Form helpers should not be the ones storing the challenge in the session (#73)

* feat: migrate to use options_for_get

* feat: migrate to use options_for_create

* fix: rubocop offenses

* test: call new endpoints to set the challenge in the session

* test: options_for_get and options_for_create endpoints

* test: set authentication factors

* chore: fetch options endpoints from javascript

* fix: ensure an authenticated user when upgrading security key

* style(rubocop): disable `Metrics/ModuleLength` cop

* test: assert current paths

* feat: follow REST standard for getting passkey options

* feat: follow REST standard for getting security key options

* chore: scope options controllers under passkey and security_key

* test: set the options in the session

* chore: allow generating new controllers

* chore: revert scoping controllers

* docs: update CHANGELOG

---------

Co-authored-by: Joaquin Tomas <joaquintomas2003@gmail.com>

Author: nicolastemciuc

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Changed
+
+- Options for getting or creating passkeys and security keys are now served by dedicated Rails controllers and retrieved via JavaScript fetch requests. [#73](https://github.com/cedarcode/devise-webauthn/pull/73) [@nicolastemciuc]
+
 ## [v0.3.0](https://github.com/cedarcode/devise-webauthn/compare/v0.2.2...v0.3.0/) - 2026-01-16
 
 ### Added

app/assets/javascript/devise/webauthn.js

@@ -20,8 +20,8 @@ export class WebauthnCreateElement extends HTMLElement {
       event.preventDefault();
 
       try {
-        const options = JSON.parse(this.getAttribute('data-options-json'));
-        const publicKey = PublicKeyCredential.parseCreationOptionsFromJSON(options);
+        const response = await fetch(this.getAttribute('data-options-url'));
+        const publicKey = PublicKeyCredential.parseCreationOptionsFromJSON(await response.json());
         const credential = await navigator.credentials.create({ publicKey });
 
         this.querySelector('[data-webauthn-target="response"]').value = await this.stringifyRegistrationCredentialWithGracefullyHandlingAuthenticatorIssues(credential);
@@ -101,8 +101,8 @@ export class WebauthnGetElement extends HTMLElement {
       event.preventDefault();
 
       try {
-        const options = JSON.parse(this.getAttribute('data-options-json'));
-        const publicKey = PublicKeyCredential.parseRequestOptionsFromJSON(options);
+        const response = await fetch(this.getAttribute('data-options-url'));
+        const publicKey = PublicKeyCredential.parseRequestOptionsFromJSON(await response.json());
         const credential = await navigator.credentials.get({ publicKey });
 
         this.querySelector('[data-webauthn-target="response"]').value = await this.stringifyAuthenticationCredentialWithGracefullyHandlingAuthenticatorIssues(credential);

app/controllers/devise/passkey_authentication_options_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeyAuthenticationOptionsController < DeviseController
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_get(
+          user_verification: "required"
+        )
+
+      # Store challenge in session for later verification
+      session[:authentication_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+  end
+end

app/controllers/devise/passkey_registration_options_controller.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeyRegistrationOptionsController < DeviseController
+    before_action :authenticate_scope!
+
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_create(
+          user: {
+            id: resource.webauthn_id,
+            name: resource_human_palatable_identifier
+          },
+          exclude: resource.passkeys.pluck(:external_id),
+          authenticator_selection: {
+            resident_key: "required",
+            user_verification: "required"
+          }
+        )
+
+      # Store challenge in session for later verification
+      session[:webauthn_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+
+    private
+
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!", force: true)
+      self.resource = send(:"current_#{resource_name}")
+    end
+
+    def resource_human_palatable_identifier
+      authentication_keys = resource.class.authentication_keys
+      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
+
+      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
+    end
+  end
+end

app/controllers/devise/security_key_authentication_options_controller.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecurityKeyAuthenticationOptionsController < DeviseController
+    before_action :set_resource
+
+    def index
+      security_key_authentication_options =
+        WebAuthn::Credential.options_for_get(
+          allow: @resource.webauthn_credentials.pluck(:external_id),
+          user_verification: "discouraged"
+        )
+
+      # Store challenge in session for later verification
+      session[:two_factor_authentication_challenge] = security_key_authentication_options.challenge
+
+      render json: security_key_authentication_options
+    end
+
+    private
+
+    def set_resource
+      @resource = resource_class.find(session[:current_authentication_resource_id])
+    end
+  end
+end

