wip: test

apps/remix/app/lib/auth-client.ts

@@ -0,0 +1,13 @@
+import { twoFactor } from 'better-auth/plugins';
+import { createAuthClient } from 'better-auth/react';
+
+import { passkeyClientPlugin } from './auth/passkey-plugin/client';
+
+// make sure to import from better-auth/react
+
+export const authClient = createAuthClient({
+  baseURL: 'http://localhost:3000',
+  plugins: [twoFactor(), passkeyClientPlugin()],
+});
+
+export const { signIn, signOut, useSession } = authClient;

apps/remix/app/lib/auth.server.ts

@@ -0,0 +1,112 @@
+import { compare, hash } from '@node-rs/bcrypt';
+import { betterAuth } from 'better-auth';
+import { prismaAdapter } from 'better-auth/adapters/prisma';
+import { twoFactor } from 'better-auth/plugins';
+
+import { getAuthenticatorOptions } from '@documenso/lib/utils/authenticator';
+import { prisma } from '@documenso/prisma';
+
+import { passkeyPlugin } from './auth/passkey-plugin';
+
+// todo: import from @documenso/lib/constants/auth
+export const SALT_ROUNDS = 12;
+
+const passkeyOptions = getAuthenticatorOptions();
+
+export const auth = betterAuth({
+  appName: 'Documenso',
+  plugins: [
+    twoFactor({
+      issuer: 'Documenso',
+      skipVerificationOnEnable: true,
+      // totpOptions: {
+
+      // },
+      schema: {
+        twoFactor: {
+          modelName: 'TwoFactor',
+          fields: {
+            userId: 'userId',
+            secret: 'secret',
+            backupCodes: 'backupCodes',
+          },
+        },
+      },
+      // todo: add options
+    }),
+    passkeyPlugin(),
+    // passkey({
+    //   rpID: passkeyOptions.rpId,
+    //   rpName: passkeyOptions.rpName,
+    //   origin: passkeyOptions.origin,
+    //   schema: {
+    //     passkey: {
+    //       fields: {
+    //         publicKey: 'credentialPublicKey',
+    //         credentialID: 'credentialId',
+    //         deviceType: 'credentialDeviceType',
+    //         backedUp: 'credentialBackedUp',
+    //         // transports: '',
+    //       },
+    //     },
+    //   },
+    // }),
+  ],
+  secret: 'secret', // todo
+  database: prismaAdapter(prisma, {
+    provider: 'postgresql',
+  }),
+  databaseHooks: {
+    account: {
+      create: {
+        before: (session) => {
+          return {
+            data: {
+              ...session,
+              accountId: session.accountId.toString(),
+            },
+          };
+        },
+      },
+    },
+  },
+  session: {
+    fields: {
+      token: 'sessionToken',
+      expiresAt: 'expires',
+    },
+  },
+  user: {
+    fields: {
+      emailVerified: 'isEmailVerified',
+    },
+  },
+  account: {
+    fields: {
+      providerId: 'provider',
+      accountId: 'providerAccountId',
+      refreshToken: 'refresh_token',
+      accessToken: 'access_token',
+      idToken: 'id_token',
+    },
+  },
+  advanced: {
+    generateId: false,
+  },
+  socialProviders: {
+    google: {
+      clientId: '',
+      clientSecret: '',
+    },
+  },
+  emailAndPassword: {
+    enabled: true,
+    requireEmailVerification: false,
+    // maxPasswordLength: 128,
+    // minPasswordLength: 8,
+    password: {
+      hash: async (password) => hash(password, SALT_ROUNDS),
+      verify: async ({ hash, password }) => compare(password, hash),
+    },
+  },
+});

apps/remix/app/lib/auth/passkey-plugin/client.ts

@@ -0,0 +1,24 @@
+import type { BetterAuthClientPlugin } from 'better-auth';
+
+import type { passkeyPlugin } from './index';
+
+type PasskeyPlugin = typeof passkeyPlugin;
+
+export const passkeyClientPlugin = () => {
+  const passkeySignin = () => {
+    //
+    // credential: JSON.stringify(credential),
+    // callbackUrl,
+  };
+
+  return {
+    id: 'passkeyPlugin',
+    getActions: () => ({
+      signIn: {
+        passkey: () => passkeySignin,
+      },
+    }),
+    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+    $InferServerPlugin: {} as ReturnType<PasskeyPlugin>,
+  } satisfies BetterAuthClientPlugin;
+};

