feat: WebAuthN Sign In, Sign Up and Options methods support - NEW

[victorbojica]

ONLY REVIEW REQUIRED. NOTHING TESTED YET.

Summary of change

Implement WebAuthN support according to:
https://docs.google.com/document/d/1G7tO9_dSNi8wur3ajGg4pq-wiHatKDbHv2sBt-uSbQg/edit#heading=h.olee876uqu8a

Related

Check #942 for more feedback

Test Plan

No testing at the moment.

Documentation changes

Will have to add WebAuthN recipe documentation

Checklist for important updates

• Changelog has been updated
• coreDriverInterfaceSupported.json file has been updated (if needed)
  • Along with the associated array in lib/ts/version.ts
• frontendDriverInterfaceSupported.json file has been updated (if needed)
• Changes to the version if needed
  • In package.json
  • In package-lock.json
  • In lib/ts/version.ts
• Had run npm run build-pretty
• Had installed and ran the pre-commit hook
• If new thirdparty provider is added,
  • update switch statement in recipe/thirdparty/providers/configUtils.ts file, createProvider function.
  • add an icon on the user management dashboard.
• Issue this PR against the latest non released version branch.
  • To know which one it is, run find the latest released tag (git tag) in the format vX.Y.Z, and then find the latest branch (git branch --all) whose X.Y is greater than the latest released tag.
  • If no such branch exists, then create one from the latest released branch.
• If have added a new web framework, update the add-ts-no-check.js file to include that
• If added a new recipe / api interface, then make sure that the implementation of it uses NON arrow functions only (like someFunc: function () {..}).
• If added a new recipe, then make sure to expose it inside the recipe folder present in the root of this repo. We also need to expose its types.
• If added a new entry point, then make sure that it is importable by adding it to the exports in package.json

Remaining TODOs for this PR

• Check support for other authenticators
• Account recovery flow
• Options testing
• Sign In testing
• Sign Up testing
• Multiple authenticators testing
• Do we need verifyCredentials in recipeInterface?

[cloudflare-workers-and-pages]

Deploying supertokens-node-pr-check-for-edge-function-compat with    Cloudflare Pages

Latest commit:	ce371d1
Status:	✅  Deploy successful!
Preview URL:	https://fa49a36e.supertokens-node-b95.pages.dev

View logs

[rishabhpoddar]

How does webauthn flow work for native mobile apps?

[victorbojica]

Yes, through WebViews starting from iOS 16 and Android 9 (and 14 in some cases): https://passkeys.dev/docs/reference/android/ and https://passkeys.dev/docs/reference/ios/.

[victorbojica]

done

[rishabhpoddar]

why did we remove relyingPartyName, userName, userDisplayName and attestation?

[victorbojica]

I checked the schema and we don't store them in the generated options. userName is the email and i renamed it to be more simple.

[rishabhpoddar]

So ideally, the output of registerOptions function should be similar to the output of this function. For example, in the registerOptions output, we have:

user: {
                  id: string;
                  name: string; // user email
                  displayName: string; //user email
              };

Now in the output of getGeneratedOptions, it's totally different. So this is strange.

[victorbojica]

Because we only store what is needed to verify the credentials. See the schema here (webauthn_user_generated_options) https://docs.google.com/document/d/1G7tO9_dSNi8wur3ajGg4pq-wiHatKDbHv2sBt-uSbQg/edit?tab=t.0#heading=h.td4zxgo1675k

[victorbojica]

should use webauthnCredentialId because there is no need to have a list of objects

[porcellus]

This is also used by listUsersByAccount info. We may have to split types, or are there any cases where we'd want to search by multiple credentialIds? How does that function, do we only get a match if all credentialIds are present? Is there a use-case for that?

[victorbojica]

I haven't taken that into consideration. But as far as ai can tell, no. there is no use like that. There might the possibllity to search by one of the credentialIds. What do you think?

[porcellus]

I think searching by a single credentialId makes sense.

[porcellus]

I think the error codes will have to be updated. You can add a TODO here and wherever an update like this is pending.

[victorbojica]

What should be the update? Or am i missing something ?

[porcellus]

well the error codes are login method specific, so we'll have to have new ones I think.

[victorbojica]

done. added to do.

[porcellus]

shouldn't this have the credentialId? or is that something we only get later?

[victorbojica]

I don't think so. We are identifying the user by email. And since we are signing up, the credential isn't stored yet.

[porcellus]

so in no cases would this be relevant to this or other linking related functions? if so then the types may require some cleanup

[victorbojica]

will check if we need to remove webauthn credential ids from the type - it is not used atm

[porcellus]

Is this correct? is credential validation independent of the tenant?

[victorbojica]

Done.

Was doing it like this, because at the moment of implementation, we hadn't decided on having a method for retrieving the webauthGeneratedOptions (which contained the email) and i had to retrieve the email before calling AuthUtils.getAuthenticatingUserAndAddToCurrentTenantIfRequired.
In the last few chats with Rishabh we deciede on adding the new method, but didn't update the API implmentation yet.

As a side note:
The credential can be shared across tenants and is not linked to a tenant.

[porcellus]

I see. So the point of checkCredentialsOnTenant is to find out if the user can use the current set of credentials to log in on the given tenantId (it can take it as a first parameter). This is tenant independent for pwless and thirdparty, but not for emailpassword for example.

[victorbojica]

reverted to previous version because we don't need to check in the scope of the tenant.

[victorbojica]

done

[porcellus]

this function also needs to be updated to take the new account info prop into account (plus I think you'll need to check all places where we use the account info)

[victorbojica]

maybe we could have a chat about this.

[victorbojica]

same as previous comments. also need to check method to see if ti works with webauthn

[porcellus]

This feels weird on a signUp endpoint, maybe specify which param is wrong/how?

[victorbojica]

The status is a generic one, for whatever error happens because of the Webauthn credentials flow. If we'd need to be more specific here (not in the API implementation - we should keep it generic there), then we'd need to do the actual core implementation, as there might lots of stuff that we can only find out when we start implementing.

There is another type of status "INVALID_AUTHENTICATOR_ERROR" (along with the reason) which means that the credential has been generated by an "unsupported" authenticator (this could happen by overriding the registerOptions method and overriding the default values for attestation, requireResidentKey, residentKey, userVerification, supportedAlgorithmIds, etc.).

What do you think ?

[porcellus]

The INVALID_AUTHENTICATOR_ERROR sounds good. My main issue with WRONG_CREDENTIALS_ERROR is that it overlaps with the error status we have for people submitting wrong passwords I guess.

[victorbojica]

same as previous error discussion

[victorbojica]

done