feat: add endpoints - authenticate [passkeys] by matteyu · Pull Request #4 · wanderwallet/embed-api

matteyu · 2025-01-22T08:35:18Z

JIra: https://communitylabs.atlassian.net/browse/ARC-937?atlOrigin=eyJpIjoiNGFhMGUwZTE0ZTc2NDIyNmJmYmE5NGRkZjhiNDUzYWQiLCJwIjoiaiJ9

Passkeys auth implementation

Screen.Recording.2025-03-23.at.9.07.46.PM.mp4

prisma/ERD.svg

prisma/schema.prisma

server/routers/authenticate/authProviders/passkeys.ts

server/routers/authenticate/index.ts

services/auth.ts

vercel · 2025-02-25T16:07:16Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
embed-api	❌ Failed (Inspect)			May 7, 2025 7:33am

server/utils/passkey/session.ts

server/utils/backup/backup.utils.ts

server/routers/share-recovery/recoverWallet.ts

matteyu · 2025-05-02T05:07:59Z

Updated video of iframe test with passkeys

https://drive.google.com/file/d/1Imw5hxeI34aJm408QKV0xbAtLE_bUFpz/view?usp=drive_link

Draft PR updated to support passkeys in iframe: wanderwallet/Wander#793

Danziger · 2025-05-04T22:17:04Z

server/context.ts

+      }
+
+      // Fetch the user from the database
+      const userProfile = await prisma.userProfile.findUnique({


Auth tokens can never be generated on the client, as this allows an attacker to steal anyone else's session/account.

The token gets generated on the server and get sent to the client so the signing key is still on the server. It just gets stored in localstorage on client side and sent back upon requests to the server

Danziger · 2025-05-04T22:17:43Z

server/context.ts

+
+        // If session doesn't exist, create it based on the token data
+        const newSessionId = decodedToken.session_id || crypto.randomUUID();
+        const newDeviceNonce = decodedToken.device_nonce || deviceNonce || crypto.randomUUID();


Device nonces should also be generated on the client.

removed crypto.randomUUID(); for server generation

Danziger · 2025-05-04T22:44:10Z

server/utils/passkey/session.ts

+    email: string | null;
+    phone: string | null;
+    app_metadata: {
+      sessionData?: {


Session data seems to be at the root, not nested inside app_metadata. app_metadata could be used to identify this sessions as originating from a passkeys authentication, as it usually contains something like this:

"app_metadata": { "provider": "twitter", "providers": [ "twitter" ] }

However, if you fetch a session on the client, you'll session.user also contains an identities property. I'm not sure if manually setting the value of provider and providers will throw any error, as it's related to this: https://supabase.com/docs/guides/auth/auth-identity-linking

If that doesn't work, I guess it would make sense to set app_metadata.provider to the value that corresponds to email and password, as that's how we created those users anyway, and move the user details to user_metadata. This means that the client should not need to store any kind of data to know whether a session comes from a passkeys authentication or something else, as the session itself contains that information.

good point. I restructured it so that it specifies passkey auth method in app data. I've tested it and it did not throw any errors when manually setting these values.

matteyu added 2 commits January 22, 2025 00:32

feat: add passkeys registration, auth, verify routes

564f163

add auth methods for passkeys

edc5e1e

matteyu changed the title ~~[WIP] feat: add endpoints - authenticate [passkeys]~~ feat: add endpoints - authenticate [passkeys] Jan 27, 2025

matteyu changed the title ~~feat: add endpoints - authenticate [passkeys]~~ feat: add endpoints - authenticate [passkeys] - part 2 Jan 27, 2025