Closed Vagab closed 1 year ago
@tcannonfodder while working on this pr, I've stumbled a question:
I see we're relying on the users defining the relying_party
method(pun intended), which should return the new relying party. However, in WebAuthn::StrategyHelpers
there's a defined relying_party
which looks into the env. Since the users are going to define the relying_party
themselves, what's the purpose of including it in helpers?
IIRC, the Warden strategy operates in an entirely different context, so it doesn't have access to the relying_party
method the user defines. Instead, it pulls from the request's env
hash to get the relying party that the user set up as part of the request's preamble
I think normally that's exactly right, but in our case it seems that the relying_party
method is actually included into the controller. Moreover, if you remove the relying_party
concern from the template you will get a confusing error:
NameError (undefined local variable or method `env' for #<Users::SessionsController:0x00000000010180>)
which happens bc the #env
method was deprecated in rails 5. But that's not the point, the point is that when the relying_party
method is missing from the controller, the warden will call it's own relying_party
method, and since it's clear that the end user has to define the relying_party
method themselves, the warden's relying_party
method's purpose eludes me.
So with the limited time I had to look at the code I propose the following changes, lmk wyt:
relying_party
method in Warden::WebAuthn
env
to be request.env
? Or am I missing smth? Taking a quick look at the warden code, the env
is supposed to be exactly rack env, so I think either changing env
to request.env
or just alias_method :env, :request_env
if we need it to be precisely env should be good.I'm digging into the code, for both; and an alternative is breaking up the Warden::WebAuthn::StrategyHelpers
; or adjusting how it's used in devise-passkeys
Technically; the env
is a special variable passed to strategies when they're initialized: https://github.com/wardencommunity/warden/blob/88d2f59adf5d650238c1e93072635196aea432dc/lib/warden/strategies/base.rb#L45
What's happening here is that we're including Warden::WebAuthn::StrategyHelpers
in non-strategy parts of the codebase because the module has useful helper method, and the idea is:
If we inherit from the
StrategyHelpers
to get theauthentication_challenge_key
,parsed_credential
,relying_party_key
, etc. ; we'll help maintain consistency between the two Rack middlewares.
However, obviously that approach has some sharp edges. From Warden::WebAuthn
's perspective; we want to keep the relying_party
method the way it is, because in the context of that gem, the naming convention makes sense.
But breaking stuff up too much makes the code a maintenance nightmare. I'm going to see about finding a middle ground; possibly with a Warden::WebAuthn::RackHelpers
that is automatically included when StrategyHelpers
is included
resolves #24