@dfns/sdk 0.1.0-alpha.1

package/codegen/datamodel/Auth/types.d.ts

@@ -0,0 +1,610 @@
+import { Email, EntityId, IntegerPositiveStrict, IsoDatetime, Username } from '../Foundations';
+export type Application = {
+    appId: EntityId;
+    apiToken?: Jwt;
+};
+export type GenericSuccessMessage = {
+    message: string;
+};
+export type UserRegistration = {
+    credential: UserCredentialInformation;
+    user: UserRegistrationInformation;
+};
+export type UserRegistrationChallenge = {
+    temporaryAuthenticationToken: Jwt;
+    rp: RelyingParty;
+    user: AuthenticationUserInformation;
+    supportedCredentialKinds: SupportedCredentialKinds;
+    otpUrl: string;
+    challenge: string;
+    authenticatorSelection: AuthenticatorSelection;
+    attestation: AuthenticatorAttestationOptions;
+    pubKeyCredParams: PubKeyCredParams[];
+    excludeCredentials: AllowCredential[];
+};
+export type UserLoginChallenge = {
+    supportedCredentialKinds: SupportedCredentials[];
+    challenge: string;
+    challengeIdentifier: Jwt;
+    externalAuthenticationUrl: string;
+    allowCredentials: AllowCredentials;
+};
+export type UserLogin = {
+    token: Jwt;
+};
+export type UserActionSignature = {
+    userAction: string;
+};
+export type AccessTokenInfoWithPublicKey = {
+    accessToken?: Jwt;
+    dateCreated: IsoDatetime;
+    credId: string;
+    isActive: boolean;
+    kind: AccessTokenKind;
+    linkedUserId: EntityId;
+    linkedAppId: string;
+    name: string;
+    orgId: EntityId;
+    permissionAssignments: PermissionAssignmentInfo[];
+    publicKey: string;
+    tokenId: EntityId;
+};
+export type UserInfo = {
+    username: string;
+    userId: EntityId;
+    kind: UserAuthKind;
+    credentialUuid: EntityId;
+    orgId: EntityId;
+    permissions?: string[];
+    scopes?: string[];
+    isActive: boolean;
+    isServiceAccount: boolean;
+    isRegistered: boolean;
+    permissionAssignments: PermissionAssignmentInfo[];
+};
+export type UserAccessTokenInformation = {
+    userInfo: UserInfo;
+    accessTokens: AccessTokenInfoWithPublicKey[];
+};
+export type AppInfoWithPublicKey = {
+    appId: EntityId;
+    kind: ApplicationKind;
+    orgId: EntityId;
+    expectedRpId: string;
+    name: string;
+    isActive: boolean;
+    expectedOrigin: string;
+    permissionAssignments: PermissionAssignmentInfo[];
+    accessTokens: AccessTokenInfoWithPublicKey[];
+};
+export type CredentialInfo = {
+    credentialId: string;
+    credentialUuid: EntityId;
+    dateCreated: IsoDatetime;
+    isActive: boolean;
+    kind: CredentialKind;
+    name: string;
+    publicKey?: string;
+    relyingPartyId: string;
+    origin: string;
+};
+export type AvailableOrg = {
+    /**
+     * The ID of the organization.
+     */
+    orgId: EntityId;
+    /**
+     * The ID of an application that can be used to log into the given org.
+     */
+    appId: EntityId;
+};
+export type UserRecoveryChallenge = {
+    temporaryAuthenticationToken: Jwt;
+    rp: RelyingParty;
+    user: AuthenticationUserInformation;
+    supportedCredentialKinds: SupportedCredentialKinds;
+    otpUrl: string;
+    challenge: string;
+    authenticatorSelection: AuthenticatorSelection;
+    attestation: AuthenticatorAttestationOptions;
+    pubKeyCredParams: PubKeyCredParams[];
+    excludeCredentials: AllowCredential[];
+    allowedRecoveryCredentials: AllowRecoveryCredential[];
+};
+export type UserRegistrationBase = {
+    temporaryAuthenticationToken: Jwt;
+    rp: RelyingParty;
+    user: AuthenticationUserInformation;
+};
+export type Fido2Options = {
+    temporaryAuthenticationToken: Jwt;
+    rp: RelyingParty;
+    user: AuthenticationUserInformation;
+    kind: CredentialKind.Fido2;
+    challenge: string;
+    excludeCredentials: ExcludeCredentials[];
+    authenticatorSelection: AuthenticatorSelection;
+    /**
+     * Tells the authenticator that it needs to identify itself to the server, so that the server can verify the device is secure.
