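Bitwarden Passwordless.dev is a software toolkit that helps developers build FIDO2 WebAuthn passkey features for seamless authentication flows.
Using Passwordless.dev means there is no need to read extensive W3C specification documentation, determine what cryptography to implement, or worry about managing stored public keys. The team behind Bitwarden takes care of that for you.
The passwordless-server project contains the APIs, database, and other core infrastructure items needed for the backend of all Passwordless clients.
You can try the demo web application powered by Passwordless.dev at demo.passwordless.dev. You can also watch the following video:
Get started with Passwordless.dev:
You can use Passwordless.dev with a variety of backend platforms; see the documentation for more information. Below is an example of a backend integration using ASP.NET Core and the Passwordless SDK for .NET: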
```csharp
// Add Passwordless to your service container
services.AddPasswordlessSdk(options =>
{
    options.ApiSecret = "your_api_secret";
});

// ...

// Define the /register endpoint
app.MapGet("/register", async (IPasswordlessClient passwordless, string alias) =>
{
    // Get existing user ID from session or create a new user in your database
    var userId = Guid.NewGuid().ToString();

    // Provide the userid and an alias to link to this user
    var payload = new RegisterOptions(userId, alias)
    {
        // Optional: Link this user ID to an alias (e.g. email)
        Aliases = [alias]
    };

    try
    {
        var tokenRegistration = await passwordless.CreateRegisterTokenAsync(payload);

        // Return this token to the frontend
        return Results.Ok(tokenRegistration);
    }
    catch (PasswordlessApiException e)
    {
        // Minimal API handlers return IResult, so use Results.Json here
        return Results.Json(e.Details, statusCode: (int?)e.StatusCode);
    }
});

// Define the /signin endpoint
app.MapGet("/signin", async (IPasswordlessClient passwordless, string token) =>
{
    try
    {
        var verifiedUser = await passwordless.VerifyTokenAsync(token);

        // Sign the user in, set a cookie, etc
        return Results.Ok(verifiedUser);
    }
    catch (PasswordlessApiException e)
    {
        return Results.Json(e.Details, statusCode: (int?)e.StatusCode);
    }
});
```

Complete the setup by using the Passwordless client on your frontend to implement the registration and sign-in flows. We also provide first-party integrations for several frontend frameworks; see the documentation for more information. Below is a simple example using vanilla JavaScript:
Install:

```bash
$ npm install @passwordlessdev/passwordless-client
```

Register endpoint:

```javascript
import Passwordless from '@passwordlessdev/passwordless-client';

// Instantiate a passwordless client using your API public key.
const p = new Passwordless.Client({
  apiKey: "myapplication:public:4364b1a49a404b38b843fe3697b803c8"
});

// Placeholder: the alias entered by the user. The /register backend endpoint
// shown above reads it from the `alias` query parameter.
const alias = "user@example.com";

// Fetch the registration token from the backend.
const backendUrl = "https://localhost:8002";
const registerToken = await fetch(backendUrl + "/register?alias=" + encodeURIComponent(alias)).then(r => r.json());

// Register the token with the end-user's device.
const { token, error } = await p.register(registerToken);
```

Sign-in endpoint:
```javascript
import Passwordless from '@passwordlessdev/passwordless-client';

// Instantiate a passwordless client using your API public key.
const p = new Passwordless.Client({
  apiKey: 'myapplication:public:4364b1a49a404b38b843fe3697b803c8'
});

// Generate an authentication token for the user. Use exactly one of the options below.

// Option 1: Enable browsers to suggest passkeys for any input that has autocomplete="webauthn" (only works with discoverable passkeys).
const { token, error } = await p.signinWithAutofill();

// Option 2: Enables browsers to suggest passkeys by opening a UI prompt (only works with discoverable passkeys).
// const { token, error } = await p.signinWithDiscoverable();

// Option 3: Use an alias specified by the user.
// const email = '[email protected]';
// const { token, error } = await p.signinWithAlias(email);

// Option 4: Use a userId if already known, for example if the user is re-authenticating.
// const userId = '107fb578-9559-4540-a0e2-f82ad78852f7';
// const { token, error } = await p.signinWithId(userId);

if (error) {
  console.error(error);
  // { errorCode: "unknown_credential", "title": "That credential is not registered with this website", "details": "..."}
} else {
  // Call your backend to verify the token.
  const backendUrl = 'https://localhost:8002'; // Your backend
  const verifiedUser = await fetch(backendUrl + '/signin?token=' + encodeURIComponent(token)).then((r) => r.json());
  if (verifiedUser.success === true) {
    // If successful, proceed!
    // verifiedUser.userId = "107fb578-9559-4540-a0e2-f82ad78852f7";
  }
}
```

We welcome code contributions! Please submit any pull requests against the main branch. All changes require tests that demonstrate the expected behavior. Please note that large code changes and units of work are less likely to be merged because of the review burden.
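
The `/signin` backend sample earlier on this page stops at the comment "Sign the user in, set a cookie, etc". As an added example, not code from the Passwordless.dev project, the JavaScript below shows the server-side checks that step needs before a session is issued. `session`, `newSessionId`, `verifyToken` and the returned object shape are assumptions; only the `success` and `userId` fields come from the page.

```javascript
// Added example, not Passwordless.dev code. `session`, `newSessionId` and the
// return shape are hypothetical; `verifiedUser` is what the backend SDK call
// (VerifyTokenAsync in the .NET sample) returned, with `success` and `userId`.

// Decide, on the server, whether a verified token may establish a session.
function establishSession(session, verifiedUser, newSessionId) {
  // Only a result obtained by the backend with the API secret is trusted.
  if (!verifiedUser || verifiedUser.success !== true) {
    return { ok: false, reason: 'token_not_verified' };
  }
  const userId = verifiedUser.userId;
  if (typeof userId !== 'string' || userId.length === 0) {
    return { ok: false, reason: 'missing_user_id' };
  }
  // Re-authentication (Option 4): the passkey must belong to the account
  // that is already signed in, otherwise the session would switch users.
  if (session.userId && session.userId !== userId) {
    return { ok: false, reason: 'user_mismatch' };
  }
  // Rotate the session identifier at the privilege change so an identifier
  // issued before sign-in cannot be reused afterwards.
  return {
    ok: true,
    session: { id: newSessionId(), userId, authenticatedAt: Date.now() },
  };
}

// Wiring for a /signin handler: verify first, then apply the checks above.
async function handleSignin(session, token, verifyToken, newSessionId) {
  if (typeof token !== 'string' || token.length === 0) {
    return { ok: false, reason: 'missing_token' };
  }
  try {
    return establishSession(session, await verifyToken(token), newSessionId);
  } catch (e) {
    // A verification error never results in a session.
    return { ok: false, reason: 'verification_failed' };
  }
}

// Constructed sample values, for illustration only.
const sampleUser = { success: true, userId: '107fb578-9559-4540-a0e2-f82ad78852f7' };
const fresh = establishSession({ id: 'pre-login' }, sampleUser, () => 'rotated-1');
console.log(fresh.ok, fresh.session.id);
```

The browser-side `verifiedUser.success` check only drives the UI; the session decision is the one made here on the backend.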
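Security audits and feedback are welcome. Please open an issue or, if the report is sensitive in nature, email us privately. You can read our security policy in the SECURITY.md file. We also run a program on HackerOne.
No grant of any rights in the trademarks, service marks, or logos of Bitwarden is made (except as may be necessary to comply with the notice requirements as applicable), and use of any Bitwarden trademarks must comply with the Bitwarden Trademark Guidelines.
See Contributing.
For instructions on how to self-host Passwordless.dev, see the self-hosting directory.
If you need support from the Passwordless.dev team, please send us a message at [email protected].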