2024-08-29 11:44:06 +02:00 · 2024-08-27 13:41:02 +02:00 · 2024-08-27 14:30:16 +02:00
12 changed files with 575 additions and 24 deletions
--- a/bid_main/models.py
+++ b/bid_main/models.py
@ -24,7 +24,7 @@ import user_agents

 from . import fields
 from . import hashers
-from mfa.models import EncryptedRecoveryDevice, EncryptedTOTPDevice, devices_for_user
+from mfa.models import EncryptedRecoveryDevice, EncryptedTOTPDevice, U2fDevice, devices_for_user
 import bid_main.file_utils
 import bid_main.utils

@ -550,6 +550,8 @@ class User(AbstractBaseUser, PermissionsMixin):
                devices_per_category['recovery'].append(device)
            if isinstance(device, EncryptedTOTPDevice):
                devices_per_category['totp'].append(device)
+            if isinstance(device, U2fDevice):
+                devices_per_category['u2f'].append(device)
        return devices_per_category


--- a/bid_main/templates/bid_main/mfa/setup.html
+++ b/bid_main/templates/bid_main/mfa/setup.html
@ -57,6 +57,22 @@ Multi-factor Authentication Setup
  <a href="{% url 'bid_main:mfa_totp' %}" class="btn">Configure a new TOTP device</a>
 </div>

+<div class="bid box mt-3">
+  <h3>Security keys (U2F, WebAuthn, FIDO2)</h3>
+  <p>
+    E.g. yubikey.
+  </p>
+  <ul>
+    {% for d in devices_per_category.u2f %}
+    <li>
+      {{ d.name }}
+      {% if d.last_used_at %}(Last used <abbr title="{{ d.last_used_at }}">{{ d.last_used_at|naturaltime }}</abbr>){% endif %}
+      <a class="btn btn-danger" href="{% url 'bid_main:mfa_delete_device' d.persistent_id %}"><i class="i-trash"></i></a></li>
+    {% endfor %}
+  </ul>
+  <a href="{% url 'bid_main:mfa_u2f' %}" class="btn">Configure a new security key</a>
+</div>
+
 {% if user_can_setup_recovery %}
 <div class="bid box mt-3">
  <h3 id="recovery-codes">Recovery codes</h3>
--- a/bid_main/templates/bid_main/mfa/u2f.html
+++ b/bid_main/templates/bid_main/mfa/u2f.html
@ -0,0 +1,47 @@
+{% extends 'layout.html' %}
+{% load pipeline static %}
+{% load add_form_classes from forms %}
+{% block page_title %}
+Multi-factor Authentication Setup
+{% endblock %}
+
+{% block body %}
+<div class="bid box">
+  <h2>New U2F device</h2>
+  <div class="row">
+    <div class="col-md-6">
+      {% with form=form|add_form_classes %}
+      <form method="post" id="add-u2f-form">{% csrf_token %}
+        {% with field=form.name %}
+          {% include "components/forms/field.html" %}
+        {% endwith %}
+        {% with field=form.credential %}
+          {% include "components/forms/field.html" %}
+        {% endwith %}
+        <button type="submit" class="btn" id="add-u2f-submit">Add security key</button>
+        {% if form.non_field_errors %}
+        <div class="text-danger mt-3">
+          something went wrong
+        </div>
+        {% endif %}
+      </form>
+      {% endwith %}
+    </div>
+  </div>
+</div>
+<script src="{% static 'mfa/js/webauthn-json.js' %}"></script>
+<script>
+    const form = document.getElementById('add-u2f-form');
+    form.addEventListener('submit', async (event) => {
+        event.preventDefault();
+        if (!form.checkValidity()) {
+            return false;
+        }
+        const credentialInput = document.getElementById('id_credential');
+        const credentialCreationOptions = JSON.parse(credentialInput.getAttribute('creation_options'));
+        const credential = await webauthnJSON.create(credentialCreationOptions);
+        credentialInput.value = JSON.stringify(credential);
+        form.submit();
+    });
+</script>
+{% endblock %}
--- a/bid_main/urls.py
+++ b/bid_main/urls.py
@ -171,6 +171,11 @@ urlpatterns = [
        mfa.TotpView.as_view(),
        name='mfa_totp',
    ),
+    path(
+        'mfa/u2f/',
+        mfa.U2fView.as_view(),
+        name='mfa_u2f',
+    ),
    path(
        # using `path` converter because persistent_id contains a slash
        'mfa/delete-device/<path:persistent_id>/',
--- a/bid_main/views/mfa.py
+++ b/bid_main/views/mfa.py
@ -1,6 +1,7 @@
 from base64 import b32encode, b64encode
 from binascii import unhexlify
 from io import BytesIO
+import json

