[6.x] Fix creating passkeys with JSON session serialization (#14448)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>

Author: 3 people

src/Auth/WebAuthn/WebAuthn.php

@@ -31,7 +31,7 @@ public function prepareAssertion(): PublicKeyCredentialRequestOptions
     {
         $challenge = random_bytes(32);
 
-        session()->put('webauthn.challenge', $challenge);
+        session()->put('webauthn.challenge', base64_encode($challenge));
 
         return $this->getRequestOptions($challenge);
     }
@@ -42,7 +42,7 @@ public function validateAssertion(User $user, array $credentials): bool
 
         $passkey = $this->getPasskey($user, $publicKeyCredential);
 
-        $options = $this->getRequestOptions(session()->pull('webauthn.challenge'));
+        $options = $this->getRequestOptions(base64_decode(session()->pull('webauthn.challenge')));
 
         $publicKeyCredentialSource = $this->assertionResponseValidator->check(
             $passkey->credential(),
@@ -79,7 +79,7 @@ public function prepareAttestation(User $user): PublicKeyCredentialCreationOptio
     {
         $challenge = random_bytes(16);
 
-        session()->put('webauthn.challenge', $challenge);
+        session()->put('webauthn.challenge', base64_encode($challenge));
 
         return $this->getCreationOptions($user, $challenge);
     }
@@ -92,7 +92,7 @@ public function validateAttestation(User $user, array $credentials, string $name
             throw new Exception(__('Invalid credentials.'));
         }
 
-        $options = $this->getCreationOptions($user, session()->pull('webauthn.challenge'));
+        $options = $this->getCreationOptions($user, base64_decode(session()->pull('webauthn.challenge')));
 
         $publicKeyCredentialSource = $this->attestationResponseValidator->check(
             $publicKeyCredential->response,

tests/Auth/WebAuthn/WebAuthnTest.php

@@ -56,7 +56,7 @@ public function it_prepares_assertion_with_challenge()
 
         $this->assertInstanceOf(PublicKeyCredentialRequestOptions::class, $options);
         $this->assertNotNull(session('webauthn.challenge'));
-        $this->assertEquals(32, strlen(session('webauthn.challenge')));
+        $this->assertEquals(32, strlen(base64_decode(session('webauthn.challenge'))));
         $this->assertEquals(PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_REQUIRED, $options->userVerification);
     }
 
@@ -84,11 +84,11 @@ public function it_stores_challenge_in_session()
         // Challenge should be stored in session for later verification
         $storedChallenge = session('webauthn.challenge');
         $this->assertNotNull($storedChallenge);
-        $this->assertEquals(32, strlen($storedChallenge));
+        $this->assertEquals(32, strlen(base64_decode($storedChallenge)));
 
         // The challenge in the options should be the same binary value
         // (base64url encoding happens during serialization, not in the object)
-        $this->assertEquals($storedChallenge, $options->challenge);
+        $this->assertEquals(base64_decode($storedChallenge), $options->challenge);
     }
 
     #[Test]
@@ -180,7 +180,7 @@ public function it_validates_assertion_successfully()
 
         $credentials = ['id' => 'credential-id', 'rawId' => 'raw-id', 'response' => [], 'type' => 'public-key'];
         $challenge = random_bytes(32);
-        session()->put('webauthn.challenge', $challenge);
+        session()->put('webauthn.challenge', base64_encode($challenge));
 
         // Create real objects
         $publicKeyCredential = new PublicKeyCredential(
@@ -219,6 +219,7 @@ public function it_validates_assertion_successfully()
         $this->mockAssertionValidator
             ->shouldReceive('check')
             ->once()
+            ->withArgs(fn ($credential, $response, $options) => $options->challenge === $challenge)
             ->andReturn($updatedCredentialSource);
 
         $result = $this->webauthn->validateAssertion($mockUser, $credentials);
@@ -234,7 +235,6 @@ public function it_throws_exception_when_no_matching_passkey()
         $user->save();
 
         $credentials = ['id' => 'credential-id', 'rawId' => 'raw-id', 'response' => [], 'type' => 'public-key'];
-        session()->put('webauthn.challenge', random_bytes(32));
 
         $publicKeyCredential = new PublicKeyCredential(
             'public-key',

tests/Feature/Auth/PasskeyLoginTest.php

@@ -65,9 +65,10 @@ public function it_stores_challenge_in_session_for_later_verification()
         // Verify the session has been populated
         $this->assertNotNull(session('webauthn.challenge'));
 
-        // The session challenge is the binary form (32 bytes)
+        // The session challenge is base64 encoded (32 bytes -> 44 chars)
         // The response challenge is the base64url encoded form
-        $this->assertEquals(32, strlen(session('webauthn.challenge')));
+        $this->assertEquals(44, strlen(session('webauthn.challenge')));
+        $this->assertEquals(32, strlen(base64_decode(session('webauthn.challenge'))));
         $this->assertIsString($responseChallenge);
     }
 

tests/Feature/Auth/StorePasskeyTest.php

@@ -69,7 +69,7 @@ public function it_stores_challenge_in_session_during_creation()
         $responseChallenge = $response->json('challenge');
 
         $this->assertNotNull(session('webauthn.challenge'));
-        $this->assertEquals(16, strlen(session('webauthn.challenge')));
+        $this->assertEquals(16, strlen(base64_decode(session('webauthn.challenge'))));
         $this->assertIsString($responseChallenge);
     }