@simplewebauthn/server
Advanced tools
@simplewebauthn/server is a Node.js library that provides server-side functionality for WebAuthn, a web standard for secure authentication using public key cryptography. It helps in implementing registration and authentication flows for WebAuthn, making it easier to integrate strong, passwordless authentication into web applications.
Registration
This feature allows you to generate registration options for a new user and verify the registration response from the client. It ensures that the registration process is secure and follows the WebAuthn protocol.
const { generateRegistrationOptions, verifyRegistrationResponse } = require('@simplewebauthn/server');
// Generate registration options
const options = generateRegistrationOptions({
rpName: 'Example Corp',
rpID: 'example.com',
userID: 'user-id',
userName: 'user@example.com',
attestationType: 'indirect',
authenticatorSelection: {
userVerification: 'preferred',
},
});
// Verify registration response
const verification = verifyRegistrationResponse({
credential: response,
expectedChallenge: options.challenge,
expectedOrigin: 'https://example.com',
expectedRPID: 'example.com',
});Authentication
This feature allows you to generate authentication options for an existing user and verify the authentication response from the client. It ensures that the authentication process is secure and follows the WebAuthn protocol.
const { generateAuthenticationOptions, verifyAuthenticationResponse } = require('@simplewebauthn/server');
// Generate authentication options
const options = generateAuthenticationOptions({
rpID: 'example.com',
userVerification: 'preferred',
});
// Verify authentication response
const verification = verifyAuthenticationResponse({
credential: response,
expectedChallenge: options.challenge,
expectedOrigin: 'https://example.com',
expectedRPID: 'example.com',
authenticator: authenticator,
});fido2-lib is a library for implementing FIDO2 and WebAuthn server functionality. It provides similar features to @simplewebauthn/server, such as registration and authentication flows, but may require more manual setup and configuration.
webauthn is another library for implementing WebAuthn server functionality. It offers a straightforward API for handling registration and authentication, similar to @simplewebauthn/server, but with a different approach to configuration and usage.
This package can be installed from NPM and JSR:
npm install @simplewebauthn/server
deno add jsr:@simplewebauthn/server
You can find in-depth documentation on this package here: https://simplewebauthn.dev/docs/packages/server
SimpleWebAuthn supports all current WebAuthn attestation formats, including:
v13.0.0 - The one where they share a type
Hot on the heels of the last major release, v13 introduces support for registration hints! Refined types and improved attestation trust anchor verification are also included. Last but not least, we say goodbye to one of the project's packages for better docs and fewer dependencies to install. Read on for more information, including refactor advice for dealing with the retirement of @simplewebauthn/types.
Changes:
preferredAuthenticatorType argument can be set when calling
generateRegistrationOptions() to generate options that encourage the browser to direct the user
to register one of three types of authenticators: 'securityKey', 'localDevice', or
'remoteDevice' (a.k.a. opinionated
WebAuthn hints
support) (#653)startRegistration() will recognize hints if specified in optionsJSON
(#652)@typescript/types is being retired. Its types will now be included directly in @simplewebauthn/browser and @simplewebauthn/server.
To refactor existing imports from /types, simply import them from /browser or /server instead:
Before:
import type {
AuthenticationResponseJSON,
RegistrationResponseJSON,
WebAuthnCredential,
} from '@simplewebauthn/types'; // <--
After:
import type {
AuthenticationResponseJSON,
RegistrationResponseJSON,
WebAuthnCredential,
} from '@simplewebauthn/server'; // <--
FAQs
SimpleWebAuthn for Servers
We found that @simplewebauthn/server demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.