@prove-identity/prove-auth 2.4.5 → 2.7.0

package/build/lib/index.d.ts

@@ -1,5 +1,6 @@
 import { VERSION } from './proveauth/version';
 import AuthenticatorBuilder, { AuthMessageHandler, DeviceRole, MobileAuthImplementation } from './proveauth/authenticator-builder';
+import DeviceContextOptions, { BuildConfig } from './proveauth/device-context-options';
 import AuthMessage from './proveauth/internal/auth-message';
 import { AuthResponseStatus } from './proveauth/internal/auth-response-status';
 import { LoggerFactory, LogWriter, LogLevel, Logger } from './proveauth/common/logger';
@@ -9,4 +10,5 @@ import Authenticator from './proveauth/authenticator';
 import { PhoneValidationError } from './proveauth/internal/phone-number-input';
 import { OtpError, OtpStartStep, OtpStartInput, OtpStartStepFn, OtpFinishStep, OtpFinishInput, OtpFinishStepFn, OtpFinishResult, OtpFinishResultType } from './proveauth/otp';
 import { InstantLinkStartInput, InstantLinkStartStep, InstantLinkStartStepFn } from './proveauth/instantlink';
-export { VERSION, AuthFinishStep, AuthFinishStepFn, AuthFinishStepInput, Authenticator, AuthenticatorBuilder, AuthMessage, AuthMessageHandler, AuthResponseStatus, CancelablePromise, DeviceRole, InstantLinkStartStep, InstantLinkStartInput, InstantLinkStartStepFn, Logger, LoggerFactory, LogLevel, LogWriter, MobileAuthImplementation, OtpFinishStep, OtpFinishInput, OtpFinishResult, OtpFinishStepFn, OtpFinishResultType, OtpStartStep, OtpStartInput, OtpStartStepFn, OtpError, PhoneValidationError, };
+import UserConsentStep, { UserConsentOutput, UserConsentStepFn } from './proveauth/user-consent-step';
+export { VERSION, AuthFinishStep, AuthFinishStepFn, AuthFinishStepInput, Authenticator, AuthenticatorBuilder, AuthMessage, AuthMessageHandler, AuthResponseStatus, CancelablePromise, DeviceRole, InstantLinkStartStep, InstantLinkStartInput, InstantLinkStartStepFn, Logger, LoggerFactory, LogLevel, LogWriter, MobileAuthImplementation, OtpFinishStep, OtpFinishInput, OtpFinishResult, OtpFinishStepFn, OtpFinishResultType, OtpStartStep, OtpStartInput, OtpStartStepFn, OtpError, PhoneValidationError, BuildConfig, DeviceContextOptions, UserConsentStep, UserConsentStepFn, UserConsentOutput, };

package/build/lib/index.js

@@ -26,13 +26,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.PhoneValidationError = exports.OtpError = exports.OtpFinishResultType = exports.MobileAuthImplementation = exports.LogLevel = exports.LoggerFactory = exports.DeviceRole = exports.CancelablePromise = exports.AuthResponseStatus = exports.AuthenticatorBuilder = exports.VERSION = void 0;
+exports.BuildConfig = exports.PhoneValidationError = exports.OtpError = exports.OtpFinishResultType = exports.MobileAuthImplementation = exports.LogLevel = exports.LoggerFactory = exports.DeviceRole = exports.CancelablePromise = exports.AuthResponseStatus = exports.AuthenticatorBuilder = exports.VERSION = void 0;
 const version_1 = require("./proveauth/version");
 Object.defineProperty(exports, "VERSION", { enumerable: true, get: function () { return version_1.VERSION; } });
 const authenticator_builder_1 = __importStar(require("./proveauth/authenticator-builder"));
 exports.AuthenticatorBuilder = authenticator_builder_1.default;
 Object.defineProperty(exports, "DeviceRole", { enumerable: true, get: function () { return authenticator_builder_1.DeviceRole; } });
 Object.defineProperty(exports, "MobileAuthImplementation", { enumerable: true, get: function () { return authenticator_builder_1.MobileAuthImplementation; } });
+const device_context_options_1 = require("./proveauth/device-context-options");
+Object.defineProperty(exports, "BuildConfig", { enumerable: true, get: function () { return device_context_options_1.BuildConfig; } });
 const auth_response_status_1 = require("./proveauth/internal/auth-response-status");
 Object.defineProperty(exports, "AuthResponseStatus", { enumerable: true, get: function () { return auth_response_status_1.AuthResponseStatus; } });
 const logger_1 = require("./proveauth/common/logger");

