utils.randomChallenge => server.randomChallenge

passwordless-id · Aug 7, 2024 · 78ad12f · 78ad12f
1 parent c72d17c
commit 78ad12f
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 20 deletions.
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -29,13 +29,16 @@ sequenceDiagram
 4. The server parses and verifies the authentication payload
 
 
-1️⃣ Requesting challenge
-------------------------
+1️⃣ Requesting a challenge from the server
+-----------------------------------------
 
-The challenge is basically a [nonce](https://en.wikipedia.org/wiki/nonce) to avoid replay attacks. It must be a byte array encoded as *base64url* string.
+The challenge is basically a [nonce](https://en.wikipedia.org/wiki/nonce) to avoid replay attacks.
+It must be a truly random and non-deterministic byte buffer encoded as *byte64url*.
 
-```
-const challenge = /* request it from server */
+```js
+import { server } from '@passwordless-id/webauthn'
+
+const challenge = server.randomChallenge()
 ```
 
 Remember it on the server side during a certain amount of time and "consume" it once used.

diff --git a/docs/demos/js/debugger.js b/docs/demos/js/debugger.js
@@ -7,7 +7,7 @@ const app = new Vue({
         registration: {
             options: {
                 user: "Arnaud",
-                challenge: webauthn.utils.randomChallenge(),
+                challenge: webauthn.server.randomChallenge(),
                 hints: [],
                 userVerification: 'preferred',
                 discoverable: 'preferred',
@@ -20,7 +20,7 @@ const app = new Vue({
         authentication: {
             credentialId: null,
             options: {
-                challenge: webauthn.utils.randomChallenge(),
+                challenge: webauthn.server.randomChallenge(),
                 hints: [],
                 authenticatorType: 'auto',
                 userVerification: 'required',

diff --git a/docs/demos/js/playground.js b/docs/demos/js/playground.js
@@ -28,7 +28,7 @@ const app = new Vue({
         registration: {
             options: {
                 user: "Arnaud",
-                challenge: webauthn.utils.randomChallenge(),
+                challenge: webauthn.server.randomChallenge(),
                 hints: [],
                 userVerification: 'preferred',
                 discoverable: 'preferred',
@@ -41,7 +41,7 @@ const app = new Vue({
         authentication: {
             credentialId: null,
             options: {
-                challenge: webauthn.utils.randomChallenge(),
+                challenge: webauthn.server.randomChallenge(),
                 hints: [],
                 authenticatorType: 'auto',
                 userVerification: 'required',

diff --git a/docs/registration.md b/docs/registration.md
@@ -22,17 +22,19 @@ sequenceDiagram
 ```
 
 
-1️⃣ Requesting the challenge from the server
--------------------------------------------
+1️⃣ Requesting a challenge from the server
+-----------------------------------------
 
 The challenge is basically a [nonce](https://en.wikipedia.org/wiki/nonce) to avoid replay attacks.
-This challenge should truly random and not deterministic.
+It must be a truly random and non-deterministic byte buffer encoded as *byte64url*.
 
-```
-const challenge = /* request it from server */
+```js
+import { server } from '@passwordless-id/webauthn'
+
+const challenge = server.randomChallenge()
 ```
 
-Remember the request on the server side during a certain amount of time and "consume" it once used.
+Remember the challenge on the server side during a certain amount of time and "consume" it once used.
 
 > There are two ways to deal with remembering the challenge. Either store it in a global cache containing all challenges, or by creating a (cookie based) session directly and storing it as part of the session data.
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@passwordless-id/webauthn",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "description": "A small wrapper around the webauthn protocol to make one's life easier.",
 
   "type": "module",

diff --git a/src/server.ts b/src/server.ts
@@ -3,6 +3,14 @@ import { parseAuthenticator, parseClient, toAuthenticationInfo } from "./parsers
 import { AuthenticationJSON, NamedAlgo, RegistrationJSON, RegistrationInfo, AuthenticationInfo, Base64URLString, CollectedClientData, UserInfo, CredentialInfo, AuthenticatorInfo, AuthenticatorParsed } from "./types";
 import * as utils from './utils'
 
+
+export async function randomChallenge() {
+    const buffer = crypto.getRandomValues(new Uint8Array(16)); // 128 bits
+    return utils.toBase64url(buffer);
+}
+
+
+
 async function isValid(validator :any, value :any) :Promise<boolean> {
    if(typeof validator === 'function') {
         const res = validator(value)

diff --git a/src/utils.ts b/src/utils.ts
@@ -4,10 +4,6 @@
 
 import { Base64URLString } from "./types"
 
-export function randomChallenge() {
-    return crypto.randomUUID()
-}
-
 
 export function toBuffer(txt :string) :ArrayBuffer {
     return Uint8Array.from(txt, c => c.charCodeAt(0)).buffer