rename package

You're right, thanks.

.github/FUNDING.yml

@@ -1,6 +1,3 @@
-# Help me support this package
-
+# Let's keep it free and up to date
 github: DarkGhostHunter
-patreon: PackagesForLaravel
-ko_fi: DarkGhostHunter
-custom: ['https://www.buymeacoffee.com/darkghosthunter', 'https://paypal.me/darkghosthunter']
+custom: "https://paypal.me/darkghosthunter"

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,5 +1,8 @@
 name: Bug Report
-description: File a bug report
+description: |
+  File a bug report to be fixed.
+
+  Sponsors get priority issues, PRs, fixes and requests. Not a sponsor? [You're a just click away!](https://github.com/sponsors/DarkGhostHunter).
 title: "[X.x] What does happen that is considered an error or bug?"
 labels: ["bug"]
 assignees:
@@ -9,6 +12,7 @@ body:
     attributes:
       value: |
         Thanks for taking the time to fill out this bug report!
+
         The more detailed this bug report is, the faster it can be reviewed and fixed.
   - type: input
     id: version-php-os
@@ -18,6 +22,14 @@ body:
       placeholder: 8.1.2 - Ubuntu 22.04 x64
     validations:
       required: true
+  - type: input
+    id: version-db
+    attributes:
+      label: Database
+      description: Exact DB version using this package, if applicable.
+      placeholder: MySQL 8.0.28
+    validations:
+      required: false
   - type: input
     id: version-laravel
     attributes:
@@ -26,28 +38,12 @@ body:
       placeholder: 9.2.3
     validations:
       required: true
-  - type: input
-    id: version-authenticator
-    attributes:
-      label: Authenticator type
-      description: If applicable, exact authenticator you're using.
-      placeholder: YubiKey 5, iPhone 7s, Samsung Galaxy S11+...
-    validations:
-      required: false
-  - type: input
-    id: version-os-browser
-    attributes:
-      label: OS and Browser versions
-      description: If applicable, exact OS and Browser versions
-      placeholder: Android 12.0 - Chrome 102.0.5005.99
-    validations:
-      required: false
   - type: checkboxes
     id: requirements
     attributes:
       label: Have you done this?
       options:
-        - label: I am willing to share my stack trace and logs
+        - label: I have checked my logs and I'm sure is a bug in this package.
           required: true
         - label: I can reproduce this bug in isolation (vanilla Laravel install)
           required: true
@@ -58,7 +54,7 @@ body:
     attributes:
       label: Expectation
       description: Write what you expect to (correctly) happen.
-      placeholder: When I do this, I expect to this to happen.
+      placeholder: When I do this, I expect to happen that.
     validations:
       required: true
   - type: textarea
@@ -73,7 +69,7 @@ body:
     id: reproduction
     attributes:
       label: Reproduction
-      description: Paste the code to assert in a test, or just comment with the repository with the bug.
+      description: Paste the code to assert in a test, or just comment with the repository with the bug to download.
       render: php
       placeholder: |
         $test = Laragear::make()->break();
@@ -87,27 +83,8 @@ body:
     id: logs
     attributes:
       label: Stack trace & logs
-      description: If you have a stack trace, you can copy it here. You may hide sensible information.
-      placeholder: This is automatically formatted into code, no need for backticks.
+      description: If you have a **full** stack trace, you can copy it here. You may hide sensible information.
+      placeholder: This is automatically formatted into code, no need for ``` backticks.
       render: shell
     validations:
       required: false
-  - type: textarea
-    id: attestation-assertion
-    attributes:
-      label: Attestation / Assertion objects
-      description: If applicable, add the Attestation and Assertion objects you have debugged.
-      placeholder: This is automatically formatted into Javascript, no need for backticks.
-      render: javascript
-    validations:
-      required: false
-  - type: dropdown
-    id: supporter
-    attributes:
-      label: Are you a Patreon supporter?
-      description: Patreon supporters get priority review, fixing and responses. Are you not? [Become one!](https://patreon.com/packagesforlaravel)
-      options:
-        - Yes, with my username
-        - No, don't give priority to this
-    validations:
-      required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,5 +1,8 @@
 name: Feature request
-description: Suggest a feature for this package
+description: |
+  Suggest a feature for this package.
+
+  Sponsors get priority issues, PRs, fixes and requests. Not a sponsor? [You're a just click away!](https://github.com/sponsors/DarkGhostHunter).
 title: "[X.x] Add this cool feature for this package"
 labels: ["enhancement"]
 assignees:
@@ -28,7 +31,12 @@ body:
     attributes:
       label: Description
       description: Describe how the feature works
-      placeholder: This new feature would accomplish this, and would be cool to integrate it to the package because...
+      placeholder: |
+        This new feature would accomplish...
+
+        It could be implemented by doing...
+
+        And it would be cool because...
     validations:
       required: true
   - type: textarea
@@ -41,13 +49,3 @@ body:
       render: php
     validations:
       required: true
-  - type: dropdown
-    id: supporter
-    attributes:
-      label: Are you a Patreon supporter?
-      description: Patreon supporters get priority review, fixing and responses. Are you not? [Become one!](https://patreon.com/packagesforlaravel)
-      options:
-        - Yes, with my username
-        - No, don't give priority to this
-    validations:
-      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,23 +1,22 @@
 <!--
-
 Thanks for contributing to this package! We only accept PR to the latest stable version.
 
 If you're pushing a Feature:
 - Title it: "[X.x] This new feature"
 - Describe what the new feature enables
 - Show a small code snippet of the new feature
-- Ensure it doesn't break any feature.
+- Ensure it doesn't break backward compatibility.
 
 If you're pushing a Fix:
 - Title it: "[X.x] FIX: The bug name"
 - Describe how it fixes in a few words.
-- Ensure it doesn't break any feature.
+- Ensure it doesn't break backward compatibility.
 
 All Pull Requests run with extensive tests for stable and latest versions of PHP and Laravel. 
 Ensure your tests pass or your PR may be taken down.
 
