npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

webauthn4js

v3.0.0

Published

Node.js bindings to WebAuthn Go/Wasm library

Downloads

1,694

Readme

This library handles Web Authentication for Node.js applications that wish to implement a passwordless solution for users.

It’s implemented as bindings to the Go WebAuthn library, which has been compiled to Web Assembly. It was inspired by go-webauthn-js but uses Go’s built-in Web Assembly compiler instead of GopherJS.

API documentation is available here.

Example

Here’s an example program which uses WebAuthn4JS to register and authenticate users. It uses Fastify to run a Web server with handlers to allow users to register and login.

A corresponding Web page uses the Web Authentication browser API to interact with the user’s authenticator, such as a FIDO2 token, and then makes requests to the server.

The example is modelled after this example of the Go WebAuthn library.

Server-side

Users are stored in memory so have to re-register when the server is restarted. In a real implementation, you’d store users in a database.

I’ll describe the example bit-by-bit below. You can also find it in test/example/example.mjs. Run it using:

node test/example/example.mjs

Setup

example.mjs

import fs from 'fs';
import { join, dirname } from 'path';
import { fileURLToPath } from 'url';
import mod_fastify from 'fastify';
import fastify_static from 'fastify-static';
import { make_secret_session_data, verify_secret_session_data } from './session.mjs';
import * as schemas from './schemas.mjs';
import makeWebAuthn from 'webauthn4js';
const readFile = fs.promises.readFile;

First the imports. Notice that ``webauthn4js```'s default export is a factory function which will let us make an object to handle Web Authentication registration and login.

const port = 3000;
const __dirname = dirname(fileURLToPath(import.meta.url));

Here we define the port number that the server will listen on and find the directory on the filesystem that we’re running from.

const users = new Map();

The users are kept in memory, indexed by their username.

class ErrorWithStatus extends Error {
    constructor(message, statusCode) {
        super(message);
        this.statusCode = statusCode;
    }
}

Fastify uses statusCode properties on thrown Error objects to return HTTP status codes to the browser. This is just a convenience class.

const keys_dir = join(__dirname, '..', 'keys');

const fastify = mod_fastify({
    logger: true,
    https: {
        key: await readFile(join(keys_dir, 'server.key')),
        cert: await readFile(join(keys_dir, 'server.crt'))
    }
});

fastify.register(fastify_static, {
    root: join(__dirname, '..', 'fixtures'),
    index: 'example.html'
});

Here we configure Fastify to serve over HTTPS the Web page users will use to interact with their authenticators.

const webAuthn = await makeWebAuthn({
    RPDisplayName: 'WebAuthnJS',
    RPID: 'localhost',
    RPOrigins: [`https://localhost:${port}`],
    AuthenticatorSelection: {
        userVerification: 'preferred'
    }
});

Now we make our WebAuthn4JS object which will handle registration and login. Note this example assumes it’s running on localhost.

Registration

async function register(fastify) {
    fastify.get('/:username', {
        schema: schemas.register.get
    }, async request => {
        let user = users.get(request.params.username);
        if (!user) {
            user = {
                id: `user${users.size}`,
                name: request.params.username,
                displayName: request.params.username.split('@')[0],
                iconURL: '',
                credentials: []
            };
            users.set(request.params.username, user);
        }

We set up a GET handler to start the registration of a new credential (public key) for a user. Note in this example we don’t verify user name belongs to the requester. In a real application we might perform email verification or generate unguessable user names, for example.

We generate a unique ID and maintain a list of credentials for each user and store this information in the users Map.

        const excludeCredentials = user.credentials.map(c => ({
            type: 'public-key',
            id: c.id
        }));

This is a list of credentials that the user shouldn’t use for registering with this server. We specify here that the browser shouldn’t use any credential that the user has already registerd.

        const { options, sessionData } = await webAuthn.beginRegistration(
            user,
            cco => {
                cco.excludeCredentials = excludeCredentials;
                return cco;
            });

Now we begin registration, calling beginRegistration and passing in the user and the excluded (existing) credentials.

        return {
            options,
            session_data: await make_secret_session_data(
                request.params.username, 'registration', sessionData)
        };
    });

Once registration has started, we need to return data to the browser so it can ask the user to register using their authenticator. We return the options that WebAuthn4JS generates for the browser’s navigator.credentials.create() call, along with session data that WebAuthn4JS will check when the browser makes its PUT request to complete registration. Note we sign and encrypt this data to ensure it won’t be tampered with.

