Skip to content

Commit

Permalink
Update CHANGELOG for v2.0.0
Browse files Browse the repository at this point in the history
  • Loading branch information
MasterKale committed Jan 11, 2024
1 parent ea38d30 commit c1b6c09
Showing 1 changed file with 139 additions and 0 deletions.
139 changes: 139 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,144 @@
# Changelog

## v2.0.0

**Changes:**

- See **Breaking Changes** below

**Breaking Changes:**

- [Pydantic](https://docs.pydantic.dev/latest/) is no longer used by py_webauthn. If your project
calls any Pydantic-specific methods on classes provided by py_webauthn then you will need to
refactor those calls accordingly. Typical use of py_webauthn should not need any major refactor
related to this change, but please see **Breaking Changes** below ([#195](https://github.com/duo-labs/py_webauthn/pull/195))
- `webauthn.helpers.generate_challenge()` now always generates 64 random bytes and no longer accepts any arguments. Refactor your existing calls to remove any arguments ([#198](https://github.com/duo-labs/py_webauthn/pull/198))
- `webauthn.helpers.exceptions.InvalidClientDataJSONStructure` has been replaced by `webauthn.helpers.exceptions.InvalidJSONStructure` ([#195](https://github.com/duo-labs/py_webauthn/pull/195))
- `webauthn.helpers.json_loads_base64url_to_bytes()` has been removed ([#195](https://github.com/duo-labs/py_webauthn/pull/195))
- The `user_id` argument passed into `generate_registration_options()` is now `Optional[bytes]`
instead of a required `str` value. A random sequence of 64 bytes will be generated for `user_id`
if it is `None` ([#197](https://github.com/duo-labs/py_webauthn/pull/197))
- There are a few options available to refactor existing calls:

### Option 1: Use the `base64url_to_bytes()` helper

If you already store your WebAuthn user ID bytes as base64url-encoded strings then you can simply decode these strings to bytes using an included helper:

**Before:**
```py
options = generate_registration_options(
# ...
user_id: "3ZPk1HGhX_cul7z5UydfZE_vgnUYkOVshDNcvI1ILyQ",
)
```

**After:**

```py
from webauthn.helpers import bytes_to_base64url

options = generate_registration_options(
# ...
user_id: bytes_to_base64url("3ZPk1HGhX_cul7z5UydfZE_vgnUYkOVshDNcvI1ILyQ"),
)
```

### Option 2: Generate unique WebAuthn-specific identifiers for existing and new users

WebAuthn **strongly** encourages Relying Parties to use 64 randomized bytes for **every** user ID you pass into `navigator.credentials.create()`. This would be a second identifier used exclusively for WebAuthn that you associate along with your typical internal user ID.

py_webauthn includes a `generate_user_handle()` helper that can simplify the task of creating this special user identifier for your existing users in one go:

```py
from webauthn.helpers import generate_user_handle

# Pseudocode (imagine this is in some kind of migration script)
for user in get_all_users_in_db():
add_webauthn_user_id_to_db_for_user(
current_user=user.id,
webauthn_user_id=generate_user_handle(), # Generates 64 random bytes
)
```

You can also use this method when creating new users to ensure that all subsequent users have a WebAuthn-specific identifier as well:

```py
from webauthn.helpers import generate_user_handle

# ...existing user onboarding logic...

# Pseudocode
create_new_user_in_db(
# ...
webauthn_user_id=generate_user_handle(),
)
```

Once your users are assigned their second WebAuthn-specific ID you can then pass those bytes into `generate_registration_options()` on subsequent calls:

```py
# Pseudocode
webauthn_user_id: bytes = get_webauthn_user_id_bytes_from_db(current_user.id)

options = generate_registration_options(
# ...
user_id=webauthn_user_id,
)
```

### Option 3: Let `generate_registration_options()` generate a user ID for you

When the `user_id` argument is omitted then a random 64-byte identifier will be generated for you:

**Before:**
```py
options = generate_registration_options(
# ...
user_id: "USERIDGOESHERE",
)
```

**After:**
```py
# Pseudocode
webauthn_user_id: bytes | None = get_webauthn_user_id_bytes_from_db(
current_user=current_user.id,
)

options = generate_registration_options(
# ...
user_id=webauthn_user_id,
)

if webauthn_user_id is None:
# Pseudocode
store_webauthn_user_id_bytes_in_your_db(
current_user=current_user.id,
webauthn_user_id=options.user.id, # Randomly generated 64-bytes
)
```

### Option 4: Encode existing `str` argument to UTF-8 bytes

This technique is a quick win, but can be prone to base64url-related encoding and decoding quirks between browsers. **It is recommended you quickly follow this up with Option 2 or Option 3 above:**

**Before:**
```py
options = generate_registration_options(
# ...
user_id: "USERIDGOESHERE",
)
```

**After:**

```py
options = generate_registration_options(
# ...
user_id: "USERIDGOESHERE".encode('utf-8'),
)
```

## v1.11.1

**Changes:**
Expand Down

0 comments on commit c1b6c09

Please sign in to comment.