-If you're a Patreon supporter, this PR will have priority.
-Not a Patreon supporter? Become one at https://patreon.com/packagesforlaravel
+If you're a Sponsor, this PR will have priority review.
+Not a Sponsor? Become one at https://github.com/sponsors/DarkGhostHunter
 -->
 
 # Description
@@ -29,5 +28,3 @@ This feature/fix allows to...
 ```php
 Laragear::sample();
 ```
-
-<!-- You may delete this section if it's a FIX -->

.github/workflows/php.yml

@@ -1,6 +1,6 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow
 
-name: "Tests"
+name: Tests
 
 on:
   push:
@@ -21,6 +21,7 @@ jobs:
       - name: "Find non-printable ASCII characters"
         run: |
           ! LC_ALL=C.UTF-8 find ./src -type f -name "*.php" -print0 | xargs -0 -- grep -PHn "[^ -~]"
+
   syntax_errors:
     name: "1️⃣ Syntax errors"
     runs-on: "ubuntu-latest"
@@ -34,10 +35,8 @@ jobs:
       - name: "Checkout code"
         uses: "actions/checkout@v3"
 
-      - name: "Install dependencies"
-        uses: "ramsey/composer-install@v2"
-        with:
-          dependency-versions: "highest"
+      - name: "Validate Composer configuration"
+        run: "composer validate --strict"
 
       - name: "Check source code for syntax errors"
         run: "composer exec -- parallel-lint src/"
@@ -51,19 +50,26 @@ jobs:
     strategy:
       matrix:
         php-version:
+          - "8.0"
           - "8.1"
-        laravel-constrain:
+          - "8.2"
+        laravel-constraint:
           - "9.*"
+          - "10.*"
         dependencies:
           - "lowest"
           - "highest"
+        exclude:
+          - php-version: "8.0"
+            laravel-constraint: "10.*"
+
     steps:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
         with:
           php-version: "${{ matrix.php-version }}"
-          extensions: mbstring, intl
-          coverage: xdebug
+          extensions: "mbstring, intl"
+          coverage: "xdebug"
 
       - name: "Checkout code"
         uses: "actions/checkout@v3"
@@ -72,12 +78,13 @@ jobs:
         uses: "ramsey/composer-install@v2"
         with:
           dependency-versions: "${{ matrix.dependencies }}"
+          composer-options: "--with=laravel/framework:${{ matrix.laravel-constraint }}"
 
       - name: "Execute unit tests"
         run: "composer run-script test"
 
       - name: "Upload coverage to Codecov"
-        uses: "codecov/codecov-action@v2"
+        uses: "codecov/codecov-action@v3"
 
   static_analysis:
     name: "3️⃣ Static Analysis"
@@ -89,19 +96,15 @@ jobs:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
         with:
-          php-version: "8.1"
           tools: "phpstan"
+          php-version: "latest"
+          coverage: "none"
 
       - name: "Checkout code"
         uses: "actions/checkout@v3"
 
-      - name: "Validate Composer configuration"
-        run: "composer validate --strict"
-
       - name: "Install dependencies"
         uses: "ramsey/composer-install@v2"
-        with:
-          dependency-versions: "highest"
 
       - name: "Execute static analysis"
         run: "composer exec -- phpstan analyze -l 5 src/"
@@ -119,7 +122,7 @@ jobs:
       - name: "Check exported files"
         run: |
           EXPECTED="LICENSE.md,README.md,composer.json"
-          CURRENT="$(git archive HEAD | tar --list --exclude="src" --exclude="src/*" --exclude=".stubs" --exclude=".stubs/*" --exclude="stubs" --exclude="stubs/*" --exclude="lang" --exclude="lang/*" --exclude="config" --exclude="config/*" --exclude="database" --exclude="database/*" --exclude="resources" --exclude="resources/*" --exclude="routes" --exclude="routes/*" | paste -s -d ",")"
+          CURRENT="$(git archive HEAD | tar --list --exclude="src" --exclude="src/*" --exclude=".stubs" --exclude=".stubs/*"  --exclude="routes" --exclude="routes/*" --exclude="stubs" --exclude="stubs/*" --exclude="lang" --exclude="lang/*" --exclude="config" --exclude="config/*" --exclude="database" --exclude="database/*" --exclude="resources" --exclude="resources/*" | paste -s -d ",")"
           echo "CURRENT =${CURRENT}"
           echo "EXPECTED=${EXPECTED}"
           test "${CURRENT}" == "${EXPECTED}"

.gitignore

@@ -4,5 +4,6 @@
 /.vscode
 .php-cs-fixer.cache
 .phpunit.result.cache
+.phpunit.cache
 composer.lock
 phpunit.xml.bak

README.md

@@ -7,7 +7,7 @@
 [![Sonarcloud Status](https://sonarcloud.io/api/project_badges/measure?project=Laragear_WebAuthn&metric=alert_status)](https://sonarcloud.io/dashboard?id=Laragear_WebAuthn)
 [![Laravel Octane Compatibility](https://img.shields.io/badge/Laravel%20Octane-Compatible-success?style=flat&logo=laravel)](https://laravel.com/docs/9.x/octane#introduction)
 
-Authenticate users with fingerprints, patterns and biometric data.
+Authenticate users with Passkeys: fingerprints, patterns and biometric data.
 
 ```php
 // App\Http\Controllers\LoginController.php
@@ -23,9 +23,9 @@ public function login(AssertedRequest $request)
 
 > You want to add two-factor authentication to your app? Check out [Laragear TwoFactor](https://github.com/Laragear/TwoFactor).
 
-## Keep this package free
+## Become a sponsor
 
-[![Patreon](.github/assets/patreon.png)](https://patreon.com/packagesforlaravel)[![Ko-fi](.github/assets/ko-fi.png)](https://ko-fi.com/DarkGhostHunter)[![Buymeacoffee](.github/assets/buymeacoffee.png)](https://www.buymeacoffee.com/darkghosthunter)[![PayPal](.github/assets/paypal.png)](https://www.paypal.com/paypalme/darkghosthunter)
+[![](.github/assets/support.png)](https://github.com/sponsors/DarkGhostHunter)
 
 Your support allows me to keep this package free, up-to-date and maintainable. Alternatively, you can **[spread the word!](http://twitter.com/share?text=I%20am%20using%20this%20cool%20PHP%20package&url=https://github.com%2FLaragear%2FWebAuthn&hashtags=PHP,Laravel)**
 
@@ -42,15 +42,15 @@ Require this package into your project using Composer:
 composer require laragear/webauthn
 ```
 
-## How does it work?
+## How Passkeys work?
 
-WebAuthn authentication process consists in two _ceremonies_: attestation, and assertion.
+Passkeys, hence WebAuthn, consists in two _ceremonies_: attestation, and assertion.
 
-Attestation is the process of asking the authenticator (a phone, laptop, USB key...) to create a private-public key pair, and **register** the public key inside the app. For that to work, the user must exist, and the browser must support WebAuthn, which is what intermediates between the authenticator (OS & device hardware) and the app.
+Attestation is the process of asking the authenticator (a phone, laptop, USB key...) to create a private-public key pair, save the private key internally, and **store** the public key inside the server. For that to work, the browser must support WebAuthn, which is what intermediates between the authenticator (OS & device hardware) and the server.
 
-Assertion is the process of pushing a cryptographic challenge to the device, which will return back _signed_ by the private key. Upon arrival, the app checks the signature is correct with the stored public key, ready to **log in**.
+Assertion is the process of pushing a cryptographic challenge to the authenticator, which will return back to the server _signed_ by the private key of the device. Upon arrival, the server checks the signature is correct with the stored public key, ready to **log in**.
 
