README
This library handles Web Authentication for Node.js applications that wish to implement a passwordless solution for users.
It’s implemented as bindings to the Duo Labs Go WebAuthn library, which has been compiled to Web Assembly. It was inspired by go-webauthn-js but uses Go’s built-in Web Assembly compiler instead of GopherJS.
API documentation is available here.
Example
Here’s an example program which uses WebAuthn4JS to register and authenticate users. It uses Fastify to run a Web server with handlers to allow users to register and login.
A corresponding Web page uses the Web Authentication browser API to interact with the user’s authenticator, such as a FIDO2 token, and then makes requests to the server.
The example is modelled after this example of the Duo Labs library.
Server-side
Users are stored in memory so have to re-register when the server is restarted. In a real implementation, you’d store users in a database.
I’ll describe the example bit-by-bit below. You can also find it in test/example/example.mjs. Run it using:
node test/example/example.mjs
Setup
example.mjs.
import fs from 'fs';
import { join, dirname } from 'path';
import { fileURLToPath } from 'url';
import mod_fastify from 'fastify';
import fastify_static from 'fastify-static';
import { make_secret_session_data, verify_secret_session_data } from './session.mjs';
import * as schemas from './schemas.mjs';
import makeWebAuthn from 'webauthn4js';
const readFile = fs.promises.readFile;
First the imports. Notice that ``webauthn4js```'s default export is a factory function which will let us make an object to handle Web Authentication registration and login.
const port = 3000;
const __dirname = dirname(fileURLToPath(import.meta.url));
Here we define the port number that the server will listen on and find the directory on the filesystem that we’re running from.
const users = new Map();
The users are kept in memory, indexed by their username.
class ErrorWithStatus extends Error {
constructor(message, statusCode) {
super(message);
this.statusCode = statusCode;
}
}
Fastify uses statusCode properties on thrown Error objects to return
HTTP status codes to the browser. This is just a convenience class.
const keys_dir = join(__dirname, '..', 'keys');
const fastify = mod_fastify({
logger: true,
https: {
key: await readFile(join(keys_dir, 'server.key')),
cert: await readFile(join(keys_dir, 'server.crt'))
}
});
fastify.register(fastify_static, {
root: join(__dirname, '..', 'fixtures'),
index: 'example.html'
});
Here we configure Fastify to serve over HTTPS the Web page users will use to interact with their authenticators.
const webAuthn = await makeWebAuthn({
RPDisplayName: 'WebAuthnJS',
RPID: 'localhost',
RPOrigin: `https://localhost:${port}`,
RPIcon: `https://localhost:${port}/logo.png`,
AuthenticatorSelection: {
userVerification: 'preferred'
}
});
Now we make our
WebAuthn4JS
object which will handle registration and login. Note this example
assumes it’s running on localhost.
Registration
async function register(fastify) {
fastify.get('/:username', {
schema: schemas.register.get
}, async request => {
let user = users.get(request.params.username);
if (!user) {
user = {
id: `user${users.size}`,
name: request.params.username,
displayName: request.params.username.split('@')[0],
iconURL: '',
credentials: []
};
users.set(request.params.username, user);
}
We set up a GET handler to start the registration of a new credential (public key) for a user. Note in this example we don’t verify user name belongs to the requester. In a real application we might perform email verification or generate unguessable user names, for example.
We generate a unique ID and maintain a list of credentials for each user
and store this information in the users Map.
const excludeCredentials = user.credentials.map(c => ({
type: 'public-key',
id: c.ID
}));
This is a list of credentials that the user shouldn’t use for registering with this server. We specify here that the browser shouldn’t use any credential that the user has already registerd.
const { options, sessionData } = await webAuthn.beginRegistration(
user,
cco => {
cco.excludeCredentials = excludeCredentials;
return cco;
});
Now we begin registration, calling
beginRegistration
and passing in the user and the excluded (existing) credentials.
return {
options,
session_data: await make_secret_session_data(
request.params.username, 'registration', sessionData)
};
});
Once registration has started, we need to return data to the browser so
it can ask the user to register using their authenticator. We return the
options that WebAuthn4JS generates for the browser’s
navigator.credentials.create()
call, along with session data that WebAuthn4JS will check when the
browser makes its PUT request to complete registration. Note we sign and
encrypt this data to ensure it won’t be tampered with.
