joeacarstairs / lallans-wabsteid-astro

The website of the Scots Language Society, implemented in Astro
https://scotsleidassocie.org

Users can login with WebAuthn #34

Open joeacarstairs opened 10 months ago

joeacarstairs commented 10 months ago

For #33, I really want users to be able to log in securely so they can get their subscription details, amend and cancel them all from the website, securely. I'm going to do this with WebAuthn.

TODO:

Some WebAuthn resources

Here's a guide to WebAuthn. It links to two TypeScript libraries for implementing the WebAuthn standard. SimpleWebAuthn looks the best: it has lots more stars and contributors on GitHub, and has a thorough (if not always brilliantly easy-to-follow) guide. The other library mentioned was passwordless-id/webauthn.

Thought process on why WebAuthn

I am not keen on doing password authentication. Passwords have terrible UX, being easily lost or forgotten. With passwords, we would also have to take responsibility for keeping the passwords secure both 'at rest' and 'in motion'. Plus, they're not very secure, since passwords can be stolen.

I looked into OAuth, but it turns out that's a way for users to authorize access to third-party resources, not first-party as in this case.

The best solution I can find seems to be WebAuthn. Right now, the UX is not fantastic for many users, but it's still better than passwords. Since WebAuthn is an open standard to which lots of heavy lifters (W3C, Google, Mozilla, Yubico, Microsoft et al.) have committed, the UX is likely to get better over time. If you happen to have a means of biometric authentication, such as a fingerprint scanner, or a physical key, such as a YubiKey, the UX is already pretty good. Again, since it is an open standard with lots of backing, it should be robust well into the future. And, since it uses public-key cryptography, it's much more secure than password authentication.

So, I'm going to implement WebAuthn. However, since it is a new technology and the UX isn't great for all users yet, I should avoid keeping critical functionality behind this authentication flow. Authentication should enable an enhanced experience; it should not be a prerequisite for the basics.

joeacarstairs commented 10 months ago

I've set everything up for registration, and verification is WIP. Before I go any further with verification, I should check that registration works end-to-end as expected.