-The private key doesn't leave the authenticator, and there are no shared passwords to save, let alone remember.
+The private key doesn't leave the authenticator, there are no shared passwords stored anywhere, and Passkeys only work on the server domain (like google.com) or subdomain (like auth.google.com).
 
 ## Set up
 
@@ -65,6 +65,10 @@ After that, you can quickly start WebAuthn with the included controllers and hel
 4. [Register the controllers](#4-register-the-routes-and-controllers)
 5. [Use the Javascript helper](#5-use-the-javascript-helper)
 
+> **Info**
+>
+> While you can use Passkeys without users by invoking the _ceremonies_ manually, Laragear WebAuthn is intended to be used with already existing Users.
+
 ### 1. Add the `eloquent-webauthn` driver
 
 Laragear WebAuthn works by extending the Eloquent User Provider with an additional check to find a user for the given WebAuthn Credentials (Assertion). This makes this WebAuthn package compatible with any guard you may have.
@@ -85,7 +89,7 @@ return [
 ];
 ```
 
-The `password_fallback` indicates the User Provider should fall back to validate the password when the request is not a WebAuthn Assertion. It's enabled to seamlessly use both classic and WebAuthn authentication procedures.
+The `password_fallback` indicates the User Provider should fall back to validate the password when the request is not a WebAuthn Assertion. It's enabled to seamlessly use both classic (password) and WebAuthn authentication procedures.
 
 ### 2. Create the `webauthn_credentials` table
 
@@ -152,25 +156,37 @@ This package includes a simple but convenient script to handle WebAuthn Attestat
 php artisan vendor:publish --provider="Laragear\WebAuthn\WebAuthnServiceProvider" --tag="js"
 ```
 
-You will receive the `resources/js/vendor/webauthn/webauthn.js` file which you can include into your authentication views and use it programmatically, anyway you want. For example, [compiling it through Vite](https://laravel.com/docs/9.x/vite#loading-your-scripts-and-styles) into your application global JavaScript.
+You will receive the `resources/js/vendor/webauthn/webauthn.js` file which you can include into your authentication views and use it programmatically
 
 ```html
 <!doctype html>
 <head>
     {{-- ... --}}
- 
-    @vite(['resources/js/app.js', 'resources/js/vendor/webauthn/webauthn.js'])
+
+    <script src="{{ Vite::asset('resources/js/vendor/webauthn/webauthn.js') }}"></script>
+
+    @vite(['resources/js/app.js'])
 </head>
 ```
 
-Once done, you can easily start registering and login in users. For example, for a logged-in user, you may show a registration view in HTML with the following code:
+> **Note**
+>
+> You can also edit the script file to transform it into a module so it can be bundled in your Vite frontend, exporting the class as `export default class WebAuthn { ... }`, and add it to the `@vite` assets.
+>
+> ```html
+> @vite(['resources/js/vendor/webauthn/webauthn.js', 'resources/js/app.js'])
+> ```
+
+Once done, you can easily start registering an user device, and login in users that registered a device previusly.
+
+For example, let's imagine an user logs in normally, and enters its profile view. You may show a WebAuthn registration HTML with the following code:
 
 ```html
 <form id="register-form">
     <button type="submit" value="Register authenticator">
 </form>
 
-<!-- Registering credentials -->
+<!-- Registering authenticator -->
 <script>
     const register = event => {
         event.preventDefault()
@@ -184,7 +200,7 @@ Once done, you can easily start registering and login in users. For example, for
 </script>
 ```
 
-On the other hand, consider a login HTML view with the following code:
+In our Login view, we can use the WebAuthn credentials to log in the user.
 
 ```html
 <form id="login-form">
@@ -210,7 +226,7 @@ On the other hand, consider a login HTML view with the following code:
 </script>
 ```
 
-You can copy-paste this helper into your authentication routes, or import it into a bundler like [Laravel Vite](https://laravel.com/docs/9.x/vite), [Webpack](https://webpack.js.org/), [parcel](https://parceljs.org/), or many more. If the script doesn't suit your needs, you're free to create your own.
+You can copy-paste this helper into your authentication routes, or import it into a bundler like [Laravel Vite](https://laravel.com/docs/9.x/vite), [Webpack](https://webpack.js.org/), [parcel](https://parceljs.org/), or many more, as long you adjust the script to the bundler needs. If the script doesn't suit your needs, you're free to modify it or create your own.
 
 ### Requests and Responses parameters
 
@@ -258,6 +274,8 @@ const webAuthn = new WebAuthn({}, {
 
 Attestation is the _ceremony_ to create WebAuthn Credentials. To create an Attestable Response that the user device can understand, use the `AttestationRequest::toCreate()` form request.
 
+For example, we can create our own `AttestationController` to create it.
+
 ```php
 // app\Http\Controllers\WebAuthn\AttestationController.php
 use Laragear\WebAuthn\Http\Requests\AttestationRequest;
@@ -292,7 +310,12 @@ public function register(AttestedRequest $request)
 {
     $request->validate(['alias' => 'nullable|string']);
 
-    $attestation->save($request->input('alias'));
+    $attestation->save($request->only('alias'));
+    
+    // Same as:
+    // $attestation->save(function ($credentials) use ($request) {
+    //    $credentials->alias = $request->input('alias');
+    // })
 }
 ```
 
@@ -354,6 +377,8 @@ The Assertion procedure also follows a two-step procedure: the user will input i
 
 First, use the `AssertionRequest::toVerify()` form request. It will automatically create an assertion for the user that matches the credentials, or a blank one in case you're using [userless login](#userlessone-touchtypeless-login). Otherwise, you may set stricter validation rules to always ask for credentials.
 
+For example, we can use our own `AssertionController` to handle it.
+
 ```php
 // app\Http\Controllers\WebAuthn\AssertionController.php
 use Laragear\WebAuthn\Http\Requests\AssertionRequest;
@@ -547,7 +572,7 @@ After that, you will receive the `config/webauthn.php` config file with an array
 <?php
 
 return [
-    'relaying_party' => [
+    'relying_party' => [
         'name' => env('WEBAUTHN_NAME', env('APP_NAME')),
         'id'   => env('WEBAUTHN_ID'),
     ],
@@ -559,24 +584,31 @@ return [
 ];
 ```
 
-### Relaying Party Information
+### Relying Party Information
 
 ```php
 return [
-    'relaying_party' => [
+    'relying_party' => [
         'name' => env('WEBAUTHN_NAME', env('APP_NAME')),
         'id'   => env('WEBAUTHN_ID'),
     ],
 ];
 ```
 
-The _Relaying Party_ is just a way to uniquely identify your application in the user device:
+The _Relying Party_ is just a way to uniquely identify your application in the user device:
 
 * `name`: The name of the application. Defaults to the application name.
-* `id`: An unique ID the application, like the site domain. If `null`, the device may fill it internally, usually as the full domain.
+* `id`: An unique ID the application, like the site URL. If `null`, the device _may_ fill it internally, usually as the full domain.
 
