Struct webauthn_rs::Webauthn

pub struct Webauthn<T> { /* fields omitted */ }

This is the core of the Webauthn operations. It provides 4 interfaces that you will likely use the most:

• generate_challenge_response
• register_credential
• generate_challenge_authenticate
• authenticate_credential

Each of these is described in turn, but they will all map to routes in your application. The generate functions return Json challenges that are intended to be processed by the client browser, and the register and authenticate will recieve Json that is processed and verified.

These functions return state that you must store and handle correctly for the authentication or registration to proceed correctly.

As a result, it's very important you read the function descriptions to understand the process as much as possible.

Implementations

impl<T> Webauthn<T>

pub fn new(config: T) -> Self where
    T: WebauthnConfig, 

Create a new Webauthn instance with the supplied configuration. The config type will recieve and interact with various callbacks to allow the lifecycle and application handling of Credentials to be customised for your application.

You should see the Documentation for WebauthnConfig, which is the main part of the code you will interact with for site-specific customisation.

pub fn generate_challenge_register(
    &mut self,
    user_name: &String,
    policy: Option<UserVerificationPolicy>
) -> Result<(CreationChallengeResponse, RegistrationState), WebauthnError> where
    T: WebauthnConfig, 

Generate a new challenge for client registration. Same as generate_challenge_register_options but default options

pub fn generate_challenge_register_options(
    &mut self,
    user_id: UserId,
    user_name: String,
    user_display_name: String,
    exclude_credentials: Option<Vec<CredentialID>>,
    policy: Option<UserVerificationPolicy>
) -> Result<(CreationChallengeResponse, RegistrationState), WebauthnError> where
    T: WebauthnConfig, 

Generate a new challenge for client registration. This is the first step in the lifecycle of a credential. This function will return the CreationChallengeResponse which is suitable for Serde JSON serialisation to be sent to the client. The client (generally a webbrowser) will pass this JSON structure to the navigator.credentials.create() javascript function for registration.

It also returns a RegistratationState, that you must persist. It is strongly advised you associate this RegistrationState with the UserId of the requestor.

At this time we deviate from the standard and base64 some fields, but we are investigating how to avoid this (https://github.com/Firstyear/webauthn-rs/issues/5)

pub fn register_credential(
    &self,
    reg: RegisterPublicKeyCredential,
    state: RegistrationState,
    does_exist_fn: impl Fn(&CredentialID) -> Result<bool, ()>
) -> Result<Credential, WebauthnError> where
    T: WebauthnConfig, 

Process a credential registration response. This is the output of navigator.credentials.create() which is sent to the webserver from the client.

Given the username you also must provide the associated RegistrationState for this operation to proceed.

On success this returns a new Credential that you must persist and associate with the user.

Optionally, you may provide a closure that is able to check if any credential of the same id has already been persisted by your server.

At this time we deviate from the standard and base64 some fields, but we are investigating how to avoid this (https://github.com/Firstyear/webauthn-rs/issues/5)

pub fn generate_challenge_authenticate(
    &mut self,
    creds: Vec<Credential>,
    policy: Option<UserVerificationPolicy>
) -> Result<(RequestChallengeResponse, AuthenticationState), WebauthnError> where
    T: WebauthnConfig, 

Generate a challenge for an authenticate request for a user. You must supply the set of credentials that exist for the user that may be used in this authentication request. If an empty credential set is supplied, the authentication will fail.

This challenge is supplied to to the client javascript function navigator.credentials.get().

You must persist the AuthenticationState that is returned. You should associate this by UserId. The AuthenticationState is required for the authenticate_credential function to operate correctly.

At this time we deviate from the standard and base64 some fields, but we are investigating how to avoid this (https://github.com/Firstyear/webauthn-rs/issues/5)

pub fn authenticate_credential(
    &mut self,
    rsp: PublicKeyCredential,
    state: AuthenticationState
) -> Result<Option<(CredentialID, Counter)>, WebauthnError> where
    T: WebauthnConfig, 

Process an authenticate response from the authenticator and browser. This is the output of navigator.credentials.get(), which is processed by this function. If the authentication fails, appropriate errors will be returned.

This requireds the associated AuthenticationState that was created by generate_challenge_authenticate

On successful authentication, an Ok result is returned. The Ok may contain the credentialid and associated counter, which you should update for security purposes. If the Ok returns None then the credential does not have a counter.

At this time we deviate from the standard and base64 some fields, but we are investigating how to avoid this (https://github.com/Firstyear/webauthn-rs/issues/5)

Trait Implementations

impl<T: Debug> Debug for Webauthn<T>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.