web-auth / webauthn-framework

FIDO-U2F / FIDO2 / Webauthn Framework
MIT License

Example App #649

Open Zaszczyk opened 1 month ago

Zaszczyk commented 1 month ago

Description

Could you provide example app implementing the framework? It is pretty hard to implement all actions using the docs.

Spomky commented 1 month ago

Hi @Zaszczyk,

There is a simple demo application (based on Symfony). I don't know of any simple PHP application similar to this one.

albanx commented 2 weeks ago

Same here, quite hard to follow the docs. As a step-by-step usage tutorial, the documentation does not provide a line of progression. I was planning to create a tutorial end to end but I have not been able to integrate it myself.

Spomky commented 2 weeks ago

What kind of application are you looking for? I will take the time to update the documentation and improve the progress to make the implementation easier, but I need to know what is blocking you.

Thanks

albanx commented 2 weeks ago

For example in the https://webauthn-doc.spomky-labs.com/pure-php/authenticator-registration page, it is not clear what to store once the registration has been completed: "You can store the Public Key Credential Source ($publicKeyCredentialSource)."

Should I store the complete object serialized or just part of it like credentialPublicKey?

albanx commented 2 weeks ago

I managed to make a working app, using this library but was quite hard from the documentation. For example this section

<?php

declare(strict_types=1);

$publicKeyCredentialSource = $publicKeyCredentialSourceRepository->findOneByCredentialId(
    $publicKeyCredential->rawId
);
if ($publicKeyCredentialSource === null) {
    // Throw an exception if the credential is not found.
    // It can also be rejected depending on your security policy (e.g. disabled by the user because of loss)
    throw new RuntimeException('Unknown credential');
}

$publicKeyCredentialSource = $authenticatorAssertionResponseValidator->check(
    $publicKeyCredentialSource,
    $authenticatorAssertionResponse,
    $publicKeyCredentialRequestOptions,
    'my-application.com',
    $userEntity?->id // Should be `null` if the user entity is not known before this step
);

// Optional, but highly recommended, you can save the credential source as it may be modified
// during the verification process (counter may be higher).
$publicKeyCredentialSourceRepository->saveCredential($publicKeyCredentialSource);

is missing quite a lot of info, like how to create the $authenticatorAssertionResponseValidator, what the $publicKeyCredentialSourceRepository repository DB looks like, and it does not explicitly highlight that the $csmFactory->requestCeremony() is different from the register one.

Is there a way to contribute to the documentation website, or is that proprietary?
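As an added example (not the project's code and not from this thread) addressing the two storage questions above, what to persist after registration and what the repository DB looks like, here is a PDO-backed repository that persists the full PublicKeyCredentialSource and updates it after each assertion. It assumes web-auth/webauthn-lib 4.x (public properties, `jsonSerialize()`, `createFromArray()`), a PDO connection to SQLite 3.24 or newer, and the class and table names are mine.

```php
<?php

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumes web-auth/webauthn-lib 4.x installed via Composer

use Webauthn\PublicKeyCredentialSource;

// Example repository, not part of the project. It stores the whole PublicKeyCredentialSource as the
// JSON from jsonSerialize(): check() needs the credential id, user handle and signature counter too,
// not only credentialPublicKey, and the counter must be written back after every login.
final class PdoCredentialSourceRepository
{
    public function __construct(private readonly PDO $pdo)
    {
        // source holds the full JSON; credential_id (base64url) is the lookup key used at assertion time
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS webauthn_credentials (
            credential_id TEXT PRIMARY KEY, user_handle TEXT NOT NULL,
            counter INTEGER NOT NULL, source TEXT NOT NULL)');
    }

    // Called with $publicKeyCredential->rawId before $authenticatorAssertionResponseValidator->check()
    public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource
    {
        $stmt = $this->pdo->prepare('SELECT source FROM webauthn_credentials WHERE credential_id = ?');
        $stmt->execute([self::b64url($publicKeyCredentialId)]);
        $json = $stmt->fetchColumn();
        if ($json === false) {
            return null; // unknown credential: reject the assertion
        }

        return PublicKeyCredentialSource::createFromArray(json_decode($json, true, 512, JSON_THROW_ON_ERROR));
    }

    // Upsert: call once after registration and again with the object returned by check(),
    // which carries the updated counter. A counter that does not increase is how a cloned
    // authenticator is detected, so skipping this write-back silently disables that check.
    public function saveCredentialSource(PublicKeyCredentialSource $source): void
    {
        $stmt = $this->pdo->prepare('INSERT INTO webauthn_credentials (credential_id, user_handle, counter, source)
            VALUES (?, ?, ?, ?) ON CONFLICT(credential_id) DO UPDATE SET counter = excluded.counter, source = excluded.source');
        $stmt->execute([self::b64url($source->publicKeyCredentialId), self::b64url($source->userHandle),
            $source->counter, json_encode($source, JSON_THROW_ON_ERROR)]);
    }

    private static function b64url(string $raw): string
    {
        return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
    }
}
```

`saveCredentialSource()` is the method the quoted snippet calls `saveCredential()`; pass it the value returned by `check()`, not the object you looked up, so the stored counter is the one the authenticator just reported.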