Overview

WebAuthn

Enable passwordless authentication

MedusaJS WebAuthn Authentication

🔐 Passwordless Authentication for MedusaJS using WebAuthn - The Modern, Secure Authentication Standard

🌟 Features

  • Passwordless authentication using WebAuthn
  • Support for roaming hardware security keys and platform (software-backed) authenticators
  • Public-key cryptography: the server stores only public keys, so a leaked database contains no reusable login secrets
  • Seamless integration with MedusaJS

🔒 WebAuthn Workflow

flowchart TD
A[User Starts Registration] --> B[Request Registration Options]
B --> C[Browser Creates Credential]
C --> D[Send Credential to Server]
D --> E[Server Verifies & Saves Credential]
F[User Starts Login] --> G[Request Authentication Options]
G --> H[User Interacts with Security Key]
H --> I[Browser Generates Authentication Assertion]
I --> J[Server Verifies Assertion]
J --> K[User Authenticated]

Detailed Authentication Flow

  1. Registration
    • User initiates registration
    • Server generates registration options, including a fresh random challenge that it keeps for the session
    • Browser asks the authenticator to create a new key pair scoped to the RP ID; the private key never leaves the authenticator
    • Server verifies the response (challenge, origin, RP ID hash, signature) and stores the credential ID, public key and signature counter
  2. Authentication
    • User starts login process
    • Server generates authentication options with a new random challenge
    • User touches or unlocks the security key, which signs the challenge together with the origin and RP ID hash
    • Server verifies the signature with the stored public key and checks that challenge, origin and RP ID match and that the signature counter has advanced
    • User granted access

📦 Installation

Install the package using npm:

npm install @vymalo/medusa-webauthn

Or using yarn:

yarn add @vymalo/medusa-webauthn

🚀 Configuration

Plugin Configuration

// medusa-config.ts
import { defineConfig } from "@medusajs/framework/utils"

module.exports = defineConfig({
  projectConfig: {
    http: {
      authMethodsPerActor: {
        customer: ["webauthn"], // Enable WebAuthn for customers
      },
    },
  },
  plugins: [
    {
      resolve: "@vymalo/medusa-webauthn",
      options: {
        rpName: process.env.WEBAUTHN_RP_NAME, // Relying Party Name
        rpID: process.env.WEBAUTHN_RP_ID, // Relying Party ID (bare domain)
        origin: process.env.WEBAUTHN_ORIGIN, // Origin of your application (scheme://host[:port])
      },
    },
  ],
})

🛡️ Security Architecture

graph TD
A[User Device] -->|Public Key, at registration| B[Server]
B -->|Random Challenge| A
A -->|Signed Challenge + Origin| B
B -->|Verification Result| A
subgraph Cryptographic Process
PK[Public Key Cryptography]
Challenge[Challenge Generation]
Signature[Signature Verification]
end

Key Security Concepts

  • No Shared Secrets: the server holds only public keys, and every login signs a fresh random challenge, so nothing stored server-side can be replayed to log in
  • Phishing Resistant: credentials are scoped to the RP ID and the browser writes the real origin into the signed client data, so a credential registered for your domain cannot be exercised from a look-alike domain
  • Hardware Key Support: Works with roaming security keys like YubiKey as well as platform authenticators
  • Multi-Factor Capable: a key protected by a PIN or biometric (user verification) is possession plus knowledge/inherence on its own, and WebAuthn can be combined with other authentication methods

🔧 Environment Variables

  • WEBAUTHN_RP_NAME: Your application's name, shown to the user by the browser or authenticator during registration
  • WEBAUTHN_RP_ID: Domain of your application with no scheme, port or path (the storefront's host, or a registrable parent domain of it); credentials are bound to this value, so changing it later invalidates every registered key
  • WEBAUTHN_ORIGIN: Full origin URL exactly as the browser reports it, scheme and port included and with no path or trailing slash; any mismatch makes every verification fail

📦 Dependencies

  • @simplewebauthn/server
  • @simplewebauthn/types
  • superjson

🤝 Contributing

Contributions are welcome! Please submit pull requests or open issues.

🛡️ Security Reporting

If you discover a security vulnerability, please contact [your security contact].

📄 License

Check the license
