fixes V2: authenticate() function doesn't handle string credentialIds #…

…65
passwordless-id · Aug 1, 2024 · e104419 · e104419
1 parent 1b5a792
commit e104419
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 27 deletions.
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -52,11 +52,13 @@ const authentication = await client.authenticate({
   /* Required */
   challenge: "A server-side randomly generated byte array as base64url encoded",
   /* Optional */
-  allowCredentials: ["credential-id-1", "credential-id-2"],
+  allowCredentials: [{id:'my-credential-id', transports:['internal']}, ...],
   timeout: 60000
 })
 ```
 
+If you already know the supported passkeys for the account, passkey selection can be skipped with `allowCredentials`.
+Without, the platform's default passkey slection dialog will be triggered.
 
 The following options are available.
 
@@ -67,7 +69,8 @@ The following options are available.
 | `userVerification`| `preferred` | Whether the user verification (using local authentication like fingerprint, PIN, etc.) is `required`, `preferred` or `discouraged`.
 | `hints` | `[]` | Which device to use as authenticator, by order of preference. Possible values: `client-device`, `security-key`, `hybrid` (delegate to smartphone).
 | `domain` | `window.location.hostname` | By default, the current domain name is used. Also known as "relying party id". You may want to customize it for ...
-| `mediation` | | See https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get#mediation
+| `allowedCredentials` | The list of credentials and the transports it supports. Used to skip passkey selection. Either a list of credential ids (discouraged) or list of credential objects with `id` and supported `transports` (recommended).
+| `autofill` | `false` | See concepts
 
 
 

diff --git a/docs/demos/js/webauthn.min.js b/docs/demos/js/webauthn.min.js
diff --git a/docs/demos/js/webauthn.min.js.map b/docs/demos/js/webauthn.min.js.map
diff --git a/docs/registration.md b/docs/registration.md
@@ -84,7 +84,8 @@ The result `registration` object looks like this:
   "credential": {
     "id": "3924HhJdJMy_svnUowT8eoXrOOO6NLP8SK85q2RPxdU",
     "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgyYqQmUAmDn9J7dR5xl-HlyAA0R2XV5sgQRnSGXbLt_xCrEdD1IVvvkyTmRD16y9p3C2O4PTZ0OF_ZYD2JgTVA==",
-    "algorithm": "ES256"
+    "algorithm": "ES256",
+    "transports": ["internal", "hybrid"]
   },
   "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAAiYcFjK3EuBtuEw3lDcvpYAIN_duB4SXSTMv7L51KME_HqF6zjjujSz_EivOatkT8XVpQECAyYgASFYIIMmKkJlAJg5_Se3UecZfh5cgANEdl1ebIEEZ0hl2y7fIlgg8QqxHQ9SFb75Mk5kQ9esvadwtjuD02dDhf2WA9iYE1Q=",
   "clientData": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiYTdjNjFlZjktZGMyMy00ODA2LWI0ODYtMjQyODkzOGE1NDdlIiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwIiwiY3Jvc3NPcmlnaW4iOmZhbHNlfQ=="

diff --git a/src/client.ts b/src/client.ts
@@ -1,4 +1,4 @@
-import { AuthenticateOptions, AuthenticationJSON, AuthenticatorTransport, PublicKeyCredentialHints, RegisterOptions, RegistrationJSON, User, WebAuthnCreateOptions, WebAuthnGetOptions } from './types.js'
+import { AuthenticateOptions, AuthenticationJSON, Base64URLString, CredentialDescriptor, ExtendedAuthenticatorTransport, PublicKeyCredentialHints, RegisterOptions, RegistrationJSON, User, WebAuthnCreateOptions, WebAuthnGetOptions } from './types.js'
 import * as utils from './utils'
 
 /**
@@ -155,13 +155,7 @@ export async function authenticate(options: AuthenticateOptions): Promise<Authen
     let authOptions: WebAuthnGetOptions = {
         challenge: utils.parseBase64url(options.challenge),
         rpId: options.domain ?? window.location.hostname,
-        allowCredentials: options.allowCredentials?.map(cred => {
-            return {
-                id: utils.parseBase64url(cred.id),
-                type: 'public-key',
-                transports: cred.transports as any,
-            }
-        }),
+        allowCredentials: options.allowCredentials?.map(toPublicKeyCredentialDescriptor),
         hints: options.hints,
         userVerification: options.userVerification,
         timeout: options.timeout,
@@ -204,4 +198,20 @@ export async function authenticate(options: AuthenticateOptions): Promise<Authen
     }
 
     return json
-}
+}
+
+function toPublicKeyCredentialDescriptor(cred: Base64URLString | CredentialDescriptor): PublicKeyCredentialDescriptor {
+    if(typeof cred === 'string') {
+        return {
+            id: utils.parseBase64url(cred),
+            type: 'public-key'
+        }
+    }
+    else {
+        return {
+            id: utils.parseBase64url(cred.id),
+            type: 'public-key',
+            transports: cred.transports as AuthenticatorTransport[]
+        }
+    }
+}
diff --git a/src/parsers.ts b/src/parsers.ts
@@ -99,6 +99,7 @@ export function toRegistrationInfo(registrationJson :RegistrationJSON, authentic
             id: registrationJson.id,
             publicKey: registrationJson.response.publicKey,
             algorithm: getAlgoName(registrationJson.response.publicKeyAlgorithm),
+            transports: registrationJson.response.transports
         },
         synced: authenticator.flags.backupEligibility,
         user: registrationJson.user as UserInfo, // That's specific to this library

diff --git a/src/types.ts b/src/types.ts
@@ -50,11 +50,11 @@ export interface User {
  */
 export interface CredentialDescriptor {
   id: Base64URLString,
-  transports?: AuthenticatorTransport[]
+  transports: ExtendedAuthenticatorTransport[]
 }
 
 export interface AuthenticateOptions extends CommonOptions {
-  allowCredentials?: CredentialDescriptor[]
+  allowCredentials?: (CredentialDescriptor | string)[]
   conditional?: boolean
 }
 
@@ -93,7 +93,7 @@ export interface AuthenticatorAttestationResponseJSON {
   attestationObject: Base64URLString;
   authenticatorData: Base64URLString;
   clientDataJSON: Base64URLString;
-  transports: AuthenticatorTransport[];
+  transports: ExtendedAuthenticatorTransport[];
   publicKey: Base64URLString;
   publicKeyAlgorithm: COSEAlgorithmIdentifier;
 }
@@ -130,15 +130,10 @@ export interface AuthenticatorAssertionResponseJSON {
 /**
  * WebAuthn added transports that are not yet defined in the DOM definitions.
  * However, it's partly obsoleted by the `hints` in the registration/authentication request.
+ * 
+ * https://w3c.github.io/webauthn/#enumdef-authenticatortransport
  */
-export type AuthenticatorTransport =
-  | 'ble'
-  | 'cable'
-  | 'hybrid'
-  | 'internal'
-  | 'nfc'
-  | 'smart-card'
-  | 'usb';
+export type ExtendedAuthenticatorTransport = AuthenticatorTransport | 'smart-card'; // missing in the current DOM types
 
 
 /************************** PARSED **************************/
@@ -203,6 +198,7 @@ export interface CredentialInfo {
   id: string
   publicKey: string
   algorithm: NamedAlgo
+  transports: ExtendedAuthenticatorTransport[]
 }
 
 export interface AuthenticatorInfo {