+     *
+     * none: Tells the authenticator that it does not need to provide an attestation document.
+     *
+     * indirect: Tells the authenticator, that it needs to provide attestation information, but it doesn't need to provide any identifying information about the device.
+     *
+     * direct: Tells the authenticator, that it needs to provide attestation information, including information to identify the device.
+     *
+     * enterprise: Tells the authenticator, that it should use enterprise certificates configured on the device for the credentials. For example, smart cards can be supported on Fido2 devices if an enterprise certificate is registered on the device.
+     */
+    attestation: AuthenticatorAttestationOptions;
+    pubKeyCredParams: PubKeyCredParams[];
+};
+export type PublicKeyOptions = {
+    temporaryAuthenticationToken: Jwt;
+    rp: RelyingParty;
+    user: AuthenticationUserInformation;
+    kind: CredentialKind.Key;
+    challenge: string;
+    pubKeyCredParams: PubKeyCredParams[];
+    attestation: AuthenticatorAttestationOptions;
+};
+export type AllowCredential = {
+    /**
+     * Must be 'public-key'
+     */
+    type: string;
+    id: string;
+    transports?: string;
+};
+export type RelyingParty = {
+    id: string;
+    name: string;
+};
+export type AuthenticationUserInformation = {
+    id: EntityId;
+    displayName: string;
+    name: string;
+};
+export type PubKeyCredParams = {
+    /**
+     * Must be 'public-key'
+     */
+    type: string;
+    alg: number;
+};
+export type AuthenticatorSelection = {
+    /**
+     * If not given, any authenticator type can be used.
+     *
+     * platform: Authenticator must be built into the system. For example, Windows Hello or Apple Touch ID use a TPM that are integrated into the system.
+     *
+     * cross-platform: Authenticator must be able to move between systems. For example, a yubikey is a USB device that can be plugged into any system.
+     */
+    authenticatorAttachment?: string;
+    /**
+     * discouraged: This tells the authenticator to not use resident keys.
+     *
+     * preferred: This tells the authenticator that resident keys should be used if available.
+     *
+     * required: This tells the authenticator that a resident key is required.
+     */
+    residentKey: AuthenticatorRequirementOptions;
+    requireResidentKey: boolean;
+    /**
+     * Required: Tells the authenticator that the user needs to verify they are in possession of the authenticator device. This usually means the user is prompted for a pin, passcode, or to complete a biometric challenge.
+     *
+     * Preferred: Tells the authenticator that the user should be asked to verify they are in possession of the authenticator device. This usually means the user is prompted for a pin, passcode, or to complete a biometric challenge.
+     * If the user has recently verified their possession the device may choose not to ask the user to verify again.
+     *
+     * Discouraged: Tells the authenticator that the user should not be prompted for possession. This is generally only used when WebAuthn is a second factor.
