add coments and refactor WebAuthnConfig

Author: marius-se

Sources/WebAuthn/WebAuthnConfig.swift

@@ -21,18 +21,16 @@ public struct WebAuthnConfig {
     /// For example, if the origin is https://login.example.com:1337, then _login.example.com_ or _example.com_ are
     /// valid ids, but not _m.login.example.com_ and not _com_.
     public let relyingPartyID: String
+    /// The domain, with HTTP protocol (e.g. "https://example.com")
     public let relyingPartyOrigin: String
-    public let timeout: TimeInterval
 
     public init(
         relyingPartyDisplayName: String,
         relyingPartyID: String,
-        relyingPartyOrigin: String,
-        timeout: TimeInterval
+        relyingPartyOrigin: String
     ) {
         self.relyingPartyDisplayName = relyingPartyDisplayName
         self.relyingPartyID = relyingPartyID
         self.relyingPartyOrigin = relyingPartyOrigin
-        self.timeout = timeout
     }
 }

Sources/WebAuthn/WebAuthnManager.swift

@@ -12,10 +12,7 @@
 //
 //===----------------------------------------------------------------------===//
 
-import Crypto
 import Foundation
-import Logging
-import SwiftCBOR
 
 public struct WebAuthnManager {
     private let config: WebAuthnConfig
@@ -28,8 +25,16 @@ public struct WebAuthnManager {
     }
 
     /// Generate a new set of registration data to be sent to the client and authenticator.
+    ///
+    /// - Parameters:
+    ///   - user: The user to register.
+    ///   - attestation: The level of attestation to be provided by the authenticator.
+    ///   - publicKeyCredentialParameters: A list of public key algorithms the Relying Party chooses to restrict
+    ///     support to. Defaults to all supported algorithms.
+    /// - Returns: Registration options ready for the browser.
     public func beginRegistration(
         user: WebAuthnUser,
+        timeout: TimeInterval = 60000,
         attestation: AttestationConveyancePreference = .none,
         publicKeyCredentialParameters: [PublicKeyCredentialParameters] = PublicKeyCredentialParameters.supported
     ) throws -> PublicKeyCredentialCreationOptions {
@@ -47,17 +52,25 @@ public struct WebAuthnManager {
             user: userEntity,
             rp: relyingParty,
             pubKeyCredParams: publicKeyCredentialParameters,
-            timeout: config.timeout,
+            timeout: timeout,
             attestation: attestation
         )
     }
 
     /// Take response from authenticator and client and verify credential against the user's credentials and
     /// session data.
+    ///
     /// - Parameters:
-    ///   - challenge: The user to verify against the authenticator response. Base64 encoded.
+    ///   - challenge: The challenge passed to the authenticator within the preceding registration options.
     ///   - credentialCreationData: The value returned from `navigator.credentials.create()`
     ///   - requireUserVerification: Whether or not to require that the authenticator verified the user.
+    ///   - supportedPublicKeyAlgorithms: A list of public key algorithms the Relying Party chooses to restrict
+    ///     support to. Defaults to all supported algorithms.
+    ///   - pemRootCertificatesByFormat: A list of root certificates used for attestation verification.
+    ///     If attestation verification is not required (default behavior) this parameter does nothing.
+    ///   - confirmCredentialIDNotRegisteredYet: For a successful registration ceremony we need to verify that the
+    ///     `credentialId`, generated by the authenticator, is not yet registered for any user. This is a good place to
+    ///     handle that.
     /// - Returns:  A new `Credential` with information about the authenticator and registration
     public func finishRegistration(
         challenge: EncodedBase64,
@@ -97,9 +110,20 @@ public struct WebAuthnManager {
         )
     }
 
