feat(webauthn): include new credential flags func

[james-d-elliott]

This adds a new function NewCredentialFlags which is leveraged by us to derive the flags that the spec requires implementers store. The addition of this function ensures that added functionality or flags that need to be stored can relatively easily and painlessly be stored and restored by third parties.

[coderabbitai]

Walkthrough

The pull request introduces a new utility function NewCredentialFlags in the webauthn package, which creates a CredentialFlags instance from protocol.AuthenticatorFlags. The CredentialFlags struct is updated to include a new raw field for storing the original flags. Additionally, the NewCredential function is modified to use the new utility function for instantiating the Flags field, centralizing the logic for flag handling and improving code maintainability without changing existing functionality.

Changes

File Path	Change Summary
webauthn/credential.go	- Added method: NewCredentialFlags(flags protocol.AuthenticatorFlags) CredentialFlags
	- Updated struct: CredentialFlags now includes raw protocol.AuthenticatorFlags
	- Modified NewCredential to utilize NewCredentialFlags for instantiating Flags
README.md	- Added new section: "Flags" regarding flag storage recommendations
	- Added new section: "Credential Record" with mapping of specification fields
	- Included guidance on restoring webauthn.Credential and its validation implications
	- Added content on the verification process using the Credential Verify function

Possibly related PRs

• feat: parse credential bytes #258: Modifications to protocol package relevant to credential handling, similar to changes in the main PR regarding CredentialFlags.
• fix(webauthn): expose cred params functions #286: Pertains to the webauthn package and involves credential parameters, relating to the overall handling and structure of credential data.

🐰 In the code where flags do play,
A new function brightens the way.
With raw now stored, oh what a sight,
Credentials handled with pure delight!
So hop along, let’s code and cheer,
For maintainability is finally here! 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

webauthn/credential.go (1)

38-49: Well-designed utility function with forward compatibility!

The function is well-documented and follows good design principles by:

• Centralizing flag conversion logic
• Preserving raw flags for future W3C specification changes
• Enabling backward compatibility through flag restoration

The approach of storing raw flags alongside parsed values is a robust pattern for handling evolving specifications. This design allows for:

• Future flag additions without breaking changes
• Runtime recomputation of derived fields
• Validation against original values

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 77b369a and 82a85b9.

📒 Files selected for processing (1)

• webauthn/credential.go (3 hunks)

🔇 Additional comments (2)

webauthn/credential.go (2)

64-66: Good addition of Raw field maintaining backward compatibility

The Raw field is properly added with JSON serialization support and clear documentation.

---

94-94: Good refactor using the new utility function

The change improves maintainability by centralizing flag handling logic in NewCredentialFlags.

Let's verify this is the only place where credential flags are initialized:

✅ Verification successful

Refactoring is correctly implemented and isolated

The verification confirms that:

• NewCredentialFlags is the only place where CredentialFlags struct is initialized
• The struct is used appropriately as a field type and in the utility function
• No other direct initializations of CredentialFlags exist in the codebase

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for direct CredentialFlags struct initialization
ast-grep --pattern 'CredentialFlags{$$$}'

# Search for other potential uses of the flags
rg "CredentialFlags" -A 3

Length of output: 2021

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (3)

README.md (3)

318-322: Consider rephrasing for clarity and conciseness

The explanation about flag storage evolution could be more direct. Consider this revision:

-It's important to note that the recommendations and requirements for flag storage have changed over the course of the
-evolution of the WebAuthn specification. We at the present time only make the flags classified like this available for
-easy storage however we also make the Protocol Value available. At such a time as these recommendations or requirements
-change we will adapt accordingly. The Protocol Value is a raw representation of the flags and as such is resistant to
-breaking changes whereas the other flags or lack thereof may not be.
+The WebAuthn specification's recommendations for flag storage have evolved over time. While we currently expose specific
+flag classifications for easy storage, we also provide access to the Protocol Value - a raw representation of the flags
+that's resistant to breaking changes. This approach ensures compatibility as the specification continues to evolve.

🧰 Tools

🪛 LanguageTool

[style] ~319-~319: ‘at the present time’ might be wordy. Consider a shorter alternative.
Context: ...ution of the WebAuthn specification. We at the present time only make the flags classified like thi...

