pub struct WebauthnCore { /* private fields */ }
The Core Webauthn handler.
It provides four interface methods for registering and then authenticating credentials:
- generate_challenge_register
- register_credential
- generate_challenge_authenticate
- authenticate_credential
Each of these is described in turn, and each will map to a route in your application. The generate functions return JSON challenges that are intended to be processed by the client browser; register_credential and authenticate_credential receive the JSON the browser sends back and verify it.
These functions return state that you must store and handle correctly for the authentication or registration to proceed. A challenge must only be answered once, by the session that requested it.
As a result, it is very important that you read the function descriptions to understand the process as fully as possible.
Implementations

impl WebauthnCore
pub fn new_unsafe_experts_only(
    rp_name: &str,
    rp_id: &str,
    allowed_origins: Vec<Url>,
    authenticator_timeout: Duration,
    allow_subdomains_origin: Option<bool>,
    allow_any_port: Option<bool>,
) -> Self
⚠️ ⚠️ ⚠️ THIS IS UNSAFE. AVOID USING THIS DIRECTLY ⚠️ ⚠️ ⚠️
If possible, use the webauthn-rs crate and its safe wrapper instead!
Webauthn as a standard has many traps that in the worst cases, may lead to
bypasses and full account compromises. Many of the features of webauthn are
NOT security policy, but user interface hints. Many options can NOT be
enforced. webauthn-rs handles these correctly. USE webauthn-rs INSTEAD.
If you still choose to continue, and use this directly, be aware that:
- This function signature MAY change WITHOUT NOTICE and WITHIN MINOR VERSIONS
- You MUST understand the webauthn specification in excruciating detail to understand the traps within it
- That you are responsible for UPHOLDING many invariants within webauthn that are NOT DOCUMENTED in the webauthn specification
Seriously. Use webauthn-rs instead.
pub fn get_allowed_origins(&self) -> &[Url]
Get the currently configured allowed origins.
pub fn new_challenge_register_builder(
    &self,
    user_unique_id: &[u8],
    user_name: &str,
    user_display_name: &str,
) -> Result<ChallengeRegisterBuilder, WebauthnError>
Generate a new challenge builder for client registration. This is the first step in the lifecycle of a credential. This function will return a register builder allowing you to customise the parameters that will be sent to the client.
pub fn generate_challenge_register(
    &self,
    challenge_builder: ChallengeRegisterBuilder,
) -> Result<(CreationChallengeResponse, RegistrationState), WebauthnError>
Generate a new challenge for client registration from the parameters defined by the
ChallengeRegisterBuilder.
This function will return the
CreationChallengeResponse which is suitable for serde json serialisation
to be sent to the client.
The client (generally a web browser) will pass this JSON structure to the navigator.credentials.create() JavaScript function to begin registration.
It also returns a RegistrationState that you must persist server-side. It is strongly advised that you associate this RegistrationState with the user ID and the session of the requester, so that only the session which started the registration can complete it.
pub fn register_credential(
    &self,
    reg: &RegisterPublicKeyCredential,
    state: &RegistrationState,
    attestation_cas: Option<&AttestationCaList>,
) -> Result<Credential, WebauthnError>
Process a credential registration response. This is the output of
navigator.credentials.create(), which the client sends to the web server.
Together with the response, you must provide the RegistrationState that was created for this user by generate_challenge_register; the state carries the challenge that the response is verified against.
On success this returns a new Credential that you must persist and associate with the user.
Before persisting it, you are responsible for checking that no credential with the same ID has already been stored by your server (for this or any other user). The signature above does not take a closure for this check, so it must be performed by your own storage layer.
pub fn new_challenge_authenticate_builder(
    &self,
    creds: Vec<Credential>,
    policy: Option<UserVerificationPolicy>,
) -> Result<ChallengeAuthenticateBuilder, WebauthnError>
Generate a new challenge builder for client authentication. This is the first step in authentication of a credential. This function will return an authentication builder allowing you to customise the parameters that will be sent to the client.
If creds is an empty Vec this implies a discoverable authentication attempt.
pub fn generate_challenge_authenticate(
    &self,
    challenge_builder: ChallengeAuthenticateBuilder,
) -> Result<(RequestChallengeResponse, AuthenticationState), WebauthnError>
Generate a new challenge for client authentication from the parameters defined by the ChallengeAuthenticateBuilder.
This function will return:
- a RequestChallengeResponse, which is sent to the client (and can be serialised as JSON). A web application would then pass the structure to the browser's navigator.credentials.get() API to trigger authentication.
- an AuthenticationState, which must be persisted on the server side. Your application must associate the state with a private session ID, to prevent use in other sessions.
pub fn authenticate_credential(
    &self,
    rsp: &PublicKeyCredential,
    state: &AuthenticationState,
) -> Result<AuthenticationResult, WebauthnError>
Process an authentication response from the authenticator and browser. This
is the output of navigator.credentials.get(), which is processed by this
function. If the authentication fails, an appropriate error is returned.
This requires the AuthenticationState that was created by generate_challenge_authenticate for this session.
On successful authentication, an Ok result containing an AuthenticationResult is returned. It identifies the credential that was used and carries its signature counter as reported by the authenticator; you must persist the updated counter against that credential, since the stored counter is what future authentications are compared against. An authenticator that does not implement a signature counter reports a counter value of zero.
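The docs above repeatedly place invariants on the caller rather than on the core: registration and authentication state must be persisted and bound to the session that started the ceremony, a challenge must be consumed only once, a credential ID must not already be registered, and the signature counter returned on a successful authentication must be stored and checked for regression. The following is an added, stand-alone example of that server-side bookkeeping, not code from webauthn-rs-core. The `OpaqueState` and `StoredCredential` types, the `CeremonyStore` and `CredentialStore` names, and the `StoreError` variants are hypothetical stand-ins chosen for illustration; in a real deployment the state values come from `generate_challenge_register` / `generate_challenge_authenticate` and the credential from `register_credential` / `authenticate_credential`. The counter rule follows the WebAuthn specification: a counter of zero on both sides means the authenticator has no counter, otherwise the new value must strictly exceed the stored one.

```rust
use std::collections::HashMap;

/// Hypothetical opaque stand-in for the crate's RegistrationState /
/// AuthenticationState. Only its identity matters to this example.
#[derive(Clone, Debug, PartialEq)]
pub struct OpaqueState(pub Vec<u8>);

/// Hypothetical stand-in for the persisted parts of a Credential.
#[derive(Clone, Debug, PartialEq)]
pub struct StoredCredential {
    pub cred_id: Vec<u8>,
    pub counter: u32,
}

#[derive(Debug, PartialEq)]
pub enum StoreError {
    /// No ceremony is pending for this session (never started, or already used).
    NoPendingCeremony,
    /// Some user already owns a credential with this ID.
    DuplicateCredentialId,
    /// Counter update for an ID that was never registered.
    UnknownCredential,
    /// Counter did not increase: possible cloned authenticator.
    CounterRegression { stored: u32, received: u32 },
}

/// Pending ceremony state keyed by the private session ID that started it.
/// `take` removes the entry, so each challenge can be answered at most once
/// and only by the session that requested it.
#[derive(Default)]
pub struct CeremonyStore {
    pending: HashMap<String, OpaqueState>,
}

impl CeremonyStore {
    pub fn begin(&mut self, session_id: &str, state: OpaqueState) {
        // Starting a new ceremony replaces any older pending one for the session.
        self.pending.insert(session_id.to_string(), state);
    }

    pub fn take(&mut self, session_id: &str) -> Result<OpaqueState, StoreError> {
        self.pending.remove(session_id).ok_or(StoreError::NoPendingCeremony)
    }
}

/// Credentials indexed by credential ID, so duplicate IDs are rejected
/// globally rather than per user.
#[derive(Default)]
pub struct CredentialStore {
    by_id: HashMap<Vec<u8>, (Vec<u8>, StoredCredential)>,
}

impl CredentialStore {
    /// Persist a newly registered credential, refusing an ID any user already owns.
    pub fn insert(&mut self, user_id: &[u8], cred: StoredCredential) -> Result<(), StoreError> {
        if self.by_id.contains_key(&cred.cred_id) {
            return Err(StoreError::DuplicateCredentialId);
        }
        self.by_id.insert(cred.cred_id.clone(), (user_id.to_vec(), cred));
        Ok(())
    }

    /// Credentials to pass to new_challenge_authenticate_builder for a user.
    pub fn for_user(&self, user_id: &[u8]) -> Vec<StoredCredential> {
        self.by_id
            .values()
            .filter(|(owner, _)| owner.as_slice() == user_id)
            .map(|(_, c)| c.clone())
            .collect()
    }

    /// Apply the counter reported by a successful authentication.
    pub fn update_counter(&mut self, cred_id: &[u8], received: u32) -> Result<(), StoreError> {
        let (_, cred) = self.by_id.get_mut(cred_id).ok_or(StoreError::UnknownCredential)?;
        // Both zero: the authenticator does not implement a counter; nothing to check.
        if received == 0 && cred.counter == 0 {
            return Ok(());
        }
        // Otherwise the counter must strictly increase.
        if received <= cred.counter {
            return Err(StoreError::CounterRegression { stored: cred.counter, received });
        }
        cred.counter = received;
        Ok(())
    }
}

fn main() {
    let mut ceremonies = CeremonyStore::default();
    let mut creds = CredentialStore::default();
    ceremonies.begin("session-1", OpaqueState(b"reg-state".to_vec()));
    let _state = ceremonies.take("session-1").expect("pending registration");
    creds.insert(b"alice", StoredCredential { cred_id: vec![0xAA], counter: 0 }).unwrap();
    println!("{:?}", creds.update_counter(&[0xAA], 5));
    println!("{:?}", creds.update_counter(&[0xAA], 5));
}
```

In a handler, `ceremonies.take(session_id)` runs before `register_credential` or `authenticate_credential`, so a response that arrives without a pending ceremony, from a different session, or a second time is rejected before any cryptographic verification is attempted.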
Trait Implementations

impl Clone for WebauthnCore