feat(WebAuthn): formalize storage adapter

README.md

@@ -69,7 +69,6 @@ const webauthn = new WebAuthn({
   // store: {
   //   put: async (id, value) => {/* return <void> */},
   //   get: async (id) => {/* return User */},
-  //   search: async (search) => {/* return { [username]: User } */},
   //   delete: async (id) => {/* return boolean */},
   // },
   rpName: 'Stranger Labs, Inc.',
@@ -157,28 +156,65 @@ redirected to the supplied URL.
 ### Storage Adapater
 
 Storage adapters provide an interface to the WebAuthn RP to store and retrieve
-data necessary for authentication, such as authenticator public keys. Storage
-adapters must implement the following interface:
-
-**`async get (id)`**
+data necessary for authentication, such as authenticator public keys. You can
+use the provided LevelDB adapter or write your own to interface with your
+database.
+
+The WebAuthnUser object interface is as follows:
+
+```ts
+interface Credential {
+  // The credential format (for now this is the string "fido-u2f").
+  fmt: string,
+
+  // base64url encoded credential ID returned by the authenticator on
+  // registration.
+  credID: string,
+
+  // PKCS#8-encoded encoded public key as a base64url string.
+  publicKey: string,
+
+  // Signature counter (https://w3c.github.io/webauthn/#signature-counter) for
+  // the credential.
+  counter: number,
+
+  // Credential transport
+  // (https://w3c.github.io/webauthn/#dom-publickeycredentialdescriptor-transports).
+  transports: string[],
+};
+
+interface WebAuthnUser {
+  // base64url-encoded sequence of 32 random bytes that identifies the user
+  // uniquely, generated by WebAuthn. Avoid replacing this ID with something
+  // else, user IDs in WebAuthn must be random.
+  id: string,
+
+  // List of credentials associated to the user.
+  credentials: Credential[],
+};
+```
 
-Retrieves and returns the previously stored object with the provided `id`.
+Additionally, `WebAuthnUser` will have any attributes declared on
+`options.userFields` set.
 
-**`async put (id, value)`**
+Storage adapters must implement the following interface:
 
-Stores an object so that it may be retrieved with the provided `id`. Returns
-nothing.
+```ts
+async function get (id: string): WebAuthnUser
+```
 
-**`async search (startsWith, [options])`**
+Retrieves and returns the previously stored WebAuthnUser with the provided `id`.
 
-Returns a mapping of objects where the `id` of the objects return starts with
-the provided query value. Available options include:
+```ts
+async function put (id: string, webAuthnUser: WebAuthnUser): void
+```
 
-- `limit`: Return the first N results.
-- `reverse`: Return results in reverse lexicographical order. If used in
-conjunction with limit then the _last_ N results are returned.
+Stores a WebAuthnUser object so that it may be retrieved with the provided `id`.
+Returns nothing.
 
-**`async delete (id)`**
+```ts
+async function delete (id: string): boolean
+```
 
 Delete a previously stored object. Returns a boolean indicating success.
 

client/Client.js

@@ -68,6 +68,9 @@ class Client {
   static preformatMakeCredReq (makeCredReq) {
     makeCredReq.challenge = base64url.decode(makeCredReq.challenge)
     makeCredReq.user.id = base64url.decode(makeCredReq.user.id)
+    for (let excludeCred of makeCredReq.excludeCredentials) {
+      excludeCred.id = base64url.decode(excludeCred.id)
+    }
     return makeCredReq
   }
 
@@ -149,6 +152,10 @@ class Client {
     console.log('REGISTER CREDENTIAL', credential)
 
     const credentialResponse = Client.publicKeyCredentialToJSON(credential)
+    if (credential.response.getTransports)
+      credentialResponse.response.transports = credential.response.getTransports()
+    else
+      credentialResponse.response.transports = []
     console.log('REGISTER RESPONSE', credentialResponse)
 
     return await this.sendWebAuthnResponse(credentialResponse)

example/server.js

@@ -52,7 +52,6 @@ const webauthn = new Webauthn({
   // store: {
   //   put: async (id, value) => {/* return <void> */},
   //   get: async (id) => {/* return User */},
-  //   search: async (search) => {/* return { [username]: User } */},
   //   delete: async (id) => {/* return boolean */},
   // },
   rpName: 'Stranger Labs, Inc.',
@@ -62,15 +61,8 @@ const webauthn = new Webauthn({
 app.use('/webauthn', webauthn.initialize())
 
