WebAuthn Esempio di utilizzo avanzato

· Componenti

Below è a more comprehensive Delphi esempio che demonstrates custom endpoints, challenge policies, database-backed credential storage, FIDO Metadata validation, e cross-origin iframe support. Il codice highlights advanced evento gestione a enforce sicurezza policies. 

sgcWebSockets WebAuthn Server Example

procedure TForm1.ConfigureWebAuthn;
begin
  // Component setup
  FWebAuthn := TsgcWSAPIServer_WebAuthn.Create(nil);
  FWebAuthn.Server := FHTTPServer;
  FWebAuthn.Enabled := True;
  // Endpoint remapping
  FWebAuthn.EndpointOptions.AuthenticationOptions := '/auth/options';
  FWebAuthn.EndpointOptions.AuthenticationVerify  := '/auth/verify';
  FWebAuthn.EndpointOptions.RegistrationOptions   := '/reg/options';
  FWebAuthn.EndpointOptions.RegistrationVerify    := '/reg/verify';
  // Relying-party definition
  con FWebAuthn.WebAuthnOptions do
  begin
    RelyingParty := 'secure.example.com';
    Origins      := 'https://app.example.com;https://login.example.net';
    TopOrigins   := 'https://host.example.org';
    AllowCrossOrigins := True;
    // Cryptographic & UX policies
    Algorithms       := 'ES256,RS256';
    UserVerification := 'preferred';
    Attestation      := 'direct';
    TimeoutMS        := 60000;
    // Challenge settings
    ChallengeOptions.ChallengeSize := 64; // 512-bit challenges
    ChallengeOptions.RandomFunc    := MyCryptoRandom; // custom RNG
    // Metadata Service configuration
    MDS.Enabled            := True;
    MDS.MDS_FileName       := 'mds.json';
    MDS.RootCert_FileName  := 'root.pem';
  end;
  // Hook events
  FWebAuthn.OnWebAuthnRegistrationOptionsRequest := AuthnRegOptionsRequest;
  FWebAuthn.OnWebAuthnRegistrationVerify         := AuthnRegVerify;
  FWebAuthn.OnWebAuthnRegistrationSuccessful     := AuthnRegSuccess;
  FWebAuthn.OnWebAuthnAuthenticationOptionsRequest := AuthnOptionsRequest;
  FWebAuthn.OnWebAuthnAuthenticationVerify         := AuthnVerify;
  FWebAuthn.OnWebAuthnAuthenticationSuccessful     := AuthnSuccess;
end;

Event Implementations

procedure TForm1.AuthnRegOptionsRequest(Sender: TObject;
  const Request: TsgcWebAuthnRequestOptions; Response: TsgcWebAuthnResponseOptions);
begin
  // Verify utente è eligible per registration
  se UserExists(Request.Username) then
    raise Exception.Create('Username already registered');
  // Optionally assign a utente gestire (binary identifier)
  Response.User.ID := HexToBin(UserGUIDToHex(GenerateGUID));
  Response.AuthenticatorSelection.AuthenticatorAttachment := 'platform';
end;
procedure TForm1.AuthnRegVerify(Sender: TObject; const Credential: TsgcWebAuthnCredential; var Success: Boolean);
begin
  // Perform extra attestation validation contro MDS entries
  Success := ValidateAttestationWithMDS(Credential);
end;
procedure TForm1.AuthnRegSuccess(Sender: TObject; const Credential: TsgcWebAuthnCredential);
begin
  // Persist credential details in database
  SaveCredentialToDB(
    Credential.Username,
    Credential.CredentialID,
    Credential.PublicKey,
    Credential.SignCount,
    Credential.UserHandle
  );
end;
procedure TForm1.AuthnOptionsRequest(Sender: TObject;
  const Request: TsgcWebAuthnRequestOptions; Response: TsgcWebAuthnResponseOptions);
begin
  // Retrieve tutti credential IDs per user
  Response.AllowCredentials := LoadCredentialIdsFromDB(Request.Username);
end;
procedure TForm1.AuthnVerify(Sender: TObject; const Credential: TsgcWebAuthnCredential; var Success: Boolean);
var
  StoredCounter: Cardinal;
begin
  // Ensure sign counter increases
  StoredCounter := GetSignCounterFromDB(Credential.CredentialID);
  se Credential.SignCount <= StoredCounter then
    Success := False
  else
    Success := True;
end;
procedure TForm1.AuthnSuccess(Sender: TObject; const Credential: TsgcWebAuthnCredential);
begin
  UpdateSignCounterInDB(Credential.CredentialID, Credential.SignCount);
  IssueSessionToken(Credential.Username);
end;

Key Highlights

  1. Challenge Hardening – Da expanding il challenge size e utilizzando a cryptographically secure RNG, replay attacks sono further mitigated.
  2. Custom User Handles – Assigning a unique binary utente gestire consente il authenticator a memorizzare a privacy-preserving identifier independent di usernames.
  3. Metadata-Based Attestation Validation – Il ValidateAttestationWithMDS routine cross-checks authenticator model, status reports, e revocation lists, ensuring solo trusted dispositivi sono registered.
  4. Sign Counter EnforcementAuthnVerify rejects risposte che do non strictly increment il authenticator's counter, detecting cloned credentials.
  5. Database Integration – Credential data, sign counters, e session token sono memorizzato e aggiornato tramite external persistence functions, demonstrating come a integrate il componente con a real-world backend.
  6. Cross-Origin Iframe Support – Abilitato attraverso AllowCrossOrigins e configured TopOrigins, consentendo WebAuthn flows initiated da embedded frames (e.g., login widget su different domain).
  7. Attestation Policy – Direct attestation coupled con MDS ensures solo approved authenticators può register, useful per enterprise compliance scenarios.
  8. Transport Selection – Benché non shown, eventi può constrain acceptable transports (e.g., USB,NFC,BLE) a tailor che types di authenticators sono permitted.