jazz-tools 0.19.19 → 0.19.21

package/src/react-native-core/auth/usePasskeyAuth.tsx

@@ -0,0 +1,85 @@
+import {
+  useAuthSecretStorage,
+  useIsAuthenticated,
+  useJazzContext,
+} from "jazz-tools/react-core";
+import { useMemo } from "react";
+import { ReactNativePasskeyAuth } from "./PasskeyAuth.js";
+
+/**
+ * React hook for passkey (WebAuthn) authentication in React Native apps.
+ *
+ * This hook provides a simple interface for signing up and logging in with passkeys,
+ * using the device's biometric authentication (FaceID/TouchID/fingerprint).
+ *
+ * **Requirements:**
+ * - Install `react-native-passkey` as a peer dependency
+ * - Configure your app's associated domains (iOS) and asset links (Android)
+ * - Passkeys require HTTPS domain verification
+ *
+ * @example
+ * ```tsx
+ * import { usePasskeyAuth } from "jazz-tools/react-native-core";
+ *
+ * function AuthScreen() {
+ *   const auth = usePasskeyAuth({
+ *     appName: "My App",
+ *     rpId: "myapp.com",
+ *   });
+ *
+ *   if (auth.state === "signedIn") {
+ *     return <MainApp />;
+ *   }
+ *
+ *   return (
+ *     <View>
+ *       <Button title="Sign Up" onPress={() => auth.signUp("John Doe")} />
+ *       <Button title="Log In" onPress={auth.logIn} />
+ *     </View>
+ *   );
+ * }
+ * ```
+ *
+ * @param options.appName - The display name of your app shown during passkey prompts
+ * @param options.rpId - The relying party ID (your app's domain, e.g., "myapp.com")
+ *
+ * @category Auth Providers
+ */
+export function usePasskeyAuth({
+  appName,
+  rpId,
+}: {
+  appName: string;
+  rpId: string;
+}) {
+  const context = useJazzContext();
+  const authSecretStorage = useAuthSecretStorage();
+
+  if ("guest" in context) {
+    throw new Error("Passkey auth is not supported in guest mode");
+  }
+
+  const authMethod = useMemo(() => {
+    return new ReactNativePasskeyAuth(
+      context.node.crypto,
+      context.authenticate,
+      authSecretStorage,
+      appName,
+      rpId,
+    );
+  }, [
+    appName,
+    rpId,
+    authSecretStorage,
+    context.node.crypto,
+    context.authenticate,
+  ]);
+
+  const isAuthenticated = useIsAuthenticated();
+
+  return {
+    state: isAuthenticated ? "signedIn" : "anonymous",
+    logIn: authMethod.logIn,
+    signUp: authMethod.signUp,
+  } as const;
+}

package/src/react-native-core/hooks.tsx

@@ -6,6 +6,7 @@ import { Linking } from "react-native";
 
 export {
   useCoState,
+  useCoStates,
   experimental_useInboxSender,
   useDemoAuth,
   usePassphraseAuth,
@@ -20,6 +21,7 @@ export {
   useAccountSubscription,
   useSubscriptionSelector,
   useSuspenseCoState,
+  useSuspenseCoStates,
   useSuspenseAccount,
 } from "jazz-tools/react-core";
 

