前端成长记录

English

中文
日本語
繁體中文(台)
繁體中文(港)

English

中文
日本語
繁體中文(台)
繁體中文(港)

Dark Mode

⚠️ This article was written in 2022. Some content may be outdated.

WebAuthn Passkeys: Passwordless Authentication

·1 min read·189 字·Frontend

We recently implemented WebAuthn Passkeys 无密码认证, and accumulated quite a bit of experience. Here's a summary for reference, hoping it helps those doing similar work.

Core Concepts

The key lies in understanding the core logic:

javascript
function setCSP(req, res, next) {
  const nonce = crypto.randomBytes(16).toString('base64')
  res.setHeader('Content-Security-Policy', [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
    "connect-src 'self' https://api.example.com",
    "frame-ancestors 'none'"
  ].join('; '))
  next()
}

Performance optimization should be tailored to specific scenarios; not all cases require over-optimization.

In-Depth Analysis

We can improve it in the following ways:

javascript
function setCSP(req, res, next) {
  const nonce = crypto.randomBytes(16).toString('base64')
  res.setHeader('Content-Security-Policy', [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
    "connect-src 'self' https://api.example.com",
    "frame-ancestors 'none'"
  ].join('; '))
  next()
}

This approach has been running stably in production for over six months and has been practically validated.

Implementation Experience

Let's start with the basic implementation:

javascript
function setCSP(req, res, next) {
  const nonce = crypto.randomBytes(16).toString('base64')
  res.setHeader('Content-Security-Policy', [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
    "connect-src 'self' https://api.example.com",
    "frame-ancestors 'none'"
  ].join('; '))
  next()
}

This code demonstrates the basic usage. In real projects, you also need to consider error handling and edge cases.

Optimization Strategies

Building on this foundation, we can further optimize:

javascript
function setCSP(req, res, next) {
  const nonce = crypto.randomBytes(16).toString('base64')
  res.setHeader('Content-Security-Policy', [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
    "connect-src 'self' https://api.example.com",
    "frame-ancestors 'none'"
  ].join('; '))
  next()
}

This pattern is very practical in large projects and can significantly reduce maintenance costs.

Summary

  • Stay updated with the community; technical solutions need continuous iteration
  • Don't adopt new technology just for the sake of it
  • Code examples are for reference only and need to be adjusted according to your business scenario
  • WebAuthn Passkeys 无密码认证 is not a silver bullet; choose based on your project scale and tech stack

MIT Licensed

前端成长记录 2018 - 2026