wanderwallet · matteyu · Jan 22, 2025 · Jan 24, 2025 · Feb 25, 2025 · Feb 25, 2025
diff --git a/.env.example b/.env.example
@@ -21,4 +21,10 @@ MAX_ACTIVATIONS_PER_WALLET=""
 MAX_WORK_SHARES_PER_WALLET=""
 MAX_RECOVERY_SHARES_PER_WALLET=""
 MAX_RECOVERIES_PER_WALLET=""
-MAX_EXPORTS_PER_WALLET=""
+MAX_EXPORTS_PER_WALLET=""
+
+
+# PASSKEYS
+WEBAUTHN_RELYING_PARTY_NAME=""
+WEBAUTHN_RELYING_PARTY_ID=""
+WEBAUTHN_RELYING_PARTY_ORIGIN=""
diff --git a/app/page.tsx b/app/page.tsx
@@ -34,10 +34,10 @@ export default function Login() {
   const handleGoogleSignIn = async () => {
     setIsLoading(true)
     try {
-      const { url } = await loginMutation.mutateAsync({ authProviderType: "GOOGLE" })
-      if (url) {
+      const loginData = await loginMutation.mutateAsync({ authProviderType: "GOOGLE" })
+      if (loginData?.url) {
         // Redirect to Google's OAuth page
-        window.location.href = url
+        window.location.href = loginData.url
       } else {
         console.error("No URL returned from authenticate")
       }

diff --git a/package.json b/package.json
@@ -12,6 +12,8 @@
   },
   "dependencies": {
     "@prisma/client": "6.2.1",
+    "@simplewebauthn/browser": "^13.1.0",
+    "@simplewebauthn/server": "^13.1.0",
     "@supabase/supabase-js": "^2.47.15",
     "@tanstack/react-query": "4.36.1",
     "@trpc/client": "^10.45.2",
@@ -26,13 +28,15 @@
     "zod": "^3.24.1"
   },
   "devDependencies": {
+    "@mermaid-js/mermaid-cli": "^11.4.2",
     "@types/jsonwebtoken": "^9.0.7",
     "@types/node": "^20",
     "@types/react": "^18",
     "@types/react-dom": "^18",
     "eslint": "^8",
     "eslint-config-next": "14.2.16",
     "prisma": "6.2.1",
+    "prisma-erd-generator": "^1.11.2",
     "ts-node": "^10.9.2",
     "typescript": "^5"
   }

diff --git a/prisma/ERD.svg b/prisma/ERD.svg
diff --git a/prisma/migrations/20250122083115_add_passkeys/migration.sql b/prisma/migrations/20250122083115_add_passkeys/migration.sql
@@ -0,0 +1,16 @@
+-- CreateEnum
+CREATE TYPE "WebAuthnDeviceType" AS ENUM ('SINGLE_DEVICE', 'MULTI_DEVICE');
+
+-- CreateEnum
+CREATE TYPE "WebAuthnBackupState" AS ENUM ('NOT_BACKED_UP', 'BACKED_UP');
+
+-- AlterTable
+ALTER TABLE "AuthMethods" ADD COLUMN     "aaguid" VARCHAR(255) DEFAULT '00000000-0000-0000-0000-000000000000',
+ADD COLUMN     "backupState" "WebAuthnBackupState" NOT NULL DEFAULT 'NOT_BACKED_UP',
+ADD COLUMN     "deviceType" "WebAuthnDeviceType" NOT NULL DEFAULT 'SINGLE_DEVICE',
+ADD COLUMN     "publicKey" BYTEA,
+ADD COLUMN     "signCount" INTEGER,
+ADD COLUMN     "transports" TEXT[];
+
+-- AlterTable
+ALTER TABLE "Challenges" ADD COLUMN     "usedAt" TIMESTAMP(3);
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
@@ -2,6 +2,10 @@ generator client {
   provider = "prisma-client-js"
 }
 
+generator erd {
+  provider = "prisma-erd-generator"
+}
+
 datasource db {
   provider  = "postgresql"
   url       = env("POSTGRES_PRISMA_URL") // uses connection pooling
@@ -70,6 +74,16 @@ enum ChallengePurpose {
   ACCOUNT_RECOVERY_CONFIRMATION
 }
 
+enum WebAuthnDeviceType {
+  SINGLE_DEVICE
+  MULTI_DEVICE
+}
+
+enum WebAuthnBackupState {
+  NOT_BACKED_UP
+  BACKED_UP
+}
+
 // TODO: Indexes need to be added manually.
 
 // TODO: Should we add triggers somewhere for cascade updates/deletions?
@@ -80,11 +94,15 @@ enum ChallengePurpose {
 
 model AuthMethod {
   id            String           @id @default(uuid())
-  // TODO: Not sure we need this separate ID. This would come from Auth0. Maybe it can just be the main id on this table.
-  providerId    String           @db.VarChar(255)
+  providerId    String           @db.VarChar(255) // Can store passkey credential ID for passkeys
   providerType  AuthProviderType
-  /// This can be an email for EMAIL, a profile handler for social networks or some kind of device ID for passkeys.
-  providerLabel String           @db.VarChar(255)
+  providerLabel String           @db.VarChar(255) // Friendly name for the passkey
+  publicKey     Bytes?           // Public key for passkeys
+  aaguid        String?          @db.VarChar(255) @default("00000000-0000-0000-0000-000000000000") // Authenticator ID
+  signCount     Int?             // Used for replay protection
+  transports    String[]      // List of transports (e.g., "usb", "ble")
+  deviceType    WebAuthnDeviceType @default(SINGLE_DEVICE) // Type of device used
+  backupState   WebAuthnBackupState @default(NOT_BACKED_UP) // Backup state
   linkedAt      DateTime         @default(now())
   lastUsedAt    DateTime         @default(now())
   unlinkedAt    DateTime?
@@ -93,7 +111,6 @@ model AuthMethod {
   userId String
 
