feat: WebAuthN support

.circleci/forceRunCI.sh

@@ -2,11 +2,11 @@ PAT=`cat .pat`
 auth=`echo "${PAT}:" | tr -d '\n' | base64 --wrap=0`
 branch=`git rev-parse --abbrev-ref HEAD`
 
-cdiCoreMap='{ }' # "5.2": "feat/oauth/allow-list"
-cdiPluginInterfaceMap='{ }' # "5.2": "feat/oauth/allow-list"
-fdiNodeMap='{ }' # "3.1": "feat/add_clientId_secret_and_refreshTokenRotation_settings", "4.0": "feat/add_clientId_secret_and_refreshTokenRotation_settings"
-fdiWebsiteMap='{ }' # "1.17": "20.1", "1.18": "20.1", "1.19": "20.1", "2.0": "20.1", "3.0": "20.1", "3.1": "20.1", "4.0": "20.1"
-fdiAuthReactMap='{ }' # "3.1": "0.48", "4.0": "0.48"
+cdiCoreMap='{ }'
+cdiPluginInterfaceMap='{ }'
+fdiNodeMap='{ "4.1": "feat/webauthn/base" }'
+fdiWebsiteMap='{ "1.17": "20.1", "1.18": "20.1", "1.19": "20.1", "2.0": "20.1", "3.0": "20.1", "3.1": "20.1", "4.0": "20.1", "4.1": "20.1" }'
+fdiAuthReactMap='{ "4.1": "feat/webauthn/base" }'
 
 data=`jq -cn --arg branch "$branch" \
   --arg cdiCoreMap "$cdiCoreMap" \

CHANGELOG.md

@@ -7,6 +7,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+### Added WebAuthn (Passkeys) Support
+
+-   Added WebAuthn recipe with authentication support:
+
+    -   Registration, sign-in, and credential verification flows
+    -   Account recovery functionality
+
+-   Added new API endpoints for WebAuthn operations:
+
+    -   GET `/api/webauthn/email/exists` - Check if email exists in system
+    -   POST `/api/webauthn/options/register` - Handle registration options
+    -   POST `/api/webauthn/options/signin` - Handle sign-in options
+    -   POST `/api/webauthn/signin` - Handle WebAuthn sign-in
+    -   POST `/api/webauthn/signup` - Handle WebAuthn sign-up
+    -   POST `/api/user/webauthn/reset` - Handle account recovery
+    -   POST `/api/user/webauthn/reset/token` - Generate recovery tokens
+
+-   Added WebAuthn support to account linking functionality:
+
+    -   Support for linking users based on WebAuthn `credentialId`
+    -   Updated `AccountInfo` type to `AccountInfoInput` with WebAuthn fields
+    -   Added `hasSameWebauthnInfoAs` method for credential comparison
+
+-   Updated FDI support to `4.1`
+
+### Breaking Changes
+
+-   Updated CDI supported version from `5.2` to `5.3`
+-   Changed `AccountInfo` to `AccountInfoInput` in various methods for better type safety. This is required in order to allow querying by a single WebAuthn `credentialId`, while the WebAuthn login method contains an array of `credentialId`
+
 ## [21.1.1] - 2025-03-06
 
 -   Fixes an issue where the response body was not being cloned when using cache

coreDriverInterfaceSupported.json

@@ -1,4 +1,4 @@
 {
     "_comment": "contains a list of core-driver interfaces branch names that this core supports",
-    "versions": ["5.2"]
+    "versions": ["5.3"]
 }

frontendDriverInterfaceSupported.json

@@ -1,4 +1,4 @@
 {
     "_comment": "contains a list of frontend-driver interfaces branch names that this core supports",
-    "versions": ["1.17", "1.18", "1.19", "2.0", "3.0", "3.1", "4.0"]
+    "versions": ["1.17", "1.18", "1.19", "2.0", "3.0", "3.1", "4.0", "4.1"]
 }

