@things-factory/auth-base 7.0.1-rc.7 → 7.0.1-rc.8

package/dist-server/constants/error-code.d.ts

@@ -15,6 +15,6 @@ export declare const PASSWORD_PATTERN_NOT_MATCHED = "password should match the r
 export declare const USER_DUPLICATED = "user duplicated";
 export declare const PASSWORD_USED_PAST = "password used in the past";
 export declare const VERIFICATION_ERROR = "user or verification token not found";
+export declare const AUTHN_VERIFICATION_FAILED = "authn verification failed";
 export declare const USER_CREDENTIAL_NOT_FOUND = "user credential not found";
 export declare const AUTH_ERROR = "auth error";
-export declare const FIDO2_CERT_UNSUPPORTED = "fido2 certificate unsupported";

package/dist-server/constants/error-code.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.FIDO2_CERT_UNSUPPORTED = exports.AUTH_ERROR = exports.USER_CREDENTIAL_NOT_FOUND = exports.VERIFICATION_ERROR = exports.PASSWORD_USED_PAST = exports.USER_DUPLICATED = exports.PASSWORD_PATTERN_NOT_MATCHED = exports.CONFIRM_PASSWORD_NOT_MATCHED = exports.SUBDOMAIN_NOTFOUND = exports.AUTH_INVALID = exports.TOKEN_INVALID = exports.REDIRECT_TO_DEFAULT_DOMAIN = exports.NO_SELECTED_DOMAIN = exports.UNAVAILABLE_DOMAIN = exports.NO_AVAILABLE_DOMAIN = exports.USER_DELETED = exports.USER_LOCKED = exports.USER_NOT_ACTIVATED = exports.PASSWORD_NOT_MATCHED = exports.USER_NOT_FOUND = void 0;
+exports.AUTH_ERROR = exports.USER_CREDENTIAL_NOT_FOUND = exports.AUTHN_VERIFICATION_FAILED = exports.VERIFICATION_ERROR = exports.PASSWORD_USED_PAST = exports.USER_DUPLICATED = exports.PASSWORD_PATTERN_NOT_MATCHED = exports.CONFIRM_PASSWORD_NOT_MATCHED = exports.SUBDOMAIN_NOTFOUND = exports.AUTH_INVALID = exports.TOKEN_INVALID = exports.REDIRECT_TO_DEFAULT_DOMAIN = exports.NO_SELECTED_DOMAIN = exports.UNAVAILABLE_DOMAIN = exports.NO_AVAILABLE_DOMAIN = exports.USER_DELETED = exports.USER_LOCKED = exports.USER_NOT_ACTIVATED = exports.PASSWORD_NOT_MATCHED = exports.USER_NOT_FOUND = void 0;
 exports.USER_NOT_FOUND = 'user not found';
 exports.PASSWORD_NOT_MATCHED = 'password-not-matched';
 exports.USER_NOT_ACTIVATED = 'user not activated';
@@ -18,7 +18,7 @@ exports.PASSWORD_PATTERN_NOT_MATCHED = 'password should match the rule';
 exports.USER_DUPLICATED = 'user duplicated';
 exports.PASSWORD_USED_PAST = 'password used in the past';
 exports.VERIFICATION_ERROR = 'user or verification token not found';
+exports.AUTHN_VERIFICATION_FAILED = 'authn verification failed';
 exports.USER_CREDENTIAL_NOT_FOUND = 'user credential not found';
 exports.AUTH_ERROR = 'auth error';
-exports.FIDO2_CERT_UNSUPPORTED = 'fido2 certificate unsupported';
 //# sourceMappingURL=error-code.js.map

