{"id":13683391,"url":"https://github.com/cedarcode/webauthn-ruby","last_synced_at":"2025-11-11T20:01:08.545Z","repository":{"id":32473332,"uuid":"132816323","full_name":"cedarcode/webauthn-ruby","owner":"cedarcode","description":"WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party","archived":false,"fork":false,"pushed_at":"2025-10-31T16:07:02.000Z","size":1781,"stargazers_count":732,"open_issues_count":9,"forks_count":66,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-11-08T06:16:56.601Z","etag":null,"topics":["2fa","2fa-security","authentication","fido2","passkey","passkeys","passwordless","passwordless-login","relying-party","ruby","two-factor-authentication","web-authentication","webauthn","webauthn-library","webauthn-ruby","webauthn-server"],"latest_commit_sha":null,"homepage":"https://rubygems.org/gems/webauthn","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cedarcode.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-05-09T21:49:17.000Z","updated_at":"2025-11-06T16:20:49.000Z","dependencies_parsed_at":"2023-10-14T14:03:36.515Z","dependency_job_id":"ae01369c-1448-4361-a79f-c1e512b2aefe","html_url":"https://github.com/cedarcode/webauthn-ruby","commit_stats":{"total_commits":617,"total_committers":29,"mean_commits":"21.275862068965516","dds":0.3047001620745543,"last_synced_commit":"8b0c3b9d1baa80a
e2fd3fcb0bede6c0a14ddc316"},"previous_names":[],"tags_count":43,"template":false,"template_full_name":null,"purl":"pkg:github/cedarcode/webauthn-ruby","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Fwebauthn-ruby","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Fwebauthn-ruby/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Fwebauthn-ruby/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Fwebauthn-ruby/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cedarcode","download_url":"https://codeload.github.com/cedarcode/webauthn-ruby/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Fwebauthn-ruby/sbom","scorecard":{"id":270157,"data":{"date":"2025-08-11","repo":{"name":"github.com/cedarcode/webauthn-ruby","commit":"ad1b787a4ae51ac844002b854a37729f8b912565"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.8,"checks":[{"name":"Maintained","score":9,"reason":"11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":9,"reason":"Found 14/15 approved changesets -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found 
linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/git.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/cedarcode/webauthn-ruby/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/cedarcode/webauthn-ruby/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/cedarcode/webauthn-ruby/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/cedarcode/webauthn-ruby/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/git.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/cedarcode/webauthn-ruby/git.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/git.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/cedarcode/webauthn-ruby/git.yml/master?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies 
pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":5,"reason":"5 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-47m2-26rw-j2jw","Warn: Project is vulnerable to: GHSA-7wqh-767x-r66v","Warn: Project is vulnerable to: GHSA-8cgq-6mh2-7j6v","Warn: Project is vulnerable to: GHSA-gjh7-p2fx-99vx","Warn: Project is vulnerable 
to: GHSA-9j94-67jr-4cqj"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 29 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T13:08:50.230Z","repository_id":32473332,"created_at":"2025-08-17T13:08:50.231Z","updated_at":"2025-08-17T13:08:50.231Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":283831386,"owners_count":26902063,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-11T02:00:06.610Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","2fa-security","authentication","fido2","passkey","passkeys","passwordless","passwordless-login","relying-party","ruby","two-factor-authentication","web-authentication","webauthn","webauthn-library","webauthn-ruby","webauthn-server"],"created_at":"2024-08-02T13:02:09.604Z","updated_at":"2025-11-11T20:01:08.526Z","avatar_url":"https://github.com/cedarcode.png","language":"Ruby","readme":"# 
