
Are responses compatible with @simplewebauthn/server? #58

@deathemperor

@peterferguson thank you for the repo.

I was not sure how to verify the passkey authentication responses, so I tried using https://simplewebauthn.dev/docs/packages/server#2-verify-authentication-response but couldn't get it to pass the public key verification.

```js
import { verifyAuthenticationResponse } from "@simplewebauthn/server";
import { isoBase64URL } from "@simplewebauthn/server/helpers";

// response from expo
/**
 *
{
  "authenticatorAttachment": null,
  "clientExtensionResults": {
    "largeBlob": {
      "blob": null,
      "supported": true,
      "written": null
    },
    "prf": {
      "enabled": true,
      "results": null
    }
  },
  "id": "4F-gBsVBtoRavK0hdLKOE5LBFYk",
  "rawId": "4F-gBsVBtoRavK0hdLKOE5LBFYk",
  "response": {
    "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYOmP-2kJDGJC6Fr-EeByEHg7eZdrNoqDAMCtJqtrllr1dAAAAAPv8MAcVTk7MjAtuAgVX170AFOBfoAbFQbaEWrytIXSyjhOSwRWJpQECAyYgASFYINH-EKfAEB1eJe9LhlMXQlNujFQOgjqg-g2v9pB1sC69IlggXGlTD9_CO6YowPHWsaZyxBciDqxAPHmZ6d6RXZgiumM",
    "authenticatorData": null,
    "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiWm1sNmVnIiwib3JpZ2luIjoiaHR0cHM6Ly9wYXBheWEuYXNpYSJ9",
    "getPublicKey": [Function getPublicKey],
    "publicKey": "0f4Qp8AQHV4l70uGUxdCU26MVA6COqD6Da_2kHWwLr1caVMP38I7pijA8daxpnLEFyIOrEA8eZnp3pFdmCK6Yw",
    "publicKeyAlgorithm": null,
    "transports": null
  },
  "type": "public-key"
}
 */

const test = {
  authenticatorData: "OmP-2kJDGJC6Fr-EeByEHg7eZdrNoqDAMCtJqtrllr0dAAAAAA",
  clientDataJWT: "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiWm1sNmVnIiwib3JpZ2luIjoiaHR0cHM6Ly9wYXBheWEuYXNpYSJ9",
  credentialId: "4F-gBsVBtoRavK0hdLKOE5LBFYk",
  signature: "MEQCIBFPTmijAkuFIeApGZF724mkc-MAbKZpTbv7Dj8OAesiAiANgwVDz5YP16UCR9lRkE4LYMVg-cryr4yhKZC2U-P3tg",
  userHandle: "MWU2ZThjYTEtZTU0Ny00NzMyLTg3NzUtNGJlMmQyNzVlOTZk",
};

const publicKey = isoBase64URL.toBuffer("0f4Qp8AQHV4l70uGUxdCU26MVA6COqD6Da_2kHWwLr1caVMP38I7pijA8daxpnLEFyIOrEA8eZnp3pFdmCK6Yw", "base64");

console.log({ publicKey });

let verification;
try {
  verification = await verifyAuthenticationResponse({
    credential: {
      id: test.credentialId,
      counter: 0,
      publicKey,
      transports: [],
    },
    expectedChallenge: () => true,
    expectedOrigin: "https://papaya.asia",
    expectedRPID: "papaya.asia",
    response: {
      id: test.credentialId,
      clientExtensionResults: {},
      rawId: test.credentialId,
      response: {
        authenticatorData: test.authenticatorData,
        clientDataJSON: test.clientDataJWT,
        signature: test.signature,
        userHandle: test.userHandle,
      },
      type: "public-key",
    },
  });
} catch (error) {
  console.error(error);
}
```

I tried decoding the public key before passing it to `verifyAuthenticationResponse`, with no luck.

With `isoBase64URL.toBuffer` from `@simplewebauthn/server/helpers`:

```
Error: Unsupported or not well formed at 1
    at decodeNext (/Users/deathemperor/papaya/papaya/node_modules/@levischuck/tiny-cbor/esm/cbor/cbor.js:218:11)
    at decodeTag (/Users/deathemperor/papaya/papaya/node_modules/@levischuck/tiny-cbor/esm/cbor/cbor.js:164:33)
    at decodeNext (/Users/deathemperor/papaya/papaya/node_modules/@levischuck/tiny-cbor/esm/cbor/cbor.js:194:20)
    at decodePartialCBOR (/Users/deathemperor/papaya/papaya/node_modules/@levischuck/tiny-cbor/esm/cbor/cbor.js:354:16)
    at Object.decodeFirst (/Users/deathemperor/papaya/papaya/node_modules/@simplewebauthn/server/esm/helpers/iso/isoCBOR.js:26:30)
    at decodeCredentialPublicKey (/Users/deathemperor/papaya/papaya/node_modules/@simplewebauthn/server/esm/helpers/decodeCredentialPublicKey.js:3:65)
    at verifySignature (/Users/deathemperor/papaya/papaya/node_modules/@simplewebauthn/server/esm/helpers/verifySignature.js:17:25)
```

With `Buffer.from()`:

```
TypeError: cosePublicKey.get is not a function
    at isCOSEPublicKeyEC2 (/Users/deathemperor/papaya/papaya/node_modules/@simplewebauthn/server/esm/helpers/cose.js:12:31)
    at Object.verify (/Users/deathemperor/papaya/papaya/node_modules/@simplewebauthn/server/esm/helpers/iso/isoCrypto/verify.js:11:9)
    at verifySignature (/Users/deathemperor/papaya/papaya/node_modules/@simplewebauthn/server/esm/helpers/verifySignature.js:22:57)
    at verifyAuthenticationResponse (/Users/deathemperor/papaya/papaya/node_modules/@simplewebauthn/server/esm/authentication/verifyAuthenticationResponse.js:154:25)
```

Any suggestions on how to verify on the back end?
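The stack traces in the issue show `verifyAuthenticationResponse` handing `credential.publicKey` to `decodeCredentialPublicKey`, which CBOR-decodes it, while the `publicKey` field of the quoted registration response decodes to 64 bytes, the size of a bare P-256 `x || y` point. As an added example (not code from the issue author or from either library), the Node.js code below wraps such a raw point in a CBOR-encoded COSE_Key and compares it byte for byte with the key stored inside the quoted `attestationObject`. All function names are hypothetical, and ES256 on P-256 is assumed because that is what the embedded key declares.

```javascript
// Constructed inputs: both values are copied from the registration response quoted in the issue.
const RAW_KEY = "0f4Qp8AQHV4l70uGUxdCU26MVA6COqD6Da_2kHWwLr1caVMP38I7pijA8daxpnLEFyIOrEA8eZnp3pFdmCK6Yw";
const ATT_OBJ = "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYOmP-2kJDGJC6Fr-EeByEHg7eZdrNoqDAMCtJqtrllr1dAAAAAPv8MAcVTk7MjAtuAgVX170AFOBfoAbFQbaEWrytIXSyjhOSwRWJpQECAyYgASFYINH-EKfAEB1eJe9LhlMXQlNujFQOgjqg-g2v9pB1sC69IlggXGlTD9_CO6YowPHWsaZyxBciDqxAPHmZ6d6RXZgiumM";

// Wrap a raw P-256 point (x || y, 64 bytes) in a CBOR-encoded COSE_Key (EC2, ES256).
function rawP256ToCose(rawXY) {
  if (rawXY.length !== 64) throw new RangeError("expected 64 bytes (x || y)");
  return Buffer.concat([
    Buffer.from([0xa5,               // CBOR map with 5 entries
      0x01, 0x02,                    //  1 (kty) => 2 (EC2)
      0x03, 0x26,                    //  3 (alg) => -7 (ES256)
      0x20, 0x01,                    // -1 (crv) => 1 (P-256)
      0x21, 0x58, 0x20]),            // -2 (x)   => 32-byte string follows
    rawXY.subarray(0, 32),
    Buffer.from([0x22, 0x58, 0x20]), // -3 (y)   => 32-byte string follows
    rawXY.subarray(32),
  ]);
}

// Shortcut for this sample only (fmt "none", empty attStmt, authData < 256 bytes); use a CBOR decoder in general.
function authDataFromNoneAttestation(attObj) {
  const header = Buffer.from("a363666d74646e6f6e656761747453746d74a068617574684461746158", "hex");
  if (!attObj.subarray(0, header.length).equals(header)) throw new Error("unexpected attestationObject layout");
  const start = header.length + 1; // skip the one-byte length that follows 0x58
  return attObj.subarray(start, start + attObj[header.length]);
}

// authData layout: rpIdHash(32) flags(1) signCount(4) aaguid(16) idLen(2) credentialId COSE key.
function parseAttestedCredential(authData) {
  const flags = authData[32];
  if (!(flags & 0x40)) throw new Error("AT flag clear: no attested credential data");
  if (flags & 0x80) throw new Error("extensions follow the key; decode the key with CBOR instead");
  const idLen = authData.readUInt16BE(53);
  return {
    credentialId: authData.subarray(55, 55 + idLen),
    cosePublicKey: authData.subarray(55 + idLen),
  };
}

function demo() {
  const wrapped = rawP256ToCose(Buffer.from(RAW_KEY, "base64url"));
  const parsed = parseAttestedCredential(authDataFromNoneAttestation(Buffer.from(ATT_OBJ, "base64url")));
  return {
    credentialId: parsed.credentialId.toString("base64url"),
    coseLength: parsed.cosePublicKey.length,
    sameKey: wrapped.equals(parsed.cosePublicKey),
  };
}
console.log(demo());
```

Either buffer (the wrapped raw key or the key sliced from `authData`) is in the CBOR form that `decodeCredentialPublicKey` in the trace tries to parse.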
