passkey auto-upgrade need to skip user presence & verification check

[nov]

new iOS / macOS now support passkey auto upgrade.
it doesn't support neither UV nor UP, and both flags are false by default.

to accept such attestations, those changes are needed.

[nov]

is this repository still active?

[santiagorodriguez96]

Hey @nov! Thank you for taking the time to add this!

I'm wondering if this means we can deprecate the config silent_authentication – which was initially added to pass conformance tests – as it feels to me that it will be easier to understand the purpose of this new user_presence param. That would probably mean that we should support this param for the assertion response tho.

Other than that, I think we should also add some tests as part of this PR.

[nov]

In my app, I want to require UV & UP on normal registration, but want to skip them only on the auto upgrade flow.
So, I'm not sure whether RP-wide config is not needed anymore or not.

Plus, I don't know any authenticators which won't require UV nor UP on authentication.
iOS / iPadOS / macOS's passkey auto upgrade implementation is only the case which omit UV & UP right now.

[nov]

and added specs.

[santiagorodriguez96]

Thanks for the specs!

Just one more thing: I realized that we should also add this into the newer relying party API (with the respective specs):

https://github.com/cedarcode/webauthn-ruby/blob/b90c6fd/lib/webauthn/relying_party.rb#L84-L90

Sorry for not catching that before 😅

[nov]

I'm not familiar with the newer API, but is this something you're expecting?
8641f07

[santiagorodriguez96]

That looks good @nov! Thank you so much! 💯

[nov]

Thanks for your review :-)
Do you have any eta when to be released?

[santiagorodriguez96]

No problem!

Before releasing I would like to give a take a last tweak at how this new param and the existent silent_authentication configuration work together 🙂

I'm planning on tackling this on Friday. After that I will release a new version!