Authenticate is a builder

Firstyear · Apr 27, 2024 · 148db40 · 148db40
1 parent e4c43b9
commit 148db40
Show file tree

Hide file tree

Showing 6 changed files with 147 additions and 73 deletions.
diff --git a/compat_tester/webauthn-rs-demo/src/actors.rs b/compat_tester/webauthn-rs-demo/src/actors.rs
@@ -367,11 +367,15 @@ impl WebauthnActor {
                     .ok_or(WebauthnError::CredentialNotFound)?;
 
                 self.wan
-                    .generate_challenge_authenticate(vec![cred], uv, extensions, None, None)
+                    .new_challenge_authenticate_builder(vec![cred], uv)
+                    .map(|builder| builder.extensions(extensions))
+                    .and_then(|b| self.wan.generate_challenge_authenticate(b))
             }
             None => self
                 .wan
-                .generate_challenge_authenticate(creds, None, extensions, None, None),
+                .new_challenge_authenticate_builder(creds, None)
+                .map(|builder| builder.extensions(extensions))
+                .and_then(|b| self.wan.generate_challenge_authenticate(b)),
         }?;
 
         debug!("complete ChallengeAuthenticate -> {:?}", acr);

diff --git a/webauthn-authenticator-rs/examples/authenticate.rs b/webauthn-authenticator-rs/examples/authenticate.rs
@@ -280,17 +280,15 @@ async fn main() {
             .connect_provider(CableRequestType::GetAssertion, &ui)
             .await;
         let (chal, auth_state) = wan
-            .generate_challenge_authenticate(
-                vec![cred.clone()],
-                None,
-                Some(RequestAuthenticationExtensions {
+            .new_challenge_authenticate_builder(vec![cred.clone()], None)
+            .map(|builder| {
+                builder.extensions(Some(RequestAuthenticationExtensions {
                     appid: Some("example.app.id".to_string()),
                     uvm: None,
                     hmac_get_secret: None,
-                }),
-                None,
-                None,
-            )
+                }))
+            })
+            .and_then(|b| wan.generate_challenge_authenticate(b))
             .unwrap();
 
         let r = u

diff --git a/webauthn-authenticator-rs/src/softpasskey.rs b/webauthn-authenticator-rs/src/softpasskey.rs
@@ -568,7 +568,8 @@ mod tests {
         let cred = wan.register_credential(&r, &reg_state, None).unwrap();
 
         let (chal, auth_state) = wan
-            .generate_challenge_authenticate(vec![cred], None, None, None, None)
+            .new_challenge_authenticate_builder(vec![cred], None)
+            .and_then(|b| wan.generate_challenge_authenticate(b))
             .unwrap();
 
         let r = wa

diff --git a/webauthn-authenticator-rs/src/softtoken.rs b/webauthn-authenticator-rs/src/softtoken.rs
@@ -928,7 +928,8 @@ mod tests {
         info!("Credential -> {:?}", cred);
 
         let (chal, auth_state) = wan
-            .generate_challenge_authenticate(vec![cred], None, None, None, None)
+            .new_challenge_authenticate_builder(vec![cred], None)
+            .and_then(|b| wan.generate_challenge_authenticate(b))
             .unwrap();
 
         let r = wa
@@ -1014,7 +1015,8 @@ mod tests {
         let mut wa = WebauthnAuthenticator::new(soft_token);
 
         let (chal, auth_state) = wan
-            .generate_challenge_authenticate(vec![cred], None, None, None, None)
+            .new_challenge_authenticate_builder(vec![cred], None)
+            .and_then(|b| wan.generate_challenge_authenticate(b))
             .unwrap();
 
         let r = wa

diff --git a/webauthn-rs-core/src/core.rs b/webauthn-rs-core/src/core.rs
@@ -79,6 +79,16 @@ pub struct ChallengeRegisterBuilder {
     hints: Option<Vec<PublicKeyCredentialHints>>,
 }
 
+/// A builder allowing customisation of a client authentication challenge.
+#[derive(Debug)]
+pub struct ChallengeAuthenticateBuilder {
+    creds: Vec<Credential>,
+    policy: UserVerificationPolicy,
+    extensions: Option<RequestAuthenticationExtensions>,
+    allow_backup_eligible_upgrade: bool,
+    hints: Option<Vec<PublicKeyCredentialHints>>,
+}
+
 impl ChallengeRegisterBuilder {
     /// Set the attestation conveyance preference. Defaults to None.
     pub fn attestation(mut self, value: AttestationConveyancePreference) -> Self {
@@ -147,6 +157,29 @@ impl ChallengeRegisterBuilder {
     }
 }
 
