Correct support links (#54)

You're right, thanks.

.gitattributes

@@ -2,10 +2,12 @@
 # https://www.kernel.org/pub/software/scm/git/docs/gitattributes.html
 
 # Ignore all test and documentation with "export-ignore".
+/.github            export-ignore
 /.gitattributes     export-ignore
 /.gitignore         export-ignore
 /phpunit.xml.dist   export-ignore
+/phpunit.xml        export-ignore
 /tests              export-ignore
 /.editorconfig      export-ignore
-/.github            export-ignore
-/.assets            export-ignore
+/.styleci.yml       export-ignore
+/composer.lock      export-ignore

.github/FUNDING.yml

@@ -1,5 +1,3 @@
-# Help me support this package
-
-patreon: PackagesForLaravel
-ko_fi: DarkGhostHunter
-custom: ['https://www.buymeacoffee.com/darkghosthunter', 'https://paypal.me/darkghosthunter']
+# Let's keep it free and up to date
+github: DarkGhostHunter
+custom: "https://paypal.me/darkghosthunter"

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,5 +1,8 @@
 name: Bug Report
-description: File a bug report
+description: |
+  File a bug report to be fixed.
+
+  Sponsors get priority issues, PRs, fixes and requests. Not a sponsor? [You're a just click away!](https://github.com/sponsors/DarkGhostHunter).
 title: "[X.x] What does happen that is considered an error or bug?"
 labels: ["bug"]
 assignees:
@@ -9,6 +12,7 @@ body:
     attributes:
       value: |
         Thanks for taking the time to fill out this bug report!
+
         The more detailed this bug report is, the faster it can be reviewed and fixed.
   - type: input
     id: version-php-os
@@ -18,6 +22,14 @@ body:
       placeholder: 8.1.2 - Ubuntu 22.04 x64
     validations:
       required: true
+  - type: input
+    id: version-db
+    attributes:
+      label: Database
+      description: Exact DB version using this package, if applicable.
+      placeholder: MySQL 8.0.28
+    validations:
+      required: false
   - type: input
     id: version-laravel
     attributes:
@@ -26,28 +38,12 @@ body:
       placeholder: 9.2.3
     validations:
       required: true
-  - type: input
-    id: version-authenticator
-    attributes:
-      label: Authenticator type
-      description: If applicable, exact authenticator you're using.
-      placeholder: YubiKey 5, iPhone 7s, Samsung Galaxy S11+...
-    validations:
-      required: false
-  - type: input
-    id: version-os-browser
-    attributes:
-      label: OS and Browser versions
-      description: If applicable, exact OS and Browser versions
-      placeholder: Android 12.0 - Chrome 102.0.5005.99
-    validations:
-      required: false
   - type: checkboxes
     id: requirements
     attributes:
       label: Have you done this?
       options:
-        - label: I am willing to share my stack trace and logs
+        - label: I have checked my logs and I'm sure is a bug in this package.
           required: true
         - label: I can reproduce this bug in isolation (vanilla Laravel install)
           required: true
@@ -58,7 +54,7 @@ body:
     attributes:
       label: Expectation
       description: Write what you expect to (correctly) happen.
-      placeholder: When I do this, I expect to this to happen.
+      placeholder: When I do this, I expect to happen that.
     validations:
       required: true
   - type: textarea
@@ -73,7 +69,7 @@ body:
     id: reproduction
     attributes:
       label: Reproduction
-      description: Paste the code to assert in a test, or just comment with the repository with the bug.
+      description: Paste the code to assert in a test, or just comment with the repository with the bug to download.
       render: php
       placeholder: |
         $test = Laragear::make()->break();
@@ -87,27 +83,8 @@ body:
     id: logs
     attributes:
       label: Stack trace & logs
-      description: If you have a stack trace, you can copy it here. You may hide sensible information.
-      placeholder: This is automatically formatted into code, no need for backticks.
+      description: If you have a **full** stack trace, you can copy it here. You may hide sensible information.
+      placeholder: This is automatically formatted into code, no need for ``` backticks.
       render: shell
     validations:
       required: false
-  - type: textarea
-    id: attestation-assertion
-    attributes:
-      label: Attestation / Assertion objects
-      description: If applicable, add the Attestation and Assertion objects you have debugged.
-      placeholder: This is automatically formatted into Javascript, no need for backticks.
-      render: javascript
-    validations:
-      required: false
-  - type: dropdown
-    id: supporter
-    attributes:
-      label: Are you a Patreon supporter?
-      description: Patreon supporters get priority review, fixing and responses. Are you not? [Become one!](https://patreon.com/packagesforlaravel)
-      options:
-        - Yes, with my username
-        - No, don't give priority to this
-    validations:
-      required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,5 +1,8 @@
 name: Feature request
-description: Suggest a feature for this package
+description: |
+  Suggest a feature for this package.
+
+  Sponsors get priority issues, PRs, fixes and requests. Not a sponsor? [You're a just click away!](https://github.com/sponsors/DarkGhostHunter).
 title: "[X.x] Add this cool feature for this package"
 labels: ["enhancement"]
 assignees:
@@ -28,7 +31,12 @@ body:
     attributes:
       label: Description
       description: Describe how the feature works
-      placeholder: This new feature would accomplish this, and would be cool to integrate it to the package because...
+      placeholder: |
+        This new feature would accomplish...
+
+        It could be implemented by doing...
+
+        And it would be cool because...
     validations:
       required: true
   - type: textarea
@@ -41,13 +49,3 @@ body:
       render: php
     validations:
       required: true
-  - type: dropdown
-    id: supporter
-    attributes:
-      label: Are you a Patreon supporter?
-      description: Patreon supporters get priority review, fixing and responses. Are you not? [Become one!](https://patreon.com/packagesforlaravel)
-      options:
-        - Yes, with my username
-        - No, don't give priority to this
-    validations:
-      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,23 +1,22 @@
 <!--
-
 Thanks for contributing to this package! We only accept PR to the latest stable version.
 
 If you're pushing a Feature:
 - Title it: "[X.x] This new feature"
 - Describe what the new feature enables
 - Show a small code snippet of the new feature
-- Ensure it doesn't break any feature.
+- Ensure it doesn't break backward compatibility.
 
 If you're pushing a Fix:
 - Title it: "[X.x] FIX: The bug name"
 - Describe how it fixes in a few words.
-- Ensure it doesn't break any feature.
+- Ensure it doesn't break backward compatibility.
 
 All Pull Requests run with extensive tests for stable and latest versions of PHP and Laravel. 
 Ensure your tests pass or your PR may be taken down.
 
-If you're a Patreon supporter, this PR will have priority.
-Not a Patreon supporter? Become one at https://patreon.com/packagesforlaravel
+If you're a Sponsor, this PR will have priority review.
+Not a Sponsor? Become one at https://github.com/sponsors/DarkGhostHunter
 -->
 
 # Description
@@ -29,5 +28,3 @@ This feature/fix allows to...
 ```php
 Laragear::sample();
 ```
-
-<!-- You may delete this section if it's a FIX -->

.github/workflows/php.yml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow
+
 name: Tests
 
 on:
@@ -5,46 +7,122 @@ on:
   pull_request:
 
 jobs:
-  test:
 
-    runs-on: ubuntu-latest
+  byte_level:
+    name: "0️⃣ Byte-level"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Check file permissions"
+        run: |
+          test "$(find . -type f -not -path './.git/*' -executable)" == ""
+      - name: "Find non-printable ASCII characters"
+        run: |
+          ! LC_ALL=C.UTF-8 find ./src -type f -name "*.php" -print0 | xargs -0 -- grep -PHn "[^ -~]"
+
+  syntax_errors:
+    name: "1️⃣ Syntax errors"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Set up PHP"
+        uses: "shivammathur/setup-php@v2"
+        with:
+          php-version: "8.1"
+          tools: "parallel-lint"
+
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Validate Composer configuration"
+        run: "composer validate --strict"
+
+      - name: "Check source code for syntax errors"
+        run: "composer exec -- parallel-lint src/"
+
+  unit_tests:
+    name: "2️⃣ Unit and Feature tests"
+    needs:
+      - "byte_level"
+      - "syntax_errors"
+    runs-on: "ubuntu-latest"
     strategy:
-      fail-fast: true
       matrix:
-        php: [ 8.0, 8.1 ]
-        laravel: [ 9.* ]
-        dependency-version: [ prefer-stable, prefer-lowest ]
-        include:
-          - laravel: 9.*
-            testbench: 7.*
-
-    name: PHP ${{ matrix.php }} - Laravel ${{ matrix.laravel }} - ${{ matrix.dependency-version }}
+        php-version:
+          - "8.0"
+          - "8.1"
+          - "8.2"
+        laravel-constraint:
+          - "9.*"
+          - "10.*"
+        dependencies:
+          - "lowest"
+          - "highest"
+        exclude:
+          - php-version: "8.0"
+            laravel-constraint: "10.*"
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+      - name: "Set up PHP"
+        uses: "shivammathur/setup-php@v2"
         with:
-          php-version: ${{ matrix.php }}
-          extensions: mbstring, intl
-          coverage: xdebug
+          php-version: "${{ matrix.php-version }}"
+          extensions: "mbstring, intl"
+          coverage: "xdebug"
 
-      - name: Cache dependencies
-        uses: actions/cache@v2
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Install dependencies"
+        uses: "ramsey/composer-install@v2"
         with:
-          path: ~/.composer/cache/files
-          key: ${{ runner.os }}-laravel-${{ matrix.laravel }}-php-${{ matrix.php }}-composer-${{ hashFiles('composer.json') }}
-          restore-keys: ${{ runner.os }}-laravel-${{ matrix.laravel }}-php-${{ matrix.php }}-composer-
+          dependency-versions: "${{ matrix.dependencies }}"
+          composer-options: "--with=laravel/framework:${{ matrix.laravel-constraint }}"
 
