Callback handling - why base64 encode rawId instead of using id #119

Closed
truongnmt opened this issue Jul 21, 2021 · 2 comments
@truongnmt
truongnmt commented Jul 21, 2021

First, thanks for the implementation! Carefully written, also the test was really helpful!

By the way, when I read the credential callback implementation:

external_id: Base64.strict_encode64(webauthn_credential.raw_id)

Why do we have to base64 encode the rawId? Why not use webauthn_credential.id straight away?
As written in the spec, id is base64(rawId) already. By manually base64-encoding rawId and saving it to the database, what benefit do we have over saving id?
https://www.w3.org/TR/credential-management-1/#dom-credential-id

Besides, in session_controller we use the base64-encoded rawId to create the allow list and send it to the authenticator.

get_options = WebAuthn::Credential.options_for_get(allow: user.credentials.pluck(:external_id))

So overall, saving the id returned from the authenticator and then using that id to send back to the authenticator makes sense to me.
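
Added example, not part of the original issue or the project's code: WebAuthn defines `id` as the base64url encoding of `rawId` without padding, while `Base64.strict_encode64` uses the standard alphabet with `=` padding, so the two strings can differ for the same bytes. The sketch uses a constructed 16-byte credential id and the hypothetical helpers `decode_credential_id` and `find_credential` to show why stored and presented ids should be compared in one canonical form.

```ruby
require "base64"

# Constructed sample credential id (16 bytes), chosen so the two alphabets
# and the padding visibly differ. Not taken from a real authenticator.
RAW_ID = [0xFB, 0xFF, 0xBE, *(0..12)].pack("C*")

# Form stored by the line quoted in the issue: standard alphabet, "=" padding.
def strict_id(raw)
  Base64.strict_encode64(raw)
end

# Form WebAuthn uses for `id`: URL-safe alphabet, no padding.
def urlsafe_id(raw)
  Base64.urlsafe_encode64(raw, padding: false)
end

# Hypothetical helper: accept either text form and return the raw bytes.
def decode_credential_id(text)
  std = text.tr("-_", "+/")
  std += "=" * ((4 - std.length % 4) % 4)
  Base64.strict_decode64(std) # raises ArgumentError on malformed input
end

# Hypothetical lookup: compare decoded bytes rather than encoded strings,
# so a row saved in one encoding still matches an id presented in the other.
def find_credential(stored_ids, presented)
  want = decode_credential_id(presented)
  stored_ids.find { |s| decode_credential_id(s) == want }
end

if __FILE__ == $PROGRAM_NAME
  stored = [strict_id(RAW_ID)]
  presented = urlsafe_id(RAW_ID)
  puts "stored:       #{stored.first}"
  puts "presented:    #{presented}"
  puts "string match: #{stored.include?(presented)}"
  puts "byte match:   #{!find_credential(stored, presented).nil?}"
end
```

Whichever form is saved, the same form has to be used for the database lookup and for the allow list.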

@Brantron

Great callout, after using this template as inspiration for my own implementation I came back to make this same issue. Hopefully folks in the future will see this and understand that they can simplify the implementation a bit by using id and not manually encoding the raw_id.

@rromanchuk
@Brantron have you seen a refreshed implementation on the client side anywhere? I don't use UJS, only Turbo + Stimulus, so I need to refactor all the xhr eventing.

I suppose I should just start fresh, using https://github.com/github/webauthn-json/blob/main/src/dev/demo/index.ts as a guide
