Merge pull request #95 from duo-labs/lib-refresh

lib-refresh

.github/workflows/build_and_test.yml

@@ -15,18 +15,18 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [2.7, 3.5, 3.6, 3.7, 3.8]
+        python-version: ['3.8', '3.9', '3.10']
 
     steps:
     - uses: actions/checkout@v2
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v1
+      uses: actions/setup-python@v2
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install -r flask_demo/requirements.txt
+        pip install -r requirements.txt
     - name: Test with unittest
       run: |
         python -m unittest

.gitignore

@@ -107,3 +107,4 @@ venv.bak/
 # PyWebAuthn
 py_webauthn.env
 webauthn.db
+.DS_Store

.vscode/settings.json

@@ -0,0 +1,7 @@
+{
+  "python.pythonPath": "venv/bin/python",
+  "python.linting.mypyEnabled": false,
+  "python.linting.flake8Enabled": false,
+  "python.formatting.blackPath": "venv/bin/black",
+  "python.linting.enabled": true
+}

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2017 Duo Security, Inc. All rights reserved.
+Copyright (c) 2017-2021 Duo Security, Inc. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions

README.md

@@ -0,0 +1,72 @@
+# py_webauthn
+[![PyPI](https://img.shields.io/pypi/v/webauthn.svg)](https://pypi.python.org/pypi/webauthn) [![GitHub license](https://img.shields.io/badge/license-BSD-blue.svg)](https://raw.githubusercontent.com/duo-labs/py_webauthn/master/LICENSE) ![Pythonic WebAuthn](https://img.shields.io/badge/Pythonic-WebAuthn-brightgreen?logo=python&logoColor=white)
+
+A Python3 implementation of the [WebAuthn API](https://www.w3.org/TR/webauthn-2/) focused on making it easy to leverage the power of WebAuthn.
+
+This library supports all FIDO2-compliant authenticators, including security keys, Touch ID, Face ID, Windows Hello, Android biometrics...and pretty much everything else.
+
+## Installation
+
+This module is available on **PyPI**:
+
+`pip install webauthn`
+
+## Requirements
+
+- Python 3.8 and up
+
+## Usage
+
+The library exposes just a few core methods on the root `webauthn` module:
+
+- `generate_registration_options()`
+- `verify_registration_response()`
+- `generate_authentication_options()`
+- `verify_authentication_response()`
+
+Two additional helper methods are also exposed:
+
+- `options_to_json()`
+- `base64url_to_bytes()`
+
+### Registration
+
+See **examples/registration.py** for practical examples of using `generate_registration_options()` and `verify_registration_response()`.
+
+You can also run these examples with the following:
+
+```sh
+# See "Development" below for venv setup instructions
+venv $> python -m examples.registration
+```
+
+### Authentication
+
+See **examples/authentication.py** for practical examples of using `generate_authentication_options()` and `verify_authentication_response()`.
+
+You can also run these examples with the following:
+
+```sh
+# See "Development" below for venv setup instructions
+venv $> python -m examples.authentication
+```
+
+## Development
+
+### Installation
+
+Set up a virtual environment, and then install the project's requirements:
+
+```sh
+$> python3 -m venv venv
+$> source venv/bin/activate
+venv $> pip install -r requirements.txt
+```
+
+### Testing
+
+Python's unittest module can be used to execute everything in the **tests/** directory:
+
+```sh
+venv $> python -m unittest
+```

