Download the PHP package jackmartin/laravel-webauthn without Composer

On this page you can find all versions of the php package jackmartin/laravel-webauthn. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package laravel-webauthn

Laravel WebAuthn

Latest Stable Version Total Downloads License

Authenticate users with Passkeys: fingerprints, patterns and biometric data.

[!TIP]

You want to add two-factor authentication to your app? Check out Laragear TwoFactor.

Become a sponsor

Your support allows me to keep this package free, up-to-date and maintainable. Alternatively, you can spread the word!

Requirements

[!TIP]

If you can't enable the ext-sodium extension for whatever reason, you may try installing paragonie/sodium_compat.

Installation

Require this package into your project using Composer:

How Passkeys work?

Passkeys, hence WebAuthn, consists in two ceremonies: attestation, and assertion.

Attestation is the process of asking the authenticator (a phone, laptop, USB key...) to create a private-public key pair, save the private key internally, and store the public key inside your app. For that to work, the browser must support WebAuthn, which is what intermediates between the authenticator (OS & device hardware) and the server.

Assertion is the process of pushing a cryptographic challenge to the authenticator, which will return back to the server signed by the private key of the device. Upon arrival, the server checks the signature is correct with the stored public key, ready to log in.

The private key doesn't leave the authenticator, there are no shared passwords stored anywhere, and Passkeys only work on the server domain (like google.com) or subdomain (like auth.google.com).

Set up

We need to make sure your users can register their devices and authenticate with them.

  1. Publish the files
  2. Add the WebAuthn driver
  3. Implement the contract and trait
  4. Register the controllers (optional)
  5. Use the Javascript helper (optional)

1. Add the WebAuthn driver

Laragear WebAuthn works by extending the Eloquent User Provider with a simple additional check to find a user for the given WebAuthn Credentials (Assertion). This makes this WebAuthn package compatible with any guard you may have.

Simply go into your auth.php configuration file, change the driver from eloquent to eloquent-webauthn, and add the password_fallback to true.

The password_fallback indicates the User Provider should fall back to validate the password when the request is not a WebAuthn Assertion. It's enabled to seamlessly use both classic (password) and WebAuthn authentication procedures.

2. Publish files and migrate

With the single webauthn:install command, you can install the configuration, routes, and migration files.

This will also publish a migration file needed to create a table to hold the WebAuthn Credentials (Passkeys). Once ready, migrate your application to create the table.

[!TIP]

You can changing the table name.

3. Implement the contract and trait

Add the WebAuthnAuthenticatable contract and the WebAuthnAuthentication trait to the User class, or any other that uses authentication.

From here you're ready to work with WebAuthn Authentication. The following steps will help you close the gap to a full implementation.

4. Register the routes and controllers

WebAuthn uses exclusive routes to register and authenticate users. Creating these routes and controller may be cumbersome, specially if it's your first time in the WebAuthn realm, so these are installed automatically at Http\Controllers\WebAuthn when using webauthn:install.

Go into your web.php routes file and register a default set of routes with the \Laragear\WebAuthn\Http\Routes::register() method. Since WebAuthn doesn't require protection for CSRF/XSRF tokens, you may disable it for these routes.

[!TIP]

The @laragear/webpass javascript helper supports adding CSRF/XSRF tokens.

The method allows to use different attestation and assertion paths, and even each of the controllers.

[!INFO]

You can also delete the controllers and implement assertion manually.

5. Use the Javascript helper

This package original Javascript helper has been moved into its own package, called @laragear/webpass. You may use directly in your HTML application by just using JSDelivr CDN:

Alternatively, you may want to include it in your project dependencies if you're using a frontend framework like Vue, React, Angular or Svelte, to name a few.

Once done, you may attest and assert the authenticator using the Webpass object:

The Webpass helper offers more flexibility than just adjusting the WebAuthn ceremony paths. For more information, check the documentation of @laragear/webpass.

