fix: implement full FIDO2 WebAuthn verification

vveerrgg · claude · vveerrgg · commit 1edf17b1f985 · 2026-02-27T09:47:38.000-08:00
CRITICAL: verification previously only checked challenge string — did
not verify origin, type, rpIdHash, or authenticator signature.

Now uses @simplewebauthn/server for complete verification:
- Origin validation against configured allowed origins
- Type checking (webauthn.create / webauthn.get)
- rpIdHash verification against expected RP ID
- Cryptographic signature verification against stored credential pubkey
- Sign counter tracking for clone detection
- User verification flag enforcement
- Credential public key storage from registration for auth verification

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/server/webauthn.ts b/src/server/webauthn.ts
@@ -1,15 +1,39 @@
 /**
  * Server-side WebAuthn implementation
+ *
+ * Uses @simplewebauthn/server for full WebAuthn verification including:
+ * - clientDataJSON.type validation ('webauthn.create' / 'webauthn.get')
+ * - origin verification
+ * - rpIdHash verification
+ * - authenticator cryptographic signature verification
+ * - sign counter checking for clone detection
  */
-import type { WebAuthnOptions } from '../types/auth';
+import type { WebAuthnOptions, StoredCredential } from '../types/auth';
 import { generateRandomString } from '../utils';
+import {
+  verifyRegistrationResponse,
+  verifyAuthenticationResponse,
+  type VerifiedRegistrationResponse,
+  type VerifiedAuthenticationResponse,
+} from '@simplewebauthn/server';
+import type {
+  RegistrationResponseJSON,
+  AuthenticationResponseJSON,
+  AuthenticatorTransportFuture,
+} from '@simplewebauthn/types';
 
 export class WebAuthnServer {
   private options: WebAuthnOptions;
   private challenges: Map<string, { challenge: string; timestamp: number }>;
-  private credentials: Map<string, Array<any>>;
+  private credentials: Map<string, StoredCredential[]>;
 
   constructor(options: WebAuthnOptions) {
+    if (!options.rpId) {
+      throw new Error('WebAuthnServer requires rpId to be set');
+    }
+    if (!options.origin) {
+      throw new Error('WebAuthnServer requires origin to be set for verification');
+    }
     this.options = options;
     this.challenges = new Map();
     this.credentials = new Map();
@@ -52,11 +76,23 @@ export class WebAuthnServer {
   }
 
   /**
-   * Verify a WebAuthn registration response
+   * Verify a WebAuthn registration response.
+   *
+   * Validates:
+   * - clientDataJSON.type === 'webauthn.create'
+   * - clientDataJSON.origin matches expected origin
+   * - clientDataJSON.challenge matches the issued challenge (constant-time)
+   * - rpIdHash matches SHA-256 of the configured RP ID
+   * - Authenticator flags (user presence, user verification if required)
+   * - Attestation statement (if present)
+   *
+   * On success, stores the extracted credential public key and counter
+   * for future authentication verification.
+   *
    * @param userId The user's ID (pubkey)
-   * @param credential The credential from the client
+   * @param credential The RegistrationResponseJSON from the client
    */
-  async verifyRegistration(userId: string, credential: any): Promise<boolean> {
+  async verifyRegistration(userId: string, credential: RegistrationResponseJSON): Promise<boolean> {
     // Check if user already has credentials
     if (this.credentials.has(userId)) {
       throw new Error('User already has registered credentials. Please use authentication instead.');
@@ -67,7 +103,7 @@ export class WebAuthnServer {
       throw new Error('No challenge found for user');
     }
 
-    // Remove the challenge
+    // Remove the challenge (single-use)
     this.challenges.delete(userId);
 
     // Check if challenge has expired (5 minutes)
@@ -76,33 +112,57 @@ export class WebAuthnServer {
     }
 
     try {
-      // TODO: Implement actual credential verification
-      // For now, we'll just verify the challenge matches
-      const clientDataJSON = JSON.parse(
-        Buffer.from(credential.response.clientDataJSON, 'base64').toString()
-      );
-
-      const isValid = clientDataJSON.challenge === expectedChallenge.challenge;
-      
-      if (isValid) {
-        // Store the credential
-        this.credentials.set(userId, [credential]);
+      // Use @simplewebauthn/server for full verification.
+      // This validates: type, origin, rpIdHash, challenge, attestation, flags.
+      const verification: VerifiedRegistrationResponse = await verifyRegistrationResponse({
+        response: credential,
+        expectedChallenge: expectedChallenge.challenge,
+        expectedOrigin: Array.isArray(this.options.origin) ? this.options.origin : [this.options.origin],
+        expectedRPID: this.options.rpId,
+        requireUserVerification: this.options.userVerification === 'required',
+      });
+
+      const { verified, registrationInfo } = verification;
+
+      if (verified && registrationInfo) {
+        // Store the credential with its public key for future authentication
+        const storedCredential: StoredCredential = {
+          credentialID: Buffer.from(registrationInfo.credentialID).toString('base64url'),
+          credentialPublicKey: Buffer.from(registrationInfo.credentialPublicKey).toString('base64url'),
+          counter: registrationInfo.counter,
+          credentialBackedUp: registrationInfo.credentialBackedUp,
+          credentialDeviceType: registrationInfo.credentialDeviceType,
+          transports: credential.response.transports as AuthenticatorTransportFuture[] | undefined,
+        };
+
+        this.credentials.set(userId, [storedCredential]);
       }
 