package/dist-server/constants/error-code.js.map

@@ -1 +1 @@
-{"version":3,"file":"error-code.js","sourceRoot":"","sources":["../../server/constants/error-code.ts"],"names":[],"mappings":";;;AAAa,QAAA,cAAc,GAAG,gBAAgB,CAAA;AACjC,QAAA,oBAAoB,GAAG,sBAAsB,CAAA;AAC7C,QAAA,kBAAkB,GAAG,oBAAoB,CAAA;AACzC,QAAA,WAAW,GAAG,aAAa,CAAA;AAC3B,QAAA,YAAY,GAAG,cAAc,CAAA;AAC7B,QAAA,mBAAmB,GAAG,qBAAqB,CAAA;AAC3C,QAAA,kBAAkB,GAAG,oBAAoB,CAAA;AACzC,QAAA,kBAAkB,GAAG,oBAAoB,CAAA;AACzC,QAAA,0BAA0B,GAAG,4BAA4B,CAAA;AACzD,QAAA,aAAa,GAAG,eAAe,CAAA;AAC/B,QAAA,YAAY,GAAG,cAAc,CAAA;AAC7B,QAAA,kBAAkB,GAAG,qBAAqB,CAAA;AAC1C,QAAA,4BAA4B,GAAG,8BAA8B,CAAA;AAC7D,QAAA,4BAA4B,GAAG,gCAAgC,CAAA;AAC/D,QAAA,eAAe,GAAG,iBAAiB,CAAA;AACnC,QAAA,kBAAkB,GAAG,2BAA2B,CAAA;AAChD,QAAA,kBAAkB,GAAG,sCAAsC,CAAA;AAC3D,QAAA,yBAAyB,GAAG,2BAA2B,CAAA;AACvD,QAAA,UAAU,GAAG,YAAY,CAAA;AACzB,QAAA,sBAAsB,GAAG,+BAA+B,CAAA","sourcesContent":["export const USER_NOT_FOUND = 'user not found'\nexport const PASSWORD_NOT_MATCHED = 'password-not-matched'\nexport const USER_NOT_ACTIVATED = 'user not activated'\nexport const USER_LOCKED = 'user-locked'\nexport const USER_DELETED = 'user-deleted'\nexport const NO_AVAILABLE_DOMAIN = 'no-available-domain'\nexport const UNAVAILABLE_DOMAIN = 'unavailable-domain'\nexport const NO_SELECTED_DOMAIN = 'no-selected-domain'\nexport const REDIRECT_TO_DEFAULT_DOMAIN = 'redirect-to-default-domain'\nexport const TOKEN_INVALID = 'token-invalid'\nexport const AUTH_INVALID = 'auth-invalid'\nexport const SUBDOMAIN_NOTFOUND = 'subdomain not found'\nexport const CONFIRM_PASSWORD_NOT_MATCHED = 'confirm password not matched'\nexport const PASSWORD_PATTERN_NOT_MATCHED = 'password should match the rule'\nexport const USER_DUPLICATED = 'user duplicated'\nexport const PASSWORD_USED_PAST = 'password used in the past'\nexport const VERIFICATION_ERROR = 'user or verification token not found'\nexport const USER_CREDENTIAL_NOT_FOUND = 'user credential not found'\nexport const AUTH_ERROR = 'auth error'\nexport const FIDO2_CERT_UNSUPPORTED = 'fido2 certificate unsupported'\n"]}
+{"version":3,"file":"error-code.js","sourceRoot":"","sources":["../../server/constants/error-code.ts"],"names":[],"mappings":";;;AAAa,QAAA,cAAc,GAAG,gBAAgB,CAAA;AACjC,QAAA,oBAAoB,GAAG,sBAAsB,CAAA;AAC7C,QAAA,kBAAkB,GAAG,oBAAoB,CAAA;AACzC,QAAA,WAAW,GAAG,aAAa,CAAA;AAC3B,QAAA,YAAY,GAAG,cAAc,CAAA;AAC7B,QAAA,mBAAmB,GAAG,qBAAqB,CAAA;AAC3C,QAAA,kBAAkB,GAAG,oBAAoB,CAAA;AACzC,QAAA,kBAAkB,GAAG,oBAAoB,CAAA;AACzC,QAAA,0BAA0B,GAAG,4BAA4B,CAAA;AACzD,QAAA,aAAa,GAAG,eAAe,CAAA;AAC/B,QAAA,YAAY,GAAG,cAAc,CAAA;AAC7B,QAAA,kBAAkB,GAAG,qBAAqB,CAAA;AAC1C,QAAA,4BAA4B,GAAG,8BAA8B,CAAA;AAC7D,QAAA,4BAA4B,GAAG,gCAAgC,CAAA;AAC/D,QAAA,eAAe,GAAG,iBAAiB,CAAA;AACnC,QAAA,kBAAkB,GAAG,2BAA2B,CAAA;AAChD,QAAA,kBAAkB,GAAG,sCAAsC,CAAA;AAC3D,QAAA,yBAAyB,GAAG,2BAA2B,CAAA;AACvD,QAAA,yBAAyB,GAAG,2BAA2B,CAAA;AACvD,QAAA,UAAU,GAAG,YAAY,CAAA","sourcesContent":["export const USER_NOT_FOUND = 'user not found'\nexport const PASSWORD_NOT_MATCHED = 'password-not-matched'\nexport const USER_NOT_ACTIVATED = 'user not activated'\nexport const USER_LOCKED = 'user-locked'\nexport const USER_DELETED = 'user-deleted'\nexport const NO_AVAILABLE_DOMAIN = 'no-available-domain'\nexport const UNAVAILABLE_DOMAIN = 'unavailable-domain'\nexport const NO_SELECTED_DOMAIN = 'no-selected-domain'\nexport const REDIRECT_TO_DEFAULT_DOMAIN = 'redirect-to-default-domain'\nexport const TOKEN_INVALID = 'token-invalid'\nexport const AUTH_INVALID = 'auth-invalid'\nexport const SUBDOMAIN_NOTFOUND = 'subdomain not found'\nexport const CONFIRM_PASSWORD_NOT_MATCHED = 'confirm password not matched'\nexport const PASSWORD_PATTERN_NOT_MATCHED = 'password should match the rule'\nexport const USER_DUPLICATED = 'user duplicated'\nexport const PASSWORD_USED_PAST = 'password used in the past'\nexport const VERIFICATION_ERROR = 'user or verification token not found'\nexport const AUTHN_VERIFICATION_FAILED = 'authn verification failed'\nexport const USER_CREDENTIAL_NOT_FOUND = 'user credential not found'\nexport const AUTH_ERROR = 'auth error'\n"]}

package/dist-server/middlewares/webauthn-middleware.d.ts

@@ -1,2 +1 @@
-export declare const store: any;
-export declare function webAuthnMiddleware(context: any, next: any): Promise<any>;
+export declare function createWebAuthnMiddleware(strategy: 'webauthn-register' | 'webauthn-login'): (context: any, next: any) => Promise<any>;