(EN_WORDINESS_PREMIUM_AT_THE_PRESENT_TIME)

---

Line range hint 331-349: Consider adding a code example for credential verification

The verification section would benefit from a practical example showing how to use the Credential.Verify() function with a metadata provider. This would help implementers better understand the verification process.

Would you like me to provide a code example demonstrating credential verification with a metadata provider?

🧰 Tools

🪛 LanguageTool

[style] ~319-~319: ‘at the present time’ might be wordy. Consider a shorter alternative.
Context: ...ution of the WebAuthn specification. We at the present time only make the flags classified like thi...

(EN_WORDINESS_PREMIUM_AT_THE_PRESENT_TIME)

---

[style] ~329-~329: To make your writing clearer, consider a more direct alternative.
Context: ...e, and only store the
individual flags as a means to perform compliance related decisions.

St...

(AS_A_MEANS_TO)

---

329-329: Improve phrasing for clarity

Consider revising this line for more direct communication:

-individual flags as a means to perform compliance related decisions.
+individual flags for performing compliance-related decisions.

🧰 Tools

🪛 LanguageTool

[style] ~329-~329: To make your writing clearer, consider a more direct alternative.
Context: ...e, and only store the
individual flags as a means to perform compliance related decisions.

St...

(AS_A_MEANS_TO)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 82a85b9 and 00e78c9.

📒 Files selected for processing (2)

• README.md (1 hunks)
• webauthn/credential.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• webauthn/credential.go

🧰 Additional context used

🪛 LanguageTool

README.md

[style] ~319-~319: ‘at the present time’ might be wordy. Consider a shorter alternative.
Context: ...ution of the WebAuthn specification. We at the present time only make the flags classified like thi...

(EN_WORDINESS_PREMIUM_AT_THE_PRESENT_TIME)

---

[style] ~329-~329: To make your writing clearer, consider a more direct alternative.
Context: ...e, and only store the
individual flags as a means to perform compliance related decisions.

St...

(AS_A_MEANS_TO)

🔇 Additional comments (1)

README.md (1)

Line range hint 316-349: Documentation changes look good!

The new sections effectively document the credential flags functionality, storage recommendations, and verification process. The content is well-structured and provides valuable guidance for implementers.

🧰 Tools

🪛 LanguageTool

[style] ~319-~319: ‘at the present time’ might be wordy. Consider a shorter alternative.
Context: ...ution of the WebAuthn specification. We at the present time only make the flags classified like thi...

(EN_WORDINESS_PREMIUM_AT_THE_PRESENT_TIME)

---

[style] ~329-~329: To make your writing clearer, consider a more direct alternative.
Context: ...e, and only store the
individual flags as a means to perform compliance related decisions.

St...

(AS_A_MEANS_TO)

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (3)

README.md (3)

316-330: Improve clarity and grammar in the Flags section

The technical content is accurate, but the text could be clearer. Consider these refinements:

-It's important to note that the recommendations and requirements for flag storage have changed over the course of the
-evolution of the WebAuthn specification. We at the present time only make the flags classified like this available for
-easy storage however we also make the Protocol Value available. At such a time as these recommendations or requirements
-change we will adapt accordingly. The Protocol Value is a raw representation of the flags and as such is resistant to
-breaking changes whereas the other flags or lack thereof may not be.
+The recommendations and requirements for flag storage have evolved throughout the WebAuthn specification's development.
+Currently, we provide both classified flags for easy storage and the Protocol Value. While we will adapt the classified
+flags as specifications change, the Protocol Value, being a raw representation of the flags, remains resistant to
+breaking changes.

-Implementers are therefore encouraged to use
+Therefore, implementers should use

🧰 Tools

🪛 LanguageTool

[style] ~319-~319: ‘at the present time’ might be wordy. Consider a shorter alternative.
Context: ...ution of the WebAuthn specification. We at the present time only make the flags classified like thi...

(EN_WORDINESS_PREMIUM_AT_THE_PRESENT_TIME)

---

[uncategorized] ~320-~320: Possible missing comma found.
Context: ...lassified like this available for
easy storage however we also make the Protocol Value...

(AI_HYDRA_LEO_MISSING_COMMA)

---

[uncategorized] ~328-~328: A comma might be missing here.
Context: ...using the individual flags to store the value store the Protocol Value, and only stor...

(AI_EN_LECTOR_MISSING_PUNCTUATION_COMMA)

---

[style] ~329-~329: To make your writing clearer, consider a more direct alternative.
Context: ...e, and only store the
individual flags as a means to perform compliance related decisions.

