Ability to add custom authentication function

[trenta3]

I would like to use a custom authentication function for users.
My use case consists in having the user_ids be public keys, and I would like to authenticate them by challenging them to encrypt via their private key a short random string, and checking on the server that it can be decrypted via their ids (corresponding to the public key).

I did not find any mention of it being possible in the documentation, but I am confident it shouldn't be too hard to do.
And thank you for all the effort into developing such a beautiful piece of code!

[appy-one]

That sounds like a nice addition! I would not use the user id as public key though, I'd add a new user field public_key that allows one to change their keys later. Signing in would then require 2 new endpoints to start (challenge) and finish (check) the sign in. If you would like to implement this yourself, let me know!

[trenta3]

Glad you liked it. It seems good to me to add a field to user records, and maybe to give a default implementation, but otherwise I feel that it is necessary to leave the ability to customize such functions to the developer due to the wide variety of keys types (factorisation, elliptic curves or lattice-based) and the various kinds of checks that can be performed (diffie-hellman, message signing, etc). I am still getting familiar with the codebase and I don't have a clear idea of where I would implement those functions. Il ven 29 apr 2022, 16:38 Ewout Stortenbeker ***@***.***> ha scritto:

…

That sounds like a nice addition! I would not use the user id as public key though, I'd add a new user field public_key that allows one to change their keys later. Signing in would then require 2 new endpoints to start (challenge) and finish (check) the sign in. if If you would like to implement this yourself, let me know! — Reply to this email directly, view it on GitHub <#12 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACSTYELZZDYSIPSFNCLSRULVHPX75ANCNFSM5UDN7WPQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[trenta3]

If you can point me to relevant files and just give a couple of instructions about code style I will give it a try.

[appy-one]

I think the easiest way to go about this is if you can provide code that:

• Generates a challenge for the client, preferably in TypeScript. Eg: a function createChallenge that returns (a promise of) a ChallengeRequest object, which contains all necessary details for the client such as the random string to sign/encrypt, method to use etc.
• Signs a challenge client-side with their private key in a function that returns (a promise of) a ChallengeResponse object that can be sent back to the server
• Checks a challenge response server-side with a function that accepts a public key, ChallengeRequest and ChallengeResponse, and returns (a promise of) a boolean indicating if the check passed.

I will then handle the implementation of those into server routes and client requests.

What do you think?