@passlock/client 0.9.0

package/src/registration/register.test.ts

@@ -0,0 +1,247 @@
+import { Duplicate, InternalBrowserError } from '@passlock/shared/dist/error/error'
+import { type RouterOps, RpcClient } from '@passlock/shared/dist/rpc/rpc'
+import { Effect as E, Layer as L, Layer, LogLevel, Logger, pipe } from 'effect'
+import { describe, expect, test, vi } from 'vitest'
+import { mock } from 'vitest-mock-extended'
+import { CreateCredential, RegistrationService, RegistrationServiceLive } from './register'
+import * as Fixture from './register.fixture'
+import { UserService } from '../user/user'
+
+
+describe('register should', () => {
+  test('return a valid credential', async () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(RegistrationService)
+      const result = yield* _(service.registerPasskey(Fixture.registrationRequest))
+      expect(result).toEqual(Fixture.principal)
+    })
+
+    const service = pipe(
+      RegistrationServiceLive,
+      L.provide(Fixture.createCredentialTest),
+      L.provide(Fixture.userServiceTest),
+      L.provide(Fixture.capabilitiesTest),
+      L.provide(Fixture.storageServiceTest),
+      L.provide(Fixture.rpcClientTest),
+    )
+
+    const effect = pipe(E.provide(assertions, service), Logger.withMinimumLogLevel(LogLevel.None))
+
+    return E.runPromise(effect)
+  })
+
+  test('check if the user is already registered', async () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(RegistrationService)
+      yield* _(service.registerPasskey(Fixture.registrationRequest))
+
+      const userService = yield* _(UserService)
+      expect(userService.isExistingUser).toHaveBeenCalled()
+    })
+
+    const userServiceTest = L.effect(
+      UserService,
+      E.sync(() => {
+        const userMock = mock<UserService>()
+
+        userMock.isExistingUser.mockReturnValue(E.succeed(false))
+
+        return userMock
+      }),
+    )
+
+    const service = pipe(
+      RegistrationServiceLive,
+      L.provide(Fixture.createCredentialTest),
+      L.provide(Fixture.capabilitiesTest),
+      L.provide(Fixture.storageServiceTest),
+      L.provide(Fixture.rpcClientTest),
+      L.provide(userServiceTest),
+    )
+
+    const layers = Layer.merge(service, userServiceTest)
+    const effect = pipe(E.provide(assertions, layers), Logger.withMinimumLogLevel(LogLevel.None))
+
+    return E.runPromise(effect)
+  })
+
+  test('pass the registration data to the backend', async () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(RegistrationService)
+      yield* _(service.registerPasskey(Fixture.registrationRequest))
+
+      const rpcClient = yield* _(RpcClient)
+      expect(rpcClient.getRegistrationOptions).toHaveBeenCalledWith(Fixture.optionsReq)
+    })
+
+    const rpcClientTest = L.effect(
+      RpcClient,
+      E.sync(() => {
+        const rpcMock = mock<RouterOps>()
+
+        rpcMock.getRegistrationOptions.mockReturnValue(E.succeed(Fixture.optionsRes))
+        rpcMock.verifyRegistrationCredential.mockReturnValue(E.succeed(Fixture.verificationRes))
+
+        return rpcMock
+      }),
+    )
+
+    const service = pipe(
+      RegistrationServiceLive,
+      L.provide(Fixture.createCredentialTest),
+      L.provide(Fixture.capabilitiesTest),
+      L.provide(Fixture.storageServiceTest),
+      L.provide(Fixture.userServiceTest),
+      L.provide(rpcClientTest),
+    )
+
+    const layers = Layer.merge(service, rpcClientTest)
+    const effect = pipe(E.provide(assertions, layers), Logger.withMinimumLogLevel(LogLevel.None))
+
+    return E.runPromise(effect)
+  })
+
+  test('send the new credential to the backend', async () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(RegistrationService)
+      yield* _(service.registerPasskey(Fixture.registrationRequest))
+
+      const rpcClient = yield* _(RpcClient)
+      expect(rpcClient.verifyRegistrationCredential).toHaveBeenCalledWith(Fixture.verificationReq)
+    })
+
+    const rpcClientTest = L.effect(
+      RpcClient,