-      - name: Install dependencies
+      - name: "Execute unit tests"
+        run: "composer run-script test"
+
+      - name: "Upload coverage to Codecov"
+        uses: "codecov/codecov-action@v3"
+
+  static_analysis:
+    name: "3️⃣ Static Analysis"
+    needs:
+      - "byte_level"
+      - "syntax_errors"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Set up PHP"
+        uses: "shivammathur/setup-php@v2"
+        with:
+          tools: "phpstan"
+          php-version: "latest"
+          coverage: "none"
+
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Install dependencies"
+        uses: "ramsey/composer-install@v2"
+
+      - name: "Execute static analysis"
+        run: "composer exec -- phpstan analyze -l 5 src/"
+
+  exported_files:
+    name: "4️⃣ Exported files"
+    needs:
+      - "byte_level"
+      - "syntax_errors"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Checkout code"
+        uses: "actions/checkout@v3"
+
+      - name: "Check exported files"
         run: |
-          composer require "laravel/framework:${{ matrix.laravel }}" "orchestra/testbench:${{ matrix.testbench }}" --no-progress --no-update
-          composer update --${{ matrix.dependency-version }} --prefer-dist --no-progress
-      - name: Run Tests
-        run: composer run-script test
-
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
-
+          EXPECTED="LICENSE.md,README.md,composer.json"
+          CURRENT="$(git archive HEAD | tar --list --exclude="src" --exclude="src/*" --exclude=".stubs" --exclude=".stubs/*"  --exclude="routes" --exclude="routes/*" --exclude="stubs" --exclude="stubs/*" --exclude="lang" --exclude="lang/*" --exclude="config" --exclude="config/*" --exclude="database" --exclude="database/*" --exclude="resources" --exclude="resources/*" | paste -s -d ",")"
+          echo "CURRENT =${CURRENT}"
+          echo "EXPECTED=${EXPECTED}"
+          test "${CURRENT}" == "${EXPECTED}"

.gitignore

@@ -1,7 +1,9 @@
-.idea
-build
-composer.lock
-docs
-vendor
-coverage
+/build
+/vendor
+/.idea
+/.vscode
+.php-cs-fixer.cache
 .phpunit.result.cache
+.phpunit.cache
+composer.lock
+phpunit.xml.bak

README.md

@@ -7,9 +7,10 @@
 [![Sonarcloud Status](https://sonarcloud.io/api/project_badges/measure?project=Laragear_WebAuthn&metric=alert_status)](https://sonarcloud.io/dashboard?id=Laragear_WebAuthn)
 [![Laravel Octane Compatibility](https://img.shields.io/badge/Laravel%20Octane-Compatible-success?style=flat&logo=laravel)](https://laravel.com/docs/9.x/octane#introduction)
 
-Authenticate users with fingerprints, patterns and biometric data.
+Authenticate users with Passkeys: fingerprints, patterns and biometric data.
 
 ```php
+// App\Http\Controllers\LoginController.php
 use Laragear\WebAuthn\Http\Requests\AssertedRequest;
 
 public function login(AssertedRequest $request)
@@ -22,9 +23,9 @@ public function login(AssertedRequest $request)
 
 > You want to add two-factor authentication to your app? Check out [Laragear TwoFactor](https://github.com/Laragear/TwoFactor).
 
-## Keep this package free
+## Become a sponsor
 
-[![Patreon](.assets/patreon.png)](https://patreon.com/packagesforlaravel)[![Ko-fi](.assets/ko-fi.png)](https://ko-fi.com/DarkGhostHunter)[![Buymeacoffee](.assets/buymeacoffee.png)](https://www.buymeacoffee.com/darkghosthunter)[![PayPal](.assets/paypal.png)](https://www.paypal.com/paypalme/darkghosthunter)
+[![](.github/assets/support.png)](https://github.com/sponsors/DarkGhostHunter)
 
 Your support allows me to keep this package free, up-to-date and maintainable. Alternatively, you can **[spread the word!](http://twitter.com/share?text=I%20am%20using%20this%20cool%20PHP%20package&url=https://github.com%2FLaragear%2FWebAuthn&hashtags=PHP,Laravel)**
 
@@ -41,15 +42,15 @@ Require this package into your project using Composer:
 composer require laragear/webauthn
 ```
 
-## How does it work?
+## How Passkeys work?
 
-WebAuthn authentication process consists in two _ceremonies_: attestation, and assertion.
+Passkeys, hence WebAuthn, consists in two _ceremonies_: attestation, and assertion.
 
-Attestation is the process of asking the authenticator (a phone, laptop, USB key...) to create a private-public key pair, and **register** the public key inside the app. For that to work, the user must exist, and the browser must support WebAuthn, which is what intermediates between the authenticator and the app.
+Attestation is the process of asking the authenticator (a phone, laptop, USB key...) to create a private-public key pair, save the private key internally, and **store** the public key inside the server. For that to work, the browser must support WebAuthn, which is what intermediates between the authenticator (OS & device hardware) and the server.
 
-Assertion is the process of pushing a cryptographic challenge to the device, which will return _signed_ by the private key. Upon arrival, the app checks the signature with the public key, ready to **log in**.
+Assertion is the process of pushing a cryptographic challenge to the authenticator, which will return back to the server _signed_ by the private key of the device. Upon arrival, the server checks the signature is correct with the stored public key, ready to **log in**.
 
-The private key doesn't leave the authenticator, and there are no shared passwords to save, let alone remember.
+The private key doesn't leave the authenticator, there are no shared passwords stored anywhere, and Passkeys only work on the server domain (like google.com) or subdomain (like auth.google.com).
 
 ## Set up
 
@@ -64,6 +65,10 @@ After that, you can quickly start WebAuthn with the included controllers and hel
 4. [Register the controllers](#4-register-the-routes-and-controllers)
 5. [Use the Javascript helper](#5-use-the-javascript-helper)
 
+> **Info**
+>
+> While you can use Passkeys without users by invoking the _ceremonies_ manually, Laragear WebAuthn is intended to be used with already existing Users.
+
 ### 1. Add the `eloquent-webauthn` driver
 
 Laragear WebAuthn works by extending the Eloquent User Provider with an additional check to find a user for the given WebAuthn Credentials (Assertion). This makes this WebAuthn package compatible with any guard you may have.
@@ -84,7 +89,7 @@ return [
 ];
 ```
 
-The `password_fallback` indicates the User Provider should fall back to validate the password when the request is not a WebAuthn Assertion. It's enabled to seamlessly use both classic and WebAuthn authentication procedures.
+The `password_fallback` indicates the User Provider should fall back to validate the password when the request is not a WebAuthn Assertion. It's enabled to seamlessly use both classic (password) and WebAuthn authentication procedures.
 
 ### 2. Create the `webauthn_credentials` table
 
@@ -122,7 +127,7 @@ From here you're ready to work with WebAuthn Authentication. The following steps
 
 ### 4. Register the routes and controllers
 
-WebAuthn uses exclusive routes to register and authenticate users. Creating these routes and controller may be cumbersome, specially if it's your first time in the WebAuthn real.
+WebAuthn uses exclusive routes to register and authenticate users. Creating these routes and controller may be cumbersome, specially if it's your first time in the WebAuthn realm.
 
 Instead, go for a quick start and publish the controllers included in Laragear WebAuthn. These controllers will be located at `app\Http\Controllers\WebAuthn`.
 
@@ -151,12 +156,37 @@ This package includes a simple but convenient script to handle WebAuthn Attestat
 php artisan vendor:publish --provider="Laragear\WebAuthn\WebAuthnServiceProvider" --tag="js"
 ```
 
-You will receive the `resources/js/vendor/webauthn/webauthn.js` file which you can include into your authentication views and use it programmatically, anyway you want. For example, compiling it [through Laravel Mix](https://laravel.com/docs/9.x/mix#working-with-scripts) into your application global Javascript.
+You will receive the `resources/js/vendor/webauthn/webauthn.js` file which you can include into your authentication views and use it programmatically
 
 ```html
-<script src="/js/app.js"></script>
+<!doctype html>
+<head>
+    {{-- ... --}}
 
-<!-- Registering credentials -->
+    <script src="{{ Vite::asset('resources/js/vendor/webauthn/webauthn.js') }}"></script>
+
+    @vite(['resources/js/app.js'])
+</head>
+```
+
+> **Note**
+>
+> You can also edit the script file to transform it into a module so it can be bundled in your Vite frontend, exporting the class as `export default class WebAuthn { ... }`, and add it to the `@vite` assets.
+>
+> ```html
+> @vite(['resources/js/vendor/webauthn/webauthn.js', 'resources/js/app.js'])
+> ```
+
+Once done, you can easily start registering an user device, and login in users that registered a device previusly.
+
+For example, let's imagine an user logs in normally, and enters its profile view. You may show a WebAuthn registration HTML with the following code:
+
+```html
+<form id="register-form">
+    <button type="submit" value="Register authenticator">
+</form>
+
+<!-- Registering authenticator -->
 <script>
     const register = event => {
         event.preventDefault()
@@ -168,6 +198,16 @@ You will receive the `resources/js/vendor/webauthn/webauthn.js` file which you c
 
     document.getElementById('register-form').addEventListener('submit', register)
 </script>
+```
+
+In our Login view, we can use the WebAuthn credentials to log in the user.
+
+```html
+<form id="login-form">
+    <input id="email" type="email" value="my@email.com">
+    
+    <button type="submit" value="Log in with your device">
+</form>
 
 <!-- Login users -->
 <script>
@@ -186,7 +226,7 @@ You will receive the `resources/js/vendor/webauthn/webauthn.js` file which you c
 </script>
 ```
 
-You can copy-paste this helper into your authentication routes, or import it into a bundler like [Laravel Vite](https://github.com/laravel/vite-plugin), [Webpack](https://webpack.js.org/), [parcel](https://parceljs.org/), or many more. If the script doesn't suit your needs, you're free to create your own. 
+You can copy-paste this helper into your authentication routes, or import it into a bundler like [Laravel Vite](https://laravel.com/docs/9.x/vite), [Webpack](https://webpack.js.org/), [parcel](https://parceljs.org/), or many more, as long you adjust the script to the bundler needs. If the script doesn't suit your needs, you're free to modify it or create your own.
 
