Form helpers should not be the ones storing the challenge in the session

app/assets/javascript/devise/webauthn.js

@@ -20,8 +20,8 @@ export class WebauthnCreateElement extends HTMLElement {
       event.preventDefault();
 
       try {
-        const options = JSON.parse(this.getAttribute('data-options-json'));
-        const publicKey = PublicKeyCredential.parseCreationOptionsFromJSON(options);
+        const response = await fetch(this.getAttribute('data-options-url'));
+        const publicKey = PublicKeyCredential.parseCreationOptionsFromJSON(await response.json());
         const credential = await navigator.credentials.create({ publicKey });
 
         this.querySelector('[data-webauthn-target="response"]').value = await this.stringifyRegistrationCredentialWithGracefullyHandlingAuthenticatorIssues(credential);
@@ -101,8 +101,8 @@ export class WebauthnGetElement extends HTMLElement {
       event.preventDefault();
 
       try {
-        const options = JSON.parse(this.getAttribute('data-options-json'));
-        const publicKey = PublicKeyCredential.parseRequestOptionsFromJSON(options);
+        const response = await fetch(this.getAttribute('data-options-url'));
+        const publicKey = PublicKeyCredential.parseRequestOptionsFromJSON(await response.json());
         const credential = await navigator.credentials.get({ publicKey });
 
         this.querySelector('[data-webauthn-target="response"]').value = await this.stringifyAuthenticationCredentialWithGracefullyHandlingAuthenticatorIssues(credential);

app/controllers/devise/passkey_authentication_options_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeyAuthenticationOptionsController < DeviseController
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_get(
+          user_verification: "required"
+        )
+
+      # Store challenge in session for later verification
+      session[:authentication_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+  end
+end

app/controllers/devise/passkey_registration_options_controller.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Devise
+  class PasskeyRegistrationOptionsController < DeviseController
+    before_action :authenticate_scope!
+
+    def index
+      passkey_options =
+        WebAuthn::Credential.options_for_create(
+          user: {
+            id: resource.webauthn_id,
+            name: resource_human_palatable_identifier
+          },
+          exclude: resource.passkeys.pluck(:external_id),
+          authenticator_selection: {
+            resident_key: "required",
+            user_verification: "required"
+          }
+        )
+
+      # Store challenge in session for later verification
+      session[:webauthn_challenge] = passkey_options.challenge
+
+      render json: passkey_options
+    end
+
+    private
+
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!", force: true)
+      self.resource = send(:"current_#{resource_name}")
+    end
+
+    def resource_human_palatable_identifier
+      authentication_keys = resource.class.authentication_keys
+      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
+
+      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
+    end
+  end
+end

app/controllers/devise/security_key_authentication_options_controller.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecurityKeyAuthenticationOptionsController < DeviseController
+    before_action :set_resource
+
+    def index
+      security_key_authentication_options =
+        WebAuthn::Credential.options_for_get(
+          allow: @resource.webauthn_credentials.pluck(:external_id),
+          user_verification: "discouraged"
+        )
+
+      # Store challenge in session for later verification
+      session[:two_factor_authentication_challenge] = security_key_authentication_options.challenge
+
+      render json: security_key_authentication_options
+    end
+
+    private
+
+    def set_resource
+      @resource = resource_class.find(session[:current_authentication_resource_id])
+    end
+  end
+end

app/controllers/devise/security_key_registration_options_controller.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecurityKeyRegistrationOptionsController < DeviseController
+    before_action :authenticate_scope!
+
+    def index
+      create_security_key_options =
+        WebAuthn::Credential.options_for_create(
+          user: {
+            id: resource.webauthn_id,
+            name: resource_human_palatable_identifier
+          },
+          exclude: resource.webauthn_credentials.pluck(:external_id),
+          authenticator_selection: {
+            resident_key: "discouraged",
+            user_verification: "discouraged"
+          }
+        )
+
+      # Store challenge in session for later verification
+      session[:webauthn_challenge] = create_security_key_options.challenge
+
+      render json: create_security_key_options
+    end
+
+    private
+
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!", force: true)
+      self.resource = send(:"current_#{resource_name}")
+    end
+
+    def resource_human_palatable_identifier
+      authentication_keys = resource.class.authentication_keys
+      authentication_keys = authentication_keys.keys if authentication_keys.is_a?(Hash)
+
+      authentication_keys.filter_map { |authentication_key| resource.public_send(authentication_key) }.first
+    end
+  end
+end

