[RFC] Webauthn / Passkeys

[ilkergzlkkr]

resolves #111

This implementation only allows issuer to verify webauthn credentials. Users required to create credentails on another client.

We are creating user passkeys on profile page, using apex domain rpId (example.com) so issuer (auth.example.com) can access credentials to verify. more info

Usage:

providers: {
    otp: CodeProvider(
      CodeUI({
        sendCode: async (claims, code) => {
          await authService.sendMagicLinkEmail(claims.email, code);
        },
      }),
    ),
    passkey: WebAuthnProvider(
      WebAuthnUI({
        // options returned to the browser to get the credential
        options: {
          userVerification: "required",
          rpId: "myapp.com", // optional, defaults to the domain of the issuer (auth.example.com)
        },
        async getCredential(id) {
          // get the credential from the database
          const credential = await authService.getPasskeyCredential(id);

          if (!credential) return null;

          return { credential, claims: { userId: credential.userId } };
        },
      }),
    ),
  },

Authentication inspired by Pilcrow's Guide: https://webauthn.oslojs.dev/examples/authentication

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0ae3d97

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR