Below is a more comprehensive Delphi example that demonstrates custom endpoints, challenge policies, database-backed credential storage, FIDO Metadata validation, and cross-origin iframe support. The code highlights advanced event handling to enforce security policies. 

sgcWebSockets WebAuthn Server Example

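procedure TForm1.ConfigureWebAuthn;
begin
  // Component setup. Owned by the form so it is destroyed together with it
  // instead of leaking (Create(nil) would require a manual Free).
  FWebAuthn := TsgcWSAPIServer_WebAuthn.Create(Self);
  FWebAuthn.Server := FHTTPServer;

  // Endpoint remapping
  FWebAuthn.EndpointOptions.AuthenticationOptions := '/auth/options';
  FWebAuthn.EndpointOptions.AuthenticationVerify  := '/auth/verify';
  FWebAuthn.EndpointOptions.RegistrationOptions   := '/reg/options';
  FWebAuthn.EndpointOptions.RegistrationVerify    := '/reg/verify';

  // Relying-party definition.
  // The RP ID must be equal to, or a registrable-domain suffix of, the
  // effective domain of every origin in Origins; browsers refuse ceremonies
  // where that does not hold (an RP ID of 'secure.example.com' would not
  // cover 'app.example.com' or any '.example.net' host), so every origin
  // below sits under the RP ID 'example.com'.
  with FWebAuthn.WebAuthnOptions do
  begin
    RelyingParty := 'example.com';
    Origins      := 'https://app.example.com;https://login.example.com';
    // Top-level page origin(s) allowed to embed the origins above in an
    // iframe; the embedding page must also delegate the WebAuthn
    // Permissions-Policy features to the frame.
    TopOrigins   := 'https://host.example.org';
    AllowCrossOrigins := True;

    // Cryptographic & UX policies
    Algorithms       := 'ES256,RS256';
    // 'preferred' suits second-factor use; use 'required' when the passkey
    // is the only factor.
    UserVerification := 'preferred';
    // 'direct' is needed for MDS checks below; browsers may ask the user to
    // consent to releasing attestation.
    Attestation      := 'direct';
    TimeoutMS        := 60000;

    // Challenge settings
    ChallengeOptions.ChallengeSize := 64; // 512-bit challenges (spec minimum is 16 bytes)
    // Must be a cryptographically secure RNG; a predictable challenge
    // removes the replay protection the whole ceremony relies on.
    ChallengeOptions.RandomFunc    := MyCryptoRandom;

    // Metadata Service configuration
    MDS.Enabled            := True;
    MDS.MDS_FileName       := 'mds.json'; // FIDO MDS blob; it carries an expiry and must be refreshed
    MDS.RootCert_FileName  := 'root.pem'; // root used to verify the blob's signature
  end;

  // Hook events
  FWebAuthn.OnWebAuthnRegistrationOptionsRequest := AuthnRegOptionsRequest;
  FWebAuthn.OnWebAuthnRegistrationVerify         := AuthnRegVerify;
  FWebAuthn.OnWebAuthnRegistrationSuccessful     := AuthnRegSuccess;
  FWebAuthn.OnWebAuthnAuthenticationOptionsRequest := AuthnOptionsRequest;
  FWebAuthn.OnWebAuthnAuthenticationVerify         := AuthnVerify;
  FWebAuthn.OnWebAuthnAuthenticationSuccessful     := AuthnSuccess;

  // Enable only once options and handlers are in place, so no request is
  // served with a half-configured policy.
  FWebAuthn.Enabled := True;
end;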
 

Event Implementations

procedure TForm1.AuthnRegOptionsRequest(Sender: TObject;
  const Request: TsgcWebAuthnRequestOptions; Response: TsgcWebAuthnResponseOptions);
begin
  // Only usernames not yet on file may obtain registration options.
  // Raising aborts the request; note that the message confirms the name is
  // taken, which is an account-enumeration signal on a public endpoint.
  if not UserExists(Request.Username) then
  begin
    // Fresh random user handle, sent to the authenticator as user.id; the
    // authenticator stores this instead of the username.
    Response.User.ID := HexToBin(UserGUIDToHex(GenerateGUID));
    // Restrict this registration to built-in (platform) authenticators.
    Response.AuthenticatorSelection.AuthenticatorAttachment := 'platform';
  end
  else
    raise Exception.Create('Username already registered');
end;

procedure TForm1.AuthnRegVerify(Sender: TObject; const Credential: TsgcWebAuthnCredential; var Success: Boolean);
begin
  // Application-level attestation policy on top of the component's own
  // verification: the registration proceeds only if the credential's
  // attestation is acceptable according to the MDS check.
  // NOTE(review): Success is overwritten unconditionally; confirm the
  // component has already rejected failed signature checks before this
  // event fires, otherwise combine with the incoming value instead.
  Success := False;
  if ValidateAttestationWithMDS(Credential) then
    Success := True;
end;

procedure TForm1.AuthnRegSuccess(Sender: TObject; const Credential: TsgcWebAuthnCredential);
begin
  // Store what later assertions need: the credential ID to look up, the
  // public key to verify signatures, the initial sign counter for clone
  // detection, and the user handle that maps the credential back to the
  // account. Key it on CredentialID so a user can hold several credentials.
  with Credential do
    SaveCredentialToDB(Username, CredentialID, PublicKey, SignCount, UserHandle);
end;

procedure TForm1.AuthnOptionsRequest(Sender: TObject;
  const Request: TsgcWebAuthnRequestOptions; Response: TsgcWebAuthnResponseOptions);
begin
  // Limit the assertion to credentials already registered for this username
  // (the browser offers only those IDs to the authenticator).
  // NOTE(review): returning a per-username list (or an empty one for an
  // unknown name) reveals whether the name is registered; when discoverable
  // credentials are used, an empty allowCredentials list avoids that leak.
  Response.AllowCredentials := LoadCredentialIdsFromDB(Request.Username);
end;

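procedure TForm1.AuthnVerify(Sender: TObject; const Credential: TsgcWebAuthnCredential; var Success: Boolean);
var
  StoredCounter: Cardinal;
begin
  // Signature-counter check (WebAuthn "Verifying an Authentication
  // Assertion", signCount step). A strictly increasing counter detects a
  // cloned authenticator replaying an old credential.
  // An authenticator that does not implement a counter always reports 0, so
  // a received 0 against a stored 0 is the documented "counter unsupported"
  // case and must be accepted; rejecting it (as a plain <= comparison does)
  // locks out every such authenticator, including many platform ones.
  // Once either side is non-zero, the received value must exceed the stored
  // one strictly.
  // NOTE(review): this compares counters only; confirm elsewhere that
  // Credential.CredentialID belongs to the user being authenticated.
  StoredCounter := GetSignCounterFromDB(Credential.CredentialID);
  if (Credential.SignCount = 0) and (StoredCounter = 0) then
    Success := True
  else
    Success := Credential.SignCount > StoredCounter;
end;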

procedure TForm1.AuthnSuccess(Sender: TObject; const Credential: TsgcWebAuthnCredential);
begin
  // Persist the counter first so the next assertion is compared against the
  // value just verified, then establish the application session.
  // NOTE(review): the read in AuthnVerify and this write are separate DB
  // round-trips; concurrent assertions for the same credential could
  // interleave — confirm the update is conditional/atomic if that matters.
  UpdateSignCounterInDB(Credential.CredentialID, Credential.SignCount);
  IssueSessionToken(Credential.Username);
end;
 

Key Highlights

  1. Challenge Hardening – A 64-byte challenge drawn from a cryptographically secure RNG cannot be guessed or precomputed. Replay protection itself comes from each challenge being single-use and expiring with the timeout; the larger size and a true CSPRNG are what make that protection hold, so RandomFunc must not be a general-purpose generator.
  2. Custom User Handles – Assigning a unique binary user handle allows the authenticator to store a privacy-preserving identifier independent of usernames.
  3. Metadata-Based Attestation Validation – The ValidateAttestationWithMDS routine cross-checks authenticator model, status reports, and revocation lists, ensuring only trusted devices are registered.
  4. Sign Counter Enforcement – AuthnVerify requires the authenticator's counter to increase on every assertion, which detects a cloned credential being used in parallel. Note that an authenticator without a counter always reports 0, so a stored and received value of 0 must be treated as "counter unsupported" rather than as a clone, or such authenticators can never sign in.
  5. Database Integration – Credential data, sign counters, and session tokens are stored and updated via external persistence functions, demonstrating how to integrate the component with a real-world backend.
  6. Cross-Origin Iframe Support – Enabled through AllowCrossOrigins and the configured TopOrigins, allowing WebAuthn flows initiated from embedded frames (e.g., a login widget on a different domain). The embedding page must also delegate the WebAuthn features to the frame via Permissions-Policy (`publickey-credentials-get`, and `publickey-credentials-create` where the browser supports it), and the RP ID/origin rules still apply to the frame's own origin.
  7. Attestation Policy – Direct attestation coupled with MDS lets the server verify the attestation chain against published metadata and reject authenticator models that are unknown or flagged, useful for enterprise compliance scenarios. The check is only as current as the local mds.json, which carries an expiry and must be refreshed, and browsers may prompt the user before releasing direct attestation.
  8. Transport Selection – Though not shown, events can constrain acceptable transports (e.g., USB,NFC,BLE) to tailor which types of authenticators are permitted.