Class: Booth::Core::Webauth::OptionsForCreate

Inherits:
Object
Includes:
Logging, Calls
Defined in:
lib/booth/core/webauth/options_for_create.rb



#call ⇒ Object



# File 'lib/booth/core/webauth/options_for_create.rb', line 15

# Builds the WebAuthn *registration* (navigator.credentials.create) options
# for the current request.
#
# Returns a Tron result:
# - failure(:missing_relying_party) with nil challenge/as_json/relying_party_id
#   when no relying party can be resolved for the request host;
# - success(:webauthn_options_for_create) carrying the challenge, the
#   JSON-serialisable options for the browser and the relying party id.
#
# NOTE(review): the challenge returned here is only useful if the caller
# persists it server-side and compares it during verification -- that
# bookkeeping is not visible in this class, confirm it happens.
def call
  if relying_party.nil?
    # `request.host` is derived from the Host header, which is attacker
    # influenced unless host authorization is enforced upstream; it is only
    # interpolated into a log line here, never parsed or trusted.
    log { "Could not resolve relying party for #{request.host}" }
    return Tron.failure(:missing_relying_party, challenge: nil, as_json: nil,
                                                relying_party_id: nil)
  end

  # The user entity the authenticator/browser shows during the ceremony.
  user_entity = {
    id: webauthn_id,
    name: username,
    # Some browsers additionally honour `display_name: "..."`.
  }

  # Require user *verification* (PIN/biometric), not mere presence: these
  # credentials are meant to work as a complete passwordless factor.
  selection = { user_verification: :required }

  creation_options = ::WebAuthn::Credential.options_for_create(
    user: user_entity,
    # 'direct' asks the authenticator for its full attestation statement
    # (including the attestation certificate). This reveals the device
    # model/batch to us, so the verification step is assumed to actually
    # validate the statement -- otherwise the privacy cost buys nothing.
    attestation: 'direct',
    authenticator_selection: selection,
    relying_party:,
    # Listing already-registered credentials stops the same authenticator
    # from being enrolled twice. Trade-off: after a factory reset the device
    # still matches its orphaned record and cannot re-register until the
    # user deletes that orphan first, which is an acceptable cost.
    exclude: device_ids_to_exclude,
  )

  Tron.success(:webauthn_options_for_create,
               challenge: creation_options.challenge,
               as_json: creation_options.as_json,
               relying_party_id: creation_options.relying_party&.id)
end