Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: webauthn (passkey) support #149

Merged
merged 79 commits into from
Sep 30, 2024
Merged

feat: webauthn (passkey) support #149

merged 79 commits into from
Sep 30, 2024

Conversation

Gerbuuun
Copy link
Contributor

@Gerbuuun Gerbuuun commented Aug 27, 2024
edited
Loading

resolves #119

This makes use of the @simplewebauthn packages documented here
It is open source but doesn't accept contributions. The maintainers are actively trying to support new runtimes which is exactly what we need for the Nuxt ecosystem

I based the interface on the oauth event handlers already present in this package.

export default defineWebAuthnRegisterEventHandler({
  async onSuccess(event, { authenticator, userName }) {
    // The credential creation has been successful
    // Create user, store credential, etc, etc...
    // Set the user session
  },
  async onError(event, error) {
    // Handle error
  },
  async getOptions(event) {
    // Return your own registration options
  },
})
export default defineWebAuthnAuthenticateEventHandler({
  async getCredential(event, credentialId) {
    // Look up the credential in the DB
    // Return credential (or handle credential not found)
  },
  async onSuccess(event, { authenticator, userName }) {
    // The credential authentication has been successful
    // fetch user, update credential, etc, etc...
    // Set the user session
  },
  async onError(event, error) {
    // Handle error
  },
  async getOptions(event) {
    // Return your own authentication options
    // e.g. allowedCredentials or requireUserVerification
  },
})

By default the challenge is stored in an encrypted cookie because it is not known beforehand what kind of storage is available. In secure connections this works but for better security guarantees the developer can choose to store the challenge server side. (I'd say highly recommended)

export default defineWebAuthnAuthenticateEventHandler({
  async storeChallenge(event, challenge, attemptId) {
    // Store the challenge in a KV store or DB
    await useStorage().setItem(`attempt:${attemptId}`, challenge)
  },
  async getChallenge(event, attemptId) {
    const challenge = await useStorage().getItem(`attempt:${attemptId}`)

    // Make sure to always remove the attempt because they are single use only!
    await useStorage().removeItem(`attempt:${attemptId}`)

    if (!challenge)
      throw createError({ statusCode: 400, message: 'Authentication attempt expired' })

    return challenge
  },
  // ... other functions
})

A getOptions function where the developer can customize the respective options as much as they want. This allows for multiple webauthn implementations in a single project (for example one for passkeys and one for standard physical keys like Yubikey with more strict requirements)

There is a guide for FIDO conformance here https://simplewebauthn.dev/docs/advanced/fido-conformance (not sure if fully possible with my current implementation)

On the frontend it is as simple as:

<script setup lang="ts">
const { register, authenticate } = useWebauthn()
const userName = ref('')

async function submit() {
  await register({ userName: userName.value })
}
</script>

@Gerbuuun

This comment was marked as resolved.

Sign in to view
@Gerbuuun
Copy link
Contributor Author

Ok, I have implemented the changes I proposed. I'm a lot more satisfied with how it looks now.
Let me know your opinions.

Gerbuuun and others added 16 commits August 27, 2024 18:22
@Gerbuuun
refactor: use body instead of query param for attemptId
4554c68
@Gerbuuun
Merge remote-tracking branch 'origin/main' into feat/simplewebauthn-p…
37224a4 
…asskeys
@Gerbuuun
chore: rename passkey terms
e46e1ec
@atinux
chore: improvements
f4ba1c6
@atinux
up
2a3962c
@atinux
lint fix
a8dc0ee
@Gerbuuun
feat: use session to store challenge by default
4249310
@Gerbuuun
feat: base64 encode publicKey by default
3ae788d
@Gerbuuun
chore: types cleanup and typo fixes
6f24e68
@Gerbuuun
feat: improve example and documentation
812e1f0
@Gerbuuun
chore: proofread readme
0197284
@Gerbuuun
fix: typo
bc0769d
@Gerbuuun
docs: add frontend example
70a0f60
@ipanamski @atinux
docs: fix typo
f2b9b59 
Change useServerSession() to useUserSession()
@Barbapapazes @atinux @autofix-ci
refactor: request token
d8bf231 
* refactor: request token

* chore: fix import

* up

* up

* Merge branch 'main' into refactor/request-token

* [autofix.ci] apply automated fixes

* chore: fix types issue

* chore: lint

---------

Co-authored-by: Sébastien Chopin <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
@ahmedrangel @autofix-ci @atinux
feat: add tiktok provider
4e5d0f2 
* feat: add tiktok provider

* docs: add tiktok

* feat: add tiktok .env example

* chore: remove console logs

* [autofix.ci] apply automated fixes

* chore: remove unused authorizationParams

* chore: use new utils

* fix: extends from RequestAccesTokenBody interface

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Sep 25, 2024
edited
Loading

Open in Stackblitz

pnpm add https://pkg.pr.new/atinux/nuxt-auth-utils@149

commit: 616de6b

autofix-ci bot and others added 24 commits September 25, 2024 23:16
@autofix-ci
[autofix.ci] apply automated fixes
a77a7ca
@atinux
fix all types
bbf367c
@autofix-ci
[autofix.ci] apply automated fixes
84cfa0a
@atinux
chore: use logger
3c46d45
@autofix-ci
[autofix.ci] apply automated fixes
74ec35a
@atinux
Update autofix.yml
38b74cc
@atinux
rename to useWebAuthn
0b43a42
@autofix-ci
[autofix.ci] apply automated fixes
e117cf6
@atinux
update readme
d77b6c6
@autofix-ci
[autofix.ci] apply automated fixes
977470b
@Gerbuuun
feat: allow for extra data fields to be included in the registration …
1e9c628 
…body
@autofix-ci
[autofix.ci] apply automated fixes
63c4514
@Gerbuuun
fix: component name
652cdf4
@atinux
Update autofix.yml
f8f2dcd
@atinux
chore: update
309abd4
@atinux
up
09dafe4
@atinux
chore: fix types
56a7301
@atinux
add validateUser method
43ffd40
@atinux
chore: small update
32c2983
@atinux
add allowCredentials and improve validateUser
0ce4015
@atinux
lint
f500bf2
@Gerbuuun
feat: infer registration body and credential data
aa24feb
@Gerbuuun
chore: remove unnecessary generic param
f18c4e3
@atinux
chore: add demo
616de6b
@atinux atinux merged commit a90b173 into atinux:main Sep 30, 2024
4 checks passed
@sandros94
Copy link
Contributor

I was experimenting with this and I've noticed that regardless if registration's onSuccess returns an error or not (for example in storing user or credential information into the database) the device still stores the credential, potentially causing a soft-lock state.

Is this correct? Should I open up an issue?
(I'm only copy-pasting the code examples from this repo and from nuxt-todo-passkey's registration, while slightly, intentionally, breaking things like comment the db write operations)

@Gerbuuun
Copy link
Contributor Author

Yes, the credential creation was successful. That's why the onSuccess is called. If you then fail to properly store it, those credentials still exist. You have to manually remove them from your device or password manager.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Passkey integration