@pya-platform/auth 0.1.0

package/src/store/passkey-store.ts

@@ -0,0 +1,117 @@
+export interface PasskeyRow {
+  readonly credentialId: string
+  readonly userId: string
+  readonly publicKey: string
+  readonly signCount: number
+  readonly transports: ReadonlyArray<string>
+  readonly label: string | undefined
+  readonly createdAt: number
+  readonly lastUsedAt: number
+  readonly backupEligible: boolean
+  readonly backupState: boolean
+}
+
+interface RawRow {
+  credential_id: string
+  user_id: string
+  public_key: string
+  sign_count: number
+  transports: string | null
+  label: string | null
+  created_at: number
+  last_used_at: number
+  backup_eligible: number
+  backup_state: number
+}
+
+const fromRow = (r: RawRow): PasskeyRow => ({
+  credentialId: r.credential_id,
+  userId: r.user_id,
+  publicKey: r.public_key,
+  signCount: r.sign_count,
+  transports: r.transports === null ? [] : (JSON.parse(r.transports) as string[]),
+  label: r.label ?? undefined,
+  createdAt: r.created_at,
+  lastUsedAt: r.last_used_at,
+  backupEligible: r.backup_eligible === 1,
+  backupState: r.backup_state === 1,
+})
+
+export const findPasskeysByUser = async (
+  db: D1Database,
+  userId: string,
+): Promise<ReadonlyArray<PasskeyRow>> => {
+  const { results } = await db
+    .prepare('SELECT * FROM passkeys WHERE user_id = ?')
+    .bind(userId)
+    .all<RawRow>()
+  return results.map(fromRow)
+}
+
+export const findPasskeyByCredentialId = async (
+  db: D1Database,
+  credentialId: string,
+): Promise<PasskeyRow | undefined> => {
+  const r = await db
+    .prepare('SELECT * FROM passkeys WHERE credential_id = ?')
+    .bind(credentialId)
+    .first<RawRow>()
+  return r === null ? undefined : fromRow(r)
+}
+
+export const insertPasskey = async (
+  db: D1Database,
+  row: Omit<PasskeyRow, 'createdAt' | 'lastUsedAt'>,
+): Promise<void> => {
+  const now = Math.floor(Date.now() / 1000)
+  await db
+    .prepare(
+      `INSERT INTO passkeys
+       (credential_id, user_id, public_key, sign_count, transports, label, created_at, last_used_at, backup_eligible, backup_state)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+    )
+    .bind(
+      row.credentialId,
+      row.userId,
+      row.publicKey,
+      row.signCount,
+      JSON.stringify(row.transports),
+      row.label ?? null,
+      now,
+      now,
+      row.backupEligible ? 1 : 0,
+      row.backupState ? 1 : 0,
+    )
+    .run()
+}
+
+export const updatePasskeyUse = async (
+  db: D1Database,
+  credentialId: string,
+  newSignCount: number,
+): Promise<void> => {
+  const now = Math.floor(Date.now() / 1000)
+  await db
+    .prepare('UPDATE passkeys SET sign_count = ?, last_used_at = ? WHERE credential_id = ?')
+    .bind(newSignCount, now, credentialId)
+    .run()
+}
+
+export const deletePasskey = async (
+  db: D1Database,
+  credentialId: string,
+  userId: string,
+): Promise<void> => {
+  await db
+    .prepare('DELETE FROM passkeys WHERE credential_id = ? AND user_id = ?')
+    .bind(credentialId, userId)
+    .run()
+}
+
+export const countPasskeysByUser = async (db: D1Database, userId: string): Promise<number> => {
+  const r = await db
+    .prepare('SELECT COUNT(*) AS n FROM passkeys WHERE user_id = ?')
+    .bind(userId)
+    .first<{ n: number }>()
+  return r?.n ?? 0
+}

package/src/store/session-store.ts

@@ -0,0 +1,50 @@
+import { type SessionRecord, SessionRecordSchema } from '@pya-platform/shared'
+import * as v from 'valibot'
+
+const SESSION_TTL_SEC = 60 * 60 * 24 * 30
+const SLIDING_LAST_SEEN_MIN_SEC = 60
+
+/** Generate an opaque session id (32 random bytes, base64url). */
+export const newSessionId = (): string => {
+  const bytes = new Uint8Array(32)
+  crypto.getRandomValues(bytes)
+  return btoa(String.fromCharCode(...bytes))
+    .replaceAll('+', '-')
+    .replaceAll('/', '_')
+    .replaceAll('=', '')
+}
+
+export const writeSession = async (
+  kv: KVNamespace,
+  sid: string,
+  record: SessionRecord,
+): Promise<void> => {
+  await kv.put(`sess:${sid}`, JSON.stringify(record), {
+    expirationTtl: SESSION_TTL_SEC,
+  })
+}
+
+export const readSession = async (
+  kv: KVNamespace,
+  sid: string,
+): Promise<SessionRecord | undefined> => {
+  const raw = await kv.get(`sess:${sid}`, { type: 'json' })
+  if (raw === null) return undefined
+  const parsed = v.safeParse(SessionRecordSchema, raw)
+  return parsed.success ? parsed.output : undefined
+}
+
+export const touchSession = async (
+  kv: KVNamespace,
+  sid: string,
+  record: SessionRecord,
+): Promise<void> => {
+  const now = Math.floor(Date.now() / 1000)
+  const shouldWrite = now - record.lastSeen >= SLIDING_LAST_SEEN_MIN_SEC
+  if (!shouldWrite) return
+  await writeSession(kv, sid, { ...record, lastSeen: now })
+}
+
+export const deleteSession = async (kv: KVNamespace, sid: string): Promise<void> => {
+  await kv.delete(`sess:${sid}`)
+}

