├── public
    ├── index.html
    ├── signup.html
    ├── profile.html
    └── login.html
├── package.json
└── index.js


/public/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta charset="UTF-8">
 5 |     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 6 |     <title>Passkeys</title>
 7 | </head>
 8 | <body>
 9 |     
10 | </body>
11 | </html>


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "web-authentication",
 3 |   "version": "1.0.0",
 4 |   "description": "",
 5 |   "main": "index.js",
 6 |   "scripts": {
 7 |     "dev": "nodemon index.js"
 8 |   },
 9 |   "keywords": [],
10 |   "author": "",
11 |   "license": "ISC",
12 |   "devDependencies": {
13 |     "nodemon": "^3.1.0"
14 |   },
15 |   "dependencies": {
16 |     "@simplewebauthn/server": "^10.0.0",
17 |     "express": "^4.19.2"
18 |   }
19 | }
20 | 


--------------------------------------------------------------------------------
/public/signup.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta charset="UTF-8">
 5 |     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 6 |     <title>Signup</title>
 7 | </head>
 8 | <body>
 9 |     <form id="register-form">
10 |         <input type="text" placeholder="username" id="username" />
11 |         <input type="password" placeholder="password" id="password" />
12 |         <button type="submit">Register</button>
13 |     </form>
14 | 
15 |     <script>
16 |         const form = document.getElementById('register-form');
17 | 
18 |         const usernameField = document.getElementById('username')
19 |         const passwordField = document.getElementById('password')
20 | 
21 |         form.addEventListener('submit', async e => {
22 |             e.preventDefault()
23 | 
24 |             const response = await fetch('/register', {
25 |                 method: 'POST',
26 |                 headers: {
27 |                     'Content-Type': 'application/json'
28 |                 },
29 |                 body: JSON.stringify({ 
30 |                     username: usernameField.value, 
31 |                     password: passwordField.value
32 |                 })
33 |             })
34 | 
35 |             const result = await response.json();
36 |             const { id } = result
37 | 
38 |             window.location.replace(`http://localhost:3000/profile.html?userId=${id}`)
39 |             
40 |         })
41 |     </script>
42 | </body>
43 | </html>


--------------------------------------------------------------------------------
/public/profile.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta charset="UTF-8">
 5 |     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 6 |     <title>Profile</title>
 7 | </head>
 8 | <body>
 9 |     <h1>Profile Page</h1>
10 |     <button id="register-passkey-btn">Register Passkey</button>
11 | 
12 |     <script src="https://unpkg.com/@simplewebauthn/browser/dist/bundle/index.umd.min.js"></script>
13 |     <script>
14 |         const registerPasskeyBtn = document.getElementById('register-passkey-btn');
15 | 
16 |         registerPasskeyBtn.addEventListener('click', async (e) => {
17 |             const url = new URL(window.location)
18 |             const userId = url.searchParams.get('userId')
19 | 
20 |             const response = await fetch('/register-challenge', {
21 |                 method: 'POST',
22 |                 headers: {
23 |                     'Content-Type': 'application/json'
24 |                 },
25 |                 body: JSON.stringify({ userId })
26 |             })
27 | 
28 |             const challengeResult = await response.json()
29 |             const { options } = challengeResult // Server side challenge
30 | 
31 |             const authenticationResult = await SimpleWebAuthnBrowser.startRegistration({...options, })
32 |             console.log(authenticationResult)
33 | 
34 |             await fetch('/register-verify', {
35 |                 method: 'POST',
36 |                 headers: {
37 |                     'Content-Type': 'application/json'
38 |                 },
39 |                 body: JSON.stringify({ userId, cred: authenticationResult })
40 |             })
41 | 
42 |         })
43 |     </script>
44 | </body>
45 | </html>


--------------------------------------------------------------------------------
/public/login.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta charset="UTF-8">
 5 |     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 6 |     <title>Login</title>
 7 | </head>
 8 | <body>
 9 |     <form id="login-form">
10 |         <input type="text" placeholder="userId" id="userId" />
11 |         <button type="submit">Login with Passkey</button>
12 |     </form>
13 | 
14 |     <script src="https://unpkg.com/@simplewebauthn/browser/dist/bundle/index.umd.min.js"></script>
15 |     <script>
16 |          const form = document.getElementById('login-form');
17 |          const userIdField = document.getElementById('userId')
18 | 
19 |          form.addEventListener('submit', async e => {
20 |             e.preventDefault()
21 |             const userId = userIdField.value;
22 |             
23 |             const response = await fetch('/login-challenge', {
24 |                 method: 'POST',
25 |                 headers: {
26 |                     'Content-Type': 'application/json'
27 |                 },
28 |                 body: JSON.stringify({ userId })
29 |             })
30 | 
31 |             const challengeResult = await response.json()
32 |             const { options } = challengeResult // Server side challenge
33 | 
34 |             const authenticationResult = await SimpleWebAuthnBrowser.startAuthentication(options)
35 |             console.log(authenticationResult)
36 | 
37 |             await fetch('/login-verify', {
38 |                 method: 'POST',
39 |                 headers: {
40 |                     'Content-Type': 'application/json'
41 |                 },
42 |                 body: JSON.stringify({ userId, cred: authenticationResult })
43 |             })
44 |          })
45 | 
46 |     </script>
47 | </body>
48 | </html>


