feat: add a confirm key route (#503)

Author: asbiin

README.md

@@ -102,10 +102,7 @@ class AppServiceProvider extends ServiceProvider
      */
     public function boot(): void
     {
-        Event::listen(
-            \Illuminate\Auth\Events\Login::class,
-            \LaravelWebauthn\Listeners\LoginViaRemember::class
-        );
+        Event::subscribe(LoginViaRemember::class);
     }
 }
 ```
@@ -278,6 +275,7 @@ These routes are defined:
 | POST `/webauthn/keys`         | `webauthn.store`         | Post data after a WebAuthn register check.                            |
 | DELETE `/webauthn/keys/{id}`  | `webauthn.destroy`       | Delete an existing key.                                               |
 | PUT `/webauthn/keys/{id}`     | `webauthn.update`        | Update key properties (name, ...).                                    |
+| POST `/webauthn/confirm-key`  | `webauthn.key.confirm`   | Post data to test a WebAuthn authentication without login.            |
 
 
 You can customize the first part of the url by setting `prefix` value in the config file.
@@ -445,6 +443,7 @@ However, your browser will refuse to negotiate a relay to your security device w
 - connected HTTPS on port 443 (ports other than 443 will be rejected)
 
 ### Homestead
+
 If you are a Laravel Homestead user, the default is to forward ports. You can switch from NAT/port forwarding to a private network with similar `Homestead.yaml` options:
 
 ```yaml

config/webauthn.php

@@ -103,6 +103,7 @@
     | When using navigation, redirects to these url on success:
     | - login: after a successful login.
     | - register: after a successful Webauthn key creation.
+    | - key-confirmation: after a successful Webauthn key confirmation.
     |
     | Redirects are not used in case of application/json requests.
     |
@@ -111,6 +112,7 @@
     'redirects' => [
         'login' => null,
         'register' => null,
+        'key-confirmation' => null,
     ],
 
     /*

routes/routes.php

@@ -2,6 +2,7 @@
 
 use Illuminate\Support\Facades\Route;
 use LaravelWebauthn\Http\Controllers\AuthenticateController;
+use LaravelWebauthn\Http\Controllers\ConfirmableKeyController;
 use LaravelWebauthn\Http\Controllers\WebauthnKeyController;
 
 $limiterMiddleware = ($limiter = config('webauthn.limiters.login')) !== null
@@ -38,4 +39,6 @@
     Route::post('keys', [WebauthnKeyController::class, 'store'])->name('webauthn.store');
     Route::delete('keys/{id}', [WebauthnKeyController::class, 'destroy'])->name('webauthn.destroy');
     Route::put('keys/{id}', [WebauthnKeyController::class, 'update'])->name('webauthn.update');
+
+    Route::post('confirm-key', [ConfirmableKeyController::class, 'store'])->name('webauthn.key.confirm');
 });

src/Actions/ConfirmKey.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace LaravelWebauthn\Actions;
+
+use Illuminate\Contracts\Auth\StatefulGuard;
+use Illuminate\Http\Request;
+use LaravelWebauthn\Services\Webauthn;
+
+class ConfirmKey
+{
+    /**
+     * Confirm that the given challenge is valid for the given user.
+     */
+    public function __invoke(StatefulGuard $guard, Request $request): bool
+    {
+        return is_null(Webauthn::$confirmKeyUsingCallback)
+            ? $guard->attempt($this->getParams($request))
+            : $this->confirmKeyUsingCustomCallback($request);
+    }
+
+    /**
+     * Confirm the give challenge using a custom callback.
+     */
+    protected function confirmKeyUsingCustomCallback(Request $request): bool
+    {
+        return call_user_func(
+            Webauthn::$confirmKeyUsingCallback,
+            $this->getParams($request)
+        );
+    }
+
+    /**
+     * Get the parameters from the request.
+     */
+    private function getParams(Request $request): array
+    {
+        return $request->only(['id', 'rawId', 'response', 'type']);
+    }
+}

