WebAuthn

MedusaJS WebAuthn Authentication

🔐 Passwordless Authentication for MedusaJS using WebAuthn - The Modern, Secure Authentication Standard

🌟 Features

• Passwordless authentication using WebAuthn
• Support for hardware and software security keys
• Enhanced security with public key cryptography
• Seamless integration with MedusaJS

🔒 WebAuthn Workflow

1flowchart TD
2    A[User Starts Registration] --> B[Request Registration Options]
3    B --> C[Browser Creates Credential]
4    C --> D[Send Credential to Server]
5    D --> E[Server Verifies & Saves Credential]
6    
7    F[User Starts Login] --> G[Request Authentication Options]
8    G --> H[User Interacts with Security Key]
9    H --> I[Browser Generates Authentication Assertion]
10    I --> J[Server Verifies Assertion]
11    J --> K[User Authenticated]

Detailed Authentication Flow

1. Registration

   • User initiates registration
   • Server generates registration options
   • Browser creates a unique cryptographic credential
   • Credential verified and saved on server

2. Authentication

   • User starts login process
   • Server generates authentication challenge
   • User authenticates with security key
   • Server verifies the cryptographic assertion
   • User granted access

📦 Installation

Install the package using npm:

npm install @vymalo/medusa-webauthn

Or using yarn:

yarn add @vymalo/medusa-webauthn

🚀 Configuration

Plugin Configuration

1plugins: [
2  {
3    resolve: "@vymalo/medusa-webauthn",
4    options: {
5      rpName: process.env.WEBAUTHN_RP_NAME,     // Relying Party Name
6      rpID: process.env.WEBAUTHN_RP_ID,         // Relying Party ID
7      origin: process.env.WEBAUTHN_ORIGIN,      // Origin of your application
8    },
9  },
10],
11
12projectConfig: {
13  http: {
14    authMethodsPerActor: {
15      customer: ["webauthn"], // Enable WebAuthn for customers
16    },
17  },
18},
19
20modules: [
21  {
22    resolve: "@medusajs/medusa/auth",
23    dependencies: ["webauthn_api"],
24    options: {
25      providers: [
26        {
27          resolve: "@vymalo/medusa-webauthn/auth",
28          id: "webauthn",
29          options: {},
30        },
31      ],
32    },
33  }
34]

🛡️ Security Architecture

1graph TD
2    A[User Device] -->|Public Key| B[Server]
3    B -->|Challenge| A
4    A -->|Signed Challenge| B
5    B -->|Verify Signature| A
6    
7    subgraph Cryptographic Process
8    PK[Public Key Cryptography]
9    Challenge[Challenge Generation]
10    Signature[Signature Verification]
11    end

Key Security Concepts

• No Shared Secrets: Uses public-key cryptography
• Phishing Resistant: Bound to specific origin and application
• Hardware Key Support: Works with security keys like YubiKey
• Multi-Factor Capable: Can combine with other authentication methods

🔧 Environment Variables

• WEBAUTHN_RP_NAME: Your application's name
• WEBAUTHN_RP_ID: Domain of your application
• WEBAUTHN_ORIGIN: Full origin URL

📦 Dependencies

• @simplewebauthn/server
• @simplewebauthn/types
• superjson

🤝 Contributing

Contributions are welcome! Please submit pull requests or open issues.

🛡️ Security Reporting

If you discover a security vulnerability, please contact [your security contact].

📄 License

Check the license

🔗 Related Projects

• WebAuthn Specification
• MedusaJS
• SimpleWebAuthn