    fastify.put('/:username', {
        schema: schemas.register.put
    }, async (request, reply) => {
        const user = users.get(request.params.username);
        if (!user) {
            throw new ErrorWithStatus('no user', 404);
        }

We set up a PUT handler to complete a registration previously started with a GET request for the same user. If the user doesn’t exist then registration wasn’t started and a 404 error is returned.

        const session_data = await verify_secret_session_data(
            request.params.username, 'registration', request.body.session_data);

First we verify the session data to ensure it hasn’t been tampered with.

        let credential;
        try {
            credential = await webAuthn.finishRegistration(
                user, session_data, request.body.ccr);
        } catch (ex) {
            ex.statusCode = 400;
            throw ex;
        }

Then we complete the registration process, calling finishRegistration and receiving a Credential object. Note the credential isn’t yet associated with a user.

        for (const u of users.values()) {
            if (u.credentials.find(c => c.id === credential.id)) {
                throw new ErrorWithStatus('credential in use', 409);
            }
        }

If the credential is in use by any user already, this is an error.

        user.credentials.push(credential);
        reply.code(204);
    });
}

Finally for registration, we associate the credential with the requested user.

Login

async function login(fastify) {
    fastify.get('/:username', {
        schema: schemas.login.get
    }, async request => {
        const user = users.get(request.params.username);
        if (!user) {
            throw new ErrorWithStatus('no user', 404);
        }
        const { options, sessionData } = await webAuthn.beginLogin(user);
        return {
            options,
            session_data: await make_secret_session_data(
                request.params.username, 'login', sessionData)
        };
    });

Login’s GET handler first checks the user exists and then calls beginLogin, passing in the user object. We then return to the browser the options for navigator.credentials.get() and signed and encrypted session data.

    fastify.post('/:username', {
        schema: schemas.login.post
    }, async (request, reply) => {
        const user = users.get(request.params.username);
        if (!user) {
            throw new ErrorWithStatus('no user', 404);
        }
        const session_data = await verify_secret_session_data(
            request.params.username, 'login', request.body.session_data);

Login’s POST handler checks the user exists and verifies the session data it received from the browser.

        let credential;
        try {
            credential = await webAuthn.finishLogin(
                user, session_data, request.body.car);
        } catch (ex) {
            ex.statusCode = 400;
            throw ex;
        }

It then completes the login process by calling finishLogin, passing in the user object, session data and authentication request it received from the browser (i.e. the result of navigator.credentials.get()).

        if (credential.authenticator.cloneWarning) {
            throw new ErrorWithStatus('credential appears to be cloned', 403);
        }
        const user_cred = user.credentials.find(c => c.id === credential.id);
        if (!user_cred) {
            // Should have been checked already in Go by webAuthn.finishLogin
            throw new ErrorWithStatus('no credential', 500);
        }

Here we do a couple of checks on the credential used for login:

  • The credential hasn’t been cloned, i.e. we received a duplicate login request from the same authenticator. This is actually checked by the underlying Go WebAuthn library.

  • The credential belongs to the requested user. Again, this should have already been checked in Go.

        user_cred.authenticator.signCount = credential.authenticator.signCount;
        reply.code(204);
    });
}

Finally for login, we have to update the signCount for the credential in the user’s credentials list. This enables the Go library to check for duplicate requests.

fastify.register(register, {
    prefix: '/register/'
});

fastify.register(login, {
    prefix: '/login/'
});

await fastify.listen(port);

console.log(`Please visit https://localhost:${port}`);

The server-side code ends by registering our handlers with Fastify and then listening for requests.

Browser-side

You can find the browser files in the test/fixtures directory.

It’s driven by the following HTML file, which is served when you connect to the server.

example.html

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>WebAuthn Demo</title>
    <script src="example.js"></script>
  </head>
  <body>
    <p>
      <label for="email">Username:</label>
      <input type="text" name="username" id="email" placeholder="e.g. [email protected]">
    </p>
    <p>
      <button onclick="registerUser()">Register</button>
      <button onclick="loginUser()">Login</button>
    </p>
  </body>
</html>

The code for registerUser() and loginUser() is contained in test/fixtures/example.js, which I’ll describe now.

example.js

// URLBase64 to ArrayBuffer
function bufferDecode(value) {
    return Uint8Array.from(atob(value
        .replace(/-/g, "+")
        .replace(/_/g, "/")), c => c.charCodeAt(0));
}

