-
Notifications
You must be signed in to change notification settings - Fork 0
Server Endpoints
Rain Zhang edited this page Nov 6, 2025
·
2 revisions
- Introduction
- API Architecture Overview
- General Endpoints
- Simple Mode Endpoints
- Advanced Mode Endpoints
- Authentication Flows
- Security Considerations
- Frontend Integration
- Error Handling
- Rate Limiting and Protection
The Post-Quantum WebAuthn Platform provides a comprehensive RESTful API for WebAuthn authentication using the FIDO2 library. The platform supports both simple and advanced authentication modes, with built-in post-quantum cryptographic algorithm support and extensive metadata service capabilities.
The server is built on Flask and provides endpoints for credential registration, authentication, metadata management, and cryptographic operations. All endpoints follow RESTful principles and use JSON for request/response payloads.
The server follows a modular architecture with separate route handlers for different authentication modes:
graph TB
subgraph "Flask Application"
App[Flask App]
Config[Configuration]
end
subgraph "Route Modules"
General[General Routes]
Simple[Simple Mode Routes]
Advanced[Advanced Mode Routes]
end
subgraph "Core Services"
Storage[Credential Storage]
Attestation[Attestation Verification]
Metadata[Metadata Service]
Crypto[Cryptographic Operations]
end
App --> General
App --> Simple
App --> Advanced
General --> Metadata
Simple --> Storage
Simple --> Attestation
Advanced --> Storage
Advanced --> Attestation
Storage --> Crypto
Attestation --> Crypto
Diagram sources
- server/server/app.py
- server/server/config.py
Section sources
- server/server/app.py
- server/server/config.py
Retrieves the base verified FIDO Metadata Service (MDS) snapshot.
Request:
- Method: GET
- Headers: None required
- Query Parameters: None
Response:
{
"entries": [
{
"aaid": "string",
"aaguid": "string",
"description": "string",
"authenticatorVersion": "string",
"upv": [{"version": "string", "effectiveDate": "string"}],
"statusReports": [
{
"status": "string",
"effectiveDate": "string",
"authenticatorVersion": "string"
}
],
"metadataStatement": {
"legalHeader": "string",
"aaid": "string",
"aaguid": "string",
"description": "string",
"authenticatorVersion": "string",
"upv": [{"version": "string", "effectiveDate": "string"}],
"authenticationAlgorithms": ["string"],
"publicKeyAlgAndEncodings": ["string"],
"attestationTypes": ["string"],
"userVerificationDetails": [[{"methods": ["string"]}]],
"keyProtection": "string",
"matcherProtection": "string",
"cryptoStrength": "string",
"attachmentHint": "string",
"tcDisplay": "string",
"attestationRootCertificates": ["string"],
"icon": "string"
}
}
]
}Status Codes:
- 200: Success
- 404: Verified metadata snapshot not available
- 500: Verified metadata snapshot is corrupted
Lists custom uploaded metadata entries.
Request:
- Method: GET
- Headers: None required
- Query Parameters: None
Response:
{
"items": [
{
"filename": "string",
"originalFilename": "string",
"size": "string",
"lastModified": "string",
"contentType": "string",
"contentHash": "string",
"entries": [
{
"aaid": "string",
"aaguid": "string",
"description": "string",
"authenticatorVersion": "string",
"upv": [{"version": "string", "effectiveDate": "string"}],
"statusReports": [
{
"status": "string",
"effectiveDate": "string",
"authenticatorVersion": "string"
}
]
}
]
}
]
}Uploads custom metadata files for processing.
Request:
- Method: POST
- Headers:
Content-Type: multipart/form-data - Body: Form data with
filesfield containing JSON files
Response:
{
"items": [
{
"filename": "string",
"originalFilename": "string",
"size": "string",
"lastModified": "string",
"contentType": "string",
"contentHash": "string",
"entries": [
{
"aaid": "string",
"aaguid": "string",
"description": "string",
"authenticatorVersion": "string",
"upv": [{"version": "string", "effectiveDate": "string"}],
"statusReports": [
{
"status": "string",
"effectiveDate": "string",
"authenticatorVersion": "string"
}
]
}
]
}
],
"errors": ["string"]
}Deletes a custom metadata entry.
