feat: store id instead of encoded raw_id on external_id column

nicolastemciuc · nicolastemciuc · commit 3f0ebd79687f · 2025-08-11T13:22:54.000-03:00
With webauthn-json the create() method expects createOptions of type JSON. However, for using the browser's native API, the create() call must receive the options in type CredentialCreationOptions. To pass from JSON to CredentialCreationOptions the method parseRequestOptionsFromJSON is used. parseRequestOptionsFromJSON in turn, expects to receive this format: https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialcreationoptionsjson Therefore, the credential ids inside excludeCredentials need to be of type Base64URLString, which is not the case now. As of now, the raw_id is being strict encoded which still doesn't comply with being of type Base64URLString. Instead of strictly encoding the raw_id, the id attribute starts being stored. The id is a base64url encoded version of PublicKeyCredential.rawId.
diff --git a/app/controllers/credentials_controller.rb b/app/controllers/credentials_controller.rb
@@ -25,7 +25,7 @@ def callback
       webauthn_credential.verify(session[:current_registration]["challenge"], user_verification: true)
 
       credential = current_user.credentials.find_or_initialize_by(
-        external_id: Base64.strict_encode64(webauthn_credential.raw_id)
+        external_id: webauthn_credential.id
       )
 
       if credential.update(
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
@@ -37,7 +37,7 @@ def callback
       webauthn_credential.verify(session[:current_registration]["challenge"], user_verification: true)
 
       user.credentials.build(
-        external_id: Base64.strict_encode64(webauthn_credential.raw_id),
+        external_id: webauthn_credential.id,
         nickname: params[:credential_nickname],
         public_key: webauthn_credential.public_key,
         sign_count: webauthn_credential.sign_count
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -31,7 +31,7 @@ def callback
     user = User.find_by(username: session[:current_authentication]["username"])
     raise "user #{session[:current_authentication]["username"]} never initiated sign up" unless user
 
-    credential = user.credentials.find_by(external_id: Base64.strict_encode64(webauthn_credential.raw_id))
+    credential = user.credentials.find_by(external_id: webauthn_credential.id)
 
     begin
       webauthn_credential.verify(
diff --git a/test/controllers/registrations_controller_test.rb b/test/controllers/registrations_controller_test.rb
@@ -47,7 +47,7 @@ class RegistrationsControllerTest < ActionDispatch::IntegrationTest
       username: "bob",
       credentials: [
         Credential.new(
-          external_id: Base64.strict_encode64(webauthn_credential.raw_id),
+          external_id: webauthn_credential.id,
           nickname: "Bob's USB Key",
           public_key: webauthn_credential.public_key,
           sign_count: webauthn_credential.sign_count

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ def callback`
`25`	`25`	`webauthn_credential.verify(session[:current_registration]["challenge"], user_verification: true)`
`26`	`26`
`27`	`27`	`credential = current_user.credentials.find_or_initialize_by(`
`28`		`- external_id: Base64.strict_encode64(webauthn_credential.raw_id)`
	`28`	`+ external_id: webauthn_credential.id`
`29`	`29`	`)`
`30`	`30`
`31`	`31`	`if credential.update(`