{"id":33111553,"url":"https://github.com/developmeh/passkey-origin-validator","last_synced_at":"2025-11-19T19:02:01.552Z","repository":{"id":296414964,"uuid":"993297482","full_name":"developmeh/passkey-origin-validator","owner":"developmeh","description":"Validates .well-known/webauthn and Passkey ROR checks as implemented by chromium as a reference","archived":false,"fork":false,"pushed_at":"2025-05-30T20:17:34.000Z","size":55,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-05-30T21:21:18.131Z","etag":null,"topics":["passkeys","related-origin-requests","webauthn","well-known-uri"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/developmeh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-30T14:46:53.000Z","updated_at":"2025-05-30T20:17:38.000Z","dependencies_parsed_at":"2025-05-30T21:21:38.148Z","dependency_job_id":"7f671ae9-dbd7-4545-95b0-514910c41ca9","html_url":"https://github.com/developmeh/passkey-origin-validator","commit_stats":null,"previous_names":["developmeh/passkey-origin-validator"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/developmeh/passkey-origin-validator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developmeh%2Fpasskey-origin-validator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developmeh%2Fpasskey-origin-validator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developmeh%2Fpasskey-origin-validator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developmeh%2Fpasskey-origin-validator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/developmeh","download_url":"https://codeload.github.com/developmeh/passkey-origin-validator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developmeh%2Fpasskey-origin-validator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":285309405,"owners_count":27149893,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-19T02:00:05.673Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["passkeys","related-origin-requests","webauthn","well-known-uri"],"created_at":"2025-11-15T01:00:38.814Z","updated_at":"2025-11-19T19:02:01.547Z","avatar_url":"https://github.com/developmeh.png","language":"C++","funding_links":[],"categories":["Dev tools"],"sub_categories":[],"readme":"# Passkey Origin Validator\n\nA tool for validating passkey/WebAuthn origin constraints in .well-known/webauthn endpoints. This tool is based on the Chromium project's implementation of WebAuthn security checking and helps ensure that your WebAuthn implementation follows the same constraints as browsers.\n\nFor detailed information about the project background, label definition, and technical details, please see [project_status.md](project_status.md).\n\n## Installation and Dependencies\n\n### Dependencies\n\n- [Go](https://golang.org/) (version 1.24 or later)\n- [Cobra](https://github.com/spf13/cobra) - A Commander for modern Go CLI interactions\n- [Viper](https://github.com/spf13/viper) - Go configuration with fangs\n\nThese dependencies will be automatically installed when running `make deps`.\n\n### Building\n\n```bash\n# Get dependencies\nmake deps\n\n# Build the application\nmake build\n\n# Clean build artifacts\nmake clean\n\n# Run tests\nmake test\n```\n\n## Command Reference\n\nThe tool provides several commands and flags to validate WebAuthn origin constraints. Here's a comprehensive guide to using each command:\n\n### Global Flags\n\nThese flags can be used with any command:\n\n| Flag | Description |\n|------|-------------|\n| `--config \u003cfile\u003e` | Config file (default is $HOME/.passkey-origin-validator.yaml) |\n| `--debug` | Enable debug logging |\n| `--file \u003cfile\u003e` | Use a local JSON file instead of fetching from a domain |\n| `--example` | Run with example data for testing |\n| `--version`, `-v` | Print version information and exit |\n\n### Count Command\n\nThe `count` command fetches the .well-known/webauthn endpoint for a given domain, parses the JSON response, and counts the number of unique labels.\n\n**Usage:**\n```\npasskey-origin-validator count [domain]\n```\n\n**Arguments:**\n- `domain` (optional): The domain to check. If not provided, defaults to webauthn.io.\n\n**Examples:**\n```bash\n# Count labels for default domain (webauthn.io)\n./build/passkey-origin-validator count\n\n# Count labels with debug logging\n./build/passkey-origin-validator count --debug\n\n# Count labels for specific domain\n./build/passkey-origin-validator count example.com\n\n# Count labels from local file\n./build/passkey-origin-validator count --file ./test.json\n```\n\n**Using with Makefile:**\n```bash\n# Count labels for default domain (webauthn.io)\nmake run\n\n# Count labels with debug logging\nmake run DEBUG=true\n\n# Count labels for specific domain\nmake run DOMAIN=google.com\n\n# Count labels from local file\nmake run FILE=./test.json\n```\n\n### Validate Command\n\nThe `validate` command checks if a caller origin is authorized by a domain's .well-known/webauthn file.\n\n**Usage:**\n```\npasskey-origin-validator validate [domain] --origin \u003corigin\u003e\n```\n\n**Arguments:**\n- `domain` (optional): The domain to check. If not provided, defaults to webauthn.io.