feat/improve-bytes-subclass-mypy-support

mypy.ini

@@ -1,6 +1,11 @@
 [mypy]
+plugins = pydantic.mypy
+
 python_version = 3.8
 
+[pydantic-mypy]
+init_typed=True
+
 [mypy-asn1crypto.*]
 ignore_missing_imports = True
 

webauthn/authentication/verify_authentication_response.py

@@ -18,7 +18,6 @@
     PublicKeyCredentialType,
     TokenBindingStatus,
     WebAuthnBaseModel,
-    BytesLike,
 )
 
 
@@ -27,7 +26,7 @@ class VerifiedAuthentication(WebAuthnBaseModel):
     Information about a verified authentication of which an RP can make use
     """
 
-    credential_id: BytesLike
+    credential_id: bytes
     new_sign_count: int
 
 

webauthn/helpers/structs.py

@@ -1,8 +1,9 @@
 from enum import Enum
 from typing import List, Literal, Optional
 
-from pydantic import BaseModel
+from pydantic import BaseModel, validator
 from pydantic.validators import strict_bytes_validator
+from pydantic.fields import ModelField
 
 from .bytes_to_base64url import bytes_to_base64url
 from .cose import COSEAlgorithmIdentifier
@@ -30,35 +31,30 @@ class Config:
         alias_generator = snake_case_to_camel_case
         allow_population_by_field_name = True
 
+    @validator("*", pre=True, allow_reuse=True)
+    def _validate_bytes_fields(cls, v, field: ModelField):
+        """
+        Allow for Pydantic models to define fields as `bytes`, but allow consuming projects to
+        specify bytes-adjacent values (bytes subclasses, memoryviews, etc...) that otherwise
+        function like `bytes`. Keeps the library Pythonic.
+        """
+        if field.type_ != bytes:
+            return v
 
-class BytesLike(bytes):
-    """
-    Custom type to use as an annotation in Pydantic models. This helps us be a better dependency
-    and get along with other libraries like mongoengine that use "clever" bytes subclasses that
-    otherwise act like normal `bytes` type.
-
-    BaseModel properties with this type will accept either `bytes` OR a subclass of `bytes`.
-
-    See the following issues on GitHub for more context:
-
-    - https://github.com/duo-labs/py_webauthn/issues/110
-    - https://github.com/duo-labs/py_webauthn/issues/113
-    """
-
-    @classmethod
-    def __get_validators__(cls):
-        yield cls.validate
-
-    @classmethod
-    def validate(cls, v):
         if isinstance(v, bytes):
-            return v
+            """
+            Return raw bytes from subclasses as well
+
+            `strict_bytes_validator()` performs a similar check to this, but it passes through the
+            subclass as-is and Pydantic then rejects it. Passing the subclass into `bytes()` lets us
+            return `bytes` and make Pydantic happy.
+            """
+            return bytes(v)
         elif isinstance(v, memoryview):
             return v.tobytes()
         else:
             return strict_bytes_validator(v)
 
-
 ################
 #
 # Fundamental data structures
@@ -243,7 +239,7 @@ class PublicKeyCredentialUserEntity(WebAuthnBaseModel):
     https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialuserentity
     """
 
-    id: BytesLike
+    id: bytes
     name: str
     display_name: str
 
@@ -273,7 +269,7 @@ class PublicKeyCredentialDescriptor(WebAuthnBaseModel):
     https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialdescriptor
     """
 
