WebAuthn
@Mikearaya This draft is ready to develop the Admin UI against in a separate branch (but not ready for merge). It contains the following changes:
Registration Flow:
Added Mutation.createWebAuthnCredentialCreationOptions(username: String!, extensionOptions: JSON): JSON!
Mutation.createUser: added new input field webAuthnPublicKeyCredentials
Login Flow:
Added Mutation.createWebAuthnCredentialRequestOptions(username: String, extensionOptions: JSON): JSON!
Added Mutation.loginWithWebAuthn(webAuthnPublicKeyCredentials: JSON!): LoginMethodResponse
Device Management:
Added Mutation.addWebAuthnCredentials(credentials: JSON!): User!
Added Mutation.removeWebAuthnCredentials(credentialsId: ID!): User!
Added User.webAuthnCredentials: [WebAuthnCredentials!]!
Research:
- https://webauthn.guide
An example registration procedure can be seen here: https://github.com/unchainedshop/unchained/blob/22e2c4766835c0e5d88643c14442791518af9f86/examples/controlpanel/components/account/FormSignUp.jsx#L57
An example login procedure can be seen here: https://github.com/unchainedshop/unchained/blob/22e2c4766835c0e5d88643c14442791518af9f86/examples/controlpanel/components/account/FormSignIn.jsx#L65
I tested it with:
- Apple Passkey on Safari
- Yubikey Nano 5C on Safari, Chrome and Firefox
- Chrome as Device
One more note: to add a new credential for a logged-in user you have to combine createWebAuthnCredentialCreationOptions with addWebAuthnCredentials. It is basically the same as registration, with the difference that you don't pass the result to createUser but to addWebAuthnCredentials instead.
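The browser side of the registration, login and add-device flows described above, as an added example that is not part of this PR or of Unchained's code. It assumes things the description does not state: that the server encodes binary fields (challenge, user.id, credential ids) as base64url strings in the JSON it returns and accepts the same encoding back, that `gql(query, variables)` is a hypothetical helper that sends one GraphQL mutation and resolves to its `data` object, and that the argument shape of createUser and the selected result fields (`id`, `token`) are as written here.

```javascript
// Added example, not Unchained's own code. Assumptions (not stated in the PR):
// binary fields travel as base64url strings; `gql(query, variables)` is a
// hypothetical GraphQL helper resolving to `data`; createUser's arguments and
// the selected result fields (`id`, `token`) are assumed.

function b64urlToBuffer(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

function bufferToB64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// JSON from createWebAuthnCredentialCreationOptions -> object for navigator.credentials.create.
// The spread keeps fields we do not decode (rp, pubKeyCredParams, timeout, ...) as sent.
function toCreationOptions(json) {
  return {
    ...json,
    challenge: b64urlToBuffer(json.challenge),
    user: { ...json.user, id: b64urlToBuffer(json.user.id) },
    excludeCredentials: (json.excludeCredentials || []).map((c) => ({ ...c, id: b64urlToBuffer(c.id) })),
  };
}

// JSON from createWebAuthnCredentialRequestOptions -> object for navigator.credentials.get.
function toRequestOptions(json) {
  return {
    ...json,
    challenge: b64urlToBuffer(json.challenge),
    allowCredentials: (json.allowCredentials || []).map((c) => ({ ...c, id: b64urlToBuffer(c.id) })),
  };
}

// PublicKeyCredential (ArrayBuffers inside) -> plain JSON for the mutation variables.
// A registration response carries attestationObject; an assertion (login) response
// carries authenticatorData, signature and optionally userHandle.
function serializeCredential(cred) {
  const r = cred.response;
  const response = { clientDataJSON: bufferToB64url(r.clientDataJSON) };
  if (r.attestationObject) response.attestationObject = bufferToB64url(r.attestationObject);
  if (r.authenticatorData) response.authenticatorData = bufferToB64url(r.authenticatorData);
  if (r.signature) response.signature = bufferToB64url(r.signature);
  if (r.userHandle) response.userHandle = bufferToB64url(r.userHandle);
  return {
    id: cred.id,
    rawId: bufferToB64url(cred.rawId),
    type: cred.type,
    response,
    clientExtensionResults:
      typeof cred.getClientExtensionResults === 'function' ? cred.getClientExtensionResults() : {},
  };
}

// Registration: creation options -> authenticator -> createUser.
async function signUpWithWebAuthn(gql, username) {
  const { createWebAuthnCredentialCreationOptions: opts } = await gql(
    'mutation ($username: String!) { createWebAuthnCredentialCreationOptions(username: $username) }',
    { username },
  );
  const cred = await navigator.credentials.create({ publicKey: toCreationOptions(opts) });
  return gql(
    'mutation ($username: String!, $cred: JSON!) { createUser(username: $username, webAuthnPublicKeyCredentials: $cred) { id } }',
    { username, cred: serializeCredential(cred) },
  );
}

// Adding a device to a logged-in user: same first step, addWebAuthnCredentials as the second.
async function addWebAuthnDevice(gql, username) {
  const { createWebAuthnCredentialCreationOptions: opts } = await gql(
    'mutation ($username: String!) { createWebAuthnCredentialCreationOptions(username: $username) }',
    { username },
  );
  const cred = await navigator.credentials.create({ publicKey: toCreationOptions(opts) });
  return gql(
    'mutation ($cred: JSON!) { addWebAuthnCredentials(credentials: $cred) { id } }',
    { cred: serializeCredential(cred) },
  );
}

// Login: request options -> authenticator -> loginWithWebAuthn.
async function signInWithWebAuthn(gql, username) {
  const { createWebAuthnCredentialRequestOptions: opts } = await gql(
    'mutation ($username: String) { createWebAuthnCredentialRequestOptions(username: $username) }',
    { username },
  );
  const cred = await navigator.credentials.get({ publicKey: toRequestOptions(opts) });
  return gql(
    'mutation ($cred: JSON!) { loginWithWebAuthn(webAuthnPublicKeyCredentials: $cred) { token } }',
    { cred: serializeCredential(cred) },
  );
}
```

The three flow functions only differ in which mutation receives the serialized credential; the decoding and encoding helpers are where most client-side WebAuthn bugs live (wrong base64 alphabet, padding, or forgetting to decode `user.id` and the credential ids in `excludeCredentials`/`allowCredentials`), so they are worth testing on their own.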
@Mikearaya I have rebased it on the new master of unchained
Rebased on new npm-style Unchained
@Mikearaya can you review this?
@Mikearaya The e-mail thing is intentional: it should be possible if you use the e-mail as the "username" and not as an e-mail, though?
The thing is, if you sign up with username+webAuthn you should not be able to reset your password through e-mail. Because if you were able to set a password by e-mail, the security of WebAuthn would be broken and you could bypass it.
So these combinations should be allowed:
- e-mail + password
- username + password
- username + webauthn
@pozylon Then all those scenarios work. The only issue I found is being able to register the same device multiple times for a single account (when testing locally). Other than that it looks great :)