passwordless-id / webauthn

Webauthn / passkeys helper library to make your life easier. Client side, server side and demo included.
https://webauthn.passwordless.id
MIT License

Consider incorporating 'synced' status in verifyAuthentication() #69

Closed hjaber closed 3 months ago

hjaber commented 3 months ago

Currently, the verifyAuthentication() function doesn't take into account whether a credential is synced or not.

Unsure of the intention but we potentially don't need to save it during registration if it will not be used during authentication.

```ts
//authentication docs
const credentialKey = { // obtained from database by looking up `authentication.id`
    id: "3924HhJdJMy_svnUowT8eoXrOOO6NLP8SK85q2RPxdU",
    publicKey: "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgyYqQmUAmDn9J7dR5xl-HlyAA0R2XV5sgQRnSGXbLt_xCrEdD1IVvvkyTmRD16y9p3C2O4PTZ0OF_ZYD2JgTVA==",
    algorithm: "ES256",
    synced: true
} as const
```

```ts
export interface CredentialInfo {
    id: string;
    publicKey: string;
    algorithm: NamedAlgo;
    transports: ExtendedAuthenticatorTransport[];
    //synced?: boolean // add this type?
}
```

dagnelies commented 3 months ago

`synced` is not an attribute to verify. Rather, it is information that influences recovery procedures in case of device loss.

dagnelies commented 3 months ago

I also think the doc still has a glitch. I think I moved the `synced` attribute up into the parent object. When in doubt, always check the playground.
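
The replies above describe `synced` as input to recovery procedures rather than a value checked at login. As an added example (not part of the thread and not code from the passwordless-id/webauthn library), the code below reads the WebAuthn backup-eligibility and backup-state bits from raw authenticatorData and uses a stored `synced` field to pick a recovery path. The names `parseBackupFlags`, `recoveryPlan`, `sampleAuthData`, the returned labels, and the mapping of the stored `synced` field to the backup-state bit are assumptions.

```javascript
// Added example; not code from the passwordless-id/webauthn library.
// authenticatorData layout (WebAuthn): rpIdHash[32] | flags[1] | signCount[4] | ...
const FLAG_BE = 0x08; // backup eligible: credential is allowed to sync
const FLAG_BS = 0x10; // backup state: credential is currently backed up

// Read the backup bits from raw authenticatorData (Uint8Array).
function parseBackupFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  const backupEligible = (flags & FLAG_BE) !== 0;
  const backupState = (flags & FLAG_BS) !== 0;
  if (backupState && !backupEligible) {
    // WebAuthn does not allow BS=1 together with BE=0.
    throw new Error("malformed flags: BS set without BE");
  }
  return { backupEligible, backupState };
}

// Hypothetical policy helper: `synced` is assumed to be the value stored
// per credential at registration time (here: the backup-state bit).
function recoveryPlan(storedCredentials) {
  if (storedCredentials.length === 0) return "no-credentials";
  return storedCredentials.some((c) => c.synced === true)
    ? "passkey-survives-device-loss"
    : "needs-fallback-recovery";
}

// Constructed sample input: zeroed rpIdHash, chosen flags byte, signCount 0.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

// 0x01 = user present, 0x04 = user verified.
const syncedFlags = parseBackupFlags(sampleAuthData(0x01 | 0x04 | FLAG_BE | FLAG_BS));
const deviceBoundFlags = parseBackupFlags(sampleAuthData(0x01 | 0x04));
console.log(syncedFlags, deviceBoundFlags);
console.log(recoveryPlan([{ id: "cred-a", synced: deviceBoundFlags.backupState }]));
console.log(recoveryPlan([
  { id: "cred-a", synced: deviceBoundFlags.backupState },
  { id: "cred-b", synced: syncedFlags.backupState },
]));
```

An account whose only credentials are device-bound needs a separate recovery channel if the device is lost, which is why the flag is worth storing even though signature verification never reads it.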