feat: webauthn support schema changes, update openapi.yaml (#2163)

Bewinxed · issuedat · commit be2430d99c42 · 2025-09-30T19:12:45.000+02:00
## What kind of change does this PR introduce?

Feature improvement / API cleanup

## What is the current behavior?

- The API returns credential_creation_options and
credential_request_options as separate fields at the root level,
requiring clients to check which is null
- OpenAPI spec doesn't match actual server output (missing publicKey
wrapper that go-webauthn library adds)
- Field naming inconsistent with W3C spec (web_authn vs standard
webauthn)

## What is the new behavior?

1. Challenge response structure changed to discriminated union:
- Before: Check null fields {credential_creation_options?: ...,
credential_request_options?: ...}
- After: Single typed field {type: "create" | "request",
credential_options: {publicKey: ...}}
2. Verify request structure unified:
- Before: {creation_response?: ..., assertion_response?: ...}
- After: {type: "create" | "request", credential_response: ...}
3. RPOrigins changed from comma-separated string to string array
(matches go-webauthn v3 expectations)

## Additional context

This makes the PR for the auth-js library easier.
diff --git a/internal/api/mfa.go b/internal/api/mfa.go
@@ -54,56 +54,51 @@ type EnrollFactorResponse struct {
 
 type ChallengeFactorParams struct {
 	Channel  string          `json:"channel"`
-	WebAuthn *WebAuthnParams `json:"web_authn,omitempty"`
+	WebAuthn *WebAuthnParams `json:"webauthn,omitempty"`
 }
 
 type VerifyFactorParams struct {
 	ChallengeID uuid.UUID       `json:"challenge_id"`
 	Code        string          `json:"code"`
-	WebAuthn    *WebAuthnParams `json:"web_authn,omitempty"`
+	WebAuthn    *WebAuthnParams `json:"webauthn,omitempty"`
 }
 
 type ChallengeFactorResponse struct {
-	ID                        uuid.UUID                        `json:"id"`
-	Type                      string                           `json:"type"`
-	ExpiresAt                 int64                            `json:"expires_at,omitempty"`
-	CredentialRequestOptions  *wbnprotocol.CredentialAssertion `json:"credential_request_options,omitempty"`
-	CredentialCreationOptions *wbnprotocol.CredentialCreation  `json:"credential_creation_options,omitempty"`
+	ID        uuid.UUID              `json:"id"`
+	Type      string                 `json:"type"`
+	ExpiresAt int64                  `json:"expires_at,omitempty"`
+	WebAuthn  *WebAuthnChallengeData `json:"webauthn,omitempty"`
 }
 
-type UnenrollFactorResponse struct {
-	ID uuid.UUID `json:"id"`
+type WebAuthnChallengeData struct {
+	Type              string      `json:"type"` // "create" or "request"
+	CredentialOptions interface{} `json:"credential_options"`
 }
 
 type WebAuthnParams struct {
-	RPID string `json:"rp_id,omitempty"`
-	// Can encode multiple origins as comma separated values like: "origin1,origin2"
-	RPOrigins         string          `json:"rp_origins,omitempty"`
-	AssertionResponse json.RawMessage `json:"assertion_response,omitempty"`
-	CreationResponse  json.RawMessage `json:"creation_response,omitempty"`
+	RPID               string          `json:"rpId,omitempty"`
+	RPOrigins          []string        `json:"rpOrigins,omitempty"`
+	Type               string          `json:"type"` // "create" or "request"
+	CredentialResponse json.RawMessage `json:"credential_response"`
 }
 
-func (w *WebAuthnParams) GetRPOrigins() []string {
-	if w.RPOrigins == "" {
-		return nil
-	}
-	return strings.Split(w.RPOrigins, ",")
+type UnenrollFactorResponse struct {
+	ID uuid.UUID `json:"id"`
 }
 
 func (w *WebAuthnParams) ToConfig() (*webauthn.WebAuthn, error) {
 	if w.RPID == "" {
 		return nil, fmt.Errorf("webAuthn RP ID cannot be empty")
 	}
 
-	origins := w.GetRPOrigins()
-	if len(origins) == 0 {
+	if len(w.RPOrigins) == 0 {
 		return nil, fmt.Errorf("webAuthn RP Origins cannot be empty")
 	}
 
 	var validOrigins []string
 	var invalidOrigins []string
 
-	for _, origin := range origins {
+	for _, origin := range w.RPOrigins {
 		parsedURL, err := url.Parse(origin)
 		if err != nil || (parsedURL.Scheme != "https" && !(parsedURL.Scheme == "http" && parsedURL.Hostname() == "localhost")) || parsedURL.Host == "" {
 			invalidOrigins = append(invalidOrigins, origin)
@@ -514,7 +509,18 @@ func (a *API) challengeWebAuthnFactor(w http.ResponseWriter, r *http.Request) er
 	var ws *models.WebAuthnSessionData
 	var challenge *models.Challenge
 	if factor.IsUnverified() {
-		options, session, err := webAuthn.BeginRegistration(user)
+		// Get existing WebAuthn credentials to exclude duplicates
+		excludeList := []wbnprotocol.CredentialDescriptor{}
+		existingCredentials := user.WebAuthnCredentials()
+		for _, cred := range existingCredentials {
+			excludeList = append(excludeList, wbnprotocol.CredentialDescriptor{
+				Type:         wbnprotocol.PublicKeyCredentialType,
+				CredentialID: cred.ID,
+				Transport:    []wbnprotocol.AuthenticatorTransport{"usb", "nfc"},
+			})
+		}
+
+		options, session, err := webAuthn.BeginRegistration(user, webauthn.WithExclusions(excludeList))
 		if err != nil {
 			return apierrors.NewInternalServerError("Failed to generate WebAuthn registration data").WithInternalError(err)
 		}
@@ -524,9 +530,12 @@ func (a *API) challengeWebAuthnFactor(w http.ResponseWriter, r *http.Request) er
 		challenge = ws.ToChallenge(factor.ID, ipAddress)
 
