feat: add passkeys (#989)

## Description

Add support to login with passkeys.

Passkeys can be added via the user security settings page.

Note: Currently left out adding the type of authentication method for
the 'user security audit logs' because we're using the `signIn`
next-auth event which doesn't appear to provide the context. Will look
into it at another time.

## Changes Made

- Add passkeys to login
- Add passkeys feature flag
- Add page to manage passkeys
- Add audit logs relating to passkeys
- Updated prisma schema to support passkeys & anonymous verification
tokens

## Testing Performed

To be done.

MacOS:
- Safari ✅ 
- Chrome ✅ 
- Firefox ✅

Windows:
- Chrome [Untested] 
- Firefox [Untested]

Linux:
- Chrome [Untested]
- Firefox [Untested]

iOS:
- Safari ✅

## Checklist

<!--- Please check the boxes that apply to this pull request. -->
<!--- You can add or remove items as needed. -->

- [X] I have tested these changes locally and they work as expected.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Introduced Passkey authentication, including creation, sign-in, and
management of passkeys.
- Added a Passkeys section in Security Settings for managing user
passkeys.
- Implemented UI updates for Passkey authentication, including a new
dialog for creating passkeys and a data table for managing them.
- Enhanced security settings with server-side feature flags to
conditionally display new security features.
- **Bug Fixes**
	- Improved UI consistency in the Settings Security Activity Page.
- Updated button styling in the 2FA Recovery Codes component for better
visibility.
- **Refactor**
- Streamlined authentication options to include WebAuthn credentials
provider.
- **Chores**
- Updated database schema to support passkeys and related functionality.
	- Added new audit log types for passkey-related activities.
- Enhanced server-only authentication utilities for passkey registration
and management.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

packages/lib/server-only/auth/create-passkey-registration-options.ts

@@ -0,0 +1,58 @@
+import { generateRegistrationOptions } from '@simplewebauthn/server';
+import type { AuthenticatorTransportFuture } from '@simplewebauthn/types';
+import { DateTime } from 'luxon';
+
+import { prisma } from '@documenso/prisma';
+
+import { PASSKEY_TIMEOUT } from '../../constants/auth';
+import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
+
+type CreatePasskeyRegistrationOptions = {
+  userId: number;
+};
+
+export const createPasskeyRegistrationOptions = async ({
+  userId,
+}: CreatePasskeyRegistrationOptions) => {
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+    select: {
+      name: true,
+      email: true,
+      passkeys: true,
+    },
+  });
+
+  const { passkeys } = user;
+
+  const { rpName, rpId: rpID } = getAuthenticatorRegistrationOptions();
+
+  const options = await generateRegistrationOptions({
+    rpName,
+    rpID,
+    userID: userId.toString(),
+    userName: user.email,
+    userDisplayName: user.name ?? undefined,
+    timeout: PASSKEY_TIMEOUT,
+    attestationType: 'none',
+    excludeCredentials: passkeys.map((passkey) => ({
+      id: passkey.credentialId,
+      type: 'public-key',
+      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+      transports: passkey.transports as AuthenticatorTransportFuture[],
+    })),
+  });
+
+  await prisma.verificationToken.create({
+    data: {
+      userId,
+      token: options.challenge,
+      expires: DateTime.now().plus({ minutes: 2 }).toJSDate(),
+      identifier: 'PASSKEY_CHALLENGE',
+    },
+  });
+
+  return options;
+};

packages/lib/server-only/auth/create-passkey-signin-options.ts

@@ -0,0 +1,41 @@
+import { generateAuthenticationOptions } from '@simplewebauthn/server';
+import { DateTime } from 'luxon';
+
+import { prisma } from '@documenso/prisma';
+
+import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
+
+type CreatePasskeySigninOptions = {
+  sessionId: string;
+};
+
+export const createPasskeySigninOptions = async ({ sessionId }: CreatePasskeySigninOptions) => {
+  const { rpId, timeout } = getAuthenticatorRegistrationOptions();
+
+  const options = await generateAuthenticationOptions({
+    rpID: rpId,
+    userVerification: 'preferred',
+    timeout,
+  });
+
+  const { challenge } = options;
+
+  await prisma.anonymousVerificationToken.upsert({
+    where: {
+      id: sessionId,
+    },
+    update: {
+      token: challenge,
+      expiresAt: DateTime.now().plus({ minutes: 2 }).toJSDate(),
+      createdAt: new Date(),
+    },
+    create: {
+      id: sessionId,
+      token: challenge,
+      expiresAt: DateTime.now().plus({ minutes: 2 }).toJSDate(),
+      createdAt: new Date(),
+    },
+  });
+
+  return options;
+};

