I'm thrilled to introduce passkey-go, a new Go library I built to make implementing server-side WebAuthn (Passkey) verification significantly simpler and more robust in your Go applications.
While WebAuthn offers powerful, phishing-resistant authentication, its specification can be quite complex to implement correctly on the server side. My goal with passkey-go was to abstract away the low-level parsing and cryptographic details, providing both a high-level, easy-to-use API for common tasks and the flexibility for more advanced, step-by-step verification.
Here's what passkey-go offers:
Effortless Verification: The VerifyAssertion function provides a single, high-level call to validate authentication responses, handling all cryptographic checks, origin verification, and sign count validation for you.
Flexible Registration: For registration, the library offers clear, sequential steps to parse attestation objects, extract authenticator data, and convert COSE keys to *ecdsa.PublicKey for storage.
Granular Control: If you need more control, you can use the ParseAssertion, ParseClientDataJSON, VerifyAssertionSignature, and CheckSignCount functions to perform verification step-by-step.
Secure by Design: It focuses on handling the core verification logic correctly, ensuring signature validation, challenge matching, and preventing replay attacks through signCount checks.
Clear Error Handling: PasskeyError types help you map common WebAuthn-related issues directly to appropriate HTTP statuses, simplifying API error responses.
Minimalist Design: passkey-go focuses solely on the WebAuthn verification logic. It doesn't dictate how you store challenges or credentials, giving you full control over your user and data management.
ES256 Support: Adheres to WebAuthn recommendations by exclusively supporting ES256 (ECDSA w/ SHA-256) for robust security.
Go-Idiomatic: Designed with Go developers in mind, providing clear function signatures and standard error handling.
This library handles the complex parts of WebAuthn verification, allowing you to integrate secure Passkey authentication quickly without getting bogged down in the spec's intricacies.
You can find the repository and more detailed usage examples here: https://github.com/aethiopicuschan/passkey-go
I'm keen to hear your thoughts, feedback, and any suggestions for future improvements. Feel free to open issues or pull requests on GitHub!
Thanks for checking it out!