package/build/lib/proveauth/authenticator-builder.d.ts

@@ -5,6 +5,9 @@ import { AuthResponseStatus } from './internal/auth-response-status';
 import Platform from './internal/platform';
 import { OtpFinishStep, OtpFinishStepFn, OtpStartStep, OtpStartStepFn } from './otp';
 import { InstantLinkStartStep, InstantLinkStartStepFn } from './instantlink';
+import type { Region } from '@fingerprintjs/fingerprintjs-pro';
+import DeviceContextOptions, { BuildConfig } from './device-context-options';
+import UserConsentStep, { UserConsentStepFn } from './user-consent-step';
 export type AuthMessageHandler = (message: AuthMessage) => Promise<AuthResponseStatus>;
 export declare enum DeviceRole {
     Primary = 0,
@@ -26,9 +29,12 @@ export default class AuthenticatorBuilder {
     private otpStartStep?;
     private otpFinishStep?;
     private instantLinkStartStep?;
-    private forUPK;
-    private instantLinkTestMode;
+    private upkEnabled;
+    private userConsentStep?;
+    private readonly log;
+    private deviceContextOptions?;
     constructor();
+    withDeviceContext(options: DeviceContextOptions): AuthenticatorBuilder;
     withAuthFinishStep(step: AuthFinishStep | AuthFinishStepFn): AuthenticatorBuilder;
     withDisplayName(displayName: string | (() => string | null) | null): AuthenticatorBuilder;
     withAuthMessageHandler(handler: AuthMessageHandler): AuthenticatorBuilder;
@@ -40,5 +46,9 @@ export default class AuthenticatorBuilder {
     withOtpFallback(startStep: OtpStartStep | OtpStartStepFn, finishStep: OtpFinishStep | OtpFinishStepFn): AuthenticatorBuilder;
     withInstantLinkFallback(startStep: InstantLinkStartStep | InstantLinkStartStepFn): AuthenticatorBuilder;
     withUPKEnabled(): this;
+    withUniversalProveKey(step?: UserConsentStep | UserConsentStepFn): this;
+    getUrlsByBuildConfig(buildConfig?: BuildConfig): [string | undefined, string | undefined];
+    getRegionByBuildConfig(buildConfig?: BuildConfig): Region;
+    private getFpPromiseInstanceFromOptions;
     build(): Authenticator;
 }