+      E.sync(() => {
+        const rpcMock = mock<RouterOps>()
+
+        rpcMock.getRegistrationOptions.mockReturnValue(E.succeed(Fixture.optionsRes))
+        rpcMock.verifyRegistrationCredential.mockReturnValue(E.succeed(Fixture.verificationRes))
+
+        return rpcMock
+      }),
+    )
+
+    const service = pipe(
+      RegistrationServiceLive,
+      L.provide(Fixture.createCredentialTest),
+      L.provide(Fixture.capabilitiesTest),
+      L.provide(Fixture.storageServiceTest),
+      L.provide(Fixture.userServiceTest),
+      L.provide(rpcClientTest),
+    )
+
+    const layers = Layer.merge(service, rpcClientTest)
+    const effect = pipe(E.provide(assertions, layers), Logger.withMinimumLogLevel(LogLevel.None))
+
+    return E.runPromise(effect)
+  })
+
+  test('short-circuit if the user is already registered', async () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(RegistrationService)
+
+      const error = yield* _(service.registerPasskey(Fixture.registrationRequest), E.flip)
+
+      expect(error).toBeInstanceOf(Duplicate)
+    })
+
+    const userServiceTest = L.effect(
+      UserService,
+      E.sync(() => {
+        const userMock = mock<UserService>()
+
+        userMock.isExistingUser.mockReturnValue(E.succeed(true))
+
+        return userMock
+      }),
+    )
+
+    const service = pipe(
+      RegistrationServiceLive,
+      L.provide(Fixture.createCredentialTest),
+      L.provide(Fixture.capabilitiesTest),
+      L.provide(Fixture.storageServiceTest),
+      L.provide(Fixture.rpcClientTest),
+      L.provide(userServiceTest),
+    )
+
+    const layers = Layer.merge(service, userServiceTest)
+    const effect = pipe(E.provide(assertions, layers), Logger.withMinimumLogLevel(LogLevel.None))
+
+    return E.runPromise(effect)
+  })
+
+  test('return an error if we try to re-register a credential', async () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(RegistrationService)
+
+      const defect = yield* _(service.registerPasskey(Fixture.registrationRequest), E.flip)
+
+      expect(defect).toBeInstanceOf(Duplicate)
+    })
+
+    const createTest = L.effect(
+      CreateCredential,
+      E.sync(() => {
+        const createTest = vi.fn()
+
+        createTest.mockReturnValue(E.fail(new Duplicate({ message: 'boom!' })))
+
+        return createTest
+      }),
+    )
+
+    const service = pipe(
+      RegistrationServiceLive,
+      L.provide(Fixture.userServiceTest),
+      L.provide(Fixture.capabilitiesTest),
+      L.provide(Fixture.storageServiceTest),
+      L.provide(Fixture.rpcClientTest),
+      L.provide(createTest),
+    )
+
+    const layers = Layer.merge(service, createTest)
+    const effect = pipe(E.provide(assertions, layers), Logger.withMinimumLogLevel(LogLevel.None))
+
+    return E.runPromise(effect)
+  })
+
+  test("throw an error if the browser can't create a credential", async () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(RegistrationService)
+
+      const defect = yield* _(
+        service.registerPasskey(Fixture.registrationRequest),
+        E.catchAllDefect(defect => E.succeed(defect)),
+      )
+
+      expect(defect).toBeInstanceOf(InternalBrowserError)
+    })
+
+    const createTest = L.effect(
+      CreateCredential,
+      E.sync(() => {
+        const createTest = vi.fn()
+
+        createTest.mockReturnValue(E.fail(new InternalBrowserError({ message: 'boom!' })))
+
+        return createTest
+      }),
+    )
+
+    const service = pipe(
+      RegistrationServiceLive,
+      L.provide(Fixture.userServiceTest),
+      L.provide(Fixture.capabilitiesTest),
+      L.provide(Fixture.storageServiceTest),
+      L.provide(Fixture.rpcClientTest),
+      L.provide(createTest),
+    )
+
+    const layers = Layer.merge(service, createTest)
+    const effect = pipe(E.provide(assertions, layers), Logger.withMinimumLogLevel(LogLevel.None))
+
+    return E.runPromise(effect)
+  })
+})

package/src/registration/register.ts

@@ -0,0 +1,178 @@
+/**
+ * User & passkey registration effects