 // Endpoint without passport
-app.get('/authenticators', webauthn.authenticate(), async (req, res) => {
-  res.status(200).json([
-      await webauthn.store.get(req.session.username)
-  ].map(user => user.authenticator))
-})
-
-// Debug
-app.get('/db', async (req, res) => {
-  res.status(200).json(await webauthn.store.search())
+app.get('/credentials', webauthn.authenticate(), async (req, res) => {
+  res.status(200).json((await webauthn.store.get(req.session.username)).credentials)
 })
 
 // Debug

example/src/CredentialCard.js

@@ -0,0 +1,22 @@
+import React from 'react'
+import { Card } from 'react-bootstrap'
+import 'bootstrap/dist/css/bootstrap.min.css'
+
+class CredentialCard extends React.Component {
+  render () {
+    return (
+      <Card>
+        <Card.Body>
+          <Card.Title>{this.props.credential.credID}</Card.Title>
+          <Card.Text>
+            <p><strong>Format: </strong> {this.props.credential.fmt}</p>
+            <p><strong>Counter: </strong> {this.props.credential.counter}</p>
+            <p><strong>Public key: </strong> {this.props.credential.publicKey}</p>
+          </Card.Text>
+        </Card.Body>
+      </Card>
+    )
+  }
+}
+
+export default CredentialCard;

example/src/Login.js

@@ -31,9 +31,7 @@ function Login (props) {
     webauthn.register({ name, username }).then(response => {
       console.log('Register response: ', response)
       setSuccess('Registration successful. Try logging in.')
-    }).catch(error => {
-      setError(error.message)
-    })
+    });
   }
 
   function onLogin () {
@@ -47,7 +45,7 @@ function Login (props) {
         props.onLogin({
           username,
         });
-    }).catch(error => setError(error.message))
+    });
   }
 
   return (

example/src/User.js

@@ -1,6 +1,6 @@
 import React from 'react'
-import { Container, Row, Col, Button } from 'react-bootstrap'
-import AuthenticatorCard from './AuthenticatorCard'
+import { Container, Row, Col, Button, CardColumns } from 'react-bootstrap'
+import CredentialCard from './CredentialCard'
 import Client from 'webauthn/client'
 import 'bootstrap/dist/css/bootstrap.min.css'
 
@@ -9,10 +9,10 @@ class User extends React.Component {
     super(props)
 
     this.state = {
-      authenticators: []
+      credentials: []
     }
 
-    fetch('authenticators', {
+    fetch('credentials', {
       method: 'GET',
       credentials: 'include',
     }).then(response => {
@@ -21,8 +21,8 @@ class User extends React.Component {
         return
       }
       return response.json()
-    }).then(authenticators => {
-      this.setState({ authenticators })
+    }).then(credentials => {
+      this.setState({ credentials })
     })
   }
 
@@ -36,15 +36,17 @@ class User extends React.Component {
         <Row style={{ paddingTop: 80}}>
           <Col>
             <h2>Welcome {this.props.user.username}</h2>
-            <h3>Your authenticators:</h3>
+            <h3>Your credentials:</h3>
           </Col>
           <Col className="text-right">
             <Button variant="primary" onClick={this.logout}>Log Out</Button>
           </Col>
         </Row>
-        {this.state.authenticators.map(authenticator => <Row key={authenticator.credID}>
-          <Col><AuthenticatorCard authenticator={authenticator} /></Col>
-        </Row>)}
+        <CardColumns>
+          {this.state.credentials.map(credential =>
+            <Col key={credential.credID}><CredentialCard credential={credential} /></Col>
+          )}
+        </CardColumns>
       </Container>
     )
   }

