# MedusaJS WebAuthn Authentication

Passwordless Authentication for MedusaJS using WebAuthn, the modern, secure authentication standard.
## Features
- Passwordless authentication using WebAuthn
- Support for hardware and software security keys
- Enhanced security with public key cryptography
- Seamless integration with MedusaJS
## WebAuthn Workflow

```mermaid
flowchart TD
    A[User Starts Registration] --> B[Request Registration Options]
    B --> C[Browser Creates Credential]
    C --> D[Send Credential to Server]
    D --> E[Server Verifies & Saves Credential]
    F[User Starts Login] --> G[Request Authentication Options]
    G --> H[User Interacts with Security Key]
    H --> I[Browser Generates Authentication Assertion]
    I --> J[Server Verifies Assertion]
    J --> K[User Authenticated]
```
### Detailed Authentication Flow

- Registration
  - User initiates registration
  - Server generates registration options
  - Browser creates a unique cryptographic credential
  - Credential verified and saved on server
- Authentication
  - User starts login process
  - Server generates authentication challenge
  - User authenticates with security key
  - Server verifies the cryptographic assertion
  - User granted access
## Installation

Install the package using npm:

```bash
npm install @vymalo/medusa-webauthn
```

Or using yarn:

```bash
yarn add @vymalo/medusa-webauthn
```
## Configuration

### Plugin Configuration

```js
plugins: [
  {
    resolve: "@vymalo/medusa-webauthn",
    options: {
      rpName: process.env.WEBAUTHN_RP_NAME, // Relying Party Name
      rpID: process.env.WEBAUTHN_RP_ID, // Relying Party ID
      origin: process.env.WEBAUTHN_ORIGIN, // Origin of your application
    },
  },
],
projectConfig: {
  http: {
    authMethodsPerActor: {
      customer: ["webauthn"], // Enable WebAuthn for customers
    },
  },
},
modules: [
```
## Security Architecture

```mermaid
graph TD
    A[User Device] -->|Public Key| B[Server]
    B -->|Challenge| A
    A -->|Signed Challenge| B
    B -->|Verify Signature| A
    subgraph Cryptographic Process
        PK[Public Key Cryptography]
        Challenge[Challenge Generation]
        Signature[Signature Verification]
    end
```
### Key Security Concepts
- No Shared Secrets: Uses public-key cryptography
- Phishing Resistant: Bound to specific origin and application
- Hardware Key Support: Works with security keys like YubiKey
- Multi-Factor Capable: Can combine with other authentication methods
## Environment Variables

- `WEBAUTHN_RP_NAME`: Your application's name
- `WEBAUTHN_RP_ID`: Domain of your application
- `WEBAUTHN_ORIGIN`: Full origin URL
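The three variables are not independent: WebAuthn requires the RP ID to be the origin's hostname or a registrable parent domain of it, and the origin to be served over HTTPS (plain `http://localhost` is accepted for local development). The following added check, which is not part of the plugin and uses a hypothetical `validateWebAuthnConfig` helper, catches the usual misconfigurations before they surface as failed registrations:

```javascript
// Added example, not code from the plugin: validate the WebAuthn environment
// variables before passing them to the plugin options.
function validateWebAuthnConfig({ rpName, rpID, origin }) {
  const errors = [];
  if (!rpName) errors.push("WEBAUTHN_RP_NAME is empty");

  let url;
  try {
    url = new URL(origin);
  } catch {
    errors.push(`WEBAUTHN_ORIGIN is not a valid URL: ${origin}`);
    return errors;
  }
  // An origin is scheme://host[:port] only; a path, query or fragment will never match
  // the origin the browser puts in clientDataJSON.
  if (url.pathname !== "/" || url.search || url.hash) {
    errors.push("WEBAUTHN_ORIGIN must be scheme://host[:port] with no path, query or fragment");
  }
  const isLocalhost = url.hostname === "localhost";
  if (url.protocol !== "https:" && !(url.protocol === "http:" && isLocalhost)) {
    errors.push("WEBAUTHN_ORIGIN must use https:// (http:// is only accepted for localhost)");
  }

  if (!rpID) {
    errors.push("WEBAUTHN_RP_ID is empty");
  } else if (rpID.includes("://") || rpID.includes(":") || rpID.includes("/")) {
    errors.push("WEBAUTHN_RP_ID must be a bare hostname, not a URL or host:port");
  } else if (!(url.hostname === rpID || url.hostname.endsWith("." + rpID))) {
    // The RP ID must equal the origin host or be a parent domain of it.
    errors.push(`WEBAUTHN_RP_ID "${rpID}" is not the origin host "${url.hostname}" or a parent domain of it`);
  }
  return errors;
}
```

Run it at startup against `process.env` and refuse to boot on a non-empty result; an RP ID that does not match the origin is the most common reason a WebAuthn integration fails only once it is deployed behind a real hostname.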
## Dependencies

- `@simplewebauthn/server`
- `@simplewebauthn/types`
- `superjson`
## Contributing

Contributions are welcome! Please submit pull requests or open issues.

## Security Reporting

If you discover a security vulnerability, please contact [your security contact].