So I am tasked with having a user either sign in with a username/password combination or they can sign on with their CAC card. I know that I will need to use a card reader to do so but I am completely lost on what to do. I have not been able to find a way to use a card reader from the browser for a CAC card sign in.
What response will I get from scanning a CAC card? Will I be able to at least get an ID from it to associate it with a user account?
If you are creating a web app, which it seems like you are, it will be basic client certificate authentication. The fact that the client certificate required is coming from the CAC card doesn't change much for the server.
There are quite a few node packages that can implement client certificate authentication. Here is one of them for instance. I would initially let the user(s) login via username/password authentication, then present them with a page that will link their CAC card to their user. You can also just implement the authentication with the CAC card without linking a user and card.
You can use the PCSC smartcard package to read the actual card, which can be found here. Please bear in mind that you will also need the correct CA certificates loaded on the PC to be able to verify the trust of the certificates. If this app is for a government customer, make sure you work closely with their security team to make sure you meet all their requirements.