packages/lib/server-only/auth/create-passkey.ts

@@ -0,0 +1,106 @@
+import { verifyRegistrationResponse } from '@simplewebauthn/server';
+import type { RegistrationResponseJSON } from '@simplewebauthn/types';
+
+import { prisma } from '@documenso/prisma';
+import { UserSecurityAuditLogType } from '@documenso/prisma/client';
+
+import { MAXIMUM_PASSKEYS } from '../../constants/auth';
+import { AppError, AppErrorCode } from '../../errors/app-error';
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
+import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
+
+type CreatePasskeyOptions = {
+  userId: number;
+  passkeyName: string;
+  verificationResponse: RegistrationResponseJSON;
+  requestMetadata?: RequestMetadata;
+};
+
+export const createPasskey = async ({
+  userId,
+  passkeyName,
+  verificationResponse,
+  requestMetadata,
+}: CreatePasskeyOptions) => {
+  const { _count } = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+    include: {
+      _count: {
+        select: {
+          passkeys: true,
+        },
+      },
+    },
+  });
+
+  if (_count.passkeys >= MAXIMUM_PASSKEYS) {
+    throw new AppError('TOO_MANY_PASSKEYS');
+  }
+
+  const verificationToken = await prisma.verificationToken.findFirst({
+    where: {
+      userId,
+      identifier: 'PASSKEY_CHALLENGE',
+    },
+    orderBy: {
+      createdAt: 'desc',
+    },
+  });
+
+  if (!verificationToken) {
+    throw new AppError(AppErrorCode.NOT_FOUND, 'Challenge token not found');
+  }
+
+  await prisma.verificationToken.deleteMany({
+    where: {
+      userId,
+      identifier: 'PASSKEY_CHALLENGE',
+    },
+  });
+
+  if (verificationToken.expires < new Date()) {
+    throw new AppError(AppErrorCode.EXPIRED_CODE, 'Challenge token expired');
+  }
+
+  const { rpId: expectedRPID, origin: expectedOrigin } = getAuthenticatorRegistrationOptions();
+
+  const verification = await verifyRegistrationResponse({
+    response: verificationResponse,
+    expectedChallenge: verificationToken.token,
+    expectedOrigin,
+    expectedRPID,
+  });
+
+  if (!verification.verified || !verification.registrationInfo) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, 'Verification failed');
+  }
+
+  const { credentialPublicKey, credentialID, counter, credentialDeviceType, credentialBackedUp } =
+    verification.registrationInfo;
+
+  await prisma.$transaction(async (tx) => {
+    await tx.passkey.create({
+      data: {
+        userId,
+        name: passkeyName,
+        credentialId: Buffer.from(credentialID),
+        credentialPublicKey: Buffer.from(credentialPublicKey),
+        counter,
+        credentialDeviceType,
+        credentialBackedUp,
+        transports: verificationResponse.response.transports,
+      },
+    });
+
+    await tx.userSecurityAuditLog.create({
+      data: {
+        userId,
+        type: UserSecurityAuditLogType.PASSKEY_CREATED,
+        userAgent: requestMetadata?.userAgent,
+        ipAddress: requestMetadata?.ipAddress,
+      },
+    });
+  });
+};

