swift-server · dscreve · Jan 28, 2025 · Jan 29, 2025
diff --git a/Sources/WebAuthn/Helpers/ChallengeGenerator.swift b/Sources/WebAuthn/Helpers/ChallengeGenerator.swift
@@ -11,10 +11,20 @@
 //
 //===----------------------------------------------------------------------===//
 
-package struct ChallengeGenerator: Sendable {
+import Foundation
+
+public struct ChallengeGenerator: Sendable {
     var generate: @Sendable () -> [UInt8]
 
-    package static var live: Self {
-        .init(generate: { [UInt8].random(count: 32) })
+    public static var live: Self {
+        .init(generate: {
+            // try to use secured random generator
+            var bytes = [UInt8](repeating: 0, count: 32)
+            let result = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
+            guard result == errSecSuccess else {
+                return [UInt8].random(count: 32)
+            }
+            return bytes
+        })
     }
 }
diff --git a/Sources/WebAuthn/WebAuthnManager.swift b/Sources/WebAuthn/WebAuthnManager.swift
@@ -59,9 +59,10 @@ public struct WebAuthnManager: Sendable {
         user: PublicKeyCredentialUserEntity,
         timeout: Duration? = .seconds(5*60),
         attestation: AttestationConveyancePreference = .none,
-        publicKeyCredentialParameters: [PublicKeyCredentialParameters] = .supported
+        publicKeyCredentialParameters: [PublicKeyCredentialParameters] = .supported,
+        challenge : [UInt8]? = nil
     ) -> PublicKeyCredentialCreationOptions {
-        let challenge = challengeGenerator.generate()
+        let challenge =  challenge ?? challengeGenerator.generate()
 
         return PublicKeyCredentialCreationOptions(
             challenge: challenge,
@@ -138,9 +139,10 @@ public struct WebAuthnManager: Sendable {
     public func beginAuthentication(
         timeout: Duration? = .seconds(60),
         allowCredentials: [PublicKeyCredentialDescriptor]? = nil,
-        userVerification: UserVerificationRequirement = .preferred
+        userVerification: UserVerificationRequirement = .preferred,
+        challenge : [UInt8]? = nil
     ) throws -> PublicKeyCredentialRequestOptions {
-        let challenge = challengeGenerator.generate()
+        let challenge =  challenge ?? challengeGenerator.generate()
 
         return PublicKeyCredentialRequestOptions(
             challenge: challenge,