src/AttestationChallengeBuilder.js

@@ -87,39 +87,31 @@ class AttestationChallengeBuilder {
     return this
   }
 
-  addCredentialExclusion (options = {}) {
-    const { AuthenticatorTransport, PublicKeyCredentialType } = Dictionaries
-    let { excludeCredentials = [] } = this.result
-
-    if (!Array.isArray(excludeCredentials)) {
-      excludeCredentials = [excludeCredentials]
-    }
-
-    if (Array.isArray(options)) {
-      options.forEach(option => this.addCredentialRequest(option))
-      return this
-    }
+  addCredentialExclusion (credentials) {
+    if (typeof credentials === 'undefined')
+      credentials = []
 
-    const { type, id, transports = [] } = options
+    if (!Array.isArray(credentials))
+      credentials = [credentials]
 
-    if (
-      !type
-      || !id
-      || !Object.values(PublicKeyCredentialType).includes(type)
-      || !Array.isArray(transports)
-    ) {
-      throw new Error('Invalid PublicKeyCredentialDescriptor. See https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialdescriptor')
-    }
+    const { AuthenticatorTransport, PublicKeyCredentialType } = Dictionaries
+    let { excludeCredentials = [] } = this.result
 
-    const transportValues = Object.values(AuthenticatorTransport)
-    transports.forEach(transport => {
-      if (!transportValues.includes(transport)) {
-        throw new Error('Invalid AuthenticatorTransport. See https://www.w3.org/TR/webauthn/#enumdef-authenticatortransport')
+    credentials.map(credential => ({
+      type: credential.type || 'public-key',
+      id: credential.id,
+      transports: credential.transports || [],
+    })).forEach(excluded => {
+      if (
+        !excluded.type
+        || !excluded.id
+        || !Object.values(PublicKeyCredentialType).includes(excluded.type)
+        || !Array.isArray(excluded.transports)
+      ) {
+        throw new Error('Invalid PublicKeyCredentialDescriptor:', excluded, '. See https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialdescriptor')
       }
-    })
-
-    // Add credential request
-    excludeCredentials.push({ type, id, transports })
+      excludeCredentials.push(excluded)
+    });
 
     this.result.excludeCredentials = excludeCredentials
     return this
@@ -180,7 +172,7 @@ class AttestationChallengeBuilder {
 
   build (override = {}) {
     const challenge = base64url(crypto.randomBytes(32))
-    const { rp, user, attestation, pubKeyCredParams } = this.result
+    const { rp, user, attestation, pubKeyCredParams, excludeCredentials } = this.result
 
     if (!rp) {
       throw new Error('Requires RP information')
@@ -199,6 +191,10 @@ class AttestationChallengeBuilder {
       this.addCredentialRequest({ type: 'public-key', alg: -7 })
     }
 
+    if (!excludeCredentials) {
+      this.addCredentialExclusion()
+    }
+
     return { ...this.result, ...override, challenge }
   }
 }

src/LevelAdapter.js

@@ -60,30 +60,6 @@ class LevelAdapter {
       throw err
     }
   }
-
-  async search (startsWith = '', options = {}) {
-    if (typeof startsWith === 'object') {
-      options = startsWith
-      startsWith = options.startsWith || options.gte || options.search
-    }
-
-    const { limit = -1, reverse = false, lte } = options
-
-    return await new Promise((resolve, reject) => {
-      const data = {}
-
-      // Get all values that start with `startsWith`
-      this.db.createReadStream({
-        gte: startsWith,
-        lte: lte ? lte : `${startsWith}\uffff`,
-        limit,
-        reverse,
-      })
-        .on('data', item => data[item.key] = item.value)
-        .on('end', () => resolve(data))
-        .on('error', err => reject(err))
-    })
-  }
 }
 
 /**

src/MemoryAdapter.js

@@ -41,15 +41,6 @@ class MemoryAdapter {
 
     return false
   }
-
-  async search (id = '') {
-    return Object.entries(this.db)
-      .filter(([key]) => key.startsWith(id))
-      .reduce((state, [key, value]) => {
-        state[key] = value
-        return state
-      }, {})
-  }
 }
 
 /**