refactor(examples): drop related origins from ceremony examples, add dedicated webauthn_related_origins_hid

Author: AlfioEmanueleFresta

README.md

@@ -70,15 +70,15 @@ WebAuthn examples consume and emit JSON per the [WebAuthn IDL][webauthn].
 
 | Transport                        | FIDO U2F                                                                                                                 | WebAuthn (FIDO2) [^ro]                                                                                                                                                          |
 | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **USB (HID)**                    | `cargo run --example u2f_hid`                                                                                            | `cargo run --features reqwest-related-origins-source --example webauthn_hid`                                                                                                            |
-| **Bluetooth (BLE)**              | `cargo run --example u2f_ble`                                                                                            | `cargo run --features reqwest-related-origins-source --example webauthn_ble`                                                                                                            |
-| **NFC** [^nfc]                   | `cargo run --features nfc-backend-pcsc --example u2f_nfc`<br>`cargo run --features nfc-backend-libnfc --example u2f_nfc` | `cargo run --features nfc-backend-pcsc,reqwest-related-origins-source --example webauthn_nfc`<br>`cargo run --features nfc-backend-libnfc,reqwest-related-origins-source --example webauthn_nfc` |
-| **Hybrid (caBLE v2 + CTAP 2.3)** | —                                                                                                                        | `cargo run --features reqwest-related-origins-source --example webauthn_cable`                                                                                                          |
-| **Hybrid (caBLE v2)**            | —                                                                                                                        | `cargo run --features reqwest-related-origins-source --example webauthn_cable_wss`                                                                                                      |
+| **USB (HID)**                    | `cargo run --example u2f_hid`                                                                                            | `cargo run --example webauthn_hid`                                                                                                            |
+| **Bluetooth (BLE)**              | `cargo run --example u2f_ble`                                                                                            | `cargo run --example webauthn_ble`                                                                                                            |
+| **NFC** [^nfc]                   | `cargo run --features nfc-backend-pcsc --example u2f_nfc`<br>`cargo run --features nfc-backend-libnfc --example u2f_nfc` | `cargo run --features nfc-backend-pcsc --example webauthn_nfc`<br>`cargo run --features nfc-backend-libnfc --example webauthn_nfc` |
+| **Hybrid (caBLE v2 + CTAP 2.3)** | —                                                                                                                        | `cargo run --example webauthn_cable`                                                                                                          |
+| **Hybrid (caBLE v2)**            | —                                                                                                                        | `cargo run --example webauthn_cable_wss`                                                                                                      |
 
 [^nfc]: `nfc-backend-pcsc` is pure userspace and recommended on most systems. `nfc-backend-libnfc` requires the `libnfc` system library. Both can be enabled together; the first FIDO device found by either backend is used.
 
-[^ro]: The WebAuthn ceremony examples wire up the bundled reqwest-backed [related-origins](https://www.w3.org/TR/webauthn-3/#sctn-related-origins) source, which lives behind the optional `reqwest-related-origins-source` feature. Consumers that already ship their own HTTP stack can implement `HttpClient` or `RelatedOriginsSource` directly and omit the feature.
+[^ro]: The ceremony examples run with related origins disabled (they are same-origin, so it never applies). The bundled reqwest-backed [related-origins](https://www.w3.org/TR/webauthn-3/#sctn-related-origins) source is shown in the `webauthn_related_origins_hid` example below, behind the optional `reqwest-related-origins-source` feature. Consumers that ship their own HTTP stack can implement `HttpClient` or `RelatedOriginsSource` directly.
 
 Additional HID-only examples cover specific FIDO2 features and authenticator management:
 
@@ -90,6 +90,9 @@ $ cargo run --example webauthn_prf_hid
 $ cargo run --example prf_replay -- CREDENTIAL_ID FIRST_PRF_INPUT
 $ cargo run --example device_selection_hid
 
+# Related origins (reqwest-backed well-known fetch)
+$ cargo run --features reqwest-related-origins-source --example webauthn_related_origins_hid
+
 # CTAP2 authenticator management
 $ cargo run --example change_pin_hid
 $ cargo run --example bio_enrollment_hid

libwebauthn/Cargo.toml

@@ -142,27 +142,23 @@ required-features = ["nfc"]
 [[example]]
 name = "webauthn_hid"
 path = "examples/ceremony/webauthn_hid.rs"
-required-features = ["reqwest-related-origins-source"]
 
 [[example]]
 name = "webauthn_ble"
 path = "examples/ceremony/webauthn_ble.rs"
-required-features = ["reqwest-related-origins-source"]
 
 [[example]]
 name = "webauthn_nfc"
 path = "examples/ceremony/webauthn_nfc.rs"
-required-features = ["nfc", "reqwest-related-origins-source"]
+required-features = ["nfc"]
 