 ### Requests and Responses parameters
 
@@ -194,9 +234,11 @@ Both `register()` and `login()` accept different parameters for the initial requ
 
 ```javascript
 new WebAuthn().login({
-    email: document.getElementById('email').value, // Initial request to the server
+    // Initial request to the server
+    email: document.getElementById('email').value,
 }, {
-    remember: document.getElementById('remember').checked ? 'on' : null, // Response from the authenticator
+    // Response from the authenticator to the server
+    remember: document.getElementById('remember').checked ? 'on' : null, 
 })
 ```
 
@@ -232,7 +274,10 @@ const webAuthn = new WebAuthn({}, {
 
 Attestation is the _ceremony_ to create WebAuthn Credentials. To create an Attestable Response that the user device can understand, use the `AttestationRequest::toCreate()` form request.
 
+For example, we can create our own `AttestationController` to create it.
+
 ```php
+// app\Http\Controllers\WebAuthn\AttestationController.php
 use Laragear\WebAuthn\Http\Requests\AttestationRequest;
 
 public function createChallenge(AttestationRequest $request)
@@ -244,6 +289,7 @@ public function createChallenge(AttestationRequest $request)
 The device will receive the "instructions" to make a key, and will respond with it. You can use the `AttestedRequest` form request and its `save()` method to persist the WebAuthn key if it is valid. The request will automatically return a Validation exception if something fails.
 
 ```php
+// app\Http\Controllers\WebAuthn\AttestationController.php
 use Laragear\WebAuthn\Http\Requests\AttestedRequest;
 
 public function register(AttestedRequest $attestation)
@@ -257,13 +303,19 @@ public function register(AttestedRequest $attestation)
 You may pass an array, or a callback, to the `save()`, which will allow you to modify the underlying WebAuthn Eloquent Model before saving it. For example, we could add an alias for the key present in the Request data.
 
 ```php
+// app\Http\Controllers\WebAuthn\AttestationController.php
 use Laragear\WebAuthn\Http\Requests\AttestedRequest;
 
 public function register(AttestedRequest $request)
 {
     $request->validate(['alias' => 'nullable|string']);
 
-    $attestation->save($request->input('alias'));
+    $attestation->save($request->only('alias'));
+    
+    // Same as:
+    // $attestation->save(function ($credentials) use ($request) {
+    //    $credentials->alias = $request->input('alias');
+    // })
 }
 ```
 
@@ -276,6 +328,7 @@ By default, the authenticator decides how to verify user when creating a credent
 You can override this using `fastRegistration()` to only check for user presence if possible, or `secureRegistration()` to actively verify the User.
 
 ```php
+// app\Http\Controllers\WebAuthn\AttestationController.php
 use Laragear\WebAuthn\Http\Requests\AttestationRequest;
 
 public function createChallenge(AttestationRequest $request)
@@ -291,6 +344,7 @@ Userless/One-touch/Typeless login This enables one click/tap login, without the
 For this to work, the device has to save the "username id" inside itself. Some authenticators _may_ save it regardless, others may be not compatible. To make this mandatory when creating the WebAuthn Credential, use the `userless()` method of the `AttestationRequest` form request.
 
 ```php
+// app\Http\Controllers\WebAuthn\AttestationController.php
 use Laragear\WebAuthn\Http\Requests\AttestationRequest;
 
 public function registerDevice(AttestationRequest $request)
@@ -308,6 +362,7 @@ By default, during Attestation, the device will be informed about the existing e
 You can enable multiple credentials per device using `allowDuplicates()`, which in turn will always return an empty list of credentials to exclude. This way the authenticator will _think_ there are no already stored credentials for your app.
 
 ```php
+// app\Http\Controllers\WebAuthn\AttestationController.php
 use Laragear\WebAuthn\Http\Requests\AttestationRequest;
 
 public function registerDevice(AttestationRequest $request)
@@ -322,7 +377,10 @@ The Assertion procedure also follows a two-step procedure: the user will input i
 
 First, use the `AssertionRequest::toVerify()` form request. It will automatically create an assertion for the user that matches the credentials, or a blank one in case you're using [userless login](#userlessone-touchtypeless-login). Otherwise, you may set stricter validation rules to always ask for credentials.
 
+For example, we can use our own `AssertionController` to handle it.
+
 ```php
+// app\Http\Controllers\WebAuthn\AssertionController.php
 use Laragear\WebAuthn\Http\Requests\AssertionRequest;
 
 public function createChallenge(AssertionRequest $request)
@@ -338,6 +396,7 @@ After that, you may receive the challenge using the `AssertedRequest` request ob
 Since the authentication is pretty much straightforward, you only need to check if the `login()` method returns the newly authenticated user or `null` when it fails. When it's a success, it will take care of [regenerating the session](https://laravel.com/docs/9.x/session#regenerating-the-session-id) for you.
 
 ```php
+// app\Http\Controllers\WebAuthn\AssertionController.php
 use Laragear\WebAuthn\Http\Requests\AssertedRequest;
 
 public function createChallenge(AssertedRequest $request)
@@ -361,6 +420,7 @@ In the same style of [attestation user verification](#attestation-user-verificat
 You may only require the user presence with `fastLogin()`, or actively verify the user with `secureLogin()`.
 
 ```php
+// app\Http\Controllers\WebAuthn\AssertionController.php
 use Laragear\WebAuthn\Http\Requests\AssertionRequest;
 
 public function createChallenge(AssertionRequest $request)
@@ -376,6 +436,7 @@ public function createChallenge(AssertionRequest $request)
 By default, the `eloquent-webauthn` can be used to log in users with passwords when the credentials are not a WebAuthn JSON payload. This way, your normal Authentication flow is unaffected:
 
 ```php
+// app\Http\Controllers\Auth\LoginController.php
 use Illuminate\Support\Facades\Auth;
 
 public function login(Request $request)
@@ -448,7 +509,7 @@ If you want to manually Attest and Assert users, you may instance their respecti
 
 All of these pipelines **require** the current Request to work, as is used to generate Challenges in the Session and validate different parts of the authentication data.
 
-For example, you may manually authenticate a user with its WebAuthn Credentials `AssertionValidator` pipeline.
+For example, you may manually authenticate a user with its WebAuthn Credentials `AssertionValidator` pipeline. We can just type-hint a pipeline in a Controller action argument and Laravel will automatically inject the instance to it.
 
 ```php
 use Laragear\WebAuthn\Assertion\Validator\AssertionValidation;
@@ -468,14 +529,30 @@ public function authenticate(Request $request, AssertionValidator $assertion)
 }
 ```
 
-Since these are Laravel Pipelines, you're free to push additional pipes:
+Since these are Laravel Pipelines, you're free to push additional pipes. These pipes can be a class with `handle()`, or just a function that receives the validation procedure.
 
 ```php
 use Laragear\WebAuthn\Assertion\Validator\AssertionValidator;
+use Exception;
 
-public function addPipes(AssertionValidator $attestation)
+public function authenticate(Request $request, AssertionValidator $assertion)
 {
-    $attestation->pipe(VerifyUserIsAwesome::class, NotifyIfAssertionFailed::class);
+    $credential = $assertion
+        ->send(new AssertionValidation($request))
+        // Add new pipes to the validation.
+        ->pipe(function($validation, $next) {
+            if ($validation->user?->isNotAwesome()) {
+                throw new Exception('The user is not awesome');
+            }
+
+            return $next($validation);
+        })
+        ->thenReturn()
+        ->credential;
+    
+    Auth::login($credential->user);
+    
+    return "Welcome aboard, {$credential->user->name}!";
 }
 ```
 
@@ -495,7 +572,7 @@ After that, you will receive the `config/webauthn.php` config file with an array
 <?php
 
 return [
-    'relaying_party' => [
+    'relying_party' => [
         'name' => env('WEBAUTHN_NAME', env('APP_NAME')),
         'id'   => env('WEBAUTHN_ID'),
     ],
@@ -507,24 +584,31 @@ return [
 ];
 ```
 
-### Relaying Party Information
+### Relying Party Information
 
 ```php
 return [
-    'relaying_party' => [
+    'relying_party' => [
         'name' => env('WEBAUTHN_NAME', env('APP_NAME')),
         'id'   => env('WEBAUTHN_ID'),
     ],
 ];
 ```
 
-The _Relaying Party_ is just a way to uniquely identify your application in the user device:
+The _Relying Party_ is just a way to uniquely identify your application in the user device:
 
 * `name`: The name of the application. Defaults to the application name.
-* `id`: An unique ID the application, like the site domain. If `null`, the device may fill it internally, usually as the full domain.
+* `id`: An unique ID the application, like the site URL. If `null`, the device _may_ fill it internally, usually as the full domain.
 
 > WebAuthn authentication only work on the top domain it was registered. 
 
+Instead of modifying the config file, you should use the environment variables to set the name and ID for WebAuthn.
+
+```dotenv
+WEBAUTHN_NAME=SecureBank
+WEBAUTHN_ID=https://auth.securebank.com
+```
+
 ### Challenge configuration
 
 ```php
@@ -541,7 +625,7 @@ The outgoing challenges are random string of bytes. This controls how many bytes
 
 ## Laravel UI, Jetstream, Fortify, Sanctum, Breeze, Inertia and Livewire
 
-In _theory_ this package should work without any problems with these packages, but you may need to override or _redirect_ the authentication flow (read: method codes) to one using WebAuthn.
+In _theory_ this package should work without any problems with these packages, but you may need to override or _redirect_ the authentication flow (read: override methods) to one using WebAuthn.
 
 There is no support for using WebAuthn with these packages because these are meant to be used with classic user-password authentication. Any issue regarding these packages will be shot down with extreme prejudice.
 
@@ -551,7 +635,7 @@ If you think WebAuthn is critical for these packages, [consider supporting this
 
 * **Does this work with any browser?**
 
-[Yes](https://caniuse.com/#feat=webauthn). In the case of old browsers, you should have a fallback detection script. This can be asked with [the included Javascript helper](#5-use-the-javascript-helper) in a breeze:
+[Yes](https://caniuse.com/#feat=webauthn). In the case of old browsers, you should have a fallback detection script. This can be asked with [the included JavaScript helper](#5-use-the-javascript-helper) in a breeze:
 
 ```javascript
 if (WebAuthn.doesntSupportWebAuthn()) {
@@ -563,9 +647,11 @@ if (WebAuthn.doesntSupportWebAuthn()) {
 
 No. WebAuthn only stores a cryptographic public key generated randomly by the device.
 