\n\n**Required Flags:**\n- `--origin \u003corigin\u003e`: The caller origin to validate (e.g., https://example.com)\n\n**Examples:**\n```bash\n# Validate origin against default domain\n./build/passkey-origin-validator validate --origin https://example.com\n\n# Validate origin against specific domain\n./build/passkey-origin-validator validate --origin https://example.com google.com\n\n# Validate origin against local file\n./build/passkey-origin-validator validate --origin https://example.com --file ./test.json\n```\n\n**Using with Makefile:**\n```bash\n# Validate origin against default domain\nmake validate ORIGIN=https://example.com\n\n# Validate origin against specific domain\nmake validate ORIGIN=https://example.com DOMAIN=google.com\n\n# Validate origin against local file\nmake validate ORIGIN=https://example.com FILE=./test.json\n```\n\n### Example Data\n\nYou can run the tool with example data to see how it works without making actual HTTP requests:\n\n```bash\n# Run with example data\n./build/passkey-origin-validator --example\n\n# Using Makefile\nmake mock\n```\n\nThis will demonstrate the functionality with predefined test cases, showing both successful and failed validations.\n\n## Configuration\n\nThe tool can be configured using a YAML configuration file. By default, it looks for a file named `.passkey-origin-validator.yaml` in your home directory. You can specify a different configuration file using the `--config` flag.\n\n### Configuration File Format\n\nThe configuration file uses YAML format and supports the following options:\n\n| Option | Type | Description |\n|--------|------|-------------|\n| `debug` | boolean | Enable debug logging |\n| `default_domain` | string | Default domain to check if not specified |\n| `file` | string | Use a local JSON file instead of fetching from a domain |\n| `example` | boolean | Run with example data for testing |\n| `origin` | string | Default caller origin to validate (for validate command) |\n| `timeout` | integer | HTTP request timeout in seconds |\n| `max_labels` | integer | Maximum number of labels allowed |\n\n### Sample Configuration File\n\nA sample configuration file is provided in the repository as `sample-config.yaml`. You can copy this file to your home directory and customize it:\n\n```bash\n# Copy the sample config to your home directory\ncp sample-config.yaml ~/.passkey-origin-validator.yaml\n```\n\nHere's the content of the sample configuration file:\n\n```yaml\n# Sample configuration file for passkey-origin-validator\n# Save this as $HOME/.passkey-origin-validator.yaml or specify with --config flag\n\n# Enable debug logging\ndebug: false\n\n# Default domain to check if not specified\ndefault_domain: \"https://webauthn.io\"\n\n# Use a local JSON file instead of fetching from a domain\n# file: \"./test.json\"\n\n# Run with example data for testing\nexample: false\n\n# Default caller origin to validate (for validate command)\n# origin: \"https://example.com\"\n\n# HTTP request timeout in seconds\ntimeout: 10\n\n# Maximum number of labels allowed\nmax_labels: 5\n```\n\n### Using the Configuration File\n\nTo use the configuration file:\n\n1. Create a YAML file with your desired configuration options\n2. Save it as `.passkey-origin-validator.yaml` in your home directory, or\n3. Specify the path to your config file with the `--config` flag:\n\n```bash\n./build/passkey-origin-validator --config /path/to/your/config.yaml count\n```\n\nConfiguration values in the file can be overridden by command-line flags. For example, if your config file has `debug: false` but you run with `--debug`, debug logging will be enabled for that run.\n\n## Debugging\n\nThe tool provides debug logging that can be enabled with the `--debug` flag or by setting `DEBUG=true` when using the Makefile. Debug logging provides additional information about:\n\n- The domain being tested\n- The maximum number of labels allowed\n- The number of unique labels found\n- The list of labels found\n- Whether the number of labels exceeds the limit\n- JSON parsing details\n\nExample:\n```bash\n# Enable debug logging with direct command\n./build/passkey-origin-validator count --debug\n\n# Enable debug logging with Makefile\nmake run DEBUG=true\n```\n\n## Exit Status\n\nThe tool returns different exit codes depending on the result:\n\n| Exit Code | Description |\n|-----------|-------------|\n| `0` | Success (number of labels is within the limit) |\n| `1` | Error (failed to fetch or parse the .well-known/webauthn endpoint) |\n| `2` | Warning (number of labels exceeds the limit) |\n| `3` | Validation failure (caller origin is not authorized) |\n\n## CI/CD Pipeline\n\nThis project uses GitHub Actions for automated testing and releasing. The workflow is configured in the `.github/workflows/ci.yml` file and consists of two jobs:\n\n1. **Test Job**: Runs the project's tests on every pull request and commit to the master branch.\n2. **Release Job**: Creates a release binary using GoReleaser when a tag is pushed to the repository.\n\n### Creating a Release\n\nTo create a new release:\n\n1. Ensure all your changes are committed and pushed to the master branch\n2. Create and push a new tag:\n\n```bash\ngit tag -a v1.0.0 -m \"Release v1.0.0\"\ngit push origin v1.0.0\n```\n\nThis will trigger the release job in the GitHub Actions workflow, which will:\n- Build binaries for multiple platforms (Linux, macOS, Windows)\n- Create archives of the binaries\n- Generate checksums\n- Create a GitHub release with the binaries and changelog\n\nThe release configuration is defined in the `.goreleaser.yml` file.\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevelopmeh%2Fpasskey-origin-validator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevelopmeh%2Fpasskey-origin-validator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevelopmeh%2Fpasskey-origin-validator/lists"}