authcompanion2
How does Passkey Implementation work
Hey, I was trying to read the code (and learn Passkey).
I noticed in loginOptionsHandler this code to be there:
```js
export const loginOptionsHandler = async function (request, reply) {
  try {
    //set the RP's ID value
    const appURL = new URL(config.ORIGIN);
    const rpID = appURL.hostname;
    //set registration options
    const opts = {
      userVerification: "preferred",
      timeout: 60000,
      rpID,
    };
    //generate options
    const generatedOptions = await generateAuthenticationOptions(opts);
    //fetch cookies (we'll need session id. session id is set on page load in ui.routes.js)
    const cookies = parse(request.headers.cookie);
    //persist the challenge with the associated session id for the verification step in loginVerification.js
    await this.db.insert(this.storage).values({
      sessionID: cookies.sessionID,
      data: generatedOptions.challenge,
    });
    //send the reply
    return generatedOptions;
  } catch (err) {
    throw { statusCode: err.statusCode, message: err.message };
  }
};
```
Here it says the session id is set on page load in ui.routes.js.
If the session id is set in the login route, doesn't that make passkey redundant? Like, isn't passkey meant to be a replacement for login email and password?
Hi @RentfireFounder - yup you're completely right. The session_id, in this case, is only used temporarily to keep track of challenges generated by the passkey flow - it then gets discarded/deleted. So it's not really a session used for replacing passkey; it's just helping set up our passkey auth. Here's the guide I used for that specific implementation: https://simplewebauthn.dev/docs/advanced/passkeys#remembering-challenges
The whole doc is worth the read as you're learning passkeys: https://simplewebauthn.dev/docs/advanced/passkeys#introduction
@RentfireFounder let me know if I can help with anything else.
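The challenge bookkeeping discussed in this thread, as an added example that is not part of the thread or of authcompanion2's code: the pre-login session id only ties a one-time challenge to a browser, and the challenge is deleted when it is read. `ChallengeStore`, `verifyWithStoredChallenge`, `fakeVerify`, the TTL and the sample values are hypothetical; `fakeVerify` stands in for the library's signature verification.

```javascript
// Added example: in-memory stand-in for the storage table used by the handler.
// All names and values below are hypothetical and constructed for illustration.
const CHALLENGE_TTL_MS = 60000; // assumption: reuse the 60000 ms timeout from the options

class ChallengeStore {
  constructor(now = () => Date.now()) {
    this.rows = new Map(); // sessionID -> { challenge, expiresAt }
    this.now = now;
  }

  // Options step: remember the generated challenge for this browser.
  save(sessionID, challenge) {
    if (typeof sessionID !== "string" || sessionID.length === 0) {
      throw new Error("missing sessionID cookie");
    }
    this.rows.set(sessionID, { challenge, expiresAt: this.now() + CHALLENGE_TTL_MS });
  }

  // Verification step: return the challenge and delete it in the same call,
  // so it is usable at most once whether or not verification succeeds.
  take(sessionID) {
    const row = this.rows.get(sessionID);
    this.rows.delete(sessionID);
    if (!row || row.expiresAt <= this.now()) return null;
    return row.challenge;
  }
}

// verifyFn stands in for the call that checks the authenticator's signature
// against expectedChallenge. Holding a sessionID alone authenticates nothing.
function verifyWithStoredChallenge(store, sessionID, response, verifyFn) {
  const expectedChallenge = store.take(sessionID);
  if (expectedChallenge === null) return { verified: false, reason: "no-challenge" };
  const verified = verifyFn({ response, expectedChallenge }) === true;
  return { verified, reason: verified ? "ok" : "bad-response" };
}

// Constructed sample run: first use succeeds, a replay finds no challenge.
let clock = 0;
const store = new ChallengeStore(() => clock);
const fakeVerify = ({ response, expectedChallenge }) => response.challenge === expectedChallenge;
store.save("sess-A", "constructed-challenge-1");
const sample = { challenge: "constructed-challenge-1" };
const first = verifyWithStoredChallenge(store, "sess-A", sample, fakeVerify);
const replay = verifyWithStoredChallenge(store, "sess-A", sample, fakeVerify);
console.log(first, replay);
```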