@things-factory/auth-base 8.0.0-alpha.2 → 8.0.0-alpha.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (24) hide show
  1. package/client/index.ts +1 -0
  2. package/client/verify-webauthn.ts +86 -0
  3. package/dist-client/index.d.ts +1 -0
  4. package/dist-client/index.js +1 -0
  5. package/dist-client/index.js.map +1 -1
  6. package/dist-client/tsconfig.tsbuildinfo +1 -1
  7. package/dist-client/verify-webauthn.d.ts +13 -0
  8. package/dist-client/verify-webauthn.js +72 -0
  9. package/dist-client/verify-webauthn.js.map +1 -0
  10. package/dist-server/index.d.ts +1 -0
  11. package/dist-server/index.js +1 -0
  12. package/dist-server/index.js.map +1 -1
  13. package/dist-server/middlewares/webauthn-middleware.js.map +1 -1
  14. package/dist-server/router/webauthn-router.js +51 -1
  15. package/dist-server/router/webauthn-router.js.map +1 -1
  16. package/dist-server/tsconfig.tsbuildinfo +1 -1
  17. package/dist-server/utils/check-user-has-role.d.ts +12 -0
  18. package/dist-server/utils/check-user-has-role.js +28 -0
  19. package/dist-server/utils/check-user-has-role.js.map +1 -0
  20. package/package.json +6 -6
  21. package/server/index.ts +1 -0
  22. package/server/middlewares/webauthn-middleware.ts +7 -8
  23. package/server/router/webauthn-router.ts +71 -9
  24. package/server/utils/check-user-has-role.ts +29 -0
package/dist-server/router/webauthn-router.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"webauthn-router.js","sourceRoot":"","sources":["../../server/router/webauthn-router.ts"],"names":[],"mappings":";;;;AAAA,oEAA+B;AAC/B,iDAAqD;AACrD,6CAAgD;AAEhD,mDAAmG;AAEnG,4FAAsF;AAItF,sEAAmE;AACnE,4EAA8E;AAEjE,QAAA,0BAA0B,GAAG,IAAI,oBAAM,EAAE,CAAA;AACzC,QAAA,2BAA2B,GAAG,IAAI,oBAAM,EAAE,CAAA;AAEvD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,gBAAiB,CAAA;AAE1C,mCAA2B,CAAC,GAAG,CAAC,mCAAmC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IAC3F,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAC9B,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAA;IAE7B,MAAM,kBAAkB,GAAG,MAAM,IAAA,qBAAa,EAAC,uCAAiB,CAAC,CAAC,IAAI,CAAC;QACrE,KAAK,EAAE;YACL,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;SACtB;KACF,CAAC,CAAA;IAEF,MAAM,OAAO,GAA2C,MAAM,IAAA,oCAA2B,EAAC;QACxF,MAAM;QACN,IAAI;QACJ,QAAQ,EAAE,IAAI,CAAC,KAAK;QACpB,eAAe,EAAE,IAAI,CAAC,IAAI;QAC1B,wEAAwE;QACxE,gCAAgC;QAChC,eAAe,EAAE,MAAM;QACvB,4DAA4D;QAC5D,kBAAkB,EAAE,kBAAkB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACxD,EAAE,EAAE,UAAU,CAAC,YAAY;YAC3B,WAAW;YACX,oCAAoC;SACrC,CAAC,CAAC;QACH,sBAAsB,EAAE;YACtB,WAAW;YACX,WAAW,EAAE,WAAW;YACxB,gBAAgB,EAAE,WAAW;YAC7B,WAAW;YACX,uBAAuB,EAAE,UAAU;SACpC;KACF,CAAC,CAAA;IAEF,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAC7C,OAAO,CAAC,IAAI,GAAG,OAAO,CAAA;AACxB,CAAC,CAAC,CAAA;AAEF,mCAA2B,CAAC,IAAI,CAAC,2BAA2B,EAAE,IAAA,8CAAwB,EAAC,mBAAmB,CAAC,CAAC,CAAC;AAE7G,kCAA0B,CAAC,GAAG,CAAC,iCAAiC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACxF,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAA;IAE7B,MAAM,OAAO,GAAG,MAAM,IAAA,sCAA6B,EAAC;QAClD,IAAI;QACJ,gBAAgB,EAAE,WAAW;KAC9B,CAAC,CAAA;IAEF,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAC7C,OAAO,CAAC,IAAI,GAAG,OAAO,CAAA;AACxB,CAAC,CAAC,CAAA;AAEF,kCAA0B,CAAC,IAAI,CAC7B,uBAAuB,EAAE,IAAA,8CAAwB,EAAC,gBAAgB,CAAC,EACnE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACtB,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAE,KAAK,CAAA;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAC3B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAEjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE,CAAC,CAAA;IAC/D,IAAA,0CAAoB,EAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAEpC,IAAI,WAAW,GAAG,gBAAgB,MAAM,CAAC,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,kBAAkB,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC,EAAE,CAAA;IAErI,yGAAyG;IACzG,OAAO,CAAC,IAAI,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAA;IAE9C,MAAM,IAAI,EAAE,CAAC;AACf,CAAC,CACF,CAAA","sourcesContent":["import