Request:
- Method: DELETE
- Path Parameters:
stored_filename- The filename of the metadata entry to delete
Response:
{
"deleted": true
}Performs encoding/decoding operations on WebAuthn payloads.
Request:
{
"payload": "string",
"mode": "decode", // or "encode"
"format": "cbor" // when mode is "encode"
}Response:
{
"decoded": "string",
"encoded": "string"
}Decodes WebAuthn payloads.
Request:
{
"payload": "string"
}Response:
{
"decoded": "string"
}Decodes X.509 certificates from attestation statements.
Request:
{
"certificate": "string"
}Response:
{
"details": {
"subject": "string",
"issuer": "string",
"serialNumber": "string",
"validFrom": "string",
"validTo": "string",
"publicKey": {
"algorithm": "string",
"keySize": "string",
"curve": "string"
}
}
}Deletes public key material for a user.
Request:
{
"email": "string"
}Response:
{
"status": "OK"
}Downloads credential data for a user.
Request:
- Method: GET
- Query Parameters:
email- The user's email address
Response: Returns a binary file containing pickled credential data.
Section sources
- server/server/routes/general.py
Initiates the credential registration process.
Request:
{
"credentials": [
{
"credentialId": "string",
"aaguid": "string",
"publicKey": "string",
"algorithm": -7,
"signCount": 0,
"email": "string",
"type": "simple"
}
]
}Response:
{
"publicKey": {
"challenge": "string",
"rp": {
"id": "string",
"name": "string"
},
"user": {
"id": "string",
"name": "string",
"displayName": "string"
},
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
}
],
"timeout": 90000,
"attestation": "none",
"authenticatorSelection": {
"authenticatorAttachment": "cross-platform",
"requireResidentKey": false,
"userVerification": "discouraged"
}
},
"__session_state": "string"
}Completes the credential registration process.
Request:
{
"id": "string",
"rawId": "string",
"response": {
"attestationObject": "string",
"clientDataJSON": "string"
},
"__session_state": "string"
}Response:
{
"status": "OK",
"algo": "ES256 (ECDSA)",
"storedCredential": {
"type": "simple",
"email": "string",
"userName": "string",
"displayName": "string",
"credentialId": "string",
"aaguid": "string",
"publicKey": "string",
"signCount": 0,
"createdAt": "number",
"attestationFormat": "string",
"properties": {}
},
"relyingParty": {
"attestationFmt": "string",
"createdAt": "string",
"credentialId": "string",
"publicKeyAlgorithm": -7
}
}Initiates the authentication process.
Request:
{
"credentials": [
{
"credentialId": "string",
"aaguid": "string",
"publicKey": "string",
"algorithm": -7,
"signCount": 0,
"email": "string",
"type": "simple"
}
]
}Response:
{
"publicKey": {
"challenge": "string",
"rpId": "string",
"allowCredentials": [
{
"id": "string",
"type": "public-key"
}
],
"timeout": 90000,
"userVerification": "discouraged"
},
"__session_state": "string"
}Completes the authentication process.
Request:
{
"id": "string",
"rawId": "string",
"response": {
"authenticatorData": "string",
"clientDataJSON": "string",
"signature": "string",
"userHandle": "string"
},
"__session_state": "string"
}Response:
{
"status": "OK",
"authenticatedCredentialId": "string",
"signCount": 123
}Manages user credentials.
GET Request: Lists all stored credentials for the current session.
Response:
[
{
"email": "string",
"credentialId": "string",
"userName": "string",
"displayName": "string",
"algorithm": -7,
"type": "WebAuthn",
"createdAt": "number",
"signCount": 0,
"aaguid": "string",
"flags": {
"up": true,
"uv": true,
"at": true,
"ed": false,
"be": false,
"bs": false
},
"attestationFormat": "string",
"authenticatorAttachment": "cross-platform",
"residentKey": false,
"largeBlob": false
}
]DELETE Request: Removes all credentials for the current session.
Response:
{
"status": "OK",
"removed": 5
}Section sources
- server/server/routes/simple.py
Initiates advanced credential registration with custom options.