packages/lib/server-only/auth/delete-passkey.ts

@@ -0,0 +1,41 @@
+import { prisma } from '@documenso/prisma';
+import { UserSecurityAuditLogType } from '@documenso/prisma/client';
+
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
+
+export interface DeletePasskeyOptions {
+  userId: number;
+  passkeyId: string;
+  requestMetadata?: RequestMetadata;
+}
+
+export const deletePasskey = async ({
+  userId,
+  passkeyId,
+  requestMetadata,
+}: DeletePasskeyOptions) => {
+  await prisma.passkey.findFirstOrThrow({
+    where: {
+      id: passkeyId,
+      userId,
+    },
+  });
+
+  await prisma.$transaction(async (tx) => {
+    await tx.passkey.delete({
+      where: {
+        id: passkeyId,
+        userId,
+      },
+    });
+
+    await tx.userSecurityAuditLog.create({
+      data: {
+        userId,
+        type: UserSecurityAuditLogType.PASSKEY_DELETED,
+        userAgent: requestMetadata?.userAgent,
+        ipAddress: requestMetadata?.ipAddress,
+      },
+    });
+  });
+};

packages/lib/server-only/auth/find-passkeys.ts

@@ -0,0 +1,71 @@
+import type { FindResultSet } from '@documenso/lib/types/find-result-set';
+import { prisma } from '@documenso/prisma';
+import type { Passkey } from '@documenso/prisma/client';
+import { Prisma } from '@documenso/prisma/client';
+
+export interface FindPasskeysOptions {
+  userId: number;
+  term?: string;
+  page?: number;
+  perPage?: number;
+  orderBy?: {
+    column: keyof Passkey;
+    direction: 'asc' | 'desc';
+  };
+}
+
+export const findPasskeys = async ({
+  userId,
+  term = '',
+  page = 1,
+  perPage = 10,
+  orderBy,
+}: FindPasskeysOptions) => {
+  const orderByColumn = orderBy?.column ?? 'name';
+  const orderByDirection = orderBy?.direction ?? 'desc';
+
+  const whereClause: Prisma.PasskeyWhereInput = {
+    userId,
+  };
+
+  if (term.length > 0) {
+    whereClause.name = {
+      contains: term,
+      mode: Prisma.QueryMode.insensitive,
+    };
+  }
+
+  const [data, count] = await Promise.all([
+    prisma.passkey.findMany({
+      where: whereClause,
+      skip: Math.max(page - 1, 0) * perPage,
+      take: perPage,
+      orderBy: {
+        [orderByColumn]: orderByDirection,
+      },
+      select: {
+        id: true,
+        userId: true,
+        name: true,
+        createdAt: true,
+        updatedAt: true,
+        lastUsedAt: true,
+        counter: true,
+        credentialDeviceType: true,
+        credentialBackedUp: true,
+        transports: true,
+      },
+    }),
+    prisma.passkey.count({
+      where: whereClause,
+    }),
+  ]);
+
+  return {
+    data,
+    count,
+    currentPage: Math.max(page, 1),
+    perPage,
+    totalPages: Math.ceil(count / perPage),
+  } satisfies FindResultSet<typeof data>;
+};

packages/lib/server-only/auth/update-passkey.ts

@@ -0,0 +1,51 @@
+import { prisma } from '@documenso/prisma';
+import { UserSecurityAuditLogType } from '@documenso/prisma/client';
+
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
+
+export interface UpdateAuthenticatorsOptions {
+  userId: number;
+  passkeyId: string;
+  name: string;
+  requestMetadata?: RequestMetadata;
+}
+
+export const updatePasskey = async ({
+  userId,
+  passkeyId,
+  name,
+  requestMetadata,
+}: UpdateAuthenticatorsOptions) => {
+  const passkey = await prisma.passkey.findFirstOrThrow({
+    where: {
+      id: passkeyId,
+      userId,
+    },
+  });
+
+  if (passkey.name === name) {
+    return;
+  }
+
+  await prisma.$transaction(async (tx) => {
+    await tx.passkey.update({
+      where: {
+        id: passkeyId,
+        userId,
+      },
+      data: {
+        name,
+        updatedAt: new Date(),
+      },
+    });
+
+    await tx.userSecurityAuditLog.create({
+      data: {
+        userId,
+        type: UserSecurityAuditLogType.PASSKEY_UPDATED,
+        userAgent: requestMetadata?.userAgent,
+        ipAddress: requestMetadata?.ipAddress,
+      },
+    });
+  });
+};