Attestation

Attestation is the ceremony to create WebAuthn Credentials. To create an Attestable Response that the user device can understand, use the AttestationRequest::toCreate() form request.

For example, we can create our own AttestationController to create it.

The device will receive the "instructions" to make a key, and will respond with it. You can use the AttestedRequest form request and its save() method to persist the WebAuthn key if it is valid. The request will automatically return a Validation exception if something fails.

You may pass an array, or a callback, to the save(), which will allow you to modify the underlying WebAuthn Eloquent Model before saving it. For example, we could add an alias for the key present in the Request data.

[!IMPORTANT]

Both AttestationRequest and AttestedRequest require the authenticated user. If the user is not authenticated, an HTTP 403 status code will be returned.

Attestation User verification

By default, the authenticator decides how to verify user when creating a credential. Some may ask to press a "Continue" button to confirm presence, others will verify the User with biometrics, patterns or passwords.

You can override this using fastRegistration() to only check for user presence if possible, or secureRegistration() to actively verify the User.

Userless/One-touch/Typeless Login

This enables one click/tap login, without the need to specify the user credentials (like the email) beforehand.

For this to work, the device has to save the "username id" inside itself. Some authenticators may save it regardless, others may be not compatible. To make this mandatory when creating the WebAuthn Credential, use the userless() method of the AttestationRequest form request.

[!IMPORTANT]

The Authenticator WILL require user verification on login, as it will depend on the authenticator itself.

Multiple credentials per device

By default, during Attestation, the device will be informed about the existing enabled credentials already registered in the application. This way the device can avoid creating another one for the same purpose.

You can enable multiple credentials per device using allowDuplicates(), which in turn will always return an empty list of credentials to exclude. This way the authenticator will think there are no already stored credentials for your app, and create a new one.

Assertion

The Assertion procedure also follows a two-step procedure: the user will input its username, the server will return the IDs of the WebAuthn credentials to use, and the device pick one to sign the response. If you're using userless login, only the challenge is returned.

First, use the AssertionRequest::toVerify() form request. It will automatically create an assertion for the user that matches the credentials, or a blank one in case you're using userless login. Otherwise, you may set stricter validation rules to always ask for credentials.

For example, we can use our own AssertionController to handle it.

After that, you may receive the challenge using the AssertedRequest request object by just type-hinting it in the controller.

Since the authentication is pretty much straightforward, you only need to check if the login() method returns the newly authenticated user or null when it fails. When it's a success, it will take care of regenerating the session for you.

If you need greater control on the Assertion procedure, you may want to Assert manually.

Assertion User Verification

In the same style of attestation user verification, the authenticator decides if it should verify the user on login or not.

You may only require the user presence with fastLogin(), or actively verify the user with secureLogin().

Password Fallback

By default, the eloquent-webauthn can be used to log in users with passwords when the credentials are not a WebAuthn JSON payload. This way, your normal Authentication flow is unaffected:

You may disable the fallback to only allow WebAuthn authentication by setting password_fallback to false. This may force you to handle classic user/password using a separate guard.

Detecting Cloned Credentials

During assertion, the package will automatically detect if a Credential has been cloned by comparing how many times the user has logged in with it.

If it's detected as cloned, the Credential is disabled, a CredentialCloned event is fired, and the Assertion gets denied.

You can use the event to warn the user:

Managing Credentials

The purpose of the WebAuthnAuthenticatable contract is to allow managing credentials within the User instance. The most useful methods are:

You can use these methods to, for example, find a credential to blacklist, or disable WebAuthn completely by flushing all registered devices.

Events

The following events are fired by this package, which you can hook into in your application:

Event Description
CredentialCreated An User has registered a new WebAuthn Credential through Attestation.
CredentialEnabled A disabled WebAuthn Credential was enabled using enable().
CredentialDisabled A enabled WebAuthn Credential was disabled using disable().
CredentialCloned A WebAuthn Credential was detected as cloned dring Assertion.

