@dfns/sdk-react-native 0.5.10-alpha.3 → 0.6.0-rc.1

package/index.d.ts

@@ -1,11 +1,28 @@
 import { CredentialSigner, CredentialStore, Fido2Assertion, Fido2Attestation, UserActionChallenge, UserRegistrationChallenge } from '@dfns/sdk';
 export declare const DEFAULT_WAIT_TIMEOUT = 60000;
-export type PasskeysOptions = {
+interface PasskeysSignerConf {
+    /**
+     * The relying party identifies your application to users, when users create/use passkeys. (Read more [here](https://www.w3.org/TR/webauthn-2/#relying-party)).
+     * - id: The relying party identifier is a valid domain string identifying the WebAuthn Relying Party.
+     * In other words, its the domain your application is running on, which will be tied to the passkeys that users create.
+     * We advise to use the root domain, not the full domain (eg `acme.com`, not `app.acme.com` nor `foo.app.acme.com`), that way, passkeys created
+     * by your users can be re-used on other subdomains (eg. on `foo.acme.com` and `bar.acme.com`) in the future. Read more [here](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions#rp).
+     * - name: A string representing the name of the relying party (e.g. "Acme"). This is the name the user will be presented with when creating or validating a WebAuthn operation.
+     */
+    relyingParty: {
+        id: string;
+        name: string;
+    };
+    /**
+     * Timeout to use for navigotor.credentials calls. That's the time after which if user did not successfully
+     * select and use his passkey, an error will be thrown by webauthn client. Read more [here](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions#timeout).
+     * */
     timeout?: number;
-};
+}
 export declare class PasskeysSigner implements CredentialSigner<Fido2Assertion>, CredentialStore<Fido2Attestation> {
     private platform;
-    constructor(options?: PasskeysOptions);
+    constructor(conf: PasskeysSignerConf);
     sign(challenge: UserActionChallenge): Promise<Fido2Assertion>;
     create(challenge: UserRegistrationChallenge): Promise<Fido2Attestation>;
 }
+export {};