+     */
+    userVerification: AuthenticatorRequirementOptions;
+};
+export type ExcludeCredentials = {
+    /**
+     * Must be 'public-key'
+     */
+    type: string;
+    id: string;
+    transports: FidoCredentialsTransportKind;
+};
+export type UserCredentialInformation = {
+    uuid: EntityId;
+    kind: CredentialKind;
+    name: string;
+};
+export type UserRegistrationInformation = {
+    id: EntityId;
+    username: string;
+    orgId: EntityId;
+};
+export type AuthenticateUserPasswordInput = {
+    kind: CredentialKind.Password;
+    password: string;
+};
+export type AuthenticateUserFido2Input = {
+    kind: CredentialKind.Fido2;
+    credentialAssertion: Fido2CredentialAssertion;
+};
+export type Fido2CredentialAssertion = {
+    credId: string;
+    clientData: string;
+    authenticatorData: string;
+    signature: string;
+    userHandle: string;
+};
+export type KeyCredentialAssertion = {
+    credId: string;
+    clientData: string;
+    signature: string;
+};
+export type AuthenticateUserKeyInput = {
+    kind: CredentialKind.Key;
+    credentialAssertion: KeyCredentialAssertion;
+};
+export type SupportedCredentialKinds = {
+    firstFactor: CredentialKind[];
+    secondFactor: CredentialKind[];
+};
+export type RegistrationConfirmationFido2 = {
+    credentialKind: CredentialKind.Fido2;
+    credentialInfo: CredentialAssertion;
+};
+export type RegistrationConfirmationKey = {
+    credentialKind: CredentialKind.Key;
+    credentialInfo: CredentialAssertion;
+};
+export type RegistrationConfirmationRecoveryKey = {
+    encryptedPrivateKey?: string;
+    credentialInfo: CredentialAssertion;
+    credentialKind: CredentialKind.RecoveryKey;
+};
+export type CredentialAssertion = {
+    credId: string;
+    clientData: string;
+    attestationData: string;
+};
+export type RegistrationConfirmationPassword = {
+    credentialKind: CredentialKind.Password;
+    credentialInfo: PasswordCredentialInformation;
+};
+export type PasswordCredentialInformation = {
+    password: string;
+};
+export type RegistrationConfirmationTotp = {
+    credentialKind: CredentialKind.Totp;
+    credentialInfo: TotpCredentialInformation;
+};
+export type TotpCredentialInformation = {
+    otpCode: string;
+};
+export type AllowCredentials = {
+    webauthn: AllowCredential[];
+    key: AllowCredential[];
+};
+export type SupportedCredentials = {
+    kind: CredentialKind;
+    factor: CredentialFactor;
+    requiresSecondFactor: boolean;
+};
+export type AuthenticateUserTotpInput = {
+    kind: CredentialKind.Totp;
+    otpCode: string;
+};
+export type TotpCredential = {
+    temporaryAuthenticationToken: Jwt;
+    rp: RelyingParty;
+    user: AuthenticationUserInformation;
+    kind: CredentialKind.Totp;
+    otpUrl: string;
+};
+export type PasswordCredential = {
+    temporaryAuthenticationToken: Jwt;
+    rp: RelyingParty;
+    user: AuthenticationUserInformation;
+    kind: CredentialKind.Password;
+};
+export type CreateUserCredentialInputBase = {
+    challengeIdentifier: Jwt;
+    credentialName: string;
+};
+export type CreateUserCredentialTotpInput = {
+    challengeIdentifier: Jwt;
+    credentialName: string;
+    credentialKind: CredentialKind.Totp;
+    credentialInfo: TotpCredentialInformation;
+};
+export type CreateUserCredentialPasswordInput = {
+    credentialKind: CredentialKind.Password;
+    credentialInfo: PasswordCredentialInformation;
+    challengeIdentifier: Jwt;
+    credentialName: string;
+};
+export type CreateUserCredentialPublicKeyInput = {
+    challengeIdentifier: Jwt;
+    credentialName: string;
+    credentialKind: CredentialKind.Key;
+    credentialInfo: CredentialAssertion;
+};
+export type CreateUserCredentialFido2Input = {
+    credentialKind: CredentialKind.Fido2;
+    credentialInfo: CredentialAssertion;
+    challengeIdentifier: Jwt;
+    credentialName: string;
+};
+export type HttpRequestInformation = {
+    method: string;
+    scheme: string;
+    authority: string;
+    path: string;
+};
+export type LegacyAuthAttestation = {
+    token: Jwt;
+    decodedToken: DecodedJwt;
+    authIdentity: AuthIdentity;
+};
+export type OrgEmployeeIdentity = {
+    kind: AuthIdentityKind.OrgEmployeeIdentity;
+    orgId: EntityId;
+    employeeId: EntityId;
+    username: Username;
+    scope: string;
+    permissions: string[];
+};
+export type OrgApiKeyIdentity = {
+    kind: AuthIdentityKind.OrgApiKeyIdentity;
+    orgId: EntityId;
+    apiKeyId: EntityId;