package/build/lib/proveauth/authenticator-builder.js

@@ -18,6 +18,9 @@ const device_passive_stepup_step_1 = __importDefault(require("./internal/device-
 const device_universal_step_1 = __importDefault(require("./internal/device-universal-step"));
 const device_universal_redirect_steps_1 = require("./internal/device-universal-redirect-steps");
 const main_authenticator_1 = __importDefault(require("./internal/main-authenticator"));
+const logger_1 = require("./common/logger");
+const settings_1 = __importDefault(require("./internal/settings"));
+const device_context_options_1 = require("./device-context-options");
 var DeviceRole;
 (function (DeviceRole) {
     DeviceRole[DeviceRole["Primary"] = 0] = "Primary";
@@ -32,13 +35,17 @@ class AuthenticatorBuilder {
     constructor() {
         this.role = DeviceRole.Primary;
         this.mobileAuthImplementation = MobileAuthImplementation.Fetch;
-        this.forUPK = false;
-        this.instantLinkTestMode = false;
+        this.upkEnabled = false;
+        this.log = logger_1.LoggerFactory.getLogger('authenticator-builder');
         if (typeof window !== 'undefined') {
             this.storage = window.localStorage;
             this.platform = new web_platform_1.WebPlatform();
         }
     }
+    withDeviceContext(options) {
+        this.deviceContextOptions = options;
+        return this;
+    }
     withAuthFinishStep(step) {
         if (typeof step === 'function') {
             this.authFinishStep = {
@@ -103,18 +110,118 @@ class AuthenticatorBuilder {
         return this;
     }
     withUPKEnabled() {
-        this.forUPK = true;
+        return this.withUniversalProveKey();
+    }
+    withUniversalProveKey(step) {
+        if (!step) {
+            this.userConsentStep = { execute: () => Promise.resolve({ consentGranted: true }) };
+        }
+        else if (typeof step === 'function') {
+            this.userConsentStep = { execute: step };
+        }
+        else {
+            this.userConsentStep = step;
+        }
+        this.upkEnabled = this.userConsentStep != null;
         return this;
     }
+    getUrlsByBuildConfig(buildConfig) {
+        switch (buildConfig) {
+            case device_context_options_1.BuildConfig.US_PROD:
+                return [
+                    device_context_options_1.ProveAuthProxyScriptUrl.DEFAULT_US_PROD_SCRIPT_URL.toString(),
+                    device_context_options_1.ProveAuthProxyEndpoint.DEFAULT_US_PROD_ENDPOINT.toString(),
+                ];
+            case device_context_options_1.BuildConfig.US_UAT:
+                return [
+                    device_context_options_1.ProveAuthProxyScriptUrl.DEFAULT_US_UAT_SCRIPT_URL.toString(),
+                    device_context_options_1.ProveAuthProxyEndpoint.DEFAULT_US_UAT_ENDPOINT.toString(),
+                ];
+            case device_context_options_1.BuildConfig.DEV:
+                this.log.debug("Recommended for Prove's internal testing only, BuildConfig.DEV might need custom endpoint URL and custom script URL values to bypass ad blockers");
+                return [undefined, undefined];
+            default:
+                this.log.warn('Unknown BuildConfig value: ' + buildConfig);
+                return [undefined, undefined];
+        }
+    }
+    getRegionByBuildConfig(buildConfig) {
+        var region;
+        switch (buildConfig) {
+            case device_context_options_1.BuildConfig.DEV:
+            case device_context_options_1.BuildConfig.US_PROD:
+            case device_context_options_1.BuildConfig.US_UAT:
+                region = 'us';
+                break;
+            default:
+                this.log.warn('Unknown BuildConfig value, set Region to default value: us');
+                region = 'us';
+                break;
+        }
+        return region;
+    }
+    getFpPromiseInstanceFromOptions(options) {
+        try {
+            const FingerprintJS = require('@fingerprintjs/fingerprintjs-pro');
+            if (!FingerprintJS) {
+                this.log.debug('fingerprintjs package is not installed or failed to load');