+ */
+import {
+  type CredentialCreationOptionsJSON,
+  parseCreationOptionsFromJSON,
+} from '@github/webauthn-json/browser-ponyfill'
+import type { NotSupported } from '@passlock/shared/dist/error/error';
+import { Duplicate, InternalBrowserError } from '@passlock/shared/dist/error/error'
+import type {
+  OptionsErrors,
+  VerificationErrors} from '@passlock/shared/dist/rpc/registration';
+import {
+  OptionsReq,
+  VerificationReq,
+} from '@passlock/shared/dist/rpc/registration'
+import { RpcClient } from '@passlock/shared/dist/rpc/rpc'
+import type {
+  Principal,
+  RegistrationCredential,
+  UserVerification,
+  VerifyEmail,
+} from '@passlock/shared/dist/schema/schema'
+import { Context, Effect as E, Layer, flow, pipe } from 'effect'
+import { Capabilities } from '../capabilities/capabilities'
+import { StorageService } from '../storage/storage'
+import { UserService } from '../user/user'
+
+/* Requests */
+
+export type RegistrationRequest = {
+  email: string
+  firstName: string
+  lastName: string
+  userVerification?: UserVerification
+  verifyEmail?: VerifyEmail
+  redirectUrl?: string
+}
+
+/* Dependencies */
+
+export type CreateCredential = (
+  options: CredentialCreationOptions,
+) => E.Effect<RegistrationCredential, InternalBrowserError | Duplicate>
+export const CreateCredential = Context.GenericTag<CreateCredential>('@services/Create')
+
+/* Errors */
+
+export type RegistrationErrors = NotSupported | OptionsErrors | VerificationErrors
+
+/* Service */
+
+export type RegistrationService = {
+  registerPasskey: (request: RegistrationRequest) => E.Effect<Principal, RegistrationErrors>
+}
+
+export const RegistrationService = Context.GenericTag<RegistrationService>(
+  '@services/RegistrationService',
+)
+
+/* Utilities */
+
+const fetchOptions = (req: OptionsReq) => {
+  return E.gen(function* (_) {
+    yield* _(E.logDebug('Making request'))
+
+    const rpcClient = yield* _(RpcClient)
+    const { publicKey, session } = yield* _(rpcClient.getRegistrationOptions(req))
+
+    yield* _(E.logDebug('Converting Passlock options to CredentialCreationOptions'))
+    const options = yield* _(toCreationOptions({ publicKey }))
+
+    return { options, session }
+  })
+}
+
+const toCreationOptions = (jsonOptions: CredentialCreationOptionsJSON) => {
+  return pipe(
+    E.try(() => parseCreationOptionsFromJSON(jsonOptions)),
+    E.mapError(
+      error =>
+        new InternalBrowserError({
+          message: 'Browser was unable to create credential creation options',
+          detail: String(error.error),
+        }),
+    ),
+  )
+}
+
+const verifyCredential = (req: VerificationReq) => {
+  return E.gen(function* (_) {
+    yield* _(E.logDebug('Making request'))
+
+    const rpcClient = yield* _(RpcClient)
+    const { principal } = yield* _(rpcClient.verifyRegistrationCredential(req))
+
+    return principal
+  })
+}
+
+const isNewUser = (email: string) => {
+  return pipe(
+    UserService,
+    E.flatMap(service => service.isExistingUser({ email })),
+    E.catchTag('BadRequest', () => E.unit),
+    E.flatMap(isExistingUser => {
+      return isExistingUser
+        ? new Duplicate({ message: 'User already has a passkey registered' })
+        : E.unit
+    }),
+  )
+}
+
+/* Effects */
+
+type Dependencies = Capabilities | CreateCredential | StorageService | UserService | RpcClient
+
+export const registerPasskey = (
+  request: RegistrationRequest,
+): E.Effect<Principal, RegistrationErrors, Dependencies> => {
+  const effect = E.gen(function* (_) {
+    yield* _(E.logInfo('Checking if browser supports Passkeys'))
+    const capabilities = yield* _(Capabilities)
+    yield* _(capabilities.passkeySupport)
+
+    yield* _(E.logInfo('Checking if already registered'))
+    yield* _(isNewUser(request.email))
+
+    yield* _(E.logInfo('Fetching registration options from Passlock'))
+    const { options, session } = yield* _(fetchOptions(new OptionsReq(request)))
+
+    yield* _(E.logInfo('Building new credential'))