fastify.put('/:username', {
schema: schemas.register.put
}, async (request, reply) => {
const user = users.get(request.params.username);
if (!user) {
throw new ErrorWithStatus('no user', 404);
}
We set up a PUT handler to complete a registration previously started with a GET request for the same user. If the user doesn’t exist then registration wasn’t started and a 404 error is returned.
const session_data = await verify_secret_session_data(
request.params.username, 'registration', request.body.session_data);
First we verify the session data to ensure it hasn’t been tampered with.
let credential;
try {
credential = await webAuthn.finishRegistration(
user, session_data, request.body.ccr);
} catch (ex) {
ex.statusCode = 400;
throw ex;
}
Then we complete the registration process, calling
finishRegistration
and receiving a
Credential
object. Note the credential isn’t yet associated with a user.
for (const u of users.values()) {
if (u.credentials.find(c => c.ID === credential.ID)) {
throw new ErrorWithStatus('credential in use', 409);
}
}
If the credential is in use by any user already, this is an error.
user.credentials.push(credential);
reply.code(204);
});
}
Finally for registration, we associate the credential with the requested user.
Login
async function login(fastify) {
fastify.get('/:username', {
schema: schemas.login.get
}, async request => {
const user = users.get(request.params.username);
if (!user) {
throw new ErrorWithStatus('no user', 404);
}
const { options, sessionData } = await webAuthn.beginLogin(user);
return {
options,
session_data: await make_secret_session_data(
request.params.username, 'login', sessionData)
};
});
Login’s GET handler first checks the user exists and then calls
beginLogin,
passing in the user object. We then return to the browser the options
for
navigator.credentials.get()
and signed and encrypted session data.
fastify.post('/:username', {
schema: schemas.login.post
}, async (request, reply) => {
const user = users.get(request.params.username);
if (!user) {
throw new ErrorWithStatus('no user', 404);
}
const session_data = await verify_secret_session_data(
request.params.username, 'login', request.body.session_data);
Login’s POST handler checks the user exists and verifies the session data it received from the browser.
let credential;
try {
credential = await webAuthn.finishLogin(
user, session_data, request.body.car);
} catch (ex) {
ex.statusCode = 400;
throw ex;
}
It then completes the login process by calling
finishLogin,
passing in the user object, session data and authentication request it
received from the browser (i.e. the result of
navigator.credentials.get()).
if (credential.Authenticator.CloneWarning) {
throw new ErrorWithStatus('credential appears to be cloned', 403);
}
const user_cred = user.credentials.find(c => c.ID === credential.ID);
if (!user_cred) {
// Should have been checked already in Go by webAuthn.finishLogin
throw new ErrorWithStatus('no credential', 500);
}
Here we do a couple of checks on the credential used for login:
The credential hasn’t been cloned, i.e. we received a duplicate login request from the same authenticator. This is actually checked by the underlying Go WebAuthn library.
The credential belongs to the requested user. Again, this should have already been checked in Go.
user_cred.Authenticator.SignCount = credential.Authenticator.SignCount;
reply.code(204);
});
}
Finally for login, we have to update the SignCount for the credential
in the user’s credentials list. This enables the Go library to check for
duplicate requests.
fastify.register(register, {
prefix: '/register/'
});
fastify.register(login, {
prefix: '/login/'
});
await fastify.listen(port);
console.log(`Please visit https://localhost:${port}`);
The server-side code ends by registering our handlers with Fastify and then listening for requests.
Browser-side
You can find the browser files in the test/fixtures directory.
It’s driven by the following HTML file, which is served when you connect to the server.
example.html.
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>WebAuthn Demo</title>
<script src="example.js"></script>
</head>
<body>
<p>
<label for="email">Username:</label>
<input type="text" name="username" id="email" placeholder="e.g. foo@bar.com">
</p>
<p>
<button onclick="registerUser()">Register</button>
<button onclick="loginUser()">Login</button>
</p>
</body>
</html>
The code for registerUser() and loginUser() is contained in
test/fixtures/example.js, which I’ll
describe now.
example.js.
