This document records the current compliance-oriented design of @sourceregistry/node-webauthn.
The library is split into:
- `server`: the relying-party authority. It generates options, validates client data, parses authenticator data, verifies signatures, and enforces policy.
- `client`: a thin browser adapter. It converts JSON-safe values into browser-native WebAuthn options, calls `navigator.credentials`, and serializes the resulting credential payloads.
This keeps the security-sensitive behavior on the server while preserving a simple client API.
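To make the "JSON-safe to browser-native" conversion concrete, here is an added example written for this page. It is not the library's own client adapter and does not use its API; it follows the field layout of the WebAuthn Level 3 JSON option types (binary fields carried as base64url strings), and `demoRoundTrip` is a constructed fixture standing in for the server's options and the browser's credential object.

```javascript
// Added example (not @sourceregistry/node-webauthn code): the kind of work a thin browser
// adapter does. WebAuthn's JSON option types carry binary fields as base64url strings, while
// navigator.credentials wants BufferSource. atob/btoa exist in browsers and in Node 16+.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/'); // atob tolerates missing '=' padding
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function bytesToBase64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b); // no spread: safe for large blobs
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// JSON-safe PublicKeyCredentialCreationOptions -> argument for navigator.credentials.create().
function creationOptionsFromJSON(json) {
  return {
    publicKey: {
      ...json,
      challenge: base64urlToBytes(json.challenge),
      user: { ...json.user, id: base64urlToBytes(json.user.id) },
      excludeCredentials: (json.excludeCredentials || []).map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
    },
  };
}

// Reverse direction: the PublicKeyCredential returned by create() -> JSON-safe payload for the server.
function registrationCredentialToJSON(cred) {
  return {
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(cred.response.clientDataJSON),
      attestationObject: bytesToBase64url(cred.response.attestationObject),
    },
    // Client extension results are already JSON-safe and travel unchanged.
    clientExtensionResults: cred.getClientExtensionResults ? cred.getClientExtensionResults() : {},
  };
}

// Constructed fixture: what a server might send, and a fake credential shaped like the
// browser's return value (there is no real navigator here).
function demoRoundTrip() {
  const optionsJSON = {
    rp: { id: 'example.com', name: 'Example' },
    user: { id: 'dXNlci0xMjM', name: 'alice', displayName: 'Alice' }, // "user-123"
    challenge: 'AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8',        // bytes 0x00..0x1f
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
    excludeCredentials: [{ type: 'public-key', id: '_-A' }],       // bytes ff e0
  };
  const native = creationOptionsFromJSON(optionsJSON);
  const fakeCredential = {
    id: 'Y3JlZC0x', rawId: base64urlToBytes('Y3JlZC0x').buffer, type: 'public-key', // "cred-1"
    response: {
      clientDataJSON: new TextEncoder().encode('{"type":"webauthn.create"}').buffer,
      attestationObject: new Uint8Array([0xa0]).buffer, // CBOR empty map, as a placeholder
    },
    getClientExtensionResults: () => ({ credProps: { rk: true } }),
  };
  return { native, json: registrationCredentialToJSON(fakeCredential) };
}
```

The only transformation is at the binary boundary; everything else (`rp`, `pubKeyCredParams`, extension results) is passed through untouched, which is what keeps the client thin.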
The server currently implements:
- Random challenge generation and verification
- `clientDataJSON` validation for:
  - ceremony type
  - challenge
  - origin
  - stable malformed-JSON rejection
- RP ID hash verification in authenticator data
- Authenticator flag parsing for:
  - UP
  - UV
  - BE
  - BS
  - AT
  - ED
- Signature verification for authentication assertions
- Optional authentication credential ID binding
- Signature counter replay detection
- JSON-safe option builders for registration and authentication
- Registration attestation verification for:
  - `none`
  - `packed` self attestation
  - `packed` certificate-based attestation with optional trust anchors
  - `fido-u2f` attestation verification with optional trust anchors
  - `apple` attestation verification using the Apple nonce extension and credential public-key binding
  - `android-key` attestation verification using the Android key attestation extension and credential public-key binding
  - `android-safetynet` attestation verification with JWS signature, nonce, timestamp, and CTS profile checks
  - `tpm` attestation verification with `certInfo`, `pubArea`, and credential public-key binding checks
- Authenticator extension data parsing
- Client extension result transport through the client/server helpers
- Attestation trust modes:
  - `none`
  - `permissive`
  - `strict`
- Optional metadata provider hooks for relying-party trust policy
- CA and `keyCertSign` checks when a certificate issues another certificate in the attestation path
- Lightweight extension policy enforcement for:
  - `credProps`
  - `appid`
  - `appidExclude`
  - `largeBlob`
Current limitations:
- Full FIDO Metadata Service integration is not implemented yet
- Certificate revocation checking is not implemented yet
- Extension handling currently validates only a practical subset of extension result shapes
- Cross-origin ceremonies are intentionally rejected for now
Specification references:
- WebAuthn Level 3 https://www.w3.org/TR/webauthn-3/
- Registration ceremony verification https://www.w3.org/TR/webauthn-3/#sctn-registering-a-new-credential
- Authentication assertion verification https://www.w3.org/TR/webauthn-3/#sctn-verifying-assertion
- Authenticator data https://www.w3.org/TR/webauthn-3/#sctn-authenticator-data
- Attestation object https://www.w3.org/TR/webauthn-3/#sctn-attestation
- Packed attestation statement format https://www.w3.org/TR/webauthn-3/#sctn-packed-attestation
- FIDO U2F attestation statement format https://www.w3.org/TR/webauthn-3/#sctn-fido-u2f-attestation
- Apple anonymous attestation https://www.w3.org/TR/webauthn-3/#sctn-apple-anonymous-attestation
- Android key attestation statement format https://www.w3.org/TR/webauthn-3/#sctn-android-key-attestation
- Android SafetyNet attestation statement format https://www.w3.org/TR/webauthn-3/#sctn-android-safetynet-attestation
- TPM attestation statement format https://www.w3.org/TR/webauthn-3/#sctn-tpm-attestation
- Client extension processing https://www.w3.org/TR/webauthn-3/#client-extension-processing
The default API should remain easy:
- `createRegistrationOptions(...)`
- `verifyRegistrationResponse(...)`
- `createAuthenticationOptions(...)`
- `verifyAuthenticationResponse(...)`
Advanced verification, including richer attestation formats and trust policy, should be added incrementally without forcing that complexity onto every consumer.