npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@nomost/u2f-api

v1.0.7

Published

Promisified U2F API for browsers

Downloads

7,523

Readme

npm version build status

u2f-api

U2F API for browsers

History

  • 1.0.0
    • Support for custom promise libraries removed
    • Promises no longer cancellable

API

Support

U2F has for a long time been supported in Chrome, although not with the standard window.u2f methods, but through a built-in extension. Nowadays, browsers seem to use window.u2f to expose the functionality.

Supported browsers are:

  • Chrome, using Chrome-specific hacks
  • Opera, using Chrome-specific hacks
  • Firefox 58+, although not proper support for facets
    • multi-domain registrations will work differently from Chrome

Safari and other browsers still lack U2F support.

Since 0.1.0, this library supports the standard window.u2f methods.

The library should be complemented with server-side functionality, e.g. using the u2f package.

Basics

u2f-api exports two main functions and an error "enum". The main functions are register() and sign(), although since U2F isn't widely supported, the functions isSupported() as well as ensureSupport() helps you build applications which can use U2F only when the client supports it.

Check or ensure support

import { isSupported } from 'u2f-api'

isSupported(): Promise< Boolean > // Doesn't throw/reject
import { ensureSupport } from 'u2f-api'

ensureSupport(): Promise< void > // Throws/rejects if not supported

Register

import { register } from 'u2f-api'

register(
  registerRequests: RegisterRequest[],
  signRequests: SignRequest[], // optional
  timeout: number // optional
): Promise< RegisterResponse >

The registerRequests can be either a RegisterRequest or an array of such. The optional signRequests must be, unless ignored, an array of SignRequests. The optional timeout is in seconds, and will default to an implementation specific value, e.g. 30.

Sign

import { sign } from 'u2f-api'

sign(
  signRequests: SignRequest[],
  timeout: number // optional
): Promise< SignResponse >

The values and interpretation of the arguments are the same as with register( ).

Errors

register() and sign() can return rejected promises. The rejection error is an Error object with a metaData property containing code and type. The code is a numerical value describing the type of the error, and type is the name of the error, as defined by the ErrorCodes enum in the "FIDO U2F Javascript API" specification. They are:

OK = 0 // u2f-api will never throw errors with this code
OTHER_ERROR = 1
BAD_REQUEST = 2
CONFIGURATION_UNSUPPORTED = 3
DEVICE_INELIGIBLE = 4
TIMEOUT = 5

Usage

Loading the library

The library is promisified and will use the built-in native promises of the browser, ~~unless another promise library is injected~~ (deprecated since 1.0).

var u2fApi = require( 'u2f-api' ); // CommonJS
import u2fApi from 'u2f-api' // ES modules

Registering a passkey

With registerRequestsFromServer somehow received from the server, the client code becomes:

u2fApi.register( registerRequestsFromServer )
.then( sendRegisterResponseToServer )
.catch( ... );

Signing a passkey

With signRequestsFromServer also received from the server somehow:

u2fApi.sign( signRequestsFromServer )
.then( sendSignResponseToServer )
.catch( ... );

Example with checks for client support

u2fApi.isSupported( )
.then( function( supported ) {
	if ( supported )
	{
		return u2fApi.sign( signRequestsFromServer )
		.then( sendSignResponseToServer );
	}
	else
	{
		... // Other authentication method
	}
} )
.catch( ... );

Example implementation

U2F is a challenge-response protocol. The server sends a challenge to the client, which responds with a response.

This library is intended to be used in the client (the browser). There is another package intended for server-side: https://www.npmjs.com/package/u2f

Common problems

If you get BAD_REQUEST, the most common situations are that you either don't use https (which you must), or that the AppID doesn't match the server URI. In fact, the AppID must be exactly the base URI to your server (such as https://your-server.com), including the port if it isn't 443.

For more information, please see https://developers.yubico.com/U2F/Libraries/Client_error_codes.html and https://developers.yubico.com/U2F/App_ID.html