@owlmeans/client-auth 0.1.0

package/src/manager/components/authentication/control.ts

@@ -0,0 +1,193 @@
+import type { AuthenticationControl } from './types.js'
+import {
+  ALL_SCOPES, AUTHEN_AUTHEN, AUTHEN_INIT, AuthRole, AuthenticationStage, AuthenticationType,
+} from '@owlmeans/auth'
+import type { AllowanceResponse, AllowanceRequest, AuthToken, AuthCredentials } from '@owlmeans/auth'
+import type { ClientContext } from '@owlmeans/client'
+import type { ClientConfig } from '@owlmeans/client-context'
+import type { ClientModule } from '@owlmeans/client-module'
+import { AuthenCredError } from '../../errors.js'
+import { plugins } from '../../plugins/index.js'
+import { EnvelopeKind, makeEnvelopeModel } from '@owlmeans/basic-envelope'
+import type { EnvelopeModel } from '@owlmeans/basic-envelope'
+import { ModuleOutcome } from '@owlmeans/module'
+import { DEFAULT_ALIAS as FLOW_SERVICE, FLOW_STATE } from '@owlmeans/client-flow'
+import type { FlowService, StateResource } from '@owlmeans/client-flow'
+import { CONTROL_STATE_ID } from './consts.js'
+import { ResilientError } from '@owlmeans/error'
+
+export const makeControl = (
+  context: ClientContext<ClientConfig>,
+  callback?: (token: AuthToken) => Promise<boolean>
+): AuthenticationControl => {
+  // @TODO: This control should deal with scopes someway
+  const control: AuthenticationControl = {
+
+    stage: AuthenticationStage.Init,
+
+    type: AuthenticationType.BasicEd25519,
+
+    callback,
+
+    setError: async error => {
+      control.error = ResilientError.ensure(error as Error)
+
+      control.updateStage(AuthenticationStage.Error)
+    },
+
+    requestAllowence: async request => {
+      control.updateStage(AuthenticationStage.Allowence)
+
+      control.request = (request ?? { type: control.type }) as AllowanceRequest
+      control.type = control.request.type as string
+
+      control.beforeAuthenticate = plugins[control.type].beforeAuthenticate
+      control.afterAuthenticate = plugins[control.type].afterAuthenticate
+
+      const module = context.module<ClientModule<AllowanceResponse>>(AUTHEN_INIT)
+      const [allowance] = await module.call({ body: control.request })
+
+      control.allowance = allowance
+
+      control.updateStage(AuthenticationStage.Authenticate)
+    },
+
+    authenticate: async credentials => {
+      control.updateStage(AuthenticationStage.Authentication)
+      try {
+        credentials.type = control.type
+        if (control.allowance?.challenge == null) {
+          throw new AuthenCredError('allowance')
+        }
+        const envelope: EnvelopeModel = makeEnvelopeModel(control.allowance?.challenge, EnvelopeKind.Wrap)
+
+        credentials.challenge = envelope.message()
+        credentials.scopes = credentials.scopes ?? [ALL_SCOPES]
+        credentials.role = credentials.role ?? AuthRole.User
+
+        if (credentials.credential == null || credentials.credential === '') {
+          throw new AuthenCredError('credential')
+        }
+
+        if (credentials.userId == null || credentials.userId === '') {
+          throw new AuthenCredError('userId')
+        }
+
+        if (credentials.challenge == null || credentials.challenge === '') {
+          throw new AuthenCredError('challenge')
+        }
+        
+        if (plugins[control.type].authenticate != null) {
+          // We sign unwrapped challenge (or do something similar)
+          const clientToken = await plugins[control.type].authenticate!(credentials, context)
+
+          if (clientToken.token !== '' && control.beforeAuthenticate != null) {
+            control.beforeAuthenticate(clientToken, context)
+          }
+        }
+
+        // We return back unwrapped challenge
+        credentials.challenge = control.allowance?.challenge
+
+        const [token, status] = await context.module<ClientModule<AuthToken>>(AUTHEN_AUTHEN)
+          .call({ body: credentials })
+
+        if (status === ModuleOutcome.Ok && token.token != null
+          && token.token !== '' && control.afterAuthenticate != null) {
+          const resultingCred = makeEnvelopeModel<AuthCredentials>(token.token, EnvelopeKind.Token).message()
+          await control.afterAuthenticate(resultingCred, context)
+        }
+
+        if (control.callback != null && await control.callback(token)) {
+          return { token: '' }
+        }
+
+        return token
+      } catch (error) {
+        // @TODO we need to move this processing to all respective UI implementations
+        // control.setStage?.(control.stage = AuthenticationStage.Authenticate)
+        throw error
+      }
+    },
+
+    updateStage: stage => {
+      control.stage = stage
+      control.setStage?.(stage)
+    },
+
+    persist: async () => {
+      if (context.hasResource(FLOW_STATE)) {
+        const resource = context.resource<StateResource>(FLOW_STATE)
+        await resource.save({
+          id: CONTROL_STATE_ID, ...{
+            type: control.type,
+            stage: control.stage,
+            allowance: control.allowance,
+          }
+        })
+
+        return true
+      }
+
+      return false
+    },
+    
+    restore: async () => {
+      if (context.hasResource(FLOW_STATE)) {
+        const resource = context.resource<StateResource>(FLOW_STATE)
+        const state = await resource.load(CONTROL_STATE_ID)
+        if (state != null) {
+          const _state = state as unknown as Partial<AuthenticationControl>
+          if (_state.type != null) {
+            control.type = _state.type
+          }
+          control.beforeAuthenticate = plugins[control.type].beforeAuthenticate
+          control.afterAuthenticate = plugins[control.type].afterAuthenticate
+
+          if (_state.stage != null) {
+            control.stage = _state.stage
+          }
+          if (_state.allowance != null) {
+            control.allowance = _state.allowance
+          }
+
+          return true
+        }
+      }
+      return false
+    },
+
+    hasPersistentState: async () => {
+      if (context.hasResource(FLOW_STATE)) {
+        const resource = context.resource<StateResource>(FLOW_STATE)
+        if (null != await resource.load(CONTROL_STATE_ID)) {
+          return true
+        }
+      }
+
+      return false
+    },
+
+    cleanUpState: async () => {
+      if (context.hasResource(FLOW_STATE)) {
+        const resource = context.resource<StateResource>(FLOW_STATE)
+        await resource.delete(CONTROL_STATE_ID)
+      }
+    },
+
+    flow: async () => {
+      const alias = FLOW_SERVICE
+      if (context.hasService(alias)) {
+        const flow = context.service<FlowService>(alias)
+        await flow.ready()
+        if (await flow.supplied) {
+          return flow
+        }
+      }
+
+      return null
+    }
+  }
+
+  return control
+}