+    scope: string;
+    permissions: string[];
+};
+export type DfnsStaffIdentity = {
+    kind: AuthIdentityKind.DfnsStaffIdentity;
+    orgId: EntityId;
+    employeeId: EntityId;
+    username: Username;
+    scope: string;
+    permissions: string[];
+};
+export type DfnsServiceIdentity = {
+    kind: AuthIdentityKind.DfnsService;
+    serviceName: string;
+};
+export type AuthV2SignedAuthAttestation = {
+    authBlock: AuthBlock;
+};
+export type JwtHeader = {
+    alg?: string;
+    b64?: boolean;
+    kid?: string;
+    typ?: string;
+};
+export type DecodedJwt = {
+    payload: JwtPayload;
+    header: JwtHeader;
+};
+export type AuthBlock = {
+    request: Jwt;
+    auth: Jwt;
+};
+export type CreateUserCredentialRecoveryKeyInput = {
+    encryptedPrivateKey?: string;
+    credentialInfo: CredentialAssertion;
+    credentialKind: CredentialKind.RecoveryKey;
+    challengeIdentifier: Jwt;
+    credentialName: string;
+};
+export type PermissionAssignmentInfo = {
+    permissionName: string;
+    permissionId: EntityId;
+    assignmentId: EntityId;
+    operations?: string[];
+};
+export type AllowRecoveryCredential = {
+    id: string;
+    encryptedRecoveryKey: string;
+};
+export type RecoverUserInput = {
+    kind: CredentialKind.RecoveryKey;
+    credentialAssertion: KeyCredentialAssertion;
+};
+export type UserRecoveryCredentials = {
+    firstFactorCredential: RegistrationFirstFactor;
+    secondFactorCredential?: RegistrationSecondFactor;
+    recoveryCredential?: RegistrationConfirmationRecoveryKey;
+};
+export type Jwt = string;
+export type JwtPayload = Record<string, unknown>;
+export type CreateUserActionSignatureChallengeInput = {
+    /**
+     * Human readable explanation of the activity, so that person can understand what is being signed.
+     */
+    userActionPayload: string;
+    userActionHttpMethod: string;
+    userActionHttpPath: string;
+    userActionServerKind?: ServerKind;
+};
+export type CreateDelegatedUserLoginInput = {
+    username: string;
+};
+export type CreateUserInput = {
+    email: string;
+    kind: UserAuthKind;
+    publicKey?: string;
+    externalId?: string;
+};
+export type CreateUserRegistrationChallengeInput = {
+    username: string;
+    registrationCode: string;
+    orgId: EntityId;
+};
+export type CreateUserRegistrationInput = {
+    firstFactorCredential: RegistrationFirstFactor;
+    secondFactorCredential?: RegistrationSecondFactor;
+    recoveryCredential?: RegistrationConfirmationRecoveryKey;
+};
+export type CreateUserLoginChallengeInput = {
+    username: string;
+    orgId: EntityId;
+};
+export type CreateUserLoginInput = {
+    challengeIdentifier: Jwt;
+    firstFactor: AuthenticateUserFirstFactor;
+    secondFactor?: AuthenticateUserSecondFactor;
+};
+export type CreateUserCredentialChallengeInput = {
+    kind: CredentialKind;
+};
+export type ActivateCredentialInput = {
+    credentialUuid: EntityId;
+};
+export type CreateSignedAuthAttestationInput = {
+    body?: string;
+    headers: Record<string, string>;
+    isBase64Encoded: boolean;
+    http: HttpRequestInformation;
+};
+export type CreateCodeLoginChallengeInput = {
+    code: string;
+};
+export type CreateUserLoginFromCodeInput = {
+    challengeIdentifier: Jwt;
+};
+export type CreateOrgOwnerInput = {
+    email: Email;
+    publicKey?: string;
+    orgId: EntityId;
+    authBlock: AuthBlock;
+};
+export type CreateAvailableOrgListInput = {
+    /**
+     * The username of the user that is logging into the system.
+     */
+    username: Username;
+    /**
+     * If specified, the API will return only the matching application for the given org ID. This would be used when the user has already given the org they want to log into, but the caller doesn't know the Auth V2 Application ID to use.
+     */
+    orgId?: EntityId;
+    /**
+     * A list of permission names that the caller will be using in their application.
+     *
+     * If the list is not empty, the API will attempt to find an Auth V2 Application that has the majority of the permissions provided.
+     *
+     * If the list is empty or not provided, the API will select the Auth V2 Application with the largest set of permissions.
+     */
+    permissions?: string[];
+    /**
+     * The origin (scheme, hostname, and port) of the server where the request is originating. For example: https://dashboard.dfns.io
+     *
+     * The API will only return orgs that have a Auth V2 Application with a matching origin.
