We are preparing to implement WebAuthn support for two Meteor-based projects, ozwell.ai and BlueHive. Our goal is to contribute this back to the community and ensure it’s beneficial for everyone.
Before starting, I’d love your input:
Would the community prefer WebAuthn integration into the existing core accounts-2fa package, accounts-passwordless, or should we create a standalone package (e.g., bluehive:accounts-webauthn)?
Your thoughts and advice are greatly appreciated! Looking forward to collaborating and making Meteor even stronger.
I have already implemented this in one of my projects. I store the keys in a separate DB, not on the Users because I use it to lock the screen, and I don’t want to query the Users DB for these tokens.
I can share both server and client side of code, but I’d need to explain some things, we need to sit in a peer coding as I disassemble parts of code from my project and you/we assemble it in a Meteor package. Testing can only be done with valid domains and SSL.
I can start this one. I just realized that I have it into a package already :)). The client side implementation is a bit more … not so straightforward.
I think you should start on working on core package/implementation. It is something that has been already discussed and is on the radar. Honestly my goal was to work on this over the summer anyway so I’m ready to help and champion this as a core package. I see it as a necessity to be in Meteor core and it is a natural extension of the existing account packages.
I created a repo based on my local package and components.
I use React, Redux, MUI 7, and the example is based on these. I think the comments are explanatory and documentations were written with AI.
This package introduces a new collection for storing the WebAuthn tokens and uses a custom package for simpl-schema. This could be eliminated by using Check and Match of Meteor.
The local DB connects to a local MongoDB Server and needs to be adjusted for your port number for MongoDB.
The package focuses on generating and storing the tokens, not specifically in the Accounts context.
To answer the initial question, I think WebAuthn should be available in 2 packages.
Similar to this one I share, an abstract implementation to add the functionality, such as bluehive:webauthn. This would be a direct Meteorization of the NPM package. If I want biometrics without User authentication, can take from this package.
A second package to depend on the first package and implement bluehive:accounts-webauthn.