 from django.conf import settings
 from django.db import transaction
@ -12,11 +13,13 @@ from django.views.generic.base import View
 from django.views.generic.edit import DeleteView, FormView
 from django_otp.models import Device
 from django_otp.util import random_hex
+from fido2.webauthn import AttestedCredentialData
 import qrcode

 from . import mixins
-from mfa.forms import DisableMfaForm, TotpMfaForm
-from mfa.models import EncryptedRecoveryDevice, EncryptedTOTPDevice, devices_for_user
+from mfa.fido2 import register_begin
+from mfa.forms import DisableMfaForm, TotpMfaForm, U2fMfaForm
+from mfa.models import EncryptedRecoveryDevice, EncryptedTOTPDevice, U2fDevice, devices_for_user
 import bid_main.tasks


@ -89,17 +92,14 @@ class InvalidateRecoveryView(mixins.MfaRequiredIfConfiguredMixin, View):


 class TotpView(mixins.MfaRequiredIfConfiguredMixin, FormView):
+    form_class = TotpMfaForm
    success_url = reverse_lazy('bid_main:mfa')
    template_name = "bid_main/mfa/totp.html"

-    def get_form(self, *args, **kwargs):
-        kwargs = self.get_form_kwargs()
-        key = self.request.POST.get('key', random_hex(20))
-        kwargs['initial']['key'] = key
-        return TotpMfaForm(**kwargs)
-
    def get_form_kwargs(self):
        kwargs = super().get_form_kwargs()
+        key = self.request.POST.get('key', random_hex(20))
+        kwargs['initial']['key'] = key
        kwargs['user'] = self.request.user
        return kwargs

@ -129,6 +129,40 @@ class TotpView(mixins.MfaRequiredIfConfiguredMixin, FormView):
        return super().form_valid(form)


+class U2fView(mixins.MfaRequiredIfConfiguredMixin, FormView):
+    form_class = U2fMfaForm
+    success_url = reverse_lazy('bid_main:mfa')
+    template_name = "bid_main/mfa/u2f.html"
+
+    def get_form_kwargs(self):
+        kwargs = super().get_form_kwargs()
+        rp_id = self.request.get_host().split(':')[0]  # remove port, required by webauthn
+        kwargs['rp_id'] = rp_id
+        kwargs['user'] = self.request.user
+
+        if self.request.method == 'GET':
+            credentials = [
+                AttestedCredentialData(d.credential)
+                for d in U2fDevice.objects.filter(user=self.request.user).all()
+            ]
+            credential_creation_options, state = register_begin(
+                rp_id, self.request.user, credentials,
+            )
+            self.request.session['u2f_create_state'] = dict(state)
+            kwargs['credential_creation_options'] = json.dumps(dict(credential_creation_options))
+        if self.request.method == 'POST':
+            kwargs['state'] = self.request.session.pop('u2f_create_state', None)
+
+        return kwargs
+
+    @transaction.atomic
+    def form_valid(self, form):
+        form.save()
+        if self.request.user.confirmed_email_at:
+            bid_main.tasks.send_new_mfa_device_email(self.request.user.pk, 'u2f')
+        return super().form_valid(form)
+
+
 class DeleteDeviceView(mixins.MfaRequiredMixin, DeleteView):
    model = Device
    template_name = "bid_main/mfa/delete_device.html"
--- a/blenderid/settings.py
+++ b/blenderid/settings.py
@ -108,6 +108,7 @@ AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
 ]

+FIDO2_RP_NAME = "Blender ID"
 OTP_TOTP_ISSUER = "id.blender.org"

