first commit

.editorconfig

@@ -0,0 +1,18 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[docker-compose.yml]
+indent_size = 4

.env.example

@@ -0,0 +1,58 @@
+APP_NAME=Laravel
+APP_ENV=local
+APP_KEY=
+APP_DEBUG=true
+APP_URL=http://localhost
+
+LOG_CHANNEL=stack
+LOG_DEPRECATIONS_CHANNEL=null
+LOG_LEVEL=debug
+
+DB_CONNECTION=mysql
+DB_HOST=127.0.0.1
+DB_PORT=3306
+DB_DATABASE=laravel
+DB_USERNAME=root
+DB_PASSWORD=
+
+BROADCAST_DRIVER=log
+CACHE_DRIVER=file
+FILESYSTEM_DISK=local
+QUEUE_CONNECTION=sync
+SESSION_DRIVER=file
+SESSION_LIFETIME=120
+
+MEMCACHED_HOST=127.0.0.1
+
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+
+MAIL_MAILER=smtp
+MAIL_HOST=mailhog
+MAIL_PORT=1025
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
+MAIL_FROM_ADDRESS="[email protected]"
+MAIL_FROM_NAME="${APP_NAME}"
+
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_DEFAULT_REGION=us-east-1
+AWS_BUCKET=
+AWS_USE_PATH_STYLE_ENDPOINT=false
+
+PUSHER_APP_ID=
+PUSHER_APP_KEY=
+PUSHER_APP_SECRET=
+PUSHER_HOST=
+PUSHER_PORT=443
+PUSHER_SCHEME=https
+PUSHER_APP_CLUSTER=mt1
+
+VITE_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
+VITE_PUSHER_HOST="${PUSHER_HOST}"
+VITE_PUSHER_PORT="${PUSHER_PORT}"
+VITE_PUSHER_SCHEME="${PUSHER_SCHEME}"
+VITE_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

.gitattributes

@@ -0,0 +1,11 @@
+* text=auto
+
+*.blade.php diff=html
+*.css diff=css
+*.html diff=html
+*.md diff=markdown
+*.php diff=php
+
+/.github export-ignore
+CHANGELOG.md export-ignore
+.styleci.yml export-ignore

.gitignore

@@ -0,0 +1,19 @@
+/node_modules
+/public/build
+/public/hot
+/public/storage
+/storage/*.key
+/vendor
+.env
+.env.backup
+.env.production
+.phpunit.result.cache
+Homestead.json
+Homestead.yaml
+auth.json
+npm-debug.log
+yarn-error.log
+/.fleet
+/.idea
+/.vscode
+/.yarn

README.md

@@ -0,0 +1 @@
+# Laravel Passkeys Demo

app/Auth/CredentialSourceRepository.php

@@ -0,0 +1,52 @@
+<?php
+
+namespace App\Auth;
+
+use App\Models\Authenticator;
+use App\Models\User;
+use Webauthn\PublicKeyCredentialSource;
+use Webauthn\PublicKeyCredentialSourceRepository;
+use Webauthn\PublicKeyCredentialUserEntity;
+
+class CredentialSourceRepository implements PublicKeyCredentialSourceRepository
+{
+    public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource
+    {
+        ray('findOneByCredentialId');
+        ray($publicKeyCredentialId);
+        ray(base64_encode($publicKeyCredentialId));
+
+        $authenticator = Authenticator::where('credential_id', base64_encode($publicKeyCredentialId))->first();
+
+        if (!$authenticator) {
+            return null;
+        }
+
+        ray($authenticator);
+
+        return PublicKeyCredentialSource::createFromArray($authenticator->public_key);
+    }
+
+    public function findAllForUserEntity(PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity): array
+    {
+        ray('findAllForUserEntity');
+        ray($publicKeyCredentialUserEntity);
+        ray($publicKeyCredentialUserEntity->getName());
+        ray($publicKeyCredentialUserEntity->getId());
+
+        return User::with('authenticators')->where('id', $publicKeyCredentialUserEntity->getId())->first()->authenticators->toArray();
+    }
+
+    public function saveCredentialSource(PublicKeyCredentialSource $publicKeyCredentialSource): void
+    {
+        ray('saveCredentialSource');
+        ray($publicKeyCredentialSource);
+
+        $user = User::where('id', $publicKeyCredentialSource->getUserHandle())->firstOrFail();
+
+        $user->authenticators()->save(new Authenticator([
+            'credential_id' => $publicKeyCredentialSource->getPublicKeyCredentialId(),
+            'public_key' => $publicKeyCredentialSource->jsonSerialize(),
+        ]));
+    }
+}

app/Console/Kernel.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace App\Console;
+
+use Illuminate\Console\Scheduling\Schedule;
+use Illuminate\Foundation\Console\Kernel as ConsoleKernel;
+
+class Kernel extends ConsoleKernel
+{
+    /**
+     * Define the application's command schedule.
+     *
+     * @param  \Illuminate\Console\Scheduling\Schedule  $schedule
+     * @return void
+     */
+    protected function schedule(Schedule $schedule)
+    {
+        // $schedule->command('inspire')->hourly();
+    }
+
+    /**
+     * Register the commands for the application.
+     *
+     * @return void
+     */
+    protected function commands()
+    {
+        $this->load(__DIR__.'/Commands');
+
+        require base_path('routes/console.php');
+    }
+}

app/Exceptions/Handler.php

@@ -0,0 +1,50 @@
+<?php
+
+namespace App\Exceptions;
+
+use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
+use Throwable;
+
+class Handler extends ExceptionHandler
+{
+    /**
+     * A list of exception types with their corresponding custom log levels.
+     *
+     * @var array<class-string<\Throwable>, \Psr\Log\LogLevel::*>
+     */
+    protected $levels = [
+        //
+    ];
+
+    /**
+     * A list of the exception types that are not reported.
+     *
+     * @var array<int, class-string<\Throwable>>
+     */
+    protected $dontReport = [
+        //
+    ];
+
+    /**
+     * A list of the inputs that are never flashed to the session on validation exceptions.
+     *
+     * @var array<int, string>
+     */
+    protected $dontFlash = [
+        'current_password',
+        'password',
+        'password_confirmation',
+    ];
+
+    /**
+     * Register the exception handling callbacks for the application.
+     *
+     * @return void
+     */
+    public function register()
+    {
+        $this->reportable(function (Throwable $e) {
+            //
+        });
+    }
+}

