@toa.io/extensions.exposition 1.0.0-alpha.130 → 1.0.0-alpha.132

package/components/identity.passkeys/source/challenge.ts

@@ -1,4 +1,5 @@
 import { randomBytes } from 'node:crypto'
+import { newid } from '@toa.io/generic'
 import { MAX_KEYS } from './lib/const'
 import type { Operation } from '@toa.io/types'
 import type { Context } from './types'
@@ -31,7 +32,7 @@ export class Effect implements Operation {
   }
 
   public async execute (input: Input): Promise<Output> {
-    const { identity, authority } = input
+    const { type, identity, authority } = input
     const challenge = await this.createChallenge(authority)
 
     const options: Output = {
@@ -39,23 +40,31 @@ export class Effect implements Operation {
       timeout: this.timeout
     }
 
-    if (identity === undefined)
-      return options
-
-    const keys = await this.enumerate({
-      query: {
-        criteria: `identity==${identity}`,
-        projection: ['kid', 'transports'],
-        limit: MAX_KEYS
-      }
-    })
-
-    return {
-      ...options,
-      excludeCredentials: keys.map(({ kid, transports }) => ({ id: kid, transports })),
-      pubKeyCredParams: this.credParams,
-      authenticatorSelection: this.authenticator
-    }
+    if (type === 'creation')
+      options.identity = identity ?? newid()
+
+    const keys = identity === undefined
+      ? undefined
+      : await this.enumerate({
+        query: {
+          criteria: `identity==${identity}`,
+          projection: ['kid', 'transports'],
+          limit: MAX_KEYS
+        }
+      })
+
+    if (type === 'creation')
+      return {
+        ...options,
+        excludeCredentials: keys?.map(({ kid, transports }) => ({ id: kid, transports })),
+        pubKeyCredParams: this.credParams,
+        authenticatorSelection: this.authenticator
+      } satisfies CreationOptions
+    else
+      return {
+        ...options,
+        allowCredentials: keys?.map(({ kid, transports }) => ({ id: kid, transports }))
+      } satisfies RequestOptions
   }
 
   private async createChallenge (authority: string): Promise<string> {
@@ -73,6 +82,7 @@ export class Effect implements Operation {
 const EX_GAP = 1.5
 
 interface Input {
+  type: 'creation' | 'request'
   authority: string
   identity?: string | null
 }
@@ -80,6 +90,7 @@ interface Input {
 type Output = CreationOptions | RequestOptions
 
 interface CommonOptions {
+  identity?: string
   challenge: string
   timeout: number
 }
@@ -91,7 +102,10 @@ interface KeyDescriptor {
 
 type CreationOptions =
   CommonOptions
-  & Omit<PublicKeyCredentialCreationOptions, 'rp' | 'user' | 'excludeCredentials'>
-  & { excludeCredentials: KeyDescriptor[] }
+  & Omit<PublicKeyCredentialCreationOptions, 'challenge' | 'rp' | 'user' | 'excludeCredentials'>
+  & { excludeCredentials?: KeyDescriptor[] }
 
-type RequestOptions = CommonOptions
+type RequestOptions =
+  CommonOptions
+  & Omit<PublicKeyCredentialRequestOptions, 'challenge' | 'allowCredentials'>
+  & { allowCredentials?: KeyDescriptor[] }

package/components/identity.passkeys/source/create.ts

@@ -9,9 +9,13 @@ export class Transition implements Operation {
   private algorithms!: number[]
   private stash!: Context['stash']
   private logs!: Context['logs']
+  private verification!: boolean
+  private presence!: boolean
 
   public mount (context: Context): void {
     this.algorithms = context.configuration.algorithms
+    this.verification = context.configuration.verification === 'required'
+    this.presence = context.configuration.residence === 'required'
     this.stash = context.stash
     this.logs = context.logs
   }
@@ -26,7 +30,9 @@ export class Transition implements Operation {
       response,
       expectedOrigin: input.origin,
       expectedChallenge: async (challenge) => this.verifyChallenge(authority, challenge),
-      supportedAlgorithmIDs: this.algorithms
+      supportedAlgorithmIDs: this.algorithms,
+      requireUserVerification: this.verification,
+      requireUserPresence: this.presence
     }).catch((e) => {
       this.logs.info('Failed to verify registration response', { message: e.message })
 

package/components/identity.passkeys/source/use.ts

@@ -7,10 +7,14 @@ import type { Context, Passkey } from './types'
 export class Transition implements Operation {
   private stash!: Context['stash']
   private logs!: Context['logs']
+  private verification!: boolean
+  private presence!: boolean
 
   public mount (context: Context): void {
     this.stash = context.stash
     this.logs = context.logs
+    this.verification = context.configuration.verification === 'required'
+    this.presence = context.configuration.residence === 'required'
   }
 
   public async execute (input: Input, object: Passkey): Promise<Output> {
@@ -23,7 +27,8 @@ export class Transition implements Operation {
       credential,
       expectedOrigin: origin,
       expectedRPID: new URL(origin).hostname,
-      expectedChallenge: async (challenge) => this.verifyChallenge(object.authority, challenge)
+      expectedChallenge: async (challenge) => this.verifyChallenge(object.authority, challenge),
+      requireUserVerification: this.verification
     }).catch((e) => {
       this.logs.info('Failed to verify authentication response', { message: e.message })
 