Request:
{
"publicKey": {
"rp": {
"id": "string",
"name": "string"
},
"user": {
"id": "string",
"name": "string",
"displayName": "string"
},
"challenge": "string",
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -50
}
],
"timeout": 90000,
"attestation": "none",
"authenticatorSelection": {
"authenticatorAttachment": "cross-platform",
"requireResidentKey": false,
"userVerification": "preferred"
},
"extensions": {
"credProps": true,
"minPinLength": true,
"largeBlob": {
"support": "write"
}
}
}
}Response:
{
"publicKey": {
"challenge": "string",
"rp": {
"id": "string",
"name": "string"
},
"user": {
"id": "string",
"name": "string",
"displayName": "string"
},
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -50
}
],
"timeout": 90000,
"attestation": "none",
"authenticatorSelection": {
"authenticatorAttachment": "cross-platform",
"requireResidentKey": false,
"userVerification": "preferred"
},
"extensions": {
"credProps": true,
"minPinLength": true,
"largeBlob": {
"support": "write"
}
}
},
"__session_state": "string",
"warnings": ["string"]
}Completes advanced credential registration.
Request:
{
"__credential_response": {
"id": "string",
"rawId": "string",
"response": {
"attestationObject": "string",
"clientDataJSON": "string"
}
},
"__session_state": "string"
}Response:
{
"status": "OK",
"storedCredential": {
"type": "advanced",
"email": "string",
"userName": "string",
"displayName": "string",
"credentialId": "string",
"aaguid": "string",
"publicKey": "string",
"signCount": 0,
"createdAt": "number",
"attestationFormat": "string",
"properties": {}
},
"relyingParty": {
"attestationFmt": "string",
"createdAt": "string",
"credentialId": "string",
"publicKeyAlgorithm": -50
}
}Initiates advanced authentication with custom options.
Request:
{
"publicKey": {
"rpId": "string",
"challenge": "string",
"allowCredentials": [
{
"id": "string",
"type": "public-key"
}
],
"timeout": 90000,
"userVerification": "preferred",
"extensions": {
"prf": {
"eval": {
"first": "string",
"second": "string"
}
}
}
}
}Response:
{
"publicKey": {
"challenge": "string",
"rpId": "string",
"allowCredentials": [
{
"id": "string",
"type": "public-key"
}
],
"timeout": 90000,
"userVerification": "preferred",
"extensions": {
"prf": {
"eval": {
"first": "string",
"second": "string"
}
}
}
},
"__session_state": "string"
}Completes advanced authentication.
Request:
{
"__assertion_response": {
"id": "string",
"rawId": "string",
"response": {
"authenticatorData": "string",
"clientDataJSON": "string",
"signature": "string",
"userHandle": "string"
}
},
"__session_state": "string"
}Response:
{
"status": "OK",
"authenticatedCredentialId": "string",
"signCount": 123
}Section sources
- server/server/routes/advanced.py
sequenceDiagram
participant Client as Frontend Client
participant Server as WebAuthn Server
participant Authenticator as Authenticator Device
Client->>Server : POST /api/register/begin
Server-->>Client : Registration Options
Client->>Authenticator : Create Credential
Authenticator-->>Client : Credential Response
Client->>Server : POST /api/register/complete
Server->>Server : Verify Attestation
Server-->>Client : Registration Result
Client->>Server : POST /api/authenticate/begin
Server-->>Client : Authentication Options
Client->>Authenticator : Authenticate
Authenticator-->>Client : Assertion Response
Client->>Server : POST /api/authenticate/complete
Server->>Server : Verify Signature
Server-->>Client : Authentication Result
Diagram sources
- server/server/static/scripts/simple/auth-simple.js
- server/server/routes/simple.py
sequenceDiagram
participant Client as Frontend Client
participant Server as WebAuthn Server
participant Authenticator as Authenticator Device
Client->>Server : POST /api/advanced/register/begin
Server-->>Client : Custom Registration Options
Client->>Authenticator : Create Credential with Extensions
Authenticator-->>Client : Credential Response
Client->>Server : POST /api/advanced/register/complete
Server->>Server : Verify Attestation & Extensions
Server-->>Client : Registration Result
Client->>Server : POST /api/advanced/authenticate/begin
Server-->>Client : Custom Authentication Options
Client->>Authenticator : Authenticate with Extensions
