Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: WebAuthN Sign In, Sign Up and Options methods support - NEW #952

Merged
merged 26 commits into from
Nov 25, 2024
Merged

feat: WebAuthN Sign In, Sign Up and Options methods support - NEW #952

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
c57b645
add initial passkey types
niftyvictor Oct 10, 2024
56422f3
passkey types cleanup
niftyvictor Oct 11, 2024
f102128
added untested support for options, sign in and sign up methods
niftyvictor Oct 16, 2024
de9fb88
Merge branch 'feat/webauthn/base' into feat/webauthn/basic-methods
niftyvictor Oct 16, 2024
40bd6e9
updated types based on pr changes
niftyvictor Oct 17, 2024
e150fc2
pr changes. removed incorrect errors and added missing ones
niftyvictor Oct 18, 2024
8c8d711
added missing user type
niftyvictor Oct 18, 2024
ced57b1
added webauthn details to user object
niftyvictor Oct 18, 2024
fbbed56
pr fixes. centralized error types and added crud for credentials
niftyvictor Oct 21, 2024
64a4a6b
pr fixes
niftyvictor Oct 21, 2024
3186aa5
pr fixes and added decode method
niftyvictor Oct 21, 2024
3fa31ce
added types implementation and minor fixes
niftyvictor Oct 28, 2024
177b580
pr fixes
niftyvictor Oct 28, 2024
5d1363e
pr fixes and cleanup
niftyvictor Oct 28, 2024
57e210d
pr fixes
niftyvictor Oct 28, 2024
ea42bd1
updated initial recipe implementation
niftyvictor Oct 29, 2024
b8cffc1
fixed implementation
niftyvictor Nov 6, 2024
bf9e00f
added basic build
niftyvictor Nov 8, 2024
b44752f
added basic build exports
niftyvictor Nov 8, 2024
dba5cda
pr fixes
niftyvictor Nov 8, 2024
c84a76a
pr fixes
niftyvictor Nov 8, 2024
3649b45
pr fixes
niftyvictor Nov 12, 2024
3bb7234
pr fixes
niftyvictor Nov 12, 2024
ce371d1
pr fixes
niftyvictor Nov 12, 2024
d356701
added missing default email delivery implementation
niftyvictor Nov 25, 2024
e743046
added basic tests and mock
niftyvictor Nov 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 22 additions & 25 deletions lib/ts/recipe/webauthn/api/implementation.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ export default function getAPIImplementation(): APIInterface {
}
| { status: "RECOVER_ACCOUNT_TOKEN_INVALID_ERROR" }
| { status: "EMAIL_MISSING_ERROR" }
| { status: "REGISTER_OPTIONS_NOT_ALLOWED"; reason: string }
> {
const relyingPartyId = await options.config.relyingPartyId({
tenantId,
Expand Down Expand Up @@ -543,7 +544,7 @@ export default function getAPIImplementation(): APIInterface {
| {
status: "OK";
}
| { status: "ACCOUNT_RECOVERY_NOT_ALLOWED"; reason: string }
| { status: "RECOVER_ACCOUNT_NOT_ALLOWED"; reason: string }
| GeneralErrorResponse
> {
// NOTE: Check for email being a non-string value. This check will likely
Expand All @@ -562,7 +563,7 @@ export default function getAPIImplementation(): APIInterface {
| {
status: "OK";
}
| { status: "ACCOUNT_RECOVERY_NOT_ALLOWED"; reason: string }
| { status: "RECOVER_ACCOUNT_NOT_ALLOWED"; reason: string }
| GeneralErrorResponse
> {
// the user ID here can be primary or recipe level.
Expand All @@ -575,7 +576,7 @@ export default function getAPIImplementation(): APIInterface {

if (response.status === "UNKNOWN_USER_ID_ERROR") {
logDebugMessage(
`Account recovery email not sent, unknown user id: ${
`Recover account email not sent, unknown user id: ${
recipeUserId === undefined ? primaryUserId : recipeUserId.getAsString()
}`
);
Expand All @@ -592,7 +593,7 @@ export default function getAPIImplementation(): APIInterface {
userContext,
});

logDebugMessage(`Sending account recovery email to ${email}`);
logDebugMessage(`Sending recover account email to ${email}`);
await options.emailDelivery.ingredientInterfaceImpl.sendEmail({
tenantId,
type: "RECOVER_ACCOUNT",
Expand Down Expand Up @@ -639,10 +640,10 @@ export default function getAPIImplementation(): APIInterface {
let primaryUserAssociatedWithEmail = users.find((u) => u.isPrimaryUser);