package/dist-server/middlewares/webauthn-middleware.js

@@ -1,68 +1,95 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.store = void 0;
-exports.webAuthnMiddleware = webAuthnMiddleware;
+exports.createWebAuthnMiddleware = createWebAuthnMiddleware;
 const tslib_1 = require("tslib");
 const koa_passport_1 = tslib_1.__importDefault(require("koa-passport"));
-const passport_fido2_webauthn_1 = require("passport-fido2-webauthn");
+const passport_custom_1 = require("passport-custom");
 const shell_1 = require("@things-factory/shell");
 const user_1 = require("../service/user/user");
 const auth_error_1 = require("../errors/auth-error");
 const web_auth_credential_1 = require("../service/web-auth-credential/web-auth-credential");
-exports.store = new passport_fido2_webauthn_1.SessionChallengeStore();
-koa_passport_1.default.use(new passport_fido2_webauthn_1.Strategy({ store: exports.store }, async function verify(id, userHandle, cb) {
-    const user = await (0, shell_1.getRepository)(user_1.User).findOne({ where: { id: userHandle.toString() } });
-    if (!user) {
-        return cb(null, false, { errorCode: auth_error_1.AuthError.ERROR_CODES.USER_NOT_FOUND });
+const server_1 = require("@simplewebauthn/server");
+koa_passport_1.default.use('webauthn-register', new passport_custom_1.Strategy(async (context, done) => {
+    const { body, session, user, hostname, origin } = context;
+    const challenge = session.challenge;
+    const verification = await (0, server_1.verifyRegistrationResponse)({
+        response: body,
+        expectedChallenge: challenge,
+        expectedOrigin: origin,
+        expectedRPID: hostname,
+        expectedType: 'webauthn.create',
+        requireUserVerification: false
+    });
+    if (verification.verified) {
+        const { registrationInfo } = verification;
+        const publicKey = Buffer.from(registrationInfo.credentialPublicKey).toString('base64');
+        if (user) {
+            const webAuthRepository = (0, shell_1.getRepository)(web_auth_credential_1.WebAuthCredential);
+            await webAuthRepository.save({
+                user,
+                credentialId: registrationInfo.credentialID,
+                publicKey,
+                counter: registrationInfo.counter,
+                creator: user,
+                updater: user
+            });
+        }
+        return done(null, user);
     }
+    else {
+        return done(null, false);
+    }
+}));
+koa_passport_1.default.use('webauthn-login', new passport_custom_1.Strategy(async (context, done) => {
+    const { body, session, origin, hostname } = context;
+    const challenge = session.challenge;
+    const assertionResponse = body;
     const credential = await (0, shell_1.getRepository)(web_auth_credential_1.WebAuthCredential).findOne({
-        where: { credentialId: id, user: { id: user.id } }
+        where: {
+            credentialId: assertionResponse.id
+        }
     });
     if (!credential) {
-        return cb(null, false, { errorCode: auth_error_1.AuthError.ERROR_CODES.USER_CREDENTIAL_NOT_FOUND });
-    }
-    try {
-        return cb(null, user, credential.publicKey);
+        return done(null, false);
     }
-    catch (error) {
-        console.error(error);
-        return cb(null, false, { errorCode: auth_error_1.AuthError.ERROR_CODES.FIDO2_CERT_UNSUPPORTED });
-    }
-}, async function register(user, id, publicKey, cb) {
-    const userObject = await (0, shell_1.getRepository)(user_1.User).findOne({ where: { id: user.id.toString() } });
-    const webAuthRepository = (0, shell_1.getRepository)(web_auth_credential_1.WebAuthCredential);
-    const oldCredential = await webAuthRepository.findOne({
-        where: { user: { id: userObject.id }, publicKey: publicKey }
+    const verification = await (0, server_1.verifyAuthenticationResponse)({
+        response: body,
+        expectedChallenge: challenge,
+        expectedOrigin: origin,
+        expectedRPID: hostname,
+        requireUserVerification: false,
+        authenticator: {
+            credentialID: credential.credentialId,
+            credentialPublicKey: new Uint8Array(Buffer.from(credential.publicKey, 'base64')),
+            counter: credential.counter
+        }
     });
-    /* TODO publicKey 비교로는 중복된 등록을 막을 수 없다. */
-    if (oldCredential) {
-        await webAuthRepository.delete(oldCredential.id);
+    if (verification.verified) {
+        const { authenticationInfo } = verification;
+        credential.counter = authenticationInfo.newCounter;
+        await (0, shell_1.getRepository)(web_auth_credential_1.WebAuthCredential).save(credential);
+        const user = await (0, shell_1.getRepository)(user_1.User).findOne({ where: { email: body.email } });
+        return done(null, user);
+    }
+    else {
+        return done(verification, false);
     }
-    await webAuthRepository.save({
-        user: userObject,
-        credentialId: id,
-        publicKey,
-        counter: 0
-    });
-    return cb(null, userObject);
 }));
-async function webAuthnMiddleware(context, next) {
-    return koa_passport_1.default.authenticate('webauthn', { session: true, failureMessage: true, failWithError: true }, async (err, user, info) => {
-        if (err || !user) {
-            if (info.errorCode) {
-                throw new auth_error_1.AuthError(info);
-            }
-            else {
+function createWebAuthnMiddleware(strategy) {
+    return async function webAuthnMiddleware(context, next) {
+        return koa_passport_1.default.authenticate(strategy, { session: true, failureMessage: true, failWithError: true }, async (err, user) => {
+            if (err || !user) {
                 throw new auth_error_1.AuthError({
-                    errorCode: auth_error_1.AuthError.ERROR_CODES.AUTH_ERROR,
-                    detail: info
+                    errorCode: auth_error_1.AuthError.ERROR_CODES.AUTHN_VERIFICATION_FAILED,
+                    detail: err
                 });
             }
-        }
-        else {
-            context.state.user = user;
+            else {
+                context.state.user = user;
+                context.body = { user, verified: true };
+            }
             await next();
-        }
-    })(context, next);
+        })(context, next);
+    };
 }
 //# sourceMappingURL=webauthn-middleware.js.map