package/src/manager/components/authentication/index.ts

@@ -0,0 +1,4 @@
+
+export * from './component.js'
+export * from './control.js'
+export * from './types.js'

package/src/manager/components/authentication/types.ts

@@ -0,0 +1,74 @@
+import type {
+  AllowanceRequest, AllowanceResponse, AuthCredentials, AuthenticationStage, AuthenticationType,
+  AuthToken
+} from '@owlmeans/auth'
+import type { ModuleContextParams } from '@owlmeans/client'
+import type { FC } from 'react'
+import type { ClientContext } from '@owlmeans/client'
+import type { FlowService } from '@owlmeans/client-flow'
+import type { ResilientError } from '@owlmeans/error'
+
+export type ClientAuthType = AuthenticationType | string
+
+export interface AuthenticationProps extends ModuleContextParams {
+  type?: ClientAuthType
+  callback?: AuthenticationCallback
+  source?: string
+}
+
+export interface TAuthenticationHOC {
+  (Renderer?: AuthenticationRenderer, type?: string): FC<AuthenticationProps>
+}
+
+export interface AuthenticationRendererProps {
+  stage: AuthenticationStage
+  type: ClientAuthType
+  control: AuthenticationControl
+  params: Record<string, unknown>
+}
+
+export interface AuthenticationRenderer extends FC<AuthenticationRendererProps> {
+}
+
+export interface AuthenticationControlState {
+  stage: AuthenticationStage
+  type: ClientAuthType
+  request?: AllowanceRequest
+  allowance?: AllowanceResponse
+  error?: ResilientError
+  source?: string
+}
+
+export interface AuthenticationControl extends AuthenticationControlState {
+  callback?: AuthenticationCallback
+  setStage?: (stage: AuthenticationStage) => void
+  updateStage: (stage: AuthenticationStage) => void
+  requestAllowence: (request?: Partial<AllowanceRequest>) => Promise<void>
+  beforeAuthenticate?: (clientToken: AuthToken, context?: ClientContext) => Promise<void>
+  afterAuthenticate?: (credential: AuthCredentials, context?: ClientContext) => Promise<void>
+  authenticate: ClientAuthenticationMethod
+
+  flow: () => Promise<FlowService | null>
+
+  /**
+   * These methods are used to store control state in cases when the screen is left
+   * during authentication process. E.g. for OIDC authentication on web
+   */
+  persist: () => Promise<boolean>
+  restore: () => Promise<boolean>
+  hasPersistentState: () => Promise<boolean>
+  cleanUpState: () => Promise<void>
+
+  setError: (error: unknown) => Promise<void>
+}
+
+export interface ClientAuthenticationMethod {
+  (
+    credential: Partial<AuthCredentials> & Pick<AuthCredentials, "userId" | "credential">,
+    context?: ClientContext
+  ): Promise<AuthToken>
+}
+
+export interface AuthenticationCallback {
+  (token: AuthToken, ...args: any[]): Promise<boolean>
+}