+            }
+            else if (!options) {
+                this.log.warn('Prove Key Persistence feature is not enabled');
+            }
+            else {
+                let region = this.getRegionByBuildConfig(options.buildConfig);
+                let [scriptUrl, endpointUrl] = this.getUrlsByBuildConfig(options.buildConfig);
+                if (options.customScriptUrl && options.customEndpointUrl) {
+                    scriptUrl = options.customScriptUrl;
+                    endpointUrl = options.customEndpointUrl;
+                }
+                const scriptUrlPattern = scriptUrl
+                    ? [
+                        `${scriptUrl}?apiKey=<apiKey>&version=<version>&loaderVersion=<loaderVersion>`,
+                        FingerprintJS.defaultScriptUrlPattern,
+                    ]
+                    : [FingerprintJS.defaultScriptUrlPattern];
+                const endpoint = endpointUrl
+                    ? [`${endpointUrl}?region=${region}`, FingerprintJS.defaultEndpoint]
+                    : [FingerprintJS.defaultEndpoint];
+                const fpPromise = FingerprintJS.load({
+                    apiKey: options.publicApiKey,
+                    endpoint: endpoint,
+                    scriptUrlPattern: scriptUrlPattern,
+                    region: region,
+                });
+                const status = fpPromise ? 'successfully' : 'unsuccessfully with null instance';
+                this.log.trace(`Instantiating FingerprintJS ${status}`);
+                return fpPromise;
+            }
+        }
+        catch (error) {
+            this.log.trace('FingerprintJS is not installed or failed to load', error);
+        }
+    }
     build() {
+        var _a;
+        if (!this.platform) {
+            throw new Error('Implementation of Platform is required');
+        }
+        if (!this.storage) {
+            throw new Error('Implementation of Storage is required');
+        }
+        const fpPromise = this.getFpPromiseInstanceFromOptions(this.deviceContextOptions);
+        if (fpPromise) {
+            (_a = this.platform) === null || _a === void 0 ? void 0 : _a.setFpPromise(fpPromise);
+        }
+        const settings = new settings_1.default(this.storage);
+        settings.upkEnabled = this.upkEnabled;
         if (this.role === DeviceRole.Primary) {
-            return new main_authenticator_1.default(this.platform, this.storage, this.authFinishStep, [
-                new device_universal_step_1.default(this.forUPK),
+            return new main_authenticator_1.default(this.platform, settings, this.authFinishStep, [
+                new device_universal_step_1.default(this.upkEnabled),
                 new device_universal_redirect_steps_1.DeviceUniversalRedirectExchangeStep(),
                 new device_universal_redirect_steps_1.DeviceUniversalRedirectFinishStep(),
                 new device_passive_step_1.default(this.getDisplayName, this.role),
                 new device_passive_stepup_step_1.default(this.getDisplayName),
-                new device_passive_silent_step_1.default(this.forUPK),
+                new device_passive_silent_step_1.default(this.upkEnabled, this.userConsentStep),
                 new device_passive_register_step_1.default(),
                 new device_passive_verify_step_1.default(),
                 new mobile_instant_step_1.default(this.mobileAuthImplementation, this.getDeviceIp),
@@ -125,7 +232,7 @@ class AuthenticatorBuilder {
             ]);
         }
         else {
-            return new main_authenticator_1.default(this.platform, this.storage, this.authFinishStep, [
+            return new main_authenticator_1.default(this.platform, settings, this.authFinishStep, [
                 new device_passive_step_1.default(this.getDisplayName, this.role),
                 new mobile_instant_step_1.default(this.mobileAuthImplementation, this.getDeviceIp),
                 new mobile_instantlink_step_1.default(this.instantLinkStartStep, this.getDeviceIp),

