generated from Firehed/php-library-template
-
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Have the library handle challenge management (#35)
The examples so far have all used sessions to manage the active challenges, but not all applications are stateful in this way - namely, most APIs will not be session-based. Instead, this creates a new `ChallengeManagerInterface` that handles this for applications. For now there's a single implementation that's still session-based, though (via #30 which I'm reworking) other implementations will be provided (e.g. a cache pool). The majority of the change here is updating examples and adding tests. Note that this would be a BC break but since the library is still pre-1.0 it's not a concern for practical purposes.
- Loading branch information
Showing
21 changed files
with
371 additions
and
75 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
{ | ||
"symbol-whitelist": [ | ||
"PHP_SESSION_ACTIVE", | ||
"session_status" | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
<?php | ||
|
||
declare(strict_types=1); | ||
|
||
namespace Firehed\WebAuthn; | ||
|
||
interface ChallengeManagerInterface | ||
{ | ||
/** | ||
* Generates a new Challenge, stores it in the backing mechanism, and | ||
* returns it. | ||
* | ||
* @api | ||
*/ | ||
public function createChallenge(): ChallengeInterface; | ||
|
||
/** | ||
* Consumes the challenge associated with the ClientDataJSON value from the | ||
* underlying storage mechanism, and returns that challenge if found. | ||
* | ||
* Implementations MUST ensure that subsequent calls to this method with | ||
* the same value return `null`, regardless of whether the initial call | ||
* returned a value or null. Failure to do so will compromise the security | ||
* of the webauthn protocol. | ||
* | ||
* Implementations MUST NOT use the ClientDataJSON value to construct | ||
* a challenge. They MUST return a previously-stored value if one is found, | ||
* and MAY use $base64Url to search the storage mechanism. | ||
* | ||
* @internal | ||
*/ | ||
public function useFromClientDataJSON(string $base64Url): ?ChallengeInterface; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
<?php | ||
|
||
declare(strict_types=1); | ||
|
||
namespace Firehed\WebAuthn; | ||
|
||
use BadMethodCallException; | ||
|
||
use function array_key_exists; | ||
use function session_status; | ||
|
||
use const PHP_SESSION_ACTIVE; | ||
|
||
class SessionChallengeManager implements ChallengeManagerInterface | ||
{ | ||
private const SESSION_KEY = 'passkey_challenge'; | ||
|
||
public function __construct() | ||
{ | ||
// Do this later? | ||
if (session_status() !== PHP_SESSION_ACTIVE) { | ||
throw new BadMethodCallException('No active session. Call session_start() before using this.'); | ||
} | ||
} | ||
|
||
public function createChallenge(): ChallengeInterface | ||
{ | ||
$c = ExpiringChallenge::withLifetime(120); | ||
$_SESSION[self::SESSION_KEY] = $c; | ||
return $c; | ||
} | ||
|
||
public function useFromClientDataJSON(string $base64Url): ?ChallengeInterface | ||
{ | ||
if (!array_key_exists(self::SESSION_KEY, $_SESSION)) { | ||
return null; | ||
} | ||
$challenge = $_SESSION[self::SESSION_KEY]; | ||
unset($_SESSION[self::SESSION_KEY]); | ||
// Validate that the stored challenge matches the CDJ value? | ||
return $challenge; | ||
} | ||
} |
Oops, something went wrong.