Comments (8)
Hi @srigi,
I am aware of that and it will be fixed soon. Have a look at #47. I pushed the code a few hours ago and this will be available in v1.2.
The demo will be updated as well with a React frontend instead of a plain old form + Twig templates.
from webauthn-framework.
@srigi FWIW, you can implement without Symfony if you want. I'm using this library with a Zend Expressive middleware pipeline.
I answered too quickly. Here is a more precise answer.
This authentication mechanism needs at least 2 requests:
- the first one to get a PublicKeyCredentialRequestOptions object
- the second one to send the assertion computed by the authenticator using the PublicKeyCredentialRequestOptions object
The firewall has to keep track of the PublicKeyCredentialRequestOptions object sent to the authenticator. It is used by the validator to verify the assertion received from the client (especially to prevent challenge forgery attacks). Thus this authentication mechanism cannot be stateless.
I use PHP sessions as it is a convenient and secure way to manage that.
Once your user is logged in, nothing prevents you from issuing access tokens or whatever you need to consume your REST API in a stateless manner.
The React app I am preparing for the demo doesn't care about the session cookie received by the Symfony application. In the demo, the only requirement during the login process is to set credentials to "same-site" as the cookies are secure, httponly and samesite is strict.
As suggested by @moderndeveloperllc, other alternatives exist (e.g. routes with an ID of the PublicKeyCredentialRequestOptions).
Anyway, the idea to implement a custom storage is a nice idea. This could be achieved using a new firewall option and a default storage based on cookies.
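The comment above explains why the assertion ceremony cannot be stateless: the server must remember the PublicKeyCredentialRequestOptions (in particular its challenge) issued in the first request so that the assertion returned in the second request can be bound to it. The following is an added example, not code from webauthn-framework or from the thread's authors, written in Python to show that binding in isolation. The `RelyingParty` class, its in-memory `_pending` dictionary (a constructed stand-in for the PHP session) and the `client_build_client_data` helper are all assumptions for illustration; a real verifier additionally checks the rpIdHash, the signature over authenticatorData and the clientDataJSON hash, and the signature counter, none of which is shown here.

```python
import base64
import json
import os
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes challenges in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RelyingParty:
    """Server side of the two-request flow (hypothetical, not the library's API).

    Request 1 issues PublicKeyCredentialRequestOptions with a fresh challenge and
    stores them in server-side state keyed by the session. Request 2 must present a
    clientDataJSON whose challenge equals the stored one; the stored options are
    consumed on first use so a replayed assertion cannot succeed.
    """

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id = rp_id
        self.origin = origin
        # session_id -> pending options; constructed stand-in for the PHP session.
        self._pending: dict = {}

    def request_options(self, session_id: str) -> dict:
        options = {
            "challenge": b64url(os.urandom(32)),  # 256-bit random challenge
            "rpId": self.rp_id,
            "timeout": 60000,
            "userVerification": "preferred",
        }
        self._pending[session_id] = options
        return options

    def verify_assertion(self, session_id: str, client_data_json_b64: str):
        """Return (ok, reason). Only the state/challenge checks are modelled."""
        options = self._pending.pop(session_id, None)  # single use: replay fails
        if options is None:
            return False, "no pending request options for this session"
        try:
            client_data = json.loads(b64url_decode(client_data_json_b64))
        except (ValueError, json.JSONDecodeError):
            return False, "malformed clientDataJSON"
        if client_data.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if client_data.get("origin") != self.origin:
            return False, "origin mismatch"
        expected = options["challenge"]
        presented = client_data.get("challenge", "")
        if not secrets.compare_digest(presented.encode(), expected.encode()):
            return False, "challenge mismatch"
        return True, "assertion bound to this session's request options"


def client_build_client_data(options: dict, origin: str) -> str:
    """What the browser's navigator.credentials.get() produces as clientDataJSON
    for the given options (constructed helper, signature step omitted)."""
    payload = {"type": "webauthn.get", "challenge": options["challenge"], "origin": origin}
    return b64url(json.dumps(payload).encode())


def run_demo() -> dict:
    """Honest flow, then the three failure modes the server-side state prevents."""
    rp = RelyingParty("example.com", "https://example.com")
    results = {}

    # Request 1 / Request 2 for a legitimate session.
    opts = rp.request_options("sess-1")
    client_data = client_build_client_data(opts, "https://example.com")
    results["honest"] = rp.verify_assertion("sess-1", client_data)

    # Replaying the same assertion: options were consumed, so it fails.
    results["replay"] = rp.verify_assertion("sess-1", client_data)

    # A clientDataJSON carrying a challenge the server never issued.
    rp.request_options("sess-2")
    forged = client_build_client_data({"challenge": b64url(b"not-issued")}, "https://example.com")
    results["forged_challenge"] = rp.verify_assertion("sess-2", forged)

    # Correct challenge but presented from a different origin.
    opts3 = rp.request_options("sess-3")
    wrong_origin = client_build_client_data(opts3, "https://evil.example")
    results["wrong_origin"] = rp.verify_assertion("sess-3", wrong_origin)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:16s} ok={ok} ({reason})")
```

The session cookie is what ties request 2 back to the state created by request 1; a stateless token issued after `verify_assertion` succeeds (as the comment suggests) carries no such requirement, which is why the rest of the API can remain stateless while the login ceremony itself cannot.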
Hi @srigi,
I merged the Json Firewall to the v1.2 branch a few days ago.
This new firewall will ease the use of script apps (e.g. Vue or React apps).
I will add 2 new options to this firewall within the next days: success_handler and failure_handler.
These handlers will allow you to customize the responses returned by the firewall. For example, you will be able to generate an access token (e.g. using LexikJWTAuthenticationBundle) and return it the way you want (in the response body or through the query/fragment of a redirect uri).
In any case, the PHP session will still be used by this firewall as explained earlier. However, with these handlers you will have access to the request and thus to the session, which could be deleted if needed.
@srigi please have a look at #51. This PR will help you to fix that issue.
Closing as merged in v1.2.
@Spomky sorry for not responding. I was dealing with other projects.
PR #51 looks great, thank you very much.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.