fix: fix timeout and cache behavior (#500)

asbiin · web-flow · commit 9b68ae9a44bb · 2025-03-11T11:29:49.000+01:00
diff --git a/config/webauthn.php b/config/webauthn.php
@@ -173,10 +173,11 @@
     |--------------------------------------------------------------------------
     |
     | Time that the caller is willing to wait for the call to complete.
+    | See https://webauthn-doc.spomky-labs.com/symfony-bundle/configuration-references#timeout
     |
     */
 
-    'timeout' => 60000,
+    'timeout' => null,
 
     /*
     |--------------------------------------------------------------------------
diff --git a/src/Services/JsonWrapper.php b/src/Services/JsonWrapper.php
@@ -18,7 +18,6 @@ class JsonWrapper implements JsonSerializable
      * @param  T  $data
      */
     public function __construct(
-        private SerializerInterface $loader,
         public mixed $data
     ) {}
 
@@ -37,7 +36,7 @@ public function jsonSerialize(): array
     #[\Override]
     public function __toString()
     {
-        return $this->loader->serialize($this->data, 'json', [
+        return app(SerializerInterface::class)->serialize($this->data, 'json', [
             AbstractObjectNormalizer::SKIP_NULL_VALUES => true,
             JsonEncode::OPTIONS => JSON_THROW_ON_ERROR,
         ]);
diff --git a/src/Services/Webauthn/CreationOptionsFactory.php b/src/Services/Webauthn/CreationOptionsFactory.php
@@ -10,7 +10,6 @@
 use LaravelWebauthn\Facades\Webauthn;
 use Webauthn\AuthenticatorSelectionCriteria;
 use Webauthn\PublicKeyCredentialCreationOptions as PublicKeyCredentialCreationOptionsBase;
-use Webauthn\PublicKeyCredentialDescriptor;
 use Webauthn\PublicKeyCredentialParameters;
 use Webauthn\PublicKeyCredentialRpEntity;
 use Webauthn\PublicKeyCredentialUserEntity;
@@ -51,7 +50,7 @@ public function __invoke(User $user): PublicKeyCredentialCreationOptions
         );
 
         return tap(PublicKeyCredentialCreationOptions::create($publicKey), function (PublicKeyCredentialCreationOptions $result) use ($user): void {
-            $this->cache->put($this->cacheKey($user), (string) $result, $this->timeout);
+            $this->cache->put($this->cacheKey($user), (string) $result, $this->timeoutCache);
         });
     }
 
@@ -74,10 +73,7 @@ private function getUserEntity(User $user): PublicKeyCredentialUserEntity
     private function createCredentialParameters(): array
     {
         return collect($this->algorithmManager->list())
-            ->map(fn ($algorithm): PublicKeyCredentialParameters => new PublicKeyCredentialParameters(
-                PublicKeyCredentialDescriptor::CREDENTIAL_TYPE_PUBLIC_KEY,
-                $algorithm
-            ))
+            ->map(fn (int $algorithm): PublicKeyCredentialParameters => PublicKeyCredentialParameters::createPk($algorithm))
             ->toArray();
     }
 
diff --git a/src/Services/Webauthn/CredentialAssertionValidator.php b/src/Services/Webauthn/CredentialAssertionValidator.php
@@ -42,7 +42,7 @@ public function __invoke(?User $user, array $data): bool
             $this->getResponse($publicKeyCredential),
             $this->pullPublicKey($user),
             $this->request->host(),
-            $user->getAuthIdentifier()
+            optional($user)->getAuthIdentifier()
         );
 
         return true;
@@ -60,10 +60,14 @@ protected function pullPublicKey(?User $user): PublicKeyCredentialRequestOptions
                 $value = $this->cache->pull($this->cacheKey(null));
             }
 
+            if ($value === null) {
+                abort(404, 'No public key credential found');
+            }
+
             return $this->loader->deserialize($value, PublicKeyCredentialRequestOptions::class, 'json');
         } catch (\Exception $e) {
             app('webauthn.log')->debug('Webauthn publickKey deserialize error', ['exception' => $e]);
-            abort(404);
+            abort(404, $e->getMessage());
         }
     }
 
diff --git a/src/Services/Webauthn/CredentialAttestationValidator.php b/src/Services/Webauthn/CredentialAttestationValidator.php
@@ -51,10 +51,14 @@ protected function pullPublicKey(User $user): PublicKeyCredentialCreationOptions
         try {
             $value = $this->cache->pull($this->cacheKey($user));
 