package/index.js

@@ -15,16 +15,20 @@ const b64UrlSafeToStandard = (urlSafe) => {
 // react-native-passkey is incorrect encoding the credId with standard base64 for
 // some reason. we have to undo that.
 class AndroidPasskeys {
-    constructor(options) {
-        this.options = options;
+    constructor(conf) {
+        this.conf = conf;
+        if (!this.conf?.relyingParty?.id || !this.conf?.relyingParty?.name) {
+            throw new sdk_1.DfnsError(-1, `Relying party ID and name must be specified in the WebauthnSigner initializer`);
+        }
     }
     async sign(challenge) {
+        checkSpecifiedRpIdIsWhitelisted(this.conf.relyingParty.id, challenge.allowedRelyingParties);
         const request = {
             challenge: challenge.challenge,
             allowCredentials: challenge.allowCredentials.webauthn,
-            rpId: challenge.rp.id,
+            rpId: this.conf.relyingParty.id,
             userVerification: challenge.userVerification,
-            timeout: this.options?.timeout ?? exports.DEFAULT_WAIT_TIMEOUT,
+            timeout: this.conf.timeout ?? exports.DEFAULT_WAIT_TIMEOUT,
         };
         const credential = await react_native_passkey_1.Passkey.authenticate(request);
         return {
@@ -39,10 +43,11 @@ class AndroidPasskeys {
         };
     }
     async create(challenge) {
+        checkSpecifiedRpIdIsWhitelisted(this.conf.relyingParty.id, challenge.allowedRelyingParties);
         const request = {
             challenge: challenge.challenge,
             pubKeyCredParams: challenge.pubKeyCredParams,
-            rp: challenge.rp,
+            rp: this.conf.relyingParty,
             user: {
                 displayName: challenge.user.displayName,
                 id: (0, utils_1.toBase64Url)(challenge.user.id),
@@ -54,7 +59,7 @@ class AndroidPasskeys {
                 type: v.type,
             })),
             authenticatorSelection: challenge.authenticatorSelection,
-            timeout: this.options?.timeout ?? exports.DEFAULT_WAIT_TIMEOUT,
+            timeout: this.conf.timeout ?? exports.DEFAULT_WAIT_TIMEOUT,
         };
         const result = await react_native_passkey_1.Passkey.register(request);
         return {
@@ -71,19 +76,23 @@ class AndroidPasskeys {
 // are standard base64 encoded instead of base64url encoded. we have to convert the
 // encoding in both directions.
 class iOSPasskeys {
-    constructor(options) {
-        this.options = options;
+    constructor(conf) {
+        this.conf = conf;
+        if (!this.conf?.relyingParty?.id || !this.conf?.relyingParty?.name) {
+            throw new sdk_1.DfnsError(-1, `Relying party ID and name must be specified in the WebauthnSigner initializer`);
+        }
     }
     async sign(challenge) {
+        checkSpecifiedRpIdIsWhitelisted(this.conf.relyingParty.id, challenge.allowedRelyingParties);
         const request = {
             challenge: b64UrlSafeToStandard(challenge.challenge),
             allowCredentials: challenge.allowCredentials.webauthn.map(({ id, type }) => ({
                 id: b64UrlSafeToStandard(id),
                 type,
             })),
-            rpId: challenge.rp.id,
+            rpId: this.conf.relyingParty.id,
             userVerification: 'preferred',
-            timeout: this.options?.timeout ?? exports.DEFAULT_WAIT_TIMEOUT,
+            timeout: this.conf.timeout ?? exports.DEFAULT_WAIT_TIMEOUT,
         };
         const credential = await react_native_passkey_1.Passkey.authenticate(request);
         return {
@@ -98,10 +107,11 @@ class iOSPasskeys {
         };
     }
     async create(challenge) {
+        checkSpecifiedRpIdIsWhitelisted(this.conf.relyingParty.id, challenge.allowedRelyingParties);
         const request = {
             challenge: b64UrlSafeToStandard(challenge.challenge),
             pubKeyCredParams: challenge.pubKeyCredParams,
-            rp: challenge.rp,
+            rp: this.conf.relyingParty,
             user: {
                 displayName: challenge.user.displayName,
                 id: (0, utils_1.toBase64Url)(challenge.user.id),
@@ -113,7 +123,7 @@ class iOSPasskeys {
                 type,
             })),
             authenticatorSelection: challenge.authenticatorSelection,
-            timeout: this.options?.timeout ?? exports.DEFAULT_WAIT_TIMEOUT,
+            timeout: this.conf.timeout ?? exports.DEFAULT_WAIT_TIMEOUT,
         };
         const result = await react_native_passkey_1.Passkey.register(request);
         return {
@@ -127,13 +137,13 @@ class iOSPasskeys {
     }
 }
 class PasskeysSigner {
-    constructor(options) {
+    constructor(conf) {
         switch (react_native_1.Platform.OS) {
             case 'android':
-                this.platform = new AndroidPasskeys(options);
+                this.platform = new AndroidPasskeys(conf);
                 break;
             case 'ios':
-                this.platform = new iOSPasskeys(options);
+                this.platform = new iOSPasskeys(conf);
                 break;
             default:
                 throw new sdk_1.DfnsError(-1, `${react_native_1.Platform.OS} is not supported`);
@@ -147,3 +157,8 @@ class PasskeysSigner {
     }
 }
 exports.PasskeysSigner = PasskeysSigner;
+const checkSpecifiedRpIdIsWhitelisted = (rpId, allowedRpIds) => {
+    if (!allowedRpIds.includes(rpId)) {
+        throw new sdk_1.DfnsError(-1, `The specified relying party id is not whitelisted in the Dfns organisation. Ask your Dfns admin to whitelist rpId "${rpId}" first, or use a whitelisted one: (${allowedRpIds.join(', ')})`);
+    }
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dfns/sdk-react-native",
-  "version": "0.5.10-alpha.3",
+  "version": "0.6.0-rc.1",
   "dependencies": {
     "buffer": "6.0.3",
     "cross-fetch": "3.1.6",
@@ -9,7 +9,7 @@
     "uuid": "9.0.0"
   },
   "peerDependencies": {
-    "@dfns/sdk": "0.5.10-alpha.3"
+    "@dfns/sdk": "0.6.0-rc.1"
   },
   "main": "./index.js",
   "type": "commonjs"