Router from 'koa-router'\nimport { getRepository } from '@things-factory/shell'\nimport { appPackage } from '@things-factory/env'\n\nimport { generateRegistrationOptions, generateAuthenticationOptions } from '@simplewebauthn/server'\n\nimport { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'\nimport {\n PublicKeyCredentialCreationOptionsJSON,\n} from '@simplewebauthn/server/script/deps'\nimport { setAccessTokenCookie } from '../utils/access-token-cookie'\nimport { createWebAuthnMiddleware } from '../middlewares/webauthn-middleware';\n\nexport const webAuthnGlobalPublicRouter = new Router()\nexport const webAuthnGlobalPrivateRouter = new Router()\n\nconst { name: rpName } = appPackage as any\n\nwebAuthnGlobalPrivateRouter.get('/auth/register-webauthn/challenge', async (context, next) => {\n const { user } = context.state\n const rpID = context.hostname\n\n const webAuthCredentials = await getRepository(WebAuthCredential).find({\n where: {\n user: { id: user.id }\n }\n })\n\n const options: PublicKeyCredentialCreationOptionsJSON = await generateRegistrationOptions({\n rpName,\n rpID,\n userName: user.email,\n userDisplayName: user.name,\n // Don't prompt users for additional information about the authenticator\n // (Recommended for smoother UX)\n attestationType: 'none',\n // Prevent users from re-registering existing authenticators\n excludeCredentials: webAuthCredentials.map(credential => ({\n id: credential.credentialId\n // Optional\n // transports: credential.transports\n })),\n authenticatorSelection: {\n // Defaults\n residentKey: 'preferred',\n userVerification: 'preferred',\n // Optional\n authenticatorAttachment: 'platform'\n }\n })\n\n context.session.challenge = options.challenge\n context.body = options\n})\n\nwebAuthnGlobalPrivateRouter.post('/auth/verify-registration', createWebAuthnMiddleware('webauthn-register'));\n\nwebAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context, next) => {\n const rpID = context.hostname\n\n const options = await generateAuthenticationOptions({\n rpID,\n userVerification: 'preferred'\n })\n\n context.session.challenge = options.challenge\n context.body = options\n})\n\nwebAuthnGlobalPublicRouter.post(\n '/auth/signin-webauthn', createWebAuthnMiddleware('webauthn-login'),\n async (context, next) => {\n const { domain, user } = context. state\n const { request } = context\n const { body: reqBody } = request\n\n const token = await user.sign({ subdomain: domain?.subdomain })\n setAccessTokenCookie(context, token)\n\n var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`\n\n /* 2단계 인터렉션 때문에 브라우저에서 fetch(...) 진행될 것이므로, redirect(3xx) 응답으로 처리할 없다. 따라서, 데이타로 redirectURL를 응답한다. */\n context.body = { redirectURL, verified: true }\n\n await next();\n }\n)\n"]}
1
+ {"version":3,"file":"webauthn-router.js","sourceRoot":"","sources":["../../server/router/webauthn-router.ts"],"names":[],"mappings":";;;;AAAA,oEAA+B;AAC/B,iDAAqD;AACrD,6CAAgD;AAEhD,mDAAmG;AAEnG,4FAAsF;AAEtF,sEAAmE;AACnE,4EAA6E;AAEhE,QAAA,0BAA0B,GAAG,IAAI,oBAAM,EAAE,CAAA;AACzC,QAAA,2BAA2B,GAAG,IAAI,oBAAM,EAAE,CAAA;AAEvD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,gBAAiB,CAAA;AAE1C,qEAAqE;AACrE,mCAA2B,CAAC,GAAG,CAAC,iCAAiC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACzF,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAC9B,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAA;IAE7B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,MAAM,GAAG,GAAG,CAAA;QACpB,OAAO,CAAC,IAAI,GAAG,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAA;QAClD,OAAM;IACR,CAAC;IAED,MAAM,kBAAkB,GAAG,MAAM,IAAA,qBAAa,EAAC,uCAAiB,CAAC,CAAC,IAAI,CAAC;QACrE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE;KACjC,CAAC,CAAA;IAEF,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,MAAM,GAAG,GAAG,CAAA;QACpB,OAAO,CAAC,IAAI,GAAG,EAAE,KAAK,EAAE,mDAAmD,EAAE,CAAA;QAC7E,OAAM;IACR,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,IAAA,sCAA6B,EAAC;QAClD,IAAI;QACJ,gBAAgB,EAAE,WAAW;QAC7B,gBAAgB,EAAE,kBAAkB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACtD,EAAE,EAAE,UAAU,CAAC,YAAY;YAC3B,IAAI,EAAE,YAAY;SACnB,CAAC,CAAC;KACJ,CAAC,CAAA;IAEF,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAC7C,OAAO,CAAC,IAAI,GAAG,OAAO,CAAA;AACxB,CAAC,CAAC,CAAA;AAEF,kCAAkC;AAClC,mCAA2B,CAAC,IAAI,CAC9B,uBAAuB;AACvB,sDAAsD;AACtD,IAAA,8CAAwB,EAAC,gBAAgB,CAAC,EAC1C,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACtB,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAC9B,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAC3B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAEjC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,MAAM,GAAG,GAAG,CAAA;QACpB,OAAO,CAAC,IAAI,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAA;QACrE,OAAM;IACR,CAAC;IAED,OAAO,CAAC,IAAI,GAAG;QACb,QAAQ,EAAE,IAAI;QACd,OAAO,EAAE,qCAAqC;KAC/C,CAAA;IAED,MAAM,IAAI,EAAE,CAAA;AACd,CAAC,CACF,CAAA;AAED,mEAAmE;AACnE,mCAA2B,CAAC,GAAG,CAAC,mCAAmC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IAC3F,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAC9B,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAA;IAE7B,MAAM,kBAAkB,GAAG,MAAM,IAAA,qBAAa,EAAC,uCAAiB,CAAC,CAAC,IAAI,CAAC;QACrE,KAAK,EAAE;YACL,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;SACtB;KACF,CAAC,CAAA;IAEF,MAAM,OAAO,GAA2C,MAAM,IAAA,oCAA2B,EAAC;QACxF,MAAM;QACN,IAAI;QACJ,QAAQ,EAAE,IAAI,CAAC,KAAK;QACpB,eAAe,EAAE,IAAI,CAAC,IAAI;QAC1B,wEAAwE;QACxE,gCAAgC;QAChC,eAAe,EAAE,MAAM;QACvB,4DAA4D;QAC5D,kBAAkB,EAAE,kBAAkB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACxD,EAAE,EAAE,UAAU,CAAC,YAAY;YAC3B,WAAW;YACX,oCAAoC;SACrC,CAAC,CAAC;QACH,sBAAsB,EAAE;YACtB,WAAW;YACX,WAAW,EAAE,WAAW;YACxB,gBAAgB,EAAE,WAAW;YAC7B,WAAW;YACX,uBAAuB,EAAE,UAAU;SACpC;KACF,CAAC,CAAA;IAEF,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAC7C,OAAO,CAAC,IAAI,GAAG,OAAO,CAAA;AACxB,CAAC,CAAC,CAAA;AAEF,sBAAsB;AACtB,mCAA2B,CAAC,IAAI,CAAC,2BAA2B,EAAE,IAAA,8CAAwB,EAAC,mBAAmB,CAAC,CAAC,CAAA;AAE5G,6BAA6B;AAC7B,kCAA0B,CAAC,GAAG,CAAC,iCAAiC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACxF,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAA;IAE7B,MAAM,OAAO,GAAG,MAAM,IAAA,sCAA6B,EAAC;QAClD,IAAI;QACJ,gBAAgB,EAAE,WAAW;KAC9B,CAAC,CAAA;IAEF,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAC7C,OAAO,CAAC,IAAI,GAAG,OAAO,CAAA;AACxB,CAAC,CAAC,CAAA;AAEF,wCAAwC;AACxC,kCAA0B,CAAC,IAAI,CAC7B,uBAAuB,EACvB,IAAA,8CAAwB,EAAC,gBAAgB,CAAC,EAC1C,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IACtB,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IACtC,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAC3B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAEjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE,CAAC,CAAA;IAC/D,IAAA,0CAAoB,EAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAEpC,IAAI,WAAW,GAAG,gBAAgB,MAAM,CAAC,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,kBAAkB,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC,EAAE,CAAA;IAErI,6LAA6L;IAC7L,OAAO,CAAC,IAAI,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAA;IAE9C,MAAM,IAAI,EAAE,CAAA;AACd,CAAC,CACF,CAAA","sourcesContent":["import Router from 'koa-router'\nimport { getRepository } from '@things-factory/shell'\nimport { appPackage } from '@things-factory/env'\n\nimport { generateRegistrationOptions, generateAuthenticationOptions } from '@simplewebauthn/server'\n\nimport { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'\nimport { PublicKeyCredentialCreationOptionsJSON } from '@simplewebauthn/server/script/deps'\nimport { setAccessTokenCookie } from '../utils/access-token-cookie'\nimport { createWebAuthnMiddleware } from '../middlewares/webauthn-middleware'\n\nexport const webAuthnGlobalPublicRouter = new Router()\nexport const