feat: follow REST standard for getting passkey options

nicolastemciuc · nicolastemciuc · commit 4445c4d8c54c · 2026-01-16T17:10:26.000-03:00
diff --git a/app/controllers/devise/passkeys_authentication_options_controller.rb b/app/controllers/devise/passkeys_authentication_options_controller.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeysAuthenticationOptionsController < DeviseController
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_get(
+          user_verification: "required"
+        )
+
+      # Store challenge in session for later verification
+      session[:authentication_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+  end
+end
diff --git a/app/controllers/devise/passkeys_controller.rb b/app/controllers/devise/passkeys_controller.rb
@@ -2,7 +2,7 @@
 
 module Devise
   class PasskeysController < DeviseController
-    before_action :authenticate_scope!, only: %i[new create destroy options_for_create]
+    before_action :authenticate_scope!
 
     def new; end
 
@@ -32,38 +32,6 @@ def destroy
       redirect_to after_update_path
     end
 
-    def options_for_get
-      passkey_authentication_options =
-        WebAuthn::Credential.options_for_get(
-          user_verification: "required"
-        )
-
-      # Store challenge in session for later verification
-      session[:authentication_challenge] = passkey_authentication_options.challenge
-
-      render json: passkey_authentication_options
-    end
-
-    def options_for_create
-      create_passkey_options =
-        WebAuthn::Credential.options_for_create(
-          user: {
-            id: resource.webauthn_id,
-            name: resource_human_palatable_identifier
-          },
-          exclude: resource.passkeys.pluck(:external_id),
-          authenticator_selection: {
-            resident_key: "required",
-            user_verification: "required"
-          }
-        )
-
-      # Store challenge in session for later verification
-      session[:webauthn_challenge] = create_passkey_options.challenge
-
-      render json: create_passkey_options
-    end
-
     private
 
     def authenticate_scope!
@@ -90,12 +58,5 @@ def verify_and_save_passkey(passkey_from_params)
     def after_update_path
       new_passkey_path(resource_name)
     end
-
-    def resource_human_palatable_identifier
-      authentication_keys = resource.class.authentication_keys
-      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
-
-      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
-    end
   end
 end
diff --git a/app/controllers/devise/passkeys_registration_options_controller.rb b/app/controllers/devise/passkeys_registration_options_controller.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeysRegistrationOptionsController < DeviseController
+    before_action :authenticate_scope!
+
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_create(
+          user: {
+            id: resource.webauthn_id,
+            name: resource_human_palatable_identifier
+          },
+          exclude: resource.passkeys.pluck(:external_id),
+          authenticator_selection: {
+            resident_key: "required",
+            user_verification: "required"
+          }
+        )
+
+      # Store challenge in session for later verification
+      session[:webauthn_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+
+    private
+
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!", force: true)
+      self.resource = send(:"current_#{resource_name}")
+    end
+
+    def resource_human_palatable_identifier
+      authentication_keys = resource.class.authentication_keys
+      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
+
+      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
+    end
+  end
+end
diff --git a/lib/devise/webauthn/helpers/credentials_helper.rb b/lib/devise/webauthn/helpers/credentials_helper.rb
@@ -10,7 +10,7 @@ def passkey_creation_form_for(resource, form_classes: nil, &block)
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_create(data: { options_url: options_for_create_passkeys_path(resource) }) do
+          tag.webauthn_create(data: { options_url: passkeys_registration_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
@@ -23,7 +23,7 @@ def login_with_passkey_button(text = nil, session_path:, button_classes: nil, fo
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_get(data: { options_url: options_for_get_passkeys_path(resource) }) do
+          tag.webauthn_get(data: { options_url: passkeys_authentication_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
 
             concat f.button(text, type: "submit", class: button_classes, &block)
diff --git a/lib/devise/webauthn/routes.rb b/lib/devise/webauthn/routes.rb
@@ -6,10 +6,11 @@ class Mapper
       protected
 
       def devise_passkey_authentication(_mapping, controllers)
-        resources :passkeys, only: %i[new create destroy], controller: controllers[:passkeys] do
-          get :options_for_get, on: :collection
-          get :options_for_create, on: :collection
-        end
+        resources :passkeys, only: %i[new create destroy], controller: controllers[:passkeys]
+        resources :passkeys_authentication_options, only: %i[index],
+                                                    controller: controllers[:passkeys_authentication_options]
+        resources :passkeys_registration_options, only: %i[index],
+                                                  controller: controllers[:passkeys_registration_options]
       end
 