package/features/passkeys.feature

@@ -12,12 +12,46 @@ Feature: Web Authentication
       host: nex.toa.io
       authorization: Token ${{ identity.token }}
       accept: application/yaml
+      content-type: application/yaml
+
+      type: creation
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      challenge: ${{ challenge }}
+      identity: ${{ identity.id }}
+      timeout: 60000
+      pubKeyCredParams:
+        - type: public-key
+          alg: -7
+        - type: public-key
+          alg: -257
+      """
+
+  Scenario: Create a challenge to create a passkey to new identity
+    Given the `identity.passkeys` configuration:
+      """yaml
+      name: Nex
+      """
+    And transient identity
+    When the following request is received:
+      """
+      POST /identity/passkeys/challenges/ HTTP/1.1
+      host: nex.toa.io
+      accept: application/yaml
+      content-type: application/yaml
+
+      type: creation
       """
     Then the following reply is sent:
       """
       201 Created
+      authorization: Token ${{ token }}
 
       challenge: ${{ challenge }}
+      identity: ${{ identity }}
       timeout: 60000
       pubKeyCredParams:
         - type: public-key

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@toa.io/extensions.exposition",
-  "version": "1.0.0-alpha.130",
+  "version": "1.0.0-alpha.132",
   "description": "Toa Exposition",
   "author": "temich <tema.gurtovoy@gmail.com>",
   "homepage": "https://github.com/toa-io/toa#readme",
@@ -63,5 +63,5 @@
     "@types/negotiator": "0.6.1",
     "jest-esbuild": "0.3.0"
   },
-  "gitHead": "fe6810a087b7c7c88b4e194b99ce421fc21501ba"
+  "gitHead": "0159315b61cab2a7ab70e8473e4b88dc666c28d5"
 }

package/source/directives/auth/Incept.ts

@@ -1,4 +1,5 @@
 import assert from 'node:assert'
+import { console } from 'openspan'
 import * as http from '../../HTTP'
 import { split } from './split'
 import { create } from './create'
@@ -35,12 +36,21 @@ export class Incept implements Directive {
   public async settle (context: Context, response: http.OutgoingMessage): Promise<void> {
     const id = response.body?.[this.property ?? 'id']
 
+    if (id === undefined) {
+      console.debug('Inception skipped: response does not contain expected property', {
+        property: this.property,
+        response
+      })
+
+      return
+    }
+
     assert(typeof id === 'string', `Response body property "${this.property}" expected to be a string`)
 
     if (context.request.headers.authorization !== undefined)
       context.identity = await this.incept(context, id)
     else
-      context.identity = { id, scheme: null, refresh: true }
+      context.identity = { id, scheme: null, refresh: true, roles: [] }
   }
 
   private async incept (context: Context, id: string): Promise<Identity> {
@@ -67,6 +77,7 @@ export class Incept implements Directive {
       throw new http.UnprocessableEntity(identity)
 
     identity.scheme = scheme
+    identity.roles = []
 
     return identity
   }

package/transpiled/directives/auth/Incept.js

@@ -28,6 +28,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Incept = void 0;
 const node_assert_1 = __importDefault(require("node:assert"));
+const openspan_1 = require("openspan");
 const http = __importStar(require("../../HTTP"));
 const split_1 = require("./split");
 const create_1 = require("./create");
@@ -52,11 +53,18 @@ class Incept {
     }
     async settle(context, response) {
         const id = response.body?.[this.property ?? 'id'];
+        if (id === undefined) {
+            openspan_1.console.debug('Inception skipped: response does not contain expected property', {
+                property: this.property,
+                response
+            });
+            return;
+        }
         (0, node_assert_1.default)(typeof id === 'string', `Response body property "${this.property}" expected to be a string`);
         if (context.request.headers.authorization !== undefined)
             context.identity = await this.incept(context, id);
         else
-            context.identity = { id, scheme: null, refresh: true };
+            context.identity = { id, scheme: null, refresh: true, roles: [] };
     }
     async incept(context, id) {
         const [scheme, credentials] = (0, split_1.split)(context.request.headers.authorization);
@@ -76,6 +84,7 @@ class Incept {
         if (identity instanceof Error)
             throw new http.UnprocessableEntity(identity);
         identity.scheme = scheme;
+        identity.roles = [];
         return identity;
     }
 }