+impl ChallengeAuthenticateBuilder {
+    /// Define extensions to be requested in the request. Defaults to None.
+    pub fn extensions(mut self, value: Option<RequestAuthenticationExtensions>) -> Self {
+        self.extensions = value;
+        self
+    }
+
+    /// Allow authenticators to modify their backup eligibility. This can occur
+    /// where some formerly hardware bound devices become roaming ones. If in
+    /// double leave this value as default (false, rejects credentials that
+    /// post-create move from single device to roaming).
+    pub fn allow_backup_eligible_upgrade(mut self, value: bool) -> Self {
+        self.allow_backup_eligible_upgrade = value;
+        self
+    }
+
+    /// Add the set of hints for which public keys may satisfy this request.
+    pub fn hints(mut self, hints: Option<Vec<PublicKeyCredentialHints>>) -> Self {
+        self.hints = hints;
+        self
+    }
+}
+
 impl WebauthnCore {
     /// ⚠️  ⚠️  ⚠️  THIS IS UNSAFE. AVOID USING THIS DIRECTLY ⚠️  ⚠️  ⚠️
     ///
@@ -905,22 +938,15 @@ impl WebauthnCore {
         Ok(data.authenticator_data)
     }
 
-    /// Authenticate a set of credentials allowing the user verification policy to be set.
-    /// If no credentials are provided, this will start a discoverable credential authentication.
-    ///
-    /// Policy defines the require UserVerification policy. This MUST be consistent with the
-    /// credentials being used in the authentication.
-    ///
-    /// `allow_backup_eligible_upgrade` allows rejecting credentials whos backup eligibility
-    /// has changed between registration and authentication.
-    pub fn generate_challenge_authenticate(
+    /// Generate a new challenge builder for client authentication. This is the first
+    /// step in authentication of a credential. This function will return an
+    /// authentication builder allowing you to customise the parameters that will be
+    /// sent to the client.
+    pub fn new_challenge_authenticate_builder(
         &self,
         creds: Vec<Credential>,
         policy: Option<UserVerificationPolicy>,
-        extensions: Option<RequestAuthenticationExtensions>,
-        allow_backup_eligible_upgrade: Option<bool>,
-        hints: Option<Vec<PublicKeyCredentialHints>>,
-    ) -> Result<(RequestChallengeResponse, AuthenticationState), WebauthnError> {
+    ) -> Result<ChallengeAuthenticateBuilder, WebauthnError> {
         let policy = if let Some(policy) = policy {
             policy
         } else {
@@ -938,8 +964,37 @@ impl WebauthnCore {
             policy
         };
 
-        // Defaults to false.
-        let allow_backup_eligible_upgrade = allow_backup_eligible_upgrade.unwrap_or_default();
+        Ok(ChallengeAuthenticateBuilder {
+            creds,
+            policy,
+            extensions: Default::default(),
+            allow_backup_eligible_upgrade: Default::default(),
+            hints: Default::default(),
+        })
+    }
+
+    /// Generate a new challenge for client authentication from the parameters defined by the
+    /// [ChallengeAuthenticateBuilder].
+    ///
+    /// This function will return the
+    /// [RequestChallengeResponse] which is suitable for serde json serialisation
+    /// to be sent to the client. The client (generally a web browser) will pass this JSON
+    /// structure to the `navigator.credentials.create()` javascript function for registration.
+    ///
+    /// It also returns an [AuthenticationState], that you *must*
+    /// persist. It is strongly advised you associate this AuthenticationState with a
+    /// private session ID that is unique to this request.
+    pub fn generate_challenge_authenticate(
+        &self,
+        challenge_builder: ChallengeAuthenticateBuilder,
+    ) -> Result<(RequestChallengeResponse, AuthenticationState), WebauthnError> {
+        let ChallengeAuthenticateBuilder {
+            creds,
+            policy,
+            extensions,
+            allow_backup_eligible_upgrade,
+            hints,
+        } = challenge_builder;
 
         let chal = self.generate_challenge();
 
@@ -2841,7 +2896,7 @@ mod tests {
         // Ensure we get a bad result.
 
         assert!(
-            wan.generate_challenge_authenticate(creds.clone(), None, None, None, None)
+            wan.new_challenge_authenticate_builder(creds.clone(), None)
                 .unwrap_err()
                 == WebauthnError::InconsistentUserVerificationPolicy
         );
@@ -2866,7 +2921,11 @@ mod tests {
                 .unwrap();
         }
 
-        let r = wan.generate_challenge_authenticate(creds.clone(), None, None, None, None);
+        let builder = wan
+            .new_challenge_authenticate_builder(creds.clone(), None)
+            .expect("Unable to create authenticate builder");
+
+        let r = wan.generate_challenge_authenticate(builder);
         debug!("{:?}", r);
         assert!(r.is_ok());
 
@@ -2890,7 +2949,12 @@ mod tests {
                 .unwrap();
         }
 
-        let r = wan.generate_challenge_authenticate(creds.clone(), None, None, None, None);
+        let builder = wan
+            .new_challenge_authenticate_builder(creds.clone(), None)
+            .expect("Unable to create authenticate builder");
+
+        let r = wan.generate_challenge_authenticate(builder);
+
         debug!("{:?}", r);
         assert!(r.is_ok());
     }

diff --git a/webauthn-rs/src/lib.rs b/webauthn-rs/src/lib.rs
@@ -679,17 +679,18 @@ impl Webauthn {
         let extensions = None;
         let creds = creds.iter().map(|sk| sk.cred.clone()).collect();
         let policy = Some(UserVerificationPolicy::Required);
-        let allow_backup_eligible_upgrade = Some(true);
+        let allow_backup_eligible_upgrade = true;
         let hints = None;
 
         self.core
-            .generate_challenge_authenticate(
-                creds,
-                policy,
-                extensions,
-                allow_backup_eligible_upgrade,
-                hints,
-            )
+            .new_challenge_authenticate_builder(creds, policy)
+            .map(|builder| {
+                builder
+                    .extensions(extensions)
+                    .allow_backup_eligible_upgrade(allow_backup_eligible_upgrade)
+                    .hints(hints)
+            })
+            .and_then(|b| self.core.generate_challenge_authenticate(b))
             .map(|(rcr, ast)| (rcr, PasskeyAuthentication { ast }))
     }
 
