feat: follow REST standard for getting passkey options

Author: nicolastemciuc

app/controllers/devise/passkey_authentication_options_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeyAuthenticationOptionsController < DeviseController
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_get(
+          user_verification: "required"
+        )
+
+      # Store challenge in session for later verification
+      session[:authentication_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+  end
+end

app/controllers/devise/passkey_registration_options_controller.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeyRegistrationOptionsController < DeviseController
+    before_action :authenticate_scope!
+
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_create(
+          user: {
+            id: resource.webauthn_id,
+            name: resource_human_palatable_identifier
+          },
+          exclude: resource.passkeys.pluck(:external_id),
+          authenticator_selection: {
+            resident_key: "required",
+            user_verification: "required"
+          }
+        )
+
+      # Store challenge in session for later verification
+      session[:webauthn_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+
+    private
+
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!", force: true)
+      self.resource = send(:"current_#{resource_name}")
+    end
+
+    def resource_human_palatable_identifier
+      authentication_keys = resource.class.authentication_keys
+      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
+
+      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
+    end
+  end
+end

app/controllers/devise/passkeys_controller.rb

@@ -2,7 +2,7 @@
 
 module Devise
   class PasskeysController < DeviseController
-    before_action :authenticate_scope!, only: %i[new create destroy options_for_create]
+    before_action :authenticate_scope!
 
     def new; end
 
@@ -32,38 +32,6 @@ def destroy
       redirect_to after_update_path
     end
 
-    def options_for_get
-      passkey_authentication_options =
-        WebAuthn::Credential.options_for_get(
-          user_verification: "required"
-        )
-
-      # Store challenge in session for later verification
-      session[:authentication_challenge] = passkey_authentication_options.challenge
-
-      render json: passkey_authentication_options
-    end
-
-    def options_for_create
-      create_passkey_options =
-        WebAuthn::Credential.options_for_create(
-          user: {
-            id: resource.webauthn_id,
-            name: resource_human_palatable_identifier
-          },
-          exclude: resource.passkeys.pluck(:external_id),
-          authenticator_selection: {
-            resident_key: "required",
-            user_verification: "required"
-          }
-        )
-
-      # Store challenge in session for later verification
-      session[:webauthn_challenge] = create_passkey_options.challenge
-
-      render json: create_passkey_options
-    end
-
     private
 
     def authenticate_scope!
@@ -90,12 +58,5 @@ def verify_and_save_passkey(passkey_from_params)
     def after_update_path
       new_passkey_path(resource_name)
     end
-
-    def resource_human_palatable_identifier
-      authentication_keys = resource.class.authentication_keys
-      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
-
-      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
-    end
   end
 end

lib/devise/webauthn/helpers/credentials_helper.rb

@@ -10,7 +10,7 @@ def passkey_creation_form_for(resource, form_classes: nil, &block)
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_create(data: { options_url: options_for_create_passkeys_path(resource) }) do
+          tag.webauthn_create(data: { options_url: passkey_registration_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
@@ -23,7 +23,7 @@ def login_with_passkey_button(text = nil, session_path:, button_classes: nil, fo
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_get(data: { options_url: options_for_get_passkeys_path(resource) }) do
+          tag.webauthn_get(data: { options_url: passkey_authentication_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
 
             concat f.button(text, type: "submit", class: button_classes, &block)

lib/devise/webauthn/routes.rb

@@ -6,10 +6,11 @@ class Mapper
       protected
 
       def devise_passkey_authentication(_mapping, controllers)
-        resources :passkeys, only: %i[new create destroy], controller: controllers[:passkeys] do
-          get :options_for_get, on: :collection
-          get :options_for_create, on: :collection
-        end
+        resources :passkeys, only: %i[new create destroy], controller: controllers[:passkeys]
+        resources :passkey_authentication_options, only: %i[index],
+                                                   controller: controllers[:passkey_authentication_options]
+        resources :passkey_registration_options, only: %i[index],
+                                                 controller: controllers[:passkey_registration_options]
       end
 
       def devise_two_factor_authentication(_mapping, controllers)

lib/devise/webauthn/url_helpers.rb

@@ -22,8 +22,10 @@ module Webauthn
     #
     module UrlHelpers
       {
-        passkeys: [nil, :options_for_get, :options_for_create],
+        passkeys: [nil],
         passkey: [nil, :new],
+        passkeys_authentication_options: [nil],
+        passkeys_registration_options: [nil],
         two_factor_authentication: [nil, :new],
         second_factor_webauthn_credentials: [nil, :options_for_get, :options_for_create],
         second_factor_webauthn_credential: [nil, :new]

lib/generators/devise/webauthn/templates/controllers/passkeys_authentication_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>PasskeysAuthenticationOptionsController < Devise::PasskeysController
+  # GET /resource/authentication_options
+  # def index
+  #   super
+  # end
+end

lib/generators/devise/webauthn/templates/controllers/passkeys_registration_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>PasskeysRegistrationOptionsController < Devise::PasskeysController
+  # GET /resource/passkeys
+  # def index
+  #   super
+  # end
+end

spec/requests/devise/passkey_authentication_options_controller_spec.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Devise::PasskeyAuthenticationOptionsController, type: :request do
+  describe "GET #index" do
+    it "stores the challenge in session and returns it as json" do
+      get account_passkeys_authentication_options_path
+
+      expect(response).to have_http_status(:ok)
+
+      json = response.parsed_body
+      expect(json["challenge"]).to be_present
+      expect(session[:authentication_challenge]).to eq(json["challenge"])
+    end
+
+    it "generates a new challenge on each request" do
+      get account_passkeys_authentication_options_path
+      first_challenge = session[:authentication_challenge]
+
+      get account_passkeys_authentication_options_path
+      second_challenge = session[:authentication_challenge]
+
+      expect(first_challenge).to be_present
+      expect(second_challenge).not_to eq(first_challenge)
+    end
+  end
+end

spec/requests/devise/passkey_registration_options_controller_spec.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Devise::PasskeyRegistrationOptionsController, type: :request do
+  let(:user) { Account.create!(email: "test@example.com", password: "password123") }
+
+  describe "GET #index" do
+    context "when user is not authenticated" do
+      it "redirects to the sign-in page" do
+        get account_passkeys_registration_options_path
+        expect(response).to redirect_to(new_account_session_path)
+      end
+    end
+
+    context "when user is authenticated" do
+      before do
+        sign_in user, scope: :account
+      end
+
+      it "returns webauthn create options as json and stores the challenge in session" do
+        get account_passkeys_registration_options_path
+
+        expect(response).to have_http_status(:ok)
+
+        json = response.parsed_body
+        expect(json["challenge"]).to be_present
+
+        expect(session[:webauthn_challenge]).to eq(json["challenge"])
+      end
+
+      it "generates a new challenge on each request" do
+        get account_passkeys_registration_options_path
+        first_challenge = session[:webauthn_challenge]
+
+        get account_passkeys_registration_options_path
+        second_challenge = session[:webauthn_challenge]
+
+        expect(first_challenge).to be_present
+        expect(second_challenge).to be_present
+        expect(second_challenge).not_to eq(first_challenge)
+      end
+    end
+  end
+end