// Base64 to ArrayBuffer
function bufferDecode(value) {
return Uint8Array.from(atob(value), c => c.charCodeAt(0));
}
// ArrayBuffer to URLBase64
function bufferEncode(value) {
return btoa(String.fromCharCode.apply(null, new Uint8Array(value)))
.replace(/\+/g, "-")
.replace(/\//g, "_")
.replace(/=/g, "");
}
First some functions to decode data we receive from the server and encode data we send to the server. WebAuthn4JS (and the Go library) expect data to be base64 encoded.
async function registerUser() { // eslint-disable-line no-unused-vars
const username = document.getElementById('email').value;
try {
const get_response = await fetch(`/register/${username}`);
if (!get_response.ok) {
throw new Error(`Registration GET failed with ${get_response.status}`);
}
const { options, session_data } = await get_response.json();
To register, we first make a GET request to the server in order to get
the options we should pass to navigator.credentials.create().
const { publicKey } = options;
publicKey.challenge = bufferDecode(publicKey.challenge);
publicKey.user.id = bufferDecode(publicKey.user.id);
if (publicKey.excludeCredentials) {
for (const c of publicKey.excludeCredentials) {
c.id = bufferDecode(c.id);
}
}
Then we decode the options that are base64 encoded.
const credential = await navigator.credentials.create(options);
const { id, rawId, type, response: cred_response } = credential;
const { attestationObject, clientDataJSON } = cred_response;
Now we can call navigator.credentials.create(). The browser will ask
the user to interact with their authenticator to sign the challenge that
the server sent in the options.
const put_response = await fetch(`/register/${username}`, {
method: 'PUT',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
ccr: {
id,
rawId: bufferEncode(rawId),
type,
response: {
attestationObject: bufferEncode(attestationObject),
clientDataJSON: bufferEncode(clientDataJSON)
}
},
session_data
})
});
if (!put_response.ok) {
throw new Error(`Registration PUT failed with ${put_response.status}`);
}
} catch (ex) {
console.error(ex);
return alert(`Failed to register ${username}`);
}
alert(`Successfully registered ${username}`);
}
To complete registration, we make a PUT request to the server with the
result from navigator.credentials.create(), base64 encoding as
necessary.
async function loginUser() { // eslint-disable-line no-unused-vars
const username = document.getElementById('email').value;
try {
const get_response = await fetch(`/login/${username}`);
if (!get_response.ok) {
throw new Error(`Login GET failed with ${get_response.status}`);
}
To login, we first make a GET request to the server in order to get the
options we should pass to navigator.credentials.get().
const { options, session_data } = await get_response.json();
const { publicKey } = options;
publicKey.challenge = bufferDecode(publicKey.challenge);
for (const c of publicKey.allowCredentials) {
c.id = bufferDecode(c.id);
}
Then we decode the options that are base64 encoded.
const assertion = await navigator.credentials.get(options);
const { id, rawId, type, response: assertion_response } = assertion;
const { authenticatorData, clientDataJSON, signature, userHandle } = assertion_response;
Now we can call navigator.credentials.get(). The browser will ask the
user to interact with their authenticator to sign the challenge that the
server sent in the options.
const post_response = await fetch(`/login/${username}`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
car: {
id,
rawId: bufferEncode(rawId),
type,
response: {
authenticatorData: bufferEncode(authenticatorData),
clientDataJSON: bufferEncode(clientDataJSON),
signature: bufferEncode(signature),
userHandle: bufferEncode(userHandle)
}
},
session_data
})
});
if (!post_response.ok) {
throw new Error(`Login POST failed with ${post_response.status}`);
}
} catch (ex) {
console.error(ex);
return alert(`Failed to log in ${username}`);
}
alert(`Successfully logged in ${username}`);
}
To complete login, we make a POST request to the server with the result
from navigator.credentials.get(), base 64 encoding as necessary.
Typescript
Typescript definitions can be found in index.d.ts and typescript/webauthn.d.ts. The latter is automatically generated from the Duo Labs Go WebAuthn library using jsonschema and json-schema-to-typescript.
A Typescript version of the example can be found in typescript/example.ts.
Installation
npm install webauthn4js
Licence
The licence for WebAuthn4JS is here.
The licence for Duo Labs Go WebAuthn library is here.
I’ve also modified
wasm_exec.js
from Go’s distribution. I’ve included the original
here and Go’s licence here.
The modified version is here.
Test
grunt test
Coverage
grunt coverage
c8 results are available here.
Coveralls page is here.
Lint
grunt lint