feat: add passkey-first login and management flow

2026-06-20 21:00:41 +00:00 · 2026-03-31 00:59:50 +08:00
parent 1184cb8d9a
commit 0f6da7d147
16 changed files with 799 additions and 6 deletions
@@ -8,6 +8,7 @@ import type {
  TokenSuccess,
 } from '../types';
 import { parseJson, type AuthedFetch, type SessionSetter } from './shared';
+import { createPasskeyCredential, requestPasskeyAssertion } from '../passkey';

 const SESSION_KEY = 'nodewarden.web.session.v4';
 const DEVICE_IDENTIFIER_KEY = 'nodewarden.web.device.identifier.v1';
@@ -26,6 +27,14 @@ export interface PreloginKdfConfig {
  kdfParallelism: number | null;
 }

+export interface AccountPasskey {
+  id: string;
+  name: string;
+  creationDate: string;
+  revisionDate: string;
+  lastUsedDate: string | null;
+}
+
 function randomHex(length: number): string {
  const bytes = crypto.getRandomValues(new Uint8Array(Math.max(1, Math.ceil(length / 2))));
  return Array.from(bytes).map((b) => b.toString(16).padStart(2, '0')).join('').slice(0, length);
@@ -197,6 +206,84 @@ export async function refreshAccessToken(refreshToken: string): Promise<TokenSuc
  return json || null;
 }

+export async function listAccountPasskeys(authedFetch: AuthedFetch): Promise<AccountPasskey[]> {
+  const resp = await authedFetch('/api/accounts/passkeys');
+  if (!resp.ok) throw new Error('Failed to load passkeys');
+  const body = (await parseJson<{ data?: AccountPasskey[] }>(resp)) || {};
+  return Array.isArray(body.data) ? body.data : [];
+}
+
+export async function registerAccountPasskey(authedFetch: AuthedFetch, name: string, session: SessionState): Promise<void> {
+  const beginResp = await authedFetch('/api/accounts/passkeys/begin-registration', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: '{}',
+  });
+  if (!beginResp.ok) throw new Error('Failed to start passkey registration');
+  const begin = (await parseJson<{ challengeId: string; publicKey: Record<string, any> }>(beginResp)) || {};
+  if (!begin.challengeId || !begin.publicKey) throw new Error('Invalid registration challenge');
+
+  const credential = await createPasskeyCredential(begin.publicKey);
+  const finishResp = await authedFetch('/api/accounts/passkeys/finish-registration', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      challengeId: begin.challengeId,
+      name,
+      wrappedVaultKeys: JSON.stringify({
+        symEncKey: session.symEncKey || '',
+        symMacKey: session.symMacKey || '',
+      }),
+      credential,
+    }),
+  });
+  if (!finishResp.ok) {
+    const err = await parseJson<TokenError>(finishResp);
+    throw new Error(err?.error_description || err?.error || 'Failed to finish passkey registration');
+  }
+}
+
+export async function renameAccountPasskey(authedFetch: AuthedFetch, passkeyId: string, name: string): Promise<void> {
+  const resp = await authedFetch(`/api/accounts/passkeys/${passkeyId}`, {
+    method: 'PATCH',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ name }),
+  });
+  if (!resp.ok) throw new Error('Failed to rename passkey');
+}
+
+export async function deleteAccountPasskey(authedFetch: AuthedFetch, passkeyId: string): Promise<void> {
+  const resp = await authedFetch(`/api/accounts/passkeys/${passkeyId}`, { method: 'DELETE' });
+  if (!resp.ok && resp.status !== 204) throw new Error('Failed to delete passkey');
+}
+
+export async function loginWithPasskey(email?: string, totpCode?: string): Promise<TokenSuccess | TokenError> {
+  const beginResp = await fetch('/identity/passkeys/begin-login', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ email: String(email || '').trim().toLowerCase() || undefined }),
+  });
+  if (!beginResp.ok) return ((await parseJson<TokenError>(beginResp)) || {});
+  const begin = (await parseJson<{ challengeId: string; publicKey: Record<string, any> }>(beginResp)) || {};
+  if (!begin.challengeId || !begin.publicKey) return { error: 'Passkey challenge missing' };
+
+  const credential = await requestPasskeyAssertion(begin.publicKey);
+  const finishResp = await fetch('/identity/passkeys/finish-login', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      challengeId: begin.challengeId,
+      credential,
+      deviceIdentifier: getOrCreateDeviceIdentifier(),
+      deviceName: guessDeviceName(),
+      deviceType: '14',
+      twoFactorToken: totpCode || undefined,
+    }),
+  });
+  const result = (await parseJson<TokenSuccess & TokenError>(finishResp)) || {};
+  return result;
+}
+
 export async function registerAccount(args: {
  email: string;
  name: string;
@@ -4,6 +4,7 @@ import {
  getProfile,
  loadSession,
  loginWithPassword,
+  loginWithPasskey,
  refreshAccessToken,
  recoverTwoFactor,
  registerAccount,
@@ -46,6 +47,11 @@ export type PasswordLoginResult =
  | { kind: 'totp'; pendingTotp: PendingTotp }
  | { kind: 'error'; message: string };