 > WebAuthn authentication only work on the top domain it was registered. 
 
+Instead of modifying the config file, you should use the environment variables to set the name and ID for WebAuthn.
+
+```dotenv
+WEBAUTHN_NAME=SecureBank
+WEBAUTHN_ID=https://auth.securebank.com
+```
+
 ### Challenge configuration
 
 ```php
@@ -617,7 +649,9 @@ No. WebAuthn only stores a cryptographic public key generated randomly by the de
 
 * **Can a phishing site steal WebAuthn credentials and use them in my site to impersonate an user?**
 
-No. WebAuthn _kills the phishing_ because, unlike passwords, the private key never leaves the device.
+No. WebAuthn _kills the phishing_ because, unlike passwords, the private key never leaves the device, and the key-pair is bound to the top-most domain it was registered.
+
+An user bing _phished_ at `staetbank.com` won't be able to login with a key made on the legit site `statebank.com`, as the device won't be able to find it.
 
 * **Can WebAuthn data identify a particular device?**
 
@@ -641,15 +675,15 @@ Yes. If you're not using a [password fallback](#password-fallback), you may need
 
 * **What's the difference between disabling and deleting a credential?**
 
-Disabling a credential doesn't delete it, so it's useful as a blacklisting mechanism and these can also be re-enabled. When the credential is deleted, it goes away forever.
+Disabling a credential doesn't delete it, so it's useful as a blacklisting mechanism and these can also be re-enabled. When the credential is deleted, it goes away forever from the server, so the credential in the authenticator device becomes orphaned.
 
 * **Can a user delete its credentials from its device?**
 
-Yes. If it does, the other part of the credentials in your server gets virtually orphaned. You may want to show the user a list of registered credentials in the application to delete them.
+Yes. If it does, the other part of the credentials in your server gets orphaned. You may want to show the user a list of registered credentials in the application to delete them.
 
 * **How secure is this against passwords or 2FA?**
 
-Extremely secure since it works only on HTTPS (or `localhost`), no password or codes are exchanged nor visible in the screen.
+Extremely secure since it works only on HTTPS (or `localhost`). Also, no password or codes are exchanged nor visible in the screen.
 
 * **Can I deactivate the password fallback? Can I enforce only WebAuthn authentication and nothing else?**
 
@@ -659,9 +693,13 @@ Extremely secure since it works only on HTTPS (or `localhost`), no password or c
 
 [Yes](#5-use-the-javascript-helper), but it's very _basic_.
 
+If you need more complex WebAuthn management, consider using the [`navigator.credentials`](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/credentials) API directly.
+
 * **Does WebAuthn eliminate bots? Can I forget about _captchas_?**
 
-No, you still need to use [captcha](https://github.com/Laragear/ReCaptcha), honeypots, or other mechanisms to stop bots.
+Yes and no. To register users, you still need to use [captcha](https://github.com/Laragear/ReCaptcha), honeypots, or other mechanisms to stop bots.
+
+Once a user is registered, bots won't be able to login because the real user is the only one that has the private key required for WebAuthn.
 
 * **Does this encode/decode the WebAuthn data automatically in the frontend?**
 
@@ -673,11 +711,15 @@ Yes, public keys are encrypted when saved into the database.
 
 * **Does this include WebAuthn credential recovery routes?**
 
-No. You're free to create your own flow for recovery. 
+No. You're free to create your own flow for recovery.
+
+My recommendation is to send an email to the user, pointing to a route that registers a new device, and immediately redirect him to blacklist which credential was lost (or blacklist the only one he has).
 
 * **Can I use my smartphone as authenticator through my PC or Mac?**
 
-It depends. This is entirely up to hardware, OS and browser vendor themselves.
+It depends. 
+
+This is entirely up to hardware, OS and browser vendor themselves, but mostly the OS. Some OS or browsers may offer a way to sync private keys on the cloud, even letting the assertion challenge to be signed remotely instead of transmitting the private key. Please check your target platforms of choice.
 
 * **Why my device doesn't show Windows Hello/Passkey/TouchId/FaceId/pattern/fingerprint authentication?**
 
@@ -687,15 +729,17 @@ You may [check this site for authenticator support](https://webauthn.me/browser-
 
 * **Why my device doesn't work at all with this package?**
 
-This package supports WebAuthn 2.0, which is [W3C Recommendation](https://www.w3.org/TR/webauthn-2). Your device/OS/browser may be using an unsupported version. There are no plans to support older specs.
+This package supports WebAuthn 2.0, which is [W3C Recommendation](https://www.w3.org/TR/webauthn-2). Your device/OS/browser may be using an unsupported version. 
+
+There are no plans to support older WebAuthn specs. The new [WebAuthn 3.0 draft](https://www.w3.org/TR/webauthn-3) spec needs to be finished to be supported.
 
 * **I'm trying to test this in my development server, but it doesn't work**
 
-Use `localhost` exclusively, not `127.0.0.1`, or use a proxy to tunnel your site through HTTPS. WebAuthn only works on `localhost` or under `HTTPS` only.
+Use `localhost` exclusively (not `127.0.0.1` or `::1`) or use a proxy to tunnel your site through HTTPS. WebAuthn only works on `localhost` or under `HTTPS` only.
 
 * **Why this package supports only `none` attestation conveyance?**
 
-Because `direct`, `indirect` and `enterprise` attestations are mostly used on high-security high-risk scenarios, where an entity has total control on the devices used to authenticate.
+Because `direct`, `indirect` and `enterprise` attestations are mostly used on high-security high-risk scenarios, where an entity has total control on the devices used to authenticate. Imagine banks, medical, or military.
 
 If you deem this feature critical for you, [**consider supporting this package**](#keep-this-package-free).
 
@@ -705,7 +749,7 @@ No. The user can use whatever to authenticate in your app. This may be enabled o
 
 * **Everytime I make attestations or assertions, it says no challenge exists!** 
 
-Remember that your WebAuthn routes must use Sessions, because the Challenges are saved there.
+Remember that your WebAuthn routes **must use Sessions**, because the Challenges are stored there.
 
 More information can be retrieved in your [application logs](https://laravel.com/docs/9.x/logging).
 
@@ -724,11 +768,11 @@ These are some details about this WebAuthn implementation:
 
 * Registration (attestation) and Login (assertion) challenges use the current request session.
 * Only one ceremony can be done at a time. 
-* Challenges are pulled from the session on resolution, independently of their result.
+* Challenges are pulled (retrieved and deleted from source) from the session on resolution, independently of their result.