package/build/lib/proveauth/device-context-options.d.ts

@@ -0,0 +1,19 @@
+export declare enum ProveAuthProxyScriptUrl {
+    DEFAULT_US_UAT_SCRIPT_URL = "https://upk.uat.prove-auth.proveapis.com/vFqZceQyx8/uqLttozA7q",
+    DEFAULT_US_PROD_SCRIPT_URL = "https://upk.prove-auth.proveapis.com/vf82rhgDRK/r4VnwuwPUd"
+}
+export declare enum ProveAuthProxyEndpoint {
+    DEFAULT_US_UAT_ENDPOINT = "https://upk.uat.prove-auth.proveapis.com/vFqZceQyx8/bt9xhGAgQw",
+    DEFAULT_US_PROD_ENDPOINT = "https://upk.prove-auth.proveapis.com/vf82rhgDRK/ePaZsNne4X"
+}
+export declare enum BuildConfig {
+    DEV = "DEV",
+    US_UAT = "US_UAT",
+    US_PROD = "US_PROD"
+}
+export default interface DeviceContextOptions {
+    readonly buildConfig: BuildConfig;
+    readonly publicApiKey: string;
+    readonly customScriptUrl?: string;
+    readonly customEndpointUrl?: string;
+}

package/build/lib/proveauth/device-context-options.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BuildConfig = exports.ProveAuthProxyEndpoint = exports.ProveAuthProxyScriptUrl = void 0;
+var ProveAuthProxyScriptUrl;
+(function (ProveAuthProxyScriptUrl) {
+    ProveAuthProxyScriptUrl["DEFAULT_US_UAT_SCRIPT_URL"] = "https://upk.uat.prove-auth.proveapis.com/vFqZceQyx8/uqLttozA7q";
+    ProveAuthProxyScriptUrl["DEFAULT_US_PROD_SCRIPT_URL"] = "https://upk.prove-auth.proveapis.com/vf82rhgDRK/r4VnwuwPUd";
+})(ProveAuthProxyScriptUrl = exports.ProveAuthProxyScriptUrl || (exports.ProveAuthProxyScriptUrl = {}));
+var ProveAuthProxyEndpoint;
+(function (ProveAuthProxyEndpoint) {
+    ProveAuthProxyEndpoint["DEFAULT_US_UAT_ENDPOINT"] = "https://upk.uat.prove-auth.proveapis.com/vFqZceQyx8/bt9xhGAgQw";
+    ProveAuthProxyEndpoint["DEFAULT_US_PROD_ENDPOINT"] = "https://upk.prove-auth.proveapis.com/vf82rhgDRK/ePaZsNne4X";
+})(ProveAuthProxyEndpoint = exports.ProveAuthProxyEndpoint || (exports.ProveAuthProxyEndpoint = {}));
+var BuildConfig;
+(function (BuildConfig) {
+    BuildConfig["DEV"] = "DEV";
+    BuildConfig["US_UAT"] = "US_UAT";
+    BuildConfig["US_PROD"] = "US_PROD";
+})(BuildConfig = exports.BuildConfig || (exports.BuildConfig = {}));

package/build/lib/proveauth/internal/auth-request.d.ts

@@ -32,6 +32,7 @@ export interface V1ClientDeviceFido2RegisterFinish {
     deviceName: string;
     deviceCapabilities: string[];
     registrations: AuthRegistration[];
+    signals?: Signals;
 }
 export interface V1ClientDeviceFido2VerifyStart {
     deviceId: string;
@@ -50,16 +51,19 @@ export interface WebAuthnAssertion {
 }
 export interface V1ClientDeviceFido2VerifyFinish {
     webAuthnAssertion: WebAuthnAssertion;
+    signals?: Signals;
 }
 export interface V1ClientDevicePassiveRegister {
     deviceName: string;
     deviceCapabilities: string[];
     registrations: PassiveRegistration[];
+    signals?: Signals;
 }
 export interface V1ClientDevicePassiveVerify {
     deviceId: string;
     keyId: string;
     signature: string;
+    signals?: Signals;
 }
 export interface V1ClientUserResponse {
     response: AuthResponseStatus;
@@ -88,3 +92,11 @@ export interface V1ClientOtpStart {
 export interface V1ClientOtpFinish {
     otp: string;
 }
+export interface Signals {
+    fingerprint?: Signal;
+    darwinium?: Signal;
+}
+export interface Signal {
+    results?: string;
+    error?: string;
+}

package/build/lib/proveauth/internal/auth-response.d.ts

@@ -16,6 +16,7 @@ export interface RegisterStartAuthResponse extends AuthResponse {
 }
 export interface RegisterFinishAuthResponseData {
     deviceId: string;
+    passkey: boolean;
 }
 export interface RegisterFinishAuthResponse extends AuthResponse {
     data: RegisterFinishAuthResponseData;