+export type PasskeyLoginResult =
+  | { kind: 'success'; login: CompletedLogin }
+  | { kind: 'totp' }
+  | { kind: 'error'; message: string };
+
 export interface RecoverTwoFactorResult {
  login: CompletedLogin | null;
  newRecoveryCode: string | null;
@@ -359,3 +365,30 @@ export async function performUnlock(
  }
  return { ...refreshedSession, ...keys };
 }
+
+export async function performPasskeyLogin(email: string, totpCode?: string): Promise<PasskeyLoginResult> {
+  const token = await loginWithPasskey(email, totpCode);
+  if ('access_token' in token && token.access_token) {
+    const normalizedEmail = String(email || '').trim().toLowerCase();
+    const baseSession: SessionState = {
+      accessToken: token.access_token,
+      refreshToken: token.refresh_token,
+      email: normalizedEmail,
+      symEncKey: token.VaultKeys?.symEncKey,
+      symMacKey: token.VaultKeys?.symMacKey,
+    };
+    const tempFetch = createAuthedFetch(() => baseSession, () => {});
+    const profile = buildTransientProfile(token, normalizedEmail);
+    return {
+      kind: 'success',
+      login: {
+        session: baseSession,
+        profile,
+        profilePromise: getProfile(tempFetch),
+      },
+    };
+  }
+  const tokenError = token as { TwoFactorProviders?: unknown; error_description?: string; error?: string };
+  if (tokenError.TwoFactorProviders) return { kind: 'totp' };
+  return { kind: 'error', message: tokenError.error_description || tokenError.error || 'Passkey login failed' };
+}
@@ -0,0 +1,72 @@
+function base64UrlToBytes(input: string): Uint8Array {
+  const normalized = String(input || '').replace(/-/g, '+').replace(/_/g, '/');
+  const padded = normalized + '='.repeat((4 - (normalized.length % 4 || 4)) % 4);
+  const binary = atob(padded);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i += 1) out[i] = binary.charCodeAt(i);
+  return out;
+}
+
+function bytesToBase64Url(bytes: ArrayBuffer | Uint8Array): string {
+  const view = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+  let binary = '';
+  for (const b of view) binary += String.fromCharCode(b);
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}
+
+export function passkeySupported(): boolean {
+  return typeof window !== 'undefined' && !!window.PublicKeyCredential;
+}
+
+export async function createPasskeyCredential(publicKey: Record<string, any>): Promise<any> {
+  const options: PublicKeyCredentialCreationOptions = {
+    ...(publicKey as PublicKeyCredentialCreationOptions),
+    challenge: base64UrlToBytes(publicKey.challenge),
+    user: {
+      ...publicKey.user,
+      id: base64UrlToBytes(publicKey.user.id),
+    },
+    excludeCredentials: Array.isArray(publicKey.excludeCredentials)
+      ? publicKey.excludeCredentials.map((item: any) => ({ ...item, id: base64UrlToBytes(item.id) }))
+      : [],
+  };
+
+  const credential = (await navigator.credentials.create({ publicKey: options })) as PublicKeyCredential | null;
+  if (!credential) throw new Error('Passkey creation was cancelled');
+  const response = credential.response as AuthenticatorAttestationResponse;
+
+  return {
+    id: credential.id,
+    rawId: bytesToBase64Url(credential.rawId),
+    type: credential.type,
+    response: {
+      clientDataJSON: bytesToBase64Url(response.clientDataJSON),
+      attestationObject: bytesToBase64Url(response.attestationObject),
+    },
+  };
+}
+
+export async function requestPasskeyAssertion(publicKey: Record<string, any>): Promise<any> {
+  const options: PublicKeyCredentialRequestOptions = {
+    ...(publicKey as PublicKeyCredentialRequestOptions),
+    challenge: base64UrlToBytes(publicKey.challenge),
+    allowCredentials: Array.isArray(publicKey.allowCredentials)
+      ? publicKey.allowCredentials.map((item: any) => ({ ...item, id: base64UrlToBytes(item.id) }))
+      : undefined,
+  };
+
+  const credential = (await navigator.credentials.get({ publicKey: options })) as PublicKeyCredential | null;
+  if (!credential) throw new Error('Passkey login was cancelled');
+  const response = credential.response as AuthenticatorAssertionResponse;
+  return {
+    id: credential.id,
+    rawId: bytesToBase64Url(credential.rawId),
+    type: credential.type,
+    response: {
+      clientDataJSON: bytesToBase64Url(response.clientDataJSON),
+      authenticatorData: bytesToBase64Url(response.authenticatorData),
+      signature: bytesToBase64Url(response.signature),
+      userHandle: response.userHandle ? bytesToBase64Url(response.userHandle) : null,
+    },
+  };
+}
@@ -290,6 +290,10 @@ export interface TokenSuccess {
  unofficialServer?: boolean;
  UserDecryptionOptions?: unknown;
  userDecryptionOptions?: unknown;
+  VaultKeys?: {
+    symEncKey?: string;
+    symMacKey?: string;
+  };
 }

 export interface TokenError {