Skip to content

nealfennimore/passkeys

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

178 Commits

.github/workflows

.github/workflows

 
 

.vscode

.vscode

 
 

__mocks__/@cfworker

__mocks__/@cfworker

 
 

scripts

scripts

 
 

src

src

 
 

.gitignore

.gitignore

 
 

.prettierignore

.prettierignore

 
 

.prettierrc.json

.prettierrc.json

 
 

README.md

README.md

 
 

jest.config.ts

jest.config.ts

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

tailwind.config.js

tailwind.config.js

 
 

tsconfig.json

tsconfig.json

 
 

wrangler.toml

wrangler.toml

 
 

Repository files navigation

Passkeys Demo

Warning

This passkeys demo is not secure. It still needs input validation on everything, however it is at least a somewhat reasonable way of architecting and storing passkeys.

Architecture

  • Cloudflare workers for server endpoints
  • Cloudflare KV for temporary cache
  • Cloudflare D1 for storing public keys and user information
  • Github pages for the client code

Database

See database schema.

erDiagram
	users {
        text id PK "Stored as UUID"
		timestamp created_at
    }
    public_keys {
        text kid PK "Stored as UUID"
        blob pubkey
        blob attestation_data
		int cose_alg
		blob sign_counter
		text user_id FK "Stored as UUID"
		timestamp created_at
		timestamp updated_at
    }

	users ||--|{ public_keys: contains

Cache

All challenges expire in 5 minutes. All sessions expire in 24 hours.

erDiagram
	challenges {
        string session_type "Key of 'session_uuid:webauthn_type'"
		string challenge "Random challenge generated for session"
    }

	sessions {
		string session_id "Session UUID"
		string user_id "UUID of user"
	}

Passkeys Flows

Any user can have any username they want in this passkeys demo. The client browser generates the user id that will belong to that username, and that user id (which is an uuid v4) is the only piece of information that's stored about the user, along with their public key, and optional attestation data.

Since there's no identifiable user information, this can be considered an anonymous passkey implementation. As such, you'd be missing a way of keeping in touch with your users were you to implement the same demo.

Attestation

sequenceDiagram
	participant A as Authenticator
	participant C as Client
	participant S as Server


	note over C, S: API /attestation/generate
	C ->> S: Get a challenge
	S -->> C: Receive challenge

	C ->> A: Generate a key pair
	note right of A: Authenticator stores private key
	A -->> C: Return public key

	note over C, S: API /attestation/store
	C ->> S: Send pubkey and challenge
	note left of S: Store pubkey
	S -->> C: Success

Assertion

sequenceDiagram
	participant A as Authenticator
	participant C as Client
	participant S as Server

	note over C, S: API /assertion/generate
	C ->> S: Get a challenge
	S -->> C: Receive challenge

	C ->> A: Send challenge to use for signing
	A -->> C: Return signature

	note over C, S: API /assertion/verify
	C ->> S: Send signature
	note left of S: Server verifies signature
	S -->> C: Successfully verified

About

Passkeys demo using Cloudflare Workers, KV, and D1

passkeys.neal.codes

Topics

typescript webauthn passkey webauthn-demo passkeys passkeys-demo

Resources

Readme
Activity

Stars

66 stars

Watchers

5 watching

Forks

5 forks
Report repository

Releases

No releases published

Contributors 2

Languages