Below is a more comprehensive Delphi example that demonstrates custom endpoints, challenge policies, database-backed credential storage, FIDO Metadata validation, and cross-origin iframe support. The code highlights advanced event handling to enforce security policies.
sgcWebSockets WebAuthn Server Example
Event Implementations
Key Highlights
- Challenge Hardening – By expanding the challenge size and using a cryptographically secure RNG, replay attacks are further mitigated.
- Custom User Handles – Assigning a unique binary user handle allows the authenticator to store a privacy-preserving identifier independent of usernames.
- Metadata-Based Attestation Validation – The ValidateAttestationWithMDS routine cross-checks the authenticator model, status reports, and revocation lists, ensuring only trusted devices are registered.
- Sign Counter Enforcement – AuthnVerify rejects responses that do not strictly increment the authenticator's counter, detecting cloned credentials.
- Database Integration – Credential data, sign counters, and session tokens are stored and updated via external persistence functions, demonstrating how to integrate the component with a real-world backend.
- Cross-Origin Iframe Support – Enabled through AllowCrossOrigins and configured TopOrigins, allowing WebAuthn flows initiated from embedded frames (e.g., a login widget on a different domain).
- Attestation Policy – Direct attestation coupled with MDS ensures only approved authenticators can register, useful for enterprise compliance scenarios.
- Transport Selection – Though not shown, events can constrain acceptable transports (e.g., USB, NFC, BLE) to tailor which types of authenticators are permitted.
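The three relying-party policies above that do not depend on vendor APIs (challenge hardening, opaque user handles, and strict sign-counter enforcement) are shown below as language-neutral logic in Python. This is an added illustration, not the sgcWebSockets Delphi example or its event code; the 32-byte challenge and user-handle sizes, the in-memory store standing in for the database, and the credential id are constructed assumptions for the demo.

```python
"""Relying-party checks behind the highlights above: CSPRNG challenges bound to
one session, opaque user handles, and strict sign-counter enforcement.
Added illustration in Python; not the Delphi component's code."""
import secrets
from dataclasses import dataclass, field
from typing import Dict

CHALLENGE_BYTES = 32     # assumption: "expanded" challenge of 32 bytes (WebAuthn minimum is 16)
USER_HANDLE_BYTES = 32   # assumption: 32 random bytes (the spec allows up to 64)


@dataclass
class StoredCredential:
    credential_id: bytes
    user_handle: bytes
    sign_count: int


@dataclass
class RpStore:
    """Stand-in for the database-backed persistence the page describes."""
    credentials: Dict[bytes, StoredCredential] = field(default_factory=dict)
    pending: Dict[str, bytes] = field(default_factory=dict)


def issue_challenge(store: RpStore, session_id: str) -> bytes:
    """Challenge hardening: fresh bytes from a CSPRNG, bound to a single session."""
    challenge = secrets.token_bytes(CHALLENGE_BYTES)
    store.pending[session_id] = challenge
    return challenge


def consume_challenge(store: RpStore, session_id: str, presented: bytes) -> bool:
    """One-shot check: the challenge is removed before comparing, so a replayed
    response can never match twice. Constant-time compare avoids timing leaks."""
    expected = store.pending.pop(session_id, None)
    if expected is None:
        return False
    return secrets.compare_digest(expected, presented)


def new_user_handle() -> bytes:
    """Opaque identifier the authenticator stores instead of the username."""
    return secrets.token_bytes(USER_HANDLE_BYTES)


def register_credential(store: RpStore, credential_id: bytes,
                        user_handle: bytes, initial_count: int) -> StoredCredential:
    """Persist the counter reported at registration as the baseline."""
    cred = StoredCredential(credential_id, user_handle, initial_count)
    store.credentials[credential_id] = cred
    return cred


def verify_sign_count(store: RpStore, credential_id: bytes, reported: int) -> bool:
    """Strict increment: a reported counter <= the stored one indicates a clone
    or a replay and is rejected; on success the stored value is advanced so the
    next assertion must move past it."""
    cred = store.credentials.get(credential_id)
    if cred is None:
        return False
    if reported <= cred.sign_count:
        return False
    cred.sign_count = reported
    return True


def demo() -> Dict[str, bool]:
    """Run the checks against a constructed credential and return each outcome."""
    store = RpStore()
    cred_id = b"constructed-credential-id"   # constructed sample value
    register_credential(store, cred_id, new_user_handle(), initial_count=5)
    challenge = issue_challenge(store, "sess-1")
    return {
        "challenge_ok": consume_challenge(store, "sess-1", challenge),
        "challenge_replay": consume_challenge(store, "sess-1", challenge),
        "count_advance": verify_sign_count(store, cred_id, 6),
        "count_clone": verify_sign_count(store, cred_id, 6),
        "count_rollback": verify_sign_count(store, cred_id, 3),
        "count_next": verify_sign_count(store, cred_id, 7),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

One caveat worth checking before adopting the strict policy as written: authenticators without a counter always report 0, so with a stored baseline of 0 they never satisfy "strictly increments" and would be rejected on every assertion. A deployment must decide whether to admit such devices at registration time or treat their absence of a counter as acceptable, and the clone-detection guarantee only holds for credentials whose counter actually advances.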