Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: add MFA for WebAuthn bindings #960

Open
wants to merge 23 commits into
base: master
Choose a base branch
from
Open

fix: add MFA for WebAuthn bindings #960

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
9b74b4f
fix: update types
J0 Sep 17, 2024
41c22fb
fix: temp workaround on types
J0 Sep 19, 2024
2586cac
fix: add types for assertions
J0 Sep 19, 2024
f2ca00f
fix: implement challengeAndVerify
J0 Sep 19, 2024
1745cce
fix: swap multi-step with challengeAndVerify
J0 Sep 19, 2024
98e6416
fix: use all to account for unverified factors
J0 Sep 19, 2024
094582b
fix: add autoenroll
J0 Sep 20, 2024
7673fd9
fix: temporary commit
J0 Sep 20, 2024
d933990
fix: modify challenge types
J0 Sep 23, 2024
2112d56
fix: patch errors
J0 Sep 23, 2024
d0801e3
fix: nest credential options
J0 Sep 23, 2024
0cf58b7
fix: another temp commit
J0 Sep 23, 2024
452aee4
feat: add auth-js webauthn bindings
J0 Sep 23, 2024
a604c52
Merge branch 'master' into j0/add_webauthn
J0 Sep 30, 2024
7159833
fix: remove unneeded imports
J0 Sep 30, 2024
8819b40
fix: catch errors
J0 Oct 2, 2024
49941fa
fix: copy over startRegistration and startAuthentication instead
J0 Oct 2, 2024
a9df539
fix: condense webauthn details
J0 Oct 2, 2024
d6c313e
fix: remove redundant checks
J0 Oct 2, 2024
3abc450
fix: move verify code challenge
J0 Oct 2, 2024
00f6c1d
fix: move WebAuthn to separate branch
J0 Oct 2, 2024
f445ba5
fix: refactor into branches
J0 Oct 2, 2024
4c6f7ba
fix: refactor _challenge structure
J0 Oct 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
92 changes: 69 additions & 23 deletions src/GoTrueClient.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,12 +70,15 @@ import type {
VerifyOtpParams,
GoTrueMFAApi,
MFAEnrollParams,
MFAVerifyParams,
AuthMFAEnrollResponse,
MFAChallengeParams,
AuthMFAChallengeResponse,
MFAUnenrollParams,
AuthMFAUnenrollResponse,
MFAVerifyParams,
MFAVerifyTOTPParams,
MFAVerifyPhoneParams,
MFAVerifyWebAuthnParams,
AuthMFAVerifyResponse,
AuthMFAListFactorsResponse,
AMREntry,
Expand All @@ -88,11 +91,13 @@ import type {
LockFunc,
UserIdentity,
SignInAnonymouslyCredentials,
MFAEnrollTOTPParams,
AuthMFAEnrollTOTPResponse,
AuthMFAEnrollPhoneResponse,
AuthMFAEnrollWebAuthnResponse,
AuthMFAEnrollErrorResponse,
MFAEnrollTOTPParams,
MFAEnrollPhoneParams,
AuthMFAEnrollPhoneResponse,
MFAEnrollWebAuthnParams,
} from './lib/types'

polyfillGlobalThis() // Make "globalThis" available
Expand Down Expand Up @@ -2364,6 +2369,9 @@ export default class GoTrueClient {
private async _enroll(
params: MFAEnrollPhoneParams
): Promise<AuthMFAEnrollPhoneResponse | AuthMFAEnrollErrorResponse>
private async _enroll(
params: MFAEnrollWebAuthnParams
): Promise<AuthMFAEnrollWebAuthnResponse | AuthMFAEnrollErrorResponse>
private async _enroll(params: MFAEnrollParams): Promise<AuthMFAEnrollResponse> {
try {
return await this._useSession(async (result) => {
Expand Down Expand Up @@ -2413,34 +2421,67 @@ export default class GoTrueClient {
private async _verify(params: MFAVerifyParams): Promise<AuthMFAVerifyResponse> {
return this._acquireLock(-1, async () => {
try {
return await this._useSession(async (result) => {
const result = await this._useSession(async (result) => {
const { data: sessionData, error: sessionError } = result
if (sessionError) {
return { data: null, error: sessionError }
}

const { data, error } = await _request(
this.fetch,
'POST',
`${this.url}/factors/${params.factorId}/verify`,
{
body: { code: params.code, challenge_id: params.challengeId },
headers: this.headers,
jwt: sessionData?.session?.access_token,
if ('code' in params && 'challengeId' in params && 'factorId' in params) {
// This handles MFAVerifyTOTPParams and MFAVerifyPhoneParams
const { data, error } = await _request(
this.fetch,
'POST',
`${this.url}/factors/${params.factorId}/verify`,
{
body: {
code: params.code,
challenge_id: params.challengeId,
},
headers: this.headers,
jwt: sessionData?.session?.access_token,
}
)
if (error) {
return { data: null, error }
}
)
if (error) {
return { data: null, error }
await this._saveSession({
expires_at: Math.round(Date.now() / 1000) + data.expires_in,
...data,
})
await this._notifyAllSubscribers('MFA_CHALLENGE_VERIFIED', data)
return { data, error }
} else if ('factorType' in params && params.factorType === 'webauthn') {
// TODO: Replace the placeholder
const { data, error } = await _request(
this.fetch,
'POST',
`${this.url}/factors/verify`,
{
body: {
use_multi_step: params.useMultiStep,
factorType: params.factorType,
},
headers: this.headers,
jwt: sessionData?.session?.access_token,
}
)
if (error) {
return { data: null, error }
}
await this._saveSession({
expires_at: Math.round(Date.now() / 1000) + data.expires_in,
...data,
})
await this._notifyAllSubscribers('MFA_CHALLENGE_VERIFIED', data)
return { data, error }
}

