[X] This feature helps everyone using this package
[X] It's feasible and maintainable
[X] It's non-breaking
[ ] I issued a PR with the implementation (optional)
Description
When a user logs in via Assertion, a session key should be set with the ID of the credential used to log in via assertion.
This would help developers check which device the user is using, and reject disabling the current device by mistake through a simple ID comparison: if the credential ID is equal to the session credential ID, don't allow disabling it.
Implementation should be in the guard. Assertion pipelines should be kept as-is, as the feature is authentication-session-specific.
Code sample
/**
* Validate the WebAuthn assertion.
*/
protected function validateWebAuthn(WebAuthnAuthenticatable $user, array $credentials): bool
{
try {
// When we hit this method, we already have the user for the credential, so we will
// pass it to the Assertion Validation data, thus avoiding fetching it again.
$this->validator
->send(new AssertionValidation(new JsonTransport($credentials), $user))
->thenReturn();
} catch (AssertionException $e) {
// If we're debugging, like under local development, push the error to the logger.
if (config('app.debug')) {
logger($e->getMessage());
}
return false;
}
+ // If the dev has ID-on-session enabled, set it.
+ if (config('webauthn.auth.set_id')) {
+ $this->session->put(
+ config('webauthn.auth.session_key', '_webauthn.credential_id'),
+ $credentials['id']
+ ):
+ }
return true;
}
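Review bot: the `$this->session->put(` call in the added block is closed with `):` instead of `);`, which is a parse error; change the closing line to `);`. Keeping the `put` after the try/catch is the right place for it: `$credentials['id']` is the client-submitted ID, and it is only safe to persist once the `AssertionValidation` above has accepted it rather than thrown. Note also that the hunk only ever sets the key; nothing here clears it, so if the same session is later authenticated by another method the stale credential ID stays in the session until the session is invalidated, which is worth documenting for anyone relying on the comparison.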
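As an added example of the consumer side of this proposal (not code from this issue or from the package), here is a controller action that uses the proposed session key to refuse disabling the credential the current session was signed in with. The relation name `webAuthnCredentials()`, the `disabled_at` column, the route parameter and the controller itself are assumptions for illustration; only the session key name and config key are taken from the proposal above.

```php
<?php
// Added example, not part of the proposal or the package. Assumes:
//  - the guard has stored the base64url credential ID under the proposed
//    session key (config('webauthn.auth.session_key', '_webauthn.credential_id'));
//  - the user model exposes a webAuthnCredentials() Eloquent relation whose
//    primary key is the credential ID string and which has a `disabled_at` column.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class WebAuthnCredentialController
{
    /**
     * Disable one of the authenticated user's credentials, unless it is the one
     * that authenticated the current session.
     */
    public function disable(Request $request, string $credentialId): JsonResponse
    {
        $user = $request->user();

        // Scope the lookup to the current user so one user cannot disable another's
        // credential; a miss is a 404 so the endpoint does not confirm foreign IDs.
        $credential = $user->webAuthnCredentials()->whereKey($credentialId)->first();

        if ($credential === null) {
            return response()->json(['message' => 'Credential not found.'], 404);
        }

        $sessionCredentialId = $request->session()->get(
            config('webauthn.auth.session_key', '_webauthn.credential_id')
        );

        if (self::isCurrentSessionCredential($sessionCredentialId, $credentialId)) {
            return response()->json(
                ['message' => 'You cannot disable the credential used to sign in to this session.'],
                422
            );
        }

        $credential->disabled_at = now();
        $credential->save();

        return response()->json(['message' => 'Credential disabled.']);
    }

    /**
     * True when the target credential is the one recorded for this session.
     * A missing session value (feature disabled, or the session was not
     * authenticated via assertion) never blocks the operation.
     * The credential ID is not a secret, so a strict string comparison is enough.
     */
    public static function isCurrentSessionCredential(?string $sessionCredentialId, string $targetCredentialId): bool
    {
        if ($sessionCredentialId === null || $sessionCredentialId === '') {
            return false;
        }

        return $sessionCredentialId === $targetCredentialId;
    }
}
```

The check deliberately treats an absent session key as "not the current device" rather than as an error, so enabling `webauthn.auth.set_id` later does not break sessions that were authenticated before the option was switched on.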