@erwininteractive/mvc 0.3.8 → 0.4.2

package/README.md

@@ -9,6 +9,7 @@ A lightweight, full-featured MVC framework for Node.js 20+ built with TypeScript
 - **Optional Database** - Add Prisma + PostgreSQL when you need it
 - **Optional Redis Sessions** - Scalable session management
 - **JWT Authentication** - Secure token-based auth with bcrypt password hashing
+- **WebAuthn (Passkeys)** - Passwordless authentication with security keys (YubiKey, Touch ID, Face ID)
 - **CLI Tools** - Scaffold apps and generate models/controllers
 
 ## Quick Start
@@ -280,6 +281,45 @@ app.get("/protected", authenticate, (req, res) => {
 
 ---
 
+### WebAuthn (Passkeys)
+
+Passwordless authentication with security keys:
+
+```bash
+npx erwinmvc webauthn
+```
+
+This generates:
+- `src/controllers/WebAuthnController.ts` - Registration and login handlers
+- `src/views/webauthn/` - EJS views for register/login pages
+- Prisma `WebAuthnCredential` model for storing security key data
+
+```typescript
+import {
+  startRegistration,
+  completeRegistration,
+  startAuthentication,
+  completeAuthentication,
+  getRPConfig,
+} from "@erwininteractive/mvc";
+
+const { rpID, rpName } = getRPConfig();
+
+const options = await startRegistration(req, res);
+await completeRegistration(req, res);
+
+const options = await startAuthentication(req, res);
+await completeAuthentication(req, res);
+```
+
+Environment variables:
+- `WEBAUTHN_RP_ID` - Your domain (e.g., "localhost" or "example.com")
+- `WEBAUTHN_RP_NAME` - Your app name (e.g., "ErwinMVC App")
+
+Note: WebAuthn requires HTTPS or localhost.
+
+---
+
 ## CLI Commands
 
 | Command | Description |
@@ -288,6 +328,7 @@ app.get("/protected", authenticate, (req, res) => {
 | `npx erwinmvc generate resource <name>` | Generate model + controller + views |
 | `npx erwinmvc generate controller <name>` | Generate a CRUD controller |
 | `npx erwinmvc generate model <name>` | Generate a database model |
+| `npx erwinmvc webauthn` | Generate WebAuthn authentication (security keys) |
 
 ### Init Options
 

package/dist/cli.js

@@ -6,6 +6,7 @@ const initApp_1 = require("./generators/initApp");
 const generateModel_1 = require("./generators/generateModel");
 const generateController_1 = require("./generators/generateController");
 const generateResource_1 = require("./generators/generateResource");
+const generateWebAuthn_1 = require("./generators/generateWebAuthn");
 const program = new commander_1.Command();
 program
     .name("erwinmvc")
@@ -78,4 +79,19 @@ generate
         process.exit(1);
     }
 });
+// WebAuthn command - generate WebAuthn authentication views and controller
+program
+    .command("webauthn")
+    .alias("w")
+    .description("Generate WebAuthn authentication (security key login)")
+    .option("--skip-migrate", "Skip running Prisma migrate")
+    .action(async (options) => {
+    try {
+        await (0, generateWebAuthn_1.generateWebAuthn)(options);
+    }
+    catch (err) {
+        console.error("Error:", err instanceof Error ? err.message : err);
+        process.exit(1);
+    }
+});
 program.parse();

package/dist/framework/WebAuthn.d.ts

@@ -0,0 +1,10 @@
+import { type PublicKeyCredentialCreationOptionsJSON, type PublicKeyCredentialRequestOptionsJSON } from "@simplewebauthn/server";
+import type { Request, Response } from "express";
+export declare function startRegistration(req: Request, res: Response): Promise<PublicKeyCredentialCreationOptionsJSON>;
+export declare function completeRegistration(req: Request, res: Response): Promise<void>;
+export declare function startAuthentication(req: Request, res: Response): Promise<PublicKeyCredentialRequestOptionsJSON>;
+export declare function completeAuthentication(req: Request, res: Response): Promise<void>;
+export declare function getRPConfig(): {
+    rpID: string;
+    rpName: string;
+};