webauthn-ruby\n\n![banner](assets/webauthn-ruby.png)\n\n[![Gem](https://img.shields.io/gem/v/webauthn.svg?style=flat-square)](https://rubygems.org/gems/webauthn)\n[![Build](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/cedarcode/webauthn-ruby/actions/workflows/build.yml)\n[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-informational.svg?style=flat-square)](https://conventionalcommits.org)\n[![Join the chat at https://gitter.im/cedarcode/webauthn-ruby](https://badges.gitter.im/cedarcode/webauthn-ruby.svg)](https://gitter.im/cedarcode/webauthn-ruby?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n\n\u003e WebAuthn ruby server library\n\nMakes your Ruby/Rails web server become a functional [WebAuthn Relying Party](https://www.w3.org/TR/webauthn/#webauthn-relying-party).\n\nTakes care of the [server-side operations](https://www.w3.org/TR/webauthn/#rp-operations) needed to\n[register](https://www.w3.org/TR/webauthn/#registration) or [authenticate](https://www.w3.org/TR/webauthn/#authentication)\na user's [public key credential](https://www.w3.org/TR/webauthn/#public-key-credential) (also called a \"passkey\"), including the necessary cryptographic checks.\n\n## Table of Contents\n\n- [Security](#security)\n- [Background](#background)\n- [Prerequisites](#prerequisites)\n- [Install](#install)\n- [Usage](#usage)\n- [API](#api)\n- [Attestation Statement Formats](#attestation-statement-formats)\n- [Testing Your Integration](#testing-your-integration)\n- [Contributing](#contributing)\n- [License](#license)\n\n## Security\n\nPlease report security vulnerabilities to security@cedarcode.com.\n\n_More_: [SECURITY](SECURITY.md)\n\n## Background\n\n### What is WebAuthn?\n\nWebAuthn (Web Authentication) is a W3C standard for secure public-key authentication on the Web supported by all leading browsers and platforms.\n\n#### Good 
Intros\n\n- [Guide to Web Authentication](https://webauthn.guide) by Duo\n- [What is WebAuthn?](https://www.yubico.com/webauthn/) by Yubico\n\n#### In Depth\n\n- WebAuthn [W3C Recommendation](https://www.w3.org/TR/webauthn/) (i.e. \"The Standard\")\n- [Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API) in MDN\n- How to use WebAuthn in native [Android](https://developers.google.com/identity/fido/android/native-apps) or [macOS/iOS/iPadOS](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication) apps.\n- [Security Benefits for WebAuthn Servers (a.k.a Relying Parties)](https://www.w3.org/TR/webauthn/#sctn-rp-benefits)\n\n## Prerequisites\n\nThis ruby library will help your Ruby/Rails server act as a conforming [_Relying-Party_](https://www.w3.org/TR/webauthn/#relying-party), in WebAuthn terminology. But for the [_Registration_](https://www.w3.org/TR/webauthn/#registration) and [_Authentication_](https://www.w3.org/TR/webauthn/#authentication) ceremonies to fully work, you will also need to add two more pieces to the puzzle, a conforming [User Agent](https://www.w3.org/TR/webauthn/#conforming-user-agents) + [Authenticator](https://www.w3.org/TR/webauthn/#conforming-authenticators) pair.\n\nKnown conformant pairs are, for example:\n\n- Google Chrome for Android 70+ and Android's Fingerprint-based platform authenticator\n- Microsoft Edge and Windows 10 platform authenticator\n- Mozilla Firefox for Desktop and Yubico's Security Key roaming authenticator via USB\n- Safari in iOS 13.3+ and YubiKey 5 NFC via NFC\n\nFor a complete list:\n\n- User Agents (Clients): [Can I Use: Web Authentication API](https://caniuse.com/#search=webauthn)\n- Authenticators: [FIDO certified products](https://fidoalliance.org/certification/fido-certified-products) (search for Type=Authenticator and Specification=FIDO2)\n\n## Install\n\nAdd this line to your application's Gemfile:\n\n```ruby\ngem 
'webauthn'\n```\n\nAnd then execute:\n\n    $ bundle\n\nOr install it yourself as:\n\n    $ gem install webauthn\n\n## Usage\n\nYou can find a working example on how to use this gem in a password-less login in a __Rails__ app in [webauthn-rails-demo-app](https://github.com/cedarcode/webauthn-rails-demo-app). If you want to see an example on how to use this gem as a second factor authenticator in a __Rails__ application instead, you can check it in [webauthn-2fa-rails-demo](https://github.com/cedarcode/webauthn-2fa-rails-demo).\n\nIf you are migrating an existing application from the legacy FIDO U2F JavaScript API to WebAuthn, also refer to\n[`docs/u2f_migration.md`](docs/u2f_migration.md).\n\n### Configuration\n\nIf you have a multi-tenant application or just need to configure WebAuthn differently for separate parts of your application (e.g. if your users authenticate to different subdomains in the same application), we strongly recommend you look at this [Advanced Configuration](docs/advanced_configuration.md) section instead of this.\n\nFor a Rails application this would go in `config/initializers/webauthn.rb`.\n\n```ruby\nWebAuthn.configure do |config|\n  # This value needs to match `window.location.origin` evaluated by\n  # the User Agent during registration and authentication ceremonies.\n  # Multiple origins can be used when needed. Using more than one means you MUST configure rp_id explicitly. 
