WebAuthn Support #153
Comments
Ok, so looking into this it really doesn't seem too hard. The two main Go libraries to do this are duo-labs/webauthn and koesie10/webauthn. JS implements it really nicely (https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API). The only issue is actually debugging this. You need a secure context, and the way that we currently do local development, it isn't considered a secure context. (This was actually the main thing stopping me from doing #87). Looking into this a bit more, it's actually not too hard. You need to generate a local certificate and have your computer trust it. Instructions are here, and I'll probably add them to the README at some point.
Alternatively, if you're using Chrome, you can go to chrome://flags and add "http://app.myhomework.invalid" to the list of "Insecure origins treated as secure". There's also probably a Firefox alternative with about:config.
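The secure-context requirement discussed in the two comments above, as an added example that is not part of the original thread or the project's code: a JavaScript approximation of the W3C Secure Contexts "potentially trustworthy origin" rules, showing why the plain-HTTP dev origin is rejected and how HTTPS or an explicit browser override changes the result. The function name, the `userAllowlist` parameter and the sample origins other than `http://app.myhomework.invalid` are assumptions made for illustration.

```javascript
// Added example: approximates the "potentially trustworthy origin" check
// browsers apply before exposing secure-context-only APIs such as WebAuthn.
// It looks only at scheme and host; whether an HTTPS certificate is actually
// trusted is decided separately by the browser.
// `userAllowlist` is a hypothetical parameter modelling a per-browser override
// like Chrome's "Insecure origins treated as secure" flag.
function isPotentiallyTrustworthy(rawUrl, userAllowlist = []) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable input is never trustworthy
  }
  // Authenticated transports, and file: which the spec lets browsers allow.
  if (["https:", "wss:", "file:"].includes(url.protocol)) return true;

  const host = url.hostname; // the URL parser lowercases and normalises it
  // Loopback literals: 127.0.0.0/8 and ::1 never leave the machine.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === "[::1]") return true;
  // localhost and its subdomains are expected to resolve to loopback.
  if (host === "localhost" || host.endsWith(".localhost")) return true;

  // Explicit override: exact origin match only (scheme + host + port).
  if (url.origin === "null") return false;
  return userAllowlist.some((entry) => {
    try {
      return new URL(entry).origin === url.origin;
    } catch {
      return false;
    }
  });
}

// Constructed sample origins; only the first appears in the thread.
const SAMPLE_ORIGINS = [
  "http://app.myhomework.invalid",
  "https://app.myhomework.invalid",
  "http://localhost:8080",
  "http://127.0.0.1:3000",
];

for (const origin of SAMPLE_ORIGINS) {
  console.log(origin, "->", isPotentiallyTrustworthy(origin));
}
```
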
This commit adds the dependency github.com/duo-labs/webauthn. Related: MyHomeworkSpace/client#153
This enables a secure context in Firefox (and I think Chromium) browsers, enabling work on issues such as MyHomeworkSpace/client#153 and MyHomeworkSpace/client#87 without worrying about certificates.
I've implemented like half of this so far. The current plan is that a user must have TOTP set up to set up WebAuthn. A user may have both TOTP and WebAuthn set up. A user cannot have WebAuthn set up without TOTP. Here's what's been done so far, and what needs to be done:
Since these features aren't finished yet, I've pushed them to MyHomeworkSpace/client@webauthn and MyHomeworkSpace/api-server@webauthn.
It would be amazing if we could support hardware tokens with U2F 🔒.