package/src/manager/components/index.ts

@@ -0,0 +1,4 @@
+
+export * from './authentication/index.js'
+export * from './tunnel-consumer.js'
+export type * from './types.js'

package/src/manager/components/tunnel-consumer.tsx

@@ -0,0 +1,15 @@
+import { AuthenticationType } from '@owlmeans/auth'
+import { AuthenticationHOC } from './authentication/component.js'
+import type { FC } from 'react'
+import { useMemo } from 'react'
+import { useModule } from '@owlmeans/client'
+import type { TunnelAuthenticationProps } from './types.js'
+
+export const TunnelConsumer: FC<Partial<TunnelAuthenticationProps>> = ({ ...props }) => {
+  const mod = useModule()
+  const Implementation = useMemo(
+    () => AuthenticationHOC(undefined, AuthenticationType.WalletConsumer), []
+  )
+
+  return <Implementation {...mod} {...props} type={AuthenticationType.WalletConsumer}/>
+}

package/src/manager/components/types.ts

@@ -0,0 +1,11 @@
+import type { AuthToken } from '@owlmeans/auth'
+import type { WalletFacade } from '@owlmeans/did'
+import type { AuthenticationProps } from './authentication/types.js'
+
+export interface TunnelAuthenticationProps extends AuthenticationProps {
+  callback: TunnelAuthCallback
+}
+
+export interface TunnelAuthCallback {
+  (token: AuthToken, wallet: WalletFacade): Promise<boolean>
+}

package/src/manager/errors.ts

@@ -0,0 +1,14 @@
+
+import { ResilientError } from '@owlmeans/error'
+import { AuthManagerError } from '@owlmeans/auth'
+
+export class AuthenCredError extends AuthManagerError {
+  public static override typeName: string = `${AuthManagerError.typeName}Cred`
+
+  constructor(message: string = 'error') {
+    super(`cred:${message}`)
+    this.type = AuthenCredError.typeName
+  }
+}
+
+ResilientError.registerErrorClass(AuthenCredError)

package/src/manager/index.ts

@@ -0,0 +1,4 @@
+
+export * from './plugins/index.js'
+export * from './components/index.js'
+export * from './errors.js'

package/src/manager/modules.ts

@@ -0,0 +1,18 @@
+
+import { AUTHEN, AUTHEN_AUTHEN, AUTHEN_INIT, AUTHEN_RELY, CAUTHEN, CAUTHEN_AUTHEN, CAUTHEN_AUTHEN_DEFAULT, CAUTHEN_AUTHEN_TYPED, DISPATCHER } from '@owlmeans/auth'
+import { modules as list } from '@owlmeans/auth-common'
+import { handler } from '@owlmeans/client'
+import { elevate, stab } from '@owlmeans/client-module'
+import { AuthenticationHOC } from './components/authentication/component.js'
+
+elevate(list, AUTHEN)
+elevate(list, AUTHEN_INIT, true)
+elevate(list, AUTHEN_AUTHEN, true)
+elevate(list, AUTHEN_RELY)
+elevate(list, CAUTHEN)
+elevate(list, CAUTHEN_AUTHEN)
+elevate(list, CAUTHEN_AUTHEN_DEFAULT, handler(AuthenticationHOC()))
+elevate(list, CAUTHEN_AUTHEN_TYPED, handler(AuthenticationHOC()))
+elevate(list, DISPATCHER, stab, { force: true })
+
+export const modules = list

