Closed smessmer closed 9 months ago
Sure I think we can make this configurable. Should be an easy PR if you want to submit it?
Which solution do you prefer? Config in WebauthnBuilder or parameter in the flow?
I think WebauthnBuilder - timeouts per-flow seem confusing and don't really have a great benefit. The actual security properties here are from the unique challenges rather than timeouts. Should be an Option<> type though where None means to use the default.
Is your feature request related to a problem? Please describe.
On Android, users need to fulfill some eligibility requirements (e.g. device screen lock is set up, Google Account is logged in) to be able to store Passkeys in Google's Password Manager. If we try to create a passkey but those requirements aren't met, then the operating system can ask the user to fix that (e.g. set up a screen lock) right in the passkey creation flow, but that needs extra time and most users will timeout the default 60 seconds webauthn-rs sets for passkey challenges. Can this be made configurable so that we can set a longer timeout?

Describe the solution you'd like
A way to configure timeouts. Either as a setting in WebauthnBuilder that allows us to change the default, or as a parameter when we're actually creating the challenges.

Describe alternatives you've considered
Manually post-processing the challenge JSON returned by webauthn-rs. It works but it's ugly.
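
The design discussed in this thread, as an added sketch that is not webauthn-rs code: a builder-level timeout taken as an Option (None keeps the 60-second default the issue cites), with single-use challenge tracking to show that replay protection comes from the challenge rather than from the timeout. All type and method names are hypothetical, and the challenge bytes are assumed to come from a CSPRNG.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

// Hypothetical names throughout; this is not the webauthn-rs API.
const DEFAULT_TIMEOUT: Duration = Duration::from_secs(60); // default cited in the issue

#[derive(Debug, PartialEq)]
pub enum Reject { UnknownOrReplayed, Expired }

pub struct Ceremonies {
    timeout: Duration,
    pending: HashMap<[u8; 32], Instant>, // challenge -> time it was issued
}

impl Ceremonies {
    /// `None` keeps the default, as proposed in the thread.
    pub fn new(timeout: Option<Duration>) -> Self {
        Ceremonies { timeout: timeout.unwrap_or(DEFAULT_TIMEOUT), pending: HashMap::new() }
    }

    /// Value for the `timeout` hint sent to the client, in milliseconds.
    pub fn timeout_ms(&self) -> u32 {
        self.timeout.as_millis().min(u32::MAX as u128) as u32
    }

    /// Register an issued challenge. Assumption: the caller drew it from a CSPRNG.
    pub fn begin(&mut self, challenge: [u8; 32], now: Instant) {
        self.pending.insert(challenge, now);
    }

    /// Accept a response only for a challenge we issued, once, inside the window.
    pub fn finish(&mut self, challenge: &[u8; 32], now: Instant) -> Result<(), Reject> {
        // Removing before the expiry check makes every challenge single-use,
        // so a longer timeout never lets a response be replayed.
        let issued = self.pending.remove(challenge).ok_or(Reject::UnknownOrReplayed)?;
        if now.duration_since(issued) > self.timeout {
            return Err(Reject::Expired);
        }
        Ok(())
    }
}

fn main() {
    let t0 = Instant::now();
    let mut c = Ceremonies::new(Some(Duration::from_secs(300)));
    c.begin([7u8; 32], t0); // constructed sample challenge
    println!("{:?}", c.finish(&[7u8; 32], t0 + Duration::from_secs(120))); // Ok(())
    println!("{:?}", c.finish(&[7u8; 32], t0 + Duration::from_secs(121))); // Err(UnknownOrReplayed)
}
```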