lib/devise/webauthn/helpers/credentials_helper.rb

@@ -10,7 +10,7 @@ def passkey_creation_form_for(resource, form_classes: nil, &block)
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_create(data: { options_json: create_passkey_options(resource) }) do
+          tag.webauthn_create(data: { options_url: passkey_registration_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
@@ -23,7 +23,7 @@ def login_with_passkey_button(text = nil, session_path:, button_classes: nil, fo
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_get(data: { options_json: passkey_authentication_options }) do
+          tag.webauthn_get(data: { options_url: passkey_authentication_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
 
             concat f.button(text, type: "submit", class: button_classes, &block)
@@ -37,7 +37,9 @@ def security_key_creation_form_for(resource, form_classes: nil, &block)
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_create(data: { options_json: create_security_key_options(resource) }) do
+          tag.webauthn_create(
+            data: { options_url: security_key_registration_options_path(resource) }
+          ) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
@@ -50,7 +52,7 @@ def login_with_security_key_button(text = nil, resource:, button_classes: nil, f
           method: :post,
           class: form_classes
         ) do |f|
-          tag.webauthn_get(data: { options_json: security_key_authentication_options(resource) }) do
+          tag.webauthn_get(data: { options_url: security_key_authentication_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat f.button(text, type: "submit", class: button_classes, &block)
           end

lib/devise/webauthn/routes.rb

@@ -7,6 +7,10 @@ class Mapper
 
       def devise_passkey_authentication(_mapping, controllers)
         resources :passkeys, only: %i[new create destroy], controller: controllers[:passkeys]
+        resources :passkey_authentication_options, only: %i[index],
+                                                   controller: controllers[:passkey_authentication_options]
+        resources :passkey_registration_options, only: %i[index],
+                                                 controller: controllers[:passkey_registration_options]
       end
 
       def devise_two_factor_authentication(_mapping, controllers)
@@ -17,6 +21,10 @@ def devise_two_factor_authentication(_mapping, controllers)
         resources :second_factor_webauthn_credentials,
                   only: %i[new create update destroy],
                   controller: controllers[:second_factor_webauthn_credentials]
+        resources :security_key_authentication_options, only: %i[index],
+                                                        controller: controllers[:security_key_authentication_options]
+        resources :security_key_registration_options, only: %i[index],
+                                                      controller: controllers[:security_key_registration_options]
       end
     end
   end

lib/devise/webauthn/url_helpers.rb

@@ -24,9 +24,13 @@ module UrlHelpers
       {
         passkeys: [nil],
         passkey: [nil, :new],
+        passkey_authentication_options: [nil],
+        passkey_registration_options: [nil],
         two_factor_authentication: [nil, :new],
         second_factor_webauthn_credentials: [nil],
-        second_factor_webauthn_credential: [nil, :new]
+        second_factor_webauthn_credential: [nil, :new],
+        security_key_authentication_options: [nil],
+        security_key_registration_options: [nil]
       }.each do |route, actions|
         %i[path url].each do |path_or_url|
           actions.each do |action|

lib/generators/devise/webauthn/templates/controllers/passkey_authentication_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>PasskeyAuthenticationOptionsController < Devise::PasskeyAuthenticationOptionsController
+  # GET /resource/passkey_authentication_options
+  # def index
+  #   super
+  # end
+end

lib/generators/devise/webauthn/templates/controllers/passkey_registration_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>PasskeyRegistrationOptionsController < Devise::PasskeyRegistrationOptionsController
+  # GET /resource/passkey_registration_options
+  # def index
+  #   super
+  # end
+end

lib/generators/devise/webauthn/templates/controllers/security_key_authentication_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>SecurityKeyAuthenticationOptionsController < Devise::SecurityKeyAuthenticationOptionsController
+  # GET /resource/security_key_authentication_options
+  # def index
+  #   super
+  # end
+end

lib/generators/devise/webauthn/templates/controllers/security_key_registration_options_controller.rb.tt

