Skip to main content

Crate passki

Crate passki 

Source
Expand description

Passki - A WebAuthn/Passkey implementation for Rust

Passki provides a simple and secure way to implement passkey-based authentication in your Rust applications. It handles the WebAuthn protocol for both registration and authentication ceremonies.

§Features

  • Support for multiple cryptographic algorithms (EdDSA/Ed25519, ES256/P-256, RS256/RSA)
  • Full WebAuthn Level 2 compliance
  • Replay attack protection via signature counters
  • Flexible authenticator selection and user verification options
  • Credential exclusion to prevent duplicate registrations
  • Type-safe API with comprehensive error handling

§Example

use passki::{
    Passki, AttestationConveyancePreference, ResidentKeyRequirement,
    UserVerificationRequirement, StoredPasskey,
};

// Initialize Passki with your relying party information
let passki = Passki::new(
    "example.com",              // Relying Party ID (domain)
    "https://example.com",      // Relying Party Origin
    "Example Corp"              // Relying Party Name
);

// Registration flow
// Step 1: Start registration and send challenge to client
let user_id = b"unique_user_identifier_12345"; // At least 16 bytes
let (registration_challenge, registration_state) = passki.start_passkey_registration(
    user_id,                                        // User ID (bytes)
    "alice@example.com",                            // Username
    "Alice Smith",                                  // Display name
    60000,                                          // Timeout (ms)
    AttestationConveyancePreference::None,          // Attestation
    ResidentKeyRequirement::Preferred,              // Resident key
    UserVerificationRequirement::Preferred,         // User verification
    None,                                           // Exclude existing credentials
).expect("user_id must be at least 16 bytes");

// Send registration_challenge to client (as JSON)
// Client uses WebAuthn API to create credential

// Step 2: Receive credential from client and complete registration
let stored_passkey = passki.finish_passkey_registration(
    &registration_credential,  // Credential from client
    &registration_state,       // State from step 1
)?;

// Save stored_passkey to your database associated with the user

// Authentication flow
// Step 1: Start authentication and send challenge to client
let (authentication_challenge, authentication_state) = passki.start_passkey_authentication(
    &user_passkeys,                            // User's stored passkeys
    60000,                                     // Timeout (ms)
    UserVerificationRequirement::Preferred,    // User verification
);

// Send authentication_challenge to client (as JSON)
// Client uses WebAuthn API to sign the challenge

// Step 2: Receive credential from client and verify authentication
let result = passki.finish_passkey_authentication(
    &authentication_credential,  // Credential from client
    &authentication_state,       // State from step 1
    &stored_passkey,             // User's passkey from database
)?;

// Update the counter in your database to prevent replay attacks
stored_passkey.counter = result.counter;

§Security Considerations

  • Always verify that the origin matches your expected domain
  • Store and check signature counters to detect cloned authenticators
  • Use HTTPS in production to prevent man-in-the-middle attacks
  • Store passkeys securely in your database (the public keys are not secret, but credential IDs should be treated as sensitive)
  • Use credential exclusion during registration to prevent duplicate credentials
  • User IDs must be at least 16 bytes for security (recommended: use UUIDs or random bytes)

Structs§

AllowCredential
A credential that is allowed for authentication.
AuthenticationChallenge
Challenge sent to the client to begin passkey authentication.
AuthenticationCredential
Credential data returned by the client after authentication.
AuthenticationResult
Result of a successful authentication.
AuthenticationState
Server-side state for a passkey authentication in progress.
AuthenticatorSelection
Authenticator selection criteria for passkey registration.
ClientData
Parsed client data from WebAuthn operations.
ExcludeCredential
A credential descriptor for exclusion during registration.
Passki
Main Passki struct for managing passkey registration and authentication.
PasskiError
Error type for Passki operations.
PubKeyCredParam
A public key credential parameter specifying an acceptable algorithm.
RegistrationChallenge
Challenge sent to the client to begin passkey registration.
RegistrationCredential
Credential data returned by the client after registration.
RegistrationState
Server-side state for a passkey registration in progress.
RelyingParty
Information about the relying party (RP).
StoredPasskey
A stored passkey credential.
UserInfo
Information about the user account.

Enums§

AttestationConveyancePreference
Attestation conveyance preference for passkey registration.
ClientDataType
The type of WebAuthn operation.
ResidentKeyRequirement
Resident key requirement for passkey registration.
UserVerificationRequirement
User verification requirement for passkey operations.

Type Aliases§

Result
Convenience type alias for Results that may return any error.