 [[example]]
 name = "webauthn_cable"
 path = "examples/ceremony/webauthn_cable.rs"
-required-features = ["reqwest-related-origins-source"]
 
 [[example]]
 name = "webauthn_cable_wss"
 path = "examples/ceremony/webauthn_cable_wss.rs"
-required-features = ["reqwest-related-origins-source"]
 
 [[example]]
 name = "webauthn_extensions_hid"
@@ -176,6 +172,11 @@ path = "examples/features/webauthn_preflight_hid.rs"
 name = "webauthn_prf_hid"
 path = "examples/features/webauthn_prf_hid.rs"
 
+[[example]]
+name = "webauthn_related_origins_hid"
+path = "examples/features/webauthn_related_origins_hid.rs"
+required-features = ["reqwest-related-origins-source"]
+
 [[example]]
 name = "prf_replay"
 path = "examples/features/prf_replay.rs"

libwebauthn/examples/ceremony/webauthn_ble.rs

@@ -2,8 +2,7 @@ use std::error::Error;
 
 use libwebauthn::ops::webauthn::{
     DatFilePublicSuffixList, GetAssertionRequest, JsonFormat, MakeCredentialRequest,
-    MaxRegistrableLabels, OriginValidation, RelatedOrigins, RequestOrigin, RequestSettings,
-    ReqwestRelatedOriginsSource, WebAuthnIDLResponse as _,
+    OriginValidation, RelatedOrigins, RequestOrigin, RequestSettings, WebAuthnIDLResponse as _,
 };
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
 use libwebauthn::transport::ble::list_devices;
@@ -53,14 +52,10 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                     "attestation": "none"
                 }
                 "#;
-        let related_origins = ReqwestRelatedOriginsSource::new()?;
         let settings = RequestSettings {
             origin: OriginValidation::Validate {
                 public_suffix_list: &psl,
-                related_origins: RelatedOrigins::Enabled {
-                    source: &related_origins,
-                    max_labels: MaxRegistrableLabels::default(),
-                },
+                related_origins: RelatedOrigins::Disabled,
             },
         };
         let make_credentials_request: MakeCredentialRequest =

libwebauthn/examples/ceremony/webauthn_cable.rs

@@ -11,9 +11,8 @@ use qrcode::render::unicode;
 use qrcode::QrCode;
 
 use libwebauthn::ops::webauthn::{
-    DatFilePublicSuffixList, JsonFormat, MakeCredentialRequest, MaxRegistrableLabels,
-    OriginValidation, RelatedOrigins, RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource,
-    WebAuthnIDLResponse as _,
+    DatFilePublicSuffixList, JsonFormat, MakeCredentialRequest, OriginValidation, RelatedOrigins,
+    RequestOrigin, RequestSettings, WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::{Channel as _, Device};
 use libwebauthn::webauthn::WebAuthn;
@@ -59,14 +58,10 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let psl = DatFilePublicSuffixList::from_system_file().expect(
         "PSL not available; install the publicsuffix-list package or pass an explicit path",
     );
-    let related_origins = ReqwestRelatedOriginsSource::new()?;
     let settings = RequestSettings {
         origin: OriginValidation::Validate {
             public_suffix_list: &psl,
-            related_origins: RelatedOrigins::Enabled {
-                source: &related_origins,
-                max_labels: MaxRegistrableLabels::default(),
-            },
+            related_origins: RelatedOrigins::Disabled,
         },
     };
 

libwebauthn/examples/ceremony/webauthn_hid.rs

@@ -2,9 +2,8 @@ use std::error::Error;
 use std::time::Duration;
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, MaxRegistrableLabels, OriginValidation,
-    RelatedOrigins, RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource,
-    SystemPublicSuffixList, WebAuthnIDLResponse as _,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, OriginValidation, RelatedOrigins,
+    RequestOrigin, RequestSettings, SystemPublicSuffixList, WebAuthnIDLResponse as _,
 };
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
 use libwebauthn::transport::hid::list_devices;
@@ -33,14 +32,10 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         let psl = SystemPublicSuffixList::auto().expect(
             "PSL not available; install the publicsuffix-list (or publicsuffix-list-dafsa) package, or pass an explicit path",
         );
-        let related_origins = ReqwestRelatedOriginsSource::new()?;
         let settings = RequestSettings {
             origin: OriginValidation::Validate {
                 public_suffix_list: &psl,
-                related_origins: RelatedOrigins::Enabled {
-                    source: &related_origins,
-                    max_labels: MaxRegistrableLabels::default(),
-                },
+                related_origins: RelatedOrigins::Disabled,
             },
         };
         let request_json = r#"

