Last call for changes! - Githubissues

kanidm / webauthn-rs

An implementation of webauthn components for Rustlang servers

Mozilla Public License 2.0

491 stars 80 forks source link

Last call for changes! #167

Closed Firstyear closed 2 years ago

Firstyear commented 2 years ago

Last call for ideas! I want to do the next release soon and stop changing the api so much, so now is your time to give constructive feedback! From my side I will commit a fido metadata service library and parser first before I do the release, currently I'm thinking to do the next release on 16th of August.

@agrinman @benwis @devsnek @yaleman @ericmarkmartin

devsnek commented 2 years ago

All good here. Only thing that comes to mind was my suggestion about changing the finish methods to return the mutated credential, but that's not really needed.

benwis commented 2 years ago

For our use case, I think we're solid. We're not doing anything fancy though. I'll be sure to post if I come up with anything in testing over the next few days.

Firstyear commented 2 years ago

All good here. Only thing that comes to mind was my suggestion about changing the finish methods to return the mutated credential, but that's not really needed.

I did look into it, and the reason I chose not to implement it is:

Most passkeys will never actually need updating because they lack an internal counter
Passkeys already assume the backup state bit is true WRT to security, so even if this flagged changed, it doesn't impact anything
It can be simulated with needs_update + credential_id to find then pre-clone the credential before you apply the update

ericmarkmartin commented 2 years ago

If we're trying to stabilize a bit here, should we think about pulling the ephemeral module?

Firstyear commented 2 years ago

@ericmarkmartin It's already been removed :) the whole interface has a huge set of changes.

aseigler commented 2 years ago

Last call for ideas! I want to do the next release soon and stop changing the api so much, so now is your time to give constructive feedback! From my side I will commit a fido metadata service library and parser first before I do the release, currently I'm thinking to do the next release on 16th of August.

@agrinman @benwis @devsnek @yaleman @ericmarkmartin

Any chance you'd want to tackle ECC key usage in the TPM attestation type? The only thing that really changes much is the unique part of pubArea.

Firstyear commented 2 years ago

@aseigler I don't have any samples sadly, so I can't really validate or confirm it works. But it also isn't api breaking to add that later.

aseigler commented 2 years ago

@aseigler I don't have any samples sadly, so I can't really validate or confirm it works. But it also isn't api breaking to add that later.

I can help with samples and validation. True it won't break api.

Firstyear commented 2 years ago

@aseigler If you put it through the compat test https://webauthn.firstyear.id.au/compat_test and submit the json in a report, we can implement it :)

aseigler commented 2 years ago

~~Will do tomorrow morning~~ Done!

Firstyear commented 2 years ago

Thanks everyone! I've just published 4.3 (because of some earlier version hiccups). Thank you all for your support, ideas and contributions! Happy-authenticating!