package/src/react-native-core/tests/PasskeyAuth.test.ts

@@ -0,0 +1,463 @@
+// @vitest-environment happy-dom
+
+import { AgentSecret } from "cojson";
+import { Account, InMemoryKVStore, KvStoreContext } from "jazz-tools";
+import { AuthSecretStorage } from "jazz-tools";
+import { createJazzTestAccount } from "jazz-tools/testing";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+  ReactNativePasskeyAuth,
+  setPasskeyModule,
+} from "../auth/PasskeyAuth.js";
+import {
+  base64UrlToUint8Array,
+  uint8ArrayToBase64Url,
+} from "../auth/passkey-utils.js";
+
+// Create mock functions
+const mockCreate = vi.fn();
+const mockGet = vi.fn();
+const mockIsSupported = vi.fn();
+
+// Create mock passkey module
+const mockPasskeyModule = {
+  create: mockCreate,
+  get: mockGet,
+  isSupported: mockIsSupported,
+};
+
+KvStoreContext.getInstance().initialize(new InMemoryKVStore());
+const authSecretStorage = new AuthSecretStorage();
+
+beforeEach(async () => {
+  await authSecretStorage.clear();
+  vi.clearAllMocks();
+
+  // Inject the mock module using dependency injection
+  setPasskeyModule(mockPasskeyModule);
+
+  await createJazzTestAccount({
+    isCurrentActiveAccount: true,
+  });
+});
+
+describe("ReactNativePasskeyAuth", () => {
+  const mockCrypto = {
+    randomBytes: (l: number) => crypto.getRandomValues(new Uint8Array(l)),
+    newRandomSecretSeed: () => new Uint8Array(32).fill(1),
+    agentSecretFromSecretSeed: () => "mock-secret" as AgentSecret,
+  } as any;
+  const mockAuthenticate = vi.fn();
+
+  describe("initialization", () => {
+    it("should initialize with app name and rpId", () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+      expect(auth.appName).toBe("Test App");
+      expect(auth.rpId).toBe("example.com");
+    });
+
+    it("should have static id property", () => {
+      expect(ReactNativePasskeyAuth.id).toBe("passkey");
+    });
+  });
+
+  describe("logIn", () => {
+    it("should call Passkey.get with correct parameters", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      // Create a mock credential payload (secretSeed + accountID)
+      const mockPayload = new Uint8Array(56);
+      mockPayload.fill(1, 0, 32); // secretSeed
+      mockPayload.fill(2, 32, 56); // accountID hash
+
+      mockGet.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          authenticatorData: "mock-auth-data",
+          signature: "mock-signature",
+          userHandle: uint8ArrayToBase64Url(mockPayload),
+        },
+      });
+
+      await auth.logIn();
+
+      expect(mockGet).toHaveBeenCalledWith({
+        challenge: expect.any(String),
+        rpId: "example.com",
+        timeout: 60000,
+        userVerification: "preferred",
+      });
+
+      expect(mockAuthenticate).toHaveBeenCalledWith({
+        accountID: expect.any(String),
+        accountSecret: "mock-secret",
+      });
+    });
+
+    it("should store credentials after successful login", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      const mockPayload = new Uint8Array(56);
+      mockPayload.fill(1, 0, 32);
+      mockPayload.fill(2, 32, 56);
+
+      mockGet.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          authenticatorData: "mock-auth-data",
+          signature: "mock-signature",
+          userHandle: uint8ArrayToBase64Url(mockPayload),
+        },
+      });
+
+      await auth.logIn();
+
+      const stored = await authSecretStorage.get();
+      expect(stored).toEqual({
+        accountID: expect.any(String),
+        secretSeed: expect.any(Uint8Array),
+        accountSecret: "mock-secret",
+        provider: "passkey",
+      });
+    });
+
+    it("should throw error when passkey authentication fails", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      mockGet.mockRejectedValue(new Error("User cancelled"));
+
+      await expect(auth.logIn()).rejects.toThrow(
+        "Passkey authentication aborted",
+      );
+    });
+
