feat: add passkey and 2FA document action auth options (#1065)

## Description Add the following document action auth options: - 2FA - Passkey If the user does not have the required auth setup, we onboard them directly. ## Changes made Note: Added secondaryId to the VerificationToken schema ## Testing Performed Tested locally, pending preview tests ## Checklist - [X] I have tested these changes locally and they work as expected. - [X] I have added/updated tests that prove the effectiveness of these changes. - [X] I have followed the project's coding style guidelines.  ## Summary by CodeRabbit - **New Features** - Introduced components for 2FA, account, and passkey authentication during document signing. - Added "Require passkey" option to document settings and signer authentication settings. - Enhanced form submission and loading states for improved user experience. - **Refactor** - Optimized authentication components to efficiently support multiple authentication methods. - **Chores** - Updated and renamed functions and components for clarity and consistency across the authentication system. - Refined sorting options and database schema to support new authentication features. - **Bug Fixes** - Adjusted SignInForm to verify browser support for WebAuthn before proceeding.
2025-11-13 00:03:33 +10:00 · 2024-03-31 15:49:12 +08:00
parent 81ee582f1c
commit cbe6270494
27 changed files with 966 additions and 243 deletions
--- a/packages/lib/server-only/auth/create-passkey-authentication-options.ts
+++ b/packages/lib/server-only/auth/create-passkey-authentication-options.ts
@ -0,0 +1,76 @@
+import { generateAuthenticationOptions } from '@simplewebauthn/server';
+import type { AuthenticatorTransportFuture } from '@simplewebauthn/types';
+import { DateTime } from 'luxon';
+
+import { prisma } from '@documenso/prisma';
+import type { Passkey } from '@documenso/prisma/client';
+
+import { AppError, AppErrorCode } from '../../errors/app-error';
+import { getAuthenticatorOptions } from '../../utils/authenticator';
+
+type CreatePasskeyAuthenticationOptions = {
+  userId: number;
+
+  /**
+   * The ID of the passkey to request authentication for.
+   *
+   * If not set, we allow the browser client to handle choosing.
+   */
+  preferredPasskeyId?: string;
+};
+
+export const createPasskeyAuthenticationOptions = async ({
+  userId,
+  preferredPasskeyId,
+}: CreatePasskeyAuthenticationOptions) => {
+  const { rpId, timeout } = getAuthenticatorOptions();
+
+  let preferredPasskey: Pick<Passkey, 'credentialId' | 'transports'> | null = null;
+
+  if (preferredPasskeyId) {
+    preferredPasskey = await prisma.passkey.findFirst({
+      where: {
+        userId,
+        id: preferredPasskeyId,
+      },
+      select: {
+        credentialId: true,
+        transports: true,
+      },
+    });
+
+    if (!preferredPasskey) {
+      throw new AppError(AppErrorCode.NOT_FOUND, 'Requested passkey not found');
+    }
+  }
+
+  const options = await generateAuthenticationOptions({
+    rpID: rpId,
+    userVerification: 'preferred',
+    timeout,
+    allowCredentials: preferredPasskey
+      ? [
+          {
+            id: preferredPasskey.credentialId,
+            type: 'public-key',
+            // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+            transports: preferredPasskey.transports as AuthenticatorTransportFuture[],
+          },
+        ]
+      : undefined,
+  });
+
+  const { secondaryId } = await prisma.verificationToken.create({
+    data: {
+      userId,
+      token: options.challenge,
+      expires: DateTime.now().plus({ minutes: 2 }).toJSDate(),
+      identifier: 'PASSKEY_CHALLENGE',
+    },
+  });
+
+  return {
+    tokenReference: secondaryId,
+    options,
+  };
+};
--- a/packages/lib/server-only/auth/create-passkey-registration-options.ts
+++ b/packages/lib/server-only/auth/create-passkey-registration-options.ts
@ -5,7 +5,7 @@ import { DateTime } from 'luxon';
 import { prisma } from '@documenso/prisma';

 import { PASSKEY_TIMEOUT } from '../../constants/auth';
-import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
+import { getAuthenticatorOptions } from '../../utils/authenticator';

 type CreatePasskeyRegistrationOptions = {
  userId: number;
@ -27,7 +27,7 @@ export const createPasskeyRegistrationOptions = async ({

  const { passkeys } = user;

-  const { rpName, rpId: rpID } = getAuthenticatorRegistrationOptions();
+  const { rpName, rpId: rpID } = getAuthenticatorOptions();

  const options = await generateRegistrationOptions({
    rpName,
--- a/packages/lib/server-only/auth/create-passkey-signin-options.ts
+++ b/packages/lib/server-only/auth/create-passkey-signin-options.ts
@ -3,14 +3,14 @@ import { DateTime } from 'luxon';

 import { prisma } from '@documenso/prisma';

-import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
+import { getAuthenticatorOptions } from '../../utils/authenticator';

 type CreatePasskeySigninOptions = {
  sessionId: string;
 };

 export const createPasskeySigninOptions = async ({ sessionId }: CreatePasskeySigninOptions) => {
-  const { rpId, timeout } = getAuthenticatorRegistrationOptions();
+  const { rpId, timeout } = getAuthenticatorOptions();

  const options = await generateAuthenticationOptions({
    rpID: rpId,
--- a/packages/lib/server-only/auth/create-passkey.ts
+++ b/packages/lib/server-only/auth/create-passkey.ts
@ -7,7 +7,7 @@ import { UserSecurityAuditLogType } from '@documenso/prisma/client';
 import { MAXIMUM_PASSKEYS } from '../../constants/auth';
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
-import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
+import { getAuthenticatorOptions } from '../../utils/authenticator';

 type CreatePasskeyOptions = {
  userId: number;
@ -64,7 +64,7 @@ export const createPasskey = async ({
    throw new AppError(AppErrorCode.EXPIRED_CODE, 'Challenge token expired');
  }

-  const { rpId: expectedRPID, origin: expectedOrigin } = getAuthenticatorRegistrationOptions();
+  const { rpId: expectedRPID, origin: expectedOrigin } = getAuthenticatorOptions();

  const verification = await verifyRegistrationResponse({
    response: verificationResponse,
--- a/packages/lib/server-only/auth/find-passkeys.ts
+++ b/packages/lib/server-only/auth/find-passkeys.ts
@ -11,6 +11,7 @@ export interface FindPasskeysOptions {
  orderBy?: {
    column: keyof Passkey;
    direction: 'asc' | 'desc';
+    nulls?: Prisma.NullsOrder;
  };
 }

@ -21,8 +22,9 @@ export const findPasskeys = async ({
  perPage = 10,
  orderBy,
 }: FindPasskeysOptions) => {
-  const orderByColumn = orderBy?.column ?? 'name';
+  const orderByColumn = orderBy?.column ?? 'lastUsedAt';
  const orderByDirection = orderBy?.direction ?? 'desc';
+  const orderByNulls: Prisma.NullsOrder | undefined = orderBy?.nulls ?? 'last';

  const whereClause: Prisma.PasskeyWhereInput = {
    userId,
@ -41,7 +43,10 @@ export const findPasskeys = async ({
      skip: Math.max(page - 1, 0) * perPage,
      take: perPage,
      orderBy: {
-        [orderByColumn]: orderByDirection,
+        [orderByColumn]: {
+          sort: orderByDirection,
+          nulls: orderByNulls,
+        },
      },
      select: {
        id: true,