package/dist/framework/WebAuthn.js

@@ -0,0 +1,240 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startRegistration = startRegistration;
+exports.completeRegistration = completeRegistration;
+exports.startAuthentication = startAuthentication;
+exports.completeAuthentication = completeAuthentication;
+exports.getRPConfig = getRPConfig;
+const server_1 = require("@simplewebauthn/server");
+const base64url_1 = __importDefault(require("base64url"));
+const RP_ID = process.env.WEBAUTHN_RP_ID || "localhost";
+const RP_NAME = process.env.WEBAUTHN_RP_NAME || "ErwinMVC";
+function getOrigin(req) {
+    const protocol = req.protocol;
+    const host = req.get("host") || "localhost";
+    return `${protocol}://${host}`;
+}
+function bufferToBase64URL(buffer) {
+    const buf = Buffer.isBuffer(buffer) ? buffer : Buffer.from(buffer);
+    return base64url_1.default.encode(buf);
+}
+function base64URLToBuffer(str) {
+    return new Uint8Array(base64url_1.default.toBuffer(str));
+}
+async function startRegistration(req, res) {
+    const { username, displayName } = req.body;
+    if (!username || !displayName) {
+        res.status(400).json({ error: "Username and display name are required" });
+        throw new Error("Validation failed");
+    }
+    const options = await (0, server_1.generateRegistrationOptions)({
+        rpName: RP_NAME,
+        rpID: RP_ID,
+        userName: username,
+        userDisplayName: displayName,
+        timeout: 60000,
+        attestationType: "none",
+        authenticatorSelection: {
+            residentKey: "preferred",
+            userVerification: "preferred",
+        },
+    });
+    req.session.webauthnRegistration = {
+        username,
+        challenge: options.challenge,
+    };
+    return options;
+}
+async function completeRegistration(req, res) {
+    const prisma = getPrismaClient();
+    const { username, challenge } = req.session.webauthnRegistration || {};
+    if (!username || !challenge) {
+        res.status(400).json({ error: "Registration session expired" });
+        return;
+    }
+    const credential = req.body;
+    if (!credential || !credential.id) {
+        res.status(400).json({ error: "Invalid credential data" });
+        return;
+    }
+    let verified;
+    try {
+        verified = await (0, server_1.verifyRegistrationResponse)({
+            response: credential,
+            expectedChallenge: challenge,
+            expectedOrigin: getOrigin(req),
+            expectedRPID: RP_ID,
+        });
+    }
+    catch (err) {
+        res.status(400).json({ error: err instanceof Error ? err.message : "Verification failed" });
+        return;
+    }
+    const { verified: isVerified, registrationInfo } = verified;
+    if (!isVerified || !registrationInfo) {
+        res.status(400).json({ error: "Registration verification failed" });
+        return;
+    }
+    const cred = registrationInfo.credential;
+    const { id: credentialID, publicKey: credentialPublicKey, counter } = cred;
+    try {
+        await prisma.user.create({
+            data: {
+                username,
+                email: `${username}@${RP_ID}`,
+                hashedPassword: "",
+                webauthnCredentials: {
+                    create: {
+                        credentialID: credentialID,
+                        credentialPublicKey: bufferToBase64URL(credentialPublicKey),
+                        counter: counter.toString(),
+                        transports: JSON.stringify(credential.transports || []),
+                    },
+                },
+            },
+        });
+    }
+    catch (err) {
+        res.status(400).json({ error: err instanceof Error ? err.message : "Failed to save credential" });
+        return;
+    }
+    delete req.session.webauthnRegistration;
+    res.json({ success: true });
+}
+async function startAuthentication(req, res) {
+    const prisma = getPrismaClient();
+    const users = await prisma.user.findMany({
+        select: {
+            id: true,
+            username: true,
