feat: webauthn (#173)

* feat: webauthn options

* feat: register credentials wip

* feat: recipe user sign up

* fix: temp

* feat: webauthn support wip

* feat: webauthn loginmethod

* feat: webauthn sign in

* fix: for account recovery

* fix: account recovery impl

* fix: integration fix for signup

* feat: crud apis addition

* feat: remove options api

* fix: reworked error handling

* feat: clean up expired data cron

* feat: extending user listing with webauthn

* feat: saving userVerification and userPresence values

* feat: get credentials

* fix: refactor exceptions

* fix: user json and dashboard search

* fix: fixing table locked issue with in-memory db

* fix: add tests and fixes for email update

* chore: changelog, version number

* fix: review fix: additional possible errors while saving a credential

* fix: remove unused method

* fix: potential error handling when saving options

---------

Co-authored-by: Sattvik Chakravarthy <[email protected]>

Author: tamassoltesz

CHANGELOG.md

@@ -7,6 +7,11 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+
+## [7.1.0]
+
+- Adds support for Webauthn (passkeys)
+
 ## [7.0.0] 
 
 - Adds support for Bulk Import

build.gradle

@@ -2,7 +2,7 @@ plugins {
     id 'java-library'
 }
 
-version = "7.0.0"
+version = "7.1.0"
 
 repositories {
     mavenCentral()

src/main/java/io/supertokens/pluginInterface/RECIPE_ID.java

@@ -22,7 +22,7 @@ public enum RECIPE_ID {
     EMAIL_PASSWORD("emailpassword"), THIRD_PARTY("thirdparty"), SESSION("session"),
     EMAIL_VERIFICATION("emailverification"), JWT("jwt"), PASSWORDLESS("passwordless"), USER_METADATA("usermetadata"),
     USER_ROLES("userroles"), USER_ID_MAPPING("useridmapping"), DASHBOARD("dashboard"), TOTP("totp"),
-    MULTITENANCY("multitenancy"), ACCOUNT_LINKING("accountlinking"), MFA("mfa"), OAUTH("oauth");
+    MULTITENANCY("multitenancy"), ACCOUNT_LINKING("accountlinking"), MFA("mfa"), OAUTH("oauth"), WEBAUTHN("webauthn");
 
     private final String name;
 

src/main/java/io/supertokens/pluginInterface/StorageUtils.java

@@ -30,6 +30,7 @@
 import io.supertokens.pluginInterface.useridmapping.UserIdMappingStorage;
 import io.supertokens.pluginInterface.usermetadata.sqlStorage.UserMetadataSQLStorage;
 import io.supertokens.pluginInterface.userroles.sqlStorage.UserRolesSQLStorage;
+import io.supertokens.pluginInterface.webauthn.slqStorage.WebAuthNSQLStorage;
 
 public class StorageUtils {
     public static AuthRecipeSQLStorage getAuthRecipeStorage(Storage storage) {
@@ -151,4 +152,11 @@ public static OAuthStorage getOAuthStorage(Storage storage) {
         }
         return (OAuthStorage) storage;
     }
+
+    public static WebAuthNSQLStorage getWebAuthNStorage(Storage storage) {
+        if (storage.getType() != STORAGE_TYPE.SQL) {
+            throw new UnsupportedOperationException("");
+        }
+        return (WebAuthNSQLStorage) storage;
+    }
 }

src/main/java/io/supertokens/pluginInterface/authRecipe/AuthRecipeStorage.java

@@ -58,6 +58,9 @@ AuthRecipeUserInfo[] listPrimaryUsersByEmail(TenantIdentifier tenantIdentifier,
     AuthRecipeUserInfo[] listPrimaryUsersByPhoneNumber(TenantIdentifier tenantIdentifier, String phoneNumber)
             throws StorageQueryException;
 
+    AuthRecipeUserInfo getPrimaryUserByWebauthNCredentialId(TenantIdentifier tenantIdentifier, String webauthNCredentialId)
+            throws StorageQueryException;
+
     AuthRecipeUserInfo[] listPrimaryUsersByThirdPartyInfo(AppIdentifier appIdentifier, String thirdPartyId,
                                                           String thirdPartyUserId)
             throws StorageQueryException;

src/main/java/io/supertokens/pluginInterface/authRecipe/AuthRecipeUserInfo.java

@@ -16,12 +16,15 @@
 
 package io.supertokens.pluginInterface.authRecipe;
 
+import com.google.gson.Gson;
 import com.google.gson.JsonArray;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonPrimitive;
 import io.supertokens.pluginInterface.RECIPE_ID;
 