+     */
+    origin: string;
+};
+export type CreateAccessTokenInput = {
+    daysValid?: IntegerPositiveStrict;
+    name: string;
+    permissionId?: EntityId;
+    publicKey: string;
+    externalId?: string;
+};
+export type UpdateAccessTokenInput = {
+    name?: string;
+    externalId?: string;
+};
+export type UpdateUserInput = {
+    externalId?: string;
+    publicKey?: string;
+};
+export type UpdateApplicationInput = {
+    externalId?: string;
+    name?: string;
+};
+export type CreateApplicationInput = {
+    name: string;
+    relyingPartyId: string;
+    origin: string;
+    permissionId?: EntityId;
+    kind: ApplicationKind;
+    daysValid?: IntegerPositiveStrict;
+    publicKey?: string;
+    externalId?: string;
+};
+export type CreateUserRecoveryInput = {
+    recovery: RecoverUserInput;
+    newCredentials: UserRecoveryCredentials;
+};
+export type CreateUserRecoveryChallengeInput = {
+    username: string;
+    verificationCode: string;
+    orgId: EntityId;
+    credentialId: string;
+};
+export type CreateUserCredentialInput = CreateUserCredentialTotpInput | CreateUserCredentialPasswordInput | CreateUserCredentialPublicKeyInput | CreateUserCredentialFido2Input | CreateUserCredentialRecoveryKeyInput;
+export type UserCredentialChallenge = Fido2Options | PublicKeyOptions | TotpCredential | PasswordCredential;
+export type SignedAuthAttestation = LegacyAuthAttestation | AuthV2SignedAuthAttestation;
+export type RegistrationFirstFactor = RegistrationConfirmationFido2 | RegistrationConfirmationKey | RegistrationConfirmationPassword;
+export type RegistrationSecondFactor = RegistrationConfirmationFido2 | RegistrationConfirmationKey | RegistrationConfirmationTotp;
+export type AuthenticateUserFirstFactor = AuthenticateUserPasswordInput | AuthenticateUserFido2Input | AuthenticateUserKeyInput;
+export type AuthenticateUserSecondFactor = AuthenticateUserFido2Input | AuthenticateUserKeyInput | AuthenticateUserTotpInput;
+export type AuthIdentity = OrgEmployeeIdentity | OrgApiKeyIdentity | DfnsStaffIdentity | DfnsServiceIdentity;
+export declare enum CredentialKind {
+    Fido2 = "Fido2",
+    Key = "Key",
+    Password = "Password",
+    Totp = "Totp",
+    RecoveryKey = "RecoveryKey"
+}
+export declare enum UserKind {
+    CustomerEmployee = "CustomerEmployee",
+    DfnsStaff = "DfnsStaff",
+    EndUser = "EndUser",
+    Pat = "Pat",
+    Application = "Application",
+    ServiceAccount = "ServiceAccount"
+}
+export declare enum AuthenticatorRequirementOptions {
+    required = "required",
+    preferred = "preferred",
+    discouraged = "discouraged"
+}
+export declare enum AuthenticatorAttestationOptions {
+    none = "none",
+    indirect = "indirect",
+    direct = "direct",
+    enterprise = "enterprise"
+}
+export declare enum ApplicationKind {
+    ServerSideApplication = "ServerSideApplication",
+    ClientSideApplication = "ClientSideApplication"
+}
+export declare enum FidoCredentialsTransportKind {
+    usb = "usb",
+    nfc = "nfc",
+    ble = "ble",
+    internal = "internal",
+    hybrid = "hybrid"
+}
+export declare enum CredentialFactor {
+    first = "first",
+    second = "second",
+    either = "either"
+}
+export declare enum ServerKind {
+    Api = "Api",
+    Staff = "Staff"
+}
+export declare enum AccessTokenKind {
+    ServiceAccount = "ServiceAccount",
+    Pat = "Pat",
+    Application = "Application"
+}
+export declare enum UserAuthKind {
+    EndUser = "EndUser",
+    CustomerEmployee = "CustomerEmployee",
+    DfnsStaff = "DfnsStaff"
+}
+export declare enum AuthIdentityKind {
+    DfnsStaffIdentity = "DfnsStaffIdentity",
+    OrgEmployeeIdentity = "OrgEmployeeIdentity",
+    OrgApiKeyIdentity = "OrgApiKeyIdentity",
+    DfnsService = "DfnsService"
+}