 ROOT_URLCONF = "blenderid.urls"
--- a/mfa/fido2.py
+++ b/mfa/fido2.py
@ -0,0 +1,38 @@
+from django.conf import settings
+from fido2.server import Fido2Server
+from fido2.webauthn import (
+    PublicKeyCredentialRpEntity,
+    PublicKeyCredentialUserEntity,
+    ResidentKeyRequirement,
+    UserVerificationRequirement,
+)
+import fido2.features
+
+# needed to automatically convert between bytes and base64url
+fido2.features.webauthn_json_mapping.enabled = True
+
+
+def get_fido2server(rp_id):
+    return Fido2Server(
+        PublicKeyCredentialRpEntity(
+            id=rp_id,
+            name=settings.FIDO2_RP_NAME,
+        )
+    )
+
+
+def register_begin(rp_id, user, credentials=[]):
+    return get_fido2server(rp_id).register_begin(
+        PublicKeyCredentialUserEntity(
+            display_name=user.email,
+            id=user.pk.to_bytes(8, 'big'),
+            name=user.email,
+        ),
+        credentials,
+        resident_key_requirement=ResidentKeyRequirement.DISCOURAGED,
+        user_verification=UserVerificationRequirement.DISCOURAGED,
+    )
+
+
+def register_complete(rp_id, state, credential):
+    return get_fido2server(rp_id).register_complete(state, credential)
--- a/mfa/forms.py
+++ b/mfa/forms.py
@ -8,7 +8,21 @@ from django.utils.translation import gettext_lazy as _
 from django_otp.oath import TOTP
 from otp_agents.views import OTPTokenForm

-from mfa.models import EncryptedTOTPDevice
+from mfa.fido2 import register_complete
+from mfa.models import EncryptedTOTPDevice, U2fDevice
+
+
+def _sign(payload):
+    signer = TimestampSigner()
+    return signer.sign(payload)
+
+
+def _verify_signature(payload, signature, max_age=3600):
+    signer = TimestampSigner()
+    try:
+        return payload == signer.unsign(signature, max_age=max_age)
+    except BadSignature:
+        return False


 class MfaForm(OTPTokenForm):
@ -95,9 +109,7 @@ class TotpMfaForm(forms.Form):

    def __init__(self, *args, **kwargs):
        self.user = kwargs.pop('user', None)
-        kwargs['initial']['signature'] = self.sign(
-            f"{self.user.email}_{kwargs['initial']['key']}"
-        )
+        kwargs['initial']['signature'] = _sign(f"{self.user.email}_{kwargs['initial']['key']}")
        super().__init__(*args, **kwargs)

    def clean(self):
@ -105,7 +117,7 @@ class TotpMfaForm(forms.Form):
        code = self.data.get('code')
        key = self.data.get('key')
        signature = self.cleaned_data.get('signature')
-        if not self.verify_signature(f'{self.user.email}_{key}', signature):
+        if not _verify_signature(f'{self.user.email}_{key}', signature):
            raise forms.ValidationError(_('Invalid signature'))
        self.cleaned_data['key'] = key
        if not TOTP(unhexlify(key)).verify(int(code), tolerance=1):
@ -117,16 +129,32 @@ class TotpMfaForm(forms.Form):
        name = self.cleaned_data.get('name')
        EncryptedTOTPDevice.objects.create(encrypted_key=key, key='', name=name, user=self.user)

-    @classmethod
-    def sign(cls, payload):
-        signer = TimestampSigner()
-        return signer.sign(payload)

-    @classmethod
-    def verify_signature(cls, payload, signature, max_age=3600):
+class U2fMfaForm(forms.Form):
+    credential = forms.JSONField(widget=forms.HiddenInput)
+    name = forms.CharField(
+        max_length=U2fDevice._meta.get_field('name').max_length,
+        widget=forms.TextInput(
+            attrs={"placeholder": "device name (for your convenience)"},
+        ),
+    )

