1 //Copyright 2014-2015 Google Inc. All rights reserved.
3 //Use of this source code is governed by a BSD-style
4 //license that can be found in the LICENSE file or at
5 //https://developers.google.com/open-source/licenses/bsd
8 * @fileoverview The U2F api.
14 * Namespace for the U2F api.
20 * FIDO U2F Javascript API Version
26 * The U2F extension id
// The Chrome packaged app extension ID.
// Uncomment this if you want to deploy a server instance that uses
// the package Chrome app and does not require installing the U2F Chrome extension.
// NOTE(review): this ID decides which extension origin the page talks to
// (chrome.runtime.sendMessage/connect and the chrome-extension:// trampoline
// iframe below), so it is a trust anchor for the transport; keep it a
// compile-time constant rather than something derived from page input.
u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
// The U2F Chrome extension ID.
// Uncomment this if you want to deploy a server instance that uses
// the U2F Chrome extension to authenticate.
// u2f.EXTENSION_ID = 'pfboblefjcgdjicmnffhdgionmgcdmne';
/**
 * Message types for messages to/from the extension
 * Request types are set by the format*Request_ helpers and getApiVersion;
 * the matching *_RESPONSE values are what the extension answers with.
 * @const
 * @enum {string}
 */
u2f.MessageTypes = {
  'U2F_REGISTER_REQUEST': 'u2f_register_request',
  'U2F_REGISTER_RESPONSE': 'u2f_register_response',
  'U2F_SIGN_REQUEST': 'u2f_sign_request',
  'U2F_SIGN_RESPONSE': 'u2f_sign_response',
  'U2F_GET_API_VERSION_REQUEST': 'u2f_get_api_version_request',
  'U2F_GET_API_VERSION_RESPONSE': 'u2f_get_api_version_response'
};
55 * Response status codes
63 'CONFIGURATION_UNSUPPORTED': 3,
64 'DEVICE_INELIGIBLE': 4,
70 * A message for registration requests
72 * type: u2f.MessageTypes,
74 * timeoutSeconds: ?number,
82 * A message for registration responses
84 * type: u2f.MessageTypes,
85 * responseData: (u2f.Error | u2f.RegisterResponse | u2f.SignResponse),
93 * An error object for responses
95 * errorCode: u2f.ErrorCodes,
96 * errorMessage: ?string
102 * Data object for a single sign request.
103 * @typedef {enum {BLUETOOTH_RADIO, BLUETOOTH_LOW_ENERGY, USB, NFC}}
109 * Data object for a single sign request.
110 * @typedef {Array<u2f.Transport>}
115 * Data object for a single sign request.
127 * Data object for a sign response.
130 * signatureData: string,
138 * Data object for a registration request.
148 * Data object for a registration response.
152 * transports: Transports,
u2f.RegisterResponse; // Closure typedef anchor only; a bare property read with no runtime effect.
160 * Data object for a registered key.
164 * transports: ?Transports,
172 * Data object for a get API register response.
174 * js_api_version: number
u2f.GetJsApiVersionResponse; // Closure typedef anchor only; a bare property read with no runtime effect.
180 //Low level MessagePort API support
/**
 * Sets up a MessagePort to the U2F extension using the
 * available mechanisms.
 * Transport selection, in order: direct chrome.runtime messaging (only if
 * the extension accepts a probe message from this origin), the Android
 * Authenticator intent wrapper, the iOS client app wrapper, and otherwise
 * the extension-hosted trampoline iframe. The mobile branches are chosen
 * by user-agent / platform sniffing, which is a heuristic, not a check the
 * page can rely on for trust.
 * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
 */
u2f.getMessagePort = function(callback) {
  if (typeof chrome != 'undefined' && chrome.runtime) {
    // The actual message here does not matter, but we need to get a reply
    // for the callback to run. Thus, send an empty signature request
    // in order to get a failure response.
    var msg = {
      type: u2f.MessageTypes.U2F_SIGN_REQUEST,
      signRequests: []
    };
    chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() {
      if (!chrome.runtime.lastError) {
        // We are on a whitelisted origin and can talk directly
        // with the extension.
        u2f.getChromeRuntimePort_(callback);
      } else {
        // chrome.runtime was available, but we couldn't message
        // the extension directly, use iframe
        u2f.getIframePort_(callback);
      }
    });
  } else if (u2f.isAndroidChrome_()) {
    u2f.getAuthenticatorPort_(callback);
  } else if (u2f.isIosChrome_()) {
    u2f.getIosPort_(callback);
  } else {
    // chrome.runtime was not available at all, which is normal
    // when this origin doesn't have access to any extensions.
    u2f.getIframePort_(callback);
  }
};
/**
 * Detect chrome running on android based on the browser's useragent.
 * Both substrings 'Chrome' and 'Android' must appear. The user agent is
 * supplied by the client, so this only steers transport selection and
 * must not be treated as a trust decision.
 * @private
 * @return {boolean}
 */
u2f.isAndroidChrome_ = function() {
  var ua = navigator.userAgent;
  return /Chrome/.test(ua) && /Android/.test(ua);
};
/**
 * Detect chrome running on iOS based on the browser's platform.
 * Despite the name, only navigator.platform is consulted, so any browser
 * reporting an iPhone/iPad/iPod platform matches.
 * @private
 * @return {boolean}
 */
u2f.isIosChrome_ = function() {
  switch (navigator.platform) {
    case 'iPhone':
    case 'iPad':
    case 'iPod':
      return true;
    default:
      return false;
  }
};
/**
 * Connects directly to the extension via chrome.runtime.connect.
 * The connection is opened synchronously; the wrapped port is handed to
 * the callback on a setTimeout so the callback always runs asynchronously,
 * like the other port factories.
 * @param {function(u2f.WrappedChromeRuntimePort_)} callback
 * @private
 */
u2f.getChromeRuntimePort_ = function(callback) {
  // includeTlsChannelId asks Chrome to expose the page's TLS channel ID to
  // the extension (Chrome-side behaviour; see the chrome.runtime docs).
  var port = chrome.runtime.connect(u2f.EXTENSION_ID,
      {'includeTlsChannelId': true});
  setTimeout(function() {
    callback(new u2f.WrappedChromeRuntimePort_(port));
  }, 0);
};
/**
 * Return a 'port' abstraction to the Authenticator app.
 * The callback receives a fresh WrappedAuthenticatorPort_, asynchronously
 * via setTimeout.
 * @param {function(u2f.WrappedAuthenticatorPort_)} callback
 * @private
 */
u2f.getAuthenticatorPort_ = function(callback) {
  setTimeout(function() {
    callback(new u2f.WrappedAuthenticatorPort_());
  }, 0);
};
/**
 * Return a 'port' abstraction to the iOS client app.
 * The callback receives a fresh WrappedIosPort_, asynchronously via
 * setTimeout.
 * @param {function(u2f.WrappedIosPort_)} callback
 * @private
 */
u2f.getIosPort_ = function(callback) {
  setTimeout(function() {
    callback(new u2f.WrappedIosPort_());
  }, 0);
};
/**
 * A wrapper for chrome.runtime.Port that is compatible with MessagePort.
 * Stores the port; postMessage/addEventListener on the prototype forward
 * to it.
 * @param {Port} port
 * @constructor
 * @private
 */
u2f.WrappedChromeRuntimePort_ = function(port) {
  this.port_ = port;
};
/**
 * Format and return a sign request compliant with the JS API version supported by the extension.
 * Below JS API 1.1 (or while the version is still unknown) the request is
 * adapted to the 1.0 shape: one signRequest per registered key, each
 * carrying the shared challenge and appId. From 1.1 on, appId, challenge
 * and registeredKeys are sent as-is.
 * @param {string=} appId
 * @param {string=} challenge
 * @param {Array<u2f.RegisteredKey>} registeredKeys
 * @param {number} timeoutSeconds
 * @param {number} reqId
 * @return {Object} the message to post to the extension
 * @private
 */
u2f.formatSignRequest_ =
  function(appId, challenge, registeredKeys, timeoutSeconds, reqId) {
  // js_api_version is a file-level variable populated by u2f.sign /
  // u2f.register from the getApiVersion response.
  if (js_api_version === undefined || js_api_version < 1.1) {
    // Adapt request to the 1.0 JS API
    var signRequests = [];
    for (var i = 0; i < registeredKeys.length; i++) {
      signRequests[i] = {
          version: registeredKeys[i].version,
          challenge: challenge,
          keyHandle: registeredKeys[i].keyHandle,
          appId: appId
      };
    }
    return {
      type: u2f.MessageTypes.U2F_SIGN_REQUEST,
      signRequests: signRequests,
      timeoutSeconds: timeoutSeconds,
      requestId: reqId
    };
  }
  // JS 1.1 API
  return {
    type: u2f.MessageTypes.U2F_SIGN_REQUEST,
    appId: appId,
    challenge: challenge,
    registeredKeys: registeredKeys,
    timeoutSeconds: timeoutSeconds,
    requestId: reqId
  };
};
/**
 * Format and return a register request compliant with the JS API version supported by the extension.
 * Below JS API 1.1 (or while the version is still unknown) the request is
 * adapted to the 1.0 shape: the appId is stamped onto every registerRequest
 * in place (the caller's objects are mutated), and each registered key is
 * turned into a signRequest so an already-registered token can be detected.
 * From 1.1 on, the inputs are sent as-is.
 * NOTE(review): in the 1.0 branch `challenge: registerRequests[0]` assigns
 * the whole first register request object rather than its challenge string;
 * this looks like it was meant to be `registerRequests[0].challenge`. Left
 * unchanged pending confirmation against the extension's 1.0 parser.
 * @param {string=} appId
 * @param {Array<u2f.RegisteredKey>} registeredKeys
 * @param {Array<u2f.RegisterRequest>} registerRequests
 * @param {number} timeoutSeconds
 * @param {number} reqId
 * @return {Object} the message to post to the extension
 * @private
 */
u2f.formatRegisterRequest_ =
  function(appId, registeredKeys, registerRequests, timeoutSeconds, reqId) {
  if (js_api_version === undefined || js_api_version < 1.1) {
    // Adapt request to the 1.0 JS API
    for (var i = 0; i < registerRequests.length; i++) {
      registerRequests[i].appId = appId;
    }
    var signRequests = [];
    for (var i = 0; i < registeredKeys.length; i++) {
      signRequests[i] = {
          version: registeredKeys[i].version,
          challenge: registerRequests[0],
          keyHandle: registeredKeys[i].keyHandle,
          appId: appId
      };
    }
    return {
      type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
      signRequests: signRequests,
      registerRequests: registerRequests,
      timeoutSeconds: timeoutSeconds,
      requestId: reqId
    };
  }
  // JS 1.1 API
  return {
    type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
    appId: appId,
    registerRequests: registerRequests,
    registeredKeys: registeredKeys,
    timeoutSeconds: timeoutSeconds,
    requestId: reqId
  };
};
/**
 * Posts a message on the underlying channel.
 * Forwards the message unchanged to the wrapped chrome.runtime.Port.
 * @param {Object} message
 */
u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) {
  this.port_.postMessage(message);
};
/**
 * Emulates the HTML 5 addEventListener interface. Works only for the
 * onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
 * Any other event name is rejected with a console error and no listener
 * is installed.
 * @param {string} eventName
 * @param {function({data: Object})} handler
 */
u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
    function(eventName, handler) {
  var wanted = eventName.toLowerCase();
  if (wanted !== 'message' && wanted !== 'onmessage') {
    console.error('WrappedChromeRuntimePort only supports onMessage');
    return;
  }
  this.port_.onMessage.addListener(function(message) {
    // Emulate a minimal MessageEvent object
    handler({'data': message});
  });
};
/**
 * Wrap the Authenticator app with a MessagePort interface.
 * Requests leave via an intent URL (see postMessage) and responses come
 * back as window 'message' events (see addEventListener/onRequestUpdate_).
 * @constructor
 * @private
 */
u2f.WrappedAuthenticatorPort_ = function() {
  this.requestId_ = -1;
  this.requestObject_ = null;
};
/**
 * Launch the Authenticator intent.
 * The request is serialized to JSON, percent-encoded and carried in the
 * intent URL's S.request extra; assigning it to document.location hands
 * the request to the Authenticator app.
 * @param {Object} message
 */
u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) {
  var intentUrl =
    u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
    ';S.request=' + encodeURIComponent(JSON.stringify(message)) +
    ';end';
  document.location = intentUrl;
};
/**
 * Tells what type of port this is.
 * getApiVersion uses this to recognise the mobile wrappers and skip the
 * API-version round trip.
 * @return {String} port type
 */
u2f.WrappedAuthenticatorPort_.prototype.getPortType = function() {
  return "WrappedAuthenticatorPort_";
};
/**
 * Emulates the HTML 5 addEventListener interface.
 * Only 'message' is supported: the handler is wired to the window's
 * 'message' event through onRequestUpdate_, which parses the injected
 * response. Each call adds another window listener; nothing in this
 * wrapper removes it.
 * @param {string} eventName
 * @param {function({data: Object})} handler
 */
u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function(eventName, handler) {
  var name = eventName.toLowerCase();
  if (name == 'message') {
    var self = this;
    /* Register a callback to that executes when
     * chrome injects the response. */
    window.addEventListener(
        'message', self.onRequestUpdate_.bind(self, handler), false);
  } else {
    console.error('WrappedAuthenticatorPort only supports message');
  }
};
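/**
 * Callback invoked when a response is received from the Authenticator.
 * The response is a window 'message' event whose data is a JSON string.
 * Its optional 'data' field is itself a JSON string holding the U2F
 * response object, which is passed to the client callback as {data: ...}
 * (null when absent). The envelope also carries 'intentURL' and
 * 'errorCode', which this wrapper does not surface.
 * NOTE(review): there is no event.origin / event.source check, so any
 * window that can post to this one reaches this handler; confirm which
 * origin Chrome uses when injecting the response and filter on it.
 * @param {function({data: Object})} callback
 * @param {Object} message message Object
 * @private
 */
u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
    function(callback, message) {
  // Unrelated postMessage traffic (objects, non-JSON strings) is ignored
  // instead of throwing out of the window event listener.
  if (typeof message.data !== 'string') {
    return;
  }
  var messageObject;
  try {
    messageObject = JSON.parse(message.data);
  } catch (e) {
    console.error('WrappedAuthenticatorPort: response was not valid JSON');
    return;
  }
  if (messageObject === null || typeof messageObject !== 'object') {
    console.error('WrappedAuthenticatorPort: unexpected response shape');
    return;
  }
  var responseObject = null;
  // Own-property check so an inherited 'data' can never be mistaken for
  // a response payload.
  if (Object.prototype.hasOwnProperty.call(messageObject, 'data')) {
    responseObject = /** @type {Object} */ (
        JSON.parse(messageObject['data']));
  }
  callback({'data': responseObject});
};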
/**
 * Base URL for intents to Authenticator.
 * WrappedAuthenticatorPort_.prototype.postMessage appends the serialized
 * request to this as the S.request extra.
 * @const
 * @private
 */
u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
  'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';
/**
 * Wrap the iOS client app with a MessagePort interface.
 * Stateless; requests leave via a u2f:// URL (see postMessage).
 * @constructor
 * @private
 */
u2f.WrappedIosPort_ = function() {};
/**
 * Launch the iOS client app request
 * Serializes the message to JSON and navigates (location.replace, so no
 * history entry) to a u2f://auth URL carrying it as the query.
 * NOTE(review): encodeURI leaves reserved characters such as '#' and '&'
 * unescaped, unlike the encodeURIComponent used for the Android intent
 * URL; a payload containing '#' could be cut off as a fragment by a URL
 * parser. Kept as-is since the iOS app's decoding is not visible here.
 * @param {Object} message
 */
u2f.WrappedIosPort_.prototype.postMessage = function(message) {
  location.replace("u2f://auth?" + encodeURI(JSON.stringify(message)));
};
/**
 * Tells what type of port this is.
 * getApiVersion uses this to recognise the mobile wrappers and skip the
 * API-version round trip.
 * @return {String} port type
 */
u2f.WrappedIosPort_.prototype.getPortType = function() {
  return "WrappedIosPort_";
};
/**
 * Emulates the HTML 5 addEventListener interface.
 * Only 'message' is accepted, and even then the handler is neither stored
 * nor invoked anywhere in this wrapper; responses are not delivered
 * through this port.
 * @param {string} eventName
 * @param {function({data: Object})} handler
 */
u2f.WrappedIosPort_.prototype.addEventListener = function(eventName, handler) {
  var name = eventName.toLowerCase();
  if (name !== 'message') {
    console.error('WrappedIosPort only supports message');
  }
};
/**
 * Sets up an embedded trampoline iframe, sourced from the extension.
 * A hidden iframe is loaded from the extension origin. On load, one end of
 * a fresh MessageChannel is transferred to it with an 'init' message whose
 * targetOrigin is pinned to that extension origin, so the port cannot be
 * delivered to a frame of another origin. The other end is handed to the
 * callback only after the iframe answers 'ready' on the channel.
 * @param {function(MessagePort)} callback
 * @private
 */
u2f.getIframePort_ = function(callback) {
  // Create the iframe
  var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID;
  var iframe = document.createElement('iframe');
  iframe.src = iframeOrigin + '/u2f-comms.html';
  iframe.setAttribute('style', 'display:none');
  document.body.appendChild(iframe);

  var channel = new MessageChannel();
  // One-shot readiness handshake: detach after the first message.
  var ready = function(message) {
    if (message.data == 'ready') {
      channel.port1.removeEventListener('message', ready);
      callback(channel.port1);
    } else {
      console.error('First event on iframe port was not "ready"');
    }
  };
  channel.port1.addEventListener('message', ready);
  channel.port1.start();

  iframe.addEventListener('load', function() {
    // Deliver the port to the iframe and initialize
    iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]);
  });
};
/**
 * Default extension response timeout in seconds.
 * Used by the send*Request functions and getApiVersion when the caller
 * passes no opt_timeoutSeconds.
 * @const
 */
u2f.EXTENSION_TIMEOUT_SEC = 30;
546 * A singleton instance for a MessagePort to the extension.
547 * @type {MessagePort|u2f.WrappedChromeRuntimePort_}
/**
 * Callbacks waiting for a port
 * Filled while the port singleton is being created and drained in order
 * by getPortSingleton_ once it is ready.
 * @type {Array<function((MessagePort|u2f.WrappedChromeRuntimePort_))>}
 * @private
 */
u2f.waitingForPort_ = [];
560 * A counter for requestIds.
/**
 * A map from requestIds to client callbacks
 * Entries are added by the send*Request functions and removed by
 * responseHandler_ when the matching response arrives. This is a plain
 * object, so lookups keyed by a requestId taken from a response should use
 * an own-property check rather than truthiness alone.
 * @type {Object.<number,(function((u2f.Error|u2f.RegisterResponse))
 *                       |function((u2f.Error|u2f.SignResponse)))>}
 * @private
 */
u2f.callbackMap_ = {};
/**
 * Creates or retrieves the MessagePort singleton to use.
 * The first caller triggers getMessagePort; callers arriving while the
 * port is still being set up are queued in waitingForPort_ and drained in
 * order once it is ready. responseHandler_ is attached to the port once.
 * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
 * @private
 */
u2f.getPortSingleton_ = function(callback) {
  if (u2f.port_) {
    callback(u2f.port_);
  } else {
    // Only the first waiter starts port creation; the rest just queue.
    if (u2f.waitingForPort_.length == 0) {
      u2f.getMessagePort(function(port) {
        u2f.port_ = port;
        u2f.port_.addEventListener('message',
            /** @type {function(Event)} */ (u2f.responseHandler_));

        // Careful, here be async callbacks. Maybe.
        while (u2f.waitingForPort_.length)
          u2f.waitingForPort_.shift()(u2f.port_);
      });
    }
    u2f.waitingForPort_.push(callback);
  }
};
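/**
 * Handles response messages from the extension.
 * Looks up the client callback registered under the response's requestId,
 * removes it from callbackMap_ (each request is answered at most once) and
 * invokes it with the response's responseData. Responses without a known
 * requestId are logged and dropped.
 * @param {MessageEvent.<u2f.Response>} message
 * @private
 */
u2f.responseHandler_ = function(message) {
  var response = message.data;
  if (response === null || typeof response !== 'object') {
    console.error('Malformed response from extension.');
    return;
  }
  var reqId = response['requestId'];
  // Own-property check: callbackMap_ is a plain object, so a requestId such
  // as 'constructor' would otherwise resolve through the prototype and be
  // treated as a registered callback.
  if (!reqId || !Object.prototype.hasOwnProperty.call(u2f.callbackMap_, reqId)) {
    console.error('Unknown or missing requestId in response.');
    return;
  }
  var cb = u2f.callbackMap_[reqId];
  delete u2f.callbackMap_[reqId];
  cb(response['responseData']);
};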
/**
 * Dispatches an array of sign requests to available U2F tokens.
 * If the JS API version supported by the extension is unknown, it first sends a
 * message to the extension to find out the supported API version and then it sends
 * the sign request.
 * @param {string=} appId
 * @param {string=} challenge
 * @param {Array<u2f.RegisteredKey>} registeredKeys
 * @param {function((u2f.Error|u2f.SignResponse))} callback
 * @param {number=} opt_timeoutSeconds
 */
u2f.sign = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
  if (js_api_version === undefined) {
    // Send a message to get the extension to JS API version, then send the actual sign request.
    u2f.getApiVersion(
        function (response) {
          // A response without js_api_version (e.g. an error) is treated
          // as version 0, i.e. the 1.0 request format.
          js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version'];
          console.log("Extension JS API Version: ", js_api_version);
          u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
        });
  } else {
    // We know the JS API version. Send the actual sign request in the supported API version.
    u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
  }
};
/**
 * Dispatches an array of sign requests to available U2F tokens.
 * Allocates a new requestId, registers the callback under it so the reply
 * can be matched by responseHandler_, formats the request for the known
 * JS API version and posts it on the shared port.
 * @param {string=} appId
 * @param {string=} challenge
 * @param {Array<u2f.RegisteredKey>} registeredKeys
 * @param {function((u2f.Error|u2f.SignResponse))} callback
 * @param {number=} opt_timeoutSeconds
 */
u2f.sendSignRequest = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
  u2f.getPortSingleton_(function(port) {
    var requestId = ++u2f.reqCounter_;
    // Register before posting so an early reply can still be matched.
    u2f.callbackMap_[requestId] = callback;
    var timeout = u2f.EXTENSION_TIMEOUT_SEC;
    if (opt_timeoutSeconds !== undefined) {
      timeout = opt_timeoutSeconds;
    }
    port.postMessage(
        u2f.formatSignRequest_(appId, challenge, registeredKeys, timeout, requestId));
  });
};
/**
 * Dispatches register requests to available U2F tokens. An array of sign
 * requests identifies already registered tokens.
 * If the JS API version supported by the extension is unknown, it first sends a
 * message to the extension to find out the supported API version and then it sends
 * the register request.
 * @param {string=} appId
 * @param {Array<u2f.RegisterRequest>} registerRequests
 * @param {Array<u2f.RegisteredKey>} registeredKeys
 * @param {function((u2f.Error|u2f.RegisterResponse))} callback
 * @param {number=} opt_timeoutSeconds
 */
u2f.register = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
  if (js_api_version === undefined) {
    // Send a message to get the extension to JS API version, then send the actual register request.
    u2f.getApiVersion(
        function (response) {
          // A response without js_api_version (e.g. an error) is treated
          // as version 0, i.e. the 1.0 request format.
          js_api_version = response['js_api_version'] === undefined ? 0: response['js_api_version'];
          console.log("Extension JS API Version: ", js_api_version);
          u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
              callback, opt_timeoutSeconds);
        });
  } else {
    // We know the JS API version. Send the actual register request in the supported API version.
    u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
        callback, opt_timeoutSeconds);
  }
};
/**
 * Dispatches register requests to available U2F tokens. An array of sign
 * requests identifies already registered tokens.
 * Allocates a new requestId, registers the callback under it so the reply
 * can be matched by responseHandler_, formats the request for the known
 * JS API version and posts it on the shared port.
 * @param {string=} appId
 * @param {Array<u2f.RegisterRequest>} registerRequests
 * @param {Array<u2f.RegisteredKey>} registeredKeys
 * @param {function((u2f.Error|u2f.RegisterResponse))} callback
 * @param {number=} opt_timeoutSeconds
 */
u2f.sendRegisterRequest = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
  u2f.getPortSingleton_(function(port) {
    var requestId = ++u2f.reqCounter_;
    // Register before posting so an early reply can still be matched.
    u2f.callbackMap_[requestId] = callback;
    var timeout = u2f.EXTENSION_TIMEOUT_SEC;
    if (opt_timeoutSeconds !== undefined) {
      timeout = opt_timeoutSeconds;
    }
    var req = u2f.formatRegisterRequest_(
        appId, registeredKeys, registerRequests, timeout, requestId);
    port.postMessage(req);
  });
};
712 * Dispatches a message to the extension to find out the supported
714 * If the user is on a mobile phone and is thus using Google Authenticator instead
715 * of the Chrome extension, don't send the request and simply return 0.
716 * @param {function((u2f.Error|u2f.GetJsApiVersionResponse))} callback
717 * @param {number=} opt_timeoutSeconds
719 u2f
.getApiVersion = function(callback
, opt_timeoutSeconds
) {
720 u2f
.getPortSingleton_(function(port
) {
721 // If we are using Android Google Authenticator or iOS client app,
722 // do not fire an intent to ask which JS API version to use.
723 if (port
.getPortType
) {
725 switch (port
.getPortType()) {
726 case 'WrappedIosPort_':
727 case 'WrappedAuthenticatorPort_':
735 callback({ 'js_api_version': apiVersion
});
738 var reqId
= ++u2f
.reqCounter_
;
739 u2f
.callbackMap_
[reqId
] = callback
;
741 type
: u2f
.MessageTypes
.U2F_GET_API_VERSION_REQUEST
,
742 timeoutSeconds
: (typeof opt_timeoutSeconds
!== 'undefined' ?
743 opt_timeoutSeconds
: u2f
.EXTENSION_TIMEOUT_SEC
),
746 port
.postMessage(req
);