42 Improve Token Security & Extend wac.install #50

Merged
merged 115 commits into from
Sep 18, 2023

type1fool (Collaborator) commented Sep 13, 2023

Overview

Resolves #42
Resolves #41

This PR contains two major changes:

  • Tokens are stored in session cookies instead of window.sessionStorage.
  • The wac.install Mix Task has been extended to generate more files and inject routes into the app's router.

Changes

  • Replaced TokenComponent with Session controller
  • Updated wac.install to add options for bypassing generators
  • Updated generators:
    • Contexts
    • Fixtures
    • Migrations
    • Schemas
    • Tests
  • Added generators:
    • Controllers
    • LiveViews
    • Router
    • Session Hooks
  • Moved schemas into Identity context
  • Updated JS hooks to use ESM syntax
  • Bumped to v0.6.0

Video Demo

https://youtu.be/GGWM_ZM3xlg

Tests

WebauthnComponents

mix test

...EVENTS_OMITTED...

Finished in 0.1 seconds (0.1s async, 0.00s sync)
10 tests, 0 failures

Randomized with seed 373636

Fresh Demo App w/ WAC

mix test
.......................
Finished in 0.2 seconds (0.2s async, 0.00s sync)
23 tests, 0 failures

Randomized with seed 313260

UI Screenshots

The following screenshots were captured in Chrome on macOS.

/sign-in

image image

Validation

Invalid Email

image

Valid Email

image

Registration

image image image

Authentication

image image image image

🚨 Firefox

Firefox does not appear to support macOS Passkeys by default. After attempting to register a user in Firefox, the browser prompted to activate the authenticator, but nothing happened when I pressed the laptop's TouchID.

image

Collaborators

  1. @type1fool
  2. @doorgan

type1fool self-assigned this Sep 13, 2023

type1fool (Collaborator, Author) commented Sep 13, 2023

Example Success Output

mix wac.install
==> webauthn_components
Compiling 1 file (.ex)
==> passkeys
* creating lib/passkeys/identity.ex
* creating lib/passkeys/identity/user.ex
* creating lib/passkeys/identity/user_key.ex
* creating lib/passkeys/identity/user_token.ex
* creating priv/repo/migrations/20230913020225_users.exs
* creating priv/repo/migrations/20230913020226_user_keys.exs
* creating priv/repo/migrations/20230913020227_user_tokens.exs
* creating test/passkeys/identity_test.exs
* creating test/support/user_fixtures.ex
* creating lib/passkeys_web/controllers/session.ex
* creating lib/passkeys_web/session_hooks/assign_user.ex
* creating lib/passkeys_web/session_hooks/require_user.ex
* creating lib/passkeys_web/live/authentication_live.ex
* creating lib/passkeys_web/live/authentication_live.html.heex
* updating lib/passkeys_web/router.ex

✅ Successfully scaffolded WebauthnComponents for Elixir.Passkeys

📚 Resources

- Repo: https://github.com/liveshowy/webauthn_components
- Hex:  https://hex.pm/packages/webauthn_components
- Docs: https://hexdocs.pm/webauthn_components/readme.html

Example Error Output

mix wac.install
Compiling 1 file (.ex)
* creating lib/passkeys/identity.ex
* creating lib/passkeys/identity/user.ex
* creating lib/passkeys/identity/user_key.ex
* creating lib/passkeys/identity/user_token.ex
* creating priv/repo/migrations/20230913020344_users.exs
* creating priv/repo/migrations/20230913020345_user_keys.exs
* creating priv/repo/migrations/20230913020346_user_tokens.exs
* creating test/passkeys/identity_test.exs
* creating test/support/user_fixtures.ex
* creating lib/passkeys_web/controllers/session.ex
* creating lib/passkeys_web/session_hooks/assign_user.ex
* creating lib/passkeys_web/session_hooks/require_user.ex
* creating lib/passkeys_web/live/authentication_live.ex
* creating lib/passkeys_web/live/authentication_live.html.heex
** (Wac.Gen.RouterError) 🫣 Unable to find the first router scope

🙏 Please review the WebauthnComponents issue tracker and open a new issue if necessary.
👉 https://github.com/liveshowy/webauthn_components/issues
👇 For debugging, please include this error and the stacktrace below:

    (webauthn_components 0.6.0) lib/wac_gen/router.ex:95: Wac.Gen.Router.insert_routes/2
    (webauthn_components 0.6.0) lib/wac_gen/router.ex:52: Wac.Gen.Router.update_router/1
    (webauthn_components 0.6.0) lib/mix/tasks/wac.install.ex:106: Mix.Tasks.Wac.Install.run/1
    (mix 1.15.4) lib/mix/task.ex:447: anonymous fn/3 in Mix.Task.run_task/5
    (mix 1.15.4) lib/mix/cli.ex:92: Mix.CLI.run_task/2
    /Users/owenbickford/.asdf/installs/elixir/1.15.4-otp-26/bin/mix:2: (file)
    (elixir 1.15.4) lib/code.ex:1435: Code.require_file/2

type1fool added the enhancement and security labels Sep 13, 2023
type1fool marked this pull request as ready for review September 17, 2023 21:43
type1fool merged commit bb8cbc0 into main Sep 18, 2023
1 check passed
type1fool deleted the 42-improve-token-security branch September 18, 2023 23:53
type1fool mentioned this pull request Oct 25, 2024