lib/build/recipe/accountlinking/recipe.js

@@ -38,10 +38,15 @@ class Recipe extends recipeModule_1.default {
             if (user.isPrimaryUser) {
                 return user;
             }
-            // then, we try and find a primary user based on the email / phone number / third party ID.
+            // then, we try and find a primary user based on the email / phone number / third party ID / credentialId.
             let users = await this.recipeInterfaceImpl.listUsersByAccountInfo({
                 tenantId,
-                accountInfo: user.loginMethods[0],
+                accountInfo: Object.assign(Object.assign({}, user.loginMethods[0]), {
+                    // we don't need to list by (webauthn) credentialId because we are looking for
+                    // a user to link to the current recipe user, but any search using the credentialId
+                    // of the current user "will identify the same user" which is the current one.
+                    webauthn: undefined,
+                }),
                 doUnionOfAccountInfo: true,
                 userContext,
             });
@@ -87,7 +92,12 @@ class Recipe extends recipeModule_1.default {
             // then, we try and find matching users based on the email / phone number / third party ID.
             let users = await this.recipeInterfaceImpl.listUsersByAccountInfo({
                 tenantId,
-                accountInfo: user.loginMethods[0],
+                accountInfo: Object.assign(Object.assign({}, user.loginMethods[0]), {
+                    // we don't need to list by (webauthn) credentialId because we are looking for
+                    // a user to link to the current recipe user, but any search using the credentialId
+                    // of the current user "will identify the same user" which is the current one.
+                    webauthn: undefined,
+                }),
                 doUnionOfAccountInfo: true,
                 userContext,
             });
@@ -172,7 +182,12 @@ class Recipe extends recipeModule_1.default {
             // primary user.
             let users = await this.recipeInterfaceImpl.listUsersByAccountInfo({
                 tenantId,
-                accountInfo,
+                accountInfo: Object.assign(Object.assign({}, accountInfo), {
+                    // we don't need to list by (webauthn) credentialId because we are looking for
+                    // a user to link to the current recipe user, but any search using the credentialId
+                    // of the current user "will identify the same user" which is the current one.
+                    webauthn: undefined,
+                }),
                 doUnionOfAccountInfo: true,
                 userContext,
             });

lib/build/recipe/accountlinking/recipeImplementation.js

@@ -157,7 +157,7 @@ function getRecipeImplementation(querier, config, recipeInstance) {
             return undefined;
         },
         listUsersByAccountInfo: async function ({ tenantId, accountInfo, doUnionOfAccountInfo, userContext }) {
-            var _a, _b;
+            var _a, _b, _c;
             let result = await querier.sendGetRequest(
                 new normalisedURLPath_1.default(
                     `${tenantId !== null && tenantId !== void 0 ? tenantId : "public"}/users/by-accountinfo`
@@ -167,6 +167,8 @@ function getRecipeImplementation(querier, config, recipeInstance) {
                     phoneNumber: accountInfo.phoneNumber,
                     thirdPartyId: (_a = accountInfo.thirdParty) === null || _a === void 0 ? void 0 : _a.id,
                     thirdPartyUserId: (_b = accountInfo.thirdParty) === null || _b === void 0 ? void 0 : _b.userId,
+                    webauthnCredentialId:
+                        (_c = accountInfo.webauthn) === null || _c === void 0 ? void 0 : _c.credentialId,
                     doUnionOfAccountInfo,
                 },
                 userContext

lib/build/recipe/accountlinking/types.d.ts

@@ -163,7 +163,7 @@ export declare type RecipeInterface = {
     getUser: (input: { userId: string; userContext: UserContext }) => Promise<User | undefined>;
     listUsersByAccountInfo: (input: {
         tenantId: string;
-        accountInfo: AccountInfo;
+        accountInfo: AccountInfoInput;
         doUnionOfAccountInfo: boolean;
         userContext: UserContext;
     }) => Promise<User[]>;
@@ -182,9 +182,17 @@ export declare type AccountInfo = {
         id: string;
         userId: string;
     };
+    webauthn?: {
+        credentialIds: string[];
+    };
+};
+export declare type AccountInfoInput = Omit<AccountInfo, "webauthn"> & {
+    webauthn?: {
+        credentialId: string;
+    };
 };
 export declare type AccountInfoWithRecipeId = {
-    recipeId: "emailpassword" | "thirdparty" | "passwordless";
+    recipeId: "emailpassword" | "thirdparty" | "passwordless" | "webauthn";
 } & AccountInfo;
 export declare type RecipeLevelUser = {
     tenantIds: string[];

lib/build/recipe/multifactorauth/index.d.ts

@@ -9,6 +9,7 @@ export default class Wrapper {
     static MultiFactorAuthClaim: import("./multiFactorAuthClaim").MultiFactorAuthClaimClass;
     static FactorIds: {
         EMAILPASSWORD: string;
+        WEBAUTHN: string;
         OTP_EMAIL: string;
         OTP_PHONE: string;
         LINK_EMAIL: string;