package/dist-server/middlewares/webauthn-middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"webauthn-middleware.js","sourceRoot":"","sources":["../../server/middlewares/webauthn-middleware.ts"],"names":[],"mappings":";;;AA0DA,gDAqBC;;AA/ED,wEAAmC;AACnC,qEAA6F;AAE7F,iDAAqD;AAErD,+CAA2C;AAC3C,qDAAgD;AAChD,4FAAsF;AAEzE,QAAA,KAAK,GAAG,IAAI,+CAAqB,EAAE,CAAA;AAEhD,sBAAQ,CAAC,GAAG,CACV,IAAI,kCAAgB,CAClB,EAAE,KAAK,EAAL,aAAK,EAAE,EACT,KAAK,UAAU,MAAM,CAAC,EAAU,EAAE,UAAsB,EAAE,EAAE;IAC1D,MAAM,IAAI,GAAG,MAAM,IAAA,qBAAa,EAAC,WAAI,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAA;IACxF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,sBAAS,CAAC,WAAW,CAAC,cAAc,EAAE,CAAC,CAAA;IAC7E,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,IAAA,qBAAa,EAAC,uCAAiB,CAAC,CAAC,OAAO,CAAC;QAChE,KAAK,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE;KACnD,CAAC,CAAA;IACF,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,sBAAS,CAAC,WAAW,CAAC,yBAAyB,EAAE,CAAC,CAAA;IACxF,CAAC;IAED,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,CAAA;IAC7C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QACpB,OAAO,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,sBAAS,CAAC,WAAW,CAAC,sBAAsB,EAAE,CAAC,CAAA;IACrF,CAAC;AACH,CAAC,EACD,KAAK,UAAU,QAAQ,CAAC,IAAI,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE;IAC7C,MAAM,UAAU,GAAG,MAAM,IAAA,qBAAa,EAAC,WAAI,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAA;IAC3F,MAAM,iBAAiB,GAAG,IAAA,qBAAa,EAAC,uCAAiB,CAAC,CAAA;IAE1D,MAAM,aAAa,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC;QACpD,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE;KAC7D,CAAC,CAAA;IAEF,0CAA0C;IAC1C,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,iBAAiB,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAA;IAClD,CAAC;IAED,MAAM,iBAAiB,CAAC,IAAI,CAAC;QAC3B,IAAI,EAAE,UAAU;QAChB,YAAY,EAAE,EAAE;QAChB,SAAS;QACT,OAAO,EAAE,CAAC;KACX,CAAC,CAAA;IAEF,OAAO,EAAE,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;AAC7B,CAAC,CACF,CACF,CAAA;AAEM,KAAK,UAAU,kBAAkB,CAAC,OAAO,EAAE,IAAI;IACpD,OAAO,sBAAQ,CAAC,YAAY,CAC1B,UAAU,EACV,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,EAC5D,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QACxB,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YACjB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,MAAM,IAAI,sBAAS,CAAC,IAAI,CAAC,CAAA;YAC3B,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,sBAAS,CAAC;oBAClB,SAAS,EAAE,sBAAS,CAAC,WAAW,CAAC,UAAU;oBAC3C,MAAM,EAAE,IAAI;iBACb,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAA;YAEzB,MAAM,IAAI,EAAE,CAAA;QACd,CAAC;IACH,CAAC,CACF,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;AAClB,CAAC","sourcesContent":["import passport from 'koa-passport'\nimport { Strategy as WebAuthnStrategy, SessionChallengeStore } from 'passport-fido2-webauthn'\n\nimport { getRepository } from '@things-factory/shell'\n\nimport { User } from '../service/user/user'\nimport { AuthError } from '../errors/auth-error'\nimport { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'\n\nexport const store = new SessionChallengeStore()\n\npassport.use(\n  new WebAuthnStrategy(\n    { store },\n    async function verify(id: string, userHandle: Uint8Array, cb) {\n      const user = await getRepository(User).findOne({ where: { id: userHandle.toString() } })\n      if (!user) {\n        return cb(null, false, { errorCode: AuthError.ERROR_CODES.USER_NOT_FOUND })\n      }\n      const credential = await getRepository(WebAuthCredential).findOne({\n        where: { credentialId: id, user: { id: user.id } }\n      })\n      if (!credential) {\n        return cb(null, false, { errorCode: AuthError.ERROR_CODES.USER_CREDENTIAL_NOT_FOUND })\n      }\n\n      try {\n        return cb(null, user, credential.publicKey)\n      } catch (error) {\n        console.error(error)\n        return cb(null, false, { errorCode: AuthError.ERROR_CODES.FIDO2_CERT_UNSUPPORTED })\n      }\n    },\n    async function register(user, id, publicKey, cb) {\n      const userObject = await getRepository(User).findOne({ where: { id: user.id.toString() } })\n      const webAuthRepository = getRepository(WebAuthCredential)\n\n      const oldCredential = await webAuthRepository.findOne({\n        where: { user: { id: userObject.id }, publicKey: publicKey }\n      })\n\n      /* TODO publicKey 비교로는 중복된 등록을 막을 수 없다. */\n      if (oldCredential) {\n        await webAuthRepository.delete(oldCredential.id)\n      }\n\n      await webAuthRepository.save({\n        user: userObject,\n        credentialId: id,\n        publicKey,\n        counter: 0\n      })\n\n      return cb(null, userObject)\n    }\n  )\n)\n\nexport async function webAuthnMiddleware(context, next) {\n  return passport.authenticate(\n    'webauthn',\n    { session: true, failureMessage: true, failWithError: true },\n    async (err, user, info) => {\n      if (err || !user) {\n        if (info.errorCode) {\n          throw new AuthError(info)\n        } else {\n          throw new AuthError({\n            errorCode: AuthError.ERROR_CODES.AUTH_ERROR,\n            detail: info\n          })\n        }\n      } else {\n        context.state.user = user\n\n        await next()\n      }\n    }\n  )(context, next)\n}\n"]}
