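Bitwarden Passwordless.dev is a software toolkit that helps developers build FIDO2 WebAuthn passkeys features for seamless authentication flows.
Using Passwordless.dev means there is no need to read extensive W3C specification documentation, determine what cryptography to implement, or worry about managing stored public keys. The team behind Bitwarden will take care of that for you.
The passwordless-server project contains the APIs, database, and other core infrastructure items needed for the backend of all Passwordless clients.
You can try the demo web application powered by Passwordless.dev at demo.passwordless.dev.
Get started with Passwordless.dev:
You can use Passwordless.dev with a variety of backend platforms; see the documentation for more information. Below is an example of a backend integration using ASP.NET Core and the Passwordless SDK for .NET: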
```csharp
// Add Passwordless to your service container
services.AddPasswordlessSdk(options =>
{
    options.ApiSecret = "your_api_secret";
});

// ...

// Define the /register endpoint
app.MapGet("/register", async (IPasswordlessClient passwordless, string alias) =>
{
    // Get existing user ID from session or create a new user in your database
    var userId = Guid.NewGuid().ToString();

    // Provide the userid and an alias to link to this user
    var payload = new RegisterOptions(userId, alias)
    {
        // Optional: Link this user ID to an alias (e.g. email)
        Aliases = [alias]
    };

    try
    {
        var tokenRegistration = await passwordless.CreateRegisterTokenAsync(payload);

        // Return this token to the frontend
        return Results.Ok(tokenRegistration);
    }
    catch (PasswordlessApiException e)
    {
        // Minimal API handlers return IResult, so use Results.Json rather than an MVC JsonResult
        return Results.Json(e.Details, statusCode: (int?)e.StatusCode);
    }
});

// Define the /signin endpoint
app.MapGet("/signin", async (IPasswordlessClient passwordless, string token) =>
{
    try
    {
        var verifiedUser = await passwordless.VerifyTokenAsync(token);

        // Sign the user in, set a cookie, etc
        return Results.Ok(verifiedUser);
    }
    catch (PasswordlessApiException e)
    {
        return Results.Json(e.Details, statusCode: (int?)e.StatusCode);
    }
});
```

Complete the setup by using the Passwordless client on the frontend to implement the registration and sign-in flows. We also provide first-party integrations for several frontend frameworks; see the documentation for more information. Below is a simple example using vanilla JavaScript:
Install:

```shell
$ npm install @passwordlessdev/passwordless-client
```

Register endpoint:
```javascript
import Passwordless from '@passwordlessdev/passwordless-client';

// Instantiate a passwordless client using your API public key.
const p = new Passwordless.Client({
  apiKey: "myapplication:public:4364b1a49a404b38b843fe3697b803c8"
});

// Fetch the registration token from the backend.
// The /register endpoint shown earlier takes an `alias` query parameter.
const backendUrl = "https://localhost:8002";
const alias = "user@example.com"; // placeholder: the alias entered by the user
const registerToken = await fetch(backendUrl + "/register?alias=" + encodeURIComponent(alias)).then(r => r.json());

// Register the token with the end-user's device.
const { token, error } = await p.register(registerToken);
```

Sign-in endpoint:
```javascript
import Passwordless from '@passwordlessdev/passwordless-client';

// Instantiate a passwordless client using your API public key.
const p = new Passwordless.Client({
  apiKey: 'myapplication:public:4364b1a49a404b38b843fe3697b803c8'
});

// Generate an authentication token for the user. Use exactly one of the options below.

// Option 1: Enable browsers to suggest passkeys for any input that has autocomplete="webauthn" (only works with discoverable passkeys).
const { token, error } = await p.signinWithAutofill();

// Option 2: Enable browsers to suggest passkeys by opening a UI prompt (only works with discoverable passkeys).
// const { token, error } = await p.signinWithDiscoverable();

// Option 3: Use an alias specified by the user.
// const email = 'user@example.com'; // placeholder address
// const { token, error } = await p.signinWithAlias(email);

// Option 4: Use a userId if already known, for example if the user is re-authenticating.
// const userId = '107fb578-9559-4540-a0e2-f82ad78852f7';
// const { token, error } = await p.signinWithId(userId);

if (error) {
  console.error(error);
  // { errorCode: "unknown_credential", "title": "That credential is not registered with this website", "details": "..."}
} else {
  // Call your backend to verify the token.
  const backendUrl = 'https://localhost:8002'; // Your backend
  const verifiedUser = await fetch(backendUrl + '/signin?token=' + encodeURIComponent(token)).then((r) => r.json());
  if (verifiedUser.success === true) {
    // If successful, proceed!
    // verifiedUser.userId = "107fb578-9559-4540-a0e2-f82ad78852f7";
  }
}
```

We welcome code contributions! Please submit any pull requests against the main branch. All changes require tests that prove the intended behavior. Please note that large code changes and units of work are less likely to be merged because of the review burden.
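For the sign-in flow shown earlier, the backend decides whether a verified token may become a session. The following is an added example, not code from the Passwordless.dev project: a server-side JavaScript check run on the object returned by the verify step before a cookie is set. Only `success` and `userId` appear on this page; `origin`, `rpId`, `expiresAt` and `tokenId` are assumed field names, and `acceptVerifiedUser` and `policy` are hypothetical.

```javascript
// Added example (not project code). Decide whether a verify-token result
// may be turned into an application session.
function acceptVerifiedUser(verifiedUser, policy, now = new Date()) {
  // The page's own check: the verify call must report success.
  if (!verifiedUser || verifiedUser.success !== true) {
    return { ok: false, reason: 'not_verified' };
  }
  if (typeof verifiedUser.userId !== 'string' || verifiedUser.userId === '') {
    return { ok: false, reason: 'missing_user_id' };
  }
  // Assumed fields: the origin and relying-party ID the passkey was used on.
  if (verifiedUser.origin !== policy.expectedOrigin ||
      verifiedUser.rpId !== policy.expectedRpId) {
    return { ok: false, reason: 'wrong_origin' };
  }
  // Assumed field: ISO 8601 expiry of the verification result.
  const expires = Date.parse(verifiedUser.expiresAt);
  if (Number.isNaN(expires) || expires <= now.getTime()) {
    return { ok: false, reason: 'expired' };
  }
  // Assumed field: tokenId. Refuse a token this application already consumed
  // (defence in depth; an in-memory Set stands in for shared storage).
  if (typeof verifiedUser.tokenId !== 'string' ||
      policy.seenTokenIds.has(verifiedUser.tokenId)) {
    return { ok: false, reason: 'replayed' };
  }
  policy.seenTokenIds.add(verifiedUser.tokenId);
  return { ok: true, userId: verifiedUser.userId };
}

// Constructed sample data for illustration only.
function makePolicy() {
  return {
    expectedOrigin: 'https://app.example.com',
    expectedRpId: 'app.example.com',
    seenTokenIds: new Set(),
  };
}
const sampleVerifiedUser = {
  success: true,
  userId: '107fb578-9559-4540-a0e2-f82ad78852f7',
  origin: 'https://app.example.com',
  rpId: 'app.example.com',
  expiresAt: '2030-01-01T00:00:00Z',
  tokenId: 'constructed-token-id-1',
};
const demoPolicy = makePolicy();
console.log(acceptVerifiedUser(sampleVerifiedUser, demoPolicy, new Date('2025-01-01T00:00:00Z')));
console.log(acceptVerifiedUser(sampleVerifiedUser, demoPolicy, new Date('2025-01-01T00:00:00Z')));
```

Sending the token to the backend in a POST body instead of the `/signin?token=` query string also keeps it out of access logs and browser history.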
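Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file. We also run a program on HackerOne.
No grant of any rights in the trademarks, service marks, or logos of Bitwarden is made (except as may be necessary to comply with the notice requirements as applicable), and use of any Bitwarden trademarks must comply with the Bitwarden Trademark Guidelines.
See Contributing.
For instructions on how to self-host Passwordless.dev, see the self-hosting directory.
If you need support from the Passwordless.dev team, send us a message at [email protected].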