feat: remove registration store for passkeys

Cargo.toml

@@ -54,6 +54,7 @@ reqwest = { version = "0.12.22", features = ["json", "rustls-tls"] }
 schemars = "0.8.21"
 serde = { version = "1.0.219", features = ["derive"] }
 serde_json = { workspace = true }
+serde_plain = "1.0.2"
 sha2 = { workspace = true }
 strum = "0.27.2"
 strum_macros = "0.27.1"
@@ -71,9 +72,8 @@ tracing-subscriber = { version = "0.3.20", default-features = false, features =
   "json",
 ] }
 uuid = { workspace = true }
-# TODO/FIXME: Investigate how dangerous this is considering we're going to be tracking used challenges
 webauthn-rs = { version = "0.5.2", features = [
-  "danger-allow-state-serialisation",
+  "danger-allow-state-serialisation", # see webauthn.rs for details
   "conditional-ui",
   "workaround-google-passkey-specific-issues",
 ] }

src/auth.rs

@@ -253,13 +253,7 @@ impl AuthHandler {
             .finish_passkey_registration(&user_provided_credential, &passkey_state)?;
 
         let credential_id = verified_passkey.cred_id().clone();
-        let factor = Factor::new_passkey(
-            verified_passkey,
-            serde_json::to_value(credential.clone()).map_err(|err| {
-                tracing::info!(message = "Failed to serialize passkey credential", error = ?err);
-                ErrorResponse::internal_server_error()
-            })?,
-        );
+        let factor = Factor::new_passkey(verified_passkey);
         let factor_to_lookup = FactorToLookup::from_passkey(URL_SAFE_NO_PAD.encode(credential_id));
 
         Ok((factor, factor_to_lookup))
@@ -317,7 +311,6 @@ impl AuthHandler {
             .filter_map(|factor| {
                 if let FactorKind::Passkey {
                     webauthn_credential,
-                    registration: _,
                 } = &factor.kind
                 {
                     Some(webauthn_credential.into())

src/backup_storage.rs

@@ -545,7 +545,6 @@ mod tests {
                 id: test_primary_factor_id.clone(),
                 kind: FactorKind::Passkey {
                     webauthn_credential: serde_json::from_value(test_webauthn_credential).unwrap(),
-                    registration: json!({}),
                 },
                 created_at: DateTime::default(),
             }],

src/types/backup_metadata.rs

@@ -66,8 +66,12 @@ impl Factor {
             id: self.id.clone(),
             created_at: self.created_at.timestamp(),
             kind: match &self.kind {
-                FactorKind::Passkey { registration, .. } => ExportedFactorKind::Passkey {
-                    registration: registration.clone(),
+                FactorKind::Passkey {
+                    webauthn_credential,
+                    ..
+                } => ExportedFactorKind::Passkey {
+                    credential_id: serde_plain::to_string(webauthn_credential.cred_id())
+                        .unwrap_or_default(),
                 },
                 FactorKind::OidcAccount {
                     account,
@@ -124,12 +128,7 @@ impl Factor {
 #[allow(clippy::large_enum_variant)]
 pub enum FactorKind {
     #[serde(rename_all = "camelCase")]
-    Passkey {
-        webauthn_credential: Passkey,
-        // Registration object presented by the client when signing up. Used by the client to be
-        // to register the passkey in Turnkey later, not during initial sign up.
-        registration: serde_json::Value,
-    },
+    Passkey { webauthn_credential: Passkey },
     #[serde(rename_all = "camelCase")]
     OidcAccount {
         account: OidcAccountKind,
@@ -182,12 +181,11 @@ impl PartialEq for FactorKind {
 
 impl Factor {
     #[must_use]
-    pub fn new_passkey(webauthn_credential: Passkey, registration: serde_json::Value) -> Self {
+    pub fn new_passkey(webauthn_credential: Passkey) -> Self {
         Self {
             id: Uuid::new_v4().to_string(),
             kind: FactorKind::Passkey {
                 webauthn_credential,
-                registration,
             },
             created_at: Utc::now(),
         }
@@ -269,12 +267,10 @@ pub struct ExportedFactor {
 #[serde(rename_all = "SCREAMING_SNAKE_CASE", tag = "kind")]
 #[allow(clippy::large_enum_variant)]
 pub enum ExportedFactorKind {
+    /// For Passkey, we export (using String because of incompatibility with `JsonSchema`):
+    /// - the credential ID (type: `CredentialID`) as a base64-url-safe-no-pad string
     #[serde(rename_all = "camelCase")]
-    Passkey {
-        // Registration object presented by the client when signing up. Used by the client to be
-        // to register the passkey in Turnkey later, not during initial sign up.
-        registration: serde_json::Value,
-    },
+    Passkey { credential_id: String },
     #[serde(rename_all = "camelCase")]
     OidcAccount {
         account: ExportedOidcAccountKind,
@@ -403,11 +399,9 @@ mod tests {
 
         let factor_1 = FactorKind::Passkey {
             webauthn_credential: passkey.clone(),
-            registration: json!([1]),
         };
         let factor_2 = FactorKind::Passkey {
             webauthn_credential: passkey,
-            registration: json!([2]),
         };
 
         assert_eq!(factor_1, factor_2);

src/webauthn.rs

@@ -1,3 +1,10 @@
+//! This module contains specific logic for `WebAuthn` operations (used for Passkey serialization and deserialization).
+//!
+//! Particularly for the `webauthn-rs` crate we use the `danger-allow-state-serialisation` feature flag. This
+//! is required to serialize and deserialize the `PasskeyRegistration` and `PasskeyAuthentication` structs. It
+//! is safe because the states are kept server-accessible only (stored in the encrypted Challenge token, see `ChallengeManager`).
+//! Reference: <https://docs.rs/webauthn-rs/latest/webauthn_rs/#allow-serialising-registration-and-authentication-state>
+
 use crate::types::ErrorResponse;
 use serde_json::Value;
 use webauthn_rs::prelude::PublicKeyCredential;