feat: allow true userless login (#501)

Author: asbiin

config/webauthn.php

@@ -101,8 +101,8 @@
     |--------------------------------------------------------------------------
     |
     | When using navigation, redirects to these url on success:
-    | - login: after a successfull login.
-    | - register: after a successfull Webauthn key creation.
+    | - login: after a successful login.
+    | - register: after a successful Webauthn key creation.
     |
     | Redirects are not used in case of application/json requests.
     |
@@ -264,26 +264,39 @@
     | See https://www.w3.org/TR/webauthn/#enum-userVerificationRequirement
     |
     | Supported: "required", "preferred", "discouraged".
+    | Forced to "required" when userless is true.
     |
     */
 
     'user_verification' => 'preferred',
 
     /*
     |--------------------------------------------------------------------------
-    | Userless (One touch, Typeless) login
+    | The resident key
     |--------------------------------------------------------------------------
     |
-    | By default, users must input their email to receive a list of credentials
-    | ID to use for authentication, but they can also login without specifying
-    | one if the device can remember them, allowing for true one-touch login.
+    | When userless is set to 'preferred' or 'required', the resident key will be
+    | forced to be 'required' automatically.
     |
     | See https://www.w3.org/TR/webauthn/#enum-residentKeyRequirement
     |
     | Supported: "null", "required", "preferred", "discouraged".
+    | Forced to "required" when userless is true.
+    |
+    */
+
+    'resident_key' => 'preferred',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Userless (One touch, Typeless) login
+    |--------------------------------------------------------------------------
+    |
+    | This activates userless login, also known as one-touch login or typeless
+    | login for devices when they're being registered.
     |
     */
 
-    'userless' => null,
+    'userless' => (bool) env('WEBAUTHN_USERLESS', false),
 
 ];

src/Actions/PrepareAssertionData.php

@@ -11,7 +11,7 @@ class PrepareAssertionData
     /**
      * Get data to authenticate a user.
      */
-    public function __invoke(User $user): PublicKeyCredentialRequestOptions
+    public function __invoke(?User $user): PublicKeyCredentialRequestOptions
     {
         return Webauthn::prepareAssertion($user);
     }

src/Facades/Webauthn.php

@@ -19,6 +19,7 @@
  * @method static bool hasKey(\Illuminate\Contracts\Auth\Authenticatable $user)
  * @method static string redirects(string $redirect, $default = null)
  * @method static string model()
+ * @method static bool userless()
  *
  * @see \LaravelWebauthn\Webauthn
  */

src/Http/Controllers/AuthenticateController.php

@@ -23,6 +23,10 @@ class AuthenticateController extends Controller
     public function create(WebauthnLoginAttemptRequest $request): LoginViewResponse
     {
         $user = $this->createPipeline($request)->then(function ($request) {
+            if (Webauthn::userless() || config('webauthn.user_verification') === 'discouraged') {
+                return null;
+            }
+
             return app(LoginUserRetrieval::class)($request);
         });
 

src/Services/Webauthn.php

@@ -272,4 +272,11 @@ public static function ignoreRoutes(): void
     {
         static::$registersRoutes = false;
     }
+
+    public static function userless(): bool
+    {
+        $userless = config('webauthn.userless');
+
+        return $userless === true || $userless === 'true' || $userless === 'preferred' || $userless === 'required';
+    }
 }

src/Services/Webauthn/CredentialAssertionValidator.php

@@ -56,7 +56,7 @@ protected function pullPublicKey(?User $user): PublicKeyCredentialRequestOptions
         try {
             $value = $this->cache->pull($this->cacheKey($user));
 
-            if ($value === null && in_array(config('webauthn.userless'), ['required', 'preferred'], true)) {
+            if ($value === null && Webauthn::userless()) {
                 $value = $this->cache->pull($this->cacheKey(null));
             }
 

src/WebauthnServiceProvider.php

@@ -81,6 +81,7 @@ public function register(): void
         $this->app->singleton(WebauthnFacade::class, Webauthn::class);
 
         $this->registerResponseBindings();
+        $this->overrideConfiguration();
         $this->bindWebAuthnPackage();
         $this->bindPsrInterfaces();
 
@@ -121,6 +122,17 @@ public function registerResponseBindings(): void
         $this->app->singleton(UpdateResponseContract::class, UpdateResponse::class);
     }
 
