AshAuthentication.Phoenix.Plug.RequireWebAuthn (ash_authentication_phoenix v3.0.0-rc.6)

A plug that enforces WebAuthn second-factor verification for routes.

Behaviour

When called on a request whose current-user assign (see :current_user_assign) is set:

  • If the user has no registered passkeys, fires the on_unconfigured action (default :redirect_to_setup).
  • If the user has passkeys but the current request lacks :webauthn_verified_at metadata, or that timestamp is older than :max_age, fires the on_unverified action (default :redirect_to_verify).
  • Otherwise, passes through.

When the request has no current user, the plug passes through: it enforces the second factor only for users that are already loaded and does not enforce authentication itself. Place it after the plug or pipeline that loads the user (for example a :require_authenticated pipeline), otherwise an anonymous request reaches the protected route untouched.

Usage

pipeline :require_webauthn do
  plug AshAuthentication.Phoenix.Plug.RequireWebAuthn,
    resource: MyApp.Accounts.User
end

scope "/secure", MyAppWeb do
  # Order matters: :require_authenticated must load the user before
  # :require_webauthn runs, since the plug passes through when no user is assigned.
  pipe_through [:browser, :require_authenticated, :require_webauthn]
  # ...
end

Options

  • :resource — required. The user resource module.

  • :strategy — the WebAuthn strategy name. Defaults to the first WebAuthn strategy on the resource.

  • :on_unconfigured — what to do when the user has no passkeys:

    • :halt — halt the connection with a 403 response (appropriate for JSON/API routes, where a redirect is not useful to the client).
    • :redirect_to_setup (default) — redirect to :setup_path.
    • {:redirect, path} — redirect to path.
  • :on_unverified — what to do when the user has passkeys but the request is not verified:

    • :halt — halt the connection with a 403 response.
    • :redirect_to_verify (default) — redirect to :verify_path.
    • {:redirect, path} — redirect to path.
  • :setup_path — defaults to "/webauthn-setup".

  • :verify_path — defaults to "/webauthn-verify".

  • :max_age — maximum age (seconds) of :webauthn_verified_at before re-verification is required. nil (default) means no expiry: once a request carries :webauthn_verified_at it stays verified for as long as that metadata persists, so set :max_age on routes that need a fresh step-up (for example a few minutes for account or payment changes).

  • :current_user_assign — defaults to :current_user.

  • :setup_error_message — flash text when redirecting to setup.

  • :verify_error_message — flash text when redirecting to verify.
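The following is an added, stand-alone illustration of the decision rules in the Behaviour section and the options above; it is not the library's code. Instead of looking passkeys up through an Ash strategy it takes a caller-supplied :has_passkeys? function, and it assumes (as an illustration only) that the verification timestamp lives in the session under "webauthn_verified_at" as a DateTime. The :now option is injected so the :max_age expiry can be tested deterministically, and a timestamp in the future is treated as not verified rather than as fresh. The ExUnit cases at the bottom exercise all three outcomes plus the :halt (403) variant.

```elixir
# Run with: elixir require_webauthn_example.exs
Mix.install([{:plug, "~> 1.15"}])
ExUnit.start()

defmodule RequireWebAuthnExample do
  # Illustrative plug, not AshAuthentication.Phoenix.Plug.RequireWebAuthn itself.
  # Assumptions: the timestamp is read from session key "webauthn_verified_at"
  # and passkey presence comes from the :has_passkeys? function in opts.
  @behaviour Plug
  import Plug.Conn

  @session_key "webauthn_verified_at"

  @impl true
  def init(opts) do
    Keyword.merge(
      [
        current_user_assign: :current_user,
        on_unconfigured: :redirect_to_setup,
        on_unverified: :redirect_to_verify,
        setup_path: "/webauthn-setup",
        verify_path: "/webauthn-verify",
        max_age: nil,
        now: &DateTime.utc_now/0
      ],
      opts
    )
  end

  @impl true
  def call(conn, opts) do
    case conn.assigns[opts[:current_user_assign]] do
      # No user loaded: pass through. An authentication plug must run first.
      nil ->
        conn

      user ->
        cond do
          not opts[:has_passkeys?].(user) ->
            act(conn, opts[:on_unconfigured], opts[:setup_path])

          not verified?(conn, opts[:max_age], opts[:now].()) ->
            act(conn, opts[:on_unverified], opts[:verify_path])

          true ->
            conn
        end
    end
  end

  # Missing timestamp: not verified. max_age nil: any timestamp counts.
  # Otherwise require 0 <= now - verified_at <= max_age.
  def verified?(conn, max_age, now) do
    case get_session(conn, @session_key) do
      %DateTime{} = at -> fresh?(at, max_age, now)
      _ -> false
    end
  end

  def fresh?(_at, nil, _now), do: true
  def fresh?(at, max_age, now), do: DateTime.diff(now, at, :second) in 0..max_age

  defp act(conn, :halt, _path), do: conn |> send_resp(403, "Forbidden") |> halt()
  defp act(conn, {:redirect, path}, _default), do: redirect_to(conn, path)
  defp act(conn, _redirect_atom, path), do: redirect_to(conn, path)

  defp redirect_to(conn, path) do
    conn |> put_resp_header("location", path) |> send_resp(302, "") |> halt()
  end
end

defmodule RequireWebAuthnExampleTest do
  use ExUnit.Case, async: true
  import Plug.Test

  @now ~U[2024-01-01 12:00:00Z]

  # max_age of 300 s; :now is pinned so the expiry boundary is exact.
  defp opts do
    RequireWebAuthnExample.init(
      has_passkeys?: fn user -> user.passkeys != [] end,
      max_age: 300,
      now: fn -> @now end
    )
  end

  defp request(user, verified_at, extra \\ []) do
    :get
    |> conn("/secure")
    |> init_test_session(%{"webauthn_verified_at" => verified_at})
    |> Plug.Conn.assign(:current_user, user)
    |> RequireWebAuthnExample.call(Keyword.merge(opts(), extra))
  end

  test "no passkeys: redirected to setup" do
    conn = request(%{passkeys: []}, nil)
    assert conn.halted and conn.status == 302
    assert Plug.Conn.get_resp_header(conn, "location") == ["/webauthn-setup"]
  end

  test "verification older than max_age is sent to verify" do
    conn = request(%{passkeys: [:pk]}, DateTime.add(@now, -301, :second))
    assert Plug.Conn.get_resp_header(conn, "location") == ["/webauthn-verify"]
  end

  test "fresh verification passes through" do
    refute request(%{passkeys: [:pk]}, DateTime.add(@now, -299, :second)).halted
  end

  test ":halt returns 403 instead of redirecting" do
    assert request(%{passkeys: [:pk]}, nil, on_unverified: :halt).status == 403
  end
end
```

For API scopes, pair on_unverified: :halt with a client that knows how to start the verification ceremony itself; the redirect actions only make sense for browser pipelines that can follow a 302 to :verify_path.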