 		response = &ChallengeFactorResponse{
-			CredentialCreationOptions: options,
-			Type:                      factor.FactorType,
-			ID:                        challenge.ID,
+			Type: factor.FactorType,
+			ID:   challenge.ID,
+			WebAuthn: &WebAuthnChallengeData{
+				Type:              "create",
+				CredentialOptions: options,
+			},
 		}
 
 	} else if factor.IsVerified() {
@@ -539,9 +548,12 @@ func (a *API) challengeWebAuthnFactor(w http.ResponseWriter, r *http.Request) er
 		}
 		challenge = ws.ToChallenge(factor.ID, ipAddress)
 		response = &ChallengeFactorResponse{
-			CredentialRequestOptions: options,
-			Type:                     factor.FactorType,
-			ID:                       challenge.ID,
+			Type: factor.FactorType,
+			ID:   challenge.ID,
+			WebAuthn: &WebAuthnChallengeData{
+				Type:              "request",
+				CredentialOptions: options,
+			},
 		}
 
 	}
@@ -878,10 +890,10 @@ func (a *API) verifyWebAuthnFactor(w http.ResponseWriter, r *http.Request, param
 	switch {
 	case params.WebAuthn == nil:
 		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "WebAuthn config required")
-	case factor.IsVerified() && params.WebAuthn.AssertionResponse == nil:
-		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "creation_response required to login")
-	case factor.IsUnverified() && params.WebAuthn.CreationResponse == nil:
-		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "assertion_response required to login")
+	case params.WebAuthn.Type != "create" && params.WebAuthn.Type != "request":
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "WebAuthn type must be create or request")
+	case params.WebAuthn.CredentialResponse == nil:
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "credential_response required")
 	default:
 		webAuthn, err = params.WebAuthn.ToConfig()
 		if err != nil {
@@ -899,20 +911,21 @@ func (a *API) verifyWebAuthnFactor(w http.ResponseWriter, r *http.Request, param
 		return apierrors.NewInternalServerError("Database error deleting challenge").WithInternalError(err)
 	}
 
-	if factor.IsUnverified() {
-		parsedResponse, err := wbnprotocol.ParseCredentialCreationResponseBody(bytes.NewReader(params.WebAuthn.CreationResponse))
+	switch params.WebAuthn.Type {
+	case "create":
+		parsedResponse, err := wbnprotocol.ParseCredentialCreationResponseBody(bytes.NewReader(params.WebAuthn.CredentialResponse))
 		if err != nil {
-			return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Invalid credential_creation_response")
+			return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Invalid credential_response")
 		}
 		credential, err = webAuthn.CreateCredential(user, webAuthnSession, parsedResponse)
 		if err != nil {
 			return err
 		}
 
-	} else if factor.IsVerified() {
-		parsedResponse, err := wbnprotocol.ParseCredentialRequestResponseBody(bytes.NewReader(params.WebAuthn.AssertionResponse))
+	case "request":
+		parsedResponse, err := wbnprotocol.ParseCredentialRequestResponseBody(bytes.NewReader(params.WebAuthn.CredentialResponse))
 		if err != nil {
-			return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Invalid credential_request_response")
+			return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Invalid credential_response")
 		}
 		credential, err = webAuthn.ValidateLogin(user, webAuthnSession, parsedResponse)
 		if err != nil {
diff --git a/internal/api/mfa_test.go b/internal/api/mfa_test.go
@@ -718,7 +718,7 @@ func (ts *MFATestSuite) TestChallengeWebAuthnFactor() {
 	factor := models.NewWebAuthnFactor(ts.TestUser, "WebAuthnfactor")
 	validWebAuthnConfiguration := &WebAuthnParams{
 		RPID:      "localhost",
-		RPOrigins: "http://localhost:3000",
+		RPOrigins: []string{"http://localhost:3000"},
 	}
 	require.NoError(ts.T(), ts.API.db.Create(factor), "Error saving new test factor")
 	token := ts.generateAAL1Token(ts.TestUser, &ts.TestSession.ID)
diff --git a/openapi.yaml b/openapi.yaml

Original file line number	Diff line number	Diff line change
`@@ -718,7 +718,7 @@ func (ts *MFATestSuite) TestChallengeWebAuthnFactor() {`
`718`	`718`	`factor := models.NewWebAuthnFactor(ts.TestUser, "WebAuthnfactor")`
`719`	`719`	`validWebAuthnConfiguration := &WebAuthnParams{`
`720`	`720`	`RPID: "localhost",`
`721`		`- RPOrigins: "http://localhost:3000",`
	`721`	`+ RPOrigins: []string{"http://localhost:3000"},`
`722`	`722`	`}`
`723`	`723`	`require.NoError(ts.T(), ts.API.db.Create(factor), "Error saving new test factor")`
`724`	`724`	`token := ts.generateAAL1Token(ts.TestUser, &ts.TestSession.ID)`