承接 davidearl/webauthn 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

davidearl/webauthn

Composer 安装命令:

composer require davidearl/webauthn

包简介

An implementation of webauthn in PHP on the server side (e.g Yubico 2 and Google Titan keys)

README 文档

README

webauthn allows for log in or second factor authentication for web sites that support the protocol in browsers that also support it, using a physical key (such as a Yubikey 2 security key or Google's Titan USB key), biometrics such as fingerprints and face recognition, and now even your Windows 10 login PIN.

Webauthn was announced for Firefox 60 in May 2018 and also later added to Chrome 67 later in 2018.

Windows 10 version 1903 distributed in summer 2019 links the Windows password-less login system to webauthn, meaning that the same methods used to log in to Windows 10 can now also be used to log in to (or as second factor authentication for) web sites supporting webauthn. Somewhere along the line Android also added webauthn support for fingerprint readers. Chrome and Firefox on Mac also support webauthn via MacBook built-in fingerprint readers and also USB keys (Yubico 2/5, Titan). Sadly, iOS is lagging behind as of August 2019: nothing on iPhone or iPad supports webauthn, to my knowledge.

The idea of the age of password-less logins was widely broadcast in the technical press when Firefox 60 first came out. But the reality is the whole thing is just too complicated for easy adoption. It needs another layer to simplify it for routine use.

There are a couple examples in Javascript (see the "coffee" example). But the whole point is that the challenge and authentication must be done server-side. There are also now implementations for Go, Ruby, Python, Java and .NET at webauthn.io, but PHP support is very limited, hence this library.

Webauthn is fiendishly complicated, not so much in the cryptography as the way the structures are packed and named. Unnecessarily so (CBOR? What? Surely browsers could have unpacked it from that even if space is at such a premium that keys themselves require this weird binary format; and why not produce the key in PEM format. And so on).

So I spent quite a while translating the "coffee" example into a PHP class for Yubico 2 keys, while doing the minimum at the browser side (just unpacking enough to put into a convenient JSON form to transport to the server), and I thought I would share it. Several others have since helped with support for broader application with fingerprints and Windows Hello.

Changes 8 Dec 2022

To prevent a possible replay of a login, the user's webauthn string is now passed by reference to prepareForLogin and authenticate, both of which modify it. The string should now be saved with the user in your user after these calls, as well as when registering. This saves and then cross-checks and clears the challenge data sent to the key, so that it cannot be re-used.

Changes from branch 0.1.0

The original code was updated in August 2019 by a number of contributors (thank you!) to use composer for dependencies and update name space, class and method names into line with conventions.

As a result, if you downloaded the original code, the various names in your code will need to be updated. Now \Davidearl for the namespace (upper case D), class name and the directory where it lives is now WebAuthn, and the method names are camelCase.

If you want the code with the original names, download branch 0.1.0. That will not be updated in future.

Dependencies

This requires

  • PHP CBOR library: can be installed using composer install in the project directory
  • phpseclib, ditto
  • A recent openssl included in PHP (openssl_verify in particular)
  • PHP 5.6.1 or later (preferably PHP 7.4 or 8.1; not tested with PHP 8.2, which has some significant changes to property declarations)

Example

The example code is live at https://webauthn.davidearl.uk.

To host the example yourself,

  • put the code in the document hierarchy for your server (say https://example.com/webauthn),
  • install CBOR etc. using composer install
  • visit yoururl/example (e.g.https://example.com/webauthn/example)

If you put all the directories in webauthn at your document root and add an index.php as follows, you can run it at the top level as e.g. https://example.com (use your domain name, obviously).

<?php chdir('example'); include_once('index.php');

davidearl/webauthn 适用场景与选型建议

davidearl/webauthn 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 47.38k 次下载、GitHub Stars 达 136, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 davidearl/webauthn 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 davidearl/webauthn 我们能提供哪些服务?
定制开发 / 二次开发

基于 davidearl/webauthn 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 47.38k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 136
  • 点击次数: 21
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 136
  • Watchers: 13
  • Forks: 24
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 未知