pub struct PasskeyManager { /* private fields */ }
Owns the Webauthn instance and the user store that the manager needs to
look up existing credentials for the authentication flow.
Cheap to clone: both fields are reference-counted.
Implementations
impl PasskeyManager
pub fn new(config: PasskeyConfig, users: Arc<dyn UserStore>) -> Result<Self>
Build the manager from operator config + the auth user store.
Errors if the rp_id / origin fail webauthn_rs’s validation
(e.g. mismatched host, missing TLD on a bare localhost-ish
origin in production).
pub fn config(&self) -> &PasskeyConfig
Borrow the operator config — handy for /well-known/... style
admin endpoints + tests.
pub fn users(&self) -> &Arc<dyn UserStore>
Borrow the underlying user store. Phase 8 handlers may need it
directly when they upsert the resulting passkey via
UserStore::add_passkey.
pub async fn start_registration(
    &self,
    user_unique_id: Uuid,
    user_name: &str,
    display_name: &str,
    auth_user_id: Option<&str>,
) -> Result<(CreationChallengeResponse, PasskeyRegistration)>
Step 1 of registration. Returns the challenge to ship to the browser plus the in-progress state to round-trip via the session. The state is short-lived; do NOT persist it long-term.
user_unique_id is the Uuid webauthn_rs uses internally
— typically a deterministic UUIDv5 derived from the user’s
auth.users.id (or any stable opaque id mapped to UUID space).
user_name is the WebAuthn “name” (typically the email);
display_name is the human-readable label.
auth_user_id is the canonical opaque id stored on
auth.users.id — used to look up existing passkeys so the
browser can exclude them from the prompt. Pass None for fresh
signups where no row exists yet.
pub fn finish_registration(
    &self,
    state: &PasskeyRegistration,
    response: &RegisterPublicKeyCredential,
) -> Result<Passkey>
Step 2 of registration. Verifies the browser’s
RegisterPublicKeyCredential against the stored
PasskeyRegistration state and returns the
webauthn_rs::prelude::Passkey for the caller to persist via
UserStore::add_passkey.
We return the library’s Passkey rather than our
crate::store::PasskeyCred so handlers can also stash the
serialised form for later re-verification — converting via
passkey_to_cred is a one-liner when persistence is wanted.
pub async fn start_authentication(
    &self,
    user_id: &str,
) -> Result<(RequestChallengeResponse, PasskeyAuthentication)>
Step 1 of authentication. Loads the user’s stored passkeys via
UserStore::list_passkeys (caller passes the user_id) and
asks webauthn_rs for a fresh challenge. Returns the challenge
to ship to the browser plus the in-progress state to round-trip
via the session.
Errors with Error::Passkey when the user has no registered
passkeys — callers should fall back to a different auth method
instead of presenting an empty challenge.
pub fn start_authentication_with(
    &self,
    creds: &[Passkey],
) -> Result<(RequestChallengeResponse, PasskeyAuthentication)>
Variant of PasskeyManager::start_authentication that takes
the already-deserialised webauthn_rs::prelude::Passkey list
directly. Useful for tests + for any future caller that holds the
serialised blob outside of the canonical store layout.
pub fn finish_authentication(
    &self,
    state: &PasskeyAuthentication,
    response: &PublicKeyCredential,
) -> Result<AuthenticatedPasskey>
Step 2 of authentication. Verifies the browser’s
PublicKeyCredential and returns the
AuthenticatedPasskey result the caller persists (sign-count
bump, backup-state changes, etc.) via the user store.
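The start_registration and start_authentication notes above both call for short-lived in-progress state that round-trips via the session. The following added example, which is not part of this crate, shows one server-side way to keep that state single-use and expiring. CeremonyStore, its methods and the 300-second TTL are assumptions, and S stands in for PasskeyRegistration or PasskeyAuthentication.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Hypothetical holder for in-progress ceremony state, keyed by session id.
/// `S` stands in for PasskeyRegistration or PasskeyAuthentication.
pub struct CeremonyStore<S> {
    ttl: Duration,
    pending: HashMap<String, (S, Instant)>,
}

impl<S> CeremonyStore<S> {
    pub fn new(ttl: Duration) -> Self {
        CeremonyStore { ttl, pending: HashMap::new() }
    }

    /// Called after a start_* step. A newer start for the same session
    /// replaces the older state, so only the latest challenge can finish.
    pub fn put(&mut self, session_id: &str, state: S, now: Instant) {
        self.pending.retain(|_, (_, expires)| *expires > now); // sweep expired
        self.pending.insert(session_id.to_owned(), (state, now + self.ttl));
    }

    /// Called before a finish_* step. The entry is removed even if the later
    /// verification fails, so one challenge accepts at most one response.
    pub fn take(&mut self, session_id: &str, now: Instant) -> Option<S> {
        let (state, expires) = self.pending.remove(session_id)?;
        if now < expires {
            Some(state)
        } else {
            None // expired: caller must restart the ceremony
        }
    }
}

fn main() {
    let t0 = Instant::now();
    let mut store = CeremonyStore::new(Duration::from_secs(300)); // assumed TTL
    store.put("session-a", "constructed-state", t0);
    let first = store.take("session-a", t0 + Duration::from_secs(10));
    let replay = store.take("session-a", t0 + Duration::from_secs(11));
    println!("first={:?} replay={:?}", first, replay);
}
```

Passing the clock in as `now` keeps expiry deterministic in tests; a handler would pass Instant::now().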
Trait Implementations
impl Clone for PasskeyManager
fn clone(&self) -> PasskeyManager
fn clone_from(&mut self, source: &Self)
Auto Trait Implementations
impl Freeze for PasskeyManager
impl !RefUnwindSafe for PasskeyManager
impl Send for PasskeyManager
impl Sync for PasskeyManager
impl Unpin for PasskeyManager
impl UnsafeUnpin for PasskeyManager
impl !UnwindSafe for PasskeyManager
Blanket Implementations
impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where
    T: 'a,
impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where
    T: 'a,
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
impl<T> CloneToUninit for T
where
    T: Clone,
impl<T> Instrument for T
fn instrument(self, span: Span) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
impl<T> IntoEither for T
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise.
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise.