Closed truongnmt closed 1 year ago
Great callout, after using this template as inspiration for my own implementation I came back to make this same issue. Hopefully folks in the future will see this and understand that they can simplify the implementation a bit by using id
and not manually encoding the raw_id
@Brantron have you seen a refreshed implementation on the client side anywhere? I don't use UJS, only Turbo + Stimulus, so I need to refactor all the xhr eventing.
I suppose I should just start fresh, using https://github.com/github/webauthn-json/blob/main/src/dev/demo/index.ts as a guide
First, thanks for the implementation! Carefully written, also the test was really helpful!
By the way, when I read the credential callback implementation: https://github.com/cedarcode/webauthn-rails-demo-app/blob/d9b73e20a7272e8d9f7a26c48ec49e5100295939/app/controllers/credentials_controller.rb#L27
Why do we have to base64 encode the
rawId
? Why not usewebauthn_credential.id
straight away? As written in spec,id
isbase64(rawId)
already. By manuallybase64(rawId)
and save it to the database, what benefit do we have over savingid
? https://www.w3.org/TR/credential-management-1/#dom-credential-idBeside, in
session_controller
we use the base64 encodedrawId
to create allow list and send to authenticator. https://github.com/cedarcode/webauthn-rails-demo-app/blob/d9b73e20a7272e8d9f7a26c48ec49e5100295939/app/controllers/sessions_controller.rb#L11So overall, save
id
returned from authenticator then using thatid
to send back to authenticator make sense to me.