       def devise_two_factor_authentication(_mapping, controllers)
diff --git a/lib/devise/webauthn/url_helpers.rb b/lib/devise/webauthn/url_helpers.rb
@@ -22,8 +22,10 @@ module Webauthn
     #
     module UrlHelpers
       {
-        passkeys: [nil, :options_for_get, :options_for_create],
+        passkeys: [nil],
         passkey: [nil, :new],
+        passkeys_authentication_options: [nil],
+        passkeys_registration_options: [nil],
         two_factor_authentication: [nil, :new],
         second_factor_webauthn_credentials: [nil, :options_for_get, :options_for_create],
         second_factor_webauthn_credential: [nil, :new]
diff --git a/lib/generators/devise/webauthn/templates/controllers/passkeys_authentication_options_controller.rb.tt b/lib/generators/devise/webauthn/templates/controllers/passkeys_authentication_options_controller.rb.tt
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>PasskeysAuthenticationOptionsController < Devise::PasskeysController
+  # GET /resource/authentication_options
+  # def index
+  #   super
+  # end
+end
diff --git a/lib/generators/devise/webauthn/templates/controllers/passkeys_registration_options_controller.rb.tt b/lib/generators/devise/webauthn/templates/controllers/passkeys_registration_options_controller.rb.tt
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>PasskeysRegistrationOptionsController < Devise::PasskeysController
+  # GET /resource/passkeys
+  # def index
+  #   super
+  # end
+end
diff --git a/spec/requests/devise/passkeys_authentication_options_controller_spec.rb b/spec/requests/devise/passkeys_authentication_options_controller_spec.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Devise::PasskeysAuthenticationOptionsController, type: :request do
+  describe "GET #index" do
+    it "stores the challenge in session and returns it as json" do
+      get account_passkeys_authentication_options_path
+
+      expect(response).to have_http_status(:ok)
+
+      json = response.parsed_body
+      expect(json["challenge"]).to be_present
+      expect(session[:authentication_challenge]).to eq(json["challenge"])
+    end
+
+    it "generates a new challenge on each request" do
+      get account_passkeys_authentication_options_path
+      first_challenge = session[:authentication_challenge]
+
+      get account_passkeys_authentication_options_path
+      second_challenge = session[:authentication_challenge]
+
+      expect(first_challenge).to be_present
+      expect(second_challenge).not_to eq(first_challenge)
+    end
+  end
+end
diff --git a/spec/requests/devise/passkeys_controller_spec.rb b/spec/requests/devise/passkeys_controller_spec.rb
@@ -31,7 +31,7 @@
     context "when user is authenticated" do
       before do
         sign_in user, scope: :account
-        get options_for_create_account_passkeys_path # To set the challenge in session
+        get account_passkeys_registration_options_path # To set the challenge in session
       end
 
       context "with valid parameters" do
@@ -118,62 +118,4 @@
       end
     end
   end
-
-  # rubocop:disable RSpec/MultipleExpectations
-  describe "GET #options_for_get" do
-    it "returns authentication options and stores the challenge in the session" do
-      get options_for_get_account_passkeys_path
-
-      expect(response).to have_http_status(:ok)
-      expect(response.media_type).to eq("application/json")
-
-      body = response.parsed_body
-      expect(body).to include("challenge")
-      expect(session[:authentication_challenge]).to be_present
-    end
-  end
-
-  describe "GET #options_for_create" do
-    context "when user is authenticated" do
-      before do
-        sign_in user, scope: :account
-      end
-
-      it "returns passkey creation options and stores the challenge in the session" do
-        get options_for_create_account_passkeys_path
-
-        expect(response).to have_http_status(:ok)
-        expect(response.media_type).to eq("application/json")
-
-        body = response.parsed_body
-        expect(body).to include("challenge")
-        expect(body.dig("user", "name")).to eq(user.email)
-        expect(session[:webauthn_challenge]).to be_present
-      end
-
-      it "includes existing passkeys in the excludeCredentials list" do
-        user.passkeys.create!(
-          external_id: "existing-external-id",
-          name: "Existing Passkey",
-          public_key: "public-key",
-          sign_count: 0
-        )
-
-        get options_for_create_account_passkeys_path
-
-        body = response.parsed_body
-        exclude_credentials = body["excludeCredentials"] || []
-
-        expect(exclude_credentials.size).to eq(user.passkeys.count)
-      end
-    end
-
-    context "when user is not authenticated" do
-      it "redirects to the sign-in page" do
-        get options_for_create_account_passkeys_path
-        expect(response).to redirect_to(new_account_session_path)
-      end
-    end
-  end
-  # rubocop:enable RSpec/MultipleExpectations
 end
diff --git a/spec/requests/devise/passkeys_registration_options_controller_spec.rb b/spec/requests/devise/passkeys_registration_options_controller_spec.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Devise::PasskeysRegistrationOptionsController, type: :request do
+  let(:user) { Account.create!(email: "test@example.com", password: "password123") }
+
+  describe "GET #index" do
+    context "when user is not authenticated" do
+      it "redirects to the sign-in page" do
+        get account_passkeys_registration_options_path
+        expect(response).to redirect_to(new_account_session_path)
+      end
+    end
+
+    context "when user is authenticated" do
+      before do
+        sign_in user, scope: :account
+      end
+
+      it "returns webauthn create options as json and stores the challenge in session" do
+        get account_passkeys_registration_options_path
+
+        expect(response).to have_http_status(:ok)
+
+        json = response.parsed_body
+        expect(json["challenge"]).to be_present
+
+        expect(session[:webauthn_challenge]).to eq(json["challenge"])
+      end
+
+      it "generates a new challenge on each request" do
+        get account_passkeys_registration_options_path
+        first_challenge = session[:webauthn_challenge]
+
+        get account_passkeys_registration_options_path
+        second_challenge = session[:webauthn_challenge]
+
+        expect(first_challenge).to be_present
+        expect(second_challenge).to be_present
+        expect(second_challenge).not_to eq(first_challenge)
+      end
+    end
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -22,8 +22,10 @@ module Webauthn`
`22`	`22`	`#`
`23`	`23`	`module UrlHelpers`
`24`	`24`	`{`
`25`		`- passkeys: [nil, :options_for_get, :options_for_create],`
	`25`	`+ passkeys: [nil],`
`26`	`26`	`passkey: [nil, :new],`
	`27`	`+ passkeys_authentication_options: [nil],`
	`28`	`+ passkeys_registration_options: [nil],`
`27`	`29`	`two_factor_authentication: [nil, :new],`
`28`	`30`	`second_factor_webauthn_credentials: [nil, :options_for_get, :options_for_create],`
`29`	`31`	`second_factor_webauthn_credential: [nil, :new]`