[Fix] Separate Username from Id

_example/storage.go

@@ -7,6 +7,8 @@ import (
 
 	"github.com/egregors/passkey"
 	"github.com/go-webauthn/webauthn/webauthn"
+
+	"github.com/mstarongithub/passkey"
 )
 
 type Storage struct {
@@ -53,6 +55,18 @@ func (s *Storage) SaveUser(user passkey.User) {
 	s.users[user.WebAuthnName()] = user
 }
 
+func (s *Storage) GetUserByWebAuthnId(id []byte) passkey.User {
+	s.uMu.Lock()
+	defer s.uMu.Unlock()
+
+	// Storage implementation assumes that username == webauthn Id
+	if user, ok := s.users[string(id)]; ok {
+		return user
+	} else {
+		return nil
+	}
+}
+
 // -- Session storage methods --
 
 func (s *Storage) GenSessionID() (string, error) {

handlers.go

@@ -37,7 +37,11 @@ func (p *Passkey) beginRegistration(w http.ResponseWriter, r *http.Request) {
 	t, err := p.sessionStore.GenSessionID()
 	if err != nil {
 		p.l.Errorf("can't generate session id: %s", err.Error())
-		JSONResponse(w, fmt.Sprintf("can't generate session id: %s", err.Error()), http.StatusInternalServerError)
+		JSONResponse(
+			w,
+			fmt.Sprintf("can't generate session id: %s", err.Error()),
+			http.StatusInternalServerError,
+		)
 
 		return
 	}
@@ -70,7 +74,7 @@ func (p *Passkey) finishRegistration(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// TODO: username != user id? need to check
-	user := p.userStore.GetOrCreateUser(string(session.UserID)) // Get the user
+	user := p.userStore.GetUserByWebAuthnId(session.UserID) // Get the user
 
 	credential, err := p.webAuthn.FinishRegistration(user, *session, r)
 	if err != nil {
@@ -120,7 +124,11 @@ func (p *Passkey) beginLogin(w http.ResponseWriter, r *http.Request) {
 	t, err := p.sessionStore.GenSessionID()
 	if err != nil {
 		p.l.Errorf("can't generate session id: %s", err.Error())
-		JSONResponse(w, fmt.Sprintf("can't generate session id: %s", err.Error()), http.StatusInternalServerError)
+		JSONResponse(
+			w,
+			fmt.Sprintf("can't generate session id: %s", err.Error()),
+			http.StatusInternalServerError,
+		)
 
 		return
 	}
@@ -146,7 +154,7 @@ func (p *Passkey) finishLogin(w http.ResponseWriter, r *http.Request) {
 	session, _ := p.sessionStore.GetSession(sid.Value) // FIXME: cover invalid session
 
 	// TODO: username != user id? need to check
-	user := p.userStore.GetOrCreateUser(string(session.UserID)) // Get the user
+	user := p.userStore.GetUserByWebAuthnId(session.UserID) // Get the user
 
 	credential, err := p.webAuthn.FinishLogin(user, *session, r)
 	if err != nil {
@@ -173,7 +181,11 @@ func (p *Passkey) finishLogin(w http.ResponseWriter, r *http.Request) {
 	t, err := p.sessionStore.GenSessionID()
 	if err != nil {
 		p.l.Errorf("can't generate session id: %s", err.Error())
-		JSONResponse(w, fmt.Sprintf("can't generate session id: %s", err.Error()), http.StatusInternalServerError)
+		JSONResponse(
+			w,
+			fmt.Sprintf("can't generate session id: %s", err.Error()),
+			http.StatusInternalServerError,
+		)
 
 		return
 	}

ifaces.go

@@ -16,6 +16,7 @@ type User interface {
 
 type UserStore interface {
 	GetOrCreateUser(userID string) User
+	GetUserByWebAuthnId(id []byte) User
 	SaveUser(User)
 }