chore: remove unnecessary challenge cookie

* chore: remove unnecessary challenge cookie

* docs: highly recommend using challenges

README.md

@@ -423,7 +423,7 @@ export default defineWebAuthnAuthenticateEventHandler({
 ```
 
 > [!IMPORTANT]
-> By default, the webauthn event handlers will store the challenge in a short lived, encrypted session cookie. This is not recommended for applications that require strong security guarantees. On a secure connection (https) it is highly unlikely for this to cause problems. However, if the connection is not secure, there is a possibility of a man-in-the-middle attack. To prevent this, you should use a database or KV store to store the challenge instead. For this the `storeChallenge` and `getChallenge` functions are provided.
+> Webauthn uses challenges to prevent replay attacks. By default, this module does not make use if this feature. If you want to use challenges (**which is highly recommended**), the `storeChallenge` and `getChallenge` functions are provided. An attempt ID is created and sent with each autentication request. You can use this ID to store the challenge in a database or KV store as shown in the example below.
 
 > ```ts
 > export default defineWebAuthnAuthenticateEventHandler({

src/runtime/server/lib/webauthn/authenticate.ts

@@ -5,7 +5,6 @@ import defu from 'defu'
 import type { AuthenticationResponseJSON } from '@simplewebauthn/types'
 import { getRandomValues } from 'uncrypto'
 import { base64URLStringToBuffer, bufferToBase64URLString } from '@simplewebauthn/browser'
-import { storeChallengeAsSession, getChallengeFromSession } from './utils'
 import { useRuntimeConfig } from '#imports'
 import type { WebAuthnAuthenticateEventHandlerOptions, WebAuthnCredential } from '#auth-utils'
 
@@ -39,15 +38,18 @@ export function defineWebAuthnAuthenticateEventHandler<T extends WebAuthnCredent
       _config.allowCredentials = await allowCredentials(event, body.userName)
     }
 
+    if (!storeChallenge) {
+      _config.challenge = ''
+    }
+
     try {
       if (!body.verify) {
         const options = await generateAuthenticationOptions(_config as GenerateAuthenticationOptionsOpts)
         const attemptId = bufferToBase64URLString(getRandomValues(new Uint8Array(32)))
 
-        if (storeChallenge)
+        if (storeChallenge) {
           await storeChallenge(event, options.challenge, attemptId)
-        else
-          await storeChallengeAsSession(event, options.challenge, attemptId)
+        }
 
         return {
           requestOptions: options,
@@ -58,16 +60,15 @@ export function defineWebAuthnAuthenticateEventHandler<T extends WebAuthnCredent
       if (!body.attemptId)
         throw createError({ statusCode: 400 })
 
-      let challenge: string
-      if (getChallenge)
-        challenge = await getChallenge(event, body.attemptId)
-      else
-        challenge = await getChallengeFromSession(event, body.attemptId)
+      let expectedChallenge = ''
+      if (getChallenge) {
+        expectedChallenge = await getChallenge(event, body.attemptId)
+      }
 
       const credential = await getCredential(event, body.response.id)
       const verification = await verifyAuthenticationResponse({
         response: body.response,
-        expectedChallenge: challenge,
+        expectedChallenge,
         expectedOrigin: url.origin,
         expectedRPID: url.hostname,
         authenticator: {

src/runtime/server/lib/webauthn/register.ts

@@ -6,7 +6,6 @@ import defu from 'defu'
 import type { RegistrationResponseJSON } from '@simplewebauthn/types'
 import { bufferToBase64URLString } from '@simplewebauthn/browser'
 import { getRandomValues } from 'uncrypto'
-import { storeChallengeAsSession, getChallengeFromSession } from './utils'
 import { useRuntimeConfig } from '#imports'
 import type { WebAuthnUser, WebAuthnRegisterEventHandlerOptions } from '#auth-utils'
 
@@ -52,16 +51,19 @@ export function defineWebAuthnRegisterEventHandler<T extends WebAuthnUser>({
       },
     } satisfies GenerateRegistrationOptionsOpts)
 
+    if (!storeChallenge) {
+      _config.challenge = ''
+    }
+
     try {
       if (!body.verify) {
         const options = await generateRegistrationOptions(_config as GenerateRegistrationOptionsOpts)
         const attemptId = bufferToBase64URLString(getRandomValues(new Uint8Array(32)))
 
         // If the developer has stricter storage requirements, they can implement their own storeChallenge function to store the options in a database or KV store
-        if (storeChallenge)
-          await storeChallenge?.(event, options.challenge, attemptId)
-        else
-          await storeChallengeAsSession(event, options.challenge, attemptId)
+        if (storeChallenge) {
+          await storeChallenge(event, options.challenge, attemptId)
+        }
 
         return {
           creationOptions: options,
@@ -76,11 +78,10 @@ export function defineWebAuthnRegisterEventHandler<T extends WebAuthnUser>({
         })
       }
 
-      let expectedChallenge: string
-      if (getChallenge)
+      let expectedChallenge = ''
+      if (getChallenge) {
         expectedChallenge = await getChallenge(event, body.attemptId)
-      else
-        expectedChallenge = await getChallengeFromSession(event, body.attemptId)
+      }
 
       const verification = await verifyRegistrationResponse({
         response: body.response,