sirtimbly/bewcloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3fdda5b34e122a4f0d2e1193e70253bffbc97300
bewcloud/routes/api/auth/multi-factor/passkey/setup-complete.ts
0xGingi 455a7201e9 Add Optional 2FA Support (#61) 
* Add TOTP MFA Support

* Add Passkey MFA Support

It's not impossible I missed some minor cleanup, but most things make sense and there isn't a lot of obvious duplication anymore.

---------

Co-authored-by: Bruno Bernardino <me@brunobernardino.com>
2025-05-29 17:30:28 +01:00

103 lines
3.1 KiB
TypeScript
Raw Blame History

import { Handlers } from 'fresh/server.ts';
import { isoBase64URL } from '@simplewebauthn/server/helpers';
import { RegistrationResponseJSON } from '@simplewebauthn/server';
import { FreshContextState } from '/lib/types.ts';
import { PasskeyModel } from '/lib/models/multi-factor-auth/passkey.ts';
import { UserModel } from '/lib/models/user.ts';
import { AppConfig } from '/lib/config.ts';
export interface RequestBody {
methodId: string;
challenge: string;
registrationResponse: RegistrationResponseJSON;
}
export interface ResponseBody {
success: boolean;
error?: string;
}
export const handler: Handlers<unknown, FreshContextState> = {
async POST(request, context) {
if (!context.state.user) {
return new Response('Unauthorized', { status: 401 });
}
const isMultiFactorAuthEnabled = await AppConfig.isMultiFactorAuthEnabled();
if (!isMultiFactorAuthEnabled) {
const responseBody: ResponseBody = {
success: false,
error: 'Passwordless passkey login requires multi-factor authentication to be enabled.',
};
return new Response(JSON.stringify(responseBody), { status: 403 });
}
const { user } = context.state;
const body = await request.clone().json() as RequestBody;
const { methodId, challenge, registrationResponse } = body;
if (!methodId || !challenge || !registrationResponse) {
const responseBody: ResponseBody = {
success: false,
error: 'Method ID, challenge, and registration response are required',
};
return new Response(JSON.stringify(responseBody), { status: 400 });
}
const config = await AppConfig.getConfig();
const expectedOrigin = config.auth.baseUrl;
const expectedRPID = new URL(config.auth.baseUrl).hostname;
const verification = await PasskeyModel.verifyRegistration(
registrationResponse,
challenge,
expectedOrigin,
expectedRPID,
);
if (!verification.verified || !verification.registrationInfo) {
const responseBody: ResponseBody = {
success: false,
error: 'Passkey registration verification failed',
};
return new Response(JSON.stringify(responseBody), { status: 400 });
}
const { registrationInfo } = verification;
const credentialID = registrationInfo.credential.id;
const credentialPublicKey = isoBase64URL.fromBuffer(registrationInfo.credential.publicKey);
const method = PasskeyModel.createMethod(
methodId,
'Passkey',
credentialID,
credentialPublicKey,
registrationInfo.credential.counter,
registrationInfo.credentialDeviceType,
registrationInfo.credentialBackedUp,
// @ts-expect-error SimpleWebAuthn supports a few more transports, and that's OK
registrationResponse.response?.transports || [],
);
if (!user.extra.multi_factor_auth_methods) {
user.extra.multi_factor_auth_methods = [];
}
user.extra.multi_factor_auth_methods.push(method);
await UserModel.update(user);
const responseBody: ResponseBody = {
success: true,
};
return new Response(JSON.stringify(responseBody));
},
};
Reference in New Issue View Git Blame Copy Permalink