@mostajs/auth 2.5.1 → 3.0.2

package/dist/lib/webauthn.js

@@ -0,0 +1,167 @@
+// @mostajs/auth — WebAuthn / Passkeys (FIDO2) — Lot 5 / v2.10.0+
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+//
+// WebAuthn Level 3 (W3C CR 2024) via @simplewebauthn/server v9.
+//
+// DEUX modes d'usage couverts :
+//   1. Primary login (passwordless) — `signInWithPasskey()` : pas de password,
+//      la passkey EST l'authentification.
+//   2. 2nd factor (post-password) — `verifyAsFactor()` : après password OK, la
+//      passkey est requise comme deuxième touch (admin / banking / sensitive).
+//
+// Stockage agnostique : le consumer fournit `WebAuthnCredentialRepo` (DI) +
+// `WebAuthnChallengeStore` (challenge transient, TTL ~5 min — cookie courte ou
+// row éphémère côté DB).
+//
+// Recovery policy : si l'user perd son device, le fallback est piloté par
+// `RecoveryPolicy` (DI) — typiquement password + email confirmation, ou backup
+// codes via @mostajs/auth/lib/mfa-totp si l'user en a aussi en TOTP.
+//
+// Sécurité (cf. doc 07 §1.5) :
+//   - RP ID = eTLD+1 (ex: 'example.com'), partagé app.example.com et auth.example.com
+//   - Origin doit matcher la liste d'origines acceptées
+//   - Counter check : si counter retourné < counter stocké → cloning détecté → reject
+//   - Conditional UI : mediation='conditional' pour autofill (login form)
+//   - attestation 'none' par défaut (passkeys grand-public) ; 'direct' opt-in entreprise
+import { generateRegistrationOptions as gen8nRegOpts, verifyRegistrationResponse as ver8nRegResp, generateAuthenticationOptions as gen8nAuthOpts, verifyAuthenticationResponse as ver8nAuthResp, } from '@simplewebauthn/server';
+const CHALLENGE_DEFAULT_TTL_SEC = 300;
+export async function startRegistration(args) {
+    const opts = await gen8nRegOpts({
+        rpName: args.config.rpName,
+        rpID: args.config.rpID,
+        userID: args.user.id,
+        userName: args.user.name,
+        userDisplayName: args.user.displayName,
+        attestationType: args.config.attestationType ?? 'none',
+        excludeCredentials: (args.existingCredentials ?? []).map((c) => ({
+            id: c.credentialId,
+            type: 'public-key',
+            transports: c.transports,
+        })),
+        authenticatorSelection: {
+            residentKey: args.config.residentKey ?? 'preferred',
+            userVerification: args.config.userVerification ?? 'preferred',
+            authenticatorAttachment: args.config.authenticatorAttachment,
+        },
+    });
+    const ttlSec = args.config.challengeTtlSec ?? CHALLENGE_DEFAULT_TTL_SEC;
+    await args.challengeStore.put(args.sessionKey, opts.challenge, new Date(Date.now() + ttlSec * 1000));
+    return opts;
+}
+export async function finishRegistration(repo, args) {
+    const challenge = await args.challengeStore.consume(args.sessionKey);
+    if (!challenge)
+        return { ok: false, reason: 'no_challenge' };
+    const verified = await ver8nRegResp({
+        response: args.response,
+        expectedChallenge: challenge.challenge,
+        expectedOrigin: args.config.expectedOrigins,
+        expectedRPID: args.config.rpID,
+        requireUserVerification: (args.config.userVerification ?? 'preferred') === 'required',
+    });
+    if (!verified.verified || !verified.registrationInfo) {
+        return { ok: false, reason: 'verification_failed' };
+    }
+    const info = verified.registrationInfo;
+    const credentialId = info.credential?.id ?? info.credentialID;
+    const credentialPublicKey = info.credential?.publicKey ?? info.credentialPublicKey;
+    const counter = info.credential?.counter ?? info.counter ?? 0;
+    const record = await repo.insert({
+        userId: args.userId,
+        credentialId: typeof credentialId === 'string' ? credentialId : Buffer.from(credentialId).toString('base64url'),
+        publicKey: Buffer.from(credentialPublicKey).toString('base64url'),
+        counter,
+        transports: args.response.response.transports,
+        deviceName: args.deviceName,
+        usage: args.usage ?? 'both',
+        createdAt: new Date(),
+        lastUsedAt: null,
+    });
+    return { ok: true, record };
+}
+export async function startAuthentication(args) {
+    const opts = await gen8nAuthOpts({
+        rpID: args.config.rpID,
+        allowCredentials: args.allowedCredentials?.map((c) => ({
+            id: c.credentialId,
+            type: 'public-key',
+            transports: c.transports,
+        })),
+        userVerification: args.config.userVerification ?? 'preferred',
+    });
+    const ttlSec = args.config.challengeTtlSec ?? CHALLENGE_DEFAULT_TTL_SEC;
+    await args.challengeStore.put(args.sessionKey, opts.challenge, new Date(Date.now() + ttlSec * 1000));
+    return opts;
+}
+/**
+ * Vérifie une réponse d'authentification — utilisable en primary OU 2nd factor selon
+ * `expectedUsage`. Le caller décide ensuite quoi faire avec le `userId` retourné.
