From 4fae38b8d6eb5df3f5fe1290bfd16c45de1fa0dd Mon Sep 17 00:00:00 2001
From: Matthew Miller
Date: Sun, 9 Aug 2020 22:05:51 -0700
Subject: Add default authenticator selection options
---
 .../server/src/attestation/generateAttestationOptions.ts | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'packages/server/src')
diff --git a/packages/server/src/attestation/generateAttestationOptions.ts b/packages/server/src/attestation/generateAttestationOptions.ts
index f2d41f2..8c57e0a 100644
--- a/packages/server/src/attestation/generateAttestationOptions.ts
+++ b/packages/server/src/attestation/generateAttestationOptions.ts
@@ -50,6 +50,18 @@ export const supportedCOSEAlgorithmIdentifiers: COSEAlgorithmIdentifier[] = [
 -65535,
 ];
+/**
+ * Set up some default authenticator selection options as per the latest spec:
+ * https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria
+ *
+ * Helps with some older platforms (e.g. Android 7.0 Nougat) that may not be aware of these
+ * defaults.
+ */
+const defaultAuthenticatorSelection: AuthenticatorSelectionCriteria = {
+ requireResidentKey: false,
+ userVerification: 'preferred',
+};
+
 /**
 * Filter out known bad/deprecated/etc... algorithm ID's so they're not used for new attestations.
 * See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
@@ -92,7 +104,7 @@ export default function generateAttestationOptions(
 attestationType = 'none',
 excludedCredentialIDs = [],
 suggestedTransports = ['usb', 'ble', 'nfc', 'internal'],
- authenticatorSelection,
+ authenticatorSelection = defaultAuthenticatorSelection,
 extensions,
 supportedAlgorithmIDs = defaultSupportedAlgorithmIDs,
 } = options;
--
cgit v1.2.3
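Review bot: The doc comment on `defaultAuthenticatorSelection` should say that `userVerification: 'preferred'` is best-effort, since an authenticator may complete registration with user presence only. A relying party that depends on user verification has to pass `'required'` and also check the UV flag in the authenticator data when it verifies the response; whether the verification side of this package enforces that is not visible in this patch. Suggested extra comment line: `* NOTE: 'preferred' does not guarantee user verification; pass 'required' and check the UV flag during verification when UV is mandatory.`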
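Review bot: The destructuring default on `authenticatorSelection` applies only when the caller omits the property entirely, so a caller that passes a partial object (for example one that sets only `authenticatorAttachment`) still gets options without `requireResidentKey` and `userVerification`, and the older platforms named in the comment would see the same gap. Dropping the destructuring default and merging instead, e.g. `const mergedSelection = { ...defaultAuthenticatorSelection, ...authenticatorSelection };`, covers both cases and also avoids handing the shared module-level object to callers by reference, where a mutation would leak into later calls. The point where the value is placed into the returned options lies outside this hunk, so the merge location needs to be confirmed there.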