcome your help to improve and enhance this project. Whether it's a bug fix, documentation update, or a new feature, your contributions are valuable to the community.
474 |
475 | To ensure a smooth collaboration, please follow the [Contribution Guidelines](https://github.com/alliedcode/passkeys-rails/blob/main/CONTRIBUTION_GUIDELINES.md) when submitting your contributions.
476 |
477 | ### Code of Conduct
478 |
479 | Please note that this project follows the [Code of Conduct](https://github.com/alliedcode/passkeys-rails/blob/main/CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. If you encounter any behavior that violates the code, please report it to the project maintainers.
480 |
481 | ## License
482 |
483 | The gem is available as open source under the terms of the [MIT License](https://github.com/alliedcode/passkeys-rails/blob/main/MIT-LICENSE).
484 |
--------------------------------------------------------------------------------