Unable to use custom ChallengeGenerator

[dscreve]

ChallengeGenerator::generate is internal...Then creation of custom ChallengeGenerator is not permitted...and WebAuthnManager::challengeGenerator is private.

[0xTim]

@dscreve what are you looking to do with a custom challenge generator? It's an internal implementation detail at the moment

[dscreve]

I’m running a stateless environment : I cannot store challenge in session but I need to check if challenge is trusted and can be used in current context. So I need to put custom info in it (even if it contains random data).David ScrèveLe 12 juil. 2024 à 19:19, Tim Condon ***@***.***> a écrit : @dscreve what are you looking to do with a custom challenge generator? It's an internal implementation detail at the moment —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[dimitribouniol]

Nothing is preventing you from repackaging PublicKeyCredentialCreationOptions with your own challenge, though the challenge must be independently verifiable, otherwise you open yourself up to replay attacks.

ie. Just make your own codable type with similar fields. The JS side can also transform this in any way you need, the browser isn't requesting this directly.

[dscreve]

Actually, implicit init function is internal, making creation of PublicKeyCredentialCreationOptions  impossible.David ScrèveLe 12 juil. 2024 à 21:35, Dimitri Bouniol ***@***.***> a écrit : Nothing is preventing you from repackaging PublicKeyCredentialCreationOptions with your own challenge, though the challenge must be independently verifiable, otherwise you open yourself up to replay attacks. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>