webauthn : Web Authentication API in Go
Overview 
This project provides a low-level and a high-level API to use the Web Authentication API (WebAuthn).
Install
go get github.com/koesie10/webauthn
High-level API
The high-level API can be used with the net/http package and simplifies the low-level API. It is located in the webauthn subpackage. It is intended
for use with e.g. fetch or XMLHttpRequest JavaScript clients.
First, make sure your user entity implements User. Then, create a new entity
implements Authenticator that stores each authenticator the user
registers.
Then, either make your existing repository implement AuthenticatorStore
or create a new repository.
Finally, you can create the main WebAuthn struct supplying the
Config options:
w, err := webauthn.New(&webauthn.Config{
// A human-readable identifier for the relying party (i.e. your app), intended only for display.
RelyingPartyName: "webauthn-demo",
// Storage for the authenticator.
AuthenticatorStore: storage,
})
Then, you can use the methods defined, such as StartRegistration
to handle registration and login. Every handler requires a Session, which stores
intermediate registration/login data. If you use gorilla/sessions, use
webauthn.WrapMap(session.Values). Read the documentation for complete information
on what parameters need to be passed and what values are returned.
For example, a handler for finish registration might look like this:
func (r *http.Request, rw http.ResponseWriter) {
ctx := r.Context()
// Get the user in some way, in this case from the context
user, ok := UserFromContext(ctx)
if !ok {
rw.WriteHeader(http.StatusForbidden)
return
}
// Get or create a session in some way, in this case from the context
sess := SessionFromContext(ctx)
// Then call FinishRegistration to register the authenticator to the user
h.webauthn.FinishRegistration(r, rw, user, webauthn.WrapMap(sess))
}
A complete demo application using the high-level API which implements all of these interfaces and stores data in memory is available
here.
JavaScript examples
This class is an example that can be used to handle the registration and login phases. It can be used as follows:
const w = new WebAuthn();
// Registration
w.register().then(() => {
alert('This authenticator has been registered.');
}).catch(err => {
console.error(err);
alert('Failed to register: ' + err);
});
// Login
w.login().then(() => {
alert('You have been logged in.');
}).catch(err => {
console.error(err);
alert('Failed to login: ' + err);
});
Or, with latest async/await paradigm:
const w = new WebAuthn();
// Registration
try {
await w.register();
alert('This authenticator has been registered.');
} catch (err) {
console.error(err)
alert('Failed to register: ' + err);
}
// Login
try {
await w.login();
alert('You have been logged in.');
} catch(err) {
console.error(err);
alert('Failed to login: ' + err);
}
Low-level API
The low-level closely resembles the specification and the high-level API should be preferred. However, if you would like to use the low-level
API, the main entry points are:
License
MIT.