apps/remix/app/lib/auth/passkey-plugin/index.ts

@@ -0,0 +1,165 @@
+import type { BetterAuthPlugin } from 'better-auth';
+import { createAuthEndpoint, createAuthMiddleware } from 'better-auth/plugins';
+
+export const passkeyPlugin = () =>
+  ({
+    id: 'passkeyPlugin',
+    schema: {
+      user: {
+        fields: {
+          // twoFactorEnabled: {
+          //   type: 'boolean',
+          //   required: false,
+          // },
+          // twoFactorBackupCodes: {
+          //   type: 'string',
+          //   required: false,
+          // },
+          // twoFactorSecret: {
+          //   type: 'string',
+          //   required: false,
+          // },
+          // birthday: {
+          //   type: 'date', // string, number, boolean, date
+          //   required: true, // if the field should be required on a new record. (default: false)
+          //   unique: false, // if the field should be unique. (default: false)
+          //   reference: null, // if the field is a reference to another table. (default: null)
+          // },
+        },
+      },
+    },
+    endpoints: {
+      authorize: createAuthEndpoint(
+        '/passkey/authorize',
+        {
+          method: 'POST',
+          // use: [],
+        },
+        async (ctx) => {
+          const csrfToken = credentials?.csrfToken;
+
+          if (typeof csrfToken !== 'string' || csrfToken.length === 0) {
+            throw new AppError(AppErrorCode.INVALID_REQUEST);
+          }
+
+          let requestBodyCrediential: TAuthenticationResponseJSONSchema | null = null;
+
+          try {
+            const parsedBodyCredential = JSON.parse(req.body?.credential);
+            requestBodyCrediential = ZAuthenticationResponseJSONSchema.parse(parsedBodyCredential);
+          } catch {
+            throw new AppError(AppErrorCode.INVALID_REQUEST);
+          }
+
+          const challengeToken = await prisma.anonymousVerificationToken
+            .delete({
+              where: {
+                id: csrfToken,
+              },
+            })
+            .catch(() => null);
+
+          if (!challengeToken) {
+            return null;
+          }
+
+          if (challengeToken.expiresAt < new Date()) {
+            throw new AppError(AppErrorCode.EXPIRED_CODE);
+          }
+
+          const passkey = await prisma.passkey.findFirst({
+            where: {
+              credentialId: Buffer.from(requestBodyCrediential.id, 'base64'),
+            },
+            include: {
+              User: {
+                select: {
+                  id: true,
+                  email: true,
+                  name: true,
+                  emailVerified: true,
+                },
+              },
+            },
+          });
+
+          if (!passkey) {
+            throw new AppError(AppErrorCode.NOT_SETUP);
+          }
+
+          const user = passkey.User;
+
+          const { rpId, origin } = getAuthenticatorOptions();
+
+          const verification = await verifyAuthenticationResponse({
+            response: requestBodyCrediential,
+            expectedChallenge: challengeToken.token,
+            expectedOrigin: origin,
+            expectedRPID: rpId,
+            authenticator: {
+              credentialID: new Uint8Array(Array.from(passkey.credentialId)),
+              credentialPublicKey: new Uint8Array(passkey.credentialPublicKey),
+              counter: Number(passkey.counter),
+            },
+          }).catch(() => null);
+
+          const requestMetadata = extractNextAuthRequestMetadata(req);
+
+          if (!verification?.verified) {
+            await prisma.userSecurityAuditLog.create({
+              data: {
+                userId: user.id,
+                ipAddress: requestMetadata.ipAddress,
+                userAgent: requestMetadata.userAgent,
+                type: UserSecurityAuditLogType.SIGN_IN_PASSKEY_FAIL,
+              },
+            });
+
+            return null;
+          }
+
+          await prisma.passkey.update({
+            where: {
+              id: passkey.id,
+            },
+            data: {
+              lastUsedAt: new Date(),
+              counter: verification.authenticationInfo.newCounter,
+            },
+          });
+
+          return {
+            id: Number(user.id),
+            email: user.email,
+            name: user.name,
+            emailVerified: user.emailVerified?.toISOString() ?? null,
+          } satisfies User;
+        },
+      ),
+    },
+    hooks: {
+      before: [
+        {
+          matcher: (context) => context.path.startsWith('/sign-in/email'),
+          handler: createAuthMiddleware(async (ctx) => {
+            console.log('here...');
+
+            const { birthday } = ctx.body;
+
+            if ((!birthday) instanceof Date) {
+              throw new APIError('BAD_REQUEST', { message: 'Birthday must be of type Date.' });
+            }
+
+            const today = new Date();
+            const fiveYearsAgo = new Date(today.setFullYear(today.getFullYear() - 5));
+
+            if (birthday >= fiveYearsAgo) {
+              throw new APIError('BAD_REQUEST', { message: 'User must be above 5 years old.' });
+            }
+
+            return { context: ctx };
+          }),
+        },
+      ],
+    },
+  }) satisfies BetterAuthPlugin;