npm - @vc1023/passkey-2fa - Versions diffs - 0.1.0 - Mend

@vc1023/passkey-2fa 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/.env.example +19 -0
package/README.md +119 -0
package/bin/check-env.mjs +57 -0
package/migrations/0001_passkey_tables.sql +64 -0
package/package.json +51 -0
package/src/aal2.test.ts +37 -0
package/src/aal2.ts +67 -0
package/src/api-client.ts +58 -0
package/src/client.ts +86 -0
package/src/config.ts +63 -0
package/src/env.ts +20 -0
package/src/events.ts +14 -0
package/src/guard.ts +75 -0
package/src/index.ts +20 -0
package/src/middleware.ts +55 -0
package/src/rate-limit.test.ts +20 -0
package/src/rate-limit.ts +48 -0
package/src/routes.ts +182 -0
package/src/supabase.ts +40 -0
package/src/types.ts +26 -0
package/src/validation.test.ts +36 -0
package/src/validation.ts +36 -0
package/src/webauthn.ts +186 -0

package/src/webauthn.ts ADDED Viewed

@@ -0,0 +1,186 @@
+// WebAuthn passkey ceremonies — the second factor. All verification happens HERE,
+// server-side. Challenges are single-use + expiring; the signature counter is
+// persisted to resist replay. User verification (face/fingerprint/PIN) is
+// required. Challenges + credential writes use the service-role client.
+import {
+  generateAuthenticationOptions,
+  generateRegistrationOptions,
+  verifyAuthenticationResponse,
+  verifyRegistrationResponse,
+  type AuthenticationResponseJSON,
+  type RegistrationResponseJSON,
+} from "@simplewebauthn/server";
+import { expectedOrigin, rpID, rpName } from "./config";
+import { createServiceSupabase } from "./supabase";
+import type { WebAuthnCredentialRow } from "./types";
+export interface AuthUser {
+  id: string;
+  email: string;
+}
+const CHALLENGE_TTL_MS = 5 * 60 * 1000;
+type ChallengeType = "registration" | "authentication";
+function b64urlToBytes(s: string) {
+  const b = Buffer.from(s, "base64url");
+  const out = new Uint8Array(b.byteLength);
+  out.set(b);
+  return out;
+}
+function bytesToB64url(b: Uint8Array): string {
+  return Buffer.from(b).toString("base64url");
+}
+async function storeChallenge(userId: string, challenge: string, type: ChallengeType): Promise<void> {
+  const svc = createServiceSupabase();
+  await svc.from("webauthn_challenges").delete().eq("user_id", userId).eq("type", type);
+  await svc.from("webauthn_challenges").insert({
+    user_id: userId,
+    challenge,
+    type,
+    expires_at: new Date(Date.now() + CHALLENGE_TTL_MS).toISOString(),
+  });
+}
+/** Fetch + delete (single-use) the latest challenge; null if missing/expired. */
+async function consumeChallenge(userId: string, type: ChallengeType): Promise<string | null> {
+  const svc = createServiceSupabase();
+  const { data } = await svc
+    .from("webauthn_challenges")
+    .select("challenge, expires_at")
+    .eq("user_id", userId)
+    .eq("type", type)
+    .order("created_at", { ascending: false })
+    .limit(1);
+  await svc.from("webauthn_challenges").delete().eq("user_id", userId).eq("type", type);
+  const row = data?.[0];
+  if (!row) return null;
+  if (new Date(row.expires_at).getTime() < Date.now()) return null;
+  return row.challenge;
+}
+export async function createRegistrationOptions(user: AuthUser) {
+  const svc = createServiceSupabase();
+  const { data: existing } = await svc
+    .from("webauthn_credentials")
+    .select("credential_id, transports")
+    .eq("user_id", user.id);
+  const options = await generateRegistrationOptions({
+    rpName: rpName(),
+    rpID: rpID(),
+    userName: user.email,
+    userID: new TextEncoder().encode(user.id),
+    attestationType: "none",
+    excludeCredentials: (existing ?? []).map((c) => ({
+      id: c.credential_id,
