Overall I'm hopeful that people will actually put the (relatively little) work in to actually deliver WebAuthn on more web sites because it has both better security and a nicer UX flow. Win win. But, as to this particular article:
The code snippet elides two really important values: userIdBuffer and challengeBuffer. I get why - they're complicated and not very exciting to the intended audience. But they're also vitally important, so I think it would have been worth putting it non-zero effort.
userIdBuffer needs to be some sort of unchanging unique identifier for the user. Probably pick suitably large random values in an indexed table or something. It might be tempting to stick the row ID from your user table or similar in here, but that's actually a bad idea you'll likely regret.
challengeBuffer needs to be actual random bytes. Hey, the Javascript interpreter has... No. The random bytes need to be chosen fresh by the backend server where you're authenticating users. And they must be actual cryptographic quality randomness, not a Mersenne Twister from your utility library.
The code snippet elides two really important values: userIdBuffer and challengeBuffer. I get why - they're complicated and not very exciting to the intended audience. But they're also vitally important, so I think it would have been worth putting it non-zero effort.
userIdBuffer needs to be some sort of unchanging unique identifier for the user. Probably pick suitably large random values in an indexed table or something. It might be tempting to stick the row ID from your user table or similar in here, but that's actually a bad idea you'll likely regret.
challengeBuffer needs to be actual random bytes. Hey, the Javascript interpreter has... No. The random bytes need to be chosen fresh by the backend server where you're authenticating users. And they must be actual cryptographic quality randomness, not a Mersenne Twister from your utility library.