If you need your credentials to be bound to a single origin but you have more than one tenant, please see [our Advanced Configuration section](https://github.com/cedarcode/webauthn-ruby/blob/master/docs/advanced_configuration.md) instead of adding multiple origins.\n  config.allowed_origins = [\"https://auth.example.com\"]\n\n  # When operating within iframes or embedded contexts, you may need to restrict\n  # which top-level origins are permitted to host WebAuthn ceremonies.\n  #\n  # crossOrigin / topOrigin verification is DISABLED by default:\n  #   config.verify_cross_origin = false\n  #\n  # When `verify_cross_origin` is false, any `crossOrigin` / `topOrigin` values reported by the browser\n  #    are ignored. As a result, credentials created or used within a cross-origin iframe will be treated\n  #    as valid.\n  #\n  # When `verify_cross_origin` is true, you can either:\n  #\n  # (A) Allow only specific top-level origins to embed your ceremony\n  #     (each entry must match the browser-reported `topOrigin` during registration/authentication):\n  #\n  #     config.allowed_top_origins = [\"https://app.example.com\"]\n  #\n  # (B) Forbid ANY cross-origin iframe usage altogether\n  #     (this rejects creation/authentication whenever `crossOrigin` is true):\n  #\n  #     config.allowed_top_origins = []\n  #\n  # Note: if `verify_cross_origin` is not enabled, any values set in `allowed_top_origins`\n  # will be ignored.\n\n  # Relying Party name for display purposes\n  config.rp_name = \"Example Inc.\"\n\n  # Optionally configure a client timeout hint, in milliseconds.\n  # This hint specifies how long the browser should wait for any\n  # interaction with the user.\n  # This hint may be overridden by the browser.\n  # https://www.w3.org/TR/webauthn/#dom-publickeycredentialcreationoptions-timeout\n  # config.credential_options_timeout = 120_000\n\n  # You can optionally specify a different Relying Party ID\n  # 
(https://www.w3.org/TR/webauthn/#relying-party-identifier)\n  # if it differs from the default one.\n  #\n  # In this case the default would be \"auth.example.com\", but you can set it to\n  # the suffix \"example.com\"\n  #\n  # config.rp_id = \"example.com\"\n\n  # Configure preferred binary-to-text encoding scheme. This should match the encoding scheme\n  # used in your client-side (user agent) code before sending the credential to the server.\n  # Supported values: `:base64url` (default), `:base64` or `false` to disable all encoding.\n  #\n  # config.encoding = :base64url\n\n  # Possible values: \"ES256\", \"ES384\", \"ES512\", \"PS256\", \"PS384\", \"PS512\", \"RS256\", \"RS384\", \"RS512\", \"RS1\"\n  # Default: [\"ES256\", \"PS256\", \"RS256\"]\n  #\n  # config.algorithms \u003c\u003c \"ES384\"\nend\n```\n\n### Credential Registration\n\n\u003e The ceremony where a user, a Relying Party, and the user’s client (containing at least one authenticator) work in concert to create a public key credential and associate it with the user’s Relying Party account. 