+      transports: (c.transports ?? undefined) as never,
+    })),
+    authenticatorSelection: { residentKey: "preferred", userVerification: "required" },
+  });
+  await storeChallenge(user.id, options.challenge, "registration");
+  return options;
+}
+export async function verifyRegistration(
+  user: AuthUser,
+  response: RegistrationResponseJSON,
+): Promise<{ verified: boolean; reason?: string }> {
+  const expectedChallenge = await consumeChallenge(user.id, "registration");
+  if (!expectedChallenge) return { verified: false, reason: "challenge" };
+  let verification;
+  try {
+    verification = await verifyRegistrationResponse({
+      response,
+      expectedChallenge,
+      expectedOrigin: expectedOrigin(),
+      expectedRPID: rpID(),
+      requireUserVerification: true,
+    });
+  } catch {
+    return { verified: false, reason: "verify" };
+  }
+  if (!verification.verified || !verification.registrationInfo) {
+    return { verified: false, reason: "verify" };
+  }
+  const { credential, aaguid, credentialDeviceType, credentialBackedUp } =
+    verification.registrationInfo;
+  const svc = createServiceSupabase();
+  const { error } = await svc.from("webauthn_credentials").insert({
+    user_id: user.id,
+    credential_id: credential.id,
+    public_key: bytesToB64url(credential.publicKey),
+    counter: credential.counter,
+    transports: credential.transports ?? null,
+    device_type: credentialDeviceType,
+    backed_up: credentialBackedUp,
+    aaguid,
+  });
+  if (error) return { verified: false, reason: "store" };
+  return { verified: true };
+}
+export async function createAuthenticationOptions(user: AuthUser) {
+  const svc = createServiceSupabase();
+  const { data: creds } = await svc
+    .from("webauthn_credentials")
+    .select("credential_id, transports")
+    .eq("user_id", user.id);
+  const options = await generateAuthenticationOptions({
+    rpID: rpID(),
+    allowCredentials: (creds ?? []).map((c) => ({
+      id: c.credential_id,
+      transports: (c.transports ?? undefined) as never,
+    })),
+    userVerification: "required",
+  });
+  await storeChallenge(user.id, options.challenge, "authentication");
+  return options;
+}
+export async function verifyAuthentication(
+  user: AuthUser,
+  response: AuthenticationResponseJSON,
+): Promise<{ verified: boolean; reason?: string }> {
+  const expectedChallenge = await consumeChallenge(user.id, "authentication");
+  if (!expectedChallenge) return { verified: false, reason: "challenge" };
+  const svc = createServiceSupabase();
+  const { data: rows } = await svc
+    .from("webauthn_credentials")
+    .select("*")
+    .eq("user_id", user.id)
+    .eq("credential_id", response.id)
+    .limit(1);
+  const cred = rows?.[0] as WebAuthnCredentialRow | undefined;
+  if (!cred) return { verified: false, reason: "unknown_credential" };
+  let verification;
+  try {
+    verification = await verifyAuthenticationResponse({
+      response,
+      expectedChallenge,
+      expectedOrigin: expectedOrigin(),
+      expectedRPID: rpID(),
+      requireUserVerification: true,
+      credential: {
+        id: cred.credential_id,
+        publicKey: b64urlToBytes(cred.public_key),
+        counter: Number(cred.counter),
+        transports: (cred.transports ?? undefined) as never,
+      },
+    });
+  } catch {
+    return { verified: false, reason: "verify" };
+  }
+  if (!verification.verified) return { verified: false, reason: "verify" };
+  await svc
+    .from("webauthn_credentials")
+    .update({ counter: verification.authenticationInfo.newCounter })
+    .eq("id", cred.id);
+  return { verified: true };
+}