package/build/lib/proveauth/internal/auth-session.d.ts

@@ -1,6 +1,6 @@
 /// <reference types="webappsec-credential-management" />
 import AuthMessage from './auth-message';
-import { AuthRequest } from './auth-request';
+import { AuthRequest, Signal } from './auth-request';
 import AuthResponse from './auth-response';
 import AuthTokenClaims, { UserVerificationLevel } from './auth-token-claims';
 import { DeviceRegistration } from './device-auth';
@@ -13,20 +13,25 @@ export default class AuthSession implements AuthSessionIntegration {
     readonly settings: Settings;
     readonly requestSigner: RequestSigner;
     readonly channels: Set<MessageChannel>;
-    lastStep: string | null;
-    credential: CredentialType | null;
-    authMessage: AuthMessage | null;
-    uvLevel: UserVerificationLevel | null;
-    backendUrlOverride: string | null;
+    private readonly log;
+    lastStep?: string;
+    credential?: CredentialType;
+    authMessage?: AuthMessage;
+    uvLevel?: UserVerificationLevel;
+    backendOriginOverride?: string;
     get namespace(): string;
-    get backendUrl(): string;
+    get backendOrigin(): string;
+    set backendOrigin(backendOrigin: string);
     get authId(): string;
     get challenge(): string;
     get next(): string;
     constructor(settings: Settings, platform: Platform, authToken?: string);
     fetchFromBackend(query: string, body: AuthRequest): Promise<AuthResponse>;
-    createMessageChannel(endpointPath: string, onClose: () => void, onError: (message: string) => void, onMessage: (data: string) => void): MessageChannel;
+    createMessageChannel(query: string, onClose: () => void, onError: (message: string) => void, onMessage: (data: string) => void): MessageChannel;
     closeAllMessageChannels(): void;
     getDeviceRegistration(): Promise<DeviceRegistration | null>;
+    embedFpResultToDeviceRegistration(registration: DeviceRegistration): Promise<DeviceRegistration>;
+    getFingerprintData(): Promise<Signal | undefined>;
+    shouldCollectFP(): boolean;
     private parseJwt;
 }