Manually Attesting and Asserting

If you want to manually Attest and Assert users, you may instance their respective pipelines used for both WebAuthn Ceremonies:

Pipeline Description
AttestationCreator Creates a request to create a WebAuthn Credential.
AttestationValidator Validates a response with the WebAuthn Credential and stores it.
AssertionCreator Creates a request to validate a WebAuthn Credential.
AssertionValidator Validates a response for a WebAuthn Credential.

All of these pipelines require the current Request to work, as is used to generate Challenges in the Session and validate different parts of the authentication data.

For example, you may manually authenticate a user with its WebAuthn Credentials AssertionValidator pipeline. We can just type-hint a pipeline in a Controller action argument and Laravel will automatically inject the instance to it.

Since these are Laravel Pipelines, you're free to push additional pipes. These pipes can be a class with handle(), or just a function that receives the validation procedure.

[!WARNING]

The pipes list and the pipes themselves are not covered by API changes, and are marked as internal. These may change between versions without notice.

Migrations

This package comes with a migration file that extends a special class that takes most of the heavy lifting for you. You only need to create additional columns if you need to.

If you need to modify the table, or adjust the data, after is created or before is dropped, you may use the afterUp() and beforeDown() methods of the migration file, respectively.

UUID or ULID morphs

There may be some scenarios where your authenticatable User is using a different type of primary ID in the database, like UUID or ULID. If this is the case, you may change the morph type accordingly with the $morphType property.

Advanced Configuration

Laragear WebAuthn was made to work out-of-the-box, but you can override the configuration by simply publishing the config file.

After that, you will receive the config/webauthn.php config file with an array like this:

Relying Party Information

The Relying Party is just a way to uniquely identify your application in the user device:

[!WARNING]

WebAuthn authentication only work on the top domain it was registered.

Instead of modifying the config file, you should use the environment variables to set the name and ID for WebAuthn.

Challenge configuration

The outgoing challenges are random string of bytes. This controls how many bytes, the seconds which the challenge is valid, and the session key used to store the challenge while its being resolved by the device.

Laravel UI, Jetstream, Fortify, Sanctum, Breeze, Inertia and Livewire

In theory this package should work without any problems with these packages, but you may need to override or redirect the authentication flow (read: override methods) to one using WebAuthn.

There is no support for using WebAuthn with these packages because these are meant to be used with classic user-password authentication. Any issue regarding these packages will be shot down with extreme prejudice.

If you think WebAuthn is critical for these packages, consider supporting this package.

FAQ

Yes. In the case of old browsers, you should have a fallback detection script. This can be asked with the included JavaScript helper in a breeze:

No. WebAuthn only stores a cryptographic public key generated randomly by the device.

No. WebAuthn kills the phishing because, unlike passwords, the private key never leaves the device, and the key-pair is bound to the top-most domain it was registered.

An user bing phished at staetbank.com won't be able to login with a key made on the legit site statebank.com, as the device won't be able to find it.

No, unless explicitly requested and consented. This package doesn't support other attestation conveyances than none, so it's never transmitted.

Yes, as long you are hashing them as you should. This is done by Laravel by default. You can also disable them.

Yes.

Not by default, but you can enable it.

Yes. If you're not using a password fallback, you may need to create a logic to register a new device using an email or SMS. It's assumed he is reading his email using a trusted device.

Disabling a credential doesn't delete it, so it's useful as a blacklisting mechanism and these can also be re-enabled. When the credential is deleted, it goes away forever from the server, so the credential in the authenticator device becomes orphaned.

Yes. If it does, the other part of the credentials in your server gets orphaned. You may want to show the user a list of registered credentials in the application to delete them.

Extremely secure since it works only on HTTPS (or localhost). Also, no password or codes are exchanged nor visible in the screen.

Yes. Just be sure to create recovery helpers to avoid locking out your users.