+{"version":3,"file":"webauthn-middleware.js","sourceRoot":"","sources":["../../server/middlewares/webauthn-middleware.ts"],"names":[],"mappings":";;AAuGA,4DAqBC;;AA5HD,wEAAmC;AACnC,qDAA4D;AAE5D,iDAAqD;AAErD,+CAA2C;AAC3C,qDAAgD;AAEhD,4FAAsF;AACtF,mDAG+B;AAI/B,sBAAQ,CAAC,GAAG,CACV,mBAAmB,EACnB,IAAI,0BAAc,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACzC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAc,CAAA;IAEhE,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAEnC,MAAM,YAAY,GAAG,MAAM,IAAA,mCAA0B,EAAC;QACpD,QAAQ,EAAE,IAAI;QACd,iBAAiB,EAAE,SAAS;QAC5B,cAAc,EAAE,MAAM;QACtB,YAAY,EAAE,QAAQ;QACtB,YAAY,EAAE,iBAAiB;QAC/B,uBAAuB,EAAE,KAAK;KAC/B,CAAC,CAAA;IAEF,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;QAC1B,MAAM,EAAE,gBAAgB,EAAE,GAAG,YAAY,CAAA;QACzC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEvF,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,iBAAiB,GAAG,IAAA,qBAAa,EAAC,uCAAiB,CAAC,CAAA;YAC1D,MAAM,iBAAiB,CAAC,IAAI,CAAC;gBAC3B,IAAI;gBACJ,YAAY,EAAE,gBAAgB,CAAC,YAAY;gBAC3C,SAAS;gBACT,OAAO,EAAE,gBAAgB,CAAC,OAAO;gBACjC,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,IAAI;aACd,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IACzB,CAAC;SAAM,CAAC;QACN,OAAO,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IAC1B,CAAC;AACH,CAAC,CAAC,CACH,CAAA;AAED,sBAAQ,CAAC,GAAG,CACV,gBAAgB,EAChB,IAAI,0BAAc,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACzC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAc,CAAA;IAE1D,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAEnC,MAAM,iBAAiB,GAAG,IAGzB,CAAA;IAED,MAAM,UAAU,GAAG,MAAM,IAAA,qBAAa,EAAC,uCAAiB,CAAC,CAAC,OAAO,CAAC;QAChE,KAAK,EAAE;YACL,YAAY,EAAE,iBAAiB,CAAC,EAAE;SACnC;KACF,CAAC,CAAA;IAEF,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IAC1B,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,IAAA,qCAA4B,EAAC;QACtD,QAAQ,EAAE,IAAI;QACd,iBAAiB,EAAE,SAAS;QAC5B,cAAc,EAAE,MAAM;QACtB,YAAY,EAAE,QAAQ;QACtB,uBAAuB,EAAE,KAAK;QAC9B,aAAa,EAAE;YACb,YAAY,EAAE,UAAU,CAAC,YAAY;YACrC,mBAAmB,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAChF,OAAO,EAAE,UAAU,CAAC,OAAO;SAC5B;KACF,CAAC,CAAA;IAEF,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;QAC1B,MAAM,EAAE,kBAAkB,EAAE,GAAG,YAAY,CAAA;QAC3C,UAAU,CAAC,OAAO,GAAG,kBAAkB,CAAC,UAAU,CAAA;QAClD,MAAM,IAAA,qBAAa,EAAC,uCAAiB,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAEvD,MAAM,IAAI,GAAG,MAAM,IAAA,qBAAa,EAAC,WAAI,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;QAChF,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IACzB,CAAC;SAAM,CAAC;QACN,OAAO,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;IAClC,CAAC;AACH,CAAC,CAAC,CACH,CAAA;AAED,SAAgB,wBAAwB,CAAC,QAAgD;IACvF,OAAO,KAAK,UAAU,kBAAkB,CAAC,OAAO,EAAE,IAAI;QACpD,OAAO,sBAAQ,CAAC,YAAY,CAC1B,QAAQ,EACR,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,EAC5D,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YAClB,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,IAAI,sBAAS,CAAC;oBAClB,SAAS,EAAE,sBAAS,CAAC,WAAW,CAAC,yBAAyB;oBAC1D,MAAM,EAAE,GAAG;iBACZ,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC;gBAE1B,OAAO,CAAC,IAAI,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAC1C,CAAC;YAED,MAAM,IAAI,EAAE,CAAC;QACf,CAAC,CACF,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACnB,CAAC,CAAC;AACJ,CAAC","sourcesContent":["import passport from 'koa-passport'\nimport { Strategy as CustomStrategy } from 'passport-custom'\n\nimport { getRepository } from '@things-factory/shell'\n\nimport { User } from '../service/user/user'\nimport { AuthError } from '../errors/auth-error'\n\nimport { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'\nimport {\n  verifyRegistrationResponse,\n  verifyAuthenticationResponse\n} from '@simplewebauthn/server'\n\nimport { AuthenticatorAssertionResponse } from '@simplewebauthn/types'\n\npassport.use(\n  'webauthn-register',\n  new CustomStrategy(async (context, done) => {\n    const { body, session, user, hostname, origin } = context as any\n\n    const challenge = session.challenge\n\n    const verification = await verifyRegistrationResponse({\n      response: body,\n      expectedChallenge: challenge,\n      expectedOrigin: origin,\n      expectedRPID: hostname,\n      expectedType: 'webauthn.create',\n      requireUserVerification: false\n    })\n\n    if (verification.verified) {\n      const { registrationInfo } = verification\n      const publicKey = Buffer.from(registrationInfo.credentialPublicKey).toString('base64');\n\n      if (user) {\n        const webAuthRepository = getRepository(WebAuthCredential)\n        await webAuthRepository.save({\n          user,\n          credentialId: registrationInfo.credentialID,\n          publicKey,\n          counter: registrationInfo.counter,\n          creator: user,\n          updater: user\n        })\n      }\n\n      return done(null, user)\n    } else {\n      return done(null, false)\n    }\n  })\n)\n\npassport.use(\n  'webauthn-login',\n  new CustomStrategy(async (context, done) => {\n    const { body, session, origin, hostname } = context as any\n\n    const challenge = session.challenge\n\n    const assertionResponse = body as {\n      id: string\n      response: AuthenticatorAssertionResponse\n    }\n    \n    const credential = await getRepository(WebAuthCredential).findOne({\n      where: {\n        credentialId: assertionResponse.id\n      }\n    })\n\n    if (!credential) {\n      return done(null, false)\n    }\n\n    const verification = await verifyAuthenticationResponse({\n      response: body,\n      expectedChallenge: challenge,\n      expectedOrigin: origin,\n      expectedRPID: hostname,\n      requireUserVerification: false,\n      authenticator: {\n        credentialID: credential.credentialId,\n        credentialPublicKey: new Uint8Array(Buffer.from(credential.publicKey, 'base64')),\n        counter: credential.counter\n      }\n    })\n\n    if (verification.verified) {\n      const { authenticationInfo } = verification\n      credential.counter = authenticationInfo.newCounter\n      await getRepository(WebAuthCredential).save(credential)\n\n      const user = await getRepository(User).findOne({ where: { email: body.email } })\n      return done(null, user)\n    } else {\n      return done(verification, false)\n    }\n  })\n)\n\nexport function createWebAuthnMiddleware(strategy: 'webauthn-register' | 'webauthn-login') {\n  return async function webAuthnMiddleware(context, next) {\n    return passport.authenticate(\n      strategy,\n      { session: true, failureMessage: true, failWithError: true },\n      async (err, user) => {\n        if (err || !user) {\n          throw new AuthError({\n            errorCode: AuthError.ERROR_CODES.AUTHN_VERIFICATION_FAILED,\n            detail: err\n          });\n        } else {\n          context.state.user = user;\n\n          context.body = { user, verified: true };\n        }\n\n        await next();\n      }\n    )(context, next);\n  };\n}\n"]}