+    const createCredential = yield* _(CreateCredential)
+    const credential = yield* _(createCredential(options))
+
+    yield* _(E.logInfo('Storing credential public key in Passlock'))
+    const verificationRequest = new VerificationReq({
+      ...request,
+      credential,
+      session,
+    })
+
+    const principal = yield* _(verifyCredential(verificationRequest))
+
+    const storageService = yield* _(StorageService)
+    yield* _(storageService.storeToken(principal))
+    yield* _(E.logDebug('Storing token in local storage'))
+
+    yield* _(E.logDebug('Defering local token deletion'))
+    const delayedClearTokenE = pipe(
+      storageService.clearExpiredToken('passkey'),
+      E.delay('6 minutes'),
+      E.fork,
+    )
+    yield* _(delayedClearTokenE)
+
+    return principal
+  })
+
+  return E.catchTag(effect, 'InternalBrowserError', e => E.die(e))
+}
+
+/* Live */
+
+/* v8 ignore start */
+export const RegistrationServiceLive = Layer.effect(
+  RegistrationService,
+  E.gen(function* (_) {
+    const context = yield* _(
+      E.context<CreateCredential | RpcClient | Capabilities | StorageService | UserService>(),
+    )
+
+    return RegistrationService.of({
+      registerPasskey: flow(registerPasskey, E.provide(context)),
+    })
+  }),
+)
+/* v8 ignore stop */

package/src/storage/storage.fixture.ts

@@ -0,0 +1,33 @@
+import type { Principal } from '@passlock/shared/dist/schema/schema'
+import { Effect as E, Layer, pipe } from 'effect'
+import { mock } from 'vitest-mock-extended'
+import { Storage, StorageServiceLive } from './storage'
+
+// Frontend receives dates as objects
+export const principal: Principal = {
+  token: 'token',
+  subject: {
+    id: '1',
+    email: 'john.doe@gmail.com',
+    firstName: 'john',
+    lastName: 'doe',
+    emailVerified: false,
+  },
+  authStatement: {
+    authType: 'passkey',
+    userVerified: false,
+    authTimestamp: new Date(0),
+  },
+  expireAt: new Date(100),
+}
+
+const storageTest = Layer.effect(
+  Storage,
+  E.sync(() => mock<Storage>()),
+)
+
+export const testLayers = (storage: Layer.Layer<Storage> = storageTest) => {
+  const storageService = pipe(StorageServiceLive, Layer.provide(storage))
+
+  return Layer.merge(storage, storageService)
+}

package/src/storage/storage.test.ts

@@ -0,0 +1,196 @@
+import { Effect as E, Layer, LogLevel, Logger, identity, pipe } from 'effect'
+import { describe, expect, test } from 'vitest'
+import { mock } from 'vitest-mock-extended'
+import { Storage, StorageService, clearExpiredToken, clearToken, getToken } from './storage'
+import { principal, testLayers } from './storage.fixture'
+
+// eslint chokes on expect(storage.setItem) etc
+/* eslint @typescript-eslint/unbound-method: 0 */
+
+describe('storeToken should', () => {
+  test('set the token in local storage', () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(StorageService)
+      yield* _(service.storeToken(principal))
+
+      const storage = yield* _(Storage)
+      expect(storage.setItem).toHaveBeenCalled()
+    })
+
+    const effect = pipe(
+      E.provide(assertions, testLayers()),
+      Logger.withMinimumLogLevel(LogLevel.None),
+    )
+
+    E.runSync(effect)
+  })
+
+  test('with the key passlock:passkey:token', () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(StorageService)
+      yield* _(service.storeToken(principal))
+
+      const storage = yield* _(Storage)
+      expect(storage.setItem).toHaveBeenCalledWith('passlock:passkey:token', expect.any(String))
+    })
+
+    const effect = pipe(
+      E.provide(assertions, testLayers()),
+      Logger.withMinimumLogLevel(LogLevel.None),
+    )
+
+    E.runSync(effect)
+  })
+
+  test('with the value token:expiry', () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(StorageService)
+      yield* _(service.storeToken(principal))
+
+      const storage = yield* _(Storage)
+      const token = principal.token
+      const expiry = principal.expireAt.getTime()
