Re: [webauthn] Add `challengeUrl` (#2152)

>  If there is a specific problem that RPs are going to often run into then we should probably try to accommodate that.

The challenge I see here is that any given backend stack tends to have its own unique requirements (this has certainly been the case at every company I've worked at), such that I expect relatively few would be able to benefit from this enhancement. Beyond what's already been discussed with sessions and authn, automatic CSRF mitigation rules applied by frameworks come to mind.

As an alternative, I wonder if instead of accepting only a string, accepting any [fetch resource parameter](https://developer.mozilla.org/en-US/docs/Web/API/Window/fetch#resource) (i.e. `string` or `Request`) could work instead. It would provide most of the flexibility of the `challengeCallback` approach while still offering a simple/recommended default path with very little additional complexity in the browser-side implementation. 

If a string is passed, use that as you've already described with some default semantics; if you provide a `Request` then it would be used exactly as-is with the general caveats already applied (the response must be `ok`, have a `content-type` of `application/octet-stream`, and a `content-length` of >= 16 bytes).

Internally something like this:

```javascript
// Sketch of the browser-internal handling: `challengeUrl` is a string or a Request.
async function resolveChallenge(challengeUrl) {
  let request
  if (typeof challengeUrl === "string") {
    request = new Request(challengeUrl, {
      // `Accept` asks the RP for a raw binary challenge (`Expect` is a
      // forbidden request header in fetch and would be silently dropped)
      headers: { Accept: 'application/octet-stream' },
      method: 'POST',
      // ... (others as specified)
    })
  } else {
    request = challengeUrl
  }
  const response = await fetch(request)
  if (!response.ok) {
    // fail the webauthn process
    throw new DOMException('challenge request failed', 'NotAllowedError')
  }
  const challenge = await response.arrayBuffer()
  // continue as if a challenge had been provided directly
  return challenge
}
```

Thoughts?

-- 
GitHub Notification of comment by Firehed
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2152#issuecomment-2405743419 using your GitHub account
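An added example (not part of the comment above or of the WebAuthn spec) showing the two `challengeUrl` forms proposed in this thread and the response caveats it lists (`ok`, `application/octet-stream`, at least 16 bytes). The function and helper names, the `rp.example` URL and the fake endpoint are assumptions; it runs offline on Node 18+ (global `Request`/`Response`) by injecting the fetch implementation.

```javascript
// Hypothetical names; the fetch implementation is injected so the code runs
// offline against constructed Response objects (Node 18+ globals assumed).
const MIN_CHALLENGE_BYTES = 16

function buildChallengeRequest(challengeUrl) {
  if (typeof challengeUrl === 'string') {
    // Default path for a plain URL: POST, ask for a raw binary challenge.
    return new Request(challengeUrl, {
      method: 'POST',
      headers: { Accept: 'application/octet-stream' },
    })
  }
  if (challengeUrl instanceof Request) {
    // RP supplied its own Request (e.g. CSRF header, credentials mode): use as-is.
    return challengeUrl
  }
  throw new TypeError('challengeUrl must be a string or a Request')
}

// Fetches the challenge and enforces the response caveats; throws on any failure.
async function fetchChallenge(challengeUrl, fetchImpl = fetch) {
  const response = await fetchImpl(buildChallengeRequest(challengeUrl))
  if (!response.ok) throw new Error(`challenge endpoint returned ${response.status}`)
  const type = (response.headers.get('content-type') || '').split(';')[0].trim().toLowerCase()
  if (type !== 'application/octet-stream') throw new Error(`unexpected content-type: ${type}`)
  const bytes = new Uint8Array(await response.arrayBuffer())
  // Check the bytes actually received rather than trusting a content-length header.
  if (bytes.byteLength < MIN_CHALLENGE_BYTES) throw new Error(`challenge too short: ${bytes.byteLength} bytes`)
  return bytes
}

// Constructed stand-in for the RP's challenge endpoint: records the Request it
// was handed and answers with a canned Response of the requested shape.
function makeFakeFetch({ status = 200, contentType = 'application/octet-stream', length = 32 } = {}) {
  const seen = []
  const fetchImpl = async (request) => {
    seen.push(request)
    return new Response(new Uint8Array(length), { status, headers: { 'content-type': contentType } })
  }
  return { fetchImpl, seen }
}
```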


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 10 October 2024 18:07:44 UTC