-* **Can a phishing site steal WebAuthn credentials and use them in my site?**
+* **Can a phishing site steal WebAuthn credentials and use them in my site to impersonate an user?**
 
-No. WebAuthn _kills the phishing_ because, unlike passwords, the private key never leaves the device. 
+No. WebAuthn _kills the phishing_ because, unlike passwords, the private key never leaves the device, and the key-pair is bound to the top-most domain it was registered.
+
+An user bing _phished_ at `staetbank.com` won't be able to login with a key made on the legit site `statebank.com`, as the device won't be able to find it.
 
 * **Can WebAuthn data identify a particular device?**
 
@@ -585,63 +671,75 @@ Not by default, but [you can enable it](#multiple-credentials-per-device).
 
 * **If a user loses his device, can he register a new device?**
 
-Yes. If you're not using a [password fallback](#password-fallback), you may need to create a logic to register a new device using an email. It's assumed he is reading his email using a trusted device.
+Yes. If you're not using a [password fallback](#password-fallback), you may need to create a logic to register a new device using an email or SMS. It's assumed he is reading his email using a trusted device.
 
 * **What's the difference between disabling and deleting a credential?**
 
-Disabling a credential doesn't delete it, so it's useful as a blacklisting mechanism and these can also be re-enabled. When the credential is deleted, it goes away forever.
+Disabling a credential doesn't delete it, so it's useful as a blacklisting mechanism and these can also be re-enabled. When the credential is deleted, it goes away forever from the server, so the credential in the authenticator device becomes orphaned.
 
 * **Can a user delete its credentials from its device?**
 
-Yes. If it does, the other part of the credentials in your server gets virtually orphaned. You may want to show the user a list of registered credentials in the application to delete them.
+Yes. If it does, the other part of the credentials in your server gets orphaned. You may want to show the user a list of registered credentials in the application to delete them.
 
 * **How secure is this against passwords or 2FA?**
 
-Extremely secure since it works only on HTTPS (or `localhost`), no password or codes are exchanged nor visible in the screen.
+Extremely secure since it works only on HTTPS (or `localhost`). Also, no password or codes are exchanged nor visible in the screen.
 
-* **Can I deactivate the password fallback? Can I enforce only WebAuthn authentication?**
+* **Can I deactivate the password fallback? Can I enforce only WebAuthn authentication and nothing else?**
 
 [Yes](#password-fallback). Just be sure to create recovery helpers to avoid locking out your users.
 
-* **Does this includes a frontend Javascript?**
+* **Does this include JavaScript to handle WebAuthn in the frontend?**
 
 [Yes](#5-use-the-javascript-helper), but it's very _basic_.
 
+If you need more complex WebAuthn management, consider using the [`navigator.credentials`](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/credentials) API directly.
+
 * **Does WebAuthn eliminate bots? Can I forget about _captchas_?**
 
-No, you still need to use [captcha](https://github.com/Laragear/ReCaptcha), honeypots, or other mechanisms to stop bots.
+Yes and no. To register users, you still need to use [captcha](https://github.com/Laragear/ReCaptcha), honeypots, or other mechanisms to stop bots.
 
-* **Does this encodes/decode the WebAuthn data automatically in the frontend?**
+Once a user is registered, bots won't be able to login because the real user is the only one that has the private key required for WebAuthn.
+
+* **Does this encode/decode the WebAuthn data automatically in the frontend?**
 
 Yes, the included [WebAuthn Helper](#5-use-the-javascript-helper) does it automatically for you.
 
-* **Does this encrypts the public keys?**
+* **Does this encrypt the public keys?**
 
 Yes, public keys are encrypted when saved into the database.
 
-* **Does this include a credential recovery routes?**
+* **Does this include WebAuthn credential recovery routes?**
 
 No. You're free to create your own flow for recovery.
 
+My recommendation is to send an email to the user, pointing to a route that registers a new device, and immediately redirect him to blacklist which credential was lost (or blacklist the only one he has).
+
 * **Can I use my smartphone as authenticator through my PC or Mac?**
 
-It depends. This is entirely up to hardware, OS and browser vendor themselves.
+It depends. 
+
+This is entirely up to hardware, OS and browser vendor themselves, but mostly the OS. Some OS or browsers may offer a way to sync private keys on the cloud, even letting the assertion challenge to be signed remotely instead of transmitting the private key. Please check your target platforms of choice.
 
 * **Why my device doesn't show Windows Hello/Passkey/TouchId/FaceId/pattern/fingerprint authentication?**
 
-By default, this WebAuthn implementation accepts _almost_ everything. Some combinations of devices, OS and Web browsers may differ on what to make available for WebAuthn authentication. For example, Windows 7 only supports USB keys. 
+By default, this WebAuthn implementation accepts _almost_ everything. Some combinations of devices, OS and Web browsers may differ on what to make available for WebAuthn authentication. 
+
+You may [check this site for authenticator support](https://webauthn.me/browser-support).
 
 * **Why my device doesn't work at all with this package?**
 
-This package supports WebAuthn 2.0, which is [W3C Recommendation](https://www.w3.org/TR/webauthn-2). Your device/OS/browser may be using an unsupported version. There are no plans to support older specs.
+This package supports WebAuthn 2.0, which is [W3C Recommendation](https://www.w3.org/TR/webauthn-2). Your device/OS/browser may be using an unsupported version. 
+
+There are no plans to support older WebAuthn specs. The new [WebAuthn 3.0 draft](https://www.w3.org/TR/webauthn-3) spec needs to be finished to be supported.
 
 * **I'm trying to test this in my development server, but it doesn't work**
 
-Use `localhost` exclusively, not `127.0.0.1`, or use a proxy to tunnel your site through HTTPS. WebAuthn only works on `localhost` or under `HTTPS` only.
+Use `localhost` exclusively (not `127.0.0.1` or `::1`) or use a proxy to tunnel your site through HTTPS. WebAuthn only works on `localhost` or under `HTTPS` only.
 
 * **Why this package supports only `none` attestation conveyance?**
 
-Because `direct`, `indirect` and `enterprise` attestations are mostly used on high-security high-risk scenarios, where an entity has total control on the devices used to authenticate. 
+Because `direct`, `indirect` and `enterprise` attestations are mostly used on high-security high-risk scenarios, where an entity has total control on the devices used to authenticate. Imagine banks, medical, or military.
 
 If you deem this feature critical for you, [**consider supporting this package**](#keep-this-package-free).
 
@@ -651,7 +749,9 @@ No. The user can use whatever to authenticate in your app. This may be enabled o
 
 * **Everytime I make attestations or assertions, it says no challenge exists!** 
 
-Remember that your WebAuthn routes must use Sessions, because the Challenge gets saved there.
+Remember that your WebAuthn routes **must use Sessions**, because the Challenges are stored there.
+
+More information can be retrieved in your [application logs](https://laravel.com/docs/9.x/logging).
 
 ## Laravel Octane Compatibility
 
@@ -668,11 +768,11 @@ These are some details about this WebAuthn implementation:
 
 * Registration (attestation) and Login (assertion) challenges use the current request session.
 * Only one ceremony can be done at a time. 
-* Challenges are pulled from the session on resolution, independently of their result.
+* Challenges are pulled (retrieved and deleted from source) from the session on resolution, independently of their result.
 * All challenges and ceremonies expire at 60 seconds.
 * WebAuthn User Handle is UUID v4, reusable if another credential exists.
 * Credentials can be blacklisted (enabled/disabled).
-* Public Keys are encrypted in the database automatically.
+* Public Keys are encrypted by with application key in the database automatically.
 
 If you discover any security related issues, please email darkghosthunter@gmail.com instead of using the issue tracker.
 

composer.json

@@ -1,6 +1,6 @@
 {
     "name": "laragear/webauthn",
-    "description": "Authenticate your users with biometric data, devices or USB keys.",
+    "description": "Authenticate users with Passkeys: fingerprints, patterns and biometric data.",
     "type": "library",
     "license": "MIT",
     "minimum-stability": "stable",
@@ -24,29 +24,28 @@
             "name": "Italo Israel Baeza Cabrera",
             "email": "DarkGhostHunter@Gmail.com",
             "role": "Developer",
-            "homepage": "https://patreon.com/packagesforlaravel"
+            "homepage": "https://github.com/sponsors/DarkGhostHunter"
         }
     ],
     "support": {
-        "source": "https://github.com/Laragear/TwoFactor",
-        "issues": "https://github.com/Laragear/TwoFactor/issues"
+        "source": "https://github.com/Laragear/WebAuthn",
+        "issues": "https://github.com/Laragear/WebAuthn/issues"
     },
     "require": {
-        "php" : ">=8.0.2",
+        "php": "8.*",
         "ext-openssl": "*",
         "ext-json": "*",
-        "illuminate/auth": "9.*",
-        "illuminate/http": "9.*",
-        "illuminate/session": "9.*",
-        "illuminate/support": "9.*",
-        "illuminate/config": "9.*",
-        "illuminate/database": "9.*",
-        "illuminate/encryption": "9.*"
+        "illuminate/auth": "9.*|10.*",
+        "illuminate/http": "9.*|10.*",
+        "illuminate/session": "9.*|10.*",
+        "illuminate/support": "9.*|10.*",
+        "illuminate/config": "9.*|10.*",
+        "illuminate/database": "9.*|10.*",
+        "illuminate/encryption": "9.*|10.*"
     },
     "require-dev": {
-        "orchestra/testbench": "7.*",
-        "phpunit/phpunit": "^9.5",
-        "mockery/mockery": "^1.5"
+        "orchestra/testbench": "^7.22|8.*",
+        "jetbrains/phpstorm-attributes": "*"
     },
     "autoload": {
         "psr-4": {
@@ -75,16 +74,8 @@
     },
     "funding": [
         {
-            "type": "Patreon",
-            "url": "https://patreon.com/PackagesForLaravel"
-        },
-        {
-            "type": "Ko-Fi",
-            "url": "https://ko-fi.com/DarkGhostHunter"
-        },
-        {
-            "type": "Buy me a cofee",
-            "url": "https://www.buymeacoffee.com/darkghosthunter"
+            "type": "Github Sponsorship",
+            "url": "https://github.com/sponsors/DarkGhostHunter"
         },
         {
             "type": "Paypal",

config/webauthn.php

@@ -4,11 +4,11 @@ return [
 
     /*
     |--------------------------------------------------------------------------
-    | Relaying Party
+    | Relying Party
     |--------------------------------------------------------------------------
     |
     | We will use your application information to inform the device who is the
-    | relaying party. While only the name is enough, you can further set the
+    | relying party. While only the name is enough, you can further set the
     | a custom domain as ID and even an icon image data encoded as BASE64.
     |
     */

database/migrations/2022_07_01_000000_create_webauthn_credentials.php

@@ -43,7 +43,7 @@ return new class extends Migration {
      */
     protected static function defaultBlueprint(Blueprint $table): void
     {
-        $table->string('id')->primary();
+        $table->string('id', 510)->primary();
 
