WebAuthn setup unauthorized

[YasuhiroYoshida]

I have a clean-slate Rails 8 application with rodauth-rails.
As an added security, I am adding Passkeys functionality.
It's great up until I click "Setup WebAuthn Authentication" which produces an 401 error.

Example:

Started POST "/webauthn-setup" for 172.18.0.1 at 2025-01-21 13:54:32 +0900
Processing by RodauthController#webauthn_setup as HTML
  Parameters: {"authenticity_token" => "[FILTERED]", "webauthn_setup_challenge" => "B2WFw9QS_N-Lg1VJRWfEi-rCWVBAoa_a94cwdFfWFgo", "webauthn_setup_challenge_hmac" => "e5K1QskYSCYqlg3pXiU895v7nBtW3RlVXbTk5Qbp458", "webauthn_setup" => "{\"type\":\"public-key\",\"id\":\"wspvixcK-gynD2bHwe9kRA\",\"rawId\":\"wspvixcK-gynD2bHwe9kRA\",\"response\":{\"attestationObject\":\"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NZAAAAAOqbjWZNAR0hPOS2tIy1ddQAEMLKb4sXCvoMpw9mx8HvZESlAQIDJiABIVggLw65K5adiARFSAItV8pfqvMV2uQZpzRUT-Pjm-gQyDIiWCBgKNEzrnezb-WLPCLEPJvXm1T8Np67V-VEYeSS4YzKHg\",\"clientDataJSON\":\"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiQjJXRnc5UVNfTi1MZzFWSlJXZkVpLXJDV1ZCQW9hX2E5NGN3ZEZmV0ZnbyIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIsImNyb3NzT3JpZ2luIjpmYWxzZX0\"}}"}
  Sequel (1.1ms)  SELECT CAST(current_setting('server_version_num') AS integer) AS v
  ↳ app/misc/rodauth_app.rb:32:in 'block in <class:RodauthApp>'
  Sequel (0.9ms)  SELECT * FROM "users" WHERE (("id" = 26) AND (("status" = 2) OR (("status" = 1) AND ("id" IN (SELECT "id" FROM "user_verification_keys" WHERE ((CAST("requested_at" AS timestamp) + make_interval(secs := 86400)) > CURRENT_TIMESTAMP)))))) LIMIT 1
  ↳ app/misc/rodauth_app.rb:32:in 'block in <class:RodauthApp>'
  Rendering layout layouts/application.html.erb
  Rendering rodauth/webauthn_setup.html.erb within layouts/application
  Sequel (0.5ms)  SELECT "webauthn_id" FROM "user_webauthn_user_ids" WHERE ("id" = 26) LIMIT 1
  ↳ app/views/rodauth/webauthn_setup.html.erb:2
  Sequel (0.5ms)  SELECT "webauthn_id" FROM "user_webauthn_keys" WHERE ("user_id" = 26)
  ↳ app/views/rodauth/webauthn_setup.html.erb:2
  Rendered rodauth/webauthn_setup.html.erb within layouts/application (Duration: 13.3ms | GC: 0.0ms)
  Rendered layouts/_favicon.html.erb (Duration: 1.0ms | GC: 0.0ms)
  Rendered layouts/_header.html.erb (Duration: 2.2ms | GC: 0.0ms)
  Rendered layouts/_flash.html.erb (Duration: 4.4ms | GC: 0.0ms)
  Rendered layouts/_footer.html.erb (Duration: 0.9ms | GC: 0.0ms)
  Rendered layout layouts/application.html.erb (Duration: 42.8ms | GC: 0.0ms)
Completed 401 Unauthorized in 546ms (Views: 49.6ms | ActiveRecord: 3.0ms (4 queries, 0 cached) | GC: 0.0ms)


Started GET "/webauthn-setup-js" for 172.18.0.1 at 2025-01-21 13:54:33 +0900
Processing by RodauthController#webauthn_setup_js as */*
Completed 200 OK in 269ms (ActiveRecord: 0.0ms (0 queries, 0 cached) | GC: 0.0ms)

app/misc/rodauth_app.rb:32 is where r.rodauth goes inside RodauthApp like this

class RodauthApp < Rodauth::Rails::App
  # primary configuration
  configure RodauthMain

  # secondary configuration
  # configure RodauthAdmin, :admin

  route do |r|
    rodauth.load_memory # autologin remembered users

    r.rodauth # route rodauth requests

I read Janko's articles and watched his videos many times. I don't think I have screwed up anything. It would be nice if I could get hints to solve this issue.

But I believe what I need the most is how to debug rodauth(-rails). The usual binding.pry or debugger won't work; it stops at the breakpoint, but it is unresponsive to my input. How does everyone debug for rodauth(-rails)?

[janko]

Is setting up passkeys working for you in the official Rails demo app? If yes, can you spot differences with your app? If not, could you share a fresh Rails app that reproduces the issue?

Rodauth shouldn't be returning 401s unless in JSON mode or maybe performing HTTP Basic Auth, so I'm surprised your getting one.

[YasuhiroYoshida]

Thank you for the suggestions.

My app returns a 401 error. But it seems to manage to set up passkeys as I see new records in the tables.

The official Rails demo app returns a 200 and seems to manage to set up passkeys as I see new records in the tables. But when I log out and try to log in, it won't let me with the passkeys.

Both apps won't say anything else. So much is hidden.

As for debugging I've been failing to find solutions that work. I really wish to know what's going on.

[YasuhiroYoshida]

There are so many differences between my app and the official Rails demo app. I probably won't be able to find the culprit 🤷‍♂️

[janko]

If you had a clean-slate Rails 8 app, theoretically if you create a new Rails app, install Rodauth, then enable the WebAuthn, you should be able to reproduce the issue, right? Are you able to go over the behavior that you changed from newly generated app and see if anything can cause the response?

I assumed passkey creation failed based on the SQL logs you provided, but you say it was successful. It doesn't appear Rodauth attempted to redirect to another endpoint after it created the passkeys, otherwise that would be visible in the logs.

[janko]

But when I log out and try to log in, it won't let me with the passkeys.

It doesn't find the passkeys stored in the database?

Both apps won't say anything else. So much is hidden.

As I said, I'm not convinced this this 401 response is coming from Rodauth, because it doesn't do that in HTML mode. I think it's coming from application code or some other gem.

[janko]

Just tried in a fresh Rails 8 app, where I only installed Rodauth and added WebAuthn, and passkey creation works successfully (with a 302 redirect) 🤷🏻‍♂️ Let me know if you were able to figure it out.

Also, if you find that rodauth-rails hides something about how it works in a way that other Rails engines like Devise don't, I would be glad to hear about it so that I can improve transparency where possible 😉