Draft: Browser client (PoC) #20

Open
wants to merge 1 commit into
base: refactor-new-plugin-api

olastor
Owner

@olastor olastor commented Oct 6, 2024

see #18

Uncleaned proof-of-concept for having a browser-compatible plugin version. Supports generation of four types of credentials (symmetric, symmetric with separate identity, asymmetric, asymmetric with separate identity) and encryption/decryption, but with a new format (so old recipients/identities can't be used).

⚠️ use only for testing purposes!

test

cd web/
pnpm i
pnpm run dev
# go to http://localhost:5173/

Notes

  • Two new format versions had to be introduced (3: symmetric, 4: asymmetric) for this, which would also need to be implemented in the golang code; the old format doesn't work in the browser out of the box. Reasons:
    • The WebAuthn PRF extension adds a fixed context string to the salt.
    • The relying party ID needs to be customizable and needs to be included as information either in the stanza or the identity.
  • The PIN flag must always be true in the browser. The WebAuthn spec seems to always require UV here. Not yet tested if a token without a set PIN works.
  • The recipient/identity is always bound to one specific origin. That means if you'd run this web app on "example.com", then in the browser you could never use the generated recipient/identity on "localhost" or any other domain. This is because the JS code can only use credentials for the current origin. For the CLI, this doesn't matter, though.
  • The typage package doesn't support plugins, so I had to create a custom version that does.
  • The main plugin code is in src/util/plugin.ts.

Considerations for the future

  • Maybe there's a way to bundle this into the plugin binary and add a --browser flag that spawns a temporary server on localhost and opens the browser interface.
  • The golang plugin code would need to be changed for the new format versions.
  • There is no plugin support in the typage package yet. This small project might need to wait until there's an official implementation for that.
  • The plugin code could be published as an npm package.

@olastor olastor self-assigned this Oct 6, 2024
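
Added example, not code from this pull request: a Node.js simulation of the salt handling mentioned in the notes, showing why a salt stored for raw CTAP2 hmac-secret yields a different secret through the browser's WebAuthn PRF extension, and how a CLI can reproduce the browser result. The authenticator is replaced by a plain HMAC over a constructed `credRandom`; the function names and the "CLI passes the salt unchanged" behaviour are assumptions for illustration.

```javascript
// Added example: simulates both derivation paths offline (no token needed).
const { createHash, createHmac } = require('node:crypto');

// Fixed context the WebAuthn PRF extension puts in front of the caller's input:
// salt = SHA-256("WebAuthn PRF" || 0x00 || input)   (WebAuthn Level 3)
const PRF_CONTEXT = Buffer.concat([Buffer.from('WebAuthn PRF', 'utf8'), Buffer.from([0x00])]);

// What the browser computes from prf.eval.first before talking to the token.
function prfSaltFromInput(input) {
  return createHash('sha256').update(PRF_CONTEXT).update(input).digest();
}

// Stand-in for the authenticator: HMAC-SHA-256(CredRandom, salt), 32-byte salt only.
function hmacSecret(credRandom, salt) {
  if (salt.length !== 32) throw new Error('hmac-secret salt must be 32 bytes');
  return createHmac('sha256', credRandom).update(salt).digest();
}

// Assumed CLI path: the stored 32-byte salt reaches the token unchanged.
function deriveViaCli(credRandom, storedSalt) {
  return hmacSecret(credRandom, storedSalt);
}

// Browser path: the page controls only the PRF input, never the raw salt.
function deriveViaBrowser(credRandom, prfInput) {
  return hmacSecret(credRandom, prfSaltFromInput(prfInput));
}

// A CLI that wants browser-compatible secrets applies the same hash itself.
function deriveViaCliBrowserCompat(credRandom, prfInput) {
  return deriveViaCli(credRandom, prfSaltFromInput(prfInput));
}

function demo() {
  const credRandom = Buffer.alloc(32, 0x11); // constructed per-credential secret
  const storedSalt = Buffer.alloc(32, 0x22); // constructed salt from a stanza
  const browser = deriveViaBrowser(credRandom, storedSalt);
  return {
    // Same stored salt, raw hmac-secret vs. PRF: the secrets differ.
    legacyMatches: deriveViaCli(credRandom, storedSalt).equals(browser),
    // Hashing with the PRF context on the CLI side makes them agree.
    compatMatches: deriveViaCliBrowserCompat(credRandom, storedSalt).equals(browser),
  };
}

console.log(demo());
```

No choice of PRF input in the browser can reproduce a secret derived from an arbitrary raw salt, because that would require inverting SHA-256; the compatibility has to come from the CLI side adopting the hashed form.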