package/dist-server/router/webauthn-router.js

@@ -2,20 +2,60 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.webAuthnGlobalPrivateRouter = exports.webAuthnGlobalPublicRouter = void 0;
 const tslib_1 = require("tslib");
-const util_1 = tslib_1.__importDefault(require("util"));
 const koa_router_1 = tslib_1.__importDefault(require("koa-router"));
+const shell_1 = require("@things-factory/shell");
+const env_1 = require("@things-factory/env");
+const server_1 = require("@simplewebauthn/server");
+const web_auth_credential_1 = require("../service/web-auth-credential/web-auth-credential");
 const access_token_cookie_1 = require("../utils/access-token-cookie");
 const webauthn_middleware_1 = require("../middlewares/webauthn-middleware");
 exports.webAuthnGlobalPublicRouter = new koa_router_1.default();
 exports.webAuthnGlobalPrivateRouter = new koa_router_1.default();
-const challengeAsync = util_1.default.promisify(webauthn_middleware_1.store.challenge).bind(webauthn_middleware_1.store);
-exports.webAuthnGlobalPublicRouter.post('/auth/signin-webauthn/challenge', async (context, next) => {
-    const challenge = await challengeAsync(Object.assign(Object.assign({}, context.request), { session: context.session }));
-    context.body = {
-        challenge: Buffer.from(challenge).toString('base64')
-    };
+const { name: rpName } = env_1.appPackage;
+exports.webAuthnGlobalPrivateRouter.get('/auth/register-webauthn/challenge', async (context, next) => {
+    const { user } = context.state;
+    const rpID = context.hostname;
+    const webAuthCredentials = await (0, shell_1.getRepository)(web_auth_credential_1.WebAuthCredential).find({
+        where: {
+            user: { id: user.id }
+        }
+    });
+    const options = await (0, server_1.generateRegistrationOptions)({
+        rpName,
+        rpID,
+        userName: user.email,
+        userDisplayName: user.name,
+        // Don't prompt users for additional information about the authenticator
+        // (Recommended for smoother UX)
+        attestationType: 'none',
+        // Prevent users from re-registering existing authenticators
+        excludeCredentials: webAuthCredentials.map(credential => ({
+            id: credential.credentialId
+            // Optional
+            // transports: credential.transports
+        })),
+        authenticatorSelection: {
+            // Defaults
+            residentKey: 'preferred',
+            userVerification: 'preferred',
+            // Optional
+            authenticatorAttachment: 'platform'
+        }
+    });
+    context.session.challenge = options.challenge;
+    context.body = options;
 });
-exports.webAuthnGlobalPublicRouter.post('/auth/signin-webauthn', webauthn_middleware_1.webAuthnMiddleware, async (context, next) => {
+exports.webAuthnGlobalPrivateRouter.post('/auth/verify-registration', (0, webauthn_middleware_1.createWebAuthnMiddleware)('webauthn-register'));
+exports.webAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context, next) => {
+    const rpID = context.hostname;
+    const options = await (0, server_1.generateAuthenticationOptions)({
+        rpID,
+        userVerification: 'preferred'
+    });
+    context.session.challenge = options.challenge;
+    context.body = options;
+});
+exports.webAuthnGlobalPublicRouter.post('/auth/signin-webauthn', (0, webauthn_middleware_1.createWebAuthnMiddleware)('webauthn-login'), async (context, next) => {
     const { domain, user } = context.state;
     const { request } = context;
     const { body: reqBody } = request;
@@ -23,23 +63,7 @@ exports.webAuthnGlobalPublicRouter.post('/auth/signin-webauthn', webauthn_middle
     (0, access_token_cookie_1.setAccessTokenCookie)(context, token);
     var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`;
     /* 2단계 인터렉션 때문에 브라우저에서 fetch(...)로 진행될 것이므로, redirect(3xx) 응답으로 처리할 수 없다. 따라서, 데이타로 redirectURL를 응답한다. */
-    context.body = { redirectURL };
-});
-exports.webAuthnGlobalPrivateRouter.post('/auth/register-webauthn/challenge', async (context, next) => {
-    const { user } = context.state;
-    const { id, name } = user || {};
-    const challenge = await challengeAsync(Object.assign(Object.assign({}, context.request), { session: context.session }), {
-        user: {
-            id
-        }
-    });
-    context.body = {
-        user: {
-            id: Buffer.from(id).toString('base64'),
-            name: name,
-            displayName: name
-        },
-        challenge: Buffer.from(challenge).toString('base64')
-    };
+    context.body = { redirectURL, verified: true };
+    await next();
 });
 //# sourceMappingURL=webauthn-router.js.map

