Merge pull request #39 from Laragear/fix/key-length

[1.x] Fixes id length limitation #38

.github/FUNDING.yml

@@ -1,6 +1,3 @@
-# Help me support this package
-
+# Let's keep it free and up to date
 github: DarkGhostHunter
-patreon: PackagesForLaravel
-ko_fi: DarkGhostHunter
-custom: ['https://www.buymeacoffee.com/darkghosthunter', 'https://paypal.me/darkghosthunter']
+custom: "https://paypal.me/darkghosthunter"

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,5 +1,8 @@
 name: Bug Report
-description: File a bug report
+description: |
+  File a bug report to be fixed.
+
+  Sponsors get priority issues, PRs, fixes and requests. Not a sponsor? [You're a just click away!](https://github.com/sponsors/DarkGhostHunter).
 title: "[X.x] What does happen that is considered an error or bug?"
 labels: ["bug"]
 assignees:
@@ -9,6 +12,7 @@ body:
     attributes:
       value: |
         Thanks for taking the time to fill out this bug report!
+
         The more detailed this bug report is, the faster it can be reviewed and fixed.
   - type: input
     id: version-php-os
@@ -18,6 +22,14 @@ body:
       placeholder: 8.1.2 - Ubuntu 22.04 x64
     validations:
       required: true
+  - type: input
+    id: version-db
+    attributes:
+      label: Database
+      description: Exact DB version using this package, if applicable.
+      placeholder: MySQL 8.0.28
+    validations:
+      required: false
   - type: input
     id: version-laravel
     attributes:
@@ -26,28 +38,12 @@ body:
       placeholder: 9.2.3
     validations:
       required: true
-  - type: input
-    id: version-authenticator
-    attributes:
-      label: Authenticator type
-      description: If applicable, exact authenticator you're using.
-      placeholder: YubiKey 5, iPhone 7s, Samsung Galaxy S11+...
-    validations:
-      required: false
-  - type: input
-    id: version-os-browser
-    attributes:
-      label: OS and Browser versions
-      description: If applicable, exact OS and Browser versions
-      placeholder: Android 12.0 - Chrome 102.0.5005.99
-    validations:
-      required: false
   - type: checkboxes
     id: requirements
     attributes:
       label: Have you done this?
       options:
-        - label: I am willing to share my stack trace and logs
+        - label: I have checked my logs and I'm sure is a bug in this package.
           required: true
         - label: I can reproduce this bug in isolation (vanilla Laravel install)
           required: true
@@ -58,7 +54,7 @@ body:
     attributes:
       label: Expectation
       description: Write what you expect to (correctly) happen.
-      placeholder: When I do this, I expect to this to happen.
+      placeholder: When I do this, I expect to happen that.
     validations:
       required: true
   - type: textarea
@@ -73,7 +69,7 @@ body:
     id: reproduction
     attributes:
       label: Reproduction
-      description: Paste the code to assert in a test, or just comment with the repository with the bug.
+      description: Paste the code to assert in a test, or just comment with the repository with the bug to download.
       render: php
       placeholder: |
         $test = Laragear::make()->break();
@@ -87,27 +83,8 @@ body:
     id: logs
     attributes:
       label: Stack trace & logs
-      description: If you have a stack trace, you can copy it here. You may hide sensible information.
-      placeholder: This is automatically formatted into code, no need for backticks.
+      description: If you have a **full** stack trace, you can copy it here. You may hide sensible information.
+      placeholder: This is automatically formatted into code, no need for ``` backticks.
       render: shell
     validations:
       required: false
-  - type: textarea
-    id: attestation-assertion
-    attributes:
-      label: Attestation / Assertion objects
-      description: If applicable, add the Attestation and Assertion objects you have debugged.
-      placeholder: This is automatically formatted into Javascript, no need for backticks.
-      render: javascript
-    validations:
-      required: false
-  - type: dropdown
-    id: supporter
-    attributes:
-      label: Are you a Patreon supporter?
-      description: Patreon supporters get priority review, fixing and responses. Are you not? [Become one!](https://patreon.com/packagesforlaravel)
-      options:
-        - Yes, with my username
-        - No, don't give priority to this
-    validations:
-      required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,5 +1,8 @@
 name: Feature request
-description: Suggest a feature for this package
+description: |
+  Suggest a feature for this package.
+
+  Sponsors get priority issues, PRs, fixes and requests. Not a sponsor? [You're a just click away!](https://github.com/sponsors/DarkGhostHunter).
 title: "[X.x] Add this cool feature for this package"
 labels: ["enhancement"]
 assignees:
@@ -28,7 +31,12 @@ body:
     attributes:
       label: Description
       description: Describe how the feature works
-      placeholder: This new feature would accomplish this, and would be cool to integrate it to the package because...
+      placeholder: |
+        This new feature would accomplish...
+
+        It could be implemented by doing...
+
+        And it would be cool because...
     validations:
       required: true
   - type: textarea
@@ -41,13 +49,3 @@ body:
       render: php
     validations:
       required: true
-  - type: dropdown
-    id: supporter
-    attributes:
-      label: Are you a Patreon supporter?
-      description: Patreon supporters get priority review, fixing and responses. Are you not? [Become one!](https://patreon.com/packagesforlaravel)
-      options:
-        - Yes, with my username
-        - No, don't give priority to this
-    validations:
-      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,23 +1,22 @@
 <!--
-
 Thanks for contributing to this package! We only accept PR to the latest stable version.
 