   @@unique([userId, providerId], name: "userAuthentication")
-  // TODO: If we end up removing providerId, we can remove this index
   @@index([providerId])
   @@index([lastUsedAt])
   @@map("AuthMethods")
@@ -372,6 +389,7 @@ model Challenge {
   value    String           @db.VarChar(255)
   version  String           @db.VarChar(50)
   issuedAt DateTime         @default(now())
+  usedAt   DateTime?        // New field to track when the challenge is used?
 
   user   User?   @relation(fields: [userId], references: [id], onDelete: Cascade)
   userId String?

diff --git a/server/routers/_app.ts b/server/routers/_app.ts
@@ -1,4 +1,3 @@
-import { z } from "zod";
 import { protectedProcedure, router } from "../trpc";
 import { authenticateRouter } from "./authenticate";
 

diff --git a/server/routers/authenticate.ts b/server/routers/authenticate.ts
diff --git a/server/routers/authenticate/authProviders/google.ts b/server/routers/authenticate/authProviders/google.ts
@@ -0,0 +1,10 @@
+import { publicProcedure } from "@/server/trpc"
+import { handleGoogleCallback } from "@/services/auth"
+
+export const googleRoutes = {
+  handleGoogleCallback: publicProcedure.query(async () => {
+    const user = await handleGoogleCallback()
+    return { user }
+  }),
+  // Add any other google auth related routes here
+}
diff --git a/server/routers/authenticate/authProviders/passkeys.ts b/server/routers/authenticate/authProviders/passkeys.ts
@@ -0,0 +1,125 @@
+// src/server/routers/passkeys.ts
+import {
+  generateRegistrationOptions,
+  verifyRegistrationResponse,
+} from "@simplewebauthn/server";
+import { supabase } from "@/lib/supabaseClient";
+import { TRPCError } from "@trpc/server";
+import { z } from "zod";
+import { publicProcedure } from "@/server/trpc";
+import {
+  relyingPartyID,
+  relyingPartyName,
+  relyingPartyOrigin,
+} from "@/services/webauthnConfig";
+
+function stringToUint8Array(str: string): Uint8Array {
+  return new TextEncoder().encode(str);
+}
+
+export const passkeysRoutes = {
+  startRegistration: publicProcedure
+    .input(
+      z.object({
+        userId: z.string(),
+        userEmail: z.string(),
+      })
+    )
+    .mutation(async ({ input }) => {
+      const { userId, userEmail } = input;
+
+      // Generate registration options
+      const options = await generateRegistrationOptions({
+        rpName: relyingPartyName,
+        rpID: relyingPartyID,
+        userID: stringToUint8Array(userId),
+        userName: userEmail,
+        attestationType: "direct",
+        authenticatorSelection: {
+          residentKey: "preferred",
+          userVerification: "preferred",
+          authenticatorAttachment: "platform",
+        },
+      });
+
+      // Store challenge in the database
+      const { error } = await supabase.from("Challenges").insert({
+        type: "SIGNATURE",
+        purpose: "ACCOUNT_RECOVERY",
+        value: options.challenge,
+        user_id: userId,
+      });
+
+      if (error) {
+        throw new TRPCError({
+          code: "INTERNAL_SERVER_ERROR",
+          message: error.message,
+        });
+      }
+
+      return options;
+    }),
+  verifyRegistration: publicProcedure
+    .input(
+      z.object({
+        userId: z.string(),
+        attestationResponse: z.any(),
+      })
+    )
+    .mutation(async ({ input }) => {
+      const { userId, attestationResponse } = input;
+
+      // Retrieve the challenge
+      const { data: challenge, error: challengeError } = await supabase
+        .from("Challenges")
+        .select("*")
+        .eq("user_id", userId)
+        .order("created_at", { ascending: false })
+        .limit(1)
+        .single();
+
+      if (challengeError || !challenge) {
+        throw new TRPCError({
+          code: "NOT_FOUND",
+          message: "Challenge not found",
+        });
+      }
+
+      // Verify the response
+      const verification = await verifyRegistrationResponse({
+        response: attestationResponse,
+        expectedChallenge: challenge.value,
+        expectedOrigin: relyingPartyOrigin,
+        expectedRPID: relyingPartyID,
+      });
+
+      if (!verification.verified) {
+        throw new TRPCError({
+          code: "FORBIDDEN",
+          message: "Verification failed",
+        });
+      }
+
+      // Save the credential
+      const { error: saveError } = await supabase.from("AuthMethods").insert({
+        user_id: userId,
+        provider_id: verification.registrationInfo?.credential.id,
+        public_key: verification.registrationInfo?.credential.publicKey,
+        sign_count: verification.registrationInfo?.credential.counter,
+        provider_label: `Passkey created ${new Date().toLocaleString()}`,
+        provider_type: "PASSKEYS",
+      });
+
+      if (saveError) {
+        throw new TRPCError({
+          code: "INTERNAL_SERVER_ERROR",
+          message: saveError.message,
+        });
+      }
+
+      // Delete the challenge
+      await supabase.from("Challenges").delete().eq("id", challenge.id);
+
+      return { verified: true };
+    }),
+};