package/src/webauthn.ts

@@ -0,0 +1,112 @@
+import {
+  type AuthenticationResponseJSON,
+  type AuthenticatorTransportFuture,
+  type PublicKeyCredentialCreationOptionsJSON,
+  type PublicKeyCredentialRequestOptionsJSON,
+  type RegistrationResponseJSON,
+  type VerifiedAuthenticationResponse,
+  type VerifiedRegistrationResponse,
+  generateAuthenticationOptions,
+  generateRegistrationOptions,
+  verifyAuthenticationResponse,
+  verifyRegistrationResponse,
+} from '@simplewebauthn/server'
+import type { PasskeyRow } from './store/passkey-store.ts'
+
+const rpName = 'PyaEats'
+
+const expectedOrigins = (env: Env): ReadonlyArray<string> =>
+  (env.WEBAUTHN_ORIGINS ?? '')
+    .split(',')
+    .map((s) => s.trim())
+    .filter((s) => s.length > 0)
+
+const rpID = (env: Env): string => env.WEBAUTHN_RP_ID ?? 'pyaeats-site.pages.dev'
+
+const base64urlToUint8 = (s: string): Uint8Array<ArrayBuffer> => {
+  const padded = s
+    .replace(/-/g, '+')
+    .replace(/_/g, '/')
+    .padEnd(s.length + ((4 - (s.length % 4)) % 4), '=')
+  const bin = atob(padded)
+  const ab = new ArrayBuffer(bin.length)
+  const buf = new Uint8Array(ab)
+  for (let i = 0; i < bin.length; i += 1) buf[i] = bin.charCodeAt(i)
+  return buf
+}
+
+export const genAuthOptions = async (
+  env: Env,
+  passkeys: ReadonlyArray<PasskeyRow>,
+): Promise<PublicKeyCredentialRequestOptionsJSON> =>
+  generateAuthenticationOptions({
+    rpID: rpID(env),
+    allowCredentials: passkeys.map((p) => ({
+      id: p.credentialId,
+      transports: p.transports as AuthenticatorTransportFuture[],
+    })),
+    userVerification: 'preferred',
+    timeout: 60_000,
+  })
+
+export const genRegOptions = async (
+  env: Env,
+  userId: string,
+  userEmail: string,
+  existing: ReadonlyArray<PasskeyRow>,
+): Promise<PublicKeyCredentialCreationOptionsJSON> =>
+  generateRegistrationOptions({
+    rpName,
+    rpID: rpID(env),
+    userID: new TextEncoder().encode(userId) as Uint8Array<ArrayBuffer>,
+    userName: userEmail,
+    excludeCredentials: existing.map((p) => ({
+      id: p.credentialId,
+      transports: p.transports as AuthenticatorTransportFuture[],
+    })),
+    authenticatorSelection: {
+      residentKey: 'preferred',
+      userVerification: 'preferred',
+    },
+    timeout: 60_000,
+    attestationType: 'none',
+  })
+
+export const verifyAuth = async (
+  env: Env,
+  assertion: AuthenticationResponseJSON,
+  expectedChallenge: string,
+  passkey: PasskeyRow,
+): Promise<VerifiedAuthenticationResponse> =>
+  verifyAuthenticationResponse({
+    response: assertion,
+    expectedChallenge,
+    expectedOrigin: expectedOrigins(env) as string[],
+    expectedRPID: rpID(env),
+    credential: {
+      id: passkey.credentialId,
+      publicKey: base64urlToUint8(passkey.publicKey),
+      counter: passkey.signCount,
+      transports: passkey.transports as AuthenticatorTransportFuture[],
+    },
+    requireUserVerification: false,
+  })
+
+export const verifyReg = async (
+  env: Env,
+  attestation: RegistrationResponseJSON,
+  expectedChallenge: string,
+): Promise<VerifiedRegistrationResponse> =>
+  verifyRegistrationResponse({
+    response: attestation,
+    expectedChallenge,
+    expectedOrigin: expectedOrigins(env) as string[],
+    expectedRPID: rpID(env),
+    requireUserVerification: false,
+  })
+
+export const uint8ToBase64url = (bytes: Uint8Array): string => {
+  let bin = ''
+  for (const b of bytes) bin += String.fromCharCode(b)
+  return btoa(bin).replaceAll('+', '-').replaceAll('/', '_').replaceAll('=', '')
+}

package/tsconfig.json

@@ -0,0 +1,10 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "noEmit": true,
+    "types": ["@cloudflare/workers-types"]
+  },
+  "include": ["src/**/*.ts"]
+}