+            webauthnCredentials: {
+                select: {
+                    id: true,
+                    credentialID: true,
+                    counter: true,
+                    transports: true,
+                },
+            },
+        },
+    });
+    const allowCredentials = users
+        .map((user) => {
+        return user.webauthnCredentials.map((cred) => ({
+            id: cred.credentialID,
+            transports: JSON.parse(cred.transports || "[]"),
+        }));
+    })
+        .flat();
+    const options = await (0, server_1.generateAuthenticationOptions)({
+        rpID: RP_ID,
+        timeout: 60000,
+        userVerification: "preferred",
+        allowCredentials: allowCredentials.length > 0 ? allowCredentials : undefined,
+    });
+    req.session.webauthnAuthentication = {
+        challenge: options.challenge,
+    };
+    return options;
+}
+async function completeAuthentication(req, res) {
+    const prisma = getPrismaClient();
+    const { challenge } = req.session.webauthnAuthentication || {};
+    if (!challenge) {
+        res.status(400).json({ error: "Authentication session expired" });
+        return;
+    }
+    const credential = req.body;
+    if (!credential || !credential.id) {
+        res.status(400).json({ error: "Invalid credential data" });
+        return;
+    }
+    const credentialID = credential.id;
+    const user = await prisma.user.findFirst({
+        where: {
+            webauthnCredentials: {
+                some: {
+                    credentialID,
+                },
+            },
+        },
+        select: {
+            id: true,
+            username: true,
+            webauthnCredentials: {
+                where: {
+                    credentialID,
+                },
+                select: {
+                    id: true,
+                    credentialID: true,
+                    credentialPublicKey: true,
+                    counter: true,
+                },
+            },
+        },
+    });
+    if (!user || user.webauthnCredentials.length === 0) {
+        res.status(401).json({ error: "Credential not found" });
+        return;
+    }
+    const webauthnCred = user.webauthnCredentials[0];
+    const credentialData = {
+        id: webauthnCred.credentialID,
+        publicKey: base64URLToBuffer(webauthnCred.credentialPublicKey),
+        counter: parseInt(webauthnCred.counter, 10),
+    };
+    let verified;
+    try {
+        verified = await (0, server_1.verifyAuthenticationResponse)({
+            response: credential,
+            expectedChallenge: challenge,
+            expectedOrigin: getOrigin(req),
+            expectedRPID: RP_ID,
+            credential: credentialData,
+        });
+    }
+    catch (err) {
+        res.status(400).json({ error: err instanceof Error ? err.message : "Verification failed" });
+        return;
+    }
+    const { verified: isVerified, authenticationInfo } = verified;
+    if (!isVerified) {
+        res.status(401).json({ error: "Authentication verification failed" });
+        return;
+    }
+    await prisma.webAuthnCredential.update({
+        where: { id: webauthnCred.id },
+        data: {
+            counter: authenticationInfo.newCounter.toString(),
+        },
+    });
+    req.session.userId = user.id;
+    req.session.username = user.username;
+    delete req.session.webauthnAuthentication;
+    res.json({ success: true, username: user.username });
+}
+let _prisma = null;
+let _PrismaClient = null;
+function getPrismaClient() {
+    if (!_prisma) {
+        if (!_PrismaClient) {
+            try {
+                _PrismaClient = require("@prisma/client").PrismaClient;
+            }
+            catch {
+                throw new Error("Prisma is not installed. Run 'npm install @prisma/client prisma' to use database features.");
+            }
+        }
+        _prisma = new _PrismaClient();
+    }
+    return _prisma;
+}
+function getRPConfig() {
+    return {
+        rpID: RP_ID,
+        rpName: RP_NAME,
+    };
+}