package/src/manager/plugins/basic-ed25519.tsx

@@ -0,0 +1,42 @@
+import { AuthenticationStage, AuthenticationType } from '@owlmeans/auth'
+import type { AuthenticationPlugin } from './types.js'
+import { useEffect } from 'react'
+import { makeKeyPairModel } from '@owlmeans/basic-keys'
+import { AuthenCredError } from '../errors.js'
+
+export const ed25519BasicUIPlugin: AuthenticationPlugin = {
+  type: AuthenticationType.BasicEd25519,
+
+  Implementation: Renderer => ({ type, stage, control, params }) => {
+
+    type = type ?? AuthenticationType.BasicEd25519
+    Renderer = Renderer ?? ed25519BasicUIPlugin.Renderer
+
+    // BasicEd25519 authentication request allowance unconditionally 
+    // (no input or additional challenges required)
+    useEffect(() => {
+      if (control.stage === AuthenticationStage.Init) {
+        void control.requestAllowence()
+      }
+    }, [type])
+
+    if (Renderer == null) {
+      throw new SyntaxError('Renderer is not defined for BasicEd25519 plugin')
+    }
+
+    return <Renderer type={type} stage={stage} control={control} params={params} />
+  },
+
+  authenticate: async credentials => {
+    const key = makeKeyPairModel(credentials.credential)
+
+    if (credentials.userId !== key.exportAddress()) {
+      throw new AuthenCredError('credentials-missmatch')
+    }
+
+    credentials.credential = await key.sign(credentials.challenge)
+
+    // We don't use it - just type compatibility
+    return { token: '' }
+  }
+}

package/src/manager/plugins/exports.ts

@@ -0,0 +1,5 @@
+export type * from './types.js'
+export * from './tunnel/index.js'
+export * from './basic-ed25519.js'
+export * from './re-captcha.js'
+export * from './tunnel-consumer.js'

package/src/manager/plugins/index.ts

@@ -0,0 +1,13 @@
+import type { ClientAuthType } from '../components/index.js'
+
+import { AuthenticationType } from '@owlmeans/auth'
+import { ed25519BasicUIPlugin } from './basic-ed25519.js'
+import { AuthenticationPlugin } from './types.js'
+import { reCaptchaPlugin } from './re-captcha.js'
+import { tunnelConsumerUIPlugin } from './tunnel-consumer.js'
+
+export const plugins: { [type: ClientAuthType]: AuthenticationPlugin } = {}
+
+plugins[AuthenticationType.BasicEd25519] = ed25519BasicUIPlugin
+plugins[AuthenticationType.ReCaptcha] = reCaptchaPlugin
+plugins[AuthenticationType.WalletConsumer] = tunnelConsumerUIPlugin

package/src/manager/plugins/re-captcha.tsx

@@ -0,0 +1,31 @@
+import { AuthenticationStage, AuthenticationType } from '@owlmeans/auth'
+import type { AuthenticationPlugin } from './types.js'
+import { useEffect } from 'react'
+
+export const reCaptchaPlugin: AuthenticationPlugin = {
+  type: AuthenticationType.ReCaptcha,
+
+  Implementation: Renderer => ({ type, stage, control, params }) => {
+    Renderer = Renderer ?? reCaptchaPlugin.Renderer
+
+    // ReCaptcha authentication requests allowance unconditionally 
+    // (no input or additional challenges required)
+    useEffect(() => {
+      if (control.stage === AuthenticationStage.Init) {
+        void control.requestAllowence({ type, source: control.source })
+      }
+    }, [type])
+
+    if (Renderer == null) {
+      throw new SyntaxError('Renderer is not defined for ReCaptcha plugin')
+    }
+
+    return <Renderer type={type} stage={stage} control={control} params={params} />
+  },
+
+  /**
+   * Actually we don't need to do anything here cause ReCaptcha server
+   * did it for us.
+   */
+  authenticate: async () => ({ token: '' })
+}