         $table->morphs('authenticatable', 'webauthn_user_index');
 

phpunit.xml

@@ -1,11 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="vendor/autoload.php" backupGlobals="false"
-         backupStaticAttributes="false" colors="true" verbose="true" convertErrorsToExceptions="true"
-         convertNoticesToExceptions="true" convertWarningsToExceptions="true" processIsolation="false"
-         stopOnFailure="false" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.5/phpunit.xsd">
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="vendor/autoload.php" colors="true" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.0/phpunit.xsd" cacheDirectory=".phpunit.cache">
   <coverage>
     <include>
       <directory suffix=".php">src/</directory>
+      <directory suffix=".php">stubs/controllers</directory>
     </include>
     <report>
       <clover outputFile="build/logs/clover.xml"/>
@@ -14,14 +12,10 @@
   <testsuites>
     <testsuite name="Test Suite">
       <directory>tests</directory>
-            <file>stubs/controllers/WebAuthnLoginController.php</file>
-            <file>stubs/controllers/WebAuthnRegisterController.php</file>
     </testsuite>
   </testsuites>
-    <logging>
-        <junit outputFile="build/report.junit.xml"/>
-    </logging>
   <php>
+    <includePath>stubs/controllers</includePath>
     <env name="APP_ENV" value="testing"/>
     <env name="APP_DEBUG" value="true"/>
     <env name="APP_KEY" value="AckfSECXIvnK5r28GVIWUAxmbBSjTsmF"/>

resources/js/webauthn.js

@@ -61,25 +61,49 @@ class WebAuthn {
      * @param routes {{registerOptions: string, register: string, loginOptions: string, login: string}}
      * @param headers {{string}}
      * @param includeCredentials {boolean}
-     * @param xsrfToken {string|null}
+     * @param xcsrfToken {string|null} Either a csrf token (40 chars) or xsrfToken (224 chars)
      */
-    constructor(routes = {}, headers = {}, includeCredentials = false, xsrfToken = null) {
+    constructor(routes = {}, headers = {}, includeCredentials = false, xcsrfToken = null) {
         Object.assign(this.#routes, routes);
         Object.assign(this.#headers, headers);
 
         this.#includeCredentials = includeCredentials;
 
+        let xsrfToken;
+        let csrfToken;
+
+        if (xcsrfToken === null) {
             // If the developer didn't issue an XSRF token, we will find it ourselves.
-        this.#headers["X-CSRF-TOKEN"] ??= xsrfToken ?? WebAuthn.#firstInputWithXsrfToken;
+            xsrfToken = WebAuthn.#XsrfToken;
+            csrfToken = WebAuthn.#firstInputWithCsrfToken;
+        } else{
+            // Check if it is a CSRF or XSRF token
+            if (xcsrfToken.length === 40) {
+                csrfToken = xcsrfToken;
+            } else if (xcsrfToken.length === 224) {
+                xsrfToken = xcsrfToken;
+            } else {
+                throw new TypeError('CSRF token or XSRF token provided does not match requirements. Must be 40 or 224 characters.');
+            }
+        }
+
+        if (xsrfToken !== null) {
+            this.#headers["X-XSRF-TOKEN"] ??= xsrfToken;
+        } else if (csrfToken !== null) {
+            this.#headers["X-CSRF-TOKEN"] ??= csrfToken;
+        } else {
+            // We didn't find it, and since is required, we will bail out.
+            throw new TypeError('Ensure a CSRF/XSRF token is manually set, or provided in a cookie "XSRF-TOKEN" or or there is meta tag named "csrf-token".');
+        }
     }
 
     /**
-     * Returns the XSRF token if it exists as a form input tag.
+     * Returns the CSRF token if it exists as a form input tag.
      *
      * @returns string
      * @throws TypeError
      */
-    static get #firstInputWithXsrfToken() {
+    static get #firstInputWithCsrfToken() {
         // First, try finding an CSRF Token in the head.
         let token = Array.from(document.head.getElementsByTagName("meta"))
             .find(element => element.name === "csrf-token");
@@ -96,10 +120,33 @@ class WebAuthn {
             return token.value;
         }
 
-        // We didn't find it, and since is required, we will bail out.
-        throw new TypeError('Ensure a CSRF token is manually set, or there is meta tag named "csrf-token".');
+        return null;
     }
 
+    /**
+     * Returns the value of the XSRF token if it exists in a cookie.
+     *
+     * Inspired by https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie#example_2_get_a_sample_cookie_named_test2
+     *
+     * @returns {?string}
+     */
+     static get #XsrfToken() {
+        const cookie = document.cookie.split(";").find((row) => /^\s*(X-)?[XC]SRF-TOKEN\s*=/.test(row));
+        // We must remove all '%3D' from the end of the string.
+        // Background:
+        // The actual binary value of the CSFR value is encoded in Base64.
+        // If the length of original, binary value is not a multiple of 3 bytes,
+        // the encoding gets padded with `=` on the right; i.e. there might be
+        // zero, one or two `=` at the end of the encoded value.
+        // If the value is sent from the server to the client as part of a cookie,
+        // the `=` character is URL-encoded as `%3D`, because `=` is already used
+        // to separate a cookie key from its value.
+        // When we send back the value to the server as part of an AJAX request,
+        // Laravel expects an unpadded value.
+        // Hence, we must remove the `%3D`.
+        return cookie ? cookie.split("=")[1].trim().replaceAll("%3D", "") : null;
+    };
+
     /**
      * Returns a fetch promise to resolve later.
      *
@@ -109,7 +156,9 @@ class WebAuthn {
      * @returns {Promise<Response>}
      */
     #fetch(data, route, headers = {}) {
-        return fetch(route, {
+        const url = new URL(route, window.location.origin).href;
+        
+        return fetch(url, {
             method: "POST",
             credentials: this.#includeCredentials ? "include" : "same-origin",
             redirect: "error",
@@ -266,6 +315,7 @@ class WebAuthn {
         const publicKeyCredential = this.#parseOutgoingCredentials(credentials);
 
         Object.assign(publicKeyCredential, response);
+        Object.assign(publicKeyCredential, request);
 
         return await this.#fetch(publicKeyCredential, this.#routes.register).then(WebAuthn.#handleResponse);
     }

routes/webauthn.php

@@ -4,14 +4,17 @@ use App\Http\Controllers\WebAuthn\WebAuthnLoginController;
 use App\Http\Controllers\WebAuthn\WebAuthnRegisterController;
 use Illuminate\Support\Facades\Route;
 
-Route::middleware('web')->group(static function (): void {
-    Route::post('webauthn/register/options', [WebAuthnRegisterController::class, 'options'])
-        ->name('webauthn.register.options');
-    Route::post('webauthn/register', [WebAuthnRegisterController::class, 'register'])
-        ->name('webauthn.register');
-
-    Route::post('webauthn/login/options', [WebAuthnLoginController::class, 'options'])
-        ->name('webauthn.login.options');
-    Route::post('webauthn/login', [WebAuthnLoginController::class, 'login'])
-        ->name('webauthn.login');
+Route::middleware('web')
+    ->group(static function (): void {
+        Route::controller(WebAuthnRegisterController::class)
+            ->group(static function (): void {
+                Route::post('webauthn/register/options', 'options')->name('webauthn.register.options');
+                Route::post('webauthn/register', 'register')->name('webauthn.register');
+            });
+
+        Route::controller(WebAuthnLoginController::class)
+            ->group(static function (): void {
+                Route::post('webauthn/login/options', 'options')->name('webauthn.login.options');
+                Route::post('webauthn/login', 'login')->name('webauthn.login');
+            });
     });

src/Assertion/Creator/Pipes/CreateAssertionChallenge.php

@@ -33,6 +33,7 @@ class CreateAssertionChallenge
         $options = [];
 
         if ($assertion->acceptedCredentials?->isNotEmpty()) {
+            // @phpstan-ignore-next-line
             $options['credentials'] = $assertion->acceptedCredentials->map->getKey()->toArray();
         }
 

src/Assertion/Creator/Pipes/MayRetrieveCredentialsIdForUser.php

@@ -36,10 +36,11 @@ class MayRetrieveCredentialsIdForUser
      * Adapt all credentials into an `allowCredentials` digestible array.
      *
      * @param  \Illuminate\Database\Eloquent\Collection<int, \Laragear\WebAuthn\Models\WebAuthnCredential>  $credentials
-     * @return \Illuminate\Support\Collection<int, array>
+     * @return \Illuminate\Support\Collection<int, array{id?: mixed, type: string, transports?: non-empty-array<int, string>}>
      */
     protected function parseCredentials(EloquentCollection $credentials): Collection
     {
+        // @phpstan-ignore-next-line
         return $credentials->map(static function (WebAuthnCredential $credential): array {
             return array_filter([
                 'id' => $credential->getKey(),

src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php

@@ -56,6 +56,7 @@ class CheckCredentialIsForUser
      */
     protected function validateUser(AssertionValidation $validation): void
     {
+        // @phpstan-ignore-next-line
         if ($validation->credential->authenticatable()->isNot($validation->user)) {
             throw AssertionException::make('User is not owner of the stored credential.');
         }

