How to use a database on the server to store users, challenges, Authenticator Devices? #358
Hey @thomasreisinger, just another user here, but I thought maybe I could help you along.
You can use any storage method that works for your use case. I'm not sure I'd use JSON on a file since it wouldn't scale, but in some cases it might be OK. For MySQL you could use any normal SQL insert/update/delete statements, or you could use any ORM libraries you like.
First, you need to store an object to represent each user. If you already have a user object, you should be able to use that and map the objects to the format. See the UserModel defined in the documentation at https://simplewebauthn.dev/docs/packages/server. Basically it's a unique ID as a string, a username as a string, and the challenge as a string. If you already have a user store, you could store the challenge separate from the user. You'd just need to add it to the UserModel object before passing it to SimpleWebAuthn.
Second, you need to store 0 or more Authenticator objects, retrievable by user. The interface for these is immediately below the UserModel above. To authenticate, you need to pass all of the Authenticators for the user to the library. You can store these as individual SQL table fields, you could store it as a JSON blob, or any other method, just so long as you can assemble them into the right interface and pass them to the library. You'll also need to be able to update the counter field when the authenticator is used, because this is used to help spot cloned authenticators.
Paul
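One way to lay out the storage described in the reply above, as an added example that is not part of the thread or of SimpleWebAuthn's own code: users with their authenticators are serialized to JSON text (binary fields as base64url), challenges are kept separately and handed out once, and a counter update that fails to increase is rejected. The class and method names are hypothetical, the `credentialID` and `credentialPublicKey` field names are assumptions modeled on the linked docs, and writing the serialized string to a file or a MySQL column is left to the caller.

```javascript
// Added example; WebAuthnStore and its methods are hypothetical names.
// Assumed authenticator shape: { credentialID: Buffer, credentialPublicKey: Buffer, counter }.
const mapKeys = (u, f) => ({ ...u, authenticators: u.authenticators.map((a) => ({
  ...a, credentialID: f(a.credentialID), credentialPublicKey: f(a.credentialPublicKey) })) });

class WebAuthnStore {
  constructor() {
    this.users = new Map();      // userId -> { id, username, authenticators: [] }
    this.challenges = new Map(); // userId -> pending challenge (short-lived, not persisted)
  }
  addUser(id, username) { this.users.set(id, { id, username, authenticators: [] }); }
  getAuthenticators(userId) { return this.users.get(userId)?.authenticators ?? []; }
  addAuthenticator(userId, auth) { this.users.get(userId).authenticators.push(auth); }
  setChallenge(userId, challenge) { this.challenges.set(userId, challenge); }
  // Hand out the pending challenge once, then forget it, so it cannot be reused.
  takeChallenge(userId) {
    const challenge = this.challenges.get(userId);
    this.challenges.delete(userId);
    return challenge;
  }
  // Store the counter reported by a successful authentication. A counter that
  // fails to increase can indicate a cloned authenticator; 0 -> 0 is allowed
  // because some authenticators never increment their counter.
  updateCounter(userId, credentialID, newCounter) {
    const auth = this.getAuthenticators(userId).find((a) => a.credentialID.equals(credentialID));
    if (!auth) throw new Error('unknown credential');
    if (newCounter <= auth.counter && (newCounter !== 0 || auth.counter !== 0)) {
      throw new Error('counter did not increase');
    }
    auth.counter = newCounter;
  }
  // Binary fields become base64url text so they fit a JSON file or a SQL column.
  serialize() {
    return JSON.stringify([...this.users.values()].map((u) => mapKeys(u, (b) => b.toString('base64url'))));
  }
  static deserialize(text) {
    const store = new WebAuthnStore();
    for (const u of JSON.parse(text)) {
      store.users.set(u.id, mapKeys(u, (s) => Buffer.from(s, 'base64url')));
    }
    return store;
  }
}

// Constructed sample data: register, persist, reload, then record a login.
const demoStore = new WebAuthnStore();
demoStore.addUser('u1', 'alice');
demoStore.addAuthenticator('u1', { credentialID: Buffer.from([1, 2, 3]), credentialPublicKey: Buffer.from([4, 5, 6]), counter: 0 });
const demoReloaded = WebAuthnStore.deserialize(demoStore.serialize());
demoReloaded.updateCounter('u1', Buffer.from([1, 2, 3]), 1);
console.log(demoReloaded.getAuthenticators('u1')[0].counter);
```

With MySQL the same mapping applies per row: one table for users, one for authenticators keyed by user ID, and an `UPDATE` of the counter column where this example calls `updateCounter`.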
Hi,
Sorry, I'm a newbie and was able to start up the example project. As far as I understand, all the registrations etc. are kept in memory on the server and lost after a restart.
How can I store users, challenges, authenticator devices as mentioned in example-server.d.ts as JSON in a file on the server or for example in MySQL?
Cheers,
Thomas