package/src/manager/plugins/tunnel/consts.ts

@@ -0,0 +1,12 @@
+
+import type { JSONSchemaType } from 'ajv'
+import type { PinForm } from './types.js'
+
+export const PinSchema: JSONSchemaType<PinForm> = {
+  type: 'object',
+  properties: {
+    pin: { type: 'string', minLength: 2, maxLength: 12 }
+  },
+  required: ['pin'],
+  additionalProperties: false,
+}

package/src/manager/plugins/tunnel/index.ts

@@ -0,0 +1,5 @@
+
+export type * from './types.js'
+export * from './consts.js'
+export * from './wallet.js'
+

package/src/manager/plugins/tunnel/types.ts

@@ -0,0 +1,15 @@
+import type { AuthenticationRendererProps } from '../../components/authentication/types.js'
+import type { FC } from 'react'
+import type { Connection } from '@owlmeans/socket'
+
+export interface TunnelAuthenticationRenderer extends FC<TunnelAuthenticationRendererProps> {
+}
+
+export interface TunnelAuthenticationRendererProps extends AuthenticationRendererProps {
+  conn: Connection | null
+  submit: (data: PinForm) => Promise<void>
+}
+
+export interface PinForm {
+  pin: string
+}

package/src/manager/plugins/tunnel/wallet.ts

@@ -0,0 +1,43 @@
+import type { WalletFacade } from '@owlmeans/did'
+import type { Connection } from '@owlmeans/socket'
+import { base64, base64urlnopad } from '@scure/base'
+
+export const createWalletFacade = (conn: Connection): WalletFacade => {
+  const facade: WalletFacade = {
+    sign: async (entityId, payload, opts) => {
+      const result: string = await conn.call('sign', entityId, base64.encode(payload), opts)
+
+      return base64urlnopad.decode(result)
+    },
+
+    createKey: async (entityId, opts) => {
+      return await conn.call('createKey', entityId, opts)
+    },
+
+    getEntityKey: async (entityId, opts) => {
+      return await conn.call('getEntityKey', entityId, opts)
+    },
+
+    getMasterDid: async opts => {
+      return await conn.call('getMasterDid', opts)
+    },
+
+    selectKey: async opts => {
+      return await conn.call('selectKey', opts)
+    },
+
+    getPublicDetails: async (did, opts) => {
+      return await conn.call('getPublicDetails', did, opts)
+    },
+
+    requestPermissions: async (methods, opts) => {
+      return await conn.call('requestPermissions', methods, opts)
+    },
+
+    close: async () => {
+      await conn.close()
+    }
+  }
+
+  return facade
+}