src/Attestation/AuthenticatorData.php

@@ -18,7 +18,7 @@ use function unpack;
 /**
  * MIT License
  *
- * Copyright © 2021 Lukas Buchs
+ * Copyright (c) 2021 Lukas Buchs
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -76,10 +76,10 @@ class AuthenticatorData
      * @param  string  $relyingPartyIdHash
      * @param  object  $flags
      * @param  int  $counter
-     * @param  object{aaguid: int|bool, credentialId: string, credentialPublicKey: string}  $attestedCredentialData
+     * @param  object  $attestedCredentialData
      * @param  array  $extensionData
      */
-    public function __construct(
+    final public function __construct(
         public string $relyingPartyIdHash,
         public object $flags,
         public int $counter,
@@ -366,13 +366,21 @@ class AuthenticatorData
     protected static function readFlags(string $binFlag): object
     {
         $flags = (object) [
+            // @phpstan-ignore-next-line
             'bit_0' => (bool) ($binFlag & 1),
+            // @phpstan-ignore-next-line
             'bit_1' => (bool) ($binFlag & 2),
+            // @phpstan-ignore-next-line
             'bit_2' => (bool) ($binFlag & 4),
+            // @phpstan-ignore-next-line
             'bit_3' => (bool) ($binFlag & 8),
+            // @phpstan-ignore-next-line
             'bit_4' => (bool) ($binFlag & 16),
+            // @phpstan-ignore-next-line
             'bit_5' => (bool) ($binFlag & 32),
+            // @phpstan-ignore-next-line
             'bit_6' => (bool) ($binFlag & 64),
+            // @phpstan-ignore-next-line
             'bit_7' => (bool) ($binFlag & 128),
             'userPresent' => false,
             'userVerified' => false,

src/Attestation/Creator/Pipes/AddUserDescriptor.php

@@ -23,6 +23,7 @@ class AddUserDescriptor
         $config = $attestable->user->webAuthnData();
 
         // Create a new User UUID if it doesn't existe already in the credentials.
+        // @phpstan-ignore-next-line
         $config['id'] = $attestable->user->webAuthnCredentials()->value('user_id')
             ?: Str::uuid()->getHex()->toString();
 

src/Attestation/Creator/Pipes/MayPreventDuplicateCredentials.php

@@ -39,6 +39,7 @@ class MayPreventDuplicateCredentials
         return $user
             ->webAuthnCredentials()
             ->get(['id', 'transports'])
+            // @phpstan-ignore-next-line
             ->map(static function (WebAuthnCredential $credential): array {
                 return array_filter([
                     'id'=> $credential->getKey(),

src/Attestation/Formats/Format.php

@@ -8,7 +8,7 @@ use Laragear\WebAuthn\Attestation\AuthenticatorData;
 /**
  * MIT License
  *
- * Copyright © 2021 Lukas Buchs
+ * Copyright (c) 2021 Lukas Buchs
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal

src/Attestation/Validator/Pipes/CheckRelyingPartyHashSame.php

@@ -35,6 +35,6 @@ class CheckRelyingPartyHashSame extends BaseCheckRelyingPartyHashSame
      */
     protected function relyingPartyId(AssertionValidation|AttestationValidation $validation): string
     {
-        return $this->config->get('webauthn.relaying_party.id') ?? $this->config->get('app.url');
+        return $this->config->get('webauthn.relying_party.id') ?? $this->config->get('app.url');
     }
 }

src/Attestation/Validator/Pipes/MakeWebAuthnCredential.php

@@ -41,7 +41,7 @@ class MakeWebAuthnCredential
             'alias' => $validation->request->json('response.alias'),
 
             'counter' => $validation->attestationObject->authenticatorData->counter,
-            'rp_id' => $this->config->get('webauthn.relaying_party.id') ?? $this->config->get('app.url'),
+            'rp_id' => $this->config->get('webauthn.relying_party.id') ?? $this->config->get('app.url'),
             'origin' => $validation->clientDataJson->origin,
             'transports' => $validation->request->json('response.transports'),
             'aaguid' => Uuid::fromBytes($validation->attestationObject->authenticatorData->attestedCredentialData->aaguid),

src/Auth/WebAuthnUserProvider.php

@@ -46,10 +46,11 @@ class WebAuthnUserProvider extends EloquentUserProvider
      */
     public function retrieveByCredentials(array $credentials)
     {
-        if (class_implements($this->model, WebAuthnAuthenticatable::class) && $this->isSignedChallenge($credentials)) {
+        if (in_array(WebAuthnAuthenticatable::class, class_implements($this->model, true), true) && $this->isSignedChallenge($credentials)) {
             /** @noinspection PhpIncompatibleReturnTypeInspection */
             return $this->newModelQuery()
                 ->whereHas('webAuthnCredentials', static function (Builder $query) use ($credentials): void {
+                    // @phpstan-ignore-next-line
                     $query->whereKey($credentials['id'])->whereEnabled();
                 })
                 ->first();

src/ByteBuffer.php

@@ -49,8 +49,8 @@ use function unpack;
  * ---
  * MIT License
  *
- * Copyright © 2021 Lukas Buchs
- * Copyright © 2018 Thomas Bleeker (CBOR & ByteBuffer part)
+ * Copyright (c) 2021 Lukas Buchs
+ * Copyright (c) 2018 Thomas Bleeker (CBOR & ByteBuffer part)
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -86,7 +86,7 @@ class ByteBuffer implements JsonSerializable, Jsonable, Stringable
      * @param  string  $binaryData
      * @param  int  $dataLength
      */
-    public function __construct(protected string $binaryData, protected int $dataLength = 0)
+    final public function __construct(protected string $binaryData, protected int $dataLength = 0)
     {
         $this->dataLength = strlen($binaryData);
     }
@@ -194,7 +194,7 @@ class ByteBuffer implements JsonSerializable, Jsonable, Stringable
      * Returns the value of a single unsigned 16-bit integer.
      *
      * @param  int  $offset
-     * @return mixed
+     * @return int
      */
     public function getUint16Val(int $offset = 0): int
     {
@@ -209,7 +209,7 @@ class ByteBuffer implements JsonSerializable, Jsonable, Stringable
      * Returns the value of a single unsigned 32-bit integer.
      *
      * @param  int  $offset
-     * @return mixed
+     * @return int
      */
     public function getUint32Val(int $offset = 0): int
     {
@@ -404,7 +404,7 @@ class ByteBuffer implements JsonSerializable, Jsonable, Stringable
             throw new InvalidArgumentException('ByteBuffer: Invalid base64 url string');
         }
 
-        return new ByteBuffer($bin);
+        return new static($bin);
     }
 
     /**
@@ -415,11 +415,14 @@ class ByteBuffer implements JsonSerializable, Jsonable, Stringable
      */
     public static function fromBase64(string $base64): static
     {
-        if (false === $bin = base64_decode($base64)) {
+        /** @var string|false $bin */
+        $bin = base64_decode($base64);
+
+        if (false === $bin) {
             throw new InvalidArgumentException('ByteBuffer: Invalid base64 string');
         }
 
-        return new ByteBuffer($bin);
+        return new static($bin);
     }
 
     /**

src/CborDecoder.php

@@ -34,8 +34,8 @@ use function sprintf;
  * ---
  * MIT License
  *
- * Copyright © 2021 Lukas Buchs
- * Copyright © 2018 Thomas Bleeker (CBOR & ByteBuffer part)
+ * Copyright (c) 2021 Lukas Buchs
+ * Copyright (c) 2018 Thomas Bleeker (CBOR & ByteBuffer part)
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -248,7 +248,7 @@ class CborDecoder
      * @param  \Laragear\WebAuthn\ByteBuffer  $buf
      * @param $offset
      * @return \Laragear\WebAuthn\ByteBuffer|array|bool|float|int|string|null
-     * @throws \Laragear\WebAuthn\Exceptions\DataException
+     * @throws \Laragear\WebAuthn\Exceptions\DataException|\InvalidArgumentException
      */
     protected static function parseItemData(
         int $type,

src/Challenge.php

@@ -17,7 +17,7 @@ class Challenge
      * @param  bool  $verify
      * @param  array  $properties
      */
-    public function __construct(
+    final public function __construct(
         public ByteBuffer $data,
         public int $timeout,
         public bool $verify = true,

src/Contracts/WebAuthnAuthenticatable.php

@@ -41,7 +41,8 @@ interface WebAuthnAuthenticatable
     /**
      * Returns a queryable relationship for its WebAuthn Credentials.
      *
-     * @return \Illuminate\Database\Eloquent\Relations\MorphMany&\Laragear\WebAuthn\Models\WebAuthnCredential
+     * @phpstan-ignore-next-line
+     * @return \Illuminate\Database\Eloquent\Relations\MorphMany|\Laragear\WebAuthn\Models\WebAuthnCredential
      */
     public function webAuthnCredentials(): MorphMany;
 }

src/Exceptions/AssertionException.php

@@ -11,7 +11,7 @@ class AssertionException extends ValidationException implements WebAuthnExceptio
      * Create a new Assertion Exception with the error message.
      *
      * @param  string  $message
-     * @return \Laragear\WebAuthn\Exceptions\AssertionException
+     * @return static
      */
     public static function make(string $message): static
     {

src/Exceptions/AttestationException.php

@@ -11,7 +11,7 @@ class AttestationException extends ValidationException implements WebAuthnExcept
      * Create a new Attestation Exception with the error message.
      *
      * @param  string  $message
-     * @return \Laragear\WebAuthn\Exceptions\AttestationException
+     * @return static
      */
     public static function make(string $message): static
     {

src/Http/Requests/AssertedRequest.php

@@ -48,15 +48,18 @@ class AssertedRequest extends FormRequest
      * Logs in the user for this assertion request.
      *
      * @param  string|null  $guard
-     * @return \Laragear\WebAuthn\Contracts\WebAuthnAuthenticatable&\Illuminate\Contracts\Auth\Authenticatable|null
+     * @phpstan-ignore-next-line
+     * @return \Laragear\WebAuthn\Contracts\WebAuthnAuthenticatable|\Illuminate\Contracts\Auth\Authenticatable|null
      */
     public function login(string $guard = null, bool $remember = null, bool $destroySession = false): ?WebAuthnAuthenticatable
     {
+        /** @var \Illuminate\Contracts\Auth\StatefulGuard $auth */
         $auth = Auth::guard($guard);
 
         if ($auth->attempt($this->validated(), $remember ?? $this->hasRemember())) {
             $this->session()->regenerate($destroySession);
 
