-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[passkey] initial draft #474
base: main
Are you sure you want to change the base?
Conversation
}); | ||
} | ||
|
||
export async function registerCredential( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In addition to the registerCredential, there needs to be more methods verifying whether or not the credential was actually backedup (parse the registration response, verify backup eligibility and backup state), otherwise people will shoot themselves in the foot and create non-backedup credentials.
See https://github.com/aptos-foundation/AIPs/blob/main/aips/aip-66.md#authenticator-data
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Additionally we need support for identifying incompetent / malicious authenticators via AAGUID. see https://github.com/aptos-foundation/AIPs/blob/main/aips/aip-66.md#incompetent--malicious-authenticators
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-
Can I just expose this method
verifyAuthenticationResponse
to user? Its return typeVerifiedAuthenticationResponse
includecredentialDeviceType
andcredentialBackedUp
-
Should we implement a policy that only allows the use of password managers on the list https://github.com/passkeydeveloper/passkey-authenticator-aaguids/blob/main/aaguid.json ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For context on my general thought process here, overall I'd like to provide strong / safe defaults on passkey registration for the user with the ability to override them if a developer wants to.
- Yes you're on the right track, the
verifyAuthenticationResponse
method parsesBE
andBS
and returns theVerifiedAuthenticationResponse
. To make it easier for the user we can just check to make sure both are set to true to determine if the credential is backed up. - Per the point above, yes, I think it may make sense to have a strong default for users that allows for authenticators that are well known and
guaranteedto be backed up.iCloud Keychain (Managed)
,iCloud Keychain
, andGoogle Password Manager
for example.1Password
andDashlane
may also be acceptable but I'm not confident on the rest of them at this moment.
@@ -0,0 +1,3 @@ | |||
module.exports = { | |||
presets: [["@babel/preset-env", { targets: { node: "current" } }]], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what is the reason for adding babel? the sdk uses tsup as the bundle tool
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is for babel-jest
Some imports from @simplewebauthn/browser
broke jest, and I couldn't find a way to successfully run it using only ts-jest
, so I introduced bable-jest
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. I'd prefer not to introduce another bundle tool and keep the existing one. Also, to reduce potential errors, and to not increase the package size.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, but I have spent two days, still cannot run jest with only ts-jest
, looking forward to any suggestions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, the solution I found is from MasterKale/SimpleWebAuthn#293
* @returns {Promise<*>} | ||
* | ||
*/ | ||
const balance = async (aptos: Aptos, name: string, address: AccountAddress) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we keep this example in a node env - same as all the other examples on the SDK? https://github.com/aptos-labs/aptos-ts-sdk/blob/main/examples/typescript/keyless.ts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will have a try, but it maybe hard. Passkey (webauthn) requires browser API for interactive authentication process.
Please also include functions for ECDSA Public Key recovery: https://github.com/aptos-labs/aptos-ts-sdk/pull/194/files#diff-0d9fbf024d51030ac58aa3709e3eed1a07f4d45b5f65affd1211bff56dacb9b4R1. |
Added |
export async function recoverPublicKey( | ||
authenticatorData: Uint8Array, | ||
clientDataJSON: Uint8Array, | ||
signature: Uint8Array, | ||
) { | ||
const shaClientDataJSON = await sha256(clientDataJSON); | ||
const message = concatenateUint8Arrays(authenticatorData, shaClientDataJSON); | ||
|
||
const result = await recoverPublicKeyFromMessageAndSignature(message, signature); | ||
return result; | ||
} | ||
|
||
export async function recoverPublicKeyFromMessageAndSignature(message: Uint8Array, signature: Uint8Array) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for adding this in.
- Can we add tests for these methods that use the Passkey classes below? We want to make sure users can recover the public key associated with their passkey credential from one or more valid ECDSA signatures in the event that that the relying party loses or misplaces the user's public key.
- Also lets include a button in the UI for the
examples/typescript/passkey
folder that tests this
}); | ||
} | ||
|
||
export async function registerCredential( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For context on my general thought process here, overall I'd like to provide strong / safe defaults on passkey registration for the user with the ability to override them if a developer wants to.
- Yes you're on the right track, the
verifyAuthenticationResponse
method parsesBE
andBS
and returns theVerifiedAuthenticationResponse
. To make it easier for the user we can just check to make sure both are set to true to determine if the credential is backed up. - Per the point above, yes, I think it may make sense to have a strong default for users that allows for authenticators that are well known and
guaranteedto be backed up.iCloud Keychain (Managed)
,iCloud Keychain
, andGoogle Password Manager
for example.1Password
andDashlane
may also be acceptable but I'm not confident on the rest of them at this moment.
Also I'm not sure if SimpleWebAuthn provides this but I think it would be good to provide a method like
And this method should be checked in the happy path for passkey registration. See https://passkeys.dev/device-support/ for more info |
390d5bc
to
fa185dd
Compare
Description
This submission adds basic support for passkey to the SDK, and also includes corresponding tests.
Test Plan
There still some errors in api tests, especially the submission part of passkey transactions
Related Links
This submission mainly referenced the
passkeySigning
branch.