package/src/manager/plugins/tunnel-consumer.tsx

@@ -0,0 +1,100 @@
+import { useWs } from '@owlmeans/client-socket'
+import { AUTH_SCOPE, AUTHEN_RELY, AuthenticationStage, AuthenticationType, AuthRole } from '@owlmeans/auth'
+import type { AllowanceRequest, AllowanceResponse, Auth, AuthCredentials } from '@owlmeans/auth'
+import type { AuthenticationPlugin } from './types.js'
+import type { PinForm, TunnelAuthenticationRenderer } from './tunnel/types.js'
+import { useCallback, useEffect } from 'react'
+import type { Connection } from '@owlmeans/socket'
+import { isEventMessage, SocketTimeout } from '@owlmeans/socket'
+import type { AuthenticationControl } from '../components/authentication/types.js'
+import { RELY_ACTION_TIMEOUT, RELY_PIN_PERFIX } from '@owlmeans/auth-common'
+import { createWalletFacade } from './tunnel/wallet.js'
+
+export const tunnelConsumerUIPlugin: AuthenticationPlugin = {
+  type: AuthenticationType.WalletConsumer,
+
+  Implementation: renderer => ({ type, stage, control, params }) => {
+    type = type ?? AuthenticationType.WalletConsumer
+    const Renderer: TunnelAuthenticationRenderer | undefined = renderer
+      ?? tunnelConsumerUIPlugin.Renderer
+
+    const connection = useWs(AUTHEN_RELY)
+
+    if (Renderer == null) {
+      throw new SyntaxError('Renderer is not defined for WalletConsumer plugin')
+    }
+
+    useEffect(() => {
+      if (connection != null) {
+        control.updateStage(AuthenticationStage.Allowence)
+        connection.auth<AllowanceRequest, AllowanceResponse>(
+          AuthenticationStage.Init, { type: AuthenticationType.RelyHandshake }
+        ).then(async (allowance: AllowanceResponse) => {
+          control.allowance = allowance
+          control.updateStage(AuthenticationStage.Authenticate)
+
+          connection.defaultCallTimeout = RELY_ACTION_TIMEOUT * 1000
+        })
+
+        connection.authenticate = async (stage: AuthenticationStage, payload: any) => {
+          if (stage === AuthenticationStage.Authenticated) {
+            try {
+              if (control.callback == null) {
+                throw new SyntaxError('Tunnel consumer requires a callback to provide connection object')
+              }
+              await control.callback(payload, createWalletFacade(connection))
+              control.updateStage(AuthenticationStage.Authentication)
+            } catch (e) {
+              await connection.close()
+              await control.setError(e)
+            }
+          }
+          return [null, null as any]
+        }
+
+        return connection.listen(async message => {
+          if (isEventMessage(message) && message.event === 'close') {
+            await control.setError(new SocketTimeout('rely'))
+          }
+        })
+      }
+    }, [connection])
+
+    const submit = useCallback(
+      connection != null ? makeSubmit(connection, control) : async () => void 0
+      , [connection != null]
+    )
+
+    return <Renderer type={type} stage={stage} control={control} conn={connection} params={params} submit={submit} />
+  },
+
+  authenticate: async _credentials => {
+    // We don't use it - just type compatibility
+    return { token: '' }
+  }
+}
+
+const makeSubmit = (conn: Connection, control: AuthenticationControl) => async (data: PinForm) => {
+  await control.updateStage(AuthenticationStage.Authentication)
+  try {
+    const auth = await conn.auth<AuthCredentials, Auth>(AuthenticationStage.Authenticate, {
+      challenge: control.allowance?.challenge ?? '',
+      credential: RELY_PIN_PERFIX + data.pin,
+      type: control.type,
+      role: AuthRole.Guest,
+      userId: '',
+      scopes: [AUTH_SCOPE]
+    })
+
+    if (conn.stage === AuthenticationStage.Authenticated) {
+      if (control.callback == null) {
+        throw new SyntaxError('Tunnel consumer requires a callback to provide connection object')
+      }
+      await control.callback(auth, createWalletFacade(conn))
+    }
+    // (auth)
+  } catch (e) {
+    await conn.close()
+    await control.setError(e)
+  }
+}

package/src/manager/plugins/types.ts

@@ -0,0 +1,14 @@
+import type { FC } from 'react'
+import type { AuthenticationControl, AuthenticationRenderer, AuthenticationRendererProps, } from '../components/authentication/types.js'
+
+export interface AuthenticationPlugin extends Pick<
+  AuthenticationControl, "beforeAuthenticate" | "afterAuthenticate"
+>, Pick<Partial<AuthenticationControl>, "authenticate"> {
+  type: string
+  Implementation: PluginImplemnetation
+  Renderer?: AuthenticationRenderer
+}
+
+export interface PluginImplemnetation {
+  (Renderer?: AuthenticationRenderer): FC<AuthenticationRendererProps>
+}

package/src/modules.ts

@@ -0,0 +1,13 @@
+
+import { elevate, stab } from '@owlmeans/client-module'
+import { modules as list } from '@owlmeans/auth-common'
+import { CAUTHEN_FLOW_ENTER, DISPATCHER_AUTHEN } from '@owlmeans/auth'
+import type { ClientModule } from '@owlmeans/client-module'
+
+elevate(list, DISPATCHER_AUTHEN)
+
+export const modules: ClientModule[] = list as ClientModule[]
+
+export const setupExternalAuthentication = (service: string) => {
+  elevate(list, CAUTHEN_FLOW_ENTER, stab, { routeOptions: { overrides: { service } } })
+}