package/build/lib/proveauth/internal/auth-session.js

@@ -12,9 +12,12 @@ class AuthSession {
         var _a;
         return ((_a = this.claims) === null || _a === void 0 ? void 0 : _a.auth.ans) || this.settings.namespace;
     }
-    get backendUrl() {
+    get backendOrigin() {
         var _a;
-        return ((_a = this.claims) === null || _a === void 0 ? void 0 : _a.auth.endp) || this.backendUrlOverride;
+        return this.backendOriginOverride || ((_a = this.claims) === null || _a === void 0 ? void 0 : _a.auth.endp);
+    }
+    set backendOrigin(backendOrigin) {
+        this.backendOriginOverride = backendOrigin;
     }
     get authId() {
         var _a;
@@ -31,11 +34,7 @@ class AuthSession {
     constructor(settings, platform, authToken) {
         var _a, _b;
         this.channels = new Set();
-        this.lastStep = null;
-        this.credential = null;
-        this.authMessage = null;
-        this.uvLevel = null;
-        this.backendUrlOverride = null;
+        this.log = logger_1.LoggerFactory.getLogger('auth-session');
         this.platform = platform;
         this.authToken = authToken;
         this.settings = settings;
@@ -73,7 +72,7 @@ class AuthSession {
                     headers.set('PA-Signature', signature.signature);
                 }
                 this.platform
-                    .fetch(this.backendUrl + query, {
+                    .fetch(this.backendOrigin + query, {
                     mode: 'cors',
                     method: method,
                     headers: headers,
@@ -94,41 +93,56 @@ class AuthSession {
                 .catch(reject);
         });
     }
-    createMessageChannel(endpointPath, onClose, onError, onMessage) {
+    createMessageChannel(query, onClose, onError, onMessage) {
         if (!this.authToken) {
             throw new Error('Authentication token is not initialized, cannot create MessageChannel');
         }
         const KEEP_ALIVE_INTERVAL = 30000;
-        const endpoint = this.backendUrl.replace(/^http/, 'ws');
-        const channel = this.platform.createMessageChannel(endpoint + endpointPath);
-        const log = logger_1.LoggerFactory.getLogger('web-message-channel');
+        const endpoint = this.backendOrigin.replace(/^http/, 'ws');
+        const channel = this.platform.createMessageChannel(endpoint + query);
+        var pongReceived = true;
         const keepAlive = setInterval(() => {
-            log.trace('Sending keep-alive message');
-            channel.send('');
-        }, KEEP_ALIVE_INTERVAL);
-        channel.addEventListener('close', (_) => {
-            if (keepAlive) {
+            if (pongReceived) {
+                this.log.trace('Sending ping message');
+                pongReceived = false;
+                channel.send('ping');
+            }
+            else {
+                this.log.error('Failed to receive ping response in time, closing the channel');
                 clearInterval(keepAlive);
+                channel.close();
+                onError('Channel communication stalled');
+                this.channels.delete(channel);
             }
+        }, KEEP_ALIVE_INTERVAL);
+        channel.addEventListener('close', (_) => {
+            clearInterval(keepAlive);
             onClose();
             this.channels.delete(channel);
         });
         channel.addEventListener('error', (event) => {
+            clearInterval(keepAlive);
             if ('message' in event) {
                 onError(event['message']);
             }
             else {
                 onError(event.toString());
             }
+            this.channels.delete(channel);
         });
         channel.addEventListener('message', (event) => {
             if ('origin' in event && event['origin'] !== endpoint) {
                 onError('Unexpected origin');
             }
             else {
-                var data = event.data;
+                const data = event.data;
                 if (data && typeof data === 'string') {
-                    onMessage(data);
+                    if (data === 'pong') {
+                        pongReceived = true;
+                    }
+                    else {
+                        onMessage(data);
+                    }
                 }
                 else {
                     onMessage(event.toString());
@@ -150,13 +164,76 @@ class AuthSession {
                 .getRegistration(this.namespace)
                 .then((registration) => {
                 if (registration) {
-                    this.backendUrlOverride = registration === null || registration === void 0 ? void 0 : registration.endpoint;
+                    if (!this.backendOriginOverride) {
+                        this.backendOriginOverride = registration.endpoint;
+                        this.log.debug('backend URL overridden with ' + this.backendOriginOverride);
+                    }
+                    else {
+                        this.log.debug('Not overriding backend URL since it has been already set');
+                    }
                 }
                 resolve(registration);
             })
                 .catch(reject);
         });
     }
+    embedFpResultToDeviceRegistration(registration) {
+        return new Promise((resolve) => {
+            this.getFingerprintData()
+                .then((result) => {
+                if (result) {
+                    registration.setFpSignal(result);
+                }
+                resolve(registration);
+            })
+                .catch((error) => {
+                const errorMsg = `Unexpected error happened during Fingerprint data collection: ${error.toString}`;
+                this.log.warn(errorMsg);
+                registration.setFpSignal({ error: errorMsg });
+            });
+        });
+    }
+    getFingerprintData() {
+        return new Promise((resolve) => {
+            var fpPromise = this.platform.getFpPromise();
+            if (!this.shouldCollectFP()) {
+                this.log.debug('Fingerprint is not enabled from AuthToken');
+                resolve(undefined);
+            }
+            else if (!fpPromise) {
+                const msg = 'Found null instance of Fingerprint, check if your input API key is valid';
+                this.log.warn(msg);
+                resolve({ error: msg });
+            }
+            else {
+                fpPromise
+                    .then((fp) => fp.get())
+                    .then((result) => {
+                    if (result.sealedResult) {
+                        this.log.debug(`FP result: ${result.sealedResult}`);
+                        resolve({ results: result.sealedResult });
+                    }
+                    else {
+                        const msg = 'Cannot found sealed result in Fingerprint returned payload';
+                        this.log.warn(msg);
+                        resolve({ error: msg });
+                    }
+                })
+                    .catch((error) => {
+                    const msg = `Error in collecting Fingerprint data: ${error.toString}`;
+                    this.log.warn(msg);
+                    resolve({ error: msg });
+                });
+            }
+        });
+    }
+    shouldCollectFP() {
+        var _a, _b, _c;
+        if ((_c = (_b = (_a = this.claims) === null || _a === void 0 ? void 0 : _a.auth.subs.dev) === null || _b === void 0 ? void 0 : _b.sgnls) === null || _c === void 0 ? void 0 : _c.fpt) {
+            return true;
+        }
+        return false;
+    }
     parseJwt(token) {
         return JSON.parse(atob(token.split('.')[1]));
     }