 If you're pushing a Feature:
 - Title it: "[X.x] This new feature"
 - Describe what the new feature enables
 - Show a small code snippet of the new feature
-- Ensure it doesn't break any feature.
+- Ensure it doesn't break backward compatibility.
 
 If you're pushing a Fix:
 - Title it: "[X.x] FIX: The bug name"
 - Describe how it fixes in a few words.
-- Ensure it doesn't break any feature.
+- Ensure it doesn't break backward compatibility.
 
 All Pull Requests run with extensive tests for stable and latest versions of PHP and Laravel. 
 Ensure your tests pass or your PR may be taken down.
 
-If you're a Patreon supporter, this PR will have priority.
-Not a Patreon supporter? Become one at https://patreon.com/packagesforlaravel
+If you're a Sponsor, this PR will have priority review.
+Not a Sponsor? Become one at https://github.com/sponsors/DarkGhostHunter
 -->
 
 # Description
@@ -29,5 +28,3 @@ This feature/fix allows to...
 ```php
 Laragear::sample();
 ```
-
-<!-- You may delete this section if it's a FIX -->

.github/workflows/php.yml

@@ -1,6 +1,6 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow
 
-name: "Tests"
+name: Tests
 
 on:
   push:
@@ -21,6 +21,7 @@ jobs:
       - name: "Find non-printable ASCII characters"
         run: |
           ! LC_ALL=C.UTF-8 find ./src -type f -name "*.php" -print0 | xargs -0 -- grep -PHn "[^ -~]"
+
   syntax_errors:
     name: "1️⃣ Syntax errors"
     runs-on: "ubuntu-latest"
@@ -34,10 +35,8 @@ jobs:
       - name: "Checkout code"
         uses: "actions/checkout@v3"
 
-      - name: "Install dependencies"
-        uses: "ramsey/composer-install@v2"
-        with:
-          dependency-versions: "highest"
+      - name: "Validate Composer configuration"
+        run: "composer validate --strict"
 
       - name: "Check source code for syntax errors"
         run: "composer exec -- parallel-lint src/"
@@ -51,12 +50,18 @@ jobs:
     strategy:
       matrix:
         php-version:
+          - "8.0"
           - "8.1"
+          - "8.2"
         laravel-constrain:
           - "9.*"
+          - "10.*"
         dependencies:
           - "lowest"
           - "highest"
+        exclude:
+          - laravel-constrain: "10.*"
+            php-version: "8.0"
     steps:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
@@ -77,7 +82,7 @@ jobs:
         run: "composer run-script test"
 
       - name: "Upload coverage to Codecov"
-        uses: "codecov/codecov-action@v2"
+        uses: "codecov/codecov-action@v3"
 
   static_analysis:
     name: "3️⃣ Static Analysis"
@@ -89,19 +94,15 @@ jobs:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
         with:
-          php-version: "8.1"
           tools: "phpstan"
+          php-version: "latest"
+          coverage: "none"
 
       - name: "Checkout code"
         uses: "actions/checkout@v3"
 
-      - name: "Validate Composer configuration"
-        run: "composer validate --strict"
-
       - name: "Install dependencies"
         uses: "ramsey/composer-install@v2"
-        with:
-          dependency-versions: "highest"
 
       - name: "Execute static analysis"
         run: "composer exec -- phpstan analyze -l 5 src/"
@@ -119,7 +120,7 @@ jobs:
       - name: "Check exported files"
         run: |
           EXPECTED="LICENSE.md,README.md,composer.json"
-          CURRENT="$(git archive HEAD | tar --list --exclude="src" --exclude="src/*" --exclude=".stubs" --exclude=".stubs/*" --exclude="stubs" --exclude="stubs/*" --exclude="lang" --exclude="lang/*" --exclude="config" --exclude="config/*" --exclude="database" --exclude="database/*" --exclude="resources" --exclude="resources/*" --exclude="routes" --exclude="routes/*" | paste -s -d ",")"
+          CURRENT="$(git archive HEAD | tar --list --exclude="src" --exclude="src/*" --exclude=".stubs" --exclude=".stubs/*"  --exclude="routes" --exclude="routes/*" --exclude="stubs" --exclude="stubs/*" --exclude="lang" --exclude="lang/*" --exclude="config" --exclude="config/*" --exclude="database" --exclude="database/*" --exclude="resources" --exclude="resources/*" | paste -s -d ",")"
           echo "CURRENT =${CURRENT}"
           echo "EXPECTED=${EXPECTED}"
           test "${CURRENT}" == "${EXPECTED}"

.gitignore

@@ -4,5 +4,6 @@
 /.vscode
 .php-cs-fixer.cache
 .phpunit.result.cache
+.phpunit.cache
 composer.lock
 phpunit.xml.bak

README.md

@@ -23,9 +23,9 @@ public function login(AssertedRequest $request)
 
 > You want to add two-factor authentication to your app? Check out [Laragear TwoFactor](https://github.com/Laragear/TwoFactor).
 