 * All challenges and ceremonies expire at 60 seconds.
 * WebAuthn User Handle is UUID v4, reusable if another credential exists.
 * Credentials can be blacklisted (enabled/disabled).
-* Public Keys are encrypted in the database automatically.
+* Public Keys are encrypted by with application key in the database automatically.
 
 If you discover any security related issues, please email darkghosthunter@gmail.com instead of using the issue tracker.
 

composer.json

@@ -1,6 +1,6 @@
 {
-    "name": "laragear/webauthn",
-    "description": "Authenticate your users with biometric data, devices or USB keys.",
+    "name": "kletellier/webauthn",
+    "description": "Authenticate users with Passkeys: fingerprints, patterns and biometric data.",
     "type": "library",
     "license": "MIT",
     "minimum-stability": "stable",
@@ -24,30 +24,33 @@
             "name": "Italo Israel Baeza Cabrera",
             "email": "DarkGhostHunter@Gmail.com",
             "role": "Developer",
-            "homepage": "https://patreon.com/packagesforlaravel"
+            "homepage": "https://github.com/sponsors/DarkGhostHunter"
+        },
+        {
+            "name": "Gregory Letellier",
+            "email": "register@gletellier.com",
+            "role": "Developer"
         }
     ],
     "support": {
-        "source": "https://github.com/Laragear/TwoFactor",
-        "issues": "https://github.com/Laragear/TwoFactor/issues"
+        "source": "https://github.com/Laragear/WebAuthn",
+        "issues": "https://github.com/Laragear/WebAuthn/issues"
     },
     "require": {
-        "php": ">=8.0.2",
+        "php": "8.*",
         "ext-openssl": "*",
         "ext-json": "*",
-        "illuminate/auth": "9.*",
-        "illuminate/http": "9.*",
-        "illuminate/session": "9.*",
-        "illuminate/support": "9.*",
-        "illuminate/config": "9.*",
-        "illuminate/database": "9.*",
-        "illuminate/encryption": "9.*"
+        "illuminate/auth": "9.*|10.*",
+        "illuminate/http": "9.*|10.*",
+        "illuminate/session": "9.*|10.*",
+        "illuminate/support": "9.*|10.*",
+        "illuminate/config": "9.*|10.*",
+        "illuminate/database": "9.*|10.*",
+        "illuminate/encryption": "9.*|10.*"
     },
     "require-dev": {
-        "orchestra/testbench": "7.*",
-        "phpunit/phpunit": "^9.5",
-        "mockery/mockery": "^1.5",
-        "jetbrains/phpstorm-attributes": "^1.0"
+        "orchestra/testbench": "^7.22|8.*",
+        "jetbrains/phpstorm-attributes": "*"
     },
     "autoload": {
         "psr-4": {
@@ -76,16 +79,8 @@
     },
     "funding": [
         {
-            "type": "Patreon",
-            "url": "https://patreon.com/PackagesForLaravel"
-        },
-        {
-            "type": "Ko-Fi",
-            "url": "https://ko-fi.com/DarkGhostHunter"
-        },
-        {
-            "type": "Buy me a cofee",
-            "url": "https://www.buymeacoffee.com/darkghosthunter"
+            "type": "Github Sponsorship",
+            "url": "https://github.com/sponsors/DarkGhostHunter"
         },
         {
             "type": "Paypal",

config/webauthn.php

@@ -4,11 +4,11 @@ return [
 
     /*
     |--------------------------------------------------------------------------
-    | Relaying Party
+    | Relying Party
     |--------------------------------------------------------------------------
     |
     | We will use your application information to inform the device who is the
-    | relaying party. While only the name is enough, you can further set the
+    | relying party. While only the name is enough, you can further set the
     | a custom domain as ID and even an icon image data encoded as BASE64.
     |
     */

database/migrations/2022_07_01_000000_create_webauthn_credentials.php

@@ -43,7 +43,7 @@ return new class extends Migration {
      */
     protected static function defaultBlueprint(Blueprint $table): void
     {
-        $table->string('id')->primary();
+        $table->string('id', 510)->primary();
 
         $table->morphs('authenticatable', 'webauthn_user_index');
 

phpunit.xml

@@ -1,30 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="vendor/autoload.php" backupGlobals="false"
-         backupStaticAttributes="false" colors="true" verbose="true" convertErrorsToExceptions="true"
-         convertNoticesToExceptions="true" convertWarningsToExceptions="true" processIsolation="false"
-         stopOnFailure="false" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.5/phpunit.xsd">
-    <coverage>
-        <include>
-            <directory suffix=".php">src/</directory>
-        </include>
-        <report>
-            <clover outputFile="build/logs/clover.xml"/>
-        </report>
-    </coverage>
-    <testsuites>
-        <testsuite name="Test Suite">
-            <directory>tests</directory>
-            <file>stubs/controllers/WebAuthnLoginController.php</file>
-            <file>stubs/controllers/WebAuthnRegisterController.php</file>
-        </testsuite>
-    </testsuites>
-    <logging>
-        <junit outputFile="build/report.junit.xml"/>
-    </logging>
-    <php>
-        <env name="APP_ENV" value="testing"/>
-        <env name="APP_DEBUG" value="true"/>
-        <env name="APP_KEY" value="AckfSECXIvnK5r28GVIWUAxmbBSjTsmF"/>
-        <env name="DB_CONNECTION" value="testing"/>
-    </php>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="vendor/autoload.php" colors="true" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.0/phpunit.xsd" cacheDirectory=".phpunit.cache">
+  <coverage>
+    <include>
+      <directory suffix=".php">src/</directory>
+      <directory suffix=".php">stubs/controllers</directory>
+    </include>
+    <report>
+      <clover outputFile="build/logs/clover.xml"/>
+    </report>
+  </coverage>
+  <testsuites>
+    <testsuite name="Test Suite">
+      <directory>tests</directory>
+    </testsuite>
+  </testsuites>
+  <php>
+    <includePath>stubs/controllers</includePath>
+    <env name="APP_ENV" value="testing"/>
+    <env name="APP_DEBUG" value="true"/>
+    <env name="APP_KEY" value="AckfSECXIvnK5r28GVIWUAxmbBSjTsmF"/>
+    <env name="DB_CONNECTION" value="testing"/>
+  </php>
 </phpunit>

resources/js/webauthn.js

@@ -156,7 +156,9 @@ class WebAuthn {
      * @returns {Promise<Response>}
      */
     #fetch(data, route, headers = {}) {
-        return fetch(route, {
+        const url = new URL(route, window.location.origin).href;
+        
+        return fetch(url, {
             method: "POST",
             credentials: this.#includeCredentials ? "include" : "same-origin",
             redirect: "error",
@@ -313,6 +315,7 @@ class WebAuthn {
         const publicKeyCredential = this.#parseOutgoingCredentials(credentials);
 
         Object.assign(publicKeyCredential, response);
+        Object.assign(publicKeyCredential, request);
 
         return await this.#fetch(publicKeyCredential, this.#routes.register).then(WebAuthn.#handleResponse);
     }

routes/webauthn.php

@@ -4,14 +4,17 @@ use App\Http\Controllers\WebAuthn\WebAuthnLoginController;