app/controllers/devise/security_key_registration_options_controller.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecurityKeyRegistrationOptionsController < DeviseController
+    before_action :authenticate_scope!
+
+    def index
+      create_security_key_options =
+        WebAuthn::Credential.options_for_create(
+          user: {
+            id: resource.webauthn_id,
+            name: resource_human_palatable_identifier
+          },
+          exclude: resource.webauthn_credentials.pluck(:external_id),
+          authenticator_selection: {
+            resident_key: "discouraged",
+            user_verification: "discouraged"
+          }
+        )
+
+      # Store challenge in session for later verification
+      session[:webauthn_challenge] = create_security_key_options.challenge
+
+      render json: create_security_key_options
+    end
+
+    private
+
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!", force: true)
+      self.resource = send(:"current_#{resource_name}")
+    end
+
+    def resource_human_palatable_identifier
+      authentication_keys = resource.class.authentication_keys
+      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
+
+      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
+    end
+  end
+end

lib/devise/webauthn/helpers/credentials_helper.rb

@@ -10,7 +10,7 @@ def passkey_creation_form_for(resource, form_classes: nil, &block)
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_create(data: { options_json: create_passkey_options(resource) }) do
+          tag.webauthn_create(data: { options_url: passkey_registration_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
@@ -23,7 +23,7 @@ def login_with_passkey_button(text = nil, session_path:, button_classes: nil, fo
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_get(data: { options_json: passkey_authentication_options }) do
+          tag.webauthn_get(data: { options_url: passkey_authentication_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
 
             concat f.button(text, type: "submit", class: button_classes, &block)
@@ -37,7 +37,9 @@ def security_key_creation_form_for(resource, form_classes: nil, &block)
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_create(data: { options_json: create_security_key_options(resource) }) do
+          tag.webauthn_create(
+            data: { options_url: security_key_registration_options_path(resource) }
+          ) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
@@ -50,7 +52,7 @@ def login_with_security_key_button(text = nil, resource:, button_classes: nil, f
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_get(data: { options_json: security_key_authentication_options(resource) }) do
+          tag.webauthn_get(data: { options_url: security_key_authentication_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat f.button(text, type: "submit", class: button_classes, &block)
           end

lib/devise/webauthn/routes.rb

@@ -7,6 +7,10 @@ class Mapper
 
       def devise_passkey_authentication(_mapping, controllers)
         resources :passkeys, only: %i[new create destroy], controller: controllers[:passkeys]
+
+        resources :passkey_authentication_options, only: :index,
+                                                   controller: controllers[:passkey_authentication_options]
+        resources :passkey_registration_options, only: :index, controller: controllers[:passkey_registration_options]
       end
 
       def devise_two_factor_authentication(_mapping, controllers)
@@ -17,6 +21,11 @@ def devise_two_factor_authentication(_mapping, controllers)
         resources :second_factor_webauthn_credentials,
                   only: %i[new create update destroy],
                   controller: controllers[:second_factor_webauthn_credentials]
+
+        resources :security_key_authentication_options, only: %i[index],
+                                                        controller: controllers[:security_key_authentication_options]
+        resources :security_key_registration_options, only: %i[index],
+                                                      controller: controllers[:security_key_registration_options]
       end
     end
   end

lib/devise/webauthn/url_helpers.rb

@@ -24,9 +24,13 @@ module UrlHelpers
       {
         passkeys: [nil],
         passkey: [nil, :new],
+        passkey_authentication_options: [nil],
+        passkey_registration_options: [nil],
         two_factor_authentication: [nil, :new],
         second_factor_webauthn_credentials: [nil],
-        second_factor_webauthn_credential: [nil, :new]
+        second_factor_webauthn_credential: [nil, :new],
+        security_key_authentication_options: [nil],
+        security_key_registration_options: [nil]
       }.each do |route, actions|
         %i[path url].each do |path_or_url|
           actions.each do |action|

lib/generators/devise/webauthn/controllers_generator.rb

@@ -9,6 +9,10 @@ class ControllersGenerator < Rails::Generators::Base
         passkeys
         second_factor_webauthn_credentials
         two_factor_authentications
+        passkey_authentication_options
+        passkey_registration_options
+        security_key_authentication_options
+        security_key_registration_options
       ].freeze
 
       desc "Create inherited Devise::Webauthn controllers in your app/controllers folder."