-## Keep this package free
+## Become a sponsor
 
-[![Patreon](.github/assets/patreon.png)](https://patreon.com/packagesforlaravel)[![Ko-fi](.github/assets/ko-fi.png)](https://ko-fi.com/DarkGhostHunter)[![Buymeacoffee](.github/assets/buymeacoffee.png)](https://www.buymeacoffee.com/darkghosthunter)[![PayPal](.github/assets/paypal.png)](https://www.paypal.com/paypalme/darkghosthunter)
+[![](.github/assets/support.png)](https://github.com/sponsors/DarkGhostHunter)
 
 Your support allows me to keep this package free, up-to-date and maintainable. Alternatively, you can **[spread the word!](http://twitter.com/share?text=I%20am%20using%20this%20cool%20PHP%20package&url=https://github.com%2FLaragear%2FWebAuthn&hashtags=PHP,Laravel)**
 
@@ -258,6 +258,8 @@ const webAuthn = new WebAuthn({}, {
 
 Attestation is the _ceremony_ to create WebAuthn Credentials. To create an Attestable Response that the user device can understand, use the `AttestationRequest::toCreate()` form request.
 
+For example, we can create our own `AttestationController` to create it.
+
 ```php
 // app\Http\Controllers\WebAuthn\AttestationController.php
 use Laragear\WebAuthn\Http\Requests\AttestationRequest;
@@ -354,6 +356,8 @@ The Assertion procedure also follows a two-step procedure: the user will input i
 
 First, use the `AssertionRequest::toVerify()` form request. It will automatically create an assertion for the user that matches the credentials, or a blank one in case you're using [userless login](#userlessone-touchtypeless-login). Otherwise, you may set stricter validation rules to always ask for credentials.
 
+For example, we can use our own `AssertionController` to handle it.
+
 ```php
 // app\Http\Controllers\WebAuthn\AssertionController.php
 use Laragear\WebAuthn\Http\Requests\AssertionRequest;
@@ -547,7 +551,7 @@ After that, you will receive the `config/webauthn.php` config file with an array
 <?php
 
 return [
-    'relaying_party' => [
+    'relying_party' => [
         'name' => env('WEBAUTHN_NAME', env('APP_NAME')),
         'id'   => env('WEBAUTHN_ID'),
     ],
@@ -559,24 +563,31 @@ return [
 ];
 ```
 
-### Relaying Party Information
+### Relying Party Information
 
 ```php
 return [
-    'relaying_party' => [
+    'relying_party' => [
         'name' => env('WEBAUTHN_NAME', env('APP_NAME')),
         'id'   => env('WEBAUTHN_ID'),
     ],
 ];
 ```
 
-The _Relaying Party_ is just a way to uniquely identify your application in the user device:
+The _Relying Party_ is just a way to uniquely identify your application in the user device:
 
 * `name`: The name of the application. Defaults to the application name.
-* `id`: An unique ID the application, like the site domain. If `null`, the device may fill it internally, usually as the full domain.
+* `id`: An unique ID the application, like the site URL. If `null`, the device _may_ fill it internally, usually as the full domain.
 
 > WebAuthn authentication only work on the top domain it was registered. 
 
+Instead of modifying the config file, you should use the environment variables to set the name and ID for WebAuthn.
+
+```dotenv
+WEBAUTHN_NAME=SecureBank
+WEBAUTHN_ID=https://auth.securebank.com
+```
+
 ### Challenge configuration
 