// first we check if there even exists a primary user that has the input email
// if not, then we do the regular flow for account recovery
// if not, then we do the regular flow for recover account
if (primaryUserAssociatedWithEmail === undefined) {
if (webauthnAccount === undefined) {
logDebugMessage(`Account recovery email not sent, unknown user email: ${email}`);
logDebugMessage(`Recover account email not sent, unknown user email: ${email}`);
return {
status: "OK",
};
Expand Down Expand Up @@ -675,9 +676,9 @@ export default function getAPIImplementation(): APIInterface {

if (!emailVerified && hasOtherEmailOrPhone) {
return {
status: "ACCOUNT_RECOVERY_NOT_ALLOWED",
status: "RECOVER_ACCOUNT_NOT_ALLOWED",
reason:
"Account recovery link was not created because of account take over risk. Please contact support. (ERR_CODE_001)",
"Recover account link was not created because of account take over risk. Please contact support. (ERR_CODE_001)",
};
}

Expand All @@ -704,12 +705,12 @@ export default function getAPIImplementation(): APIInterface {
// met.

// But first we must check if account linking is enabled at all - cause if it's
// not, then the new webauthn user that will be created in account recovery
// not, then the new webauthn user that will be created in recover account
// code consume cannot be linked to the primary user - therefore, we should
// not generate a account recovery reset token
// not generate a recover account reset token
if (!shouldDoAccountLinkingResponse.shouldAutomaticallyLink) {
logDebugMessage(
`Account recovery email not sent, since webauthn user didn't exist, and account linking not enabled`
`Recover account email not sent, since webauthn user didn't exist, and account linking not enabled`
);
return {
status: "OK",
Expand All @@ -733,7 +734,7 @@ export default function getAPIImplementation(): APIInterface {
return await generateAndSendRecoverAccountToken(primaryUserAssociatedWithEmail.id, undefined);
} else {
logDebugMessage(
`Account recovery email not sent, isSignUpAllowed returned false for email: ${email}`
`Recover account email not sent, isSignUpAllowed returned false for email: ${email}`
);
return {
status: "OK",
Expand Down Expand Up @@ -772,7 +773,7 @@ export default function getAPIImplementation(): APIInterface {

It is important to realize that the attacker had created another account with A because if they hadn't done that, then they wouldn't have access to this account after the real user recovers the account which is why it is important to check there is another non-webauthn account linked to the primary such that the email is not the same as B.

Exception to the above is that, if there is a third recipe account linked to the above two accounts and has B as verified, then we should allow account recovery token generation because user has already proven that the owns the email B
Exception to the above is that, if there is a third recipe account linked to the above two accounts and has B as verified, then we should allow recover account token generation because user has already proven that the owns the email B
*/

// But first, this only matters it the user cares about checking for email verification status..
Expand Down Expand Up @@ -801,7 +802,7 @@ export default function getAPIImplementation(): APIInterface {
webauthnAccount.recipeUserId
);
},
recoverAccountTokenPOST: async function ({
recoverAccountPOST: async function ({
webauthnGeneratedOptionsId,
credential,
token,
Expand Down Expand Up @@ -891,10 +892,10 @@ export default function getAPIImplementation(): APIInterface {
// status: "OK"

// If the update was successful, we try to mark the email as verified.
// We do this because we assume that the account recovery token was delivered by email (and to the appropriate email address)
// We do this because we assume that the recover account token was delivered by email (and to the appropriate email address)
// so consuming it means that the user actually has access to the emails we send.

// We only do this if the account recovery was successful, otherwise the following scenario is possible:
// We only do this if the recover account was successful, otherwise the following scenario is possible:
// 1. User M: signs up using the email of user V with their own credential. They can't validate the email, because it is not their own.
// 2. User A: tries signing up but sees the email already exists message
// 3. User A: recovers the account, but somehow this fails
Expand All @@ -903,7 +904,7 @@ export default function getAPIImplementation(): APIInterface {
// We refresh the user information here, because the verification status may be updated, which is used during linking.
const updatedUserAfterEmailVerification = await getUser(recipeUserId.getAsString(), userContext);
if (updatedUserAfterEmailVerification === undefined) {
throw new Error("Should never happen - user deleted after during account recovery");
throw new Error("Should never happen - user deleted after during recover account");
}

if (updatedUserAfterEmailVerification.isPrimaryUser) {
Expand Down Expand Up @@ -948,10 +949,6 @@ export default function getAPIImplementation(): APIInterface {
// todo decide how to handle these
if (tokenConsumptionResponse.status === "RECOVER_ACCOUNT_TOKEN_INVALID_ERROR") {
return tokenConsumptionResponse;
} else if (tokenConsumptionResponse.status === "WRONG_CREDENTIALS_ERROR") {
return tokenConsumptionResponse;
} else if (tokenConsumptionResponse.status === "INVALID_AUTHENTICATOR_ERROR") {
return tokenConsumptionResponse;
}

let userIdForWhomTokenWasGenerated = tokenConsumptionResponse.userId;
Expand Down Expand Up @@ -984,7 +981,7 @@ export default function getAPIImplementation(): APIInterface {
// resolve to false anyway, and that's what we want.