-        signer = TimestampSigner()
+    def __init__(self, *args, **kwargs):
+        credential_creation_options = kwargs.pop('credential_creation_options', None)
+        self.rp_id = kwargs.pop('rp_id', None)
+        self.state = kwargs.pop('state', None)
+        self.user = kwargs.pop('user', None)
+        super().__init__(*args, **kwargs)
+        self.fields['credential'].widget.attrs['creation_options'] = credential_creation_options
+
+    def save(self):
+        credential = self.cleaned_data.get('credential')
+        name = self.cleaned_data.get('name')
+        auth_data = None
        try:
-            return payload == signer.unsign(signature, max_age=max_age)
-        except BadSignature:
-            return False
+            auth_data = register_complete(self.rp_id, self.state, credential)
+        except Exception:
+            raise forms.ValidationError(_('Verification failed'))
+        U2fDevice.objects.create(
+            user=self.user, credential=auth_data.credential_data, name=name,
+        )
--- a/mfa/migrations/0002_u2fdevice.py
+++ b/mfa/migrations/0002_u2fdevice.py
@ -0,0 +1,81 @@
+# Generated by Django 4.2.13 on 2024-08-19 14:38
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('mfa', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='U2fDevice',
+            fields=[
+                (
+                    'id',
+                    models.BigAutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name='ID'
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(
+                        help_text='The human-readable name of this device.', max_length=64
+                    ),
+                ),
+                (
+                    'confirmed',
+                    models.BooleanField(default=True, help_text='Is this device ready for use?'),
+                ),
+                (
+                    'throttling_failure_timestamp',
+                    models.DateTimeField(
+                        blank=True,
+                        default=None,
+                        help_text='A timestamp of the last failed verification attempt. Null if last attempt succeeded.',
+                        null=True,
+                    ),
+                ),
+                (
+                    'throttling_failure_count',
+                    models.PositiveIntegerField(
+                        default=0, help_text='Number of successive failed attempts.'
+                    ),
+                ),
+                (
+                    'created_at',
+                    models.DateTimeField(
+                        auto_now_add=True,
+                        help_text='The date and time when this device was initially created in the system.',
+                        null=True,
+                    ),
+                ),
+                (
+                    'last_used_at',
+                    models.DateTimeField(
+                        blank=True,
+                        help_text='The most recent date and time this device was used.',
+                        null=True,
+                    ),
+                ),
+                ('credential', models.BinaryField()),
+                (
+                    'user',
+                    models.ForeignKey(
+                        help_text='The user that this device belongs to.',
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                'verbose_name': 'U2F device',
+                'abstract': False,
+            },
+        ),
+    ]
--- a/mfa/models.py
+++ b/mfa/models.py
@ -11,6 +11,7 @@ the upstream implementation as much as possible.
 from binascii import unhexlify

 from django.db import models, transaction
+from django_otp.models import Device, ThrottlingMixin, TimestampMixin
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice
 from nacl_encrypted_fields.fields import NaClCharField
@ -75,6 +76,13 @@ class EncryptedTOTPDevice(TOTPDevice):
        return unhexlify(self.encrypted_key.encode())


+class U2fDevice(TimestampMixin, ThrottlingMixin, Device):
+    credential = models.BinaryField()
+
+    class Meta(Device.Meta):
+        verbose_name = "U2F device"
+
+
 def devices_for_user(user):
    """ A more specific replacement for upstream devices_for_user.