 ```php

composer.json

@@ -24,7 +24,7 @@
             "name": "Italo Israel Baeza Cabrera",
             "email": "DarkGhostHunter@Gmail.com",
             "role": "Developer",
-            "homepage": "https://patreon.com/packagesforlaravel"
+            "homepage": "https://github.com/sponsors/DarkGhostHunter"
         }
     ],
     "support": {
@@ -32,22 +32,20 @@
         "issues": "https://github.com/Laragear/TwoFactor/issues"
     },
     "require": {
-        "php": ">=8.0.2",
+        "php": "8.*",
         "ext-openssl": "*",
         "ext-json": "*",
-        "illuminate/auth": "9.*",
-        "illuminate/http": "9.*",
-        "illuminate/session": "9.*",
-        "illuminate/support": "9.*",
-        "illuminate/config": "9.*",
-        "illuminate/database": "9.*",
-        "illuminate/encryption": "9.*"
+        "illuminate/auth": "9.*|10.*",
+        "illuminate/http": "9.*|10.*",
+        "illuminate/session": "9.*|10.*",
+        "illuminate/support": "9.*|10.*",
+        "illuminate/config": "9.*|10.*",
+        "illuminate/database": "9.*|10.*",
+        "illuminate/encryption": "9.*|10.*"
     },
     "require-dev": {
-        "orchestra/testbench": "7.*",
-        "phpunit/phpunit": "^9.5",
-        "mockery/mockery": "^1.5",
-        "jetbrains/phpstorm-attributes": "^1.0"
+        "orchestra/testbench": "^7.22|8.*",
+        "jetbrains/phpstorm-attributes": "*"
     },
     "autoload": {
         "psr-4": {
@@ -76,16 +74,8 @@
     },
     "funding": [
         {
-            "type": "Patreon",
-            "url": "https://patreon.com/PackagesForLaravel"
-        },
-        {
-            "type": "Ko-Fi",
-            "url": "https://ko-fi.com/DarkGhostHunter"
-        },
-        {
-            "type": "Buy me a cofee",
-            "url": "https://www.buymeacoffee.com/darkghosthunter"
+            "type": "Github Sponsorship",
+            "url": "https://github.com/sponsors/DarkGhostHunter"
         },
         {
             "type": "Paypal",

config/webauthn.php

@@ -4,11 +4,11 @@ return [
 
     /*
     |--------------------------------------------------------------------------
-    | Relaying Party
+    | Relying Party
     |--------------------------------------------------------------------------
     |
     | We will use your application information to inform the device who is the
-    | relaying party. While only the name is enough, you can further set the
+    | relying party. While only the name is enough, you can further set the
     | a custom domain as ID and even an icon image data encoded as BASE64.
     |
     */

database/migrations/2022_07_01_000000_create_webauthn_credentials.php

@@ -43,7 +43,7 @@ return new class extends Migration {
      */
     protected static function defaultBlueprint(Blueprint $table): void
     {
-        $table->string('id')->primary();
+        $table->string('id', 510)->primary();
 
         $table->morphs('authenticatable', 'webauthn_user_index');
 

phpunit.xml

@@ -1,30 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="vendor/autoload.php" backupGlobals="false"
-         backupStaticAttributes="false" colors="true" verbose="true" convertErrorsToExceptions="true"
-         convertNoticesToExceptions="true" convertWarningsToExceptions="true" processIsolation="false"
-         stopOnFailure="false" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.5/phpunit.xsd">
-    <coverage>
-        <include>
-            <directory suffix=".php">src/</directory>
-        </include>
-        <report>
-            <clover outputFile="build/logs/clover.xml"/>
-        </report>
-    </coverage>
-    <testsuites>
-        <testsuite name="Test Suite">
-            <directory>tests</directory>
-            <file>stubs/controllers/WebAuthnLoginController.php</file>
-            <file>stubs/controllers/WebAuthnRegisterController.php</file>
-        </testsuite>
-    </testsuites>
-    <logging>
-        <junit outputFile="build/report.junit.xml"/>
-    </logging>
-    <php>
-        <env name="APP_ENV" value="testing"/>
-        <env name="APP_DEBUG" value="true"/>
-        <env name="APP_KEY" value="AckfSECXIvnK5r28GVIWUAxmbBSjTsmF"/>
-        <env name="DB_CONNECTION" value="testing"/>
-    </php>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="vendor/autoload.php" colors="true" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.0/phpunit.xsd" cacheDirectory=".phpunit.cache">
+  <coverage>
+    <include>
+      <directory suffix=".php">src/</directory>
+      <directory suffix=".php">stubs/controllers</directory>
+    </include>
+    <report>
+      <clover outputFile="build/logs/clover.xml"/>
+    </report>
+  </coverage>
+  <testsuites>
+    <testsuite name="Test Suite">
+      <directory>tests</directory>
+    </testsuite>
+  </testsuites>
+  <php>
+    <includePath>stubs/controllers</includePath>
+    <env name="APP_ENV" value="testing"/>
+    <env name="APP_DEBUG" value="true"/>
+    <env name="APP_KEY" value="AckfSECXIvnK5r28GVIWUAxmbBSjTsmF"/>
+    <env name="DB_CONNECTION" value="testing"/>
+  </php>
 </phpunit>

resources/js/webauthn.js

@@ -156,7 +156,9 @@ class WebAuthn {
      * @returns {Promise<Response>}
      */
     #fetch(data, route, headers = {}) {
-        return fetch(route, {
+        const url = new URL(route, window.location.origin).href;
+        
+        return fetch(url, {
             method: "POST",
             credentials: this.#includeCredentials ? "include" : "same-origin",
             redirect: "error",
@@ -313,6 +315,7 @@ class WebAuthn {
         const publicKeyCredential = this.#parseOutgoingCredentials(credentials);
 