-import java.util.*;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
 
 public class AuthRecipeUserInfo {
 
@@ -124,7 +127,7 @@ public int hashCode() {
         return hashCode;
     }
 
-    public JsonObject toJson() {
+    public JsonObject toJson(boolean includeWebauthn) {
         if (!didCallSetExternalUserId) {
             throw new RuntimeException("Found a bug: Did you forget to call setExternalUserId?");
         }
@@ -142,7 +145,13 @@ public JsonObject toJson() {
         Set<String> emails = new HashSet<>();
         Set<String> phoneNumbers = new HashSet<>();
         Set<LoginMethod.ThirdParty> thirdParty = new HashSet<>();
+        Set<String> webauthn = new HashSet<>();
         for (LoginMethod loginMethod : this.loginMethods) {
+            if (!includeWebauthn) {
+                if (loginMethod.recipeId == RECIPE_ID.WEBAUTHN) {
+                    continue;
+                }
+            }
             if (loginMethod.email != null) {
                 emails.add(loginMethod.email);
             }
@@ -152,6 +161,9 @@ public JsonObject toJson() {
             if (loginMethod.thirdParty != null) {
                 thirdParty.add(loginMethod.thirdParty);
             }
+            if(loginMethod.webauthN != null) {
+                webauthn.addAll(loginMethod.webauthN.credentialIds);
+            }
         }
         JsonArray emailsJson = new JsonArray();
         for (String email : emails) {
@@ -172,6 +184,14 @@ public JsonObject toJson() {
         }
         jsonObject.add("thirdParty", thirdPartyJson);
 
+        if (includeWebauthn) {
+            JsonObject webauthnJson = new JsonObject();
+            JsonArray j = new JsonArray();
+            j.addAll(new Gson().toJsonTree(webauthn).getAsJsonArray());
+            webauthnJson.add("credentialIds", j);
+            jsonObject.add("webauthn", webauthnJson);
+        }
+
         // now we add login methods..
         JsonArray loginMethodsArr = new JsonArray();
         for (LoginMethod lM : this.loginMethods) {
@@ -197,6 +217,13 @@ public JsonObject toJson() {
                 thirdPartyJsonObject.addProperty("userId", lM.thirdParty.userId);
                 lMJsonObject.add("thirdParty", thirdPartyJsonObject);
             }
+            if (includeWebauthn) {
+                if(lM.webauthN != null) {
+                    JsonObject webauthNJson = new JsonObject();
+                    webauthNJson.add("credentialIds", new Gson().toJsonTree(lM.webauthN.credentialIds));
+                    lMJsonObject.add("webauthn", webauthNJson);
+                }
+            }
             loginMethodsArr.add(lMJsonObject);
         }
         jsonObject.add("loginMethods", loginMethodsArr);

src/main/java/io/supertokens/pluginInterface/authRecipe/LoginMethod.java

@@ -20,6 +20,7 @@
 
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 public class LoginMethod {
@@ -42,6 +43,8 @@ public class LoginMethod {
 
     public final Set<String> tenantIds;
 
+    public final WebAuthN webauthN;
+
     public transient final String passwordHash;
 
     private boolean didCallSetExternalUserId = false;
@@ -55,6 +58,7 @@ public LoginMethod(String recipeUserId, long timeJoined, boolean verified, Strin
         this.email = email;
         this.phoneNumber = null;
         this.thirdParty = null;
+        this.webauthN = null;
         this.tenantIds = new HashSet<>();
         Collections.addAll(this.tenantIds, tenantIds);
         this.passwordHash = passwordHash;
@@ -71,6 +75,7 @@ public LoginMethod(String recipeUserId, long timeJoined, boolean verified, Passw
         this.tenantIds = new HashSet<>();
         Collections.addAll(this.tenantIds, tenantIds);
         this.thirdParty = null;
+        this.webauthN = null;
         this.passwordHash = null;
     }
 
@@ -84,6 +89,22 @@ public LoginMethod(String recipeUserId, long timeJoined, boolean verified, Strin
         this.tenantIds = new HashSet<>();
         Collections.addAll(this.tenantIds, tenantIds);
         this.thirdParty = thirdPartyInfo;
+        this.webauthN = null;
+        this.phoneNumber = null;
+        this.passwordHash = null;
+    }
+
+    public LoginMethod(String recipeUserId, long timeJoined, boolean verified, String email, WebAuthN webauthN,
+                       String[] tenantIds) {
+        this.verified = verified;
+        this.timeJoined = timeJoined;
+        this.recipeUserId = recipeUserId;
+        this.recipeId = RECIPE_ID.WEBAUTHN;
+        this.email = email;
+        this.tenantIds = new HashSet<>();
+        Collections.addAll(this.tenantIds, tenantIds);
+        this.webauthN = webauthN;
+        this.thirdParty = null;
         this.phoneNumber = null;
         this.passwordHash = null;
     }
@@ -147,6 +168,32 @@ public int hashCode() {
         }
     }
 