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class <%= @scope_prefix %>SecurityKeyRegistrationOptionsController < Devise::SecurityKeyRegistrationOptionsController
+  # GET /resource/securiy_key_registration_options
+  # def index
+  #   super
+  # end
+end

spec/requests/devise/passkey_authentication_options_controller_spec.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Devise::PasskeyAuthenticationOptionsController, type: :request do
+  describe "GET #index" do
+    it "stores the challenge in session and returns it as json" do
+      get account_passkey_authentication_options_path
+
+      expect(response).to have_http_status(:ok)
+
+      json = response.parsed_body
+      expect(json["challenge"]).to be_present
+      expect(session[:authentication_challenge]).to eq(json["challenge"])
+    end
+
+    it "generates a new challenge on each request" do
+      get account_passkey_authentication_options_path
+      first_challenge = session[:authentication_challenge]
+
+      get account_passkey_authentication_options_path
+      second_challenge = session[:authentication_challenge]
+
+      expect(first_challenge).to be_present
+      expect(second_challenge).not_to eq(first_challenge)
+    end
+  end
+end

spec/requests/devise/passkey_registration_options_controller_spec.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Devise::PasskeyRegistrationOptionsController, type: :request do
+  let(:user) { Account.create!(email: "test@example.com", password: "password123") }
+
+  describe "GET #index" do
+    context "when user is not authenticated" do
+      it "redirects to the sign-in page" do
+        get account_passkey_registration_options_path
+        expect(response).to redirect_to(new_account_session_path)
+      end
+    end
+
+    context "when user is authenticated" do
+      before do
+        sign_in user, scope: :account
+      end
+
+      it "returns webauthn create options as json and stores the challenge in session" do
+        get account_passkey_registration_options_path
+
+        expect(response).to have_http_status(:ok)
+
+        json = response.parsed_body
+        expect(json["challenge"]).to be_present
+
+        expect(session[:webauthn_challenge]).to eq(json["challenge"])
+      end
+
+      it "generates a new challenge on each request" do
+        get account_passkey_registration_options_path
+        first_challenge = session[:webauthn_challenge]
+
+        get account_passkey_registration_options_path
+        second_challenge = session[:webauthn_challenge]
+
+        expect(first_challenge).to be_present
+        expect(second_challenge).to be_present
+        expect(second_challenge).not_to eq(first_challenge)
+      end
+    end
+  end
+end

spec/requests/devise/passkeys_controller_spec.rb

@@ -31,7 +31,7 @@
     context "when user is authenticated" do
       before do
         sign_in user, scope: :account
-        get new_account_passkey_path # To set the challenge in session
+        get account_passkey_registration_options_path # To set the challenge in session
       end
 
       context "with valid parameters" do

spec/requests/devise/second_factor_webauthn_credentials_controller_spec.rb

@@ -41,7 +41,7 @@
     context "when user is authenticated" do
       before do
         sign_in user
-        get new_account_second_factor_webauthn_credential_path # To set the challenge in session
+        get account_security_key_registration_options_path # To set the challenge in session
       end
 
       context "with valid parameters" do

spec/requests/devise/security_key_authentication_options_controller_spec.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Devise::SecurityKeyAuthenticationOptionsController, type: :request do
+  let(:user) { Account.create!(email: "test@example.com", password: "password123") }
+
+  describe "GET #index" do
+    before do
+      user.passkeys.create!(
+        external_id: "external-id",
+        name: "My Passkey",
+        public_key: "public-key",
+        sign_count: 0
+      )
+
+      post account_session_path, params: {
+        account: {
+          email: user.email,
+          password: "password123"
+        }
+      }
+    end
+
+    it "returns authentication options and stores the challenge in the session" do
+      get account_security_key_authentication_options_path
+
+      expect(response).to have_http_status(:ok)
+
+      body = response.parsed_body
+      expect(body).to include("challenge")
+
+      expect(session[:two_factor_authentication_challenge]).to eq(body["challenge"])
+    end
+  end
+end