 use App\Http\Controllers\WebAuthn\WebAuthnRegisterController;
 use Illuminate\Support\Facades\Route;
 
-Route::middleware('web')->group(static function (): void {
-    Route::post('webauthn/register/options', [WebAuthnRegisterController::class, 'options'])
-        ->name('webauthn.register.options');
-    Route::post('webauthn/register', [WebAuthnRegisterController::class, 'register'])
-        ->name('webauthn.register');
+Route::middleware('web')
+    ->group(static function (): void {
+        Route::controller(WebAuthnRegisterController::class)
+            ->group(static function (): void {
+                Route::post('webauthn/register/options', 'options')->name('webauthn.register.options');
+                Route::post('webauthn/register', 'register')->name('webauthn.register');
+            });
 
-    Route::post('webauthn/login/options', [WebAuthnLoginController::class, 'options'])
-        ->name('webauthn.login.options');
-    Route::post('webauthn/login', [WebAuthnLoginController::class, 'login'])
-        ->name('webauthn.login');
-});
+        Route::controller(WebAuthnLoginController::class)
+            ->group(static function (): void {
+                Route::post('webauthn/login/options', 'options')->name('webauthn.login.options');
+                Route::post('webauthn/login', 'login')->name('webauthn.login');
+            });
+    });

src/Attestation/Validator/Pipes/CheckRelyingPartyHashSame.php

@@ -35,6 +35,6 @@ class CheckRelyingPartyHashSame extends BaseCheckRelyingPartyHashSame
      */
     protected function relyingPartyId(AssertionValidation|AttestationValidation $validation): string
     {
-        return $this->config->get('webauthn.relaying_party.id') ?? $this->config->get('app.url');
+        return $this->config->get('webauthn.relying_party.id') ?? $this->config->get('app.url');
     }
 }

src/Attestation/Validator/Pipes/MakeWebAuthnCredential.php

@@ -41,7 +41,7 @@ class MakeWebAuthnCredential
             'alias' => $validation->request->json('response.alias'),
 
             'counter' => $validation->attestationObject->authenticatorData->counter,
-            'rp_id' => $this->config->get('webauthn.relaying_party.id') ?? $this->config->get('app.url'),
+            'rp_id' => $this->config->get('webauthn.relying_party.id') ?? $this->config->get('app.url'),
             'origin' => $validation->clientDataJson->origin,
             'transports' => $validation->request->json('response.transports'),
             'aaguid' => Uuid::fromBytes($validation->attestationObject->authenticatorData->attestedCredentialData->aaguid),

src/Models/WebAuthnCredential.php

@@ -95,7 +95,7 @@ class WebAuthnCredential extends Model
      *
      * @var array<int, string>
      */
-    protected $visible = ['id', 'origin', 'alias', 'aaguid', 'attestation_format', 'disabled_at', 'is_enabled'];
+    protected $visible = ['id', 'origin', 'alias', 'aaguid', 'attestation_format', 'disabled_at'];
 
     /**
      * @phpstan-ignore-next-line

src/SharedPipes/CheckRelyingPartyHashSame.php

@@ -39,11 +39,11 @@ abstract class CheckRelyingPartyHashSame
     public function handle(AttestationValidation|AssertionValidation $validation, Closure $next): mixed
     {
         // This way we can get the app RP ID on attestation, and the Credential RP ID
-        // on assertion. The credential will have the same Relaying Party ID on both
+        // on assertion. The credential will have the same Relying Party ID on both
         // the authenticator and the application so on assertion both should match.
-        $relayingParty = parse_url($this->relyingPartyId($validation), PHP_URL_HOST);
+        $relyingParty = parse_url($this->relyingPartyId($validation), PHP_URL_HOST);
 
-        if ($this->authenticatorData($validation)->hasNotSameRPIdHash($relayingParty)) {
+        if ($this->authenticatorData($validation)->hasNotSameRPIdHash($relyingParty)) {
             static::throw($validation, 'Response has different Relying Party ID hash.');
         }
 

src/SharedPipes/CheckRelyingPartyIdContained.php

@@ -40,11 +40,11 @@ abstract class CheckRelyingPartyIdContained
     public function handle(AttestationValidation|AssertionValidation $validation, Closure $next): mixed
     {
         if (!$host = parse_url($validation->clientDataJson->origin, PHP_URL_HOST)) {
-            static::throw($validation, 'Relaying Party ID is invalid.');
+            static::throw($validation, 'Relying Party ID is invalid.');
         }
 
         $current = parse_url(
-            $this->config->get('webauthn.relaying_party.id') ?? $this->config->get('app.url'), PHP_URL_HOST
+            $this->config->get('webauthn.relying_party.id') ?? $this->config->get('app.url'), PHP_URL_HOST
         );
 
         // Check the host is the same or is a subdomain of the current config domain.
@@ -52,6 +52,6 @@ abstract class CheckRelyingPartyIdContained
             return $next($validation);
         }
 
-        static::throw($validation, 'Relaying Party ID not scoped to current.');
+        static::throw($validation, 'Relying Party ID not scoped to current.');
     }
 }

src/WebAuthn.php

@@ -4,9 +4,6 @@ namespace Laragear\WebAuthn;
 
 use Illuminate\Support\Facades\Route;
 
-/**
- * @internal
- */
 class WebAuthn
 {
     // Constants for user verification in Attestation and Assertion.
@@ -31,20 +28,19 @@ class WebAuthn
      */
     public static function routes(): void
     {
-        Route::middleware('web')->group(static function (): void {
-            Route::post('webauthn/register/options')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnRegisterController::class, 'options'])
-                ->name('webauthn.register.options');
-            Route::post('webauthn/register')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnRegisterController::class, 'register'])
-                ->name('webauthn.register');
+        Route::middleware('web')
+            ->group(static function (): void {
+                Route::controller(\App\Http\Controllers\WebAuthn\WebAuthnRegisterController::class)
+                    ->group(static function (): void {
+                        Route::post('webauthn/register/options', 'options')->name('webauthn.register.options');
+                        Route::post('webauthn/register', 'register')->name('webauthn.register');
+                    });
 
-            Route::post('webauthn/login/options')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnLoginController::class, 'options'])
-                ->name('webauthn.login.options');
-            Route::post('webauthn/login')
-                ->uses([\App\Http\Controllers\WebAuthn\WebAuthnLoginController::class, 'login'])
-                ->name('webauthn.login');
+                Route::controller(\App\Http\Controllers\WebAuthn\WebAuthnLoginController::class)
+                    ->group(static function (): void {
+                        Route::post('webauthn/login/options', 'options')->name('webauthn.login.options');
+                        Route::post('webauthn/login', 'login')->name('webauthn.login');