// ArrayBuffer to URLBase64
function bufferEncode(value) {
    return btoa(String.fromCharCode.apply(null, new Uint8Array(value)))
        .replace(/\+/g, "-")
        .replace(/\//g, "_")
        .replace(/=/g, "");
}

First some functions to decode data we receive from the server and encode data we send to the server. WebAuthn4JS (and the Go library) expect data to be base64 encoded.

async function registerUser() { // eslint-disable-line no-unused-vars
    const username = document.getElementById('email').value;
    try {
        const get_response = await fetch(`/register/${username}`);
        if (!get_response.ok) {
            throw new Error(`Registration GET failed with ${get_response.status}`);
        }
        const { options, session_data } = await get_response.json();

To register, we first make a GET request to the server in order to get the options we should pass to navigator.credentials.create().

        const { publicKey } = options;
        publicKey.challenge = bufferDecode(publicKey.challenge);
        publicKey.user.id = bufferDecode(publicKey.user.id);
        if (publicKey.excludeCredentials) {
            for (const c of publicKey.excludeCredentials) {
                c.id = bufferDecode(c.id);
            }
        }

Then we decode the options that are base64 encoded.

        const credential = await navigator.credentials.create(options);
        const { id, rawId, type, response: cred_response } = credential;
        const { attestationObject, clientDataJSON } = cred_response;

Now we can call navigator.credentials.create(). The browser will ask the user to interact with their authenticator to sign the challenge that the server sent in the options.

        const put_response = await fetch(`/register/${username}`, {
            method: 'PUT',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify({
                ccr: {
                    id,
                    rawId: bufferEncode(rawId),
                    type,
                    response: {
                        attestationObject: bufferEncode(attestationObject),
                        clientDataJSON: bufferEncode(clientDataJSON)
                    }
                },
                session_data
            })
        });
        if (!put_response.ok) {
            throw new Error(`Registration PUT failed with ${put_response.status}`);
        }
    } catch (ex) {
        console.error(ex);
        return alert(`Failed to register ${username}`);
    }
    alert(`Successfully registered ${username}`);
}

To complete registration, we make a PUT request to the server with the result from navigator.credentials.create(), base64 encoding as necessary.

async function loginUser() { // eslint-disable-line no-unused-vars
    const username = document.getElementById('email').value;
    try {
        const get_response = await fetch(`/login/${username}`);
        if (!get_response.ok) {
            throw new Error(`Login GET failed with ${get_response.status}`);
        }

To login, we first make a GET request to the server in order to get the options we should pass to navigator.credentials.get().

        const { options, session_data } = await get_response.json();
        const { publicKey } = options;
        publicKey.challenge = bufferDecode(publicKey.challenge);
        for (const c of publicKey.allowCredentials) {
            c.id = bufferDecode(c.id);
        }

Then we decode the options that are base64 encoded.

        const assertion = await navigator.credentials.get(options);
        const { id, rawId, type, response: assertion_response } = assertion;
        const { authenticatorData, clientDataJSON, signature, userHandle } = assertion_response;

Now we can call navigator.credentials.get(). The browser will ask the user to interact with their authenticator to sign the challenge that the server sent in the options.

        const post_response = await fetch(`/login/${username}`, {
            method: 'POST',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify({
                car: {
                    id,
                    rawId: bufferEncode(rawId),
                    type,
                    response: {
                        authenticatorData: bufferEncode(authenticatorData),
                        clientDataJSON: bufferEncode(clientDataJSON),
                        signature: bufferEncode(signature),
                        userHandle: bufferEncode(userHandle)
                    }
                },
                session_data
            })
        });
        if (!post_response.ok) {
            throw new Error(`Login POST failed with ${post_response.status}`);
        }
    } catch (ex) {
        console.error(ex);
        return alert(`Failed to log in ${username}`);
    }
    alert(`Successfully logged in ${username}`);
}

To complete login, we make a POST request to the server with the result from navigator.credentials.get(), base 64 encoding as necessary.

Typescript

Typescript definitions can be found in index.d.ts and typescript/webauthn.d.ts. The latter is automatically generated from the Go WebAuthn library using json-schema-to-zod and zod-to-ts.

A Typescript version of the example can be found in typescript/example.ts.

Installation

npm install webauthn4js

Licence

The licence for WebAuthn4JS is here.

The licence for the Go WebAuthn library is here.

I’ve also modified wasm_exec.js from Go’s distribution. I’ve included the original here and Go’s licence here. The modified version is here.

Test

grunt test

Coverage

grunt coverage

c8 results are available here.

Coveralls page is here.

Lint

grunt lint