Authenticator-->>Client : Assertion Response
Client->>Server : POST /api/advanced/authenticate/complete
Server->>Server : Verify Signature & Extensions
Server-->>Client : Authentication Result
Diagram sources
- server/server/static/scripts/advanced/auth-advanced.js
- server/server/routes/advanced.py
All endpoints implement comprehensive input validation:
- JSON Schema Validation: Requests are validated against expected schemas
- Binary Data Validation: Base64, hexadecimal, and CBOR data is properly encoded/decoded
- Parameter Sanitization: User inputs are sanitized to prevent injection attacks
- Type Checking: All parameters are checked for correct types
- Secure Session Management: Sessions use secure cookies with appropriate attributes
- State Validation: All registration/authentication states are validated
- CSRF Protection: Implemented through session-based CSRF tokens
- Session Expiration: Sessions expire after timeout periods
- Post-Quantum Algorithms: Supports ML-DSA algorithms (-50, -49, -48) for quantum resistance
- Strong Randomness: Uses cryptographically secure random number generators
- Secure Key Storage: Private keys are securely stored and never exposed
- Algorithm Negotiation: Supports both classical and post-quantum algorithms
The server performs comprehensive attestation verification:
- Certificate Chain Validation: Verifies certificate trust chains
- Root Certificate Pinning: Validates against known root certificates
- AAGUID Matching: Ensures authenticator identity matches metadata
- RP ID Hash Verification: Validates relying party identifier
Section sources
- server/server/attestation.py
- server/server/config.py
The server provides seamless integration with JavaScript clients through well-defined APIs:
- Direct API Calls: Simple endpoints for straightforward integration
- Automatic State Management: Session state is handled automatically
- Error Handling: Comprehensive error reporting with user-friendly messages
- Customizable Options: Full control over registration/authentication parameters
- Extension Support: Complete support for WebAuthn extensions
- Real-time Validation: Immediate feedback on configuration errors
The server works with standard WebAuthn libraries:
- webauthn-json: Standard WebAuthn JSON ponyfill
- FIDO2 Library: Underlying FIDO2 implementation
- Custom Extensions: Support for proprietary extensions
Section sources
- server/server/static/scripts/simple/auth-simple.js
- server/server/static/scripts/advanced/auth-advanced.js
All endpoints return standardized error responses:
{
"error": "Error description",
"code": "ERROR_CODE",
"details": "Additional error details"
}| Status Code | Error Type | Description |
|---|---|---|
| 400 | BAD_REQUEST | Invalid request format or missing required parameters |
| 404 | NOT_FOUND | Resource not found |
| 500 | INTERNAL_ERROR | Server-side error during processing |
| 501 | NOT_IMPLEMENTED | Feature not supported |
- STATE_EXPIRED: Authentication state has expired
- INVALID_SIGNATURE: Signature verification failed
- INVALID_CHALLENGE: Challenge validation failed
- UNKNOWN_CREDENTIAL: Credential not found
The server provides mechanisms for error recovery:
- State Reset: Authentication states can be reset
- Retry Logic: Built-in retry mechanisms for transient failures
- Graceful Degradation: Fallback to simpler authentication modes
The server implements several security protections:
- Challenge Validation: Each authentication requires a fresh challenge
- Signature Counter: Monitors signature counts to detect replay attacks
- Duplicate Detection: Prevents credential reuse attacks
- Timeout Enforcement: Limits authentication ceremony duration
- Secure Cookies: Sessions use secure, HTTP-only cookies
- Session Rotation: Sessions are rotated periodically
- Cross-Site Request Forgery: Protection against CSRF attacks
- Session Timeout: Automatic session expiration
The server provides comprehensive logging:
- Authentication Events: Logs all authentication attempts
- Error Tracking: Detailed error logging for debugging
- Performance Metrics: Tracks API response times
- Security Events: Monitors suspicious activities
Section sources
- server/server/storage.py
- server/server/config.py