package/transpiled/directives/auth/Incept.js.map

@@ -1 +1 @@
-{"version":3,"file":"Incept.js","sourceRoot":"","sources":["../../../source/directives/auth/Incept.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8DAAgC;AAChC,iDAAkC;AAClC,mCAA+B;AAC/B,qCAAiC;AACjC,uCAAgD;AAIhD,MAAa,MAAM;IACA,QAAQ,CAAe;IACvB,SAAS,CAAW;IACpB,OAAO,GAAY,EAAwB,CAAA;IAE5D,YAAoB,QAAgB,EAAE,SAAoB;QACxD,qBAAM,CAAC,EAAE,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,QAAQ,KAAK,QAAQ,EACzD,8CAA8C,CAAC,CAAA;QAEjD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACxB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;IAC5B,CAAC;IAEM,SAAS,CAAE,QAAyB;QACzC,OAAO,QAAQ,KAAK,IAAI,CAAA;IAC1B,CAAC;IAEM,KAAK,CAAE,OAAgB;QAC5B,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI;YACxB,OAAO,IAAI,CAAA;QAEb,MAAM,IAAI,GAAG,IAAA,eAAM,EAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAA;QAE1D,OAAO,EAAE,IAAI,EAAE,CAAA;IACjB,CAAC;IAEM,KAAK,CAAC,MAAM,CAAE,OAAgB,EAAE,QAA8B;QACnE,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,CAAA;QAEjD,IAAA,qBAAM,EAAC,OAAO,EAAE,KAAK,QAAQ,EAAE,2BAA2B,IAAI,CAAC,QAAQ,2BAA2B,CAAC,CAAA;QAEnG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,KAAK,SAAS;YACrD,OAAO,CAAC,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;;YAEjD,OAAO,CAAC,QAAQ,GAAG,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IAC1D,CAAC;IAEO,KAAK,CAAC,MAAM,CAAE,OAAgB,EAAE,EAAU;QAChD,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,IAAA,aAAK,EAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAc,CAAC,CAAA;QAC3E,MAAM,QAAQ,GAAG,mBAAS,CAAC,MAAM,CAAC,CAAA;QAElC,IAAI,QAAQ,KAAK,SAAS;YACxB,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,wCAAwC,CAAC,CAAA;QAErE,IAAI,CAAC,mBAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC/B,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,2DAA2D,CAAC,CAAA;QAExF,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QAEvD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAAkB,QAAQ,EAAE;YAC5E,KAAK,EAAE;gBACL,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,EAAE;gBACF,WAAW;aACZ;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,YAAY,KAAK;YAC3B,MAAM,IAAI,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAA;QAE9C,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAA;QAExB,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAhED,wBAgEC"}
+{"version":3,"file":"Incept.js","sourceRoot":"","sources":["../../../source/directives/auth/Incept.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8DAAgC;AAChC,uCAAkC;AAClC,iDAAkC;AAClC,mCAA+B;AAC/B,qCAAiC;AACjC,uCAAgD;AAIhD,MAAa,MAAM;IACA,QAAQ,CAAe;IACvB,SAAS,CAAW;IACpB,OAAO,GAAY,EAAwB,CAAA;IAE5D,YAAoB,QAAgB,EAAE,SAAoB;QACxD,qBAAM,CAAC,EAAE,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,QAAQ,KAAK,QAAQ,EACzD,8CAA8C,CAAC,CAAA;QAEjD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACxB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;IAC5B,CAAC;IAEM,SAAS,CAAE,QAAyB;QACzC,OAAO,QAAQ,KAAK,IAAI,CAAA;IAC1B,CAAC;IAEM,KAAK,CAAE,OAAgB;QAC5B,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI;YACxB,OAAO,IAAI,CAAA;QAEb,MAAM,IAAI,GAAG,IAAA,eAAM,EAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAA;QAE1D,OAAO,EAAE,IAAI,EAAE,CAAA;IACjB,CAAC;IAEM,KAAK,CAAC,MAAM,CAAE,OAAgB,EAAE,QAA8B;QACnE,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,CAAA;QAEjD,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;YACrB,kBAAO,CAAC,KAAK,CAAC,gEAAgE,EAAE;gBAC9E,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ;aACT,CAAC,CAAA;YAEF,OAAM;QACR,CAAC;QAED,IAAA,qBAAM,EAAC,OAAO,EAAE,KAAK,QAAQ,EAAE,2BAA2B,IAAI,CAAC,QAAQ,2BAA2B,CAAC,CAAA;QAEnG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,KAAK,SAAS;YACrD,OAAO,CAAC,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;;YAEjD,OAAO,CAAC,QAAQ,GAAG,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAA;IACrE,CAAC;IAEO,KAAK,CAAC,MAAM,CAAE,OAAgB,EAAE,EAAU;QAChD,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,IAAA,aAAK,EAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAc,CAAC,CAAA;QAC3E,MAAM,QAAQ,GAAG,mBAAS,CAAC,MAAM,CAAC,CAAA;QAElC,IAAI,QAAQ,KAAK,SAAS;YACxB,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,wCAAwC,CAAC,CAAA;QAErE,IAAI,CAAC,mBAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC/B,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,2DAA2D,CAAC,CAAA;QAExF,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QAEvD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAAkB,QAAQ,EAAE;YAC5E,KAAK,EAAE;gBACL,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,EAAE;gBACF,WAAW;aACZ;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,YAAY,KAAK;YAC3B,MAAM,IAAI,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAA;QAE9C,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAA;QACxB,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAA;QAEnB,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AA1ED,wBA0EC"}