+    it("should return early when passkey.get returns null", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      mockGet.mockResolvedValue(null);
+
+      await auth.logIn();
+
+      expect(mockAuthenticate).not.toHaveBeenCalled();
+    });
+
+    it("should throw error when userHandle is null", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      mockGet.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          authenticatorData: "mock-auth-data",
+          signature: "mock-signature",
+          userHandle: null,
+        },
+      });
+
+      await expect(auth.logIn()).rejects.toThrow(
+        "Passkey credential is missing userHandle",
+      );
+    });
+  });
+
+  describe("signUp", () => {
+    it("should call Passkey.create with correct parameters", async () => {
+      // Use the real account from createJazzTestAccount
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      // Set up credentials with the real account ID
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("testuser");
+
+      expect(mockCreate).toHaveBeenCalledWith({
+        challenge: expect.any(String),
+        rp: {
+          id: "example.com",
+          name: "Test App",
+        },
+        user: {
+          id: expect.any(String),
+          name: expect.stringContaining("testuser"),
+          displayName: "testuser",
+        },
+        pubKeyCredParams: [
+          { alg: -7, type: "public-key" },
+          { alg: -257, type: "public-key" },
+        ],
+        authenticatorSelection: {
+          residentKey: "required",
+          userVerification: "preferred",
+        },
+        timeout: 60000,
+        attestation: "none",
+      });
+    });
+
+    it("should update provider to passkey after signup", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("testuser");
+
+      const stored = await authSecretStorage.get();
+      expect(stored?.provider).toBe("passkey");
+    });
+
+    it("should throw error when no credentials exist", async () => {
+      await authSecretStorage.clear();
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await expect(auth.signUp("testuser")).rejects.toThrow(
+        "Not enough credentials to register the account with passkey",
+      );
+    });
+
+    it("should throw error when passkey creation fails", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockRejectedValue(new Error("User cancelled"));
+
+      await expect(auth.signUp("testuser")).rejects.toThrow(
+        "Passkey creation aborted",
+      );
+    });
+
+    it("should leave profile name unchanged if username is empty", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("");
+
+      const currentAccount = await Account.getMe().$jazz.ensureLoaded({
+        resolve: {
+          profile: true,
+        },
+      });
+
+      // 'Test Account' is the name provided during account creation
+      expect(currentAccount.profile.name).toEqual("Test Account");
+    });
+
+    it("should update profile name if username is provided", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("testuser");
+
+      const currentAccount = await Account.getMe().$jazz.ensureLoaded({
+        resolve: {
+          profile: true,
+        },
+      });
+
+      expect(currentAccount.profile.name).toEqual("testuser");
+    });
+  });
+
+  describe("credential encoding", () => {
+    it("should encode user.id as base64url in create request", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("testuser");
+
+      const createCall = mockCreate.mock.calls[0]![0];
+      const userId = createCall.user.id;
+
+      // Should be a valid base64url string (no +, /, or =)
+      expect(userId).not.toContain("+");
+      expect(userId).not.toContain("/");
+      expect(userId).not.toContain("=");
+
+      // Should decode to expected length (secretSeedLength 32 + shortHashLength 19 = 51 bytes)
+      const decoded = base64UrlToUint8Array(userId);
+      expect(decoded.length).toBe(51);
+    });
+  });
+});