         Object.assign(publicKeyCredential, response);
+        Object.assign(publicKeyCredential, request);
 
         return await this.#fetch(publicKeyCredential, this.#routes.register).then(WebAuthn.#handleResponse);
     }

routes/webauthn.php

@@ -4,14 +4,17 @@ use App\Http\Controllers\WebAuthn\WebAuthnLoginController;
 use App\Http\Controllers\WebAuthn\WebAuthnRegisterController;
 use Illuminate\Support\Facades\Route;
 
-Route::middleware('web')->group(static function (): void {
-    Route::post('webauthn/register/options', [WebAuthnRegisterController::class, 'options'])
-        ->name('webauthn.register.options');
-    Route::post('webauthn/register', [WebAuthnRegisterController::class, 'register'])
-        ->name('webauthn.register');
+Route::middleware('web')
+    ->group(static function (): void {
+        Route::controller(WebAuthnRegisterController::class)
+            ->group(static function (): void {
+                Route::post('webauthn/register/options', 'options')->name('webauthn.register.options');
+                Route::post('webauthn/register', 'register')->name('webauthn.register');
+            });
 
-    Route::post('webauthn/login/options', [WebAuthnLoginController::class, 'options'])
-        ->name('webauthn.login.options');
-    Route::post('webauthn/login', [WebAuthnLoginController::class, 'login'])
-        ->name('webauthn.login');
-});
+        Route::controller(WebAuthnLoginController::class)
+            ->group(static function (): void {
+                Route::post('webauthn/login/options', 'options')->name('webauthn.login.options');
+                Route::post('webauthn/login', 'login')->name('webauthn.login');
+            });
+    });

src/Attestation/Validator/Pipes/CheckRelyingPartyHashSame.php

@@ -35,6 +35,6 @@ class CheckRelyingPartyHashSame extends BaseCheckRelyingPartyHashSame
      */
     protected function relyingPartyId(AssertionValidation|AttestationValidation $validation): string
     {
-        return $this->config->get('webauthn.relaying_party.id') ?? $this->config->get('app.url');
+        return $this->config->get('webauthn.relying_party.id') ?? $this->config->get('app.url');
     }
 }

src/Attestation/Validator/Pipes/MakeWebAuthnCredential.php

@@ -41,7 +41,7 @@ class MakeWebAuthnCredential
             'alias' => $validation->request->json('response.alias'),
 
             'counter' => $validation->attestationObject->authenticatorData->counter,
-            'rp_id' => $this->config->get('webauthn.relaying_party.id') ?? $this->config->get('app.url'),
+            'rp_id' => $this->config->get('webauthn.relying_party.id') ?? $this->config->get('app.url'),
             'origin' => $validation->clientDataJson->origin,
             'transports' => $validation->request->json('response.transports'),
             'aaguid' => Uuid::fromBytes($validation->attestationObject->authenticatorData->attestedCredentialData->aaguid),

src/Models/WebAuthnCredential.php

@@ -95,7 +95,7 @@ class WebAuthnCredential extends Model
      *
      * @var array<int, string>
      */
-    protected $visible = ['id', 'origin', 'alias', 'aaguid', 'attestation_format', 'disabled_at', 'is_enabled'];
+    protected $visible = ['id', 'origin', 'alias', 'aaguid', 'attestation_format', 'disabled_at'];
 
     /**
      * @phpstan-ignore-next-line

src/SharedPipes/CheckRelyingPartyHashSame.php

@@ -39,11 +39,11 @@ abstract class CheckRelyingPartyHashSame
     public function handle(AttestationValidation|AssertionValidation $validation, Closure $next): mixed
     {
         // This way we can get the app RP ID on attestation, and the Credential RP ID
-        // on assertion. The credential will have the same Relaying Party ID on both
+        // on assertion. The credential will have the same Relying Party ID on both
         // the authenticator and the application so on assertion both should match.
-        $relayingParty = parse_url($this->relyingPartyId($validation), PHP_URL_HOST);
+        $relyingParty = parse_url($this->relyingPartyId($validation), PHP_URL_HOST);
 
-        if ($this->authenticatorData($validation)->hasNotSameRPIdHash($relayingParty)) {
+        if ($this->authenticatorData($validation)->hasNotSameRPIdHash($relyingParty)) {
             static::throw($validation, 'Response has different Relying Party ID hash.');
         }
 

src/SharedPipes/CheckRelyingPartyIdContained.php

@@ -40,11 +40,11 @@ abstract class CheckRelyingPartyIdContained
     public function handle(AttestationValidation|AssertionValidation $validation, Closure $next): mixed
     {
         if (!$host = parse_url($validation->clientDataJson->origin, PHP_URL_HOST)) {
-            static::throw($validation, 'Relaying Party ID is invalid.');
+            static::throw($validation, 'Relying Party ID is invalid.');
         }
 