examples/authentication.py

@@ -0,0 +1,70 @@
+from webauthn import (
+    generate_authentication_options,
+    verify_authentication_response,
+    options_to_json,
+    base64url_to_bytes,
+)
+from webauthn.helpers.structs import (
+    PublicKeyCredentialDescriptor,
+    UserVerificationRequirement,
+    AuthenticationCredential,
+)
+
+################
+#
+# Examples of using webauthn for authentication ceremonies
+#
+# Authentication responses are representative of WebAuthn credential responses
+# as they would be encoded for transmission from the browser to the RP as JSON. This
+# primarily means byte arrays are encoded as Base64URL on the client.
+#
+################
+
+# Simple Options
+simple_authentication_options = generate_authentication_options(rp_id="example.com")
+
+print("\n[Authentication Options - Simple]")
+print(options_to_json(simple_authentication_options))
+
+# Complex Options
+complex_authentication_options = generate_authentication_options(
+    rp_id="example.com",
+    challenge=b"1234567890",
+    timeout=12000,
+    allow_credentials=[PublicKeyCredentialDescriptor(id=b"1234567890")],
+    user_verification=UserVerificationRequirement.REQUIRED,
+)
+
+print("\n[Authentication Options - Complex]")
+print(options_to_json(complex_authentication_options))
+
+# Authentication Response Verification
+authentication_verification = verify_authentication_response(
+    credential=AuthenticationCredential.parse_raw(
+        """{
+        "id": "ZoIKP1JQvKdrYj1bTUPJ2eTUsbLeFkv-X5xJQNr4k6s",
+        "rawId": "ZoIKP1JQvKdrYj1bTUPJ2eTUsbLeFkv-X5xJQNr4k6s",
+        "response": {
+            "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MFAAAAAQ",
+            "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiaVBtQWkxUHAxWEw2b0FncTNQV1p0WlBuWmExekZVRG9HYmFRMF9LdlZHMWxGMnMzUnRfM280dVN6Y2N5MHRtY1RJcFRUVDRCVTFULUk0bWFhdm5kalEiLCJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjUwMDAiLCJjcm9zc09yaWdpbiI6ZmFsc2V9",
+            "signature": "iOHKX3erU5_OYP_r_9HLZ-CexCE4bQRrxM8WmuoKTDdhAnZSeTP0sjECjvjfeS8MJzN1ArmvV0H0C3yy_FdRFfcpUPZzdZ7bBcmPh1XPdxRwY747OrIzcTLTFQUPdn1U-izCZtP_78VGw9pCpdMsv4CUzZdJbEcRtQuRS03qUjqDaovoJhOqEBmxJn9Wu8tBi_Qx7A33RbYjlfyLm_EDqimzDZhyietyop6XUcpKarKqVH0M6mMrM5zTjp8xf3W7odFCadXEJg-ERZqFM0-9Uup6kJNLbr6C5J4NDYmSm3HCSA6lp2iEiMPKU8Ii7QZ61kybXLxsX4w4Dm3fOLjmDw",
+            "userHandle": "T1RWa1l6VXdPRFV0WW1NNVlTMDBOVEkxTFRnd056Z3RabVZpWVdZNFpEVm1ZMk5p"
+        },
+        "type": "public-key",
+        "clientExtensionResults": {}
+    }"""
+    ),
+    expected_challenge=base64url_to_bytes(
+        "iPmAi1Pp1XL6oAgq3PWZtZPnZa1zFUDoGbaQ0_KvVG1lF2s3Rt_3o4uSzccy0tmcTIpTTT4BU1T-I4maavndjQ"
+    ),
+    expected_rp_id="localhost",
+    expected_origin="http://localhost:5000",
+    credential_public_key=base64url_to_bytes(
+        "pAEDAzkBACBZAQDfV20epzvQP-HtcdDpX-cGzdOxy73WQEvsU7Dnr9UWJophEfpngouvgnRLXaEUn_d8HGkp_HIx8rrpkx4BVs6X_B6ZjhLlezjIdJbLbVeb92BaEsmNn1HW2N9Xj2QM8cH-yx28_vCjf82ahQ9gyAr552Bn96G22n8jqFRQKdVpO-f-bvpvaP3IQ9F5LCX7CUaxptgbog1SFO6FI6ob5SlVVB00lVXsaYg8cIDZxCkkENkGiFPgwEaZ7995SCbiyCpUJbMqToLMgojPkAhWeyktu7TlK6UBWdJMHc3FPAIs0lH_2_2hKS-mGI1uZAFVAfW1X-mzKL0czUm2P1UlUox7IUMBAAE"
+    ),
+    credential_current_sign_count=0,
+    require_user_verification=True,
+)
+print("\n[Authentication Verification]")
+print(authentication_verification.json(indent=2))
+assert authentication_verification.new_sign_count == 1