Add authentication flow for passkey

.changeset/quiet-sloths-lose.md

@@ -0,0 +1,5 @@
+---
+"permissionless": patch
+---
+
+Added passkeys authentication flow

packages/permissionless/actions/passkeyServer/startAuthentication.ts

@@ -0,0 +1,35 @@
+import { Base64 } from "ox"
+import type { WebAuthnP256 } from "ox"
+import {
+    type Account,
+    type Chain,
+    type Client,
+    type Transport,
+    toHex
+} from "viem"
+import type { PasskeyServerRpcSchema } from "../../types/passkeyServer.js"
+
+export type StartAuthenticationReturnType = WebAuthnP256.sign.Options & {
+    uuid: string
+}
+
+export const startAuthentication = async (
+    client: Client<
+        Transport,
+        Chain | undefined,
+        Account | undefined,
+        PasskeyServerRpcSchema
+    >
+): Promise<StartAuthenticationReturnType> => {
+    const response = await client.request({
+        method: "pks_startAuthentication",
+        params: []
+    })
+
+    return {
+        challenge: toHex(Base64.toBytes(response.challenge)),
+        rpId: response.rpId,
+        userVerification: response.userVerification,
+        uuid: response.uuid
+    }
+}

packages/permissionless/actions/passkeyServer/verifyAuthentication.ts

@@ -0,0 +1,121 @@
+import { Base64, type WebAuthnP256 } from "ox"
+// import { Base64 } from "ox"
+import type { Account, Chain, Client, Hex, Transport } from "viem"
+import type { PasskeyServerRpcSchema } from "../../types/passkeyServer.js"
+
+export type VerifyAuthenticationParameters = WebAuthnP256.sign.ReturnType & {
+    uuid: string
+}
+
+export type VerifyAuthenticationReturnType = {
+    success: boolean
+    id: string
+    publicKey: Hex
+}
+
+export const verifyAuthentication = async (
+    client: Client<
+        Transport,
+        Chain | undefined,
+        Account | undefined,
+        PasskeyServerRpcSchema
+    >,
+    args: VerifyAuthenticationParameters
+): Promise<VerifyAuthenticationReturnType> => {
+    const { raw, uuid } = args
+
+    let responseAuthenticatorData: string
+
+    if ("authenticatorData" in raw.response) {
+        responseAuthenticatorData = Base64.fromBytes(
+            new Uint8Array(raw.response.authenticatorData as ArrayBuffer),
+            {
+                url: true
+            }
+        )
+    } else {
+        throw new Error("authenticatorData not found in the signature")
+    }
+
+    let signature: string
+    if ("signature" in raw.response) {
+        signature = Base64.fromBytes(
+            new Uint8Array(raw.response.signature as ArrayBuffer),
+            {
+                pad: false,
+                url: true
+            }
+        )
+    } else {
+        throw new Error("signature not found in the signature")
+    }
+
+    let userHandle: string | undefined
+    if ("userHandle" in raw.response) {
+        userHandle = Base64.fromBytes(
+            new Uint8Array(raw.response.userHandle as ArrayBuffer),
+            {
+                pad: false,
+                url: true
+            }
+        )
+    }
+
+    const serverResponse = await client.request(
+        {
+            method: "pks_verifyAuthentication",
+            params: [
+                {
+                    id: raw.id,
+                    rawId: Base64.fromBytes(new Uint8Array(raw.rawId), {
+                        pad: false,
+                        url: true
+                    }),
+                    authenticatorAttachment: raw.authenticatorAttachment as
+                        | "cross-platform"
+                        | "platform",
+                    response: {
+                        clientDataJSON: Base64.fromBytes(
+                            new Uint8Array(raw.response.clientDataJSON),
+                            {
+                                pad: false,
+                                url: true
+                            }
+                        ),
+                        authenticatorData: responseAuthenticatorData,
+                        signature,
+                        userHandle
+                    },
+                    clientExtensionResults: raw.getClientExtensionResults(),
+                    type: raw.type as "public-key"
+                },
+                {
+                    uuid
+                }
+            ]
+        },
+        {
+            retryCount: 0
+        }
+    )
+
+    const success = Boolean(serverResponse?.success)
+    const id = serverResponse?.id
+    const publicKey = serverResponse?.publicKey
+
+    if (typeof id !== "string") {
+        throw new Error("Invalid passkey id returned from server")
+    }
+
+    if (typeof publicKey !== "string" || !publicKey.startsWith("0x")) {
+        throw new Error(
+            "Invalid public key returned from server - must be hex string starting with 0x"
+        )
+    }
+
+    return {
+        success,
+        id,
+        publicKey: publicKey as Hex
+    }
+}