+ */
+export async function finishAuthentication(repo, args) {
+    const challenge = await args.challengeStore.consume(args.sessionKey);
+    if (!challenge)
+        return { ok: false, reason: 'no_challenge' };
+    const credentialId = args.response.id;
+    const stored = await repo.findByCredentialId(credentialId);
+    if (!stored)
+        return { ok: false, reason: 'unknown_credential' };
+    // Vérifie que le credential supporte le mode demandé
+    if (args.expectedUsage === 'primary' && stored.usage === 'factor') {
+        return { ok: false, reason: 'wrong_usage' };
+    }
+    if (args.expectedUsage === 'factor' && stored.usage === 'primary') {
+        return { ok: false, reason: 'wrong_usage' };
+    }
+    let verified;
+    try {
+        verified = await ver8nAuthResp({
+            response: args.response,
+            expectedChallenge: challenge.challenge,
+            expectedOrigin: args.config.expectedOrigins,
+            expectedRPID: args.config.rpID,
+            credential: {
+                id: stored.credentialId,
+                publicKey: new Uint8Array(Buffer.from(stored.publicKey, 'base64url')),
+                counter: stored.counter,
+                transports: stored.transports,
+            },
+            requireUserVerification: (args.config.userVerification ?? 'preferred') === 'required',
+        });
+    }
+    catch {
+        return { ok: false, reason: 'verification_failed' };
+    }
+    if (!verified.verified || !verified.authenticationInfo) {
+        return { ok: false, reason: 'verification_failed' };
+    }
+    const newCounter = verified.authenticationInfo.newCounter ?? stored.counter;
+    // Anti-cloning : counter doit être strictement croissant (sauf cas counter = 0
+    // pour passkeys synced — Apple/Google laissent counter à 0 toujours).
+    const isPasskeySynced = stored.counter === 0 && newCounter === 0;
+    if (!isPasskeySynced && newCounter <= stored.counter) {
+        return { ok: false, reason: 'counter_mismatch' };
+    }
+    await repo.updateAfterUse(stored.id, { counter: newCounter, lastUsedAt: new Date() });
+    return { ok: true, userId: stored.userId, credentialId, method: 'webauthn' };
+}
+export async function listPasskeys(repo, userId) {
+    const all = await repo.findByUser(userId);
+    return all.map((c) => ({
+        id: c.id,
+        deviceName: c.deviceName,
+        usage: c.usage,
+        createdAt: c.createdAt,
+        lastUsedAt: c.lastUsedAt,
+        transports: c.transports,
+    }));
+}
+/** Le caller DOIT exiger une preuve fraîche d'identité avant d'appeler — on supprime point. */
+export async function removePasskey(repo, args) {
+    const cred = await repo.findById(args.credentialId);
+    if (!cred)
+        return { ok: false, reason: 'not_found' };
+    if (cred.userId !== args.userId)
+        return { ok: false, reason: 'not_owner' };
+    await repo.delete(cred.id);
+    return { ok: true };
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@mostajs/auth",
-  "version": "2.5.1",
-  "description": "Authentication — NextAuth, password hashing, session management",
+  "version": "3.0.2",
+  "description": "Authentication — complete: email/password (Argon2id) + OAuth + magic link + MFA TOTP + WebAuthn/Passkeys + RGPD lifecycle + device_flow/pkce events + accountId propagation server↔client",
   "author": "Dr Hamid MADANI <drmdh@msn.com>",
   "license": "AGPL-3.0-or-later",
   "type": "module",
@@ -78,6 +78,76 @@
       "import": "./dist/lib/password-reset.js",
       "default": "./dist/lib/password-reset.js"
     },
+    "./lib/refresh-tokens": {
+      "types": "./dist/lib/refresh-tokens.d.ts",
+      "import": "./dist/lib/refresh-tokens.js",
+      "default": "./dist/lib/refresh-tokens.js"
+    },
+    "./lib/auth-rate-limit": {
+      "types": "./dist/lib/auth-rate-limit.d.ts",
+      "import": "./dist/lib/auth-rate-limit.js",
+      "default": "./dist/lib/auth-rate-limit.js"
+    },
+    "./lib/auth-events": {
+      "types": "./dist/lib/auth-events.d.ts",
+      "import": "./dist/lib/auth-events.js",
+      "default": "./dist/lib/auth-events.js"
+    },
+    "./lib/oauth-primitives": {
+      "types": "./dist/lib/oauth-primitives.d.ts",
+      "import": "./dist/lib/oauth-primitives.js",
