From bf2308c3e828a6c2235d98d3c01a128ee5512ae9 Mon Sep 17 00:00:00 2001
From: Dimitri Bouniol
Date: Thu, 9 Oct 2025 06:09:39 -0700
Subject: [PATCH 1/2] Added unsafe setters for changing the challenge returned by the manager

Closes #72
---
 .../PublicKeyCredentialRequestOptions.swift | 13 +++++++++++--
 .../PublicKeyCredentialCreationOptions.swift | 11 ++++++++++-
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift b/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift
index 0eed662..e1bfda5 100644
--- a/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift
+++ b/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift
@@ -21,8 +21,17 @@ import Foundation
 public struct PublicKeyCredentialRequestOptions: Sendable {
 /// A challenge that the authenticator signs, along with other data, when producing an authentication assertion.
 ///
- /// When encoding using `Encodable` this is encoded as base64url.
- public var challenge: [UInt8]
+ /// The Relying Party should store the challenge temporarily until the authentication flow is complete. When encoding using `Encodable` this is encoded as base64url.
+ ///
+ /// - Warning: Although the challenge can be changed, doing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol. See ``setUnsafeChallenge(_:)``.
+ public private(set) var challenge: [UInt8]
+
+ /// Unsafely change the challenge that will be delivered to the client.
+ ///
+ /// - Warning: Although the challenge can be changed, doing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol.
+ public mutating func setUnsafeChallenge(_ newValue: [UInt8]) {
+ challenge = newValue
+ }
 
 /// A time, in seconds, that the caller is willing to wait for the call to complete. This is treated as a
 /// hint, and may be overridden by the client.
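Review bot: `setUnsafeChallenge(_:)` stores `newValue` unchecked, so an empty, short or previously used byte array becomes the challenge sent to the client, and the warning does not say what a safe replacement looks like. The doc comment should spell out the contract: the replacement must be freshly generated from a cryptographically secure random source for this one ceremony (the WebAuthn specification recommends at least 16 bytes), and it is this value, not the one the manager returned, that the Relying Party has to store and pass to verification. If rejecting degenerate input is acceptable for an escape hatch, a guard such as `precondition(!newValue.isEmpty, "challenge must not be empty")` would catch the worst case. The identical setter in the PublicKeyCredentialCreationOptions.swift hunk needs the same wording. Both structs continue outside their hunks, so whether other code reads `challenge` before the setter is called cannot be checked from here.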
diff --git a/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift b/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
index 7a37164..7f2bae0 100644
--- a/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
+++ b/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
@@ -25,7 +25,16 @@ public struct PublicKeyCredentialCreationOptions: Sendable {
 ///
 /// The Relying Party should store the challenge temporarily until the registration flow is complete. When
 /// encoding using `Encodable`, the challenge is base64url encoded.
- public let challenge: [UInt8]
+ ///
+ /// - Warning: Although the challenge can be changed, dooing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol. See ``setUnsafeChallenge(_:)``.
+ public private(set) var challenge: [UInt8]
+
+ /// Unsafely change the challenge that will be delivered to the client.
+ ///
+ /// - Warning: Although the challenge can be changed, doing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol.
+ public mutating func setUnsafeChallenge(_ newValue: [UInt8]) {
+ challenge = newValue
+ }
 
 /// Contains names and an identifier for the user account performing the registration.
 public var user: PublicKeyCredentialUserEntity

From 495b3aed272f2587bed8495c814f26552fd9f8ec Mon Sep 17 00:00:00 2001
From: Dimitri Bouniol
Date: Mon, 3 Nov 2025 03:13:08 -0800
Subject: [PATCH 2/2] Renamed setUnsafeChallenge to unsafeSetChallenge
---
 .../Authentication/PublicKeyCredentialRequestOptions.swift | 4 ++--
 .../Registration/PublicKeyCredentialCreationOptions.swift | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift b/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift
index e1bfda5..0bd428a 100644
--- a/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift
+++ b/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift
@@ -23,13 +23,13 @@ public struct PublicKeyCredentialRequestOptions: Sendable {
 ///
 /// The Relying Party should store the challenge temporarily until the authentication flow is complete. When encoding using `Encodable` this is encoded as base64url.
 ///
- /// - Warning: Although the challenge can be changed, doing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol. See ``setUnsafeChallenge(_:)``.
+ /// - SeeAlso: See ``unsafeSetChallenge(_:)`` for updating the challenge.
 public private(set) var challenge: [UInt8]
 
 /// Unsafely change the challenge that will be delivered to the client.
 ///
 /// - Warning: Although the challenge can be changed, doing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol.
- public mutating func setUnsafeChallenge(_ newValue: [UInt8]) {
+ public mutating func unsafeSetChallenge(_ newValue: [UInt8]) {
 challenge = newValue
 }
 
diff --git a/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift b/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
index 7f2bae0..539afcc 100644
--- a/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
+++ b/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
@@ -26,13 +26,13 @@ public struct PublicKeyCredentialCreationOptions: Sendable {
 /// The Relying Party should store the challenge temporarily until the registration flow is complete. When
 /// encoding using `Encodable`, the challenge is base64url encoded.
 ///
- /// - Warning: Although the challenge can be changed, dooing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol. See ``setUnsafeChallenge(_:)``.
+ /// - SeeAlso: See ``unsafeSetChallenge(_:)`` for updating the challenge.
 public private(set) var challenge: [UInt8]
 
 /// Unsafely change the challenge that will be delivered to the client.
 ///
 /// - Warning: Although the challenge can be changed, doing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol.
- public mutating func setUnsafeChallenge(_ newValue: [UInt8]) {
+ public mutating func unsafeSetChallenge(_ newValue: [UInt8]) {
 challenge = newValue
 }