webAuthnGlobalPrivateRouter = new Router()\n\nconst { name: rpName } = appPackage as any\n\n// Generate authentication challenge for the currently logged-in user\nwebAuthnGlobalPrivateRouter.get('/auth/verify-webauthn/challenge', async (context, next) => {\n const { user } = context.state\n const rpID = context.hostname\n\n if (!user) {\n context.status = 401\n context.body = { error: 'User not authenticated' }\n return\n }\n\n const webAuthCredentials = await getRepository(WebAuthCredential).find({\n where: { user: { id: user.id } }\n })\n\n if (webAuthCredentials.length === 0) {\n context.status = 400\n context.body = { error: 'No biometric credentials registered for this user' }\n return\n }\n\n const options = await generateAuthenticationOptions({\n rpID,\n userVerification: 'preferred',\n allowCredentials: webAuthCredentials.map(credential => ({\n id: credential.credentialId,\n type: 'public-key'\n }))\n })\n\n context.session.challenge = options.challenge\n context.body = options\n})\n\n// Verify biometric authentication\nwebAuthnGlobalPrivateRouter.post(\n '/auth/verify-webauthn',\n /* reuse webauthn-login as webauthn-verify strategy */\n createWebAuthnMiddleware('webauthn-login'),\n async (context, next) => {\n const { user } = context.state\n const { request } = context\n const { body: reqBody } = request\n\n if (!user) {\n context.status = 401\n context.body = { verified: false, message: 'User not authenticated' }\n return\n }\n\n context.body = {\n verified: true,\n message: 'Biometric authentication successful'\n }\n\n await next()\n }\n)\n\n// Generate registration challenge for the currently logged-in user\nwebAuthnGlobalPrivateRouter.get('/auth/register-webauthn/challenge', async (context, next) => {\n const { user } = context.state\n const rpID = context.hostname\n\n const webAuthCredentials = await getRepository(WebAuthCredential).find({\n where: {\n user: { id: user.id }\n }\n })\n\n const options: PublicKeyCredentialCreationOptionsJSON = await generateRegistrationOptions({\n rpName,\n rpID,\n userName: user.email,\n userDisplayName: user.name,\n // Don't prompt users for additional information about the authenticator\n // (Recommended for smoother UX)\n attestationType: 'none',\n // Prevent users from re-registering existing authenticators\n excludeCredentials: webAuthCredentials.map(credential => ({\n id: credential.credentialId\n // Optional\n // transports: credential.transports\n })),\n authenticatorSelection: {\n // Defaults\n residentKey: 'preferred',\n userVerification: 'preferred',\n // Optional\n authenticatorAttachment: 'platform'\n }\n })\n\n context.session.challenge = options.challenge\n context.body = options\n})\n\n// Verify registration\nwebAuthnGlobalPrivateRouter.post('/auth/verify-registration', createWebAuthnMiddleware('webauthn-register'))\n\n// Generate sign-in challenge\nwebAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context, next) => {\n const rpID = context.hostname\n\n const options = await generateAuthenticationOptions({\n rpID,\n userVerification: 'preferred'\n })\n\n context.session.challenge = options.challenge\n context.body = options\n})\n\n// Sign in with biometric authentication\nwebAuthnGlobalPublicRouter.post(\n '/auth/signin-webauthn',\n createWebAuthnMiddleware('webauthn-login'),\n async (context, next) => {\n const { domain, user } = context.state\n const { request } = context\n const { body: reqBody } = request\n\n const token = await user.sign({ subdomain: domain?.subdomain })\n setAccessTokenCookie(context, token)\n\n var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`\n\n /* Due to the two-step interaction, it will be processed by fetch(...) in the browser, so it cannot be handled with a redirect(3xx) response. Therefore, respond with redirectURL as data. */\n context.body = { redirectURL, verified: true }\n\n await next()\n }\n)\n"]}