Skip to main content

Crate passki

Crate passki 

Source
Expand description

Passki - A WebAuthn/Passkey implementation for Rust

Passki provides a simple and secure way to implement passkey-based authentication in your Rust applications. It handles the WebAuthn protocol for both registration and authentication ceremonies.

§Features

  • Support for multiple cryptographic algorithms (EdDSA/Ed25519, ES256/P-256, RS256/RSA)
  • Replay attack protection via signature counters
  • Flexible authenticator selection and user verification options
  • Credential exclusion to prevent duplicate registrations
  • Type-safe API with comprehensive error handling

§Example

use passki::{
    Passki, AttestationConveyancePreference, ResidentKeyRequirement,
    UserVerificationRequirement, StoredPasskey,
};

// Initialize Passki with your relying party information
let passki = Passki::new(
    "example.com",              // Relying Party ID (domain)
    "https://example.com",      // Relying Party Origin
    "Example Corp"              // Relying Party Name
);

// Registration flow
// Step 1: Start registration and send challenge to client
let user_id = b"unique_user_identifier_12345"; // At least 16 bytes
let (registration_challenge, registration_state) = passki.start_passkey_registration(
    user_id,                                        // User ID (bytes)
    "alice@example.com",                            // Username
    "Alice Smith",                                  // Display name
    60000,                                          // Timeout (ms)
    AttestationConveyancePreference::None,          // Attestation
    ResidentKeyRequirement::Preferred,              // Resident key
    UserVerificationRequirement::Preferred,         // User verification
    None,                                           // Exclude existing credentials
    None,                                           // Extensions (None, or Some(RegistrationExtensions { ... }))
).expect("user_id must be at least 16 bytes");

// Send registration_challenge to client (as JSON)
// Client uses WebAuthn API to create credential

// Step 2: Receive credential from client and complete registration
let stored_passkey = passki.finish_passkey_registration(
    &registration_credential,  // Credential from client
    &registration_state,       // State from step 1
)?;

// Save stored_passkey to your database associated with the user

// Authentication flow
// Step 1: Start authentication and send challenge to client
let (authentication_challenge, authentication_state) = passki.start_passkey_authentication(
    &user_passkeys,                            // User's stored passkeys
    60000,                                     // Timeout (ms)
    UserVerificationRequirement::Preferred,    // User verification
    None,                                      // Extensions (None, or Some(AuthenticationExtensions { ... }))
);

// Send authentication_challenge to client (as JSON)
// Client uses WebAuthn API to sign the challenge

// Step 2: Receive credential from client and verify authentication
let result = passki.finish_passkey_authentication(
    &authentication_credential,  // Credential from client
    &authentication_state,       // State from step 1
    &stored_passkey,             // User's passkey from database
)?;

// Update the counter in your database to prevent replay attacks
stored_passkey.counter = result.counter;

§Security Considerations

  • Always verify that the origin matches your expected domain
  • Store and check signature counters to detect cloned authenticators
  • Use HTTPS in production to prevent man-in-the-middle attacks
  • Store passkeys securely in your database (the public keys are not secret, but credential IDs should be treated as sensitive)
  • Use credential exclusion during registration to prevent duplicate credentials
  • User IDs must be at least 16 bytes for security (recommended: use UUIDs or random bytes)

Structs§

AllowCredential
A credential that is allowed for authentication.
AuthenticationChallenge
Challenge sent to the client to begin passkey authentication.
AuthenticationCredential
Credential data returned by the client after authentication.
AuthenticationExtensions
Extensions included in an authentication challenge.
AuthenticationResult
Result of a successful authentication.
AuthenticationState
Server-side state for a passkey authentication in progress.
AuthenticatorSelection
Authenticator selection criteria for passkey registration.
ClientData
Parsed client data from WebAuthn operations.
ClientExtensionResults
The full clientExtensionResults object returned by the browser.
CredPropsResult
Credential properties returned by the browser after registration.
ExcludeCredential
A credential descriptor for exclusion during registration.
Passki
Main Passki struct for managing passkey registration and authentication.
PasskiError
Error type for Passki operations.
PrfEval
PRF evaluation inputs sent to the authenticator.
PrfExtensionResult
PRF extension result returned by the client.
PrfInput
PRF extension input included in challenges.
PrfResults
PRF outputs returned by the authenticator.
PubKeyCredParam
A public key credential parameter specifying an acceptable algorithm.
RegistrationChallenge
Challenge sent to the client to begin passkey registration.
RegistrationCredential
Credential data returned by the client after registration.
RegistrationExtensions
Extensions included in a registration challenge.
RegistrationState
Server-side state for a passkey registration in progress.
RelyingParty
Information about the relying party (RP).
StoredPasskey
A stored passkey credential.
UserInfo
Information about the user account.

Enums§

AttestationConveyancePreference
Attestation conveyance preference for passkey registration.
ClientDataType
The type of WebAuthn operation.
ResidentKeyRequirement
Resident key requirement for passkey registration.
UserVerificationRequirement
User verification requirement for passkey operations.

Type Aliases§

Result
Convenience type alias for Results that may return any error.