
Comments (8)

Spomky commented on June 30, 2024

Hi @srigi,

I am aware of that and it will be fixed soon. Have a look at #47. I pushed the code a few hours ago and this will be available in v1.2.

The demo will be updated as well with a React frontend instead of a plain old form + Twig templates.

from webauthn-framework.

moderndeveloperllc commented on June 30, 2024

@srigi FWIW, you can implement without Symfony if you want. I'm using this library with a Zend Expressive middleware pipeline.


Spomky commented on June 30, 2024

I answered too quickly. Here is a more precise answer.
This authentication mechanism needs at least 2 requests:

The firewall has to keep track of the PublicKeyCredentialRequestOptions object sent to the authenticator. It is used by the validator to verify the assertion received from the client (especially to prevent challenge forgery attacks). Thus this authentication mechanism cannot be stateless.

I use PHP sessions as it is a convenient and secure way to manage that.
Once your user is logged in, nothing prevents you from issuing access tokens or whatever you need to consume your REST API in a stateless manner.
The React app I am preparing for the demo doesn't care about the session cookie received by the Symfony application. In the demo, the only requirement during the login process is to set credentials to "same-site" as the cookies are secure, httponly and samesite is strict.

As suggested by @moderndeveloperllc, other alternatives exist (e.g. routes with an ID of the PublicKeyCredentialRequestOptions).
Anyway, the idea of implementing a custom storage is a nice one. This could be achieved using a new firewall option and a default storage based on cookies.

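The point made above, that the server must remember the PublicKeyCredentialRequestOptions it issued so that the echoed challenge can be checked, is illustrated by the following added example. It is not code from webauthn-framework (whose firewall keeps the options in the PHP session) but a language-agnostic sketch in Python: a server-side challenge store keyed by a session or request ID, a constructed stand-in for the clientDataJSON the browser returns, and a verifier that rejects forged, replayed, expired and wrong-origin challenges. The origin, rpId, TTL and session IDs are constructed values.

```python
import base64
import json
import os
import secrets
import time

# Constructed example, not webauthn-framework code. The "session" is a dict
# keyed by a session id, so the same store also covers the "options ID in the
# route" alternative mentioned in the thread: the key is whatever the second
# request can present to locate the options issued in the first request.

CHALLENGE_TTL = 60  # seconds an issued challenge stays valid (assumed value)
EXPECTED_ORIGIN = "https://example.test"  # relying party origin (constructed)
RP_ID = "example.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class ChallengeStore:
    """Keeps issued request options server-side, one per session/request id."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._pending = {}  # session_id -> {"challenge": bytes, "expires": float}

    def issue(self, session_id: str) -> dict:
        # Request 1: generate an unguessable challenge, remember it, and return
        # the options the browser will pass to navigator.credentials.get().
        challenge = os.urandom(32)
        self._pending[session_id] = {
            "challenge": challenge,
            "expires": self._now() + CHALLENGE_TTL,
        }
        return {"challenge": b64url(challenge), "rpId": RP_ID, "userVerification": "preferred"}

    def verify(self, session_id: str, client_data_json: bytes) -> bool:
        # Request 2: the challenge the client echoes is only meaningful if the
        # server still holds the one it issued; a fully stateless server has
        # nothing to compare against, which is why the flow needs state.
        pending = self._pending.pop(session_id, None)  # one-time use: pop, never re-read
        if pending is None or self._now() > pending["expires"]:
            return False
        try:
            client_data = json.loads(client_data_json)
            echoed = b64url_decode(client_data["challenge"])
        except (ValueError, KeyError, TypeError):
            return False
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("origin") != EXPECTED_ORIGIN:
            return False
        # Constant-time comparison of the stored and echoed challenge bytes.
        return secrets.compare_digest(echoed, pending["challenge"])


def make_client_data(challenge_b64url: str, origin=EXPECTED_ORIGIN, typ="webauthn.get") -> bytes:
    # Constructed stand-in for the clientDataJSON an authenticator would sign over.
    return json.dumps({"type": typ, "challenge": challenge_b64url, "origin": origin}).encode()


def demo() -> dict:
    store = ChallengeStore()
    options = store.issue("sess-1")
    good = store.verify("sess-1", make_client_data(options["challenge"]))
    replay = store.verify("sess-1", make_client_data(options["challenge"]))
    store.issue("sess-2")
    forged = store.verify("sess-2", make_client_data(b64url(os.urandom(32))))
    options3 = store.issue("sess-3")
    wrong_origin = store.verify(
        "sess-3", make_client_data(options3["challenge"], origin="https://evil.test")
    )
    return {"good": good, "replay": replay, "forged": forged, "wrong_origin": wrong_origin}


if __name__ == "__main__":
    print(demo())  # {'good': True, 'replay': False, 'forged': False, 'wrong_origin': False}
```

The signature check over authenticatorData and clientDataJSON is deliberately omitted here; the library performs it, and it only has meaning once the challenge inside clientDataJSON has been tied back to the options the server issued, which is the part this store provides.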

Spomky commented on June 30, 2024

Hi @srigi,

I merged the Json Firewall into the v1.2 branch a few days ago.
This new firewall will ease the use of script apps (e.g. Vue or React apps).

I will add 2 new options to this firewall within the next few days: success_handler and failure_handler.
These handlers will allow you to customize the responses returned by the firewall. For example, you will be able to generate an access token (e.g. using LexikJWTAuthenticationBundle) and return it the way you want (in the response body or through the query/fragment of a redirect URI).

In any case, the PHP session will still be used by this firewall as explained earlier. However, with these handlers you will have access to the request and thus the session, which could be deleted if needed.


Spomky commented on June 30, 2024

@srigi please have a look at #51. This PR will help you to fix that issue.


Spomky commented on June 30, 2024

Closing as merged in v1.2.


srigi commented on June 30, 2024

@Spomky sorry for not responding. I was dealing with other projects.
PR #51 looks great, thank you very much.


github-actions commented on June 30, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

