-
-
Notifications
You must be signed in to change notification settings - Fork 916
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Webauthn Verification authenticate endpoint #3331
Add Webauthn Verification authenticate endpoint #3331
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some nits and questions, but otherwise LGTM.
def credential_params | ||
@parameters ||= params.require(:credentials).permit(:id, | ||
:type, | ||
:rawId, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is :rawId
and how does it differ from :id
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the docs, id
is a base 64 encoded string of the id, and the rawID
is the id in binary form. Both are required to verify the credential.
@@ -183,7 +183,10 @@ | |||
|
|||
resources :ownership_calls, only: :index | |||
resources :webauthn_credentials, only: :destroy | |||
get 'webauthn_verification/:webauthn_token', to: 'webauthn_verifications#prompt', as: 'webauthn_verification' | |||
resource :webauthn_verification, only: [] do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dumb question: what does only: []
achieve?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not dumb at all! To my knowledge, you define an only clause to keep the specified actions for a resource (eg. update
, show
, edit
). Since this controller doesn't implement any of those default actions, I put it as []
. I put the "custom" routes in the resource clause to help with grouping and remove some repetition in the code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might be an occasion for a EOL comment. Something like "# 'only' is empty because this controller has custom actions rather than 'show', 'create' etc."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm leaning towards refraining from adding a comment. There's 4-5 occasions of this in the routes file already so this pattern is not going outside any unexpected code. If you feel strongly, I'll add it in!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gotcha. In that case we should leave it uncommented.
035e976
to
c444a2f
Compare
Codecov Report
@@ Coverage Diff @@
## webauthn-cli #3331 +/- ##
=============================================
Coverage 98.54% 98.54%
=============================================
Files 116 116
Lines 3426 3441 +15
=============================================
+ Hits 3376 3391 +15
Misses 50 50
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
||
should respond_with :unauthorized | ||
should "return error message" do | ||
assert_equal "WebAuthn::ChallengeVerificationError", JSON.parse(response.body)["message"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WebAuthn::ChallengeVerificationError
isn't the best error message, I don't think it would be triggered much but could be worth punting it as an future enhancement
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking even better! Some small suggestions.
.rubocop.yml
Outdated
@@ -59,6 +59,7 @@ Metrics/AbcSize: | |||
Metrics/BlockLength: | |||
Exclude: | |||
- test/**/*.rb | |||
- 'config/routes.rb' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was probably time we did this. Might be worth updating Metrics/BlockLength
in .rubocop_todo.yml
to a lower value, since we've just been incrementing it each time we updated routes.rb
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since we've just been incrementing it each time we updated routes.rb.
Oh haha TIL, will do 🫡
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated the rubocop files accordingly. Also added tasks and concerns to the mix of exclusions because the content of a task or concern is supposed to be surrounded by a block.
@@ -183,7 +183,10 @@ | |||
|
|||
resources :ownership_calls, only: :index | |||
resources :webauthn_credentials, only: :destroy | |||
get 'webauthn_verification/:webauthn_token', to: 'webauthn_verifications#prompt', as: 'webauthn_verification' | |||
resource :webauthn_verification, only: [] do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might be an occasion for a EOL comment. Something like "# 'only' is empty because this controller has custom actions rather than 'show', 'create' etc."
get 'webauthn_verification/:webauthn_token', to: 'webauthn_verifications#prompt', as: 'webauthn_verification' | ||
resource :webauthn_verification, only: [] do | ||
get ':webauthn_token', to: 'webauthn_verifications#prompt', as: '' | ||
post ':webauthn_token', to: 'webauthn_verifications#authenticate', as: :authenticate, constraints: { format: /json/ } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why a regex for json
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did some copy and pasta with the regex from another route. I'm intending to keep it as is since we're planning to support html as a format in a followup -> format: /html|json/
.
c444a2f
to
6e5978b
Compare
6e5978b
to
15d33b0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No notes - LGTM.
What problem are you solving?
Part of #3298
Creates the endpoint for the authentication of the webauthn credential. If successful, a json payload of
{"message": "success"}
will be returned. Otherwise,{"message": error_message}
would be returned.What approach did you choose and why?
session[:webauthn_authentication]
, we should be using the webauthn path token to find the user.What should reviewers focus on?
Testing
Follow the tophat instructions from #3324 to get to the prompt page. You are able to authenticate your webauthn credential when clicking the button.