+            if ($value === null) {
+                abort(404, 'No public key credential found');
+            }
+
             return $this->loader->deserialize($value, PublicKeyCredentialCreationOptions::class, 'json');
         } catch (\Exception $e) {
             app('webauthn.log')->debug('Webauthn publicKey deserialize error', ['exception' => $e]);
-            abort(404);
+            abort(404, $e->getMessage());
         }
     }
 
diff --git a/src/Services/Webauthn/OptionsFactory.php b/src/Services/Webauthn/OptionsFactory.php
@@ -16,7 +16,12 @@ abstract class OptionsFactory extends CredentialValidator
     /**
      * Timeout in milliseconds.
      */
-    protected int $timeout;
+    protected ?int $timeout = null;
+
+    /**
+     * Timeout in milliseconds.
+     */
+    protected ?int $timeoutCache;
 
     public function __construct(
         Request $request,
@@ -26,7 +31,13 @@ public function __construct(
         parent::__construct($request, $cache);
 
         $this->challengeLength = (int) $config->get('webauthn.challenge_length', 32);
-        $this->timeout = (int) $config->get('webauthn.timeout', 60000);
+        $timeout = $config->get('webauthn.timeout');
+        if ($timeout !== null) {
+            $this->timeout = (int) $timeout;
+            $this->timeoutCache = $this->timeout / 1000;
+        } else {
+            $this->timeoutCache = self::getDefaultTimeoutCache($config);
+        }
     }
 
     /**
@@ -38,4 +49,20 @@ protected function getChallenge(): string
     {
         return \random_bytes($this->challengeLength);
     }
+
+    /**
+     * See https://webauthn-doc.spomky-labs.com/symfony-bundle/configuration-references#timeout
+     */
+    private static function getDefaultTimeoutCache(Config $config): ?int
+    {
+        switch ($config->get('webauthn.user_verification', 'preferred')) {
+            case 'discouraged':
+                return 180;
+            case 'preferred':
+            case 'required':
+                return 600;
+            default:
+                return null;
+        }
+    }
 }
diff --git a/src/Services/Webauthn/RequestOptionsFactory.php b/src/Services/Webauthn/RequestOptionsFactory.php
@@ -41,7 +41,7 @@ public function __invoke(?User $user): PublicKeyCredentialRequestOptions
         );
 
         return tap(PublicKeyCredentialRequestOptions::create($publicKey), function (PublicKeyCredentialRequestOptions $result) use ($user): void {
-            $this->cache->put($this->cacheKey($user), (string) $result, $this->timeout);
+            $this->cache->put($this->cacheKey($user), (string) $result, $this->timeoutCache);
         });
     }
 