--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
  1 | const express = require('express')
  2 | const crypto = require("node:crypto");
  3 | const { 
  4 |     generateRegistrationOptions, 
  5 |     verifyRegistrationResponse, 
  6 |     generateAuthenticationOptions, 
  7 |     verifyAuthenticationResponse 
  8 | } = require('@simplewebauthn/server')
  9 | 
 10 | 
 11 | if (!globalThis.crypto) {
 12 |     globalThis.crypto = crypto;
 13 | }
 14 | 
 15 | const PORT = 3000
 16 | const app = express();
 17 | 
 18 | app.use(express.static('./public'))
 19 | app.use(express.json())
 20 | 
 21 | // States
 22 | const userStore = {}
 23 | const challengeStore = {}
 24 | 
 25 | app.post('/register', (req, res) => {
 26 |     const { username, password } = req.body
 27 |     const id = `user_${Date.now()}`
 28 | 
 29 |     const user = {
 30 |         id,
 31 |         username,
 32 |         password
 33 |     }
 34 | 
 35 |     userStore[id] = user
 36 | 
 37 |     console.log(`Register successfull`, userStore[id])
 38 | 
 39 |     return res.json({ id })
 40 | 
 41 | })
 42 | 
 43 | app.post('/register-challenge', async (req, res) => {
 44 |     const { userId } = req.body
 45 | 
 46 |     if (!userStore[userId]) return res.status(404).json({ error: 'user not found!' })
 47 | 
 48 |     const user = userStore[userId]
 49 | 
 50 |     const challengePayload = await generateRegistrationOptions({
 51 |         rpID: 'localhost',
 52 |         rpName: 'My Localhost Machine',
 53 |         attestationType: 'none',
 54 |         userName: user.username,
 55 |         timeout: 30_000,
 56 |     })
 57 | 
 58 |     challengeStore[userId] = challengePayload.challenge
 59 | 
 60 |     return res.json({ options: challengePayload })
 61 | 
 62 | })
 63 | 
 64 | app.post('/register-verify', async (req, res) => {
 65 |     const { userId, cred }  = req.body
 66 |     
 67 |     if (!userStore[userId]) return res.status(404).json({ error: 'user not found!' })
 68 | 
 69 |     const user = userStore[userId]
 70 |     const challenge = challengeStore[userId]
 71 | 
 72 |     const verificationResult = await verifyRegistrationResponse({
 73 |         expectedChallenge: challenge,
 74 |         expectedOrigin: 'http://localhost:3000',
 75 |         expectedRPID: 'localhost',
 76 |         response: cred,
 77 |     })
 78 | 
 79 |     if (!verificationResult.verified) return res.json({ error: 'could not verify' });
 80 |     userStore[userId].passkey = verificationResult.registrationInfo
 81 | 
 82 |     return res.json({ verified: true })
 83 | 
 84 | })
 85 | 
 86 | app.post('/login-challenge', async (req, res) => {
 87 |     const { userId } = req.body
 88 |     if (!userStore[userId]) return res.status(404).json({ error: 'user not found!' })
 89 |     
 90 |     const opts = await generateAuthenticationOptions({
 91 |         rpID: 'localhost',
 92 |     })
 93 | 
 94 |     challengeStore[userId] = opts.challenge
 95 | 
 96 |     return res.json({ options: opts })
 97 | })
 98 | 
 99 | 
100 | app.post('/login-verify', async (req, res) => {
101 |     const { userId, cred }  = req.body
102 | 
103 |     if (!userStore[userId]) return res.status(404).json({ error: 'user not found!' })
104 |     const user = userStore[userId]
105 |     const challenge = challengeStore[userId]
106 | 
107 |     const result = await verifyAuthenticationResponse({
108 |         expectedChallenge: challenge,
109 |         expectedOrigin: 'http://localhost:3000',
110 |         expectedRPID: 'localhost',
111 |         response: cred,
112 |         authenticator: user.passkey
113 |     })
114 | 
115 |     if (!result.verified) return res.json({ error: 'something went wrong' })
116 |     
117 |     // Login the user: Session, Cookies, JWT
118 |     return res.json({ success: true, userId })
119 | })
120 | 
121 | 
122 | app.listen(PORT, () => console.log(`Server started on PORT:${PORT}`))


--------------------------------------------------------------------------------