It's encouraged to use Webpass package.

Alternatively, for complex WebAuthn management, consider using the navigator.credentials API directly.

This happens because you forgot the first step, using the WebAuthn driver to authenticate users.

Yes and no. To register users, you still need to use captcha, honeypots, or other mechanisms to stop bots from filling forms.

Once a user is registered, bots won't be able to log in because the real user is the only one that has the private key required for WebAuthn.

Yes, the Webpass helper does it automatically for you.

Yes, public keys are encrypted when saved into the database with your app key.

Since public keys are encrypted with your app key, older public keys will become useless. To change that, create a console command that decrypts (with the old key) and re-encrypts the public_key column of the table where the authentication data is.

No. You're free to create your own flow for recovery.

My recommendation is to email the user, pointing to a route that registers a new device, and immediately redirect him to blacklist which credential was lost (or blacklist the only one he has).

Usually.

While this is entirely up to hardware, OS and browser vendor themselves, modern platforms will show a QR code, push notification, or ask to bring closer your smartphone to complete the WebAuthn ceremony. Please check your target platforms of choice.

By default, this WebAuthn works on almost everything. Some combinations of devices, OS and Web browsers may differ on what to make available for WebAuthn authentication.

You may check this site for authenticator support.

This package supports WebAuthn 2.0, which is W3C Recommendation. Your device/OS/browser may be using an unsupported version.

There are no plans to support older WebAuthn specs. The new WebAuthn 3.0 draft spec needs to be finished to be supported.

Use localhost exclusively (not 127.0.0.1 or ::1) or use a proxy to tunnel your site through HTTPS. WebAuthn only works on localhost or under HTTPS only.

Because direct, indirect and enterprise attestations are mostly used on high-security high-risk scenarios, where an entity has total control on the devices used to authenticate. Imagine banks, medical, or military.

If you deem this feature critical for you, consider supporting this package.

No. The user can use whatever to authenticate in your app. This may be enabled on future versions.

Remember that your WebAuthn routes must use Sessions, because the Challenges are stored there.

Session are automatically started on the web route group, or using the StartSession middleware directly. You can check this on your HTTP Kernel Middleware.

If you have debugging enabled, like on development environments, the assertion data is logged in your application logs.

The rest of errors are thrown as-is. You may want to log them manually using Laravel's Error Handler depending on the case.

Yes. Instead of using webauthn:install, use vendor:publish and follow the prompts.

Some authenticators can create EdDSA 25519 public keys, which are part of W3C WebAuthn 3.0 draft. These keys are shorter and don't require too much computational power to verify, which opens the usage for low-power or "passive" authenticators (like smart-cards).

If sodium or the paragonie/sodium-compat package are not installed, the server won't report EdDSA 25519 compatibility to the authenticator, and any EdDSA 25519 public key previously stored will fail validation.

Consider also that there are no signs of EdDSA 25519 incorporation into PHP ext-openssl extension.

Laravel Octane Compatibility

There should be no problems using this package with Laravel Octane.

Security

These are some details about this WebAuthn implementation you should be aware of.

If you discover any security related issues, please email [email protected] instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

Contains Code from Lukas Buchs WebAuthn 2.0 implementation. The MIT License (MIT) where applicable.

Laravel is a Trademark of Taylor Otwell. Copyright © 2011-2022 Laravel LLC.


All versions of laravel-webauthn with dependencies

PHP Build Version
Package Version
Requires php Version ^8.1
ext-json Version *
ext-openssl Version *
illuminate/auth Version 10.*|11.*
illuminate/config Version 10.*|11.*
illuminate/database Version 10.*|11.*
illuminate/encryption Version 10.*|11.*
illuminate/http Version 10.*|11.*
illuminate/session Version 10.*|11.*
illuminate/support Version 10.*|11.*
laragear/meta-model Version ^1.1
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package jackmartin/laravel-webauthn contains the following files

Loading the files please wait ....