+    /**
+     * Override the configuration for userless WebAuthn.
+     */
+    protected function overrideConfiguration(): void
+    {
+        if (Webauthn::userless()) {
+            $this->app['config']->set('webauthn.user_verification', 'required');
+            $this->app['config']->set('webauthn.resident_key', 'required');
+        }
+    }
+
     /**
      * Bind all the WebAuthn package services to the Service Container.
      */
@@ -192,9 +204,9 @@ protected function bindWebAuthnPackage(): void
         $this->app->bind(
             AuthenticatorSelectionCriteria::class,
             fn ($app) => new AuthenticatorSelectionCriteria(
-                authenticatorAttachment: $app['config']->get('webauthn.attachment_mode', 'null'),
+                authenticatorAttachment: $app['config']->get('webauthn.attachment_mode'),
                 userVerification: $app['config']->get('webauthn.user_verification', 'preferred'),
-                residentKey: $app['config']->get('webauthn.userless')
+                residentKey: $app['config']->get('webauthn.resident_key', 'preferred')
             )
         );
         $this->app->bind(

tests/Unit/Actions/AttemptToAuthenticateTest.php

@@ -9,6 +9,7 @@
 use LaravelWebauthn\Facades\Webauthn;
 use LaravelWebauthn\Services\Webauthn as WebauthnService;
 use LaravelWebauthn\Tests\FeatureTestCase;
+use PHPUnit\Framework\Attributes\Test;
 
 class AttemptToAuthenticateTest extends FeatureTestCase
 {
@@ -20,9 +21,7 @@ protected function tearDown(): void
         WebauthnService::$authenticateUsingCallback = null;
     }
 
-    /**
-     * @test
-     */
+    #[Test]
     public function it_get_user_request()
     {
         $user = $this->user();
@@ -36,9 +35,7 @@ public function it_get_user_request()
         $this->assertEquals(1, $result);
     }
 
-    /**
-     * @test
-     */
+    #[Test]
     public function it_fails_with_request()
     {
         $user = $this->user();
@@ -51,9 +48,7 @@ public function it_fails_with_request()
         app(AttemptToAuthenticate::class)->handle($request, fn () => 1);
     }
 
-    /**
-     * @test
-     */
+    #[Test]
     public function it_get_user_with_callback()
     {
         $user = $this->user();
@@ -72,9 +67,7 @@ public function it_get_user_with_callback()
         $this->assertEquals(1, $result);
     }
 
-    /**
-     * @test
-     */
+    #[Test]
     public function it_fails_with_callback()
     {
         $user = $this->user();

tests/Unit/Actions/DeleteKeyTest.php

@@ -7,14 +7,13 @@
 use LaravelWebauthn\Actions\DeleteKey;
 use LaravelWebauthn\Models\WebauthnKey;
 use LaravelWebauthn\Tests\FeatureTestCase;
+use PHPUnit\Framework\Attributes\Test;
 
 class DeleteKeyTest extends FeatureTestCase
 {
     use DatabaseTransactions;
 
-    /**
-     * @test
-     */
+    #[Test]
     public function it_delete_key()
     {
         $user = $this->user();
@@ -29,9 +28,7 @@ public function it_delete_key()
         ]);
     }
 
-    /**
-     * @test
-     */
+    #[Test]
     public function it_fails_if_wrong_user()
     {
         $user = $this->user();
@@ -41,9 +38,7 @@ public function it_fails_if_wrong_user()
         app(DeleteKey::class)($user, $webauthnKey->id);
     }
 
-    /**
-     * @test
-     */
+    #[Test]
     public function it_fails_if_wrong_id()
     {
         $user = $this->user();

tests/Unit/Actions/LoginUserRetrievalTest.php

@@ -7,14 +7,13 @@
 use Illuminate\Validation\ValidationException;
 use LaravelWebauthn\Actions\LoginUserRetrieval;
 use LaravelWebauthn\Tests\FeatureTestCase;
+use PHPUnit\Framework\Attributes\Test;
 
 class LoginUserRetrievalTest extends FeatureTestCase
 {
     use DatabaseTransactions;
 
-    /**
-     * @test
-     */
+    #[Test]
     public function it_get_user_request()
     {
         $user = $this->user();
@@ -26,9 +25,7 @@ public function it_get_user_request()
         $this->assertEquals($user, $result);
     }
 
-    /**
-     * @test
-     */
+    #[Test]
     public function it_get_user_fail()
     {
         $request = $this->app->make(Request::class);