await this._saveSession({
expires_at: Math.round(Date.now() / 1000) + data.expires_in,
...data,
})
await this._notifyAllSubscribers('MFA_CHALLENGE_VERIFIED', data)

return { data, error }
// TODO: fix this hack
// If we reach here, it means none of the conditions were met
return { data: null, error: new Error('Invalid MFA parameters') }
})
// TODO: Fix thsi hack
return result
} catch (error) {
if (isAuthError(error)) {
return { data: null, error }
Expand Down Expand Up @@ -2526,11 +2567,16 @@ export default class GoTrueClient {
(factor) => factor.factor_type === 'phone' && factor.status === 'verified'
)

const webauthn = factors.filter(
(factor) => factor.factor_type === 'webauthn' && factor.status === 'verified'
)

return {
data: {
all: factors,
totp,
phone,
webauthn,
},
error: null,
}
Expand Down
57 changes: 52 additions & 5 deletions src/lib/types.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -808,6 +808,7 @@ export type MFAEnrollTOTPParams = {
/** Human readable name assigned to the factor. */
friendlyName?: string
}

export type MFAEnrollPhoneParams = {
/** The type of factor being enrolled. */
factorType: 'phone'
Expand All @@ -816,14 +817,20 @@ export type MFAEnrollPhoneParams = {
/** Phone number associated with a factor. Number should conform to E.164 format */
phone: string
}
export type MFAEnrollParams = MFAEnrollTOTPParams | MFAEnrollPhoneParams

export type MFAUnenrollParams = {
/** ID of the factor being unenrolled. */
factorId: string
export type MFAEnrollWebAuthnParams = {
/** The type of factor being enrolled. */
factorType: 'webauthn'
/** Domain which the user is enrolled with. */
issuer?: string
/** Human readable name assigned to the factor. */
friendlyName?: string

/** Have the Auth client library handle the browser-authenticator interaction for you */
useMultiStep?: boolean
}

export type MFAVerifyParams = {
export type MFAVerifyTOTPParams = {
/** ID of the factor being verified. Returned in enroll(). */
factorId: string

Expand All @@ -834,6 +841,26 @@ export type MFAVerifyParams = {
code: string
}

// Declared as a separate type to allow for future changes
export type MFAVerifyPhoneParams = MFAVerifyTOTPParams

export type MFAVerifyWebAuthnParams = {
/** The type of factor being enrolled. */
factorType: 'webauthn'

/** Have the Auth client library handle the browser-authenticator interaction for you */
useMultiStep?: boolean
}

export type MFAEnrollParams = MFAEnrollTOTPParams | MFAEnrollPhoneParams | MFAEnrollWebAuthnParams

export type MFAVerifyParams = MFAVerifyTOTPParams | MFAVerifyPhoneParams | MFAVerifyWebAuthnParams

export type MFAUnenrollParams = {
/** ID of the factor being unenrolled. */
factorId: string
}

export type MFAChallengeParams = {
/** ID of the factor to be challenged. Returned in enroll(). */
factorId: string
Expand Down Expand Up @@ -918,13 +945,30 @@ export type AuthMFAEnrollPhoneResponse = {
}
error: null
}

export type AuthMFAEnrollWebAuthnResponse = {
data: {
/** ID of the factor that was just enrolled (in an unverified state). */
id: string

/** Type of MFA factor. */
type: 'phone'
J0 marked this conversation as resolved.
Show resolved Hide resolved

/** Friendly name of the factor, useful for distinguishing between factors **/
friendly_name?: string
}
error: null
}

export type AuthMFAEnrollErrorResponse = {
data: null
error: AuthError
}

export type AuthMFAEnrollResponse =
| AuthMFAEnrollTOTPResponse
| AuthMFAEnrollPhoneResponse
| AuthMFAEnrollWebAuthnResponse
| AuthMFAEnrollErrorResponse

export type AuthMFAUnenrollResponse =
Expand Down Expand Up @@ -963,6 +1007,9 @@ export type AuthMFAListFactorsResponse =
totp: Factor[]
/** Only verified Phone factors. (A subset of `all`.) */
phone: Factor[]
/** Only verified Phone factors. (A subset of `all`.) */
// TODO: Hgihglight that it's not webAuthn since totp and phone it's lower case, and then delete this comment.
webauthn: Factor[]
}
error: null
}
Expand Down