Webauthn

from webauthn.helpers import parse_registration_options_json

json_reg_options: dict = get_stored_registration_options(session_id)
parsed_reg_options: PublicKeyCredentialCreationOptions = parse_registration_options_json(
json_reg_options,
)


This same logic applies to calls to `PublicKeyCredentialRequestOptions.parse_obj()` - these calls can be replaced with the new `webauthn.helpers.parse_authentication_options_json()` in this release as well.

**Changes:**

- See **Breaking Changes** below

**Breaking Changes:**

- [Pydantic](https://docs.pydantic.dev/latest/) is no longer used by py_webauthn. If your project
calls any Pydantic-specific methods on classes provided by py_webauthn then you will need to
refactor those calls accordingly. Typical use of py_webauthn should not need any major refactor
related to this change, but please see **Breaking Changes** below ([195](https://github.com/duo-labs/py_webauthn/pull/195))
- `webauthn.helpers.generate_challenge()` now always generates 64 random bytes and no longer accepts any arguments. Refactor your existing calls to remove any arguments ([198](https://github.com/duo-labs/py_webauthn/pull/198))
- `webauthn.helpers.exceptions.InvalidClientDataJSONStructure` has been replaced by `webauthn.helpers.exceptions.InvalidJSONStructure` ([195](https://github.com/duo-labs/py_webauthn/pull/195))
- `webauthn.helpers.json_loads_base64url_to_bytes()` has been removed ([195](https://github.com/duo-labs/py_webauthn/pull/195))
- The `user_id` argument passed into `generate_registration_options()` is now `Optional[bytes]`
instead of a required `str` value. A random sequence of 64 bytes will be generated for `user_id`
if it is `None` ([197](https://github.com/duo-labs/py_webauthn/pull/197))
- There are a few options available to refactor existing calls:

Option 1: Use the `base64url_to_bytes()` helper

If you already store your WebAuthn user ID bytes as base64url-encoded strings then you can simply decode these strings to bytes using an included helper:

**Before:**
py
options = generate_registration_options(
...
user_id: "3ZPk1HGhX_cul7z5UydfZE_vgnUYkOVshDNcvI1ILyQ",
)


**After:**

py
from webauthn.helpers import bytes_to_base64url

options = generate_registration_options(
...
user_id: bytes_to_base64url("3ZPk1HGhX_cul7z5UydfZE_vgnUYkOVshDNcvI1ILyQ"),
)


Option 2: Generate unique WebAuthn-specific identifiers for existing and new users

WebAuthn **strongly** encourages Relying Parties to use 64 randomized bytes for **every** user ID you pass into `navigator.credentials.create()`. This would be a second identifier used exclusively for WebAuthn that you associate along with your typical internal user ID.

py_webauthn includes a `generate_user_handle()` helper that can simplify the task of creating this special user identifier for your existing users in one go:

py
from webauthn.helpers import generate_user_handle

Pseudocode (imagine this is in some kind of migration script)
for user in get_all_users_in_db():
add_webauthn_user_id_to_db_for_user(
current_user=user.id,
webauthn_user_id=generate_user_handle(), Generates 64 random bytes
)


You can also use this method when creating new users to ensure that all subsequent users have a WebAuthn-specific identifier as well:

py
from webauthn.helpers import generate_user_handle

...existing user onboarding logic...

Pseudocode
create_new_user_in_db(
...
webauthn_user_id=generate_user_handle(),
)


Once your users are assigned their second WebAuthn-specific ID you can then pass those bytes into `generate_registration_options()` on subsequent calls:

py
Pseudocode
webauthn_user_id: bytes = get_webauthn_user_id_bytes_from_db(current_user.id)

options = generate_registration_options(
...
user_id=webauthn_user_id,
)


Option 3: Let `generate_registration_options()` generate a user ID for you

When the `user_id` argument is omitted then a random 64-byte identifier will be generated for you:

**Before:**
py
options = generate_registration_options(
...
user_id: "USERIDGOESHERE",
)


**After:**
py
Pseudocode
webauthn_user_id: bytes | None = get_webauthn_user_id_bytes_from_db(
current_user=current_user.id,
)

options = generate_registration_options(
...
user_id=webauthn_user_id,
)

if webauthn_user_id is None:
Pseudocode
store_webauthn_user_id_bytes_in_your_db(
current_user=current_user.id,
webauthn_user_id=options.user.id, Randomly generated 64-bytes
)


Option 4: Encode existing `str` argument to UTF-8 bytes

This technique is a quick win, but can be prone to base64url-related encoding and decoding quirks between browsers. **It is recommended you quickly follow this up with Option 2 or Option 3 above:**

**Before:**
py
options = generate_registration_options(
...
user_id: "USERIDGOESHERE",
)


**After:**

py
options = generate_registration_options(
...
user_id: "USERIDGOESHERE".encode('utf-8'),
)

**Changes:**

- Deprecation warnings related to `cbor2` in projects using `cbor2>=5.5.0` will no longer appear during registration and authentication response verification ([181](https://github.com/duo-labs/py_webauthn/pull/181))

**Changes:**

- The `credential` argument in `verify_registration_response()` and `verify_authentication_response()` can now also be a stringified JSON `str` or a plain JSON `dict` version of a WebAuthn response ([172](https://github.com/duo-labs/py_webauthn/pull/172), [#178](https://github.com/duo-labs/py_webauthn/pull/178))
- Various methods will now raise `webauthn.helpers.exceptions.InvalidCBORData` when there is a problem parsing CBOR-encoded data ([179](https://github.com/duo-labs/py_webauthn/pull/179))
- Updated dependencies to `cbor2==5.4.6` and `cryptography==41.0.4` ([178](https://github.com/duo-labs/py_webauthn/pull/178))

**Changes:**

- Fix parsing error caused by registration responses from certain models of authenticators that incorrectly CBOR-encode their `authData` after creating an Ed25519 public keys ([167](https://github.com/duo-labs/py_webauthn/pull/167))

**Changes:**

- Support use in projects using either Pydantic v1 or v2 ([166](https://github.com/duo-labs/py_webauthn/pull/166))