@ -84,4 +92,5 @@ def devices_for_user(user):
    return [
        *EncryptedRecoveryDevice.objects.filter(user=user).all(),
        *EncryptedTOTPDevice.objects.filter(user=user).all(),
+        *U2fDevice.objects.filter(user=user).all(),
    ]
--- a/mfa/static/mfa/js/webauthn-json.js
+++ b/mfa/static/mfa/js/webauthn-json.js
@ -0,0 +1,289 @@
+// https://github.com/github/webauthn-json 
+// via https://github.com/pennersr/django-allauth/blob/main/allauth/mfa/static/mfa/js/webauthn-json.js
+//
+// The MIT License (MIT)
+// 
+// Copyright (c) 2019 GitHub, Inc.
+// Copyright (c) 2010-2021 Raymond Penners and contributors
+// 
+// Permission is hereby granted, free of charge, to any person
+// obtaining a copy of this software and associated documentation
+// files (the "Software"), to deal in the Software without
+// restriction, including without limitation the rights to use,
+// copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the
+// Software is furnished to do so, subject to the following
+// conditions:
+// 
+// The above copyright notice and this permission notice shall be
+// included in all copies or substantial portions of the Software.
+// 
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+// OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+// WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+// FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+// OTHER DEALINGS IN THE SOFTWARE.
+
+'use strict';
+(() => {
+  const __defProp = Object.defineProperty
+  const __export = (target, all) => {
+    for (const name in all) { __defProp(target, name, { get: all[name], enumerable: true }) }
+  }
+  const __async = (__this, __arguments, generator) => {
+    return new Promise((resolve, reject) => {
+      const fulfilled = (value) => {
+        try {
+          step(generator.next(value))
+        } catch (e) {
+          reject(e)
+        }
+      }
+      const rejected = (value) => {
+        try {
+          step(generator.throw(value))
+        } catch (e) {
+          reject(e)
+        }
+      }
+      var step = (x) => x.done ? resolve(x.value) : Promise.resolve(x.value).then(fulfilled, rejected)
+      step((generator = generator.apply(__this, __arguments)).next())
+    })
+  }
+
+  // src/webauthn-json/index.ts
+  const webauthn_json_exports = {}
+  __export(webauthn_json_exports, {
+    create: () => create,
+    get: () => get,
+    schema: () => schema,
+    supported: () => supported
+  })
+
+  // src/webauthn-json/base64url.ts
+  function base64urlToBuffer (baseurl64String) {
+    const padding = '=='.slice(0, (4 - baseurl64String.length % 4) % 4)
+    const base64String = baseurl64String.replace(/-/g, '+').replace(/_/g, '/') + padding
+    const str = atob(base64String)
+    const buffer = new ArrayBuffer(str.length)
+    const byteView = new Uint8Array(buffer)
+    for (let i = 0; i < str.length; i++) {
+      byteView[i] = str.charCodeAt(i)
+    }
+    return buffer
+  }
+  function bufferToBase64url (buffer) {
+    const byteView = new Uint8Array(buffer)
+    let str = ''
+    for (const charCode of byteView) {
+      str += String.fromCharCode(charCode)
+    }
+    const base64String = btoa(str)
+    const base64urlString = base64String.replace(/\+/g, '-').replace(
+      /\//g,
+      '_'
+    ).replace(/=/g, '')
+    return base64urlString
+  }
+
+  // src/webauthn-json/convert.ts
+  const copyValue = 'copy'
+  const convertValue = 'convert'
+  function convert (conversionFn, schema2, input) {
+    if (schema2 === copyValue) {
+      return input
+    }
+    if (schema2 === convertValue) {
+      return conversionFn(input)
+    }
+    if (schema2 instanceof Array) {
+      return input.map((v) => convert(conversionFn, schema2[0], v))
+    }
+    if (schema2 instanceof Object) {
+      const output = {}
+      for (const [key, schemaField] of Object.entries(schema2)) {
+        if (schemaField.derive) {
+          const v = schemaField.derive(input)
+          if (v !== void 0) {
+            input[key] = v
+          }
+        }
+        if (!(key in input)) {
+          if (schemaField.required) {
+            throw new Error(`Missing key: ${key}`)
+          }
+          continue
+        }
+        if (input[key] == null) {
+          output[key] = null
+          continue
+        }
+        output[key] = convert(
+          conversionFn,
+          schemaField.schema,
+          input[key]
+        )
+      }
+      return output
+    }
+  }
+  function derived (schema2, derive) {
+    return {
+      required: true,
+      schema: schema2,
+      derive
+    }
+  }
+  function required (schema2) {
+    return {
+      required: true,
+      schema: schema2
+    }
+  }
+  function optional (schema2) {
+    return {
+      required: false,
+      schema: schema2
+    }
+  }
+
+  // src/webauthn-json/basic/schema.ts
+  const publicKeyCredentialDescriptorSchema = {