package/dist/framework/index.d.ts

@@ -2,4 +2,5 @@ export { createMvcApp, startServer } from "./App";
 export type { MvcAppOptions, MvcApp } from "./App";
 export { getPrismaClient, disconnectPrisma } from "./db";
 export { hashPassword, verifyPassword, signToken, verifyToken, authenticate, } from "./Auth";
+export { startRegistration, completeRegistration, startAuthentication, completeAuthentication, getRPConfig, } from "./WebAuthn";
 export { registerControllers, registerController } from "./Router";

package/dist/framework/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.registerController = exports.registerControllers = exports.authenticate = exports.verifyToken = exports.signToken = exports.verifyPassword = exports.hashPassword = exports.disconnectPrisma = exports.getPrismaClient = exports.startServer = exports.createMvcApp = void 0;
+exports.registerController = exports.registerControllers = exports.getRPConfig = exports.completeAuthentication = exports.startAuthentication = exports.completeRegistration = exports.startRegistration = exports.authenticate = exports.verifyToken = exports.signToken = exports.verifyPassword = exports.hashPassword = exports.disconnectPrisma = exports.getPrismaClient = exports.startServer = exports.createMvcApp = void 0;
 // App factory and server
 var App_1 = require("./App");
 Object.defineProperty(exports, "createMvcApp", { enumerable: true, get: function () { return App_1.createMvcApp; } });
@@ -16,6 +16,13 @@ Object.defineProperty(exports, "verifyPassword", { enumerable: true, get: functi
 Object.defineProperty(exports, "signToken", { enumerable: true, get: function () { return Auth_1.signToken; } });
 Object.defineProperty(exports, "verifyToken", { enumerable: true, get: function () { return Auth_1.verifyToken; } });
 Object.defineProperty(exports, "authenticate", { enumerable: true, get: function () { return Auth_1.authenticate; } });
+// WebAuthn
+var WebAuthn_1 = require("./WebAuthn");
+Object.defineProperty(exports, "startRegistration", { enumerable: true, get: function () { return WebAuthn_1.startRegistration; } });
+Object.defineProperty(exports, "completeRegistration", { enumerable: true, get: function () { return WebAuthn_1.completeRegistration; } });
+Object.defineProperty(exports, "startAuthentication", { enumerable: true, get: function () { return WebAuthn_1.startAuthentication; } });
+Object.defineProperty(exports, "completeAuthentication", { enumerable: true, get: function () { return WebAuthn_1.completeAuthentication; } });
+Object.defineProperty(exports, "getRPConfig", { enumerable: true, get: function () { return WebAuthn_1.getRPConfig; } });
 // Routing
 var Router_1 = require("./Router");
 Object.defineProperty(exports, "registerControllers", { enumerable: true, get: function () { return Router_1.registerControllers; } });

package/dist/generators/generateWebAuthn.d.ts

@@ -0,0 +1,7 @@
+export interface GenerateWebAuthnOptions {
+    skipMigrate?: boolean;
+}
+/**
+ * Generate WebAuthn authentication views and controller.
+ */
+export declare function generateWebAuthn(options?: GenerateWebAuthnOptions): Promise<void>;