@@ -957,24 +958,25 @@ impl Webauthn {
     ) -> WebauthnResult<(RequestChallengeResponse, SecurityKeyAuthentication)> {
         let extensions = None;
         let creds = creds.iter().map(|sk| sk.cred.clone()).collect();
-        let allow_backup_eligible_upgrade = Some(false);
+        let allow_backup_eligible_upgrade = false;
 
         let policy = if self.user_presence_only_security_keys {
-            UserVerificationPolicy::Discouraged_DO_NOT_USE
+            Some(UserVerificationPolicy::Discouraged_DO_NOT_USE)
         } else {
-            UserVerificationPolicy::Preferred
+            Some(UserVerificationPolicy::Preferred)
         };
 
         let hints = Some(vec![PublicKeyCredentialHints::SecurityKey]);
 
         self.core
-            .generate_challenge_authenticate(
-                creds,
-                Some(policy),
-                extensions,
-                allow_backup_eligible_upgrade,
-                hints,
-            )
+            .new_challenge_authenticate_builder(creds, policy)
+            .map(|builder| {
+                builder
+                    .extensions(extensions)
+                    .allow_backup_eligible_upgrade(allow_backup_eligible_upgrade)
+                    .hints(hints)
+            })
+            .and_then(|b| self.core.generate_challenge_authenticate(b))
             .map(|(rcr, ast)| (rcr, SecurityKeyAuthentication { ast }))
     }
 
@@ -1257,21 +1259,22 @@ impl Webauthn {
         });
 
         let policy = Some(UserVerificationPolicy::Required);
-        let allow_backup_eligible_upgrade = Some(false);
+        let allow_backup_eligible_upgrade = false;
 
         let hints = Some(vec![
             PublicKeyCredentialHints::SecurityKey,
             PublicKeyCredentialHints::ClientDevice,
         ]);
 
         self.core
-            .generate_challenge_authenticate(
-                creds,
-                policy,
-                extensions,
-                allow_backup_eligible_upgrade,
-                hints,
-            )
+            .new_challenge_authenticate_builder(creds, policy)
+            .map(|builder| {
+                builder
+                    .extensions(extensions)
+                    .allow_backup_eligible_upgrade(allow_backup_eligible_upgrade)
+                    .hints(hints)
+            })
+            .and_then(|b| self.core.generate_challenge_authenticate(b))
             .map(|(rcr, ast)| (rcr, AttestedPasskeyAuthentication { ast }))
     }
 
@@ -1321,17 +1324,18 @@ impl Webauthn {
             uvm: Some(true),
             hmac_get_secret: None,
         });
-        let allow_backup_eligible_upgrade = Some(false);
+        let allow_backup_eligible_upgrade = false;
         let hints = None;
 
         self.core
-            .generate_challenge_authenticate(
-                vec![],
-                policy,
-                extensions,
-                allow_backup_eligible_upgrade,
-                hints,
-            )
+            .new_challenge_authenticate_builder(Vec::with_capacity(0), policy)
+            .map(|builder| {
+                builder
+                    .extensions(extensions)
+                    .allow_backup_eligible_upgrade(allow_backup_eligible_upgrade)
+                    .hints(hints)
+            })
+            .and_then(|b| self.core.generate_challenge_authenticate(b))
             .map(|(mut rcr, ast)| {
                 // Force conditional ui - this is not a generic discoverable credential
                 // workflow!
@@ -1499,21 +1503,22 @@ impl Webauthn {
         });
 
         let policy = Some(UserVerificationPolicy::Required);
-        let allow_backup_eligible_upgrade = Some(false);
+        let allow_backup_eligible_upgrade = false;
 
         let hints = Some(vec![
             PublicKeyCredentialHints::SecurityKey,
             PublicKeyCredentialHints::ClientDevice,
         ]);
 
         self.core
-            .generate_challenge_authenticate(
-                creds,
-                policy,
-                extensions,
-                allow_backup_eligible_upgrade,
-                hints,
-            )
+            .new_challenge_authenticate_builder(creds, policy)
+            .map(|builder| {
+                builder
+                    .extensions(extensions)
+                    .allow_backup_eligible_upgrade(allow_backup_eligible_upgrade)
+                    .hints(hints)
+            })
+            .and_then(|b| self.core.generate_challenge_authenticate(b))
             .map(|(rcr, ast)| (rcr, AttestedResidentKeyAuthentication { ast }))
     }