lib/build/recipe/multifactorauth/types.d.ts

@@ -136,6 +136,7 @@ export declare type GetPhoneNumbersForFactorsFromOtherRecipesFunc = (
       };
 export declare const FactorIds: {
     EMAILPASSWORD: string;
+    WEBAUTHN: string;
     OTP_EMAIL: string;
     OTP_PHONE: string;
     LINK_EMAIL: string;

lib/build/recipe/multifactorauth/types.js

@@ -17,6 +17,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.FactorIds = void 0;
 exports.FactorIds = {
     EMAILPASSWORD: "emailpassword",
+    WEBAUTHN: "webauthn",
     OTP_EMAIL: "otp-email",
     OTP_PHONE: "otp-phone",
     LINK_EMAIL: "link-email",

lib/build/recipe/webauthn/api/emailExists.d.ts

@@ -0,0 +1,9 @@
+// @ts-nocheck
+import { APIInterface, APIOptions } from "../";
+import { UserContext } from "../../../types";
+export default function emailExists(
+    apiImplementation: APIInterface,
+    tenantId: string,
+    options: APIOptions,
+    userContext: UserContext
+): Promise<boolean>;

lib/build/recipe/webauthn/api/emailExists.js

@@ -0,0 +1,44 @@
+"use strict";
+/* Copyright (c) 2025, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ * This software is licensed under the Apache License, Version 2.0 (the
+ * "License") as published by the Apache Software Foundation.
+ *
+ * You may not use this file except in compliance with the License. You may
+ * obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+var __importDefault =
+    (this && this.__importDefault) ||
+    function (mod) {
+        return mod && mod.__esModule ? mod : { default: mod };
+    };
+Object.defineProperty(exports, "__esModule", { value: true });
+const utils_1 = require("../../../utils");
+const error_1 = __importDefault(require("../error"));
+async function emailExists(apiImplementation, tenantId, options, userContext) {
+    if (apiImplementation.emailExistsGET === undefined) {
+        return false;
+    }
+    const email = options.req.getKeyValueFromQuery("email");
+    if (email === undefined || typeof email !== "string") {
+        throw new error_1.default({
+            type: error_1.default.BAD_INPUT_ERROR,
+            message: "Please provide the email as a GET param",
+        });
+    }
+    let result = await apiImplementation.emailExistsGET({
+        email,
+        tenantId,
+        options,
+        userContext,
+    });
+    utils_1.send200Response(options.res, result);
+    return true;
+}
+exports.default = emailExists;

lib/build/recipe/webauthn/api/generateRecoverAccountToken.d.ts

@@ -0,0 +1,9 @@
+// @ts-nocheck
+import { APIInterface, APIOptions } from "../";
+import { UserContext } from "../../../types";
+export default function generateRecoverAccountToken(
+    apiImplementation: APIInterface,
+    tenantId: string,
+    options: APIOptions,
+    userContext: UserContext
+): Promise<boolean>;

lib/build/recipe/webauthn/api/generateRecoverAccountToken.js

@@ -0,0 +1,45 @@
+"use strict";
+/* Copyright (c) 2025, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ * This software is licensed under the Apache License, Version 2.0 (the
+ * "License") as published by the Apache Software Foundation.
+ *
+ * You may not use this file except in compliance with the License. You may
+ * obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+var __importDefault =
+    (this && this.__importDefault) ||
+    function (mod) {
+        return mod && mod.__esModule ? mod : { default: mod };
+    };
+Object.defineProperty(exports, "__esModule", { value: true });
+const utils_1 = require("../../../utils");
+const error_1 = __importDefault(require("../error"));
+async function generateRecoverAccountToken(apiImplementation, tenantId, options, userContext) {
+    if (apiImplementation.generateRecoverAccountTokenPOST === undefined) {
+        return false;
+    }
+    const requestBody = await options.req.getJSONBody();
+    const email = requestBody.email;
+    if (email === undefined || typeof email !== "string") {
+        throw new error_1.default({
+            type: error_1.default.BAD_INPUT_ERROR,
+            message: "Please provide the email",
+        });
+    }
+    const result = await apiImplementation.generateRecoverAccountTokenPOST({
+        email,
+        tenantId,
+        options,
+        userContext,
+    });
+    utils_1.send200Response(options.res, result);
+    return true;
+}
+exports.default = generateRecoverAccountToken;

lib/build/recipe/webauthn/api/implementation.d.ts

@@ -0,0 +1,3 @@
+// @ts-nocheck
+import { APIInterface } from "..";
+export default function getAPIImplementation(): APIInterface;