feat: test webauthn platform auth #6065

Closed
wants to merge 20 commits into from

@ndom91 ndom91 commented Dec 15, 2022

☕️ Reasoning

Big time WIP

@bradennapier

In case you haven't seen it, this library made it fairly easy to implement into my app via Cloudflare SQLite and provides good conventions for some of the confusing aspects.

https://simplewebauthn.dev/

ndom91 commented Dec 17, 2022

> in case you haven't seen it, this library made it fairly easy to implement into my app via Cloudflare sqlite and provides good conventions for some of the confusing aspects
>
> simplewebauthn.dev

Yeah thanks for pointing that out! I did stumble upon that during my research, but wanted to give it a shot implementing it from scratch myself, because it seem(ed) to be just a few Web APIs.

Do you have any additional experience with webauthn/passkeys? Is this route looking correct at least? 😅

bradennapier commented Dec 18, 2022

> because it seem(ed) to be just a few Web APIs.

WebAuthn is notoriously ... not fun to work with :-) especially when it first came out!

I implemented it out of curiosity to see if it was as cool as it seemed using that package. I haven't reviewed your code yet but I will take a look. It worked great! There are a few caveats though that can cause the UX to not display things properly, which is annoying.

IIRC the main one was because a critical piece is still behind a feature flag on Chrome:

chrome://flags/#webauthn-conditional-ui

It also seemed to conflict a lot with 1Password, which was annoying, but 1Password has said they are basically going full in on passkeys: https://www.future.1password.com/passkeys/

Oh wow that demo is so nice!

bradennapier commented Dec 18, 2022

As for the code here - it seems to be only the UX -- the hardest part tends to be serializing the binary values over the wire properly and such (which @simplewebauthn did for me). Looks right so far from my quick pass! Since Chrome and Apple both link to that simplewebauthn package it's prob worth basically just studying their general process though!

You should definitely implement conditional mediation - it makes the process a LOT cleaner https://chromestatus.com/feature/5144633101778944

Chrome also has: https://developer.chrome.com/docs/devtools/webauthn/
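
The serialization step mentioned in the comment above, as an added example that is not part of the thread, the PR's code, or SimpleWebAuthn: it base64url-encodes an assertion's binary fields for JSON transport and checks the decoded `clientDataJSON` on the server. The function names and the sample assertion are assumptions constructed for illustration.

```javascript
// Added example; function names are illustrative, not from next-auth or SimpleWebAuthn.
// WebAuthn fields are ArrayBuffers, and JSON.stringify(new ArrayBuffer(3)) is just "{}",
// so every binary field must be base64url-encoded before it goes over the wire.
function bufferToBase64url(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlToBuffer(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, "="));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
}

// Browser side: flatten an assertion (result of navigator.credentials.get()) to JSON.
function assertionToJSON(cred) {
  const response = {};
  for (const k of ["clientDataJSON", "authenticatorData", "signature", "userHandle"]) {
    response[k] = cred.response[k] ? bufferToBase64url(cred.response[k]) : null;
  }
  return { id: cred.id, rawId: bufferToBase64url(cred.rawId), type: cred.type, response };
}

// Server side: decode clientDataJSON and compare it with what the server issued.
// Signature verification over authenticatorData is a separate step, not shown here.
function checkClientData(json, expected) {
  const bytes = base64urlToBuffer(json.response.clientDataJSON);
  const clientData = JSON.parse(new TextDecoder().decode(bytes));
  if (clientData.type !== "webauthn.get") return "wrong type";
  if (clientData.challenge !== expected.challenge) return "challenge mismatch";
  if (clientData.origin !== expected.origin) return "origin mismatch";
  return "ok";
}

// Constructed sample standing in for a real authenticator response.
function sampleAssertion(challenge, origin) {
  const clientData = JSON.stringify({ type: "webauthn.get", challenge, origin });
  return {
    id: "-_8B", rawId: new Uint8Array([0xfb, 0xff, 0x01]).buffer, type: "public-key",
    response: {
      clientDataJSON: new TextEncoder().encode(clientData).slice().buffer,
      authenticatorData: new Uint8Array(37).buffer,
      signature: new Uint8Array([0x30, 0x00]).buffer,
      userHandle: null,
    },
  };
}
```

The challenge passed to `checkClientData` is the base64url form of the bytes the server generated for this login attempt, stored server-side and used once.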

ndom91 commented Dec 18, 2022

@bradennapier alright awesome, thanks a ton for all the info! I'll probably just end up pulling in that lib then 😅

Since you do seem to have a good amt of experience with it, do you mind if I ping you for a review later when this is closer to being ready? 🙏

github-actions bot added labels core (Refers to `@auth/core`) and TypeScript (Issues relating to TypeScript), Dec 18, 2022
@bradennapier

Ofc - I am eager to see the result! I think passkeys will be insanely transformative!

github-actions bot added label legacy (Refers to `next-auth` v4. Minimal maintenance.) and removed label core (Refers to `@auth/core`), Feb 10, 2023
ndom91 commented Dec 29, 2023

Closing in favor of the work done here: #8808

@ndom91 ndom91 closed this Dec 29, 2023