Add Webauthn Verification authenticate endpoint

[jenshenny]

What problem are you solving?

Part of #3298

Creates the endpoint for the authentication of the webauthn credential. If successful, a json payload of {"message": "success"} will be returned. Otherwise, {"message": error_message} would be returned.

What approach did you choose and why?

• The logic is inspired off of the logic in the sessions controller. I memoized the different variables used to reduce the size of the original method.
• Removing user as a part of session[:webauthn_authentication], we should be using the webauthn path token to find the user.

What should reviewers focus on?

• Any missing test cases
• Is authenticate the right action name? Was thinking between authenticate or verify, but chose authenticate since verify might be confused with the webauthn verification object itself.

Testing

Follow the tophat instructions from #3324 to get to the prompt page. You are able to authenticate your webauthn credential when clicking the button.

[jchestershopify]

Some nits and questions, but otherwise LGTM.

[jchestershopify]

What is :rawId and how does it differ from :id?

[jenshenny]

In the docs, id is a base 64 encoded string of the id, and the rawID is the id in binary form. Both are required to verify the credential.

[jchestershopify]

Dumb question: what does only: [] achieve?

[jenshenny]

Not dumb at all! To my knowledge, you define an only clause to keep the specified actions for a resource (eg. update, show, edit). Since this controller doesn't implement any of those default actions, I put it as []. I put the "custom" routes in the resource clause to help with grouping and remove some repetition in the code.

[jchestershopify]

This might be an occasion for a EOL comment. Something like "# 'only' is empty because this controller has custom actions rather than 'show', 'create' etc."

[jenshenny]

I'm leaning towards refraining from adding a comment. There's 4-5 occasions of this in the routes file already so this pattern is not going outside any unexpected code. If you feel strongly, I'll add it in!

[jchestershopify]

Gotcha. In that case we should leave it uncommented.

[codecov]

Codecov Report

Merging #3331 (15d33b0) into webauthn-cli (7cf09a7) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@              Coverage Diff              @@
##           webauthn-cli    #3331   +/-   ##
=============================================
  Coverage         98.54%   98.54%           
=============================================
  Files               116      116           
  Lines              3426     3441   +15     
=============================================
+ Hits               3376     3391   +15     
  Misses               50       50           

Impacted Files	Coverage Δ
...p/controllers/webauthn_verifications_controller.rb	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[jenshenny]

WebAuthn::ChallengeVerificationError isn't the best error message, I don't think it would be triggered much but could be worth punting it as an future enhancement

[jchestershopify]

Looking even better! Some small suggestions.

[jchestershopify]

It was probably time we did this. Might be worth updating Metrics/BlockLength in .rubocop_todo.yml to a lower value, since we've just been incrementing it each time we updated routes.rb.

[jenshenny]

since we've just been incrementing it each time we updated routes.rb.

Oh haha TIL, will do 🫡

[jenshenny]

Updated the rubocop files accordingly. Also added tasks and concerns to the mix of exclusions because the content of a task or concern is supposed to be surrounded by a block.

[jchestershopify]

This might be an occasion for a EOL comment. Something like "# 'only' is empty because this controller has custom actions rather than 'show', 'create' etc."

[jchestershopify]

Why a regex for json?

[jenshenny]

I did some copy and pasta with the regex from another route. I'm intending to keep it as is since we're planning to support html as a format in a followup -> format: /html|json/.

[jchestershopify]

No notes - LGTM.