py_webauthn
Add credential protection policy and large blob support
We needed support for large blobs and credential protection policy in our project, which py_webauthn didn't provide. We added the appropriate structs and options to generate_registration_options, which worked fine for us.
closes #127
I neglected to thank you for submitting this PR: thank you! I've been meaning to sit down and think about extension support with a bit more abstract API that wouldn't require you to know all of the values for a given extension.
For example, why not have an optional require_large_blob_support: bool argument to generate_registration_options(), since the only option in AuthenticationExtensionsLargeBlobInputs that's valid for registration is support? Technically require_large_blob_support=False would do the same thing as setting support: "preferred" because the spec itself states:
Otherwise (i.e. support is absent or has the value preferred):
So there's no need to even include the value if you're not going to set it to "required".
And for authentication you can specify either read or write, but not both. Therefore I could see adding a write_large_blob: Optional[bytes] = None and read_large_blob: bool = False to generate_authentication_options(), and error out when both are set, so that the developer using the method doesn't need to be aware of the intricacies of the spec - we can remove most of the footguns for them.
These are the angles from which I was going to approach adding support for extensions like largeBlob. Since you're interested in the feature, though, I'm curious to hear what you think about this approach.
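The argument shape proposed in the comment above, sketched as an added example that is not py_webauthn code and not part of the PR. The two function names are hypothetical, and encoding the write value as unpadded base64url for JSON transport is an assumption of this sketch.

```python
import base64
from typing import Any, Dict, Optional


def _b64url(data: bytes) -> str:
    # Unpadded base64url, so the blob survives JSON serialization (assumption).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def large_blob_registration_extension(
    require_large_blob_support: bool = False,
) -> Dict[str, Any]:
    """Hypothetical helper: build the `extensions` member for registration.

    Only `support` is valid at registration. An absent value is treated
    like "preferred", so nothing is emitted unless support is required.
    """
    if not require_large_blob_support:
        return {}
    return {"largeBlob": {"support": "required"}}


def large_blob_authentication_extension(
    write_large_blob: Optional[bytes] = None,
    read_large_blob: bool = False,
) -> Dict[str, Any]:
    """Hypothetical helper: build the `extensions` member for authentication.

    `read` and `write` are mutually exclusive, so the conflict is rejected
    on the server before any options reach the browser.
    """
    if write_large_blob is not None and read_large_blob:
        raise ValueError("largeBlob: set read_large_blob or write_large_blob, not both")
    if read_large_blob:
        return {"largeBlob": {"read": True}}
    if write_large_blob is not None:
        # An empty bytes value is still an explicit write request.
        return {"largeBlob": {"write": _b64url(write_large_blob)}}
    return {}


if __name__ == "__main__":
    print(large_blob_registration_extension(require_large_blob_support=True))
    print(large_blob_authentication_extension(read_large_blob=True))
    print(large_blob_authentication_extension(write_large_blob=b"\x00\x01\x02"))
```
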
Closing for now due to inactivity