strangerlabs / webauthn Goto Github PK

If you are using the cookie-session package instead of express-session, the app works fine until you try to logout.

The logout method calls req.session.destroy() which doesn't exist in the other package, so you get

TypeError: req.session.destroy is not a function

Can we add a check or state that this package needs to be used with express-session? Something like:

if (typeof req.session.destroy === 'function') {
  ...
} else {
 req.session = null;
}

I can PR if you'd like.

The following packages are missing in the example/package.json

• webauthn
• nodemon

To simply start the example by npm start we have to add these packages to the package.json

User verification should be set to discouraged by default. It should still be possible to set uv = 'required' with an option, but leaving it undefined can have unexpected side effects.

It would be nice if there was a way to debug the unoptimized client code from the example app. Having npm run dev start the express backend as well as copy the static assets would probably do it.

Someone might want to add multiple authenticators to one user.
That's currently not possible.

There should a possibility to specify an amount of possible authenticators allowed for one user.

Backwards compatible example here: Mik13@9bf709f

Hi there,

First of all, this is an really AWESOME repo!!
It guided me through some of the implementations that I would not have even known!

Just to point out this little issue when I am running the example. I think in Webauthn.js, it's better to modify line 30, 31
usernameField: 'username', userFields: ['username', 'name'],
So that there won't be mismatch between the parameters from the front-end and back-end

Best,

Ru

FYI I gave this a whirl and it works great with most keys (U2F, FIDO, MacBook fingerprint), but here's a device where it fails to work:

• MacBook Pro (Model A1989)
• OS X 10.14.5
• Chrome 74.0.3729.169 (64 bit)
• Fingerprint sensor

const webauthn = require('./Webauthn')

y = {
    "publicKey": "BE6dYDmxeWIXbCM6DYqU3Yxg1PynoYl0rLei25QXksxicNIXH0iGtDW05IrbiwrXIzE9NI5-UdsP_pdFKkcHG-E",
    fmt: "fido-u2f"
}
x = {
    "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFXPgtka3OAAI1vMYKZIsLJfHwVQMAgADpMeDIZQ9uUOKrShQMWdsX9Px2Uo3ZVoCZFpBkr_CQ9tsHHfdu7foaUKxY1UMZiERyeGUo4yq37METlvOwPjZtVXr4NdhoDF4nxiGr2eaHfg-XC3fqkKZUN36H63xxcEDlczfpx-vcbdw_ZtPRHKgQZiqw2gRSmBpTxCPVtX-3pQECAyYgASFYIE6dYDmxeWIXbCM6DYqU3Yxg1PynoYl0rLei25QXksxiIlggcNIXH0iGtDW05IrbiwrXIzE9NI5-UdsP_pdFKkcHG-E",
    "signature": "MEUCIQCtiRBFexiFuwXDL_JirFkG_xyFsPgS7GzjYJ3Mr3j86QIgT3fYOtqCmMtKxCpo7pDlEIfaxiyPyqcqVYQVwpFQw84",
    "userHandle": "ODY1MTg2NDItZjgzMC00ODI5LWI2MDYtYjFiMzA1ZDRmYWRk",
    "clientDataJSON": "eyJjaGFsbGVuZ2UiOiJZaGZNc2hDMWJNTV9aeTVCSzBRZ3VGNWZpRXY1bk9EVE5IaVpTSVJzak04Iiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo3MTAwIiwidHlwZSI6IndlYmF1dGhuLmdldCJ9"
}
t = webauthn.verifyAuthenticatorAssertionResponse(x, y)
console.log('y', t.verified)

With the device, attestation works, but assertion fails.

I'll be looking into it more and will report in if I figure out the solution.

Thanks for the great work here. Cheers.

This isn't an issue, just a question. If no one wants to answer or this is not the appropriate place to ask this question please let me know. Thank you in advance for your time.

I was wondering why convert the buffer values to base64 and not utf-8 or another string encoding? I'm genuinely curious about what, if any, reasons are behind this choice.

Dear strangerlabs-team,
first of all, thanks for all the effort with this project!

I've tried to use the client within chrome (with static delivery via express.static), but it does not work, because the imports does not work because they require a .js at the end.