+                    });
         });
     }
 }

src/WebAuthnAuthentication.php

@@ -4,9 +4,9 @@ namespace Laragear\WebAuthn;
 
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Relations\MorphMany;
+use Illuminate\Support\Facades\Date;
 use JetBrains\PhpStorm\ArrayShape;
 use Laragear\WebAuthn\Models\WebAuthnCredential;
-use function in_array;
 
 /**
  * @property-read \Illuminate\Database\Eloquent\Collection<int, \Laragear\WebAuthn\Models\WebAuthnCredential> $webAuthnCredentials
@@ -38,20 +38,17 @@ trait WebAuthnAuthentication
      */
     public function flushCredentials(string ...$except): void
     {
-        if ($this->relationLoaded('webAuthnCredentials') && $this->webAuthnCredentials instanceof Collection) {
-            $partitioned = $this->webAuthnCredentials
-                ->partition(static function (WebAuthnCredential $credential) use ($except): bool {
-                    return in_array($credential->getKey(), $except, true);
-                });
-
-            $partitioned->first()->each->delete();
-
-            $this->setRelation('webAuthnCredentials', $partitioned->last());
+        if (! $this->relationLoaded('webAuthnCredentials')) {
+            $this->webAuthnCredentials()->whereKeyNot($except)->delete();
 
             return;
         }
 
-        $this->webAuthnCredentials()->whereKeyNot($except)->delete();
+        if ($this->webAuthnCredentials instanceof Collection && $this->webAuthnCredentials->isNotEmpty()) {
+            $this->webAuthnCredentials->whereNotIn('id', $except)->each->delete();
+
+            $this->setRelation('webAuthnCredentials', $this->webAuthnCredentials->whereIn('id', $except));
+        }
     }
 
     /**
@@ -64,13 +61,14 @@ trait WebAuthnAuthentication
     {
         if ($this->relationLoaded('webAuthnCredentials') && $this->webAuthnCredentials instanceof Collection) {
             $this->webAuthnCredentials
-                ->each(static function (WebAuthnCredential $credential) use ($except): bool {
-                    if ($credential->isEnabled() && in_array($credential->getKey(), $except, true)) {
+                ->when($except)->whereNotIn('id', $except)
+                ->each(static function (WebAuthnCredential $credential): void {
+                    if ($credential->isEnabled()) {
                         $credential->disable();
                     }
                 });
         } else {
-            $this->webAuthnCredentials()->whereKeyNot($except)->update(['is_enabled' => false]);
+            $this->webAuthnCredentials()->whereKeyNot($except)->whereEnabled()->update(['disabled_at' => Date::now()]);
         }
     }
 

src/WebAuthnServiceProvider.php

@@ -45,6 +45,7 @@ class WebAuthnServiceProvider extends ServiceProvider
         if ($this->app->runningInConsole()) {
             $this->publishesMigrations(static::MIGRATIONS);
             $this->publishes([static::ROUTES => $this->app->basePath('routes/webauthn.php')], 'routes');
+            $this->publishes([static::CONFIG => $this->app->configPath('webauthn.php')], 'config');
             // @phpstan-ignore-next-line
             $this->publishes([static::CONTROLLERS => $this->app->path('Http/Controllers/WebAuthn')], 'controllers');
             $this->publishes([static::JS => $this->app->resourcePath('js/vendor/webauthn')], 'js');

tests/Assertion/ValidationTest.php

@@ -457,7 +457,7 @@ class ValidationTest extends TestCase
         $this->request->setJson(new ParameterBag($invalid));
 
         $this->expectException(AssertionException::class);
-        $this->expectExceptionMessage('Assertion Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Assertion Error: Relying Party ID not scoped to current.');
 
         $this->validate();
     }
@@ -477,7 +477,7 @@ class ValidationTest extends TestCase
         $this->request->setJson(new ParameterBag($invalid));
 
         $this->expectException(AssertionException::class);
-        $this->expectExceptionMessage('Assertion Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Assertion Error: Relying Party ID not scoped to current.');
 
         $this->validate();
     }

tests/Attestation/CreatorTest.php

@@ -80,7 +80,7 @@ class CreatorTest extends TestCase
             ]);
     }
 
-    public function test_uses_relaying_party_config(): void
+    public function test_uses_relying_party_config(): void
     {
         config(['webauthn.relying_party' => [
             'id' => 'https://foo.bar',

tests/Attestation/ValidationTest.php

@@ -504,7 +504,7 @@ class ValidationTest extends TestCase
     public function test_rp_id_fails_if_not_equal(): void
     {
         $this->expectException(AttestationException::class);
-        $this->expectExceptionMessage('Attestation Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Attestation Error: Relying Party ID not scoped to current.');
 
         $invalid = FakeAuthenticator::attestationResponse();
 
@@ -524,7 +524,7 @@ class ValidationTest extends TestCase
     public function test_rp_id_fails_if_not_contained(): void
     {
         $this->expectException(AttestationException::class);
-        $this->expectExceptionMessage('Attestation Error: Relaying Party ID not scoped to current.');
+        $this->expectExceptionMessage('Attestation Error: Relying Party ID not scoped to current.');
 
         $invalid = FakeAuthenticator::attestationResponse();
 
@@ -546,7 +546,7 @@ class ValidationTest extends TestCase
         $this->app->when(CheckRelyingPartyHashSame::class)
             ->needs(ConfigContract::class)
             ->give(static function (): Repository {
-                return tap(new Repository())->set('webauthn.relaying_party.id', 'https://otherhost.com');
+                return tap(new Repository())->set('webauthn.relying_party.id', 'https://otherhost.com');
             });
 
         $this->expectException(AttestationException::class);

tests/FakeAuthenticator.php

@@ -6,8 +6,8 @@ use JetBrains\PhpStorm\ArrayShape;
 
 class FakeAuthenticator
 {
-    public const CREDENTIAL_ID = '-VOLFKPY-_FuMI_sJ7gMllK76L3VoRUINj6lL_Z3qDg';
-    public const CREDENTIAL_ID_RAW = '+VOLFKPY+/FuMI/sJ7gMllK76L3VoRUINj6lL/Z3qDg=';
+    public const CREDENTIAL_ID = 'owBYu_waGLhAOCg4EFzi6Lr55x51G2dR5yhJi8q2C3tgZQQL2aEi-nK3I54J6ILj70pJzR_6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd-ShQZ95eHoc8SA_-8vzCyfmy-wI_K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A';
+    public const CREDENTIAL_ID_RAW = 'owBYu/waGLhAOCg4EFzi6Lr55x51G2dR5yhJi8q2C3tgZQQL2aEi+nK3I54J6ILj70pJzR/6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd+ShQZ95eHoc8SA/+8vzCyfmy+wI/K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A=';
 
     public const ATTESTATION_USER = [
         'id' => 'e8af6f703f8042aa91c30cf72289aa07',

tests/ServiceProviderTest.php

@@ -0,0 +1,71 @@
+<?php
+
+namespace Tests;
+
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\File;
+use Illuminate\Support\Fluent;
+use Illuminate\Support\ServiceProvider;
+use Laragear\WebAuthn\Contracts\WebAuthnAuthenticatable;
+use Laragear\WebAuthn\WebAuthnAuthentication;