+      expect(storage.setItem).toHaveBeenCalledWith('passlock:passkey:token', `${token}:${expiry}`)
+    })
+
+    const effect = pipe(
+      E.provide(assertions, testLayers()),
+      Logger.withMinimumLogLevel(LogLevel.None),
+    )
+
+    E.runSync(effect)
+  })
+})
+
+describe('getToken should', () => {
+  test('get the token from local storage', () => {
+    const assertions = E.gen(function* (_) {
+      const service = yield* _(StorageService)
+      yield* _(service.getToken('passkey'))
+
+      const storage = yield* _(Storage)
+      expect(storage.getItem).toHaveBeenCalled()
+      expect(storage.getItem).toHaveBeenCalledWith('passlock:passkey:token')
+    })
+
+    const storageTest = Layer.effect(
+      Storage,
+      E.sync(() => {
+        const mockStorage = mock<Storage>()
+        const expiry = Date.now() + 1000
+        mockStorage.getItem.mockReturnValue(`token:${expiry}`)
+        return mockStorage
+      }),
+    )
+
+    const effect = pipe(
+      E.provide(assertions, testLayers(storageTest)),
+      Logger.withMinimumLogLevel(LogLevel.None),
+    )
+
+    E.runSync(effect)
+  })
+
+  test('filter out expired tokens', () => {
+    const assertions = pipe(
+      getToken('passkey'),
+      E.match({
+        onSuccess: identity,
+        onFailure: () => undefined,
+      }),
+      E.flatMap(result =>
+        E.sync(() => {
+          expect(result).toBeUndefined()
+        }),
+      ),
+    )
+
+    const storageTest = Layer.effect(
+      Storage,
+      E.sync(() => {
+        const mockStorage = mock<Storage>()
+        const expiry = Date.now() - 1000
+        mockStorage.getItem.mockReturnValue(`token:${expiry}`)
+        return mockStorage
+      }),
+    )
+
+    const effect = pipe(
+      E.provide(assertions, testLayers(storageTest)),
+      Logger.withMinimumLogLevel(LogLevel.None),
+    )
+
+    E.runSync(effect)
+  })
+})
+
+describe('clearToken should', () => {
+  test('clear the token in local storage', () => {
+    const assertions = E.gen(function* (_) {
+      const storage = yield* _(Storage)
+      yield* _(clearToken('passkey'))
+      expect(storage.removeItem).toHaveBeenCalledWith('passlock:passkey:token')
+    })
+
+    const effect = pipe(
+      E.provide(assertions, testLayers()),
+      Logger.withMinimumLogLevel(LogLevel.None),
+    )
+
+    E.runSync(effect)
+  })
+})
+
+describe('clearExpiredToken should', () => {
+  test('clear an expired token from local storage', () => {
+    const assertions = E.gen(function* (_) {
+      const storage = yield* _(Storage)
+      yield* _(clearExpiredToken('passkey'))
+      expect(storage.getItem).toHaveBeenCalledWith('passlock:passkey:token')
+      expect(storage.removeItem).toHaveBeenCalledWith('passlock:passkey:token')
+    })
+
+    const storageTest = Layer.effect(
+      Storage,
+      E.sync(() => {
+        const mockStorage = mock<Storage>()
+        const expiry = Date.now() - 1000
+        mockStorage.getItem.mockReturnValue(`token:${expiry}`)
+        return mockStorage
+      }),
+    )
+
+    const effect = pipe(
+      E.provide(assertions, testLayers(storageTest)),
+      Logger.withMinimumLogLevel(LogLevel.None),
+    )
+
+    E.runSync(effect)
+  })
+
+  test('leave a live token in local storage', () => {
+    const assertions = E.gen(function* (_) {
+      const storage = yield* _(Storage)
+      yield* _(clearExpiredToken('passkey'))
+      expect(storage.getItem).toHaveBeenCalledWith('passlock:passkey:token')
+      expect(storage.removeItem).not.toHaveBeenCalled()
+    })
+
+    const storageTest = Layer.effect(
+      Storage,
+      E.sync(() => {
+        const mockStorage = mock<Storage>()
+        const expiry = Date.now() + 1000
+        mockStorage.getItem.mockReturnValue(`token:${expiry}`)
+        return mockStorage
+      }),
+    )
+
+    const effect = pipe(
+      E.provide(assertions, testLayers(storageTest)),
+      Logger.withMinimumLogLevel(LogLevel.None),
+    )
+
+    E.runSync(effect)
+  })
+})