Note that this includes employing a test of user presence or user verification.\n\u003e [[source](https://www.w3.org/TR/webauthn-2/#registration-ceremony)]\n\n#### Initiation phase\n\n```ruby\n# Generate and store the WebAuthn User ID the first time the user registers a credential\nif !user.webauthn_id\n  user.update!(webauthn_id: WebAuthn.generate_user_id)\nend\n\noptions = WebAuthn::Credential.options_for_create(\n  user: { id: user.webauthn_id, name: user.name },\n  exclude: user.credentials.map { |c| c.webauthn_id }\n)\n\n# Store the newly generated challenge somewhere so you can have it\n# for the verification phase.\nsession[:creation_challenge] = options.challenge\n\n# Send `options` back to the browser, so that they can be used\n# to call `navigator.credentials.create({ \"publicKey\": options })`\n#\n# You can call `options.as_json` to get a ruby hash with a JSON representation if needed.\n\n# If inside a Rails controller, `render json: options` will just work.\n# I.e. it will encode and convert the options to JSON automatically.\n\n# For your frontend code, you might find @github/webauthn-json npm package useful.\n# Especially for handling the necessary decoding of the options, and sending the\n# `PublicKeyCredential` object back to the server.\n```\n\n#### Verification phase\n\n```ruby\n# Assuming you're using @github/webauthn-json package to send the `PublicKeyCredential` object back\n# in params[:publicKeyCredential]:\nwebauthn_credential = WebAuthn::Credential.from_create(params[:publicKeyCredential])\n\nbegin\n  webauthn_credential.verify(session[:creation_challenge])\n\n  # Store Credential ID, Credential Public Key and Sign Count for future authentications\n  user.credentials.create!(\n    webauthn_id: webauthn_credential.id,\n    public_key: webauthn_credential.public_key,\n    sign_count: webauthn_credential.sign_count\n  )\nrescue WebAuthn::Error =\u003e e\n  # Handle error\nend\n```\n\n### Credential Authentication\n\n\u003e The ceremony where a 
user, and the user’s client (containing at least one authenticator) work in concert to cryptographically prove to a Relying Party that the user controls the credential private key associated with a previously-registered public key credential (see Registration). Note that this includes a test of user presence or user verification. [[source](https://www.w3.org/TR/webauthn-2/#authentication-ceremony)]\n\n#### Initiation phase\n\n```ruby\noptions = WebAuthn::Credential.options_for_get(allow: user.credentials.map { |c| c.webauthn_id })\n\n# Store the newly generated challenge somewhere so you can have it\n# for the verification phase.\nsession[:authentication_challenge] = options.challenge\n\n# Send `options` back to the browser, so that they can be used\n# to call `navigator.credentials.get({ \"publicKey\": options })`\n\n# You can call `options.as_json` to get a ruby hash with a JSON representation if needed.\n\n# If inside a Rails controller, `render json: options` will just work.\n# I.e. it will encode and convert the options to JSON automatically.\n\n# For your frontend code, you might find @github/webauthn-json npm package useful.\n# Especially for handling the necessary decoding of the options, and sending the\n# `PublicKeyCredential` object back to the server.\n```\n\n#### Verification phase\n\nYou need to look up the stored credential for a user by matching the `id` attribute from the PublicKeyCredential \ninterface returned by the browser to the stored `credential_id`. 
The corresponding `public_key` and `sign_count` \nattributes must be passed as keyword arguments to the `verify` method call.\n\n```ruby\n# Assuming you're using @github/webauthn-json package to send the `PublicKeyCredential` object back\n# in params[:publicKeyCredential]:\nwebauthn_credential = WebAuthn::Credential.from_get(params[:publicKeyCredential])\n\nstored_credential = user.credentials.find_by(webauthn_id: webauthn_credential.id)\n\nbegin\n  webauthn_credential.verify(\n    session[:authentication_challenge],\n    public_key: stored_credential.public_key,\n    sign_count: stored_credential.sign_count\n  )\n\n  # Update the stored credential sign count with the value from `webauthn_credential.sign_count`\n  stored_credential.update!(sign_count: webauthn_credential.sign_count)\n\n  # Continue with successful sign in or 2FA verification...\n\nrescue WebAuthn::SignCountVerificationError =\u003e e\n  # Cryptographic verification of the authenticator data succeeded, but the signature counter was less than or equal\n  # to the stored value. This can have several reasons and depending on your risk tolerance you can choose to fail or\n  # pass authentication. For more information see https://www.w3.org/TR/webauthn/#sign-counter\nrescue WebAuthn::Error =\u003e e\n  # Handle error\nend\n```\n\n### Extensions\n\n\u003e The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, as defined in Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or an authentication extension.\n\n\u003e When creating a public key credential or requesting an authentication assertion, a WebAuthn Relying Party can request the use of a set of extensions. These extensions will be invoked during the requested ceremony if they are supported by the WebAuthn Client and/or the WebAuthn Authenticator. 