         $current = parse_url(
-            $this->config->get('webauthn.relaying_party.id') ?? $this->config->get('app.url'), PHP_URL_HOST
+            $this->config->get('webauthn.relying_party.id') ?? $this->config->get('app.url'), PHP_URL_HOST
         );
 
         // Check the host is the same or is a subdomain of the current config domain.
@@ -52,6 +52,6 @@ abstract class CheckRelyingPartyIdContained
             return $next($validation);
         }
 
-        static::throw($validation, 'Relaying Party ID not scoped to current.');
+        static::throw($validation, 'Relying Party ID not scoped to current.');
     }
 }

src/WebAuthn.php

@@ -31,20 +31,19 @@ class WebAuthn
      */
     public static function routes(): void
     {
-        Route::middleware('web')->group(static function (): void {
-            Route::post('webauthn/register/options')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnRegisterController::class, 'options'])
-                ->name('webauthn.register.options');
-            Route::post('webauthn/register')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnRegisterController::class, 'register'])
-                ->name('webauthn.register');
+        Route::middleware('web')
+            ->group(static function (): void {
+                Route::controller(\App\Http\Controllers\WebAuthn\WebAuthnRegisterController::class)
+                    ->group(static function (): void {
+                        Route::post('webauthn/register/options', 'options')->name('webauthn.register.options');
+                        Route::post('webauthn/register', 'register')->name('webauthn.register');
+                    });
 
-            Route::post('webauthn/login/options')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnLoginController::class, 'options'])
-                ->name('webauthn.login.options');
-            Route::post('webauthn/login')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnLoginController::class, 'login'])
-                ->name('webauthn.login');
+                Route::controller(\App\Http\Controllers\WebAuthn\WebAuthnLoginController::class)
+                    ->group(static function (): void {
+                        Route::post('webauthn/login/options', 'options')->name('webauthn.login.options');
+                        Route::post('webauthn/login', 'login')->name('webauthn.login');
+                    });
         });
     }
 }

src/WebAuthnAuthentication.php

@@ -4,9 +4,9 @@ namespace Laragear\WebAuthn;
 
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Relations\MorphMany;
+use Illuminate\Support\Facades\Date;
 use JetBrains\PhpStorm\ArrayShape;
 use Laragear\WebAuthn\Models\WebAuthnCredential;
-use function in_array;
 
 /**
  * @property-read \Illuminate\Database\Eloquent\Collection<int, \Laragear\WebAuthn\Models\WebAuthnCredential> $webAuthnCredentials
@@ -38,20 +38,17 @@ trait WebAuthnAuthentication
      */
     public function flushCredentials(string ...$except): void
     {
-        if ($this->relationLoaded('webAuthnCredentials') && $this->webAuthnCredentials instanceof Collection) {
-            $partitioned = $this->webAuthnCredentials
-                ->partition(static function (WebAuthnCredential $credential) use ($except): bool {
-                    return in_array($credential->getKey(), $except, true);
-                });
-
-            $partitioned->first()->each->delete();
-
-            $this->setRelation('webAuthnCredentials', $partitioned->last());
+        if (! $this->relationLoaded('webAuthnCredentials')) {
+            $this->webAuthnCredentials()->whereKeyNot($except)->delete();
 
             return;
         }
 
-        $this->webAuthnCredentials()->whereKeyNot($except)->delete();
+        if ($this->webAuthnCredentials instanceof Collection && $this->webAuthnCredentials->isNotEmpty()) {
+            $this->webAuthnCredentials->whereNotIn('id', $except)->each->delete();
+
+            $this->setRelation('webAuthnCredentials', $this->webAuthnCredentials->whereIn('id', $except));
+        }
     }
 
     /**
@@ -64,13 +61,14 @@ trait WebAuthnAuthentication
     {
         if ($this->relationLoaded('webAuthnCredentials') && $this->webAuthnCredentials instanceof Collection) {
             $this->webAuthnCredentials
-                ->each(static function (WebAuthnCredential $credential) use ($except): bool {
-                    if ($credential->isEnabled() && in_array($credential->getKey(), $except, true)) {
+                ->when($except)->whereNotIn('id', $except)
+                ->each(static function (WebAuthnCredential $credential): void {
+                    if ($credential->isEnabled()) {
                         $credential->disable();
                     }
                 });
         } else {
-            $this->webAuthnCredentials()->whereKeyNot($except)->update(['is_enabled' => false]);
+            $this->webAuthnCredentials()->whereKeyNot($except)->whereEnabled()->update(['disabled_at' => Date::now()]);
         }
     }
 

src/WebAuthnServiceProvider.php

@@ -45,6 +45,7 @@ class WebAuthnServiceProvider extends ServiceProvider
         if ($this->app->runningInConsole()) {
             $this->publishesMigrations(static::MIGRATIONS);
             $this->publishes([static::ROUTES => $this->app->basePath('routes/webauthn.php')], 'routes');
+            $this->publishes([static::CONFIG => $this->app->configPath('webauthn.php')], 'config');
             // @phpstan-ignore-next-line
             $this->publishes([static::CONTROLLERS => $this->app->path('Http/Controllers/WebAuthn')], 'controllers');
             $this->publishes([static::JS => $this->app->resourcePath('js/vendor/webauthn')], 'js');

tests/Assertion/ValidationTest.php

@@ -457,7 +457,7 @@ class ValidationTest extends TestCase
         $this->request->setJson(new ParameterBag($invalid));
 