// there is an edge case where if the webauthn recipe user was created
// after the account recovery token generation, and it was linked to the
// after the recover account token generation, and it was linked to the
// primary user id (userIdForWhomTokenWasGenerated), in this case,
// we still don't allow credntials update, cause the user should try again
// and the token should be regenerated for the right recipe user.
Expand All @@ -1009,7 +1006,7 @@ export default function getAPIImplementation(): APIInterface {
// invalid error and the user can try again.

// NOTE: We do not ask the dev if we should do account linking or not here
// cause we already have asked them this when generating an account recovery reset token.
// cause we already have asked them this when generating an recover account reset token.
// In the edge case that the dev changes account linking allowance from true to false
// when it comes here, only a new recipe user id will be created and not linked
// cause createPrimaryUserIdOrLinkAccounts will disallow linking. This doesn't
Expand All @@ -1034,7 +1031,7 @@ export default function getAPIImplementation(): APIInterface {
status: "RECOVER_ACCOUNT_TOKEN_INVALID_ERROR",
};
} else {
// we mark the email as verified because account recovery also requires
// we mark the email as verified because recover account also requires
// access to the email to work.. This has a good side effect that
// any other login method with the same email in existingAccount will also get marked
// as verified.
Expand All @@ -1044,7 +1041,7 @@ export default function getAPIImplementation(): APIInterface {
);
const updatedUser = await getUser(createUserResponse.user.id, userContext);
if (updatedUser === undefined) {
throw new Error("Should never happen - user deleted after during account recovery");
throw new Error("Should never happen - user deleted after during recover account");
}
createUserResponse.user = updatedUser;
// Now we try and link the accounts. The function below will try and also
Expand Down
8 changes: 4 additions & 4 deletions lib/ts/recipe/webauthn/api/recoverAccount.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ export default async function recoverAccount(
): Promise<boolean> {
// Logic as per https://github.com/supertokens/supertokens-node/issues/22#issuecomment-710512442
porcellus marked this conversation as resolved.
Show resolved Hide resolved

if (apiImplementation.recoverAccountTokenPOST === undefined) {
if (apiImplementation.recoverAccountPOST === undefined) {
return false;
}

Expand All @@ -41,17 +41,17 @@ export default async function recoverAccount(
if (token === undefined) {
throw new STError({
type: STError.BAD_INPUT_ERROR,
message: "Please provide the account recovery token",
message: "Please provide the recover account token",
});
}
if (typeof token !== "string") {
throw new STError({
type: STError.BAD_INPUT_ERROR,
message: "The account recovery token must be a string",
message: "The recover account token must be a string",
});
}

let result = await apiImplementation.recoverAccountTokenPOST({
let result = await apiImplementation.recoverAccountPOST({
webauthnGeneratedOptionsId,
credential,
token,
Expand Down
2 changes: 1 addition & 1 deletion lib/ts/recipe/webauthn/core-mock.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ export const getMockQuerier = (recipeId: string) => {
// // @ts-ignore
// return {
// status: "OK",
// token: "dummy-recovery-token",
// token: "dummy-recover-token",
// };
// } else if (path.getAsStringDangerous().includes("/recipe/webauthn/user/recover/token/consume")) {
// // @ts-ignore
Expand Down
2 changes: 1 addition & 1 deletion lib/ts/recipe/webauthn/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ import {
DEFAULT_REGISTER_OPTIONS_USER_VERIFICATION,
DEFAULT_SIGNIN_OPTIONS_USER_VERIFICATION,
} from "./constants";
import { updateEmailOrPassword } from "../emailpassword/index";

export default class Wrapper {
static init = Recipe.init;
Expand Down Expand Up @@ -78,6 +77,7 @@ export default class Wrapper {
}
| { status: "RECOVER_ACCOUNT_TOKEN_INVALID_ERROR" }
| { status: "EMAIL_MISSING_ERROR" }
| { status: "INVALID_EMAIL_ERROR" }
> {
return Recipe.getInstanceOrThrowError().recipeInterfaceImpl.registerOptions({
requireResidentKey: DEFAULT_REGISTER_OPTIONS_REQUIRE_RESIDENT_KEY,
Expand Down
Loading
Loading