package/dist/generators/generateWebAuthn.js

@@ -0,0 +1,89 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateWebAuthn = generateWebAuthn;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const ejs_1 = __importDefault(require("ejs"));
+const child_process_1 = require("child_process");
+const paths_1 = require("./paths");
+/**
+ * Generate WebAuthn authentication views and controller.
+ */
+async function generateWebAuthn(options = {}) {
+    console.log("Generating WebAuthn authentication...");
+    const controllersDir = path_1.default.resolve("src/controllers");
+    if (!fs_1.default.existsSync(controllersDir)) {
+        fs_1.default.mkdirSync(controllersDir, { recursive: true });
+    }
+    const viewsDir = path_1.default.resolve("src/views/webauthn");
+    if (!fs_1.default.existsSync(viewsDir)) {
+        fs_1.default.mkdirSync(viewsDir, { recursive: true });
+    }
+    // Generate controller
+    const controllerTemplatePath = path_1.default.join((0, paths_1.getTemplatesDir)(), "webauthnController.ts.ejs");
+    const controllerTemplate = fs_1.default.readFileSync(controllerTemplatePath, "utf-8");
+    const controllerContent = ejs_1.default.render(controllerTemplate, {
+        controllerName: "WebAuthnController",
+        resourcePath: "webauthn",
+    });
+    fs_1.default.writeFileSync(path_1.default.join(controllersDir, "WebAuthnController.ts"), controllerContent);
+    console.log("Created src/controllers/WebAuthnController.ts");
+    // Generate views
+    const viewTemplatePath = path_1.default.join((0, paths_1.getTemplatesDir)(), "webauthnView.ejs.ejs");
+    const views = [
+        { name: "register", title: "Register Security Key" },
+        { name: "login", title: "Log in with Security Key" },
+        { name: "authenticate", title: "Two-Factor Authentication" },
+    ];
+    for (const view of views) {
+        const viewTemplate = fs_1.default.readFileSync(viewTemplatePath, "utf-8");
+        const viewContent = ejs_1.default.render(viewTemplate, {
+            title: view.title,
+            viewName: view.name,
+        });
+        fs_1.default.writeFileSync(path_1.default.join(viewsDir, `${view.name}.ejs`), viewContent);
+        console.log(`Created src/views/webauthn/${view.name}.ejs`);
+    }
+    // Run migrations if prisma exists
+    if (!options.skipMigrate) {
+        const schemaPath = path_1.default.resolve("prisma/schema.prisma");
+        if (fs_1.default.existsSync(schemaPath)) {
+            console.log("\nRunning Prisma migrate...");
+            try {
+                (0, child_process_1.execSync)("npx prisma migrate dev --name add_webauthn_credentials", {
+                    stdio: "inherit",
+                });
+            }
+            catch {
+                console.error("Migration failed. You may need to run it manually.");
+            }
+            console.log("\nGenerating Prisma client...");
+            try {
+                (0, child_process_1.execSync)("npx prisma generate", { stdio: "inherit" });
+            }
+            catch {
+                console.error("Failed to generate Prisma client.");
+            }
+        }
+    }
+    console.log(`
+WebAuthn authentication created successfully!
+
+Routes:
+  GET    /webauthn/register      -> register (display registration form)
+  POST   /webauthn/register      -> completeRegistration (process registration)
+  GET    /webauthn/login         -> login (display login form)
+  POST   /webauthn/login         -> completeAuthentication (process login)
+  GET    /webauthn/authenticate  -> authenticate (2FA challenge)
+  POST   /webauthn/authenticate  -> completeAuthentication (2FA completion)
+
+Required environment variables:
+  WEBAUTHN_RP_ID     - Your domain (e.g., "localhost" or "example.com")
+  WEBAUTHN_RP_NAME   - Your app name (e.g., "ErwinMVC App")
+
+Note: WebAuthn requires a secure context (HTTPS or localhost).
+`);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@erwininteractive/mvc",
-  "version": "0.3.8",
+  "version": "0.4.2",
   "description": "A lightweight, full-featured MVC framework for Node.js with Express, Prisma, and EJS",
   "main": "dist/framework/index.js",
   "types": "dist/framework/index.d.ts",
@@ -39,6 +39,8 @@
   },
   "dependencies": {
     "@prisma/client": "^6.0.0",
+    "@simplewebauthn/server": "^13.3.0",
+    "base64url": "^3.0.1",
     "bcryptjs": "^2.4.3",
     "commander": "^12.1.0",
     "connect-redis": "^7.1.1",

package/prisma/schema.prisma

@@ -12,8 +12,28 @@ model User {
     email          String   @unique
     hashedPassword String
     role           String   @default("user")
+    username       String?  @unique
     createdAt      DateTime @default(now())
     updatedAt      DateTime @updatedAt
 