         $this->expectException(AssertionException::class);
-        $this->expectExceptionMessage('Assertion Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Assertion Error: Relying Party ID not scoped to current.');
 
         $this->validate();
     }
@@ -477,7 +477,7 @@ class ValidationTest extends TestCase
         $this->request->setJson(new ParameterBag($invalid));
 
         $this->expectException(AssertionException::class);
-        $this->expectExceptionMessage('Assertion Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Assertion Error: Relying Party ID not scoped to current.');
 
         $this->validate();
     }

tests/Attestation/CreatorTest.php

@@ -80,7 +80,7 @@ class CreatorTest extends TestCase
             ]);
     }
 
-    public function test_uses_relaying_party_config(): void
+    public function test_uses_relying_party_config(): void
     {
         config(['webauthn.relying_party' => [
             'id' => 'https://foo.bar',

tests/Attestation/ValidationTest.php

@@ -504,7 +504,7 @@ class ValidationTest extends TestCase
     public function test_rp_id_fails_if_not_equal(): void
     {
         $this->expectException(AttestationException::class);
-        $this->expectExceptionMessage('Attestation Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Attestation Error: Relying Party ID not scoped to current.');
 
         $invalid = FakeAuthenticator::attestationResponse();
 
@@ -524,7 +524,7 @@ class ValidationTest extends TestCase
     public function test_rp_id_fails_if_not_contained(): void
     {
         $this->expectException(AttestationException::class);
-        $this->expectExceptionMessage('Attestation Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Attestation Error: Relying Party ID not scoped to current.');
 
         $invalid = FakeAuthenticator::attestationResponse();
 
@@ -546,7 +546,7 @@ class ValidationTest extends TestCase
         $this->app->when(CheckRelyingPartyHashSame::class)
             ->needs(ConfigContract::class)
             ->give(static function (): Repository {
-                return tap(new Repository())->set('webauthn.relaying_party.id', 'https://otherhost.com');
+                return tap(new Repository())->set('webauthn.relying_party.id', 'https://otherhost.com');
             });
 
         $this->expectException(AttestationException::class);

tests/FakeAuthenticator.php

@@ -6,8 +6,8 @@ use JetBrains\PhpStorm\ArrayShape;
 
 class FakeAuthenticator
 {
-    public const CREDENTIAL_ID = '-VOLFKPY-_FuMI_sJ7gMllK76L3VoRUINj6lL_Z3qDg';
-    public const CREDENTIAL_ID_RAW = '+VOLFKPY+/FuMI/sJ7gMllK76L3VoRUINj6lL/Z3qDg=';
+    public const CREDENTIAL_ID = 'owBYu_waGLhAOCg4EFzi6Lr55x51G2dR5yhJi8q2C3tgZQQL2aEi-nK3I54J6ILj70pJzR_6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd-ShQZ95eHoc8SA_-8vzCyfmy-wI_K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A';
+    public const CREDENTIAL_ID_RAW = 'owBYu/waGLhAOCg4EFzi6Lr55x51G2dR5yhJi8q2C3tgZQQL2aEi+nK3I54J6ILj70pJzR/6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd+ShQZ95eHoc8SA/+8vzCyfmy+wI/K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A=';
 
     public const ATTESTATION_USER = [
         'id' => 'e8af6f703f8042aa91c30cf72289aa07',

