infinisil
commented
2 years ago I talked about this with @ErinvanderVeen. We came to this conclusion:
- Don't call these things registries. While they resemble registries to the degree that you register an identifier to a specific format in the server, these are only the supported formats. More formats could be registered but not implemented. So the existing name of
SupportedAttestationStatementFormatsis good. - Don't introduce the
WebAuthnRegistriestype. Breaking compatibility is alright once we start supporting extensions. Also, we have to break compatibility anyways, even with aWebAuthnRegistriestype if it gets an additional field (unless we don't export the direct constructors/deconstructors) - Keep
allSupportedFormats - In order to bring uniformity to decoding, just introduce a
decodeCredentialRegistrationthat doesn't take aSupportedAttestationStatementFormats, while still providing a prime version,decodeCredentialRegistration'which does have the supported formats as an argument. By doing this we allow library users to stay backwards compatible if they use the non-prime version. This later then also works for extensions, at which point we will also introduce adecodeCredentialAuthentication', but keep thedecodeCredentialAuthenticationwith the same type
Makes sure that we won't have to break compatibility in the future when extensions are implemented, see #35
SupportedAttestationStatementFormatstoAttestationStatementFormatRegistryWebAuthnRegistriestype, currently only consisting of anAttestationStatementFormatRegistryand use it throughout instead of the latterallSupportedFormats :: AttestationStatementFormatRegistrywithsupportedRegistries :: WebAuthnRegistriesWebAuthnRegistries, but also the authentication response decoding, so that we later don't have to break compatibility when extensions are implemented