The Relying Party sends the client extension input for each extension in the get() call (for authentication extensions) or create() call (for registration extensions) to the WebAuthn client. [[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]\n\nExtensions can be requested in the initiation phase in both Credential Registration and Authentication ceremonies by adding the extension parameter when generating the options for create/get:\n\n```ruby\n# Credential Registration\ncreation_options = WebAuthn::Credential.options_for_create(\n  user: { id: user.webauthn_id, name: user.name },\n  exclude: user.credentials.map { |c| c.webauthn_id },\n  extensions: { appidExclude: domain.to_s }\n)\n\n# OR\n\n# Credential Authentication\noptions = WebAuthn::Credential.options_for_get(\n  allow: user.credentials.map { |c| c.webauthn_id },\n  extensions: { appid: domain.to_s }\n)\n```\n\nConsequently, after these `options` are sent to the WebAuthn client:\n\n\u003e The WebAuthn client performs client extension processing for each extension that the client supports, and augments the client data as specified by each extension, by including the extension identifier and client extension output values.\n\n\u003e For authenticator extensions, as part of the client extension processing, the client also creates the CBOR authenticator extension input value for each extension (often based on the corresponding client extension input value), and passes them to the authenticator in the create() call (for registration extensions) or the get() call (for authentication extensions).\n\n\u003e The authenticator, in turn, performs additional processing for the extensions that it supports, and returns the CBOR authenticator extension output for each as specified by the extension. Part of the client extension processing for authenticator extensions is to use the authenticator extension output as an input to creating the client extension output. 
[[source](https://www.w3.org/TR/webauthn-2/#sctn-extensions)]\n\nFinally, you can check the values returned for each extension by calling `client_extension_outputs` and `authenticator_extension_outputs` respectively.\nFor example, following the initialization phase for the Credential Authentication ceremony specified in the above example:\n\n```ruby\nwebauthn_credential = WebAuthn::Credential.from_get(credential_get_result_hash)\n\nwebauthn_credential.client_extension_outputs #=\u003e { \"appid\" =\u003e true }\nwebauthn_credential.authenticator_extension_outputs #=\u003e nil\n```\n\nA list of all currently defined extensions:\n\n  - [Last published version](https://www.w3.org/TR/webauthn-2/#sctn-defined-extensions)\n  - [Next version (in draft)](https://w3c.github.io/webauthn/#sctn-defined-extensions)\n\n## API\n\n#### `WebAuthn.generate_user_id`\n\nGenerates a [WebAuthn User Handle](https://www.w3.org/TR/webauthn-2/#user-handle) that follows the WebAuthn spec recommendations.\n\n```ruby\nWebAuthn.generate_user_id # \"lWoMZTGf_ml2RoY5qPwbwrkxrvTqWjGOxEoYBgxft3zG-LlrICvE-y8bxFi06zMyIOyNsJoWx4Fa2TOqoRmnxA\"\n```\n\n#### `WebAuthn::Credential.options_for_create(options)`\n\nHelper method to build the necessary [PublicKeyCredentialCreationOptions](https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialcreationoptions)\nto be used in the client-side code to call `navigator.credentials.create({ \"publicKey\": publicKeyCredentialCreationOptions })`.\n\n```ruby\ncreation_options = WebAuthn::Credential.options_for_create(\n  user: { id: user.webauthn_id, name: user.name },\n  exclude: user.credentials.map { |c| c.webauthn_id }\n)\n\n# Store the newly generated challenge somewhere so you can have it\n# for the verification phase.\nsession[:creation_challenge] = creation_options.challenge\n\n# Send `creation_options` back to the browser, so that they can be used\n# to call `navigator.credentials.create({ \"publicKey\": creationOptions })`\n#\n# You can call 
`creation_options.as_json` to get a ruby hash with a JSON representation if needed.\n\n# If inside a Rails controller, `render json: creation_options` will just work.\n# I.e. it will encode and convert the options to JSON automatically.\n```\n\n#### `WebAuthn::Credential.options_for_get([options])`\n\nHelper method to build the necessary [PublicKeyCredentialRequestOptions](https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialrequestoptions)\nto be used in the client-side code to call `navigator.credentials.get({ \"publicKey\": publicKeyCredentialRequestOptions })`.\n\n```ruby\nrequest_options = WebAuthn::Credential.options_for_get(allow: user.credentials.map { |c| c.webauthn_id })\n\n# Store the newly generated challenge somewhere so you can have it\n# for the verification phase.\nsession[:authentication_challenge] = request_options.challenge\n\n# Send `request_options` back to the browser, so that they can be used\n# to call `navigator.credentials.get({ \"publicKey\": requestOptions })`\n\n# You can call `request_options.as_json` to get a ruby hash with a JSON representation if needed.\n\n# If inside a Rails controller, `render json: request_options` will just work.\n# I.e. 
