Laravel Webauthn support
dependabot and asbiin chore(deps): bump web-token/jwt-signature from 1.3.3 to 1.3.5 (#38)
Bumps [web-token/jwt-signature](https://github.com/web-token/jwt-signature) from 1.3.3 to 1.3.5.
- [Release notes](https://github.com/web-token/jwt-signature/releases)
- [Commits](web-token/jwt-signature@v1.3.3...v1.3.5)

Signed-off-by: dependabot[bot] <support@dependabot.com>
Latest commit 2f9ab1c Apr 25, 2019
.circleci feat: add attestation statement support manager (#3) Apr 4, 2019
config feat: add javascript and other resources files (#24) Apr 18, 2019
database/migrations fix: fix some contracts binding (#6) Apr 6, 2019
resources
scripts/tests
src fix: name the destroy route (#32) Apr 18, 2019
tests feat: add javascript and other resources files (#24) Apr 18, 2019
.editorconfig fix: fix javascript resource in case no key is registered yet (#30) Apr 18, 2019
.gitignore feat: add attestation statement support manager (#3) Apr 4, 2019
.styleci.yml First commit Mar 30, 2019
CHANGELOG.md
LICENSE First commit Mar 30, 2019
README.md docs: add documentation (#31) Apr 18, 2019
composer.json fix: use safe php functions (#25) Apr 16, 2019
composer.lock chore(deps): bump web-token/jwt-signature from 1.3.3 to 1.3.5 (#38) Apr 25, 2019
phpstan.neon fix: use safe php functions (#25) Apr 16, 2019
phpunit.xml feat: add a new Webauthn::enabled function (#2) Apr 2, 2019
psalm.xml feat: add callback URL in session (#19) Apr 11, 2019
sonar-project.properties feat: init repository (#1) Mar 30, 2019

README.md

Webauthn adapter for Laravel

LaravelWebauthn is an adapter to use Webauthn on Laravel.


Installation

You may use Composer to install this package into your Laravel project:

composer require asbiin/laravel-webauthn

You don't need to add this package to your service providers.

Support

This package supports Laravel 5.8 and newer, and has been tested with PHP 7.2 and newer versions.

It's based on web-auth/webauthn-framework.

Configuration

You can publish the LaravelWebauthn configuration to a file named config/webauthn.php, along with the package resources, by running this artisan command:

php artisan laravelwebauthn:publish

If desired, you may disable LaravelWebauthn entirely using the enabled configuration option:

'enabled' => false,

Usage

You will find an example of usage on this repository: asbiin/laravel-webauthn-example.

Add LaravelWebauthn middleware

Add this in the $routeMiddleware array of your app/Http/Kernel.php file:

  'webauthn' => \LaravelWebauthn\Http\Middleware\WebauthnMiddleware::class,

You can use this middleware in your routes.php file:

Route::middleware(['auth', 'webauthn'])->group(function () {
    Route::get('/home', 'HomeController@index')->name('home');
    // ...
});

This way, users will have to validate their key on login.

Authenticate

The middleware will open the page defined in the webauthn.authenticate.view configuration. The default value opens the webauthn::authenticate page. The basics are:

  <!-- load javascript part -->
  <script src="{!! secure_asset('vendor/webauthn/webauthn.js') !!}"></script>
...
  <!-- form to send the data to -->
  <form method="POST" action="{{ route('webauthn.auth') }}" id="form">
    @csrf
    <input type="hidden" name="data" id="data" />
  </form>
...
  <!-- script part to run the sign part -->
  <script>
    var publicKey = {!! json_encode($publicKey) !!};

    var webauthn = new WebAuthn();

    webauthn.sign(
      publicKey,
      function (datas) {
        $('#data').val(JSON.stringify(datas));
        $('#form').submit();
      }
    );
  </script>

The webauthn.authenticate.postSuccessCallback configuration is used to redirect the submitted form to the callback URL, which is the page the user first tried to access.

If the value is false, webauthn.authenticate.postSuccessRedirectRoute is used as the redirect route.

If postSuccessCallback is false and postSuccessRedirectRoute is empty, the response is returned as JSON:

{
    "result": true,
    "callback": "http://localhost"
}
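
A client that receives this JSON and performs the navigation itself can check that callback stays on its own origin before following it. The function below is an added example, not part of the package; nextLocation and its parameters are hypothetical names, and the sample URLs in its use are constructed.

```javascript
// Added example: decide where to go after the JSON response described above.
// Returns null when authentication was not confirmed, a same-origin path when
// the callback is acceptable, and the fallback path otherwise.
function nextLocation(body, appOrigin, fallback = '/') {
  if (!body || body.result !== true || typeof body.callback !== 'string') {
    return null; // no confirmed login: do not navigate anywhere
  }
  let target;
  try {
    // Resolving against appOrigin also handles relative paths and
    // protocol-relative values such as "//other.example/".
    target = new URL(body.callback, appOrigin);
  } catch (e) {
    return fallback; // unparsable value
  }
  const sameOrigin = target.origin === new URL(appOrigin).origin;
  const webScheme = target.protocol === 'https:' || target.protocol === 'http:';
  if (!sameOrigin || !webScheme) {
    return fallback; // other host, other port, or a non-web scheme
  }
  // Hand back only path, query and fragment so the origin cannot change.
  return target.pathname + target.search + target.hash;
}
```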

Register a new key

To register a new key, open /webauthn/register or go to route('webauthn.register'), or use your own implementation.

The controller will open the page defined in the webauthn.register.view configuration. The default value opens the webauthn::register page. The basics are:

  <!-- load javascript part -->
  <script src="{!! secure_asset('vendor/webauthn/webauthn.js') !!}"></script>
...
  <!-- form to send the data to (POST /webauthn/register, see the Urls section) -->
  <form method="POST" action="{{ route('webauthn.create') }}" id="form">
    @csrf
    <input type="hidden" name="register" id="register" />
    <input type="hidden" name="name" id="name" />
  </form>
...
  <!-- script part to run the register part -->
  <script>
    var publicKey = {!! json_encode($publicKey) !!};

    var webauthn = new WebAuthn();

    webauthn.register(
      publicKey,
      function (datas) {
        $('#register').val(JSON.stringify(datas));
        $('#form').submit();
      }
    );
  </script>
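
The sign and register snippets above pass $publicKey to the bundled webauthn.js and post back whatever the callback receives. The added example below (not the package's own code) sketches the conversion such a wrapper has to perform around navigator.credentials.get() and create(); the base64url wire encoding and the helper names decodeOptions, encodeCredential and signIn are assumptions.

```javascript
// Added example, not the package's webauthn.js. Assumes the server sends
// binary fields as base64url strings; all helper names are hypothetical.
const b64uToBytes = (s) => {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
};

const bytesToB64u = (buf) => {
  let bin = '';
  new Uint8Array(buf).forEach((b) => { bin += String.fromCharCode(b); });
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
};

// JSON options -> the typed-array form navigator.credentials expects.
function decodeOptions(publicKey) {
  const out = { ...publicKey, challenge: b64uToBytes(publicKey.challenge) };
  for (const list of ['allowCredentials', 'excludeCredentials']) {
    if (publicKey[list]) {
      out[list] = publicKey[list].map((c) => ({ ...c, id: b64uToBytes(c.id) }));
    }
  }
  if (publicKey.user) {
    out.user = { ...publicKey.user, id: b64uToBytes(publicKey.user.id) };
  }
  return out;
}

// PublicKeyCredential -> plain object that survives JSON.stringify.
function encodeCredential(cred) {
  const response = {};
  for (const key of ['clientDataJSON', 'authenticatorData', 'signature',
    'userHandle', 'attestationObject']) {
    if (cred.response[key]) response[key] = bytesToB64u(cred.response[key]);
  }
  return { id: cred.id, type: cred.type, rawId: bytesToB64u(cred.rawId), response };
}

// Browser-only: runs the authentication ceremony and returns the string
// that would go into the hidden "data" field of the form.
async function signIn(publicKey) {
  const cred = await navigator.credentials.get({ publicKey: decodeOptions(publicKey) });
  return JSON.stringify(encodeCredential(cred));
}
```

The challenge is generated server-side for each ceremony; the client only converts its encoding and never substitutes a value of its own.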

The webauthn.register.postSuccessRedirectRoute configuration is used to redirect the submitted form after the registration.

If postSuccessRedirectRoute is empty, the response is returned as JSON:

{
    "result": true,
    "id": 42,
    "object": "webauthnKey",
    "name": "name of the key",
    "counter": 12
}

Urls

The following URLs are used:

  • GET /webauthn/auth / route('webauthn.login') The login page.

  • POST /webauthn/auth / route('webauthn.auth') Post data after a WebAuthn login validation.

  • GET /webauthn/register / route('webauthn.register') Get data to register a new key.

  • POST /webauthn/register / route('webauthn.create') Post data after a WebAuthn register check.

  • DELETE /webauthn/{id} / route('webauthn.destroy') Delete a registered key.

Events

Events are dispatched by LaravelWebauthn:

  • \LaravelWebauthn\Events\WebauthnLoginData on creating authentication data
  • \LaravelWebauthn\Events\WebauthnLogin on login with WebAuthn check
  • \LaravelWebauthn\Events\WebauthnRegisterData on creating registration data
  • \LaravelWebauthn\Events\WebauthnRegister on registering a new key

License

Author: Alexis Saettler

Copyright © 2019.

Licensed under the MIT License. View license.