package/dist-server/router/webauthn-router.js.map

@@ -1 +1 @@
-{"version":3,"file":"webauthn-router.js","sourceRoot":"","sources":["../../server/router/webauthn-router.ts"],"names":[],"mappings":";;;;AAAA,wDAAuB;AACvB,oEAA+B;AAE/B,sEAAmE;AACnE,4EAA8E;AAEjE,QAAA,0BAA0B,GAAG,IAAI,oBAAM,EAAE,CAAA;AACzC,QAAA,2BAA2B,GAAG,IAAI,oBAAM,EAAE,CAAA;AAEvD,MAAM,cAAc,GAAG,cAAI,CAAC,SAAS,CAAC,2BAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,2BAAK,CAAC,CAAA;AAElE,kCAA0B,CAAC,IAAI,CAAC,iCAAiC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACzF,MAAM,SAAS,GAAG,MAAM,cAAc,iCAAM,OAAO,CAAC,OAAO,KAAE,OAAO,EAAE,OAAO,CAAC,OAAO,IAAG,CAAA;IAExF,OAAO,CAAC,IAAI,GAAG;QACb,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KACrD,CAAA;AACH,CAAC,CAAC,CAAA;AAEF,kCAA0B,CAAC,IAAI,CAAC,uBAAuB,EAAE,wCAAkB,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACnG,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IACtC,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAC3B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAEjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE,CAAC,CAAA;IAC/D,IAAA,0CAAoB,EAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAEpC,IAAI,WAAW,GAAG,gBAAgB,MAAM,CAAC,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,kBAAkB,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC,EAAE,CAAA;IAErI,yGAAyG;IACzG,OAAO,CAAC,IAAI,GAAG,EAAE,WAAW,EAAE,CAAA;AAChC,CAAC,CAAC,CAAA;AAEF,mCAA2B,CAAC,IAAI,CAAC,mCAAmC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IAC5F,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAC9B,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,IAAI,IAAI,EAAE,CAAA;IAE/B,MAAM,SAAS,GAAG,MAAM,cAAc,iCAC/B,OAAO,CAAC,OAAO,KAAE,OAAO,EAAE,OAAO,CAAC,OAAO,KAC9C;QACE,IAAI,EAAE;YACJ,EAAE;SACH;KACF,CACF,CAAA;IAED,OAAO,CAAC,IAAI,GAAG;QACb,IAAI,EAAE;YACJ,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACtC,IAAI,EAAE,IAAI;YACV,WAAW,EAAE,IAAI;SAClB;QACD,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KACrD,CAAA;AACH,CAAC,CAAC,CAAA","sourcesContent":["import util from 'util'\nimport Router from 'koa-router'\n\nimport { setAccessTokenCookie } from '../utils/access-token-cookie'\nimport { store, webAuthnMiddleware } from '../middlewares/webauthn-middleware'\n\nexport const webAuthnGlobalPublicRouter = new Router()\nexport const webAuthnGlobalPrivateRouter = new Router()\n\nconst challengeAsync = util.promisify(store.challenge).bind(store)\n\nwebAuthnGlobalPublicRouter.post('/auth/signin-webauthn/challenge', async (context, next) => {\n  const challenge = await challengeAsync({ ...context.request, session: context.session })\n\n  context.body = {\n    challenge: Buffer.from(challenge).toString('base64')\n  }\n})\n\nwebAuthnGlobalPublicRouter.post('/auth/signin-webauthn', webAuthnMiddleware, async (context, next) => {\n  const { domain, user } = context.state\n  const { request } = context\n  const { body: reqBody } = request\n\n  const token = await user.sign({ subdomain: domain?.subdomain })\n  setAccessTokenCookie(context, token)\n\n  var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`\n\n  /* 2단계 인터렉션 때문에 브라우저에서 fetch(...)로 진행될 것이므로, redirect(3xx) 응답으로 처리할 수 없다. 따라서, 데이타로 redirectURL를 응답한다. */\n  context.body = { redirectURL }\n})\n\nwebAuthnGlobalPrivateRouter.post('/auth/register-webauthn/challenge', async (context, next) => {\n  const { user } = context.state\n  const { id, name } = user || {}\n\n  const challenge = await challengeAsync(\n    { ...context.request, session: context.session },\n    {\n      user: {\n        id\n      }\n    }\n  )\n\n  context.body = {\n    user: {\n      id: Buffer.from(id).toString('base64'),\n      name: name,\n      displayName: name\n    },\n    challenge: Buffer.from(challenge).toString('base64')\n  }\n})\n"]}
+{"version":3,"file":"webauthn-router.js","sourceRoot":"","sources":["../../server/router/webauthn-router.ts"],"names":[],"mappings":";;;;AAAA,oEAA+B;AAC/B,iDAAqD;AACrD,6CAAgD;AAEhD,mDAAmG;AAEnG,4FAAsF;AAItF,sEAAmE;AACnE,4EAA8E;AAEjE,QAAA,0BAA0B,GAAG,IAAI,oBAAM,EAAE,CAAA;AACzC,QAAA,2BAA2B,GAAG,IAAI,oBAAM,EAAE,CAAA;AAEvD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,gBAAiB,CAAA;AAE1C,mCAA2B,CAAC,GAAG,CAAC,mCAAmC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IAC3F,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAC9B,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAA;IAE7B,MAAM,kBAAkB,GAAG,MAAM,IAAA,qBAAa,EAAC,uCAAiB,CAAC,CAAC,IAAI,CAAC;QACrE,KAAK,EAAE;YACL,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;SACtB;KACF,CAAC,CAAA;IAEF,MAAM,OAAO,GAA2C,MAAM,IAAA,oCAA2B,EAAC;QACxF,MAAM;QACN,IAAI;QACJ,QAAQ,EAAE,IAAI,CAAC,KAAK;QACpB,eAAe,EAAE,IAAI,CAAC,IAAI;QAC1B,wEAAwE;QACxE,gCAAgC;QAChC,eAAe,EAAE,MAAM;QACvB,4DAA4D;QAC5D,kBAAkB,EAAE,kBAAkB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACxD,EAAE,EAAE,UAAU,CAAC,YAAY;YAC3B,WAAW;YACX,oCAAoC;SACrC,CAAC,CAAC;QACH,sBAAsB,EAAE;YACtB,WAAW;YACX,WAAW,EAAE,WAAW;YACxB,gBAAgB,EAAE,WAAW;YAC7B,WAAW;YACX,uBAAuB,EAAE,UAAU;SACpC;KACF,CAAC,CAAA;IAEF,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAC7C,OAAO,CAAC,IAAI,GAAG,OAAO,CAAA;AACxB,CAAC,CAAC,CAAA;AAEF,mCAA2B,CAAC,IAAI,CAAC,2BAA2B,EAAE,IAAA,8CAAwB,EAAC,mBAAmB,CAAC,CAAC,CAAC;AAE7G,kCAA0B,CAAC,GAAG,CAAC,iCAAiC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACxF,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAA;IAE7B,MAAM,OAAO,GAAG,MAAM,IAAA,sCAA6B,EAAC;QAClD,IAAI;QACJ,gBAAgB,EAAE,WAAW;KAC9B,CAAC,CAAA;IAEF,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAC7C,OAAO,CAAC,IAAI,GAAG,OAAO,CAAA;AACxB,CAAC,CAAC,CAAA;AAEF,kCAA0B,CAAC,IAAI,CAC7B,uBAAuB,EAAE,IAAA,8CAAwB,EAAC,gBAAgB,CAAC,EACnE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACtB,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAE,KAAK,CAAA;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAC3B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAEjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE,CAAC,CAAA;IAC/D,IAAA,0CAAoB,EAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAEpC,IAAI,WAAW,GAAG,gBAAgB,MAAM,CAAC,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,kBAAkB,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC,EAAE,CAAA;IAErI,yGAAyG;IACzG,OAAO,CAAC,IAAI,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAA;IAE9C,MAAM,IAAI,EAAE,CAAC;AACf,CAAC,CACF,CAAA","sourcesContent":["import Router from 'koa-router'\nimport { getRepository } from '@things-factory/shell'\nimport { appPackage } from '@things-factory/env'\n\nimport { generateRegistrationOptions, generateAuthenticationOptions } from '@simplewebauthn/server'\n\nimport { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'\nimport {\n  PublicKeyCredentialCreationOptionsJSON,\n} from '@simplewebauthn/server/script/deps'\nimport { setAccessTokenCookie } from '../utils/access-token-cookie'\nimport { createWebAuthnMiddleware } from '../middlewares/webauthn-middleware';\n\nexport const webAuthnGlobalPublicRouter = new Router()\nexport const webAuthnGlobalPrivateRouter = new Router()\n\nconst { name: rpName } = appPackage as any\n\nwebAuthnGlobalPrivateRouter.get('/auth/register-webauthn/challenge', async (context, next) => {\n  const { user } = context.state\n  const rpID = context.hostname\n\n  const webAuthCredentials = await getRepository(WebAuthCredential).find({\n    where: {\n      user: { id: user.id }\n    }\n  })\n\n  const options: PublicKeyCredentialCreationOptionsJSON = await generateRegistrationOptions({\n    rpName,\n    rpID,\n    userName: user.email,\n    userDisplayName: user.name,\n    // Don't prompt users for additional information about the authenticator\n    // (Recommended for smoother UX)\n    attestationType: 'none',\n    // Prevent users from re-registering existing authenticators\n    excludeCredentials: webAuthCredentials.map(credential => ({\n      id: credential.credentialId\n      // Optional\n      // transports: credential.transports\n    })),\n    authenticatorSelection: {\n      // Defaults\n      residentKey: 'preferred',\n      userVerification: 'preferred',\n      // Optional\n      authenticatorAttachment: 'platform'\n    }\n  })\n\n  context.session.challenge = options.challenge\n  context.body = options\n})\n\nwebAuthnGlobalPrivateRouter.post('/auth/verify-registration', createWebAuthnMiddleware('webauthn-register'));\n\nwebAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context, next) => {\n  const rpID = context.hostname\n\n  const options = await generateAuthenticationOptions({\n    rpID,\n    userVerification: 'preferred'\n  })\n\n  context.session.challenge = options.challenge\n  context.body = options\n})\n\nwebAuthnGlobalPublicRouter.post(\n  '/auth/signin-webauthn', createWebAuthnMiddleware('webauthn-login'),\n  async (context, next) => {\n    const { domain, user } = context. state\n    const { request } = context\n    const { body: reqBody } = request\n\n    const token = await user.sign({ subdomain: domain?.subdomain })\n    setAccessTokenCookie(context, token)\n\n    var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`\n\n    /* 2단계 인터렉션 때문에 브라우저에서 fetch(...)로 진행될 것이므로, redirect(3xx) 응답으로 처리할 수 없다. 따라서, 데이타로 redirectURL를 응답한다. */\n    context.body = { redirectURL, verified: true }\n\n    await next();\n  }\n)\n"]}