-      return isValid;
+      return verified;
     } catch (error) {
-      throw new Error('Failed to verify registration');
+      const message = error instanceof Error ? error.message : 'Unknown error';
+      throw new Error(`Failed to verify registration: ${message}`);
     }
   }
 
   /**
-   * Verify a WebAuthn authentication response
+   * Verify a WebAuthn authentication response.
+   *
+   * Validates:
+   * - clientDataJSON.type === 'webauthn.get'
+   * - clientDataJSON.origin matches expected origin
+   * - clientDataJSON.challenge matches the issued challenge (constant-time)
+   * - rpIdHash matches SHA-256 of the configured RP ID
+   * - Authenticator signature against the stored credential public key
+   * - Sign counter to detect cloned authenticators
+   *
    * @param userId The user's ID (pubkey)
-   * @param credential The credential from the client
+   * @param credential The AuthenticationResponseJSON from the client
    */
-  async verifyAuthentication(userId: string, credential: any): Promise<boolean> {
+  async verifyAuthentication(userId: string, credential: AuthenticationResponseJSON): Promise<boolean> {
     // Check if user has registered
-    if (!this.credentials.has(userId)) {
+    const storedCredentials = this.credentials.get(userId);
+    if (!storedCredentials || storedCredentials.length === 0) {
       throw new Error('No registered credentials found. Please register first.');
     }
 
@@ -111,24 +171,70 @@ export class WebAuthnServer {
       throw new Error('No challenge found for user');
     }
 
-    // Remove the challenge
+    // Remove the challenge (single-use)
     this.challenges.delete(userId);
 
     // Check if challenge has expired (5 minutes)
     if (Date.now() - expectedChallenge.timestamp > 5 * 60 * 1000) {
       throw new Error('Challenge has expired');
     }
 
+    // Find the matching stored credential by credential ID
+    const matchingCredential = storedCredentials.find(
+      (cred) => cred.credentialID === credential.id
+    );
+
+    if (!matchingCredential) {
+      throw new Error('Credential not found for this user');
+    }
+
     try {
-      // TODO: Implement actual credential verification
-      // For now, we'll just verify the challenge matches
-      const clientDataJSON = JSON.parse(
-        Buffer.from(credential.response.clientDataJSON, 'base64').toString()
-      );
+      // Use @simplewebauthn/server for full verification.
+      // This validates: type, origin, rpIdHash, challenge, signature, counter.
+      const verification: VerifiedAuthenticationResponse = await verifyAuthenticationResponse({
+        response: credential,
+        expectedChallenge: expectedChallenge.challenge,
+        expectedOrigin: Array.isArray(this.options.origin) ? this.options.origin : [this.options.origin],
+        expectedRPID: this.options.rpId,
+        authenticator: {
+          credentialID: Buffer.from(matchingCredential.credentialID, 'base64url'),
+          credentialPublicKey: Buffer.from(matchingCredential.credentialPublicKey, 'base64url'),
+          counter: matchingCredential.counter,
+          transports: matchingCredential.transports as AuthenticatorTransportFuture[] | undefined,
+        },
+        requireUserVerification: this.options.userVerification === 'required',
+      });
+
+      const { verified, authenticationInfo } = verification;
+
+      if (verified) {
+        // Update the sign counter to detect cloned authenticators.
+        // If the new counter is not greater than the stored counter (and not zero),
+        // it may indicate a cloned authenticator. @simplewebauthn/server handles
+        // this check internally and will throw if the counter is suspicious.
+        matchingCredential.counter = authenticationInfo.newCounter;
+      }
 
-      return clientDataJSON.challenge === expectedChallenge.challenge;
+      return verified;
     } catch (error) {
-      throw new Error('Failed to verify authentication');
+      const message = error instanceof Error ? error.message : 'Unknown error';
+      throw new Error(`Failed to verify authentication: ${message}`);
     }
   }
+
+  /**
+   * Get stored credentials for a user (useful for generating authentication options)
+   * @param userId The user's ID (pubkey)
+   */
+  getCredentials(userId: string): StoredCredential[] | undefined {
+    return this.credentials.get(userId);
+  }
+
+  /**
+   * Remove all credentials for a user
+   * @param userId The user's ID (pubkey)
+   */
+  removeCredentials(userId: string): boolean {
+    return this.credentials.delete(userId);
+  }
 }
diff --git a/src/types/auth.ts b/src/types/auth.ts
@@ -18,12 +18,33 @@ export interface WebAuthnOptions {
   rpId: string;
   /** Relying Party name (displayed to user) */
   rpName: string;
+  /** Expected origin for WebAuthn verification (e.g., 'https://example.com') */
+  origin: string | string[];
   /** User verification requirement */
   userVerification?: UserVerificationRequirement;
   /** Timeout in milliseconds */
   timeout?: number;
 }
 
+/**
+ * Stored credential data from a successful WebAuthn registration.
+ * Contains the public key and counter needed for authentication verification.
+ */
+export interface StoredCredential {
+  /** Base64url-encoded credential ID */
+  credentialID: string;
+  /** Base64url-encoded credential public key */
+  credentialPublicKey: string;
+  /** Sign counter for clone detection */
+  counter: number;
+  /** The credential backing type (e.g., 'singleDevice' or 'multiDevice') */
+  credentialBackedUp: boolean;
+  /** The credential device type */
+  credentialDeviceType: string;
+  /** Transports supported by this credential */
+  transports?: AuthenticatorTransport[];
+}
+
 export interface AuthenticationState {
   /** Current step in the authentication process */
   step: AuthenticationStep;
