AuthenticationInitiationHelpers#store_challenge_in_jwt for REST APIs

[asavageiv]

Would you be interested in a PR that adds store_challenge_in_jwt to AuthenticationInitiationHelpers? This would help out apps that can't use cookies.

[tcannonfodder]

Yes, that’s a great idea! 😄 Thanks for offering to tackle this!

[asavageiv]

Is storing the challenge in the cookies allowed per the specification?
https://w3c.github.io/webauthn/#sctn-cryptographic-challenges

Could an attacker who can see the cookies being sent replay an authentication request to gain access to the system? Deleting the challenge from the session doesn't prevent that, right?

[tcannonfodder]

Shit; it’s possible, yeah; based on these docs: https://guides.rubyonrails.org/security.html#replay-attacks-for-cookiestore-sessions

We should have integration or system tests that test this session replay attack scenario; and figure out next steps if it is possible.

my plate is swamped currently, could you write these tests?

[asavageiv]

Unfortunately I am also swamped at the moment. Do you agree it's a non-issue for HTTPS?