+      "default": "./dist/lib/oauth-primitives.js"
+    },
+    "./lib/oauth-providers": {
+      "types": "./dist/lib/oauth-providers.d.ts",
+      "import": "./dist/lib/oauth-providers.js",
+      "default": "./dist/lib/oauth-providers.js"
+    },
+    "./lib/oauth-linking": {
+      "types": "./dist/lib/oauth-linking.d.ts",
+      "import": "./dist/lib/oauth-linking.js",
+      "default": "./dist/lib/oauth-linking.js"
+    },
+    "./lib/magic-link": {
+      "types": "./dist/lib/magic-link.d.ts",
+      "import": "./dist/lib/magic-link.js",
+      "default": "./dist/lib/magic-link.js"
+    },
+    "./lib/mfa-totp": {
+      "types": "./dist/lib/mfa-totp.d.ts",
+      "import": "./dist/lib/mfa-totp.js",
+      "default": "./dist/lib/mfa-totp.js"
+    },
+    "./lib/webauthn": {
+      "types": "./dist/lib/webauthn.d.ts",
+      "import": "./dist/lib/webauthn.js",
+      "default": "./dist/lib/webauthn.js"
+    },
+    "./lib/account-lifecycle": {
+      "types": "./dist/lib/account-lifecycle.d.ts",
+      "import": "./dist/lib/account-lifecycle.js",
+      "default": "./dist/lib/account-lifecycle.js"
+    },
+    "./components/MfaEnrollDialog": {
+      "types": "./dist/components/MfaEnrollDialog.d.ts",
+      "import": "./dist/components/MfaEnrollDialog.js",
+      "default": "./dist/components/MfaEnrollDialog.js"
+    },
+    "./components/MfaChallenge": {
+      "types": "./dist/components/MfaChallenge.d.ts",
+      "import": "./dist/components/MfaChallenge.js",
+      "default": "./dist/components/MfaChallenge.js"
+    },
+    "./components/PasskeyRegisterButton": {
+      "types": "./dist/components/PasskeyRegisterButton.d.ts",
+      "import": "./dist/components/PasskeyRegisterButton.js",
+      "default": "./dist/components/PasskeyRegisterButton.js"
+    },
+    "./components/PasskeyLoginButton": {
+      "types": "./dist/components/PasskeyLoginButton.d.ts",
+      "import": "./dist/components/PasskeyLoginButton.js",
+      "default": "./dist/components/PasskeyLoginButton.js"
+    },
     "./lib/apikey-provider": {
       "types": "./dist/lib/apikey-provider.d.ts",
       "import": "./dist/lib/apikey-provider.js",
@@ -88,6 +158,16 @@
       "import": "./dist/lib/credentials-provider.js",
       "default": "./dist/lib/credentials-provider.js"
     },
+    "./lib/credentials-verify": {
+      "types": "./dist/lib/credentials-verify.d.ts",
+      "import": "./dist/lib/credentials-verify.js",
+      "default": "./dist/lib/credentials-verify.js"
+    },
+    "./lib/remote-credentials-provider": {
+      "types": "./dist/lib/remote-credentials-provider.d.ts",
+      "import": "./dist/lib/remote-credentials-provider.js",
+      "default": "./dist/lib/remote-credentials-provider.js"
+    },
     "./lib/check-request": {
       "types": "./dist/lib/check-request.d.ts",
       "import": "./dist/lib/check-request.js",
@@ -126,12 +206,22 @@
   "scripts": {
     "build": "tsc && npm run fix-esm",
     "fix-esm": "find dist -name '*.js' -exec sed -i -E \"s|from '(\\\\.{1,2}/[^']+)'(;?)|from '\\\\1.js'\\\\2|g; s|from \\\"(\\\\.{1,2}/[^\\\"]+)\\\"(;?)|from \\\"\\\\1.js\\\"\\\\2|g\" {} \\; && find dist -name '*.js' -exec sed -i -E \"s|\\\\.js\\\\.js|.js|g; s|\\\\.json\\\\.js|.json|g; s|\\\\.css\\\\.js|.css|g\" {} \\;",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build",
+    "test": "bash test-scripts/run-tests.sh",
+    "test:unit": "node --import tsx test-scripts/test-unit.ts",
+    "test:refresh": "node --import tsx test-scripts/test-refresh-tokens.ts",
+    "test:rate-limit": "node --import tsx test-scripts/test-rate-limit.ts",
+    "test:events": "node --import tsx test-scripts/test-auth-events.ts"
   },
   "dependencies": {
     "@mostajs/config": "^1.0.0",
     "@mostajs/net": "^2.0.0",
-    "bcryptjs": "^2.4.3"
+    "@node-rs/argon2": "^2.0.2",
+    "@simplewebauthn/browser": "^9.0.1",
+    "@simplewebauthn/server": "^9.0.3",
+    "bcryptjs": "^2.4.3",
+    "otplib": "^12.0.1",
+    "qrcode": "^1.5.4"
   },
   "peerDependencies": {
     "@mostajs/rbac": ">=1.0.0",
@@ -145,6 +235,7 @@
     "@mostajs/rbac": "^2.0.3",
     "@types/bcryptjs": "^2.4.0",
     "@types/node": "^25.3.3",
+    "@types/qrcode": "^1.5.6",
     "@types/react": "^19.0.0",
     "next": "^15.0.0",
     "react": "^19.0.0",