+use Laragear\WebAuthn\WebAuthnServiceProvider;
+
+class ServiceProviderTest extends TestCase
+{
+    public function test_merges_config(): void
+    {
+        static::assertSame(
+            File::getRequire(WebAuthnServiceProvider::CONFIG),
+            $this->app->make('config')->get('webauthn')
+        );
+    }
+
+    public function test_publishes_config(): void
+    {
+        static::assertSame(
+            [WebAuthnServiceProvider::CONFIG => $this->app->configPath('webauthn.php')],
+            ServiceProvider::$publishGroups['config']
+        );
+    }
+
+    /**
+     * @define-env usesCustomTestTime
+     */
+    public function test_publishes_migrations(): void
+    {
+        static::assertSame(
+            [
+                realpath(WebAuthnServiceProvider::MIGRATIONS . '/2022_07_01_000000_create_webauthn_credentials.php') =>
+                    $this->app->databasePath("migrations/2020_01_01_163025_create_webauthn_credentials.php"),
+            ],
+            ServiceProvider::pathsToPublish(WebAuthnServiceProvider::class, 'migrations')
+        );
+    }
+
+    protected function usesCustomTestTime()
+    {
+        $this->travelTo(Carbon::create(2020, 01, 01, 16, 30, 25));
+    }
+
+    public function test_bounds_user(): void
+    {
+        static::assertNull($this->app->make(WebAuthnAuthenticatable::class));
+
+        $user = new class extends Fluent implements WebAuthnAuthenticatable {
+            use WebAuthnAuthentication;
+        };
+
+        $this->app->instance(Authenticatable::class, $user);
+
+        static::assertSame($user, $this->app->make(WebAuthnAuthenticatable::class));
+    }
+
+    public function test_publishes_routes_file(): void
+    {
+        static::assertSame(
+            [WebAuthnServiceProvider::ROUTES => $this->app->basePath('routes/webauthn.php')],
+            ServiceProvider::$publishGroups['routes']
+        );
+    }
+}

tests/WebAuthnAuthenticationTest.php

@@ -0,0 +1,260 @@
+<?php
+
+namespace Tests;
+
+use Illuminate\Support\Carbon;
+use Laragear\WebAuthn\Models\WebAuthnCredential;
+use Ramsey\Uuid\Uuid;
+use function now;
+
+class WebAuthnAuthenticationTest extends TestCase
+{
+    protected Stubs\WebAuthnAuthenticatableUser $user;
+
+    protected function afterRefreshingDatabase(): void
+    {
+        $this->user = Stubs\WebAuthnAuthenticatableUser::forceCreate([
+            'name' => FakeAuthenticator::ATTESTATION_USER['displayName'],
+            'email' => FakeAuthenticator::ATTESTATION_USER['name'],
+            'password' => 'test_password',
+        ]);
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id',
+            'user_id' => Uuid::NIL,
+            'counter' => 0,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+        ])->save();
+    }
+
+    public function test_shows_webauthn_data(): void
+    {
+        static::assertSame([
+            'name' => FakeAuthenticator::ATTESTATION_USER['name'],
+            'displayName' => FakeAuthenticator::ATTESTATION_USER['displayName'],
+        ], $this->user->webAuthnData());
+    }
+
+    public function test_flushes_all_credentials(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->flushCredentials();
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 0);
+    }
+
+    public function test_flushes_all_credentials_using_loaded_relation(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        static::assertCount(2, $this->user->webAuthnCredentials);
+
+        $this->user->flushCredentials();
+
+        static::assertEmpty($this->user->webAuthnCredentials);
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 0);
+    }
+
+    public function test_flushes_all_credentials_except_given_id(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->flushCredentials('test_id_2');
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 1);
+        $this->assertDatabaseMissing(WebAuthnCredential::class, [
+            'id' => 'test_id'
+        ]);
+    }
+
+    public function test_flushes_all_credentials_using_loaded_relation_except_given_id(): void
+    {
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        static::assertCount(2, $this->user->webAuthnCredentials);
+
+        $this->user->flushCredentials('test_id_2');
+
+        static::assertCount(1, $this->user->webAuthnCredentials);
+        static::assertTrue($this->user->webAuthnCredentials->contains('id', 'test_id_2'));
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 1);
+        $this->assertDatabaseMissing(WebAuthnCredential::class, [
+            'id' => 'test_id'
+        ]);
+    }
+
+    public function test_disables_all_credentials(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()->subMinute()
+        ])->save();
+
+        $this->user->disableAllCredentials();
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => now()->subMinute()->toDateTimeString(),
+        ]);
+    }
+
+    public function test_disables_all_credentials_with_loaded_relation(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+            'disabled_at' => now()->subMinute()
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        $this->user->disableAllCredentials();
+
+        static::assertTrue($this->user->webAuthnCredentials->firstWhere('id', 'test_id')->isDisabled());
+        static::assertTrue($this->user->webAuthnCredentials->firstWhere('id', 'test_id_2')->isDisabled());
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => now()->subMinute()->toDateTimeString(),
+        ]);
+    }
+
+    public function test_disables_all_credentials_except_one(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+        ])->save();
+
+        $this->user->disableAllCredentials('test_id');
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => null,
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+    }
+
+    public function test_disables_all_credentials_with_loaded_relation_except_one(): void
+    {
+        $this->travelTo(Carbon::now()->startOfSecond());
+
+        $this->user->webAuthnCredentials()->make()->forceFill([
+            'id' => 'test_id_2',
+            'user_id' => Uuid::NIL,
+            'counter' => 10,
+            'rp_id' => 'http://localhost',
+            'origin' => 'http://localhost:8000',
+            'aaguid' => Uuid::NIL,
+            'public_key' => 'test_key',
+            'attestation_format' => 'none',
+        ])->save();
+
+        $this->user->load('webAuthnCredentials');
+
+        $this->user->disableAllCredentials('test_id_2');
+
+        static::assertTrue($this->user->webAuthnCredentials->firstWhere('id', 'test_id')->isDisabled());
+        static::assertFalse($this->user->webAuthnCredentials->firstWhere('id', 'test_id_2')->isDisabled());
+
+        $this->assertDatabaseCount(WebAuthnCredential::class, 2);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id',
+            'disabled_at' => now()->toDateTimeString(),
+        ]);
+        $this->assertDatabaseHas(WebAuthnCredential::class, [
+            'id' => 'test_id_2',
+            'disabled_at' => null,
+        ]);
+    }
+}