Skip to content

Accessibility changes #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Accessibility changes #117

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
9362f93
Make challenge size readable by others
dscreve Nov 6, 2025
b6aca28
Make Challenge generator public
dscreve Nov 6, 2025
56fed32
Add public API
dscreve Nov 6, 2025
256f0e8
Add public attribute
dscreve Nov 6, 2025
a26e4ae
Adujst KeyedDecodingContainer public extension
dscreve Nov 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions Sources/WebAuthn/Helpers/ChallengeGenerator.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,12 @@
//
//===----------------------------------------------------------------------===//

package struct ChallengeGenerator: Sendable {
public struct ChallengeGenerator: Sendable {
public static let challengeSize: Int = 32
Copy link
Member

@0xTim 0xTim Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this isn't settable, does this need to be public?

Copy link
Contributor Author

@dscreve dscreve Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I need to know the expected size when receiving request...I wouldn't change the behavior, then make it public only as let. I you are okay with make it settable, I can make the change.

Copy link
Collaborator

@dimitribouniol dimitribouniol Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you provide a use case for why the challenge size needs to be known ahead of time? ChallengeGenerator is only really intended to be swappable in this target's tests, so from a user's point of view, the size of the challenge should be an implementation detail that can change freely.

Copy link
Contributor Author

@dscreve dscreve Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, you can change the size of challenge as you want, because this can be retrieved with this value.
The use case is related to a specific architecture where challenge cannot be stored because the authentication service does not run on system that has access to the user database. I need to perform some additional security checks and for that, I need to append variable sized data to the returned challenge. So, I need to know the expected size to extract the original challenge which has been generated by the WebAuthn API and pass it to the API.

Copy link
Collaborator

@dimitribouniol dimitribouniol Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to perform some additional security checks and for that, I need to append variable sized data to the returned challenge

I would suggest ignoring the returned challenge and just using your value then — using it in your scheme provides no additional benefits.

That said, I will once again quote the spec (emphasis in bold mine):

§13.4.3. Cryptographic Challenges
As a cryptographic protocol, Web Authentication is dependent upon randomized challenges to avoid replay attacks. Therefore, the values of both PublicKeyCredentialCreationOptions.challenge and PublicKeyCredentialRequestOptions.challenge MUST be randomly generated by Relying Parties in an environment they trust (e.g., on the server-side), and the returned challenge value in the client’s response MUST match what was generated. This SHOULD be done in a fashion that does not rely upon a client’s behavior, e.g., the Relying Party SHOULD store the challenge temporarily until the operation is complete. Tolerating a mismatch will compromise the security of the protocol.

Challenges SHOULD be valid for a duration similar to the upper limit of the recommended range and default for a WebAuthn ceremony timeout.

In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible. Challenges SHOULD therefore be at least 16 bytes long.

You really should be storing the challenge, whether in a separate DB, redis or valkey instance, in memory, or even with an extra helper service, and doing anything else without a complete understanding of how to validate that no two challenges can ever be re-used opens up your system to unnecessary security vulnerabilities.


var generate: @Sendable () -> [UInt8]

package static var live: Self {
.init(generate: { [UInt8].random(count: 32) })
.init(generate: { [UInt8].random(count: challengeSize) })
}
}
2 changes: 1 addition & 1 deletion Sources/WebAuthn/Helpers/Duration+Milliseconds.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
//
//===----------------------------------------------------------------------===//

extension Duration {
public extension Duration {
Copy link
Collaborator

@dimitribouniol dimitribouniol Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This library shouldn't be making public extensions on external types, as they'll likely conflict if officially added. If you need this, go ahead and copy this extension, but I would push to have this list in the standard library instead.

/// The value of a positive duration in milliseconds, suitable to be encoded in WebAuthn types.
var milliseconds: Int64 {
let (seconds, attoseconds) = self.components
Expand Down
4 changes: 2 additions & 2 deletions Sources/WebAuthn/Helpers/KeyedDecodingContainer+decodeURLEncoded.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
import Foundation

extension KeyedDecodingContainer {
func decodeBytesFromURLEncodedBase64(forKey key: KeyedDecodingContainer.Key) throws -> [UInt8] {
public func decodeBytesFromURLEncodedBase64(forKey key: KeyedDecodingContainer.Key) throws -> [UInt8] {
guard let bytes = try decode(
URLEncodedBase64.self,
forKey: key
Expand All @@ -28,7 +28,7 @@ extension KeyedDecodingContainer {
return bytes
}

func decodeBytesFromURLEncodedBase64IfPresent(forKey key: KeyedDecodingContainer.Key) throws -> [UInt8]? {
public func decodeBytesFromURLEncodedBase64IfPresent(forKey key: KeyedDecodingContainer.Key) throws -> [UInt8]? {
guard let bytes = try decodeIfPresent(
URLEncodedBase64.self,
forKey: key
Expand Down