diff --git a/tests/Unit/Services/Webauthn/CreationOptionsFactoryTest.php b/tests/Unit/Services/Webauthn/CreationOptionsFactoryTest.php
@@ -0,0 +1,128 @@
+<?php
+
+namespace LaravelWebauthn\Tests\Unit\Services\Webauthn;
+
+use Illuminate\Contracts\Cache\Repository as Cache;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use LaravelWebauthn\Services\Webauthn\RequestOptionsFactory;
+use LaravelWebauthn\Tests\FeatureTestCase;
+use PHPUnit\Framework\Attributes\Test;
+use Webauthn\PublicKeyCredentialRequestOptions;
+
+class CreationOptionsFactoryTest extends FeatureTestCase
+{
+    use DatabaseTransactions;
+
+    #[Test]
+    public function create_options_factory()
+    {
+        $user = $this->user();
+
+        $option = app(RequestOptionsFactory::class)($user);
+
+        $this->assertInstanceOf(PublicKeyCredentialRequestOptions::class, $option->data);
+        $this->assertNotNull($option->data->challenge);
+        $this->assertEquals(32, strlen($option->data->challenge));
+        $this->assertNull($option->data->timeout);
+    }
+
+    #[Test]
+    public function create_options_factory_timeout()
+    {
+        config(['webauthn.timeout' => 300000]);
+
+        $user = $this->user();
+
+        $this->mock(Cache::class, function ($mock) {
+            $mock->shouldReceive('put')
+                ->withArgs(function ($key, $value, $timeout) {
+                    $this->assertEquals(300, $timeout);
+
+                    return true;
+                })
+                ->andReturnTrue();
+        });
+
+        $option = app(RequestOptionsFactory::class)($user);
+
+        $this->assertInstanceOf(PublicKeyCredentialRequestOptions::class, $option->data);
+        $this->assertNotNull($option->data->challenge);
+        $this->assertEquals(32, strlen($option->data->challenge));
+        $this->assertEquals(300000, $option->data->timeout);
+    }
+
+    #[Test]
+    public function create_options_factory_discouraged()
+    {
+        config(['webauthn.user_verification' => 'discouraged']);
+
+        $user = $this->user();
+
+        $this->mock(Cache::class, function ($mock) {
+            $mock->shouldReceive('put')
+                ->withArgs(function ($key, $value, $timeout) {
+                    $this->assertEquals(180, $timeout);
+
+                    return true;
+                })
+                ->andReturnTrue();
+        });
+
+        $option = app(RequestOptionsFactory::class)($user);
+
+        $this->assertInstanceOf(PublicKeyCredentialRequestOptions::class, $option->data);
+        $this->assertNotNull($option->data->challenge);
+        $this->assertEquals(32, strlen($option->data->challenge));
+        $this->assertNull($option->data->timeout);
+    }
+
+    #[Test]
+    public function create_options_factory_required()
+    {
+        config(['webauthn.user_verification' => 'required']);
+
+        $user = $this->user();
+
+        $this->mock(Cache::class, function ($mock) {
+            $mock->shouldReceive('put')
+                ->withArgs(function ($key, $value, $timeout) {
+                    $this->assertEquals(600, $timeout);
+
+                    return true;
+                })
+                ->andReturnTrue();
+        });
+
+        $option = app(RequestOptionsFactory::class)($user);
+
+        $this->assertInstanceOf(PublicKeyCredentialRequestOptions::class, $option->data);
+        $this->assertNotNull($option->data->challenge);
+        $this->assertEquals(32, strlen($option->data->challenge));
+        $this->assertNull($option->data->timeout);
+    }
+
+    #[Test]
+    public function create_options_factory_preferred()
+    {
+        config(['webauthn.user_verification' => 'preferred']);
+
+        $user = $this->user();
+
+        $this->mock(Cache::class, function ($mock) {
+            $mock->shouldReceive('put')
+                ->withArgs(function ($key, $value, $timeout) {
+                    $this->assertEquals(600, $timeout);
+
+                    return true;
+                })
+                ->andReturnTrue();
+        });
+
+        $option = app(RequestOptionsFactory::class)($user);
+
+        $this->assertInstanceOf(PublicKeyCredentialRequestOptions::class, $option->data);
+        $this->assertNotNull($option->data->challenge);
+        $this->assertEquals(32, strlen($option->data->challenge));
+        $this->assertNull($option->data->timeout);
+    }
+}
diff --git a/tests/Unit/Services/Webauthn/CredentialAssertionValidatorTest.php b/tests/Unit/Services/Webauthn/CredentialAssertionValidatorTest.php
diff --git a/tests/Unit/Services/Webauthn/CredentialAttestationValidatorTest.php b/tests/Unit/Services/Webauthn/CredentialAttestationValidatorTest.php
diff --git a/tests/Unit/Services/WebauthnTest.php b/tests/Unit/Services/WebauthnTest.php

Original file line number	Diff line number	Diff line change
`@@ -173,10 +173,11 @@`
`173`	`173`	`\|--------------------------------------------------------------------------`
`174`	`174`	`\|`
`175`	`175`	`\| Time that the caller is willing to wait for the call to complete.`
	`176`	`+ \| See https://webauthn-doc.spomky-labs.com/symfony-bundle/configuration-references#timeout`
`176`	`177`	`\|`
`177`	`178`	`*/`
`178`	`179`
`179`		`- 'timeout' => 60000,`
	`180`	`+ 'timeout' => null,`
`180`	`181`
`181`	`182`	`/*`
`182`	`183`	`\|--------------------------------------------------------------------------`
Original file line number	Diff line number	Diff line change
`@@ -51,10 +51,14 @@ protected function pullPublicKey(User $user): PublicKeyCredentialCreationOptions`
`51`	`51`	`try {`
`52`	`52`	`$value = $this->cache->pull($this->cacheKey($user));`
`53`	`53`
	`54`	`+ if ($value === null) {`
	`55`	`+ abort(404, 'No public key credential found');`
	`56`	`+ }`
	`57`	`+`
`54`	`58`	`return $this->loader->deserialize($value, PublicKeyCredentialCreationOptions::class, 'json');`
`55`	`59`	`} catch (\Exception $e) {`
`56`	`60`	`app('webauthn.log')->debug('Webauthn publicKey deserialize error', ['exception' => $e]);`
`57`		`- abort(404);`
	`61`	`+ abort(404, $e->getMessage());`
`58`	`62`	`}`
`59`	`63`	`}`
`60`	`64`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ public function __invoke(?User $user): PublicKeyCredentialRequestOptions`
`41`	`41`	`);`
`42`	`42`
`43`	`43`	`return tap(PublicKeyCredentialRequestOptions::create($publicKey), function (PublicKeyCredentialRequestOptions $result) use ($user): void {`
`44`		`- $this->cache->put($this->cacheKey($user), (string) $result, $this->timeout);`
	`44`	`+ $this->cache->put($this->cacheKey($user), (string) $result, $this->timeoutCache);`
`45`	`45`	`});`
`46`	`46`	`}`
`47`	`47`