+            // @phpstan-ignore-next-line
             return $auth->user();
         }
 

src/Http/Requests/AssertionRequest.php

@@ -121,7 +121,7 @@ class AssertionRequest extends FormRequest
      */
     protected function findUser(WebAuthnAuthenticatable|array|int|string|null $credentials): ?WebAuthnAuthenticatable
     {
-        if (!$credentials) {
+        if ($credentials === null) {
             return null;
         }
 
@@ -133,7 +133,9 @@ class AssertionRequest extends FormRequest
         // retrieve by its ID, otherwise we will fall back to credentials. Once done, we
         // will check it uses WebAuthn if is not null, otherwise we'll fail miserably.
         $user = is_string($credentials) || is_int($credentials)
+            // @phpstan-ignore-next-line
             ? Auth::guard($this->guard)->getProvider()->retrieveById($credentials)
+            // @phpstan-ignore-next-line
             : Auth::guard($this->guard)->getProvider()->retrieveByCredentials($credentials);
 
         if ($user && ! $user instanceof WebAuthnAuthenticatable) {

src/Models/WebAuthnCredential.php

@@ -9,7 +9,7 @@ use Laragear\WebAuthn\Events\CredentialDisabled;
 use Laragear\WebAuthn\Events\CredentialEnabled;
 
 /**
- * @mixin \Illuminate\Database\Eloquent\Builder<\Laragear\WebAuthn\Models\WebAuthnCredential>
+ * @mixin \Illuminate\Database\Eloquent\Builder
  *
  * @method static \Illuminate\Database\Eloquent\Builder|static query()
  * @method \Illuminate\Database\Eloquent\Builder|static newQuery()
@@ -22,10 +22,10 @@ use Laragear\WebAuthn\Events\CredentialEnabled;
  * @method \Laragear\WebAuthn\Models\WebAuthnCredential firstOr($columns = ['*'], \Closure $callback = null)
  * @method \Laragear\WebAuthn\Models\WebAuthnCredential firstWhere($column, $operator = null, $value = null, $boolean = 'and')
  * @method \Laragear\WebAuthn\Models\WebAuthnCredential updateOrCreate(array $attributes, array $values = [])
- * @method static|null first($columns = ['*'])
+ * @method ?static first($columns = ['*'])
  * @method static static findOrFail($id, $columns = ['*'])
  * @method static static findOrNew($id, $columns = ['*'])
- * @method static static|null find($id, $columns = ['*'])
+ * @method static ?null find($id, $columns = ['*'])
  *
  * @property-read string $id
  *
@@ -95,10 +95,11 @@ class WebAuthnCredential extends Model
      *
      * @var array<int, string>
      */
-    protected $visible = ['id', 'origin', 'alias', 'aaguid', 'attestation_format', 'disabled_at', 'is_enabled'];
+    protected $visible = ['id', 'origin', 'alias', 'aaguid', 'attestation_format', 'disabled_at'];
 
     /**
-     * @return \Illuminate\Database\Eloquent\Relations\MorphTo&\Laragear\WebAuthn\Contracts\WebAuthnAuthenticatable
+     * @phpstan-ignore-next-line
+     * @return \Illuminate\Database\Eloquent\Relations\MorphTo|\Laragear\WebAuthn\Contracts\WebAuthnAuthenticatable
      */
     public function authenticatable(): MorphTo
     {
@@ -113,6 +114,7 @@ class WebAuthnCredential extends Model
      */
     protected function scopeWhereEnabled(Builder $query): Builder
     {
+        // @phpstan-ignore-next-line
         return $query->whereNull('disabled_at');
     }
     /**
@@ -123,6 +125,7 @@ class WebAuthnCredential extends Model
      */
     protected function scopeWhereDisabled(Builder $query): Builder
     {
+        // @phpstan-ignore-next-line
         return $query->whereNotNull('disabled_at');
     }
 

src/SharedPipes/CheckRelyingPartyHashSame.php

@@ -39,11 +39,11 @@ abstract class CheckRelyingPartyHashSame
     public function handle(AttestationValidation|AssertionValidation $validation, Closure $next): mixed
     {
         // This way we can get the app RP ID on attestation, and the Credential RP ID
-        // on assertion. The credential will have the same Relaying Party ID on both
+        // on assertion. The credential will have the same Relying Party ID on both
         // the authenticator and the application so on assertion both should match.
-        $relayingParty = parse_url($this->relyingPartyId($validation), PHP_URL_HOST);
+        $relyingParty = parse_url($this->relyingPartyId($validation), PHP_URL_HOST);
 
-        if ($this->authenticatorData($validation)->hasNotSameRPIdHash($relayingParty)) {
+        if ($this->authenticatorData($validation)->hasNotSameRPIdHash($relyingParty)) {
             static::throw($validation, 'Response has different Relying Party ID hash.');
         }
 

src/SharedPipes/CheckRelyingPartyIdContained.php

@@ -40,11 +40,11 @@ abstract class CheckRelyingPartyIdContained
     public function handle(AttestationValidation|AssertionValidation $validation, Closure $next): mixed
     {
         if (!$host = parse_url($validation->clientDataJson->origin, PHP_URL_HOST)) {
-            static::throw($validation, 'Relaying Party ID is invalid.');
+            static::throw($validation, 'Relying Party ID is invalid.');
         }
 
         $current = parse_url(
-            $this->config->get('webauthn.relaying_party.id') ?? $this->config->get('app.url'), PHP_URL_HOST
+            $this->config->get('webauthn.relying_party.id') ?? $this->config->get('app.url'), PHP_URL_HOST
         );
 
         // Check the host is the same or is a subdomain of the current config domain.
@@ -52,6 +52,6 @@ abstract class CheckRelyingPartyIdContained
             return $next($validation);
         }
 
-        static::throw($validation, 'Relaying Party ID not scoped to current.');
+        static::throw($validation, 'Relying Party ID not scoped to current.');
     }
 }

src/WebAuthn.php

@@ -4,9 +4,6 @@ namespace Laragear\WebAuthn;
 
 use Illuminate\Support\Facades\Route;
 
-/**
- * @internal
- */
 class WebAuthn
 {
     // Constants for user verification in Attestation and Assertion.
@@ -31,20 +28,19 @@ class WebAuthn
      */
     public static function routes(): void
     {
-        Route::middleware('web')->group(static function (): void {
-            Route::post('webauthn/register/options')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnRegisterController::class, 'options'])
-                ->name('webauthn.register.options');
-            Route::post('webauthn/register')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnRegisterController::class, 'register'])
-                ->name('webauthn.register');
+        Route::middleware('web')
+            ->group(static function (): void {
+                Route::controller(\App\Http\Controllers\WebAuthn\WebAuthnRegisterController::class)
+                    ->group(static function (): void {
+                        Route::post('webauthn/register/options', 'options')->name('webauthn.register.options');
+                        Route::post('webauthn/register', 'register')->name('webauthn.register');
+                    });
 
-            Route::post('webauthn/login/options')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnLoginController::class, 'options'])
-                ->name('webauthn.login.options');
-            Route::post('webauthn/login')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnLoginController::class, 'login'])
-                ->name('webauthn.login');
+                Route::controller(\App\Http\Controllers\WebAuthn\WebAuthnLoginController::class)
+                    ->group(static function (): void {
+                        Route::post('webauthn/login/options', 'options')->name('webauthn.login.options');
+                        Route::post('webauthn/login', 'login')->name('webauthn.login');
+                    });
         });
     }
 }

src/WebAuthnAuthentication.php

@@ -4,9 +4,9 @@ namespace Laragear\WebAuthn;
 
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Relations\MorphMany;
+use Illuminate\Support\Facades\Date;
 use JetBrains\PhpStorm\ArrayShape;
 use Laragear\WebAuthn\Models\WebAuthnCredential;
-use function in_array;
 
 /**
  * @property-read \Illuminate\Database\Eloquent\Collection<int, \Laragear\WebAuthn\Models\WebAuthnCredential> $webAuthnCredentials
@@ -38,20 +38,17 @@ trait WebAuthnAuthentication
      */
     public function flushCredentials(string ...$except): void
     {
-        if ($this->relationLoaded('webAuthnCredentials') && $this->webAuthnCredentials instanceof Collection) {
-            $partitioned = $this->webAuthnCredentials
-                ->partition(static function (WebAuthnCredential $credential) use ($except): bool {
-                    return in_array($credential->getKey(), $except, true);
-                });
-
-            $partitioned->first()->each->delete();
-
-            $this->setRelation('webAuthnCredentials', $partitioned->last());
+        if (! $this->relationLoaded('webAuthnCredentials')) {
+            $this->webAuthnCredentials()->whereKeyNot($except)->delete();
 
             return;
         }
 
-        $this->webAuthnCredentials()->whereKeyNot($except)->delete();
+        if ($this->webAuthnCredentials instanceof Collection && $this->webAuthnCredentials->isNotEmpty()) {
+            $this->webAuthnCredentials->whereNotIn('id', $except)->each->delete();
+
+            $this->setRelation('webAuthnCredentials', $this->webAuthnCredentials->whereIn('id', $except));
+        }
     }
 