+    type: required(copyValue),
+    id: required(convertValue),
+    transports: optional(copyValue)
+  }
+  const simplifiedExtensionsSchema = {
+    appid: optional(copyValue),
+    appidExclude: optional(copyValue),
+    credProps: optional(copyValue)
+  }
+  const simplifiedClientExtensionResultsSchema = {
+    appid: optional(copyValue),
+    appidExclude: optional(copyValue),
+    credProps: optional(copyValue)
+  }
+  const credentialCreationOptions = {
+    publicKey: required({
+      rp: required(copyValue),
+      user: required({
+        id: required(convertValue),
+        name: required(copyValue),
+        displayName: required(copyValue)
+      }),
+      challenge: required(convertValue),
+      pubKeyCredParams: required(copyValue),
+      timeout: optional(copyValue),
+      excludeCredentials: optional([publicKeyCredentialDescriptorSchema]),
+      authenticatorSelection: optional(copyValue),
+      attestation: optional(copyValue),
+      extensions: optional(simplifiedExtensionsSchema)
+    }),
+    signal: optional(copyValue)
+  }
+  const publicKeyCredentialWithAttestation = {
+    type: required(copyValue),
+    id: required(copyValue),
+    rawId: required(convertValue),
+    authenticatorAttachment: optional(copyValue),
+    response: required({
+      clientDataJSON: required(convertValue),
+      attestationObject: required(convertValue),
+      transports: derived(
+        copyValue,
+        (response) => {
+          let _a
+          return ((_a = response.getTransports) == null ? void 0 : _a.call(response)) || []
+        }
+      )
+    }),
+    clientExtensionResults: derived(
+      simplifiedClientExtensionResultsSchema,
+      (pkc) => pkc.getClientExtensionResults()
+    )
+  }
+  const credentialRequestOptions = {
+    mediation: optional(copyValue),
+    publicKey: required({
+      challenge: required(convertValue),
+      timeout: optional(copyValue),
+      rpId: optional(copyValue),
+      allowCredentials: optional([publicKeyCredentialDescriptorSchema]),
+      userVerification: optional(copyValue),
+      extensions: optional(simplifiedExtensionsSchema)
+    }),
+    signal: optional(copyValue)
+  }
+  const publicKeyCredentialWithAssertion = {
+    type: required(copyValue),
+    id: required(copyValue),
+    rawId: required(convertValue),
+    authenticatorAttachment: optional(copyValue),
+    response: required({
+      clientDataJSON: required(convertValue),
+      authenticatorData: required(convertValue),
+      signature: required(convertValue),
+      userHandle: required(convertValue)
+    }),
+    clientExtensionResults: derived(
+      simplifiedClientExtensionResultsSchema,
+      (pkc) => pkc.getClientExtensionResults()
+    )
+  }
+  var schema = {
+    credentialCreationOptions,
+    publicKeyCredentialWithAttestation,
+    credentialRequestOptions,
+    publicKeyCredentialWithAssertion
+  }
+
+  // src/webauthn-json/basic/api.ts
+  function createRequestFromJSON (requestJSON) {
+    return convert(base64urlToBuffer, credentialCreationOptions, requestJSON)
+  }
+  function createResponseToJSON (credential) {
+    return convert(
+      bufferToBase64url,
+      publicKeyCredentialWithAttestation,
+      credential
+    )
+  }
+  function create (requestJSON) {
+    return __async(this, null, function * () {
+      const credential = yield navigator.credentials.create(
+        createRequestFromJSON(requestJSON)
+      )
+      return createResponseToJSON(credential)
+    })
+  }
+  function getRequestFromJSON (requestJSON) {
+    return convert(base64urlToBuffer, credentialRequestOptions, requestJSON)
+  }
+  function getResponseToJSON (credential) {
+    return convert(
+      bufferToBase64url,
+      publicKeyCredentialWithAssertion,
+      credential
+    )
+  }
+  function get (requestJSON) {
+    return __async(this, null, function * () {
+      const credential = yield navigator.credentials.get(
+        getRequestFromJSON(requestJSON)
+      )
+      return getResponseToJSON(credential)
+    })
+  }
+
+  // src/webauthn-json/basic/supported.ts
+  function supported () {
+    return !!(navigator.credentials && navigator.credentials.create && navigator.credentials.get && window.PublicKeyCredential)
+  }
+
+  // src/webauthn-json/browser-global.ts
+  globalThis.webauthnJSON = webauthn_json_exports
+})()
+// # sourceMappingURL=webauthn-json.browser-global.js.map
--- a/requirements.txt
+++ b/requirements.txt
@ -22,6 +22,7 @@ django-otp-agents==1.0.1
 django-pipeline==3.1.0 ; python_version >= "3.8" and python_version < "4"
 dj-database-url==2.2.0
 docutils==0.14 ; python_version >= "3.8" and python_version < "4"
+fido2==1.1.3
 htmlmin==0.1.12 ; python_version >= "3.8" and python_version < "4"
 idna==2.8 ; python_version >= "3.8" and python_version < "4"
 importlib-metadata==3.6.0 ; python_version >= "3.8" and python_version < "4"