app/Http/Controllers/AuthenticationController.php

@@ -0,0 +1,135 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Auth\CredentialSourceRepository;
+use App\Models\User;
+use Cose\Algorithm\Manager;
+use Cose\Algorithm\Signature\ECDSA\ES256;
+use Cose\Algorithm\Signature\ECDSA\ES256K;
+use Cose\Algorithm\Signature\ECDSA\ES384;
+use Cose\Algorithm\Signature\ECDSA\ES512;
+use Cose\Algorithm\Signature\EdDSA\Ed256;
+use Cose\Algorithm\Signature\EdDSA\Ed512;
+use Cose\Algorithm\Signature\RSA\PS256;
+use Cose\Algorithm\Signature\RSA\PS384;
+use Cose\Algorithm\Signature\RSA\PS512;
+use Cose\Algorithm\Signature\RSA\RS256;
+use Cose\Algorithm\Signature\RSA\RS384;
+use Cose\Algorithm\Signature\RSA\RS512;
+use Illuminate\Http\Request;
+use Psr\Http\Message\ServerRequestInterface;
+use Webauthn\AttestationStatement\AttestationObjectLoader;
+use Webauthn\AttestationStatement\AttestationStatementSupportManager;
+use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
+use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
+use Webauthn\AuthenticatorAssertionResponse;
+use Webauthn\AuthenticatorAssertionResponseValidator;
+use Webauthn\PublicKeyCredentialDescriptor;
+use Webauthn\PublicKeyCredentialLoader;
+use Webauthn\PublicKeyCredentialRequestOptions;
+use Webauthn\PublicKeyCredentialSource;
+use Webauthn\PublicKeyCredentialUserEntity;
+use Webauthn\TokenBinding\IgnoreTokenBindingHandler;
+
+class AuthenticationController extends Controller
+{
+    public function generateOptions(Request $request)
+    {
+        $user = User::where('email', $request->input('username'))->firstOrFail();
+
+        $userEntity = PublicKeyCredentialUserEntity::create(
+            $user->email,
+            (string) $user->id,
+            $user->name,
+            null,
+        );
+
+        $publicKeyCredentialSourceRepository = new CredentialSourceRepository();
+
+        $registeredAuthenticators = $publicKeyCredentialSourceRepository->findAllForUserEntity($userEntity);
+
+        // We don’t need the Credential Sources, just the associated Descriptors
+        $allowedCredentials = collect($registeredAuthenticators)
+            ->pluck('public_key')
+            ->map(fn ($publicKey) => PublicKeyCredentialSource::createFromArray($publicKey))
+            ->map(
+                fn (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor => $credential->getPublicKeyCredentialDescriptor()
+            )
+            ->toArray();
+
+        $publicKeyCredentialRequestOptions =
+            PublicKeyCredentialRequestOptions::create(
+                random_bytes(32) // Challenge
+            )
+            ->allowCredentials(...$allowedCredentials);
+
+        $serializedPublicKeyCredentialRequestOptions = $publicKeyCredentialRequestOptions->jsonSerialize();
+
+        $request->session()->put('publicKeyCredentialRequestOptions', $serializedPublicKeyCredentialRequestOptions);
+
+        return $serializedPublicKeyCredentialRequestOptions;
+    }
+
+    public function verify(Request $request, ServerRequestInterface $serverRequest)
+    {
+        $publicKeyCredentialSourceRepository = new CredentialSourceRepository();
+        $tokenBindingHandler = IgnoreTokenBindingHandler::create();
+
+        $attestationStatementSupportManager = AttestationStatementSupportManager::create();
+
+        $attestationStatementSupportManager->add(NoneAttestationStatementSupport::create());
+
+        $extensionOutputCheckerHandler = ExtensionOutputCheckerHandler::create();
+
+        $algorithmManager = Manager::create()->add(
+            ES256::create(),
+            ES256K::create(),
+            ES384::create(),
+            ES512::create(),
+            RS256::create(),
+            RS384::create(),
+            RS512::create(),
+            PS256::create(),
+            PS384::create(),
+            PS512::create(),
+            Ed256::create(),
+            Ed512::create(),
+        );
+
+        $authenticatorAttestationResponseValidator = AuthenticatorAssertionResponseValidator::create(
+            $publicKeyCredentialSourceRepository,
+            $tokenBindingHandler,
+            $extensionOutputCheckerHandler,
+            $algorithmManager,
+        );
+
+        $attestationObjectLoader = AttestationObjectLoader::create(
+            $attestationStatementSupportManager
+        );
+
+        $publicKeyCredentialLoader = PublicKeyCredentialLoader::create(
+            $attestationObjectLoader
+        );
+
+        $publicKeyCredential = $publicKeyCredentialLoader->load(json_encode($request->all()));
+
+        $authenticatorAssertionResponse = $publicKeyCredential->getResponse();
+
+        if (!$authenticatorAssertionResponse instanceof AuthenticatorAssertionResponse) {
+            abort(403, 'Invalid response type');
+        }
+
+        $publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check(
+            $publicKeyCredential->getRawId(),
+            $authenticatorAssertionResponse,
+            PublicKeyCredentialRequestOptions::createFromArray(session('publicKeyCredentialRequestOptions')),
+            $serverRequest,
+            $authenticatorAssertionResponse->getUserHandle(),
+        );
+
+        $request->session()->forget('publicKeyCredentialRequestOptions');
+
+        ray('log user in now!!!!');
+    }
+}

app/Http/Controllers/Controller.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Foundation\Bus\DispatchesJobs;
+use Illuminate\Foundation\Validation\ValidatesRequests;
+use Illuminate\Routing\Controller as BaseController;
+
+class Controller extends BaseController
+{
+    use AuthorizesRequests, DispatchesJobs, ValidatesRequests;
+}