src/Contracts/FailedKeyConfirmedResponse.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace LaravelWebauthn\Contracts;
+
+use Illuminate\Contracts\Support\Responsable;
+
+interface FailedKeyConfirmedResponse extends Responsable
+{
+    //
+}

src/Contracts/KeyConfirmedResponse.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace LaravelWebauthn\Contracts;
+
+use Illuminate\Contracts\Support\Responsable;
+
+interface KeyConfirmedResponse extends Responsable
+{
+    //
+}

src/Facades/Webauthn.php

@@ -17,7 +17,7 @@
  * @method static bool enabled(\Illuminate\Contracts\Auth\Authenticatable $user)
  * @method static bool canRegister(\Illuminate\Contracts\Auth\Authenticatable $user)
  * @method static bool hasKey(\Illuminate\Contracts\Auth\Authenticatable $user)
- * @method static string redirects(string $redirect, $default = null)
+ * @method static ?string redirects(string $redirect, $default = null)
  * @method static string model()
  * @method static bool userless()
  *

src/Http/Controllers/ConfirmableKeyController.php

@@ -0,0 +1,48 @@
+<?php
+
+namespace LaravelWebauthn\Http\Controllers;
+
+use Illuminate\Contracts\Auth\StatefulGuard;
+use Illuminate\Contracts\Support\Responsable;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+use Illuminate\Support\Facades\Date;
+use LaravelWebauthn\Actions\ConfirmKey;
+use LaravelWebauthn\Contracts\FailedKeyConfirmedResponse;
+use LaravelWebauthn\Contracts\KeyConfirmedResponse;
+
+class ConfirmableKeyController extends Controller
+{
+    /**
+     * The guard implementation.
+     *
+     * @var \Illuminate\Contracts\Auth\StatefulGuard
+     */
+    protected $guard;
+
+    /**
+     * Create a new controller instance.
+     */
+    public function __construct(StatefulGuard $guard)
+    {
+        $this->guard = $guard;
+    }
+
+    /**
+     * Confirm the user's key.
+     */
+    public function store(Request $request): Responsable
+    {
+        $confirmed = app(ConfirmKey::class)(
+            $this->guard, $request
+        );
+
+        if ($confirmed) {
+            $request->session()->put('auth.password_confirmed_at', Date::now()->unix());
+        }
+
+        return $confirmed
+            ? app(KeyConfirmedResponse::class)
+            : app(FailedKeyConfirmedResponse::class);
+    }
+}

src/Http/Responses/FailedKeyConfirmedResponse.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace LaravelWebauthn\Http\Responses;
+
+use Illuminate\Validation\ValidationException;
+use LaravelWebauthn\Contracts\FailedKeyConfirmedResponse as FailedKeyConfirmedResponseContract;
+
+class FailedKeyConfirmedResponse implements FailedKeyConfirmedResponseContract
+{
+    /**
+     * Create an HTTP response that represents the object.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
+    #[\Override]
+    public function toResponse($request)
+    {
+        $message = __('Invalid key.');
+
+        if ($request->wantsJson()) {
+            throw ValidationException::withMessages([
+                'key' => [$message],
+            ]);
+        }
+
+        return back()->withErrors(['key' => $message]);
+    }
+}

src/Http/Responses/KeyConfirmedResponse.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace LaravelWebauthn\Http\Responses;
+
+use Illuminate\Http\JsonResponse;
+use LaravelWebauthn\Contracts\KeyConfirmedResponse as KeyConfirmedResponseContract;
+use LaravelWebauthn\Services\Webauthn;
+
+class KeyConfirmedResponse implements KeyConfirmedResponseContract
+{
+    /**
+     * Create an HTTP response that represents the object.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
+    #[\Override]
+    public function toResponse($request)
+    {
+        return $request->wantsJson()
+            ? new JsonResponse('', 201)
+            : redirect()->intended(Webauthn::redirects('key-confirmation'));
+    }
+}