The Rails app in my current company uses custom authentication, and for a hack week I wanted to add support for passkeys. For this I wanted to try leveraging Rodauth's implementation, by using Rodauth as a library.
This PR extends the internal_request feature with support for WebAuthn actions. Initially, the *_params methods were returning webauthn-ruby's credential objects, but that required manually HMAC'ing the challenge. So, I used the same approach as otp_setup_params and returned the data as a hash. I like that this encapsulates webauthn-ruby usage within Rodauth, and the caller just deals with plain hashes.
The webauthn feature adds webauthn_setup_params, webauthn_setup, webauthn_auth_params, webauthn_auth and webauthn_remove methods, the webauthn_login feature adds webauthn_login_params and webauthn_login methods, while the webauthn_autofill feature makes webauthn_login_params not require the login param. The webauthn_login method is the only one that returns something (account ID); I was deciding whether I should make webauthn_setup return the credential ID, but realized the caller can already retrieve it from the navigator.credentials.create result.
I tested this in a sample app, and everything seems to be working correctly 🙂
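The description above mentions HMAC'ing the challenge and handing the caller plain hashes. As an added illustration (not code from this PR or from Rodauth), the sketch below shows the general stateless-challenge pattern this refers to: the params step returns a challenge together with its HMAC, and the submit step recomputes the HMAC before trusting the challenge. The module name, hash keys and secret are hypothetical.

```ruby
require "openssl"
require "securerandom"
require "base64"

# Hypothetical helper, not Rodauth's API: the server keeps no per-request
# state and instead authenticates the challenge it issued with an HMAC.
module ChallengeParams
  # Constructed demo value; a real application loads its secret from config.
  SECRET = "constructed-demo-secret"

  module_function

  # HMAC-SHA256 over the encoded challenge, URL-safe base64 without padding.
  def hmac(challenge)
    raw = OpenSSL::HMAC.digest("SHA256", SECRET, challenge)
    Base64.urlsafe_encode64(raw, padding: false)
  end

  # "params" step: a plain hash the caller can pass to the browser as-is.
  def setup_params
    challenge = Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false)
    { challenge: challenge, challenge_hmac: hmac(challenge) }
  end

  # "submit" step: accept the challenge only if its HMAC matches.
  # Missing keys become empty strings and are rejected by the comparison.
  def valid_challenge?(params)
    challenge = params[:challenge].to_s
    given = params[:challenge_hmac].to_s
    OpenSSL.secure_compare(given, hmac(challenge)) # constant-time comparison
  end
end

if $PROGRAM_NAME == __FILE__
  params = ChallengeParams.setup_params
  puts "issued:   #{params.inspect}"
  puts "accepted: #{ChallengeParams.valid_challenge?(params)}"
  tampered = params.merge(challenge: params[:challenge] + "A")
  puts "tampered: #{ChallengeParams.valid_challenge?(tampered)}"
end
```

The HMAC only proves the server issued the challenge; the WebAuthn response itself still has to be verified against that challenge.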