Skip to content

Change browser-side webauthn lib to webauthn-json

Maxime Besson requested to merge fix-fido2-webauthn-json into v2.0

The initial implementation of WebAuthn in LLNG used the webauthn-ui js library to ease interaction with the browser's WebAuthn API.

However this library is starting to show its limitations:

  • No support for Conditional UI
  • No support for extensions other than appID
  • No support for returning transports

This MR replaces this lib with webauthn-json:

  • Smaller in size
  • Simpler API
  • Compatible with the JSON types used in draft WebAuthn specifications (PublicKeyCredentialCreationOptionsJSON/RegistrationResponseJSON etc.)

In order to avoid template regressions, and ease future migrations, I removed all mentions of .js files from the webauthn templates. They are now injected by perl code (with $req->customScript) which in my opinion is a better UI/backend separation than mentionning JS scripts in template files.

Let me know if everything is OK regarding licencing, copyright, etc (webauthn-json uses the MIT licence)

Merge request reports

Loading