+    public static class WebAuthN {
+        public List<String> credentialIds;
+
+        public WebAuthN(List<String> credentialIds) {
+            this.credentialIds = credentialIds;
+        }
+
+        public void addCredentialId(String credentialId) {
+            this.credentialIds.add(credentialId);
+        }
+
+        @Override
+        public boolean equals(Object other) {
+            if (!(other instanceof WebAuthN)) {
+                return false;
+            }
+            WebAuthN webauthN = (WebAuthN) other;
+            return this.credentialIds.equals(webauthN.credentialIds);
+        }
+
+        @Override
+        public int hashCode() {
+            return credentialIds.hashCode();
+        }
+    }
+
     @Override
     public boolean equals(Object other) {
         if (!(other instanceof LoginMethod)) {
@@ -159,6 +206,7 @@ public boolean equals(Object other) {
                 && java.util.Objects.equals(this.phoneNumber, otherLoginMethod.phoneNumber)
                 && java.util.Objects.equals(this.passwordHash, otherLoginMethod.passwordHash)
                 && java.util.Objects.equals(this.thirdParty, otherLoginMethod.thirdParty)
+                && java.util.Objects.equals(this.webauthN, otherLoginMethod.webauthN)
                 && this.tenantIds.equals(otherLoginMethod.tenantIds);
     }
 
@@ -176,6 +224,7 @@ public int hashCode() {
         result = 31 * result + tenantIds.hashCode();
         result = 31 * result + (passwordHash != null ? passwordHash.hashCode() : 0);
         result = 31 * result + (thirdParty != null ? thirdParty.hashCode() : 0);
+        result = 31 * result + (webauthN != null ? webauthN.hashCode() : 0);
         return result;
     }
 }

src/main/java/io/supertokens/pluginInterface/authRecipe/sqlStorage/AuthRecipeSQLStorage.java

@@ -20,6 +20,7 @@
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
 import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.sqlStorage.SQLStorage;
 import io.supertokens.pluginInterface.sqlStorage.TransactionConnection;
 
@@ -32,6 +33,10 @@ AuthRecipeUserInfo getPrimaryUserById_Transaction(AppIdentifier appIdentifier, T
                                                       String userId)
             throws StorageQueryException;
 
+    AuthRecipeUserInfo getPrimaryUserByWebauthNCredentialId_Transaction(TenantIdentifier tenantIdentifier, TransactionConnection con,
+                                                                        String credentialId)
+            throws StorageQueryException;
+
     List<AuthRecipeUserInfo> getPrimaryUsersByIds_Transaction(AppIdentifier appIdentifier, TransactionConnection con,
                                                               List<String> userIds)
             throws StorageQueryException;

src/main/java/io/supertokens/pluginInterface/dashboard/DashboardSearchTags.java

@@ -55,6 +55,11 @@ public boolean shouldPasswordlessTableBeSearched() {
         return false;
     }
 
+    public boolean shouldWebauthnTableBeSearched() {
+        List<SUPPORTED_SEARCH_TAGS> nonNullSearchTags = getNonNullSearchFields();
+        return nonNullSearchTags.contains(SUPPORTED_SEARCH_TAGS.EMAIL) && nonNullSearchTags.size() == 1;
+    }
+
     private List<SUPPORTED_SEARCH_TAGS> getNonNullSearchFields() {
         List<SUPPORTED_SEARCH_TAGS> nonNullSearchTags = new ArrayList<>();
 

src/main/java/io/supertokens/pluginInterface/webauthn/AccountRecoveryTokenInfo.java

@@ -0,0 +1,35 @@
+/*
+ *    Copyright (c) 2020, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.pluginInterface.webauthn;
+
+public class AccountRecoveryTokenInfo {
+
+    public final String userId;
+
+    public final String token;
+
+    public final long expiresAt;
+
+    public final String email;
+
+    public AccountRecoveryTokenInfo(String userId, String email, String token, long expiresAt) {
+        this.userId = userId;
+        this.email = email;
+        this.token = token;
+        this.expiresAt = expiresAt;
+    }
+}