一键导入
webauthn-contract-tests
How to lock WebAuthn begin-ceremony API response shapes against browser/client challenge mismatches
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
How to lock WebAuthn begin-ceremony API response shapes against browser/client challenge mismatches
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | webauthn-contract-tests |
| description | How to lock WebAuthn begin-ceremony API response shapes against browser/client challenge mismatches |
| domain | api-design |
| confidence | high |
| source | earned |
Use this when changing WebAuthn/passkey registration or login endpoints. Browser APIs are strict about where challenge, rpId, and credential IDs live, and schema wrapper mismatches can appear as missing challenge data on Safari/PWA clients.
options.challenge is non-empty when the API contract says options is passed to navigator.credentials.get({ publicKey: options }).rpId and at least one allowCredentials entry in the regression to catch credential loading or base64url encoding regressions.See src/api/handlers/webauthn_test.go:
TestWebAuthnHandlerLoginBeginReturnsRequestOptionsWithChallengeTestWebAuthnHandlerLoginFinishExpiredSessionTestWebAuthnHandlerLoginFinishMissingSessionBeginLogin returns HTTP 200; that can still hide a missing or incorrectly nested challenge.CredentialAssertion wrapper under another options key unless the frontend explicitly expects options.publicKey.challenge.Reuse the shared museum tray renderer across authenticated and public coin presentations.
Extend existing coin share cards with feature-specific context without duplicating renderers.
How to test GORM many-to-many relationships with join tables that have custom timestamp fields (beyond CreatedAt/UpdatedAt)