feat(auth): add WebAuthn MFA credentials (#1628)

* feat(auth): add WebAuthn MFA credentials * fix(auth): harden WebAuthn MFA review paths * fix(auth): polish WebAuthn error handling * fix(auth): handle duplicate WebAuthn credential races * fix(auth): permit WebAuthn credential params * fix(auth): trim WebAuthn registration controller cleanup * fix(auth): tighten WebAuthn MFA handling * fix(auth): pin WebAuthn relying party config
2026-05-08 13:14:58 +00:00 · 2026-05-03 14:13:28 -06:00
parent faf31b9c91
commit 911aa34ba9
29 changed files with 1117 additions and 10 deletions
--- a/app/javascript/controllers/webauthn_registration_controller.js
+++ b/app/javascript/controllers/webauthn_registration_controller.js
@@ -0,0 +1,67 @@
+import WebauthnController from "controllers/webauthn_controller";
+import {
+  prepareCredentialCreationOptions,
+  serializePublicKeyCredential,
+} from "utils/webauthn";
+
+export default class extends WebauthnController {
+  static targets = ["error", "nickname"];
+  static values = {
+    optionsUrl: String,
+    createUrl: String,
+    unsupportedMessage: String,
+    errorFallback: String,
+  };
+
+  async register(event) {
+    event.preventDefault();
+    this.clearError();
+
+    if (!window.PublicKeyCredential) {
+      this.showError(this.unsupportedMessageValue);
+      return;
+    }
+
+    try {
+      const options = await this.fetchOptions();
+      const credential = await navigator.credentials.create({
+        publicKey: prepareCredentialCreationOptions(options),
+      });
+
+      await this.createCredential(serializePublicKeyCredential(credential));
+    } catch (error) {
+      this.showError(error.message);
+    }
+  }
+
+  async fetchOptions() {
+    const response = await fetch(this.optionsUrlValue, {
+      method: "POST",
+      headers: this.headers,
+      credentials: "same-origin",
+    });
+
+    if (!response.ok) throw new Error(await this.errorMessage(response));
+
+    return response.json();
+  }
+
+  async createCredential(credential) {
+    const response = await fetch(this.createUrlValue, {
+      method: "POST",
+      headers: this.headers,
+      credentials: "same-origin",
+      body: JSON.stringify({
+        credential,
+        webauthn_credential: {
+          nickname: this.hasNicknameTarget ? this.nicknameTarget.value : "",
+        },
+      }),
+    });
+
+    if (!response.ok) throw new Error(await this.errorMessage(response));
+
+    const result = await response.json();
+    window.location.href = result.redirect_url;
+  }
+}