tests/ServiceProviderTest.php

@@ -0,0 +1,71 @@
+<?php
+
+namespace Tests;
+
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\File;
+use Illuminate\Support\Fluent;
+use Illuminate\Support\ServiceProvider;
+use Laragear\WebAuthn\Contracts\WebAuthnAuthenticatable;
+use Laragear\WebAuthn\WebAuthnAuthentication;
+use Laragear\WebAuthn\WebAuthnServiceProvider;
+
+class ServiceProviderTest extends TestCase
+{
+    public function test_merges_config(): void
+    {
+        static::assertSame(
+            File::getRequire(WebAuthnServiceProvider::CONFIG),
+            $this->app->make('config')->get('webauthn')
+        );
+    }
+
+    public function test_publishes_config(): void
+    {
+        static::assertSame(
+            [WebAuthnServiceProvider::CONFIG => $this->app->configPath('webauthn.php')],
+            ServiceProvider::$publishGroups['config']
+        );
+    }
+
+    /**
+     * @define-env usesCustomTestTime
+     */
+    public function test_publishes_migrations(): void
+    {
+        static::assertSame(
+            [
+                realpath(WebAuthnServiceProvider::MIGRATIONS . '/2022_07_01_000000_create_webauthn_credentials.php') =>
+                    $this->app->databasePath("migrations/2020_01_01_163025_create_webauthn_credentials.php"),
+            ],
+            ServiceProvider::pathsToPublish(WebAuthnServiceProvider::class, 'migrations')
+        );
+    }
+
+    protected function usesCustomTestTime()
+    {
+        $this->travelTo(Carbon::create(2020, 01, 01, 16, 30, 25));
+    }
+
+    public function test_bounds_user(): void
+    {
+        static::assertNull($this->app->make(WebAuthnAuthenticatable::class));
+
+        $user = new class extends Fluent implements WebAuthnAuthenticatable {
+            use WebAuthnAuthentication;
+        };
+
+        $this->app->instance(Authenticatable::class, $user);
+
+        static::assertSame($user, $this->app->make(WebAuthnAuthenticatable::class));
+    }
+
+    public function test_publishes_routes_file(): void
+    {
+        static::assertSame(
+            [WebAuthnServiceProvider::ROUTES => $this->app->basePath('routes/webauthn.php')],
+            ServiceProvider::$publishGroups['routes']
+        );
+    }
+}

tests/WebAuthnAuthenticationTest.php

@@ -0,0 +1,260 @@
+<?php
+
+namespace Tests;
+
+use Illuminate\Support\Carbon;
+use Laragear\WebAuthn\Models\WebAuthnCredential;
+use Ramsey\Uuid\Uuid;
+use function now;
+
+class WebAuthnAuthenticationTest extends TestCase
+{
+    protected Stubs\WebAuthnAuthenticatableUser $user;
+
+    protected function afterRefreshingDatabase(): void
+    {
+        $this->user = Stubs\WebAuthnAuthenticatableUser::forceCreate([
+            'name' => FakeAuthenticator::ATTESTATION_USER['displayName'],
+            'email' => FakeAuthenticator::ATTESTATION_USER['name'],
+            'password' => 'test_password',
+        ]);
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id',
+            'user_id' => Uuid::NIL,
+            'counter' => 0,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+        ])->save();
+    }
+
+    public function test_shows_webauthn_data(): void
+    {
+        static::assertSame([
+            'name' => FakeAuthenticator::ATTESTATION_USER['name'],
+            'displayName' => FakeAuthenticator::ATTESTATION_USER['displayName'],
+        ], $this->user->webAuthnData());
+    }
+
+    public function test_flushes_all_credentials(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->flushCredentials();
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 0);
+    }
+
+    public function test_flushes_all_credentials_using_loaded_relation(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        static::assertCount(2, $this->user->webAuthnCredentials);
+
+        $this->user->flushCredentials();
+
+        static::assertEmpty($this->user->webAuthnCredentials);
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 0);
+    }
+
+    public function test_flushes_all_credentials_except_given_id(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->flushCredentials('test_id_2');
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 1);
+        $this->assertDatabaseMissing(WebAuthnCredential::class, [
+            'id' => 'test_id'
+        ]);
+    }
+
+    public function test_flushes_all_credentials_using_loaded_relation_except_given_id(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        static::assertCount(2, $this->user->webAuthnCredentials);
+
+        $this->user->flushCredentials('test_id_2');
+
+        static::assertCount(1, $this->user->webAuthnCredentials);
+        static::assertTrue($this->user->webAuthnCredentials->contains('id', 'test_id_2'));
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 1);
+        $this->assertDatabaseMissing(WebAuthnCredential::class, [
+            'id' => 'test_id'
+        ]);
+    }
+
+    public function test_disables_all_credentials(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()->subMinute()
+        ])->save();
+
+        $this->user->disableAllCredentials();
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => now()->subMinute()->toDateTimeString(),
+        ]);
+    }
+
+    public function test_disables_all_credentials_with_loaded_relation(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()->subMinute()
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        $this->user->disableAllCredentials();
+
+        static::assertTrue($this->user->webAuthnCredentials->firstWhere('id', 'test_id')->isDisabled());
+        static::assertTrue($this->user->webAuthnCredentials->firstWhere('id', 'test_id_2')->isDisabled());
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => now()->subMinute()->toDateTimeString(),
+        ]);
+    }
+
+    public function test_disables_all_credentials_except_one(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+        ])->save();
+
+        $this->user->disableAllCredentials('test_id');
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => null,
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+    }
+
+    public function test_disables_all_credentials_with_loaded_relation_except_one(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        $this->user->disableAllCredentials('test_id_2');
+
+        static::assertTrue($this->user->webAuthnCredentials->firstWhere('id', 'test_id')->isDisabled());
+        static::assertFalse($this->user->webAuthnCredentials->firstWhere('id', 'test_id_2')->isDisabled());
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => null,
+        ]);
+    }
+}