N...

(AS_A_MEANS_TO)

---

331-347: Add impact assessment details to the Notable Changes section

The section effectively explains the breaking change, but consider adding:

1. How to identify affected credentials
2. Estimated impact on different types of deployments
3. Recommended testing approach before applying changes

🧰 Tools

🪛 LanguageTool

[style] ~346-~346: ‘prior to’ might be wordy. Consider a shorter alternative.
Context: ...observed.

The values can be obtained prior to validating the parsed response similar ...

(EN_WORDINESS_PREMIUM_PRIOR_TO)

---

[uncategorized] ~346-~346: Possible missing comma found.
Context: ...obtained prior to validating the parsed response similar to the example below:

...

(AI_HYDRA_LEO_MISSING_COMMA)

</details>

</details>

---

`348-374`: **Fix code example formatting**

The code example is helpful, but contains formatting inconsistencies:

1. Replace hard tabs with spaces for consistent rendering
2. Consider adding error handling for the `NewCredentialFlags` call
3. Add a comment explaining what to do with the `flags` value after obtaining it

```diff
func FinishLogin(w http.ResponseWriter, r *http.Request) {
  // Abstract Business Logic: Get the WebAuthn User. 
  user := datastore.GetUser()

  // Abstract Business Logic: Get the WebAuthn Session Data. 
  session := datastore.GetSession()

  parsedResponse, err := protocol.ParseCredentialRequestResponse(r)
  if err != nil {
    // Handle Error and return.
    return
  }

  // Handle updating the appropriate credential using the flags value.
  flags := webauthn.NewCredentialFlags(parsedResponse.Response.AuthenticatorData.Flags)
+  
+  // Update the credential's flags in your storage
+  credential := user.GetCredential() // Get the credential to update
+  credential.Flags = flags
+  user.UpdateCredential(credential)
}

🧰 Tools

🪛 Markdownlint (0.35.0)

352-352: Column: 1
Hard tabs

(MD010, no-hard-tabs)

---

353-353: Column: 1
Hard tabs

(MD010, no-hard-tabs)

---

354-354: Column: 1
Hard tabs

(MD010, no-hard-tabs)

---

355-355: Column: 1
Hard tabs

(MD010, no-hard-tabs)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 00e78c9 and b5ecd1d.

📒 Files selected for processing (2)

• README.md (1 hunks)
• webauthn/credential.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• webauthn/credential.go

🧰 Additional context used

🪛 LanguageTool

README.md

[style] ~319-~319: ‘at the present time’ might be wordy. Consider a shorter alternative.
Context: ...ution of the WebAuthn specification. We at the present time only make the flags classified like thi...

(EN_WORDINESS_PREMIUM_AT_THE_PRESENT_TIME)

---

[uncategorized] ~320-~320: Possible missing comma found.
Context: ...lassified like this available for
easy storage however we also make the Protocol Value...

(AI_HYDRA_LEO_MISSING_COMMA)

---

[uncategorized] ~328-~328: A comma might be missing here.
Context: ...using the individual flags to store the value store the Protocol Value, and only stor...

(AI_EN_LECTOR_MISSING_PUNCTUATION_COMMA)

---

[style] ~329-~329: To make your writing clearer, consider a more direct alternative.
Context: ...e, and only store the
individual flags as a means to perform compliance related decisions.

N...

(AS_A_MEANS_TO)

---

[style] ~346-~346: ‘prior to’ might be wordy. Consider a shorter alternative.
Context: ...observed.

The values can be obtained prior to validating the parsed response similar ...

(EN_WORDINESS_PREMIUM_PRIOR_TO)

---

[uncategorized] ~346-~346: Possible missing comma found.
Context: ...obtained prior to validating the parsed response similar to the example below:

...

(AI_HYDRA_LEO_MISSING_COMMA)

</details>

</details>
<details>
<summary>🪛 Markdownlint (0.35.0)</summary>

<details>
<summary>README.md</summary>

352-352: Column: 1
Hard tabs

(MD010, no-hard-tabs)

---

353-353: Column: 1
Hard tabs

(MD010, no-hard-tabs)

---

354-354: Column: 1
Hard tabs

(MD010, no-hard-tabs)

---

355-355: Column: 1
Hard tabs

(MD010, no-hard-tabs)

</details>

</details>

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->