docs: add WebAuthn fixtures how-to#592
Conversation
Task-first how-to for WebAuthn ceremony validation using uselesskey-webauthn's deterministic registration and assertion fixtures. Mirrors the structure of test-oidc-jwks-validation.md and test-tls-chain-validation.md (positive path + negative paths + what-this-does-not-prove + scanner-safety boundary).
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9416805ee6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| bytes the validator hashed (`authenticator_data || | ||
| sha256(client_data_json)`). |
There was a problem hiding this comment.
Correct signature input to raw clientDataJSON
For these fixtures the assertion signature is generated over the raw client_data_json, not sha256(client_data_json): build_assertion concatenates auth_data.as_slice() with client_data_json.as_slice() before calling mock_signature. Users following this step will hash the client data first and either reject every valid AssertionFixture or write tests against bytes the crate never produces.
Useful? React with 👍 / 👎.
Pure docs PR. Task-first how-to for WebAuthn ceremony validation. Part of the Phase 4 task-first user-paths sweep.
File added
docs/how-to/test-webauthn-validation.md— how-to that walks a downstream WebAuthn validator through generatingRegistrationFixture/AssertionFixturefromuselesskey-webauthn, what each component (client_data_json,authenticator_data,attestation_object, COSE EC2 credential public key,signature,sign_count,aaguid) contains, how to verify the ceremony, and how to test failure paths (wrong RP ID, wrong origin, wrong challenge, tampered authenticator data, replayed sign count). Closes the same shape as the OIDC and TLS how-tos: positive path, negative paths, what this proves, what this does not prove, scanner-safety boundary.Notes
WebAuthnFactoryExtsurface (webauthn_registration/webauthn_assertion) andWebAuthnSpec::packedconstructor — verified againstcrates/uselesskey-webauthn/src/lib.rs.attStmt.sigandAssertionFixture.signatureare SHA-256 digests, not ECDSA signatures, and there is no real attestation trust path.