strangerlabs / webauthn
W3C Web Authentication API Relying Party for Node.js and Express
License: MIT License
If you are using the cookie-session package instead of express-session, the app works fine until you try to logout.
The logout method calls req.session.destroy(), which doesn't exist in the other package, so you get
TypeError: req.session.destroy is not a function
Can we add a check or state that this package needs to be used with express-session? Something like:
if (typeof req.session.destroy === 'function') {
...
} else {
req.session = null;
}
I can PR if you'd like.
The following packages are missing in the example/package.json.
To simply start the example by npm start we have to add these packages to the package.json.
User verification should be set to discouraged by default. It should still be possible to set uv = 'required' with an option, but leaving it undefined can have unexpected side effects.
It would be nice if there was a way to debug the unoptimized client code from the example app. Having npm run dev start the express backend as well as copy the static assets would probably do it.
Someone might want to add multiple authenticators to one user. That's currently not possible.
There should be a possibility to specify the number of authenticators allowed for one user.
Backwards compatible example here: Mik13@9bf709f
Hi there,
First of all, this is a really AWESOME repo!!
It guided me through some of the implementations that I would not have even known!
Just to point out this little issue when I am running the example. I think in Webauthn.js, it's better to modify lines 30 and 31:
usernameField: 'username', userFields: ['username', 'name'],
So that there won't be a mismatch between the parameters from the front-end and back-end.
Best,
Ru
FYI I gave this a whirl and it works great with most keys (U2F, FIDO, MacBook fingerprint), but here's a device where it fails to work:
const webauthn = require('./Webauthn')
const y = {
"publicKey": "BE6dYDmxeWIXbCM6DYqU3Yxg1PynoYl0rLei25QXksxicNIXH0iGtDW05IrbiwrXIzE9NI5-UdsP_pdFKkcHG-E",
fmt: "fido-u2f"
}
const x = {
"authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFXPgtka3OAAI1vMYKZIsLJfHwVQMAgADpMeDIZQ9uUOKrShQMWdsX9Px2Uo3ZVoCZFpBkr_CQ9tsHHfdu7foaUKxY1UMZiERyeGUo4yq37METlvOwPjZtVXr4NdhoDF4nxiGr2eaHfg-XC3fqkKZUN36H63xxcEDlczfpx-vcbdw_ZtPRHKgQZiqw2gRSmBpTxCPVtX-3pQECAyYgASFYIE6dYDmxeWIXbCM6DYqU3Yxg1PynoYl0rLei25QXksxiIlggcNIXH0iGtDW05IrbiwrXIzE9NI5-UdsP_pdFKkcHG-E",
"signature": "MEUCIQCtiRBFexiFuwXDL_JirFkG_xyFsPgS7GzjYJ3Mr3j86QIgT3fYOtqCmMtKxCpo7pDlEIfaxiyPyqcqVYQVwpFQw84",
"userHandle": "ODY1MTg2NDItZjgzMC00ODI5LWI2MDYtYjFiMzA1ZDRmYWRk",
"clientDataJSON": "eyJjaGFsbGVuZ2UiOiJZaGZNc2hDMWJNTV9aeTVCSzBRZ3VGNWZpRXY1bk9EVE5IaVpTSVJzak04Iiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo3MTAwIiwidHlwZSI6IndlYmF1dGhuLmdldCJ9"
}
const t = webauthn.verifyAuthenticatorAssertionResponse(x, y)
console.log('y', t.verified)
With the device, attestation works, but assertion fails.
I'll be looking into it more and will report in if I figure out the solution.
Thanks for the great work here. Cheers.
This isn't an issue, just a question. If no one wants to answer or this is not the appropriate place to ask this question please let me know. Thank you in advance for your time.
I was wondering why convert the buffer values to base64 and not utf-8 or another string encoding? I'm genuinely curious about what, if any, reasons are behind this choice.
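As an added illustration of the question above (this is example code, not part of the strangerlabs/webauthn library): WebAuthn fields such as the challenge, credential id and signature are arbitrary bytes, so they are carried as base64url text; UTF-8 is a text codec and silently corrupts bytes that are not valid UTF-8. The snippet round-trips a constructed byte sequence through both encodings and then decodes the clientDataJSON value from the assertion posted earlier on this page.

```javascript
// Added example (not part of the strangerlabs/webauthn code): why WebAuthn
// binary fields travel as base64url text rather than being decoded as UTF-8.

// base64url (RFC 4648 section 5, unpadded), the encoding used for
// ArrayBuffer fields in WebAuthn JSON exchanges.
function toBase64Url(buf) {
  return Buffer.from(buf).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromBase64Url(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64');
}

// Encode then decode with the given pair; true only if every byte survives.
function roundTrips(buf, encode, decode) {
  return Buffer.compare(Buffer.from(buf), decode(encode(buf))) === 0;
}

function compareEncodings(bytes) {
  return {
    base64url: roundTrips(bytes, toBase64Url, fromBase64Url),
    // UTF-8 is a text codec: bytes that are not valid UTF-8 (0xff, lone
    // continuation bytes, ...) are replaced with U+FFFD and are lost.
    utf8: roundTrips(bytes, b => b.toString('utf8'), s => Buffer.from(s, 'utf8')),
  };
}

// clientDataJSON is itself base64url; once decoded it is UTF-8 JSON whose
// "challenge" member is base64url again (32 random bytes -> 43 characters).
function parseClientDataJSON(b64url) {
  return JSON.parse(fromBase64Url(b64url).toString('utf8'));
}

// Constructed sample: bytes that cannot be valid UTF-8, which random
// challenges almost always contain.
const sampleBytes = Buffer.from([0x00, 0xff, 0xfe, 0x80, 0xc0, 0x41]);
console.log(toBase64Url(sampleBytes), compareEncodings(sampleBytes));

// The clientDataJSON value from the assertion posted above.
const clientData = parseClientDataJSON('eyJjaGFsbGVuZ2UiOiJZaGZNc2hDMWJNTV9aeTVCSzBRZ3VGNWZpRXY1bk9EVE5IaVpTSVJzak04Iiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo3MTAwIiwidHlwZSI6IndlYmF1dGhuLmdldCJ9');
console.log(clientData.origin, clientData.type, fromBase64Url(clientData.challenge).length);
```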
Dear strangerlabs-team,
first of all, thanks for all the effort with this project!
I've tried to use the client within chrome (with static delivery via express.static), but it does not work, because the imports do not work: they require a .js at the end.
Error:
GET https://localhost:3001/js/webauthn/client/Client net::ERR_ABORTED 404 (Not Found)
As far as I know, NodeJS does not care about the ".js" at the end of an import, and with the .js Chrome would understand it, so I think that would be a nice addition to the project.
This commit would show the changes, if the idea will get accepted: Mik13@6cdbd75
Best regards
The storage interface should more easily allow developers to integrate this library with their existing user models, especially for relational databases.
search should probably be removed since it's not being used.
delete individual credentials).
It could also be a good idea to change the attribute user.authenticator to user.webauthnCredential since not all authenticators are webauthn authenticators and in theory the same user could have multiple credentials on the same authenticator, but this is a little bikesheddy :)
Blocked on #12
Any way you could add support for attestation: 'none' when doing the registration challenge? I want to be able to use U2F without having the browser prompt the user for extended information.
Thanks.
Attestation type should be changeable, because "direct" (the only possibility currently) is not always wanted and/or needed.
Maybe we can allow indirect and none too (for this, the none format must be implemented too).
Example here: Mik13@0896449
The website linked in the repos description seems to be down.
It appears that the DNS entry does not exist (anymore):
nslookup webauthn.strangerlabs.io
Server: 10.204.0.1
Address: 10.204.0.1#53
** server can't find webauthn.strangerlabs.io: NXDOMAIN
Thanks for working on WebAuthn, super important.
I am building MeshCentral (https://www.npmjs.com/package/meshcentral) and really need to support YubiKey, FIDO and FIDO2 (WebAuthn). I support it now using some dependency libraries I don't like and would like to start using a more supported library. One of the requirements I have is to make MeshCentral work on Node 6.0.0 and higher. So far it's not been an issue at all, however the "await" and "async" syntax in this library breaks older node versions. Is there a workaround for this?
Also, I am using "forge" as my crypto and would like to use that as the crypto provider. I wonder if there could be an option for this. Right now, it looks like I am going to have to build something custom. Any opinions would be great.
Hiya! Would you consider migrating to typescript? Codebase at the moment does not seem to be huge. I could rewrite it with ts.
The library should support and default to none attestation, as requiring it has some privacy implications and includes dissuading language on browsers. Also, validating the attestation means the backend has to talk to the FIDO MDS, which adds complexity that a developer might not need in their application.
added 104 packages from 224 contributors, removed 129 packages, updated 398 packages and audited 891680 packages in 81.255s
found 16330 vulnerabilities (3 moderate, 16326 high, 1 critical)
run `npm audit fix` to fix them, or `npm audit` for details
😱
The client should expose any errors thrown on the register, login, or logout methods instead of logging them and returning undefined.
Add tests, at the very least to cover the following scenarios:
webauthn object with nonsensical parameters.
response with an attestation.
response with the assertion.
login with matching credential and without matching credential.
As @nsatragno is doing work to improve this project I'm wondering whether this library is ultimately only to be seen as a demo or if work should be put into it, to get it production ready and make it the de-facto default js implementation of WebAuthn.
If there's a chance that this will become the reference implementation, what should a roadmap look like and how should it be structured?
I would love to see this become a production ready library and thanks to everyone involved!
Currently AttestationChallengeBuilder.setAuthenticator throws an error if config.authenticator is not cross-platform or platform.
This field is not mandatory. If not provided a browser prompt is presented (@see https://webauthn.io/).
I suggest removing webauthn/src/AttestationChallengeBuilder.js lines 157 to 161 in d8d63d2.
Currently, everything is logged to console, which might pollute things like syslog etc.
There should be a possibility to change the logger, like this: Mik13@929ed75