Skip to content

Use libwebauthn for JSON request parsing#116

Open
AlfioEmanueleFresta wants to merge 7 commits intomainfrom
libwebauthn-json
Open

Use libwebauthn for JSON request parsing#116
AlfioEmanueleFresta wants to merge 7 commits intomainfrom
libwebauthn-json

Conversation

@AlfioEmanueleFresta
Copy link
Copy Markdown
Member

@AlfioEmanueleFresta AlfioEmanueleFresta commented Dec 26, 2025
edited
Loading

This PR migrates JSON request parsing to use libwebauthn's WebAuthnIDL::from_json() trait instead of our custom parsing code. This removes ~700 lines of manual parsing in favour of the shared implementation.

Changes

  • Use MakeCredentialRequest::from_json() and GetAssertionRequest::from_json() from libwebauthn
  • Remove intermediate parsing structs (MakeCredentialOptions, GetCredentialOptions, CredentialDescriptor, etc.)
  • Pin libwebauthn to commit d97c80d25bdb974472c40de5e5031db5946ad532 (from Web IDL support 3/N: response JSON serialization libwebauthn#155)

Behavioral changes

Default timeout

The default timeout when not specified by the relying party changes from 300s to 60s:

Allow list transports

Previously we cleared transports from credentials in the allow list as a workaround. This is no longer done - transports now pass through as-is. These are just UI hints and shouldn't affect functionality.

Follow-up

@AlfioEmanueleFresta AlfioEmanueleFresta mentioned this pull request Dec 26, 2025
Open
msirringhaus
msirringhaus requested changes Jan 8, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@msirringhaus msirringhaus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some questions inline

Comment thread credentialsd/src/credential_service/nfc.rs
Comment thread credentialsd/src/dbus/model.rs Outdated
Comment thread credentialsd/src/dbus/model.rs Outdated
Comment thread credentialsd/src/dbus/model.rs Outdated
Comment thread credentialsd/src/dbus/model.rs Outdated
@iinuwa
Copy link
Copy Markdown
Member

iinuwa commented Feb 19, 2026

The default timeout when not specified by the relying party changes from 300s to 60s:

Haven't looked again at this full PR, but I'd like to preserve the 300 second timeout since that's the minimum timeout recommended by the spec for accessibility reasons.

I created linux-credentials/libwebauthn#172 to do that.

@iinuwa iinuwa mentioned this pull request Mar 13, 2026
Merged
@AlfioEmanueleFresta
Update libwebauthn to 0.3.0
9bb1cab 
Switch from a git rev pin to the published 0.3.0 release on crates.io.

Adapt to new APIs:
- CableQrCodeDevice::new_transient now returns Result<Self, Error>.
- UvUpdate gained a PinNotSet variant; handle it (currently logs an
  error pending UI support for PIN setup).
@AlfioEmanueleFresta
Derive rpId from NavigationContext in gateway
2fbdf14
@AlfioEmanueleFresta
Copy link
Copy Markdown
Member Author

AlfioEmanueleFresta commented May 8, 2026

@iinuwa this is now rebased on libwebauthn v0.3.0 and ready for review. If OK, I'll keep the libwebauthn API change (passing in the pre-parased Origin) as a follow up.

iinuwa
iinuwa requested changes May 9, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@iinuwa iinuwa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this seems fine, but I wasn't able to test due to linux-credentials/libwebauthn#191. I do want to drop the extra lockfiles though, since the one at the workspace root is the effective one.

Comment thread credentialsd/Cargo.lock Outdated
Comment thread credentialsd-common/Cargo.lock Outdated
@AlfioEmanueleFresta
Copy link
Copy Markdown
Member Author

AlfioEmanueleFresta commented May 9, 2026

Thanks for your review @iinuwa.

I was able to reproduce your issue - it appears to be specific to SoloKeys Solo 2 firmware and JSON requests which include a PublicKeyCredentialDescriptor item (eg. within allowlist) with transports populated.

If it works with you, once linux-credentials/libwebauthn#192 lands I'll publish a new libwebauthn version, then open a new credentialsd PR for the bump.

@AlfioEmanueleFresta
Remove unnecessary subdirectory Cargo.lock files
27d59c6 
The workspace root Cargo.lock is the effective one.
@AlfioEmanueleFresta AlfioEmanueleFresta requested a review from iinuwa May 9, 2026 21:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@msirringhaus msirringhaus Awaiting requested review from msirringhaus

@iinuwa iinuwa Awaiting requested review from iinuwa

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AlfioEmanueleFresta @iinuwa @msirringhaus