Commit
Added 'discoverable' attribute (see #34)
dagnelies committed Oct 4, 2023
1 parent 2687022 commit 6001112
Showing 9 changed files with 44 additions and 18 deletions.
21 changes: 16 additions & 5 deletions README.md
Expand Up @@ -360,8 +360,8 @@ Unlike the [WebAuthn protocol](https://w3c.github.io/webauthn/), some defaults a
- The `username` is used for both the protocol level user "name" and "displayName"


Options
-------
Common options
--------------

The following options are available for both `register` and `authenticate`.

Expand All @@ -372,10 +372,21 @@ The following options are available for both `register` and `authenticate`.
- `'local'`: use the local device (using TouchID, FaceID, Windows Hello or PIN)
- `'roaming'`: use a roaming device (security key or connected phone)
- `'both'`: prompt the user to choose between local or roaming device. The UI and user interaction in this case is platform specific.
- `attestation`: (Only for registration) If enabled, the device attestation and clientData will be provided as base64 encoded binary data. Note that this is not available on some platforms. *(Default: false)*
- `debug`: If enabled, parses the "data" objects and provide it in a "debug" properties.
- `userHandle`: (Only for registration) The `userHandle` can be used to re-register credentials for an existing user, thus overriding the current the key pair and username for that `userHandle`. *The default here is based on a hash of the `username`, and thus has some security implications as described in [issue](https://github.com/passwordless-id/webauthn/issues/29). For optimal security and privacy, it is recommended to set the `userHandle` to a random 64 bytes value.*
- `mediation`: (Only for authentication) See https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get#mediation


Registration options
--------------------

- `discoverable`: (`'discouraged'`, `'preferred'` or `'required'`) If the credential is "discoverable", it can be selected using `authenticate` without providing credential IDs. In that case, a native pop-up will appear for user selection. This may have an impact on the "passkeys" user experience and syncing behavior of the key. *(Default: 'preferred')*
- `attestation`: If enabled, the device attestation and clientData will be provided as base64 encoded binary data. Note that this is not available on some platforms. *(Default: false)*
- `userHandle`: The `userHandle` can be used to re-register credentials for an existing user, thus overriding the current the key pair and username for that `userHandle`. *The default here is based on a hash of the `username`, and thus has some security implications as described in [issue](https://github.com/passwordless-id/webauthn/issues/29). For optimal security and privacy, it is recommended to set the `userHandle` to a random 64 bytes value.*


Authentication options
----------------------

- `mediation`: See https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get#mediation


Parsing data
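Review bot: the new `userHandle` entry under "Registration options" carries over the typo from the line it replaces, "overriding the current the key pair" (drop the second "the"), and the `attestation` entry says "base64 encoded" while the JSDoc for the same option in src/client.ts says "Base64url encoded"; settle on one name for the encoding in both places. The section this hunk extends opens with "some defaults are different" from the WebAuthn protocol, and `discoverable` now defaults to `'preferred'` where the code comment in src/client.ts notes the official default is `'discouraged'`, so that non-standard default belongs in that list as well. While touching this block, the unchanged `debug` line reads "parses the "data" objects and provide it in a "debug" properties"; "provides it in a "debug" property" would fix the grammar.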
1 change: 1 addition & 0 deletions demos/js/playground.js
Expand Up @@ -10,6 +10,7 @@ import {client, server, parsers, utils} from '../../dist/webauthn.min.js'
options: {
authenticatorType: 'auto',
userVerification: 'required',
discoverable: 'preferred',
timeout: 60000,
attestation: false,
},
19 changes: 14 additions & 5 deletions demos/playground.html
Expand Up @@ -53,11 +53,6 @@ <h2 class="title">Registration</h2>
<div class="hint">Which device to use as authenticator.</div>
</b-field>

<b-field label="Timeout" horizontal>
<b-input v-model="registration.options.timeout" placeholder="60000" expanded></b-input>
<div class="hint">Number of milliseconds the user has to respond to the biometric/PIN check.</div>
</b-field>

<b-field label="userVerification" horizontal>
<b-select v-model="registration.options.userVerification" expanded>
<option>required</option>
Expand All @@ -66,6 +61,20 @@ <h2 class="title">Registration</h2>
</b-select>
<div class="hint">Whether a biometric/PIN check is required or not. This filters out security keys not having this capability.</div>
</b-field>

<b-field label="discoverable" horizontal>
<b-select v-model="registration.options.discoverable" expanded>
<option>required</option>
<option>preferred</option>
<option>discouraged</option>
</b-select>
<div class="hint">A "discoverable" credential can be selected using `authenticate` without providing credential IDs. Instead, a native pop-up will appear for user selection. This may have an impact on the "passkeys" user experience and syncing behavior of the key.</div>
</b-field>

<b-field label="Timeout" horizontal>
<b-input v-model="registration.options.timeout" placeholder="60000" expanded></b-input>
<div class="hint">Number of milliseconds the user has to respond to the biometric/PIN check.</div>
</b-field>

<b-field label="debug" horizontal>
<b-checkbox v-model="registration.options.debug" expanded></b-checkbox>
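Review bot: the hint text in the new `discoverable` field wraps `authenticate` in backticks, which render literally inside a `<div>`; the neighbouring hints use plain text, so either drop the backticks or use `<code>authenticate</code>`. The `<option>` order here (required, preferred, discouraged) is the reverse of the README's (`'discouraged'`, `'preferred'`, `'required'`); listing them the same way keeps the demo and the docs consistent, and the options need no `value` attribute since the text content already matches the strings src/client.ts passes through to `residentKey`.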
2 changes: 1 addition & 1 deletion dist/webauthn.min.js


4 changes: 2 additions & 2 deletions dist/webauthn.min.js.map


4 changes: 2 additions & 2 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "@passwordless-id/webauthn",
"version": "1.2.6",
"version": "1.3.0",
"description": "A small wrapper around the webauthn protocol to make one's life easier.",
"type": "module",
"main": "dist/esm/index.js",
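Review bot: the bump from 1.2.6 to 1.3.0 fits an additive option, but src/client.ts in this same commit also changes `attestation` from a hard-coded `"direct"` to `options.attestation ? "direct" : "none"`, which alters what existing callers receive when they leave `attestation` at its documented default of `false`; mention that behaviour change in the release notes so users who relied on attestation data always being requested are not surprised.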
8 changes: 6 additions & 2 deletions src/client.ts
Expand Up @@ -65,8 +65,10 @@ function getAlgoName(num :NumAlgo) :NamedAlgo {
* 'local': use the local device (using TouchID, FaceID, Windows Hello or PIN)
* 'roaming': use a roaming device (security key or connected phone)
* 'both': prompt the user to choose between local or roaming device. The UI and user interaction in this case is platform specific.
* @param {boolean} [attestation=false] If enabled, the device attestation and clientData will be provided as Base64url encoded binary data.
* @param {boolean} [options.attestation=false] If enabled, the device attestation and clientData will be provided as Base64url encoded binary data.
* Note that this is not available on some platforms.
* @param {'discouraged'|'preferred'|'required'} [options.discoverable] If the credential is "discoverable", it can be selected using `authenticate` without providing credential IDs.
* A native pop-up will appear for user selection. This may have an impact on "passkeys" user experience and syncing behavior.
*/
export async function register(username :string, challenge :string, options? :RegisterOptions) :Promise<RegistrationEncoded> {
options = options ?? {}
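Review bot: the JSDoc for `options.discoverable` gives no default, while the request body further down sets `residentKey: options.discoverable ?? 'preferred'` and the README states *(Default: 'preferred')*; write it as `[options.discoverable='preferred']` to match the `[options.attestation=false]` form on the line above. Correcting `[attestation=false]` to `[options.attestation=false]` is a good catch, since the parameter is a property of `options`, not a top-level argument.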
Expand All @@ -93,8 +95,10 @@ export async function register(username :string, challenge :string, options? :Re
authenticatorSelection: {
userVerification: options.userVerification ?? "required", // Webauthn default is "preferred"
authenticatorAttachment: await getAuthAttachment(options.authenticatorType ?? "auto"),
residentKey: options.discoverable ?? 'preferred', // official default is 'discouraged'
requireResidentKey: (options.discoverable === 'required') // mainly for backwards compatibility, see https://www.w3.org/TR/webauthn/#dictionary-authenticatorSelection
},
attestation: "direct" // options.attestation ? "direct" : "none"
attestation: options.attestation ? "direct" : "none"
}

if(options.debug)
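Review bot: the `attestation` line is a behaviour change outside the commit's stated scope: the previous code always sent `"direct"` (the conditional only lived in a trailing comment), whereas now `attestation: false`, the documented default, sends `"none"`, so attestation data is no longer requested unless the caller asks for it. That is the right default, but it deserves its own line in the commit message or changelog. `requireResidentKey: (options.discoverable === 'required')` correctly mirrors `residentKey` for clients that only understand the older boolean, as the linked spec section describes; the comment on `residentKey` noting the official `'discouraged'` default should also be reflected in the README's list of defaults that differ from WebAuthn.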
1 change: 1 addition & 0 deletions src/types.ts
Expand Up @@ -40,6 +40,7 @@ export interface AuthenticationParsed {
export interface RegisterOptions extends CommonOptions {
userHandle?: string
attestation?: boolean
discoverable?: ResidentKeyRequirement
}


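Review bot: `ResidentKeyRequirement` is the DOM lib union `'discouraged' | 'preferred' | 'required'`, so the field type agrees with the literal union spelled out in the JSDoc in src/client.ts. The field is optional here but resolves to `'preferred'` in `register`, which neither the interface nor the field carries a comment for; a one-line doc comment stating that default would save readers a trip to client.ts.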