Error:
GET https://localhost:3001/js/webauthn/client/Client net::ERR_ABORTED 404 (Not Found)

As far as I know, NodeJS does not care about the ".js" at the end of import, and with the .js Chrome would understand it, so I think that would be a nice addition to the project.

This commit would show the changes, if the idea will get accepted: Mik13@6cdbd75

Best regards

The storage interface should more easily allow developers to integrate this library with their existing user models, especially for relational databases.

• The documentation should include the fields that are expected to be stored and their types.
• search should probably be removed since it's not being used.
• We should be careful that the design makes sense after #12 is implemented (e.g. we might want to be able to delete individual credentials).

It could also be a good idea to change the attribute user.authenticator to user.webauthnCredential since not all authenticators are webauthn authenticators and in theory the same user could have multiple credentials on the same authenticator, but this is a little bikesheddy :)

Blocked on #12

Any way you could add support for attestation: 'none' when doing the registration challenge? I want to be able to use U2F without having the browser prompt the user for extended information.

Thanks.

Attestation type should be changeable, because "direct" (the only possibility currently) is not always wanted and/or needed.

Maybe we can allow indirect and none too (for this, the none format must be implemented too).

Example here: Mik13@0896449

The website linked in the repos description seems to be down.

It appears that the DNS entry does not exist (anymore):

nslookup webauthn.strangerlabs.io
Server:		10.204.0.1
Address:	10.204.0.1#53

** server can't find webauthn.strangerlabs.io: NXDOMAIN

Thanks for working on WebAuthn, super important.

I am building MeshCentral (https://www.npmjs.com/package/meshcentral) and really need to support YubiKey, FIDO and FIDO2 (WehAuthn). I support it now using some dependency libraries I don't like and would like to start using a more supported library. One of the requirements I have is to make MeshCentral work on Node 6.0.0 and higher. So far it's not been an issue at all, however the "await" and "async" syntax in this library breaks older node versions. Is there a work around for this?

Also, I am using "forge" as my crypto and would like to use that as the crypto provider. i wonder if there could be an option for this. Right now, it looks like I am going to have to build something custom. Any opinions would be great.

Hiya! Would you consider migrating to typescript? Codebase at the moment does not seem to be huge. I could rewrite it with ts.

Since we added the ability to change the attestation type (as per #11, #19) I seem to always be getting a direct attestation. This might also be due to my particular kind of authenticator.

The library should support and default to none attestation, as requiring it has some privacy implications and includes dissuading language on browsers. Also, validating the attestation means the backend has to talk to the FIDO MDS which adds complexity that a developer might not need in their application.

added 104 packages from 224 contributors, removed 129 packages, updated 398 packages and audited 891680 packages in 81.255s
found 16330 vulnerabilities (3 moderate, 16326 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

😱

The client should expose any errors thrown on the register, login, or logout methods instead of logging them and returning undefined.

Add tests, at the very least to cover the following scenarios:

• Constructing a webauthn object with nonsensical parameters.
• Generating a challenge.
• Creating a credential (response with an attestation).
  • Error cases (using the credential creation steps from the spec)
  • Correct case
  • With and without attestation
  • With and without UV
• Getting an assertion (response with the assertion).
  • Error cases (using the verifying an assertion steps from the spec)
  • Correct case
  • With and without UV
• login with matching credential and without matching credential.

As @nsatragno is doing work to improve this project I’m wondering whether this library is ultimately only to be seen as a demo or if work should be put into it, to get it production ready and make it the de-facto default js implementation of WebAuthn.

If there‘s a chance that this will become the reference implementation what should a roadmap look like and how should it be structured?

• Should the library expose a client library and a server library
• How modular should the server be
• Should adapters and other utilities be hosted in this repo (monorepo?)

I would love to see this become a production ready library and thanks to everyone involved!

Currently AttestationChallengeBuilder.setAuthenticator throws an error if config.authenticator is not cross-platform or platform

This field is not mandatory. If not provided a browser prompt is presented (@see https://webauthn.io/).

I suggest to remove

Currently, everything is logged to console, which might pollute things like syslog etc.

There should be a possibility, to change the logger, like this: Mik13@929ed75