WebAuthn setup unauthorized

[YasuhiroYoshida]

I have a clean-slate Rails 8 application with rodauth-rails.
As an added security, I am adding Passkeys functionality.
It's great up until I click "Setup WebAuthn Authentication" which produces an 401 error.

Example:

Started POST "/webauthn-setup" for 172.18.0.1 at 2025-01-21 13:54:32 +0900
Processing by RodauthController#webauthn_setup as HTML
  Parameters: {"authenticity_token" => "[FILTERED]", "webauthn_setup_challenge" => "B2WFw9QS_N-Lg1VJRWfEi-rCWVBAoa_a94cwdFfWFgo", "webauthn_setup_challenge_hmac" => "e5K1QskYSCYqlg3pXiU895v7nBtW3RlVXbTk5Qbp458", "webauthn_setup" => "{\"type\":\"public-key\",\"id\":\"wspvixcK-gynD2bHwe9kRA\",\"rawId\":\"wspvixcK-gynD2bHwe9kRA\",\"response\":{\"attestationObject\":\"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NZAAAAAOqbjWZNAR0hPOS2tIy1ddQAEMLKb4sXCvoMpw9mx8HvZESlAQIDJiABIVggLw65K5adiARFSAItV8pfqvMV2uQZpzRUT-Pjm-gQyDIiWCBgKNEzrnezb-WLPCLEPJvXm1T8Np67V-VEYeSS4YzKHg\",\"clientDataJSON\":\"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiQjJXRnc5UVNfTi1MZzFWSlJXZkVpLXJDV1ZCQW9hX2E5NGN3ZEZmV0ZnbyIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIsImNyb3NzT3JpZ2luIjpmYWxzZX0\"}}"}
  Sequel (1.1ms)  SELECT CAST(current_setting('server_version_num') AS integer) AS v
  ↳ app/misc/rodauth_app.rb:32:in 'block in <class:RodauthApp>'
  Sequel (0.9ms)  SELECT * FROM "users" WHERE (("id" = 26) AND (("status" = 2) OR (("status" = 1) AND ("id" IN (SELECT "id" FROM "user_verification_keys" WHERE ((CAST("requested_at" AS timestamp) + make_interval(secs := 86400)) > CURRENT_TIMESTAMP)))))) LIMIT 1
  ↳ app/misc/rodauth_app.rb:32:in 'block in <class:RodauthApp>'
  Rendering layout layouts/application.html.erb
  Rendering rodauth/webauthn_setup.html.erb within layouts/application
  Sequel (0.5ms)  SELECT "webauthn_id" FROM "user_webauthn_user_ids" WHERE ("id" = 26) LIMIT 1
  ↳ app/views/rodauth/webauthn_setup.html.erb:2
  Sequel (0.5ms)  SELECT "webauthn_id" FROM "user_webauthn_keys" WHERE ("user_id" = 26)
  ↳ app/views/rodauth/webauthn_setup.html.erb:2
  Rendered rodauth/webauthn_setup.html.erb within layouts/application (Duration: 13.3ms | GC: 0.0ms)
  Rendered layouts/_favicon.html.erb (Duration: 1.0ms | GC: 0.0ms)
  Rendered layouts/_header.html.erb (Duration: 2.2ms | GC: 0.0ms)
  Rendered layouts/_flash.html.erb (Duration: 4.4ms | GC: 0.0ms)
  Rendered layouts/_footer.html.erb (Duration: 0.9ms | GC: 0.0ms)
  Rendered layout layouts/application.html.erb (Duration: 42.8ms | GC: 0.0ms)
Completed 401 Unauthorized in 546ms (Views: 49.6ms | ActiveRecord: 3.0ms (4 queries, 0 cached) | GC: 0.0ms)


Started GET "/webauthn-setup-js" for 172.18.0.1 at 2025-01-21 13:54:33 +0900
Processing by RodauthController#webauthn_setup_js as */*
Completed 200 OK in 269ms (ActiveRecord: 0.0ms (0 queries, 0 cached) | GC: 0.0ms)

app/misc/rodauth_app.rb:32 is where r.rodauth goes inside RodauthApp like this

class RodauthApp < Rodauth::Rails::App
  # primary configuration
  configure RodauthMain

  # secondary configuration
  # configure RodauthAdmin, :admin

  route do |r|
    rodauth.load_memory # autologin remembered users

    r.rodauth # route rodauth requests

I read Janko's articles and watched his videos many times. I don't think I have screwed up anything. It would be nice if I could get hints to solve this issue.

But I believe what I need the most is how to debug rodauth(-rails). The usual binding.pry or debugger won't work; it stops at the breakpoint, but it is unresponsive to my input. How does everyone debug for rodauth(-rails)?

[janko]

Is setting up passkeys working for you in the official Rails demo app? If yes, can you spot differences with your app? If not, could you share a fresh Rails app that reproduces the issue?

Rodauth shouldn't be returning 401s unless in JSON mode or maybe performing HTTP Basic Auth, so I'm surprised your getting one.

[YasuhiroYoshida]

There are so many differences between my app and the official Rails demo app. I probably won't be able to find the culprit 🤷‍♂️

[janko]

If you had a clean-slate Rails 8 app, theoretically if you create a new Rails app, install Rodauth, then enable the WebAuthn, you should be able to reproduce the issue, right? Are you able to go over the behavior that you changed from newly generated app and see if anything can cause the response?

I assumed passkey creation failed based on the SQL logs you provided, but you say it was successful. It doesn't appear Rodauth attempted to redirect to another endpoint after it created the passkeys, otherwise that would be visible in the logs.

[janko]

But when I log out and try to log in, it won't let me with the passkeys.

It doesn't find the passkeys stored in the database?

Both apps won't say anything else. So much is hidden.

As I said, I'm not convinced this this 401 response is coming from Rodauth, because it doesn't do that in HTML mode. I think it's coming from application code or some other gem.

[janko]

Just tried in a fresh Rails 8 app, where I only installed Rodauth and added WebAuthn, and passkey creation works successfully (with a 302 redirect) 🤷🏻‍♂️ Let me know if you were able to figure it out.

Also, if you find that rodauth-rails hides something about how it works in a way that other Rails engines like Devise don't, I would be glad to hear about it so that I can improve transparency where possible 😉

[YasuhiroYoshida]

It was my mistake. I apologize.

As I read through the code and documentations and watched the videos, I reproduced many authentication patterns. And at one point It seems I failed to have my code revert to the original state; the password input field was missing.

After I recovered the input field, it started working. Webauthn setup with such input field was not familiar to me and I didn't find it strange when it was missing for a while.

As for debugging, I stopped running the default bin/dev and moved the contents outside of it for now. It started allowing me to remote-debug. But I am sure there would be more elegant solutions, and I hope somebody will chip in with them.

🙏