Allow multiple credentials during assertion #39
Hey @woodruffw, Thanks so much for the PR! This looks really good. Do you mind making the change you suggested to prevent the breaking change to the API, though? Happy to merge once that's complete!
Sure, I'll do that first thing tomorrow. Thanks!
Alright, I've made it so that the @mdedonno1337 brought up a good point in #36 about conflicting (unused) state in
Based upon the name of the class, I assumed that a user (in the application) will have a WebAuthnUser object (with multiple credentials if needed).
This looks good to me, @woodruffw! Thanks again for the PR! @mdedonno1337, thanks so much for your PR and other contributions! The intention of the Thanks again everyone!
Hey @futureimperfect, mind cutting a new release for these changes? I'd love to use this in pypi/warehouse#5795 😄
Updates WebAuthnAssertionOptions to take a list of WebAuthnUsers, each of which becomes the basis for a PublicKeyCredentialDescriptor.

Some additional constraints are introduced:

- webauthn_users list
- webauthn_users must be a WebAuthnUser
- WebAuthnUser must have a valid credential ID
- WebAuthnUsers must have the same rp_id

This last constraint isn't explicitly in the specification, but follows from our inclusion of the optional PublicKeyCredentialRequestOptions.rpId field. Our other options are to drop that field entirely (in which case the origin's effective domain will be used), or to drop the check and allow the actual verification to fail later on.

Edit: This introduces a breaking change to the API. If that's undesirable, I could refactor it to test for a single item first and listify it before continuing on to the rest of the changes. Let me know if that's what you'd like!
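A sketch of the checks described above, including the single-item listify from the Edit; this is an added example, not code from the PR or the library. `User`, `build_request_options`, the base64url credential-ID check and the rejection of an empty list are assumptions made for this sketch.

```python
import re
from dataclasses import dataclass


@dataclass
class User:
    """Hypothetical stand-in for the library's WebAuthnUser (two fields only)."""
    credential_id: str  # assumed to be a base64url-encoded credential ID
    rp_id: str


def _valid_credential_id(cred_id):
    # Assumption: "valid" means a non-empty base64url string.
    return isinstance(cred_id, str) and re.fullmatch(r"[A-Za-z0-9_-]+", cred_id) is not None


def build_request_options(users, challenge):
    # Backwards compatibility: accept a single user and listify it.
    if isinstance(users, User):
        users = [users]
    # Rejecting an empty list is this sketch's choice: rpId is derived from the users.
    if not isinstance(users, (list, tuple)) or not users:
        raise ValueError("expected a non-empty list of users")
    for user in users:
        if not isinstance(user, User):
            raise TypeError("every entry must be a User")
        if not _valid_credential_id(user.credential_id):
            raise ValueError("user has no valid credential ID")
    rp_ids = {user.rp_id for user in users}
    if len(rp_ids) != 1:
        # One request carries one rpId; mixed RP IDs would only fail later, at verification.
        raise ValueError("all users must share one rp_id")
    return {
        "challenge": challenge,
        "rpId": rp_ids.pop(),
        # One PublicKeyCredentialDescriptor per user.
        "allowCredentials": [
            {"type": "public-key", "id": user.credential_id} for user in users
        ],
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    key_a = User("Y3JlZC1h", "example.com")
    key_b = User("Y3JlZC1i", "example.com")
    print(build_request_options([key_a, key_b], "Y2hhbGxlbmdl"))
```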