packages/permissionless/actions/passkeyServer/verifyRegistration.ts

@@ -48,49 +48,59 @@
         }
     }
 
-    const serverResponse = await client.request({
-        method: "pks_verifyRegistration",
-        params: [
-            {
-                id: credential.id,
-                rawId: Base64.fromBytes(new Uint8Array(credential.raw.rawId), {
-                    pad: false,
-                    url: true
-                }),
-                response: {
-                    clientDataJSON: Base64.fromBytes(
-                        new Uint8Array(response.clientDataJSON)
-                    ),
-                    attestationObject: Base64.fromBytes(
-                        new Uint8Array(response.attestationObject),
+    const serverResponse = await client.request(
+        {
+            method: "pks_verifyRegistration",
+            params: [
+                {
+                    id: credential.id,
+                    rawId: Base64.fromBytes(
+                        new Uint8Array(credential.raw.rawId),
                         {
+                            pad: false,
                             url: true
                         }
                     ),
-                    transports:
-                        typeof response.getTransports === "function"
-                            ? (response.getTransports() as (
-                                  | "ble"
-                                  | "cable"
-                                  | "hybrid"
-                                  | "internal"
-                                  | "nfc"
-                                  | "smart-card"
-                                  | "usb"
-                              )[])
-                            : undefined,
-                    publicKeyAlgorithm: responsePublicKeyAlgorithm,
-                    authenticatorData: responseAuthenticatorData
+                    response: {
+                        clientDataJSON: Base64.fromBytes(
+                            new Uint8Array(response.clientDataJSON)
+                        ),
+                        attestationObject: Base64.fromBytes(
+                            new Uint8Array(response.attestationObject),
+                            {
+                                url: true
+                            }
+                        ),
+                        transports:
+                            typeof response.getTransports === "function"
+                                ? (response.getTransports() as (
+                                      | "ble"
+                                      | "cable"
+                                      | "hybrid"
+                                      | "internal"
+                                      | "nfc"
+                                      | "smart-card"
+                                      | "usb"
+                                  )[])
+                                : undefined,
+                        publicKeyAlgorithm: responsePublicKeyAlgorithm,
+                        authenticatorData: responseAuthenticatorData
+                    },
+                    authenticatorAttachment: credential.raw
+                        .authenticatorAttachment as
+                        | "cross-platform"
+                        | "platform",
+                    clientExtensionResults:
+                        credential.raw.getClientExtensionResults(),
+                    type: credential.raw.type as "public-key"
                 },
-                authenticatorAttachment: credential.raw
-                    .authenticatorAttachment as "cross-platform" | "platform",
-                clientExtensionResults:
-                    credential.raw.getClientExtensionResults(),
-                type: credential.raw.type as "public-key"
-            },
-            context
-        ]
-    })
+                context
+            ]
+        },
+        {
+            retryCount: 0
+        }
+    )
 
     const success = Boolean(serverResponse?.success)
     const id = serverResponse?.id

packages/permissionless/clients/decorators/passkeyServer.ts

@@ -4,11 +4,20 @@
     type GetCredentialsReturnType,
     getCredentials
 } from "../../actions/passkeyServer/getCredentials.js"
+import {
+    type StartAuthenticationReturnType,
+    startAuthentication
+} from "../../actions/passkeyServer/startAuthentication.js"
 import {
     type StartRegistrationParameters,
     type StartRegistrationReturnType,
     startRegistration
 } from "../../actions/passkeyServer/startRegistration.js"
+import {
+    type VerifyAuthenticationParameters,
+    type VerifyAuthenticationReturnType,
+    verifyAuthentication
+} from "../../actions/passkeyServer/verifyAuthentication.js"
 import {
     type VerifyRegistrationParameters,
     type VerifyRegistrationReturnType,
@@ -23,6 +32,10 @@
     verifyRegistration: (
         args: VerifyRegistrationParameters
     ) => Promise<VerifyRegistrationReturnType>
+    startAuthentication: () => Promise<StartAuthenticationReturnType>
+    verifyAuthentication: (
+        args: VerifyAuthenticationParameters
+    ) => Promise<VerifyAuthenticationReturnType>
     getCredentials: (
         args: GetCredentialsParameters
     ) => Promise<GetCredentialsReturnType>
@@ -38,5 +51,7 @@
 ): PasskeyServerActions => ({
     startRegistration: (args) => startRegistration(client, args),
     verifyRegistration: (args) => verifyRegistration(client, args),
-    getCredentials: (args) => getCredentials(client, args)
+    getCredentials: (args) => getCredentials(client, args),
+    startAuthentication: () => startAuthentication(client),
+    verifyAuthentication: (args) => verifyAuthentication(client, args)
 })

packages/permissionless/types/passkeyServer.ts

@@ -1,6 +1,17 @@
 import type { Hex } from "viem"
 
 export type PasskeyServerRpcSchema = [
+    {
+        Method: "pks_startAuthentication"
+        Parameters: []
+        ReturnType: {
+            challenge: string
+            rpId: string
+            timeout?: number
+            userVerification?: "required" | "preferred" | "discouraged"
+            uuid: string
+        }
+    },
     {
         Method: "pks_startRegistration"
         Parameters: [context: unknown]
@@ -71,6 +82,36 @@ export type PasskeyServerRpcSchema = [
             publicKey: Hex
         }
     },
+    {
+        Method: "pks_verifyAuthentication"
+        Parameters: [
+            {
+                id: string
+                rawId: string
+                response: {
+                    clientDataJSON: string
+                    authenticatorData: string
+                    signature: string
+                    userHandle?: string
+                }
+                authenticatorAttachment: "cross-platform" | "platform"
+                clientExtensionResults: {
+                    appid?: boolean
+                    credProps?: {
+                        rk?: boolean
+                    }
+                    hmacCreateSecret?: boolean
+                }
+                type: "public-key"
+            },
+            context: unknown
+        ]
+        ReturnType: {
+            success: boolean
+            id: string
+            publicKey: Hex
+        }
+    },
     {
         Method: "pks_getCredentials"
         Parameters: [context: unknown]