     /**
@@ -64,13 +61,14 @@ trait WebAuthnAuthentication
     {
         if ($this->relationLoaded('webAuthnCredentials') && $this->webAuthnCredentials instanceof Collection) {
             $this->webAuthnCredentials
-                ->each(static function (WebAuthnCredential $credential) use ($except): bool {
-                    if ($credential->isEnabled() && in_array($credential->getKey(), $except, true)) {
+                ->when($except)->whereNotIn('id', $except)
+                ->each(static function (WebAuthnCredential $credential): void {
+                    if ($credential->isEnabled()) {
                         $credential->disable();
                     }
                 });
         } else {
-            $this->webAuthnCredentials()->whereKeyNot($except)->update(['is_enabled' => false]);
+            $this->webAuthnCredentials()->whereKeyNot($except)->whereEnabled()->update(['disabled_at' => Date::now()]);
         }
     }
 

src/WebAuthnServiceProvider.php

@@ -45,6 +45,8 @@ class WebAuthnServiceProvider extends ServiceProvider
         if ($this->app->runningInConsole()) {
             $this->publishesMigrations(static::MIGRATIONS);
             $this->publishes([static::ROUTES => $this->app->basePath('routes/webauthn.php')], 'routes');
+            $this->publishes([static::CONFIG => $this->app->configPath('webauthn.php')], 'config');
+            // @phpstan-ignore-next-line
             $this->publishes([static::CONTROLLERS => $this->app->path('Http/Controllers/WebAuthn')], 'controllers');
             $this->publishes([static::JS => $this->app->resourcePath('js/vendor/webauthn')], 'js');
         }

tests/Assertion/ValidationTest.php

@@ -457,7 +457,7 @@ class ValidationTest extends TestCase
         $this->request->setJson(new ParameterBag($invalid));
 
         $this->expectException(AssertionException::class);
-        $this->expectExceptionMessage('Assertion Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Assertion Error: Relying Party ID not scoped to current.');
 
         $this->validate();
     }
@@ -477,7 +477,7 @@ class ValidationTest extends TestCase
         $this->request->setJson(new ParameterBag($invalid));
 
         $this->expectException(AssertionException::class);
-        $this->expectExceptionMessage('Assertion Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Assertion Error: Relying Party ID not scoped to current.');
 
         $this->validate();
     }

tests/Attestation/CreatorTest.php

@@ -80,7 +80,7 @@ class CreatorTest extends TestCase
             ]);
     }
 
-    public function test_uses_relaying_party_config(): void
+    public function test_uses_relying_party_config(): void
     {
         config(['webauthn.relying_party' => [
             'id' => 'https://foo.bar',

tests/Attestation/ValidationTest.php

@@ -504,7 +504,7 @@ class ValidationTest extends TestCase
     public function test_rp_id_fails_if_not_equal(): void
     {
         $this->expectException(AttestationException::class);
-        $this->expectExceptionMessage('Attestation Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Attestation Error: Relying Party ID not scoped to current.');
 
         $invalid = FakeAuthenticator::attestationResponse();
 
@@ -524,7 +524,7 @@ class ValidationTest extends TestCase
     public function test_rp_id_fails_if_not_contained(): void
     {
         $this->expectException(AttestationException::class);
-        $this->expectExceptionMessage('Attestation Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Attestation Error: Relying Party ID not scoped to current.');
 
         $invalid = FakeAuthenticator::attestationResponse();
 
@@ -546,7 +546,7 @@ class ValidationTest extends TestCase
         $this->app->when(CheckRelyingPartyHashSame::class)
             ->needs(ConfigContract::class)
             ->give(static function (): Repository {
-                return tap(new Repository())->set('webauthn.relaying_party.id', 'https://otherhost.com');
+                return tap(new Repository())->set('webauthn.relying_party.id', 'https://otherhost.com');
             });
 
         $this->expectException(AttestationException::class);

tests/FakeAuthenticator.php

@@ -6,8 +6,8 @@ use JetBrains\PhpStorm\ArrayShape;
 
 class FakeAuthenticator
 {
-    public const CREDENTIAL_ID = '-VOLFKPY-_FuMI_sJ7gMllK76L3VoRUINj6lL_Z3qDg';
-    public const CREDENTIAL_ID_RAW = '+VOLFKPY+/FuMI/sJ7gMllK76L3VoRUINj6lL/Z3qDg=';
+    public const CREDENTIAL_ID = 'owBYu_waGLhAOCg4EFzi6Lr55x51G2dR5yhJi8q2C3tgZQQL2aEi-nK3I54J6ILj70pJzR_6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd-ShQZ95eHoc8SA_-8vzCyfmy-wI_K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A';
+    public const CREDENTIAL_ID_RAW = 'owBYu/waGLhAOCg4EFzi6Lr55x51G2dR5yhJi8q2C3tgZQQL2aEi+nK3I54J6ILj70pJzR/6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd+ShQZ95eHoc8SA/+8vzCyfmy+wI/K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A=';
 
     public const ATTESTATION_USER = [
         'id' => 'e8af6f703f8042aa91c30cf72289aa07',

tests/ServiceProviderTest.php

@@ -0,0 +1,71 @@
+<?php
+
+namespace Tests;
+
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\File;
+use Illuminate\Support\Fluent;
+use Illuminate\Support\ServiceProvider;
+use Laragear\WebAuthn\Contracts\WebAuthnAuthenticatable;
+use Laragear\WebAuthn\WebAuthnAuthentication;
+use Laragear\WebAuthn\WebAuthnServiceProvider;
+
+class ServiceProviderTest extends TestCase
+{
+    public function test_merges_config(): void
+    {
+        static::assertSame(
+            File::getRequire(WebAuthnServiceProvider::CONFIG),
+            $this->app->make('config')->get('webauthn')
+        );
+    }
+
+    public function test_publishes_config(): void
+    {
+        static::assertSame(
+            [WebAuthnServiceProvider::CONFIG => $this->app->configPath('webauthn.php')],
+            ServiceProvider::$publishGroups['config']
+        );
+    }
+
+    /**
+     * @define-env usesCustomTestTime
+     */
+    public function test_publishes_migrations(): void
+    {
+        static::assertSame(
+            [
+                realpath(WebAuthnServiceProvider::MIGRATIONS . '/2022_07_01_000000_create_webauthn_credentials.php') =>
+                    $this->app->databasePath("migrations/2020_01_01_163025_create_webauthn_credentials.php"),
+            ],
+            ServiceProvider::pathsToPublish(WebAuthnServiceProvider::class, 'migrations')
+        );
+    }
+
+    protected function usesCustomTestTime()
+    {
+        $this->travelTo(Carbon::create(2020, 01, 01, 16, 30, 25));
+    }
+
+    public function test_bounds_user(): void
+    {
+        static::assertNull($this->app->make(WebAuthnAuthenticatable::class));
+
+        $user = new class extends Fluent implements WebAuthnAuthenticatable {
+            use WebAuthnAuthentication;
+        };
+
+        $this->app->instance(Authenticatable::class, $user);
+
+        static::assertSame($user, $this->app->make(WebAuthnAuthenticatable::class));
+    }
+
+    public function test_publishes_routes_file(): void
+    {
+        static::assertSame(
+            [WebAuthnServiceProvider::ROUTES => $this->app->basePath('routes/webauthn.php')],
+            ServiceProvider::$publishGroups['routes']
+        );
+    }
+}

tests/WebAuthnAuthenticationTest.php

@@ -0,0 +1,260 @@
+<?php
+
+namespace Tests;
+
+use Illuminate\Support\Carbon;
+use Laragear\WebAuthn\Models\WebAuthnCredential;
+use Ramsey\Uuid\Uuid;
+use function now;
+
+class WebAuthnAuthenticationTest extends TestCase
+{
+    protected Stubs\WebAuthnAuthenticatableUser $user;
+
+    protected function afterRefreshingDatabase(): void
+    {
+        $this->user = Stubs\WebAuthnAuthenticatableUser::forceCreate([
+            'name' => FakeAuthenticator::ATTESTATION_USER['displayName'],
+            'email' => FakeAuthenticator::ATTESTATION_USER['name'],
+            'password' => 'test_password',
+        ]);
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id',
+            'user_id' => Uuid::NIL,
+            'counter' => 0,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+        ])->save();
+    }
+
+    public function test_shows_webauthn_data(): void
+    {
+        static::assertSame([
+            'name' => FakeAuthenticator::ATTESTATION_USER['name'],
+            'displayName' => FakeAuthenticator::ATTESTATION_USER['displayName'],
+        ], $this->user->webAuthnData());
+    }
+
+    public function test_flushes_all_credentials(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->flushCredentials();
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 0);
+    }
+
+    public function test_flushes_all_credentials_using_loaded_relation(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        static::assertCount(2, $this->user->webAuthnCredentials);
+
+        $this->user->flushCredentials();
+
+        static::assertEmpty($this->user->webAuthnCredentials);
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 0);
+    }
+
+    public function test_flushes_all_credentials_except_given_id(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->flushCredentials('test_id_2');
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 1);
+        $this->assertDatabaseMissing(WebAuthnCredential::class, [
+            'id' => 'test_id'
+        ]);
+    }
+
+    public function test_flushes_all_credentials_using_loaded_relation_except_given_id(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        static::assertCount(2, $this->user->webAuthnCredentials);
+
+        $this->user->flushCredentials('test_id_2');
+
+        static::assertCount(1, $this->user->webAuthnCredentials);
+        static::assertTrue($this->user->webAuthnCredentials->contains('id', 'test_id_2'));
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 1);
+        $this->assertDatabaseMissing(WebAuthnCredential::class, [
+            'id' => 'test_id'
+        ]);
+    }
+
+    public function test_disables_all_credentials(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()->subMinute()
+        ])->save();
+
+        $this->user->disableAllCredentials();
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => now()->subMinute()->toDateTimeString(),
+        ]);
+    }
+
+    public function test_disables_all_credentials_with_loaded_relation(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()->subMinute()
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        $this->user->disableAllCredentials();
+
+        static::assertTrue($this->user->webAuthnCredentials->firstWhere('id', 'test_id')->isDisabled());
+        static::assertTrue($this->user->webAuthnCredentials->firstWhere('id', 'test_id_2')->isDisabled());
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => now()->subMinute()->toDateTimeString(),
+        ]);
+    }
+
+    public function test_disables_all_credentials_except_one(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+        ])->save();
+
+        $this->user->disableAllCredentials('test_id');
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => null,
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+    }
+
+    public function test_disables_all_credentials_with_loaded_relation_except_one(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        $this->user->disableAllCredentials('test_id_2');
+
+        static::assertTrue($this->user->webAuthnCredentials->firstWhere('id', 'test_id')->isDisabled());
+        static::assertFalse($this->user->webAuthnCredentials->firstWhere('id', 'test_id_2')->isDisabled());
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => null,
+        ]);
+    }
+}