package/src/react-native-core/tests/passkey-utils.test.ts

@@ -0,0 +1,144 @@
+import { describe, expect, it } from "vitest";
+import {
+  base64UrlToUint8Array,
+  uint8ArrayToBase64Url,
+} from "../auth/passkey-utils";
+
+describe("passkey-utils", () => {
+  describe("uint8ArrayToBase64Url", () => {
+    it("should encode an empty array", () => {
+      const bytes = new Uint8Array([]);
+      expect(uint8ArrayToBase64Url(bytes)).toBe("");
+    });
+
+    it("should encode a simple byte array", () => {
+      // "Hello" in bytes
+      const bytes = new Uint8Array([72, 101, 108, 108, 111]);
+      expect(uint8ArrayToBase64Url(bytes)).toBe("SGVsbG8");
+    });
+
+    it("should use base64url alphabet (- instead of +)", () => {
+      // Bytes that produce + in standard base64
+      const bytes = new Uint8Array([251, 239]); // produces "++" in base64
+      const result = uint8ArrayToBase64Url(bytes);
+      expect(result).not.toContain("+");
+      expect(result).toContain("-");
+    });
+
+    it("should use base64url alphabet (_ instead of /)", () => {
+      // Bytes that produce / in standard base64
+      const bytes = new Uint8Array([255, 255]); // produces "//" in base64
+      const result = uint8ArrayToBase64Url(bytes);
+      expect(result).not.toContain("/");
+      expect(result).toContain("_");
+    });
+
+    it("should omit padding", () => {
+      // Single byte produces base64 with padding
+      const bytes = new Uint8Array([1]);
+      const result = uint8ArrayToBase64Url(bytes);
+      expect(result).not.toContain("=");
+    });
+
+    it("should handle typical credential payload size (56 bytes)", () => {
+      // secretSeedLength (32) + shortHashLength (19) = 51 bytes
+      const bytes = new Uint8Array(56);
+      for (let i = 0; i < 56; i++) {
+        bytes[i] = i;
+      }
+      const result = uint8ArrayToBase64Url(bytes);
+      expect(result.length).toBeGreaterThan(0);
+      expect(result).not.toContain("+");
+      expect(result).not.toContain("/");
+      expect(result).not.toContain("=");
+    });
+  });
+
+  describe("base64UrlToUint8Array", () => {
+    it("should decode an empty string", () => {
+      const result = base64UrlToUint8Array("");
+      expect(result).toEqual(new Uint8Array([]));
+    });
+
+    it("should decode a simple base64url string", () => {
+      // "SGVsbG8" is "Hello" in base64url
+      const result = base64UrlToUint8Array("SGVsbG8");
+      expect(result).toEqual(new Uint8Array([72, 101, 108, 108, 111]));
+    });
+
+    it("should handle - character (base64url for +)", () => {
+      const result = base64UrlToUint8Array("--8");
+      expect(result).toBeInstanceOf(Uint8Array);
+    });
+
+    it("should handle _ character (base64url for /)", () => {
+      const result = base64UrlToUint8Array("__8");
+      expect(result).toBeInstanceOf(Uint8Array);
+    });
+
+    it("should add padding automatically", () => {
+      // "AQ" needs padding to become "AQ==" for valid base64
+      const result = base64UrlToUint8Array("AQ");
+      expect(result).toEqual(new Uint8Array([1]));
+    });
+
+    it("should handle strings that need 1 padding char", () => {
+      // 3 chars needs 1 padding
+      const result = base64UrlToUint8Array("ABC");
+      expect(result).toBeInstanceOf(Uint8Array);
+      expect(result.length).toBe(2);
+    });
+
+    it("should handle strings that need 2 padding chars", () => {
+      // 2 chars needs 2 padding
+      const result = base64UrlToUint8Array("AB");
+      expect(result).toBeInstanceOf(Uint8Array);
+      expect(result.length).toBe(1);
+    });
+  });
+
+  describe("roundtrip encoding/decoding", () => {
+    it("should roundtrip empty array", () => {
+      const original = new Uint8Array([]);
+      const encoded = uint8ArrayToBase64Url(original);
+      const decoded = base64UrlToUint8Array(encoded);
+      expect(decoded).toEqual(original);
+    });
+
+    it("should roundtrip simple bytes", () => {
+      const original = new Uint8Array([1, 2, 3, 4, 5]);
+      const encoded = uint8ArrayToBase64Url(original);
+      const decoded = base64UrlToUint8Array(encoded);
+      expect(decoded).toEqual(original);
+    });
+
+    it("should roundtrip all byte values", () => {
+      const original = new Uint8Array(256);
+      for (let i = 0; i < 256; i++) {
+        original[i] = i;
+      }
+      const encoded = uint8ArrayToBase64Url(original);
+      const decoded = base64UrlToUint8Array(encoded);
+      expect(decoded).toEqual(original);
+    });
+
+    it("should roundtrip credential-sized payload", () => {
+      // Typical passkey credential payload: secretSeed + accountID hash
+      const original = new Uint8Array(56);
+      crypto.getRandomValues(original);
+      const encoded = uint8ArrayToBase64Url(original);
+      const decoded = base64UrlToUint8Array(encoded);
+      expect(decoded).toEqual(original);
+    });
+
+    it("should roundtrip random data of various sizes", () => {
+      for (const size of [1, 2, 3, 10, 32, 64, 100, 256]) {
+        const original = new Uint8Array(size);
+        crypto.getRandomValues(original);
+        const encoded = uint8ArrayToBase64Url(original);
+        const decoded = base64UrlToUint8Array(encoded);
+        expect(decoded).toEqual(original);
+      }
+    });
+  });
+});