libwebauthn/examples/ceremony/webauthn_nfc.rs

@@ -1,9 +1,8 @@
 use std::error::Error;
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, MaxRegistrableLabels, OriginValidation,
-    RelatedOrigins, RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource,
-    SystemPublicSuffixList, WebAuthnIDLResponse as _,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, OriginValidation, RelatedOrigins,
+    RequestOrigin, RequestSettings, SystemPublicSuffixList, WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::nfc::{get_nfc_device, is_nfc_available};
 use libwebauthn::transport::{Channel as _, Device};
@@ -31,14 +30,10 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let psl = SystemPublicSuffixList::auto().expect(
         "PSL not available; install the publicsuffix-list (or publicsuffix-list-dafsa) package, or pass an explicit path",
     );
-    let related_origins = ReqwestRelatedOriginsSource::new()?;
     let settings = RequestSettings {
         origin: OriginValidation::Validate {
             public_suffix_list: &psl,
-            related_origins: RelatedOrigins::Enabled {
-                source: &related_origins,
-                max_labels: MaxRegistrableLabels::default(),
-            },
+            related_origins: RelatedOrigins::Disabled,
         },
     };
     let make_credentials_request = MakeCredentialRequest::prepare(

libwebauthn/examples/features/webauthn_related_origins_hid.rs

@@ -0,0 +1,85 @@
+//! HID make-credential with related origins enabled.
+//!
+//! The bundled reqwest-backed [`ReqwestRelatedOriginsSource`] fetches
+//! `https://<rp.id>/.well-known/webauthn` when the request's rp.id is not a
+//! registrable suffix of the caller origin. This demo is same-origin
+//! (`example.org`), so the source is wired but the fetch is not triggered. It
+//! fires when rp.id and the origin sit on different registrable domains, with
+//! the RP listing the caller origin in its well-known document.
+
+use std::error::Error;
+use std::time::Duration;
+
+use libwebauthn::ops::webauthn::{
+    JsonFormat, MakeCredentialRequest, MaxRegistrableLabels, OriginValidation, RelatedOrigins,
+    RequestOrigin, RequestSettings, ReqwestRelatedOriginsSource, SystemPublicSuffixList,
+    WebAuthnIDLResponse as _,
+};
+use libwebauthn::transport::hid::list_devices;
+use libwebauthn::transport::{Channel as _, Device};
+use libwebauthn::webauthn::WebAuthn;
+
+#[path = "../common/mod.rs"]
+mod common;
+
+const TIMEOUT: Duration = Duration::from_secs(10);
+
+#[tokio::main]
+pub async fn main() -> Result<(), Box<dyn Error>> {
+    common::setup_logging();
+
+    let devices = list_devices().await.unwrap();
+    println!("Devices found: {:?}", devices);
+
+    for mut device in devices {
+        println!("Selected HID authenticator: {}", &device);
+        let mut channel = device.channel().await?;
+        channel.wink(TIMEOUT).await?;
+
+        let request_origin: RequestOrigin =
+            "https://example.org".try_into().expect("Invalid origin");
+        let psl = SystemPublicSuffixList::auto().expect(
+            "PSL not available; install the publicsuffix-list (or publicsuffix-list-dafsa) package, or pass an explicit path",
+        );
+        let related_origins = ReqwestRelatedOriginsSource::new()?;
+        let settings = RequestSettings {
+            origin: OriginValidation::Validate {
+                public_suffix_list: &psl,
+                related_origins: RelatedOrigins::Enabled {
+                    source: &related_origins,
+                    max_labels: MaxRegistrableLabels::default(),
+                },
+            },
+        };
+        let request_json = r#"
+            {
+                "rp": { "id": "example.org", "name": "Example Relying Party" },
+                "user": {
+                    "id": "MTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2Nzg",
+                    "name": "alice",
+                    "displayName": "Alice"
+                },
+                "challenge": "MTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2Nzg",
+                "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
+                "timeout": 60000,
+                "excludeCredentials": [],
+                "authenticatorSelection": { "residentKey": "discouraged", "userVerification": "preferred" },
+                "attestation": "none"
+            }
+            "#;
+        let request = MakeCredentialRequest::prepare(&request_origin, request_json, &settings)
+            .await
+            .expect("Failed to parse request JSON");
+
+        let state_recv = channel.get_ux_update_receiver();
+        tokio::spawn(common::handle_uv_updates(state_recv));
+
+        let response = retry_user_errors!(channel.webauthn_make_credential(&request)).unwrap();
+        let response_json = response
+            .to_json_string(&request, JsonFormat::Prettified)
+            .expect("Failed to serialize MakeCredential response");
+        println!("WebAuthn MakeCredential response (JSON):\n{response_json}");
+    }
+
+    Ok(())
+}