+    webauthnCredentials WebAuthnCredential[]
+
     @@map("users")
 }
+
+model WebAuthnCredential {
+    id             Int      @id @default(autoincrement())
+    credentialID   String   @unique
+    credentialPublicKey String
+    counter        Int
+    attestationType String   @default("none")
+    aaguid         String?
+    transports     String?
+    createdAt      DateTime @default(now())
+    updatedAt      DateTime @updatedAt
+
+    user           User     @relation(fields: [userID], references: [id], onDelete: Cascade)
+    userID         Int
+
+    @@map("webauthn_credentials")
+}

package/templates/webauthnController.ts.ejs

@@ -0,0 +1,53 @@
+import type { Request, Response } from "express";
+import {
+  startRegistration,
+  completeRegistration,
+  startAuthentication,
+  completeAuthentication,
+} from "@erwininteractive/mvc";
+
+/**
+ * Display the registration form
+ */
+export async function register(req: Request, res: Response): Promise<void> {
+  res.render("webauthn/register", {
+    title: "Register Security Key",
+    success: req.query.success === "true",
+    error: req.query.error || null,
+  });
+}
+
+/**
+ * Process registration response
+ */
+export async function completeRegister(req: Request, res: Response): Promise<void> {
+  try {
+    await completeRegistration(req, res);
+  } catch (err) {
+    const error = err instanceof Error ? err.message : err;
+    res.redirect("/webauthn/register?error=" + encodeURIComponent(error));
+  }
+}
+
+/**
+ * Display the login form
+ */
+export async function login(req: Request, res: Response): Promise<void> {
+  res.render("webauthn/login", {
+    title: "Log in with Security Key",
+    error: req.query.error || null,
+  });
+}
+
+/**
+ * Process authentication response
+ */
+export async function completeLogin(req: Request, res: Response): Promise<void> {
+  try {
+    await completeAuthentication(req, res);
+    res.redirect("/dashboard");
+  } catch (err) {
+    const error = err instanceof Error ? err.message : err;
+    res.redirect("/webauthn/login?error=" + encodeURIComponent(error));
+  }
+}

package/templates/webauthnView.ejs.ejs

@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title><%= title %></title>
+  <script src="https://cdn.jsdelivr.net/npm/@simplewebauthn/browser@9"></script>
+  <style>
+    body { font-family: Arial, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
+    .form-group { margin-bottom: 15px; }
+    label { display: block; margin-bottom: 5px; }
+    input { width: 100%; padding: 8px; box-sizing: border-box; }
+    button { padding: 10px 20px; cursor: pointer; }
+    .error { color: red; margin-bottom: 15px; }
+    .success { color: green; margin-bottom: 15px; }
+  </style>
+</head>
+<body>
+  <h1><%= title %></h1>
+
+  <% if (error) { %>
+    <div class="error"><%= error %></div>
+  <% } %>
+
+  <form id="webauthnForm" method="POST">
+    <div class="form-group">
+      <label for="username">Username:</label>
+      <input type="text" id="username" name="username" required>
+    </div>
+
+    <button type="submit"><%= title %></button>
+  </form>
+
+  <script>
+    document.getElementById('webauthnForm').addEventListener('submit', async function(e) {
+      e.preventDefault();
+      
+      const username = document.getElementById('username').value;
+      const response = await fetch('/webauthn/start-authentication', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ username })
+      });
+
+      const options = await response.json();
+      
+      if (options.error) {
+        alert(options.error);
+        return;
+      }
+
+      try {
+        const credential = await startAuthentication(options);
+        window.location.href = '/webauthn/complete?token=' + encodeURIComponent(JSON.stringify(credential));
+      } catch (err) {
+        alert('Authentication failed: ' + err.message);
+      }
+    });
+  </script>
+</body>
+</html>