MasterKale
commented
2 years ago I'm abandoning this work because I think it's better left up to integration libraries to control how SimpleWebAuthn gets called. I'll instead focus on updating the docs website to offer guidance on how best to call WebAuthn for those discrete use cases that the community has settled on:
- MFA
- Passwordless
- Passkeys
See https://github.com/MasterKale/SimpleWebAuthn/issues/160#issuecomment-1086675526 for more context
I started thinking about #160 again, about how I might offer opinionated ways of leveraging WebAuthn. Part of this was recently motivated by my recent realization that "we" (in the "WebAuthn community" sense) need to switch from "WebAuthn is great, have you heard of it" to "WebAuthn is great, here are the small number of ways that you can properly use it".
For a while I didn't feel like I had a good idea for avoiding ugly method names like
getMFARegistrationOptions()orverifyPWLAuthenticationResponse(). Earlier this week, though, I had an epiphany that I can use the same mechanism I used in #140 to export "mode" helpers instead.Example
Change this:
To this:
And now no matter the options you pass into these methods some options will be overriden to always require user verification so that users fulfill "something you have" and "something you are"/"something you know" in a single authenticator interaction.
Later, if you decide you want lean into discoverable credentials more, you can update the package name and start generating options and verifying responses without needing to know the exact combination of options that will prompt the user to choose a credential to auth with without them needing to enter a username or email address:
By keeping the call signatures and return types the same, these opinionated helpers can be swapped out without needing to rewrite any of the code that call the methods.