-    id: BytesLike
+    id: bytes
     type: Literal[
         PublicKeyCredentialType.PUBLIC_KEY
     ] = PublicKeyCredentialType.PUBLIC_KEY
@@ -314,7 +310,7 @@ class CollectedClientData(WebAuthnBaseModel):
     """
 
     type: ClientDataType
-    challenge: BytesLike
+    challenge: bytes
     origin: str
     cross_origin: Optional[bool] = None
     token_binding: Optional[TokenBinding] = None
@@ -345,7 +341,7 @@ class PublicKeyCredentialCreationOptions(WebAuthnBaseModel):
 
     rp: PublicKeyCredentialRpEntity
     user: PublicKeyCredentialUserEntity
-    challenge: BytesLike
+    challenge: bytes
     pub_key_cred_params: List[PublicKeyCredentialParameters]
     timeout: Optional[int] = None
     exclude_credentials: Optional[List[PublicKeyCredentialDescriptor]] = None
@@ -363,8 +359,8 @@ class AuthenticatorAttestationResponse(WebAuthnBaseModel):
     https://www.w3.org/TR/webauthn-2/#authenticatorattestationresponse
     """
 
-    client_data_json: BytesLike
-    attestation_object: BytesLike
+    client_data_json: bytes
+    attestation_object: bytes
 
 
 class RegistrationCredential(WebAuthnBaseModel):
@@ -381,7 +377,7 @@ class RegistrationCredential(WebAuthnBaseModel):
     """
 
     id: str
-    raw_id: BytesLike
+    raw_id: bytes
     response: AuthenticatorAttestationResponse
     transports: Optional[List[AuthenticatorTransport]] = None
     type: Literal[
@@ -436,9 +432,9 @@ class AttestedCredentialData(WebAuthnBaseModel):
     https://www.w3.org/TR/webauthn-2/#attested-credential-data
     """
 
-    aaguid: BytesLike
-    credential_id: BytesLike
-    credential_public_key: BytesLike
+    aaguid: bytes
+    credential_id: bytes
+    credential_public_key: bytes
 
 
 class AuthenticatorData(WebAuthnBaseModel):
@@ -455,7 +451,7 @@ class AuthenticatorData(WebAuthnBaseModel):
     https://www.w3.org/TR/webauthn-2/#sctn-attested-credential-data
     """
 
-    rp_id_hash: BytesLike
+    rp_id_hash: bytes
     flags: AuthenticatorDataFlags
     sign_count: int
     attested_credential_data: Optional[AttestedCredentialData] = None
@@ -498,7 +494,7 @@ class PublicKeyCredentialRequestOptions(WebAuthnBaseModel):
     https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options
     """
 
-    challenge: BytesLike
+    challenge: bytes
     timeout: Optional[int] = None
     rp_id: Optional[str] = None
     allow_credentials: Optional[List[PublicKeyCredentialDescriptor]] = []
@@ -519,9 +515,9 @@ class AuthenticatorAssertionResponse(WebAuthnBaseModel):
     https://www.w3.org/TR/webauthn-2/#authenticatorassertionresponse
     """
 
-    client_data_json: BytesLike
-    authenticator_data: BytesLike
-    signature: BytesLike
+    client_data_json: bytes
+    authenticator_data: bytes
+    signature: bytes
     user_handle: Optional[bytes] = None
 
 
@@ -538,7 +534,7 @@ class AuthenticationCredential(WebAuthnBaseModel):
     """
 
     id: str
-    raw_id: BytesLike
+    raw_id: bytes
     response: AuthenticatorAssertionResponse
     type: Literal[
         PublicKeyCredentialType.PUBLIC_KEY

webauthn/registration/verify_registration_response.py

@@ -17,7 +17,6 @@
     RegistrationCredential,
     TokenBindingStatus,
     WebAuthnBaseModel,
-    BytesLike,
 )
 from .formats.android_key import verify_android_key
 from .formats.android_safetynet import verify_android_safetynet
@@ -42,14 +41,14 @@ class VerifiedRegistration(WebAuthnBaseModel):
         `attestation_object`: The raw attestation object for later scrutiny
     """
 
-    credential_id: BytesLike
-    credential_public_key: BytesLike
+    credential_id: bytes
+    credential_public_key: bytes
     sign_count: int
     aaguid: str
     fmt: AttestationFormat
     credential_type: PublicKeyCredentialType
     user_verified: bool
-    attestation_object: BytesLike
+    attestation_object: bytes
 
 
 expected_token_binding_statuses = [