package/build/lib/proveauth/internal/auth-token-claims.d.ts

@@ -27,8 +27,12 @@ export interface Authenticators {
     otp?: OtpAuthenticator;
     unvsl?: UniversalAuthenticator;
 }
+export interface Signals {
+    fpt?: boolean;
+}
 export interface DeviceAuthSubjectClaim {
     auths: Authenticators;
+    sgnls?: Signals;
 }
 export interface MobileAuthSubjectClaim {
     auths: Authenticators;

package/build/lib/proveauth/internal/device-auth.d.ts

@@ -1,4 +1,4 @@
-import { AuthRegistration } from './auth-request';
+import { AuthRegistration, Signal, Signals } from './auth-request';
 export interface DeviceRegistrationOptions {
     namespace: string;
     endpoint: string;
@@ -9,9 +9,12 @@ export interface DeviceRegistration {
     readonly algorithm: string;
     readonly endpoint: string;
     deviceId: string | null;
+    fingerprint?: Signal;
     sign: (data: string) => Promise<string>;
     getPublicKey: () => Promise<string>;
     getAuthRegistration: (challenge: string) => Promise<AuthRegistration>;
+    setFpSignal: (fpSignal: Signal) => void;
+    getSignals: () => Signals | undefined;
 }
 export default interface DeviceAuth {
     createRegistration: (options: DeviceRegistrationOptions) => Promise<DeviceRegistration>;

package/build/lib/proveauth/internal/device-passive-register-step.js

@@ -18,23 +18,23 @@ class DevicePassiveRegisterStep {
                 .getDeviceRegistration()
                 .then((devRegistration) => {
                 if (devRegistration) {
-                    this.finishRegistration(session, [this.getFido2Registration(session)])
-                        .then(resolve)
-                        .catch(reject);
+                    session.embedFpResultToDeviceRegistration(devRegistration).then((devRegistration) => {
+                        this.finishRegistration(session, [this.getFido2Registration(session)], devRegistration.getSignals())
+                            .then(resolve)
+                            .catch(reject);
+                    });
                 }
                 else {
                     session.platform.deviceAuth
                         .createRegistration({
                         namespace: session.namespace,
-                        endpoint: session.backendUrl,
+                        endpoint: session.backendOrigin,
                     })
+                        .then((devRegistration) => session.embedFpResultToDeviceRegistration(devRegistration))
                         .then((devRegistration) => {
                         devRegistration
                             .getAuthRegistration(session.challenge)
-                            .then((authRegistration) => this.finishRegistration(session, [
-                            this.getFido2Registration(session),
-                            authRegistration,
-                        ]))
+                            .then((authRegistration) => this.finishRegistration(session, [this.getFido2Registration(session), authRegistration], devRegistration.getSignals()))
                             .then((next) => {
                             devRegistration.deviceId = session.settings.deviceId;
                             session.platform.deviceAuth
@@ -50,13 +50,14 @@ class DevicePassiveRegisterStep {
                 .catch(reject);
         });
     }
-    finishRegistration(session, registrations) {
+    finishRegistration(session, registrations, signals) {
         return new Promise((resolve, reject) => {
             session
                 .fetchFromBackend('/v1/client/device/fido2/register/finish', {
                 deviceName: session.platform.getPlatformName(),
                 deviceCapabilities: session.platform.getDeviceCapabilities(),
                 registrations: registrations,
+                signals: signals,
             })
                 .then((response) => {
                 if (response.error) {

package/build/lib/proveauth/internal/device-passive-silent-step.d.ts

@@ -1,11 +1,13 @@
 import AuthSession from './auth-session';
 import AuthStep from './auth-step';
+import UserConsentStep from '../user-consent-step';
 export default class DevicePassiveSilentStep implements AuthStep {
     static readonly NAME = "device/passive/silent";
-    private readonly log;
     readonly name = "device/passive/silent";
-    private forUPK;
-    constructor(forUPK: boolean);
+    private readonly log;
+    private readonly forUPK;
+    private readonly userConsentStep;
+    constructor(forUPK: boolean, userConsentStep?: UserConsentStep);
     execute(session: AuthSession): Promise<string>;
     private getBackendRegisterEndpoint;
     private getBackendVerifyEndpoint;