pub struct WebauthnCore { /* private fields */ }

This is the core of the Webauthn operations. It provides 4 interfaces that you will likely use the most:

  • generate_challenge_register
  • register_credential
  • generate_challenge_authenticate
  • authenticate_credential

Each of these is described in turn, and each maps to a route in your application. The generate functions return JSON challenges intended to be processed by the client browser; the register and authenticate functions receive JSON that is processed and verified.

These functions return state that you must store and handle correctly for the authentication or registration to proceed correctly.

As a result, it’s very important you read the function descriptions to understand the process as much as possible.

Implementations

impl WebauthnCore

pub fn new_unsafe_experts_only( rp_name: &str, rp_id: &str, allowed_origins: Vec<Url>, authenticator_timeout: Option<u32>, allow_subdomains_origin: Option<bool>, allow_any_port: Option<bool> ) -> Self

⚠️ ⚠️ ⚠️ THIS IS UNSAFE. AVOID USING THIS DIRECTLY ⚠️ ⚠️ ⚠️

If possible, use the webauthn-rs crate and its safe wrapper instead!

Webauthn as a standard has many traps that in the worst cases, may lead to bypasses and full account compromises. Many of the features of webauthn are NOT security policy, but user interface hints. Many options can NOT be enforced. webauthn-rs handles these correctly. USE webauthn-rs INSTEAD.

If you still choose to continue, and use this directly, be aware that:

  • This function signature MAY change WITHOUT NOTICE and WITHIN MINOR VERSIONS
  • That you are responsible for UPHOLDING many invariants within webauthn that are NOT DOCUMENTED
  • You MUST understand the webauthn specification in excruciating detail to understand the traps within it

Seriously. Use webauthn-rs instead.
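As an added illustration of the origin-related constructor options above (allowed_origins, allow_subdomains_origin, allow_any_port), the following std-only Rust models how those settings relax the origin check a relying party performs against the client data. This is example code, not webauthn-rs-core's implementation: the Origin type stands in for url::Url, the parser is deliberately minimal, and the matching rules (scheme always exact, host relaxed only by the subdomain flag, port relaxed only by the port flag) are this example's assumption about what the options mean.

```rust
// Added example: a self-contained model of origin matching under the constructor
// options named above. Not webauthn-rs-core's own code; `Origin` stands in for
// `url::Url` and the matching rules are this example's assumptions.

/// A parsed web origin: scheme, lower-cased host and an explicit non-default port.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Origin {
    pub scheme: String,
    pub host: String,
    pub port: Option<u16>,
}

/// Parse "scheme://host[:port]". Paths, userinfo and IPv6 literals are rejected,
/// and a port equal to the scheme's default (443 / 80) is normalised to `None`.
pub fn parse_origin(s: &str) -> Option<Origin> {
    let (scheme, rest) = s.split_once("://")?;
    if scheme.is_empty() || rest.is_empty() || rest.contains('/') || rest.contains('@') {
        return None;
    }
    let (host, port) = match rest.rsplit_once(':') {
        Some((h, p)) => (h, Some(p.parse::<u16>().ok()?)),
        None => (rest, None),
    };
    if host.is_empty() || host.contains(':') {
        return None;
    }
    let scheme = scheme.to_ascii_lowercase();
    let default_port = match scheme.as_str() {
        "https" => Some(443),
        "http" => Some(80),
        _ => None,
    };
    let port = if port == default_port { None } else { port };
    Some(Origin { scheme, host: host.to_ascii_lowercase(), port })
}

/// The origin policy the constructor options configure (assumed semantics).
pub struct OriginPolicy {
    pub allowed_origins: Vec<Origin>,
    pub allow_subdomains_origin: bool,
    pub allow_any_port: bool,
}

impl OriginPolicy {
    /// Does the origin reported in the client data match an allowed origin?
    /// Scheme must always match; host and port are relaxed only by the flags.
    pub fn origin_allowed(&self, client_origin: &str) -> bool {
        let o = match parse_origin(client_origin) {
            Some(o) => o,
            None => return false, // unparseable origin is never accepted
        };
        self.allowed_origins.iter().any(|a| {
            // Subdomain relaxation requires a dot boundary, so "notexample.com"
            // never matches an allowed "example.com".
            let host_ok = a.host == o.host
                || (self.allow_subdomains_origin && o.host.ends_with(&format!(".{}", a.host)));
            let port_ok = a.port == o.port || self.allow_any_port;
            a.scheme == o.scheme && host_ok && port_ok
        })
    }
}

/// Build a policy from string origins; unparseable entries are dropped.
pub fn policy(allowed: &[&str], allow_subdomains_origin: bool, allow_any_port: bool) -> OriginPolicy {
    OriginPolicy {
        allowed_origins: allowed.iter().filter_map(|s| parse_origin(s)).collect(),
        allow_subdomains_origin,
        allow_any_port,
    }
}

fn main() {
    let p = policy(&["https://example.com"], true, false);
    for o in ["https://login.example.com", "https://example.com.evil.net", "https://example.com:8443"] {
        println!("{o}: {}", p.origin_allowed(o));
    }
}
```

The strict (all flags off) configuration is the one to reach for unless a concrete deployment needs otherwise: every relaxation widens the set of pages whose JavaScript can complete a ceremony against your relying party.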

pub fn get_allowed_origins(&self) -> &[Url]

Get the currently configured origins.

pub fn generate_challenge_register( &self, user_unique_id: &[u8], user_name: &str, user_display_name: &str, user_verification_required: bool ) -> Result<(CreationChallengeResponse, RegistrationState), WebauthnError>

Generate a new challenge for client registration. Same as generate_challenge_register_options but with simple, default options.

pub fn generate_challenge_register_options( &self, user_unique_id: &[u8], user_name: &str, user_display_name: &str, attestation: AttestationConveyancePreference, policy: Option<UserVerificationPolicy>, exclude_credentials: Option<Vec<CredentialID>>, extensions: Option<RequestRegistrationExtensions>, credential_algorithms: Vec<COSEAlgorithm>, require_resident_key: bool, authenticator_attachment: Option<AuthenticatorAttachment>, experimental_reject_passkeys: bool ) -> Result<(CreationChallengeResponse, RegistrationState), WebauthnError>

Generate a new challenge for client registration. This is the first step in the lifecycle of a credential. This function returns the CreationChallengeResponse, which is suitable for serde JSON serialisation to be sent to the client. The client (generally a web browser) passes this JSON structure to the navigator.credentials.create() JavaScript function for registration.

It also returns a RegistrationState that you must persist. It is strongly advised that you associate this RegistrationState with the UserId of the requester.

pub fn register_credential( &self, reg: &RegisterPublicKeyCredential, state: &RegistrationState, attestation_cas: Option<&AttestationCaList> ) -> Result<Credential, WebauthnError>

Process a credential registration response. This is the output of navigator.credentials.create(), which is sent to the web server from the client.

Given the username you also must provide the associated RegistrationState for this operation to proceed.

On success this returns a new Credential that you must persist and associate with the user.

You need to provide a closure that is able to check if any credential of the same id has already been persisted by your server.


pub fn generate_challenge_authenticate( &self, creds: Vec<Credential>, extensions: Option<RequestAuthenticationExtensions> ) -> Result<(RequestChallengeResponse, AuthenticationState), WebauthnError>

Authenticate a set of credentials, deriving the correct user verification policy for them in a secure manner.

pub fn generate_challenge_authenticate_credential( &self, cred: Credential, policy: Option<UserVerificationPolicy>, extensions: Option<RequestAuthenticationExtensions> ) -> Result<(RequestChallengeResponse, AuthenticationState), WebauthnError>

Authenticate a single credential, with the ability to override the userVerification policy requested, or the extensions in use. If userVerification is None, the policy from registration is used.

NOTE: Overriding the UserVerificationPolicy may have SECURITY consequences. You should understand how this interacts with the single credential in use, and how that may impact your system security.

If in doubt, do NOT use this function!

pub fn generate_challenge_authenticate_policy( &self, creds: Vec<Credential>, policy: UserVerificationPolicy, extensions: Option<RequestAuthenticationExtensions>, allow_backup_eligible_upgrade: bool ) -> Result<(RequestChallengeResponse, AuthenticationState), WebauthnError>

Authenticate a set of credentials, allowing the user verification policy to be set.

NOTE: Overriding the UserVerificationPolicy may have SECURITY consequences. You should understand how this interacts with the single credential in use, and how that may impact your system security.

If in doubt, do NOT use this function!


pub fn generate_challenge_authenticate_discoverable( &self, policy: UserVerificationPolicy, extensions: Option<RequestAuthenticationExtensions> ) -> Result<(RequestChallengeResponse, AuthenticationState), WebauthnError>

Begin a discoverable authentication session.

pub fn authenticate_credential( &self, rsp: &PublicKeyCredential, state: &AuthenticationState ) -> Result<AuthenticationResult, WebauthnError>

Process an authentication response from the authenticator and browser. This is the output of navigator.credentials.get(), which is processed by this function. If the authentication fails, appropriate errors are returned.

This requires the associated AuthenticationState that was created by generate_challenge_authenticate.

On successful authentication, an Ok result is returned. The Ok may contain the CredentialID and associated counter, which you should update for security purposes. If the Ok returns None then the credential does not have a counter.
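The state-handling requirements stated for these functions (persist the state returned by the generate step against the requesting user, hand it back exactly once to the verify step, and update the stored counter from a successful AuthenticationResult) are easy to get subtly wrong. The following std-only Rust is an added example of the server-side bookkeeping, not code from webauthn-rs-core: AuthState and StoredCredential are simplified stand-ins for the crate's opaque AuthenticationState and Credential types, the Store is an in-memory placeholder for your database, and the counter rule follows the WebAuthn Level 2 signature-counter check (the count must strictly increase unless both sides report zero).

```rust
// Added example, not webauthn-rs-core's own code: server-side bookkeeping around
// generate_challenge_authenticate / authenticate_credential. AuthState and
// StoredCredential are simplified stand-ins for the crate's opaque types.
use std::collections::HashMap;

/// Stand-in for the opaque AuthenticationState (assumed to carry the challenge).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuthState {
    pub challenge: Vec<u8>,
}

/// What the server keeps per credential; `counter` is the last signature count seen.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct StoredCredential {
    pub cred_id: Vec<u8>,
    pub counter: u32,
}

/// Outcome of applying the counter returned by a successful authentication.
#[derive(Debug, PartialEq, Eq)]
pub enum CounterCheck {
    /// Counter advanced and was persisted.
    Updated,
    /// The authenticator does not implement a counter; nothing to update.
    NoCounter,
    /// Counter did not advance: two devices may hold the same private key.
    PossibleClone,
}

/// In-memory placeholder for the relying party's database.
#[derive(Default)]
pub struct Store {
    pending: HashMap<Vec<u8>, AuthState>,        // keyed by user id
    creds: HashMap<Vec<u8>, StoredCredential>,   // keyed by credential id
}

impl Store {
    pub fn new() -> Self {
        Self::default()
    }

    pub fn insert_credential(&mut self, cred: StoredCredential) {
        self.creds.insert(cred.cred_id.clone(), cred);
    }

    pub fn counter_of(&self, cred_id: &[u8]) -> Option<u32> {
        self.creds.get(cred_id).map(|c| c.counter)
    }

    /// Persist the state from generate_challenge_authenticate against the user
    /// who asked for it, replacing any older outstanding challenge.
    pub fn save_pending(&mut self, user_id: &[u8], state: AuthState) {
        self.pending.insert(user_id.to_vec(), state);
    }

    /// Hand the state to authenticate_credential exactly once: removing it here
    /// means a captured response cannot be replayed against the same challenge.
    pub fn take_pending(&mut self, user_id: &[u8]) -> Option<AuthState> {
        self.pending.remove(user_id)
    }

    /// Apply the (CredentialID, counter) pair from a successful AuthenticationResult.
    /// `None` means the credential has no counter, as the documentation above states.
    /// A count that fails to advance is reported rather than silently accepted so the
    /// caller can log it, alert, or disable the credential per its own policy.
    pub fn apply_counter(&mut self, cred_id: &[u8], counter: Option<u32>) -> Result<CounterCheck, &'static str> {
        let cred = self.creds.get_mut(cred_id).ok_or("unknown credential id")?;
        match counter {
            None => Ok(CounterCheck::NoCounter),
            Some(0) if cred.counter == 0 => Ok(CounterCheck::NoCounter),
            Some(n) if n > cred.counter => {
                cred.counter = n;
                Ok(CounterCheck::Updated)
            }
            Some(_) => Ok(CounterCheck::PossibleClone),
        }
    }
}

fn main() {
    let mut store = Store::new();
    store.insert_credential(StoredCredential { cred_id: vec![0xAA], counter: 5 });
    store.save_pending(b"alice", AuthState { challenge: vec![1, 2, 3] });
    let state = store.take_pending(b"alice");
    println!("state handed to verify step: {:?}", state);
    println!("second take (must be None): {:?}", store.take_pending(b"alice"));
    println!("counter 6 after 5: {:?}", store.apply_counter(&[0xAA], Some(6)));
    println!("counter 6 again: {:?}", store.apply_counter(&[0xAA], Some(6)));
}
```

The two properties worth carrying into a real database are the ones the comments call out: the pending state is consumed, not merely read, and the stored counter is only ever moved forward, never overwritten with a smaller value.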


pub fn rp_name(&self) -> &str

Returns the RP name

Trait Implementations

impl Clone for WebauthnCore

fn clone(&self) -> WebauthnCore

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for WebauthnCore

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<'a, T> AsTaggedExplicit<'a> for T where T: 'a,

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self>

impl<'a, T> AsTaggedImplicit<'a> for T where T: 'a,

fn implicit( self, class: Class, constructed: bool, tag: u32 ) -> TaggedParser<'a, Implicit, Self>

impl<T> Borrow<T> for T where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> ToOwned for T where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self> where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.