package/dist-server/service/web-auth-credential/web-auth-credential.js.map

@@ -1 +1 @@
-{"version":3,"file":"web-auth-credential.js","sourceRoot":"","sources":["../../../server/service/web-auth-credential/web-auth-credential.ts"],"names":[],"mappings":";;;;AAAA,+CAAwC;AACxC,qCASgB;AAEhB,uCAAmC;AAQ5B,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;CA6C7B,CAAA;AA7CY,8CAAiB;AAGnB;IAFR,IAAA,gCAAsB,EAAC,MAAM,CAAC;IAC9B,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,iBAAE,CAAC;;6CACC;AAInB;IAFC,IAAA,mBAAS,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3C,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCACjC,WAAI;+CAAA;AAGX;IADC,IAAA,oBAAU,EAAC,CAAC,iBAAoC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC;;iDAC9D;AAIf;IAFC,IAAA,gBAAM,GAAE;IACR,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;uDACN;AAIpB;IAFC,IAAA,gBAAM,GAAE;IACR,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;oDACT;AAIjB;IAFC,IAAA,gBAAM,GAAE;IACR,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;kDACX;AAIf;IAFC,IAAA,0BAAgB,GAAE;IAClB,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCACd,IAAI;oDAAA;AAIhB;IAFC,IAAA,0BAAgB,GAAE;IAClB,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCACd,IAAI;oDAAA;AAIhB;IAFC,IAAA,mBAAS,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3C,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCAC9B,WAAI;kDAAA;AAGd;IADC,IAAA,oBAAU,EAAC,CAAC,iBAAoC,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC;;oDAC9D;AAIlB;IAFC,IAAA,mBAAS,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3C,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCAC9B,WAAI;kDAAA;AAGd;IADC,IAAA,oBAAU,EAAC,CAAC,iBAAoC,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC;;oDAC9D;4BA5CP,iBAAiB;IAN7B,IAAA,gBAAM,GAAE;IACR,IAAA,eAAK,EACJ,0BAA0B,EAC1B,CAAC,iBAAoC,EAAE,EAAE,CAAC,CAAC,iBAAiB,CAAC,IAAI,EAAE,iBAAiB,CAAC,YAAY,CAAC,EAClG,EAAE,MAAM,EAAE,IAAI,EAAE,CACjB;GACY,iBAAiB,CA6C7B","sourcesContent":["import { Field, ID } from 'type-graphql'\nimport {\n  CreateDateColumn,\n  UpdateDateColumn,\n  Entity,\n  Index,\n  Column,\n  RelationId,\n  ManyToOne,\n  PrimaryGeneratedColumn\n} from 'typeorm'\n\nimport { User } from '../user/user'\n\n@Entity()\n@Index(\n  'ix_web_auth_credential_0',\n  (webAuthCredential: WebAuthCredential) => [webAuthCredential.user, webAuthCredential.credentialId],\n  { unique: true }\n)\nexport class WebAuthCredential {\n  @PrimaryGeneratedColumn('uuid')\n  @Field(type => ID)\n  readonly id: string\n\n  @ManyToOne(type => User, { nullable: true })\n  @Field(type => User, { nullable: true })\n  user?: User\n\n  @RelationId((webAuthCredential: WebAuthCredential) => webAuthCredential.user)\n  userId?: string\n\n  @Column()\n  @Field({ nullable: true })\n  credentialId: string\n\n  @Column()\n  @Field({ nullable: true })\n  publicKey: string\n\n  @Column()\n  @Field({ nullable: true })\n  counter: number\n\n  @CreateDateColumn()\n  @Field({ nullable: true })\n  createdAt?: Date\n\n  @UpdateDateColumn()\n  @Field({ nullable: true })\n  updatedAt?: Date\n\n  @ManyToOne(type => User, { nullable: true })\n  @Field(type => User, { nullable: true })\n  creator?: User\n\n  @RelationId((webAuthCredential: WebAuthCredential) => webAuthCredential.creator)\n  creatorId?: string\n\n  @ManyToOne(type => User, { nullable: true })\n  @Field(type => User, { nullable: true })\n  updater?: User\n\n  @RelationId((webAuthCredential: WebAuthCredential) => webAuthCredential.updater)\n  updaterId?: string\n}\n"]}
+{"version":3,"file":"web-auth-credential.js","sourceRoot":"","sources":["../../../server/service/web-auth-credential/web-auth-credential.ts"],"names":[],"mappings":";;;;AAAA,+CAAwC;AACxC,qCASgB;AAEhB,uCAAmC;AAS5B,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;CA6C7B,CAAA;AA7CY,8CAAiB;AAGnB;IAFR,IAAA,gCAAsB,EAAC,MAAM,CAAC;IAC9B,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,iBAAE,CAAC;;6CACC;AAInB;IAFC,IAAA,mBAAS,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3C,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCACjC,WAAI;+CAAA;AAGX;IADC,IAAA,oBAAU,EAAC,CAAC,iBAAoC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC;;iDAC9D;AAIf;IAFC,IAAA,gBAAM,GAAE;IACR,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;uDACN;AAIpB;IAFC,IAAA,gBAAM,GAAE;IACR,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;oDACT;AAIjB;IAFC,IAAA,gBAAM,GAAE;IACR,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;kDACX;AAIf;IAFC,IAAA,0BAAgB,GAAE;IAClB,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCACd,IAAI;oDAAA;AAIhB;IAFC,IAAA,0BAAgB,GAAE;IAClB,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCACd,IAAI;oDAAA;AAIhB;IAFC,IAAA,mBAAS,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3C,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCAC9B,WAAI;kDAAA;AAGd;IADC,IAAA,oBAAU,EAAC,CAAC,iBAAoC,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC;;oDAC9D;AAIlB;IAFC,IAAA,mBAAS,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3C,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,WAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;sCAC9B,WAAI;kDAAA;AAGd;IADC,IAAA,oBAAU,EAAC,CAAC,iBAAoC,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC;;oDAC9D;4BA5CP,iBAAiB;IAN7B,IAAA,gBAAM,GAAE;IACR,IAAA,eAAK,EACJ,0BAA0B,EAC1B,CAAC,iBAAoC,EAAE,EAAE,CAAC,CAAC,iBAAiB,CAAC,IAAI,EAAE,iBAAiB,CAAC,YAAY,CAAC,EAClG,EAAE,MAAM,EAAE,IAAI,EAAE,CACjB;GACY,iBAAiB,CA6C7B","sourcesContent":["import { Field, ID } from 'type-graphql'\nimport {\n  CreateDateColumn,\n  UpdateDateColumn,\n  Entity,\n  Index,\n  Column,\n  RelationId,\n  ManyToOne,\n  PrimaryGeneratedColumn\n} from 'typeorm'\n\nimport { User } from '../user/user'\nimport { AuthenticatorTransportFuture } from '@simplewebauthn/server/script/deps'\n\n@Entity()\n@Index(\n  'ix_web_auth_credential_0',\n  (webAuthCredential: WebAuthCredential) => [webAuthCredential.user, webAuthCredential.credentialId],\n  { unique: true }\n)\nexport class WebAuthCredential {\n  @PrimaryGeneratedColumn('uuid')\n  @Field(type => ID)\n  readonly id: string\n\n  @ManyToOne(type => User, { nullable: true })\n  @Field(type => User, { nullable: true })\n  user?: User\n\n  @RelationId((webAuthCredential: WebAuthCredential) => webAuthCredential.user)\n  userId?: string\n\n  @Column()\n  @Field({ nullable: true })\n  credentialId: string\n\n  @Column()\n  @Field({ nullable: true })\n  publicKey: string\n\n  @Column()\n  @Field({ nullable: true })\n  counter: number\n\n  @CreateDateColumn()\n  @Field({ nullable: true })\n  createdAt?: Date\n\n  @UpdateDateColumn()\n  @Field({ nullable: true })\n  updatedAt?: Date\n\n  @ManyToOne(type => User, { nullable: true })\n  @Field(type => User, { nullable: true })\n  creator?: User\n\n  @RelationId((webAuthCredential: WebAuthCredential) => webAuthCredential.creator)\n  creatorId?: string\n\n  @ManyToOne(type => User, { nullable: true })\n  @Field(type => User, { nullable: true })\n  updater?: User\n\n  @RelationId((webAuthCredential: WebAuthCredential) => webAuthCredential.updater)\n  updaterId?: string\n}\n"]}