it will encode and convert the options to JSON automatically.\n```\n\n#### `WebAuthn::Credential.from_create(credential_create_result)`\n\n```ruby\ncredential_with_attestation = WebAuthn::Credential.from_create(params[:publicKeyCredential])\n```\n\n#### `WebAuthn::Credential.from_get(credential_get_result)`\n\n```ruby\ncredential_with_assertion = WebAuthn::Credential.from_get(params[:publicKeyCredential])\n```\n\n#### `PublicKeyCredentialWithAttestation#verify(challenge)`\n\nVerifies the created WebAuthn credential is [valid](https://www.w3.org/TR/webauthn-2/#sctn-registering-a-new-credential).\n\n```ruby\ncredential_with_attestation.verify(session[:creation_challenge])\n```\n\n#### `PublicKeyCredentialWithAssertion#verify(challenge, public_key:, sign_count:)`\n\nVerifies the asserted WebAuthn credential is [valid](https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion).\n\nMainly, that the client provided a valid cryptographic signature for the corresponding stored credential public\nkey, among other extra validations.\n\n```ruby\ncredential_with_assertion.verify(\n  session[:authentication_challenge],\n  public_key: stored_credential.public_key,\n  sign_count: stored_credential.sign_count\n)\n```\n\n#### `PublicKeyCredential#client_extension_outputs`\n\n```ruby\ncredential = WebAuthn::Credential.from_create(params[:publicKeyCredential])\n\ncredential.client_extension_outputs\n```\n\n#### `PublicKeyCredential#authenticator_extension_outputs`\n\n```ruby\ncredential = WebAuthn::Credential.from_create(params[:publicKeyCredential])\n\ncredential.authenticator_extension_outputs\n```\n\n## Attestation\n\n### Attestation Statement Formats\n\n| Attestation Statement Format | Supported? 
|\n| -------- | :--------: |\n| packed (self attestation) | Yes |\n| packed (x5c attestation) | Yes |\n| tpm (x5c attestation) | Yes |\n| android-key | Yes |\n| android-safetynet | Yes |\n| apple | Yes |\n| fido-u2f | Yes |\n| none | Yes |\n\n### Attestation Types\n\nYou can define what trust policy to enforce by setting `acceptable_attestation_types` config to a subset of `['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']` and `attestation_root_certificates_finders` to an object that responds to `#find` and returns the corresponding root certificate for each registration. The `#find` method will be called passing keyword arguments `attestation_format`, `aaguid` and `attestation_certificate_key_id`.\n\n## Testing Your Integration\n\nThe WebAuthn spec requires that data be signed and authenticated. As a result, it can be difficult to create valid test authenticator data when testing your integration. webauthn-ruby exposes [WebAuthn::FakeClient](https://github.com/cedarcode/webauthn-ruby/blob/master/lib/webauthn/fake_client.rb) for you to use in your tests. Example usage can be found in [webauthn-ruby/spec/webauthn/authenticator_assertion_response_spec.rb](https://github.com/cedarcode/webauthn-ruby/blob/master/spec/webauthn/authenticator_assertion_response_spec.rb).\n\n## Contributing\n\nSee [the contributing file](CONTRIBUTING.md)!\n\nBug reports, feature suggestions, and pull requests are welcome on GitHub at https://github.com/cedarcode/webauthn-ruby.\n\n## License\n\nThe library is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).\n","funding_links":[],"categories":["Ruby","Server Libraries","Library"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedarcode%2Fwebauthn-ruby","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcedarcode%2Fwebauthn-ruby","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedarcode%2Fwebauthn-ruby/lists"}