+    /// Generate options for retrieving a credential via navigator.credentials.get()
+    ///
+    /// - Parameters:
+    ///   - challenge: Optionally generate a challenge on your own. Defaults to `nil` which will let the library
+    ///     generate it.
+    ///   - timeout: How long in milliseconds the browser should give the user to choose an authenticator. This value
+    ///     is a *hint* and may be ignored by the browser.
+    ///   - allowCredentials: A list of credentials registered to the user.
+    ///   - userVerification: The Relying Party's preference for the authenticator's enforcement of the
+    ///     "user verified" flag.
+    /// - Returns: Authentication options ready for the browser.
     public func beginAuthentication(
         challenge: EncodedBase64? = nil,
-        timeout: TimeInterval?,
+        timeout: TimeInterval? = 60000,
         allowCredentials: [PublicKeyCredentialDescriptor]? = nil,
         userVerification: UserVerificationRequirement = .preferred
     ) throws -> PublicKeyCredentialRequestOptions {
@@ -113,6 +137,16 @@ public struct WebAuthnManager {
         )
     }
 
+    /// Verify a response from navigator.credentials.get()
+    ///
+    /// - Parameters:
+    ///   - credential: The value returned from `navigator.credentials.get()`.
+    ///   - expectedChallenge: The challenge passed to the authenticator within the preceding authentication options.
+    ///   - credentialPublicKey: The public key for the credential's ID as provided in a preceding authenticator
+    ///     registration ceremony.
+    ///   - credentialCurrentSignCount: The current known number of times the authenticator was used.
+    ///   - requireUserVerification: Whether or not to require that the authenticator verified the user.
+    /// - Returns: Information about the authenticator
     public func finishAuthentication(
         credential: AuthenticationCredential,
         // clientExtensionResults: ,

Tests/WebAuthnTests/WebAuthnManagerTests+Authentication.swift

@@ -23,13 +23,13 @@ extension WebAuthnManagerTests {
     func testBeginAuthentication() async throws {
         let allowCredentials: [PublicKeyCredentialDescriptor] = [.init(type: "public-key", id: [1, 0, 2, 30])]
         let options = try webAuthnManager.beginAuthentication(
-            timeout: timeout,
+            timeout: 1234,
             allowCredentials: allowCredentials,
             userVerification: .preferred
         )
 
         XCTAssertEqual(options.challenge, challenge.base64EncodedString())
-        XCTAssertEqual(options.timeout, timeout)
+        XCTAssertEqual(options.timeout, 1234)
         XCTAssertEqual(options.rpId, relyingPartyID)
         XCTAssertEqual(options.allowCredentials, allowCredentials)
         XCTAssertEqual(options.userVerification, .preferred)

Tests/WebAuthnTests/WebAuthnManagerTests.swift

@@ -26,14 +26,12 @@ final class WebAuthnManagerTests: XCTestCase {
     let relyingPartyDisplayName = "Testy test"
     let relyingPartyID = "webauthn.io"
     let relyingPartyOrigin = "https://example.com"
-    let timeout: TimeInterval = 6000
 
     override func setUp() {
         let config = WebAuthnConfig(
             relyingPartyDisplayName: relyingPartyDisplayName,
             relyingPartyID: relyingPartyID,
-            relyingPartyOrigin: relyingPartyOrigin,
-            timeout: timeout
+            relyingPartyOrigin: relyingPartyOrigin
         )
         webAuthnManager = .init(config: config, challengeGenerator: .mock(generate: challenge))
     }
@@ -51,7 +49,6 @@ final class WebAuthnManagerTests: XCTestCase {
         XCTAssertEqual(options.challenge, challenge.base64EncodedString())
         XCTAssertEqual(options.rp.id, relyingPartyID)
         XCTAssertEqual(options.rp.name, relyingPartyDisplayName)
-        XCTAssertEqual(options.timeout, timeout)
         XCTAssertEqual(options.user.id, user.userID.toBase64().asString())
         XCTAssertEqual(options.user.displayName, user.displayName)
         XCTAssertEqual(options.user.name, user.name)