@authsignal/browser
Version:
**[Authsignal](https://www.authsignal.com) provides passwordless step up authentication (Multi-factor Authentication - MFA) that can be placed anywhere within your application. Authsignal also provides a no-code fraud risk rules engine to manage when step
1,108 lines (1,065 loc) • 155 kB
JavaScript
// Unique ID creation requires a high quality random # generator. In the browser we therefore
// require the crypto API and do not support built-in fallback to lower quality random number
// generators (like Math.random()).
let getRandomValues;
const rnds8 = new Uint8Array(16);
function rng() {
// lazy load so that environments that need to polyfill have a chance to do so
if (!getRandomValues) {
// getRandomValues needs to be invoked in a context where "this" is a Crypto implementation.
getRandomValues = typeof crypto !== 'undefined' && crypto.getRandomValues && crypto.getRandomValues.bind(crypto);
if (!getRandomValues) {
throw new Error('crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported');
}
}
return getRandomValues(rnds8);
}
/**
* Convert array of 16 byte values to UUID string format of the form:
* XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
*/
const byteToHex = [];
for (let i = 0; i < 256; ++i) {
byteToHex.push((i + 0x100).toString(16).slice(1));
}
function unsafeStringify(arr, offset = 0) {
// Note: Be careful editing this code! It's been tuned for performance
// and works in ways you may not expect. See https://github.com/uuidjs/uuid/pull/434
return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + '-' + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + '-' + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + '-' + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + '-' + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
}
const randomUUID = typeof crypto !== 'undefined' && crypto.randomUUID && crypto.randomUUID.bind(crypto);
var native = {
randomUUID
};
function v4(options, buf, offset) {
if (native.randomUUID && !buf && !options) {
return native.randomUUID();
}
options = options || {};
const rnds = options.random || (options.rng || rng)(); // Per 4.4, set bits for version and `clock_seq_hi_and_reserved`
rnds[6] = rnds[6] & 0x0f | 0x40;
rnds[8] = rnds[8] & 0x3f | 0x80; // Copy bytes to buffer, if provided
if (buf) {
offset = offset || 0;
for (let i = 0; i < 16; ++i) {
buf[offset + i] = rnds[i];
}
return buf;
}
return unsafeStringify(rnds);
}
/******************************************************************************
Copyright (c) Microsoft Corporation.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
***************************************************************************** */
/* global Reflect, Promise */
var extendStatics = function(d, b) {
extendStatics = Object.setPrototypeOf ||
({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };
return extendStatics(d, b);
};
function __extends(d, b) {
if (typeof b !== "function" && b !== null)
throw new TypeError("Class extends value " + String(b) + " is not a constructor or null");
extendStatics(d, b);
function __() { this.constructor = d; }
d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
}
var __assign = function() {
__assign = Object.assign || function __assign(t) {
for (var s, i = 1, n = arguments.length; i < n; i++) {
s = arguments[i];
for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p)) t[p] = s[p];
}
return t;
};
return __assign.apply(this, arguments);
};
function __rest(s, e) {
var t = {};
for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
t[p] = s[p];
if (s != null && typeof Object.getOwnPropertySymbols === "function")
for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
t[p[i]] = s[p[i]];
}
return t;
}
function __awaiter(thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
}
function __generator(thisArg, body) {
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
function verb(n) { return function (v) { return step([n, v]); }; }
function step(op) {
if (f) throw new TypeError("Generator is already executing.");
while (_) try {
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
if (y = 0, t) op = [op[0] & 2, t.value];
switch (op[0]) {
case 0: case 1: t = op; break;
case 4: _.label++; return { value: op[1], done: false };
case 5: _.label++; y = op[1]; op = [0]; continue;
case 7: op = _.ops.pop(); _.trys.pop(); continue;
default:
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
if (t[2]) _.ops.pop();
_.trys.pop(); continue;
}
op = body.call(thisArg, _);
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
}
}
/**
* Convert the given array buffer into a Base64URL-encoded string. Ideal for converting various
* credential response ArrayBuffers to string for sending back to the server as JSON.
*
* Helper method to compliment `base64URLStringToBuffer`
*/
function bufferToBase64URLString(buffer) {
const bytes = new Uint8Array(buffer);
let str = '';
for (const charCode of bytes) {
str += String.fromCharCode(charCode);
}
const base64String = btoa(str);
return base64String.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
}
/**
* Convert from a Base64URL-encoded string to an Array Buffer. Best used when converting a
* credential ID from a JSON string to an ArrayBuffer, like in allowCredentials or
* excludeCredentials
*
* Helper method to compliment `bufferToBase64URLString`
*/
function base64URLStringToBuffer(base64URLString) {
// Convert from Base64URL to Base64
const base64 = base64URLString.replace(/-/g, '+').replace(/_/g, '/');
/**
* Pad with '=' until it's a multiple of four
* (4 - (85 % 4 = 1) = 3) % 4 = 3 padding
* (4 - (86 % 4 = 2) = 2) % 4 = 2 padding
* (4 - (87 % 4 = 3) = 1) % 4 = 1 padding
* (4 - (88 % 4 = 0) = 4) % 4 = 0 padding
*/
const padLength = (4 - (base64.length % 4)) % 4;
const padded = base64.padEnd(base64.length + padLength, '=');
// Convert to a binary string
const binary = atob(padded);
// Convert binary string to buffer
const buffer = new ArrayBuffer(binary.length);
const bytes = new Uint8Array(buffer);
for (let i = 0; i < binary.length; i++) {
bytes[i] = binary.charCodeAt(i);
}
return buffer;
}
/**
* Determine if the browser is capable of Webauthn
*/
function browserSupportsWebAuthn() {
return _browserSupportsWebAuthnInternals.stubThis(globalThis?.PublicKeyCredential !== undefined &&
typeof globalThis.PublicKeyCredential === 'function');
}
/**
* Make it possible to stub the return value during testing
* @ignore Don't include this in docs output
*/
const _browserSupportsWebAuthnInternals = {
stubThis: (value) => value,
};
function toPublicKeyCredentialDescriptor(descriptor) {
const { id } = descriptor;
return {
...descriptor,
id: base64URLStringToBuffer(id),
/**
* `descriptor.transports` is an array of our `AuthenticatorTransportFuture` that includes newer
* transports that TypeScript's DOM lib is ignorant of. Convince TS that our list of transports
* are fine to pass to WebAuthn since browsers will recognize the new value.
*/
transports: descriptor.transports,
};
}
/**
* A simple test to determine if a hostname is a properly-formatted domain name
*
* A "valid domain" is defined here: https://url.spec.whatwg.org/#valid-domain
*
* Regex sourced from here:
* https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html
*/
function isValidDomain(hostname) {
return (
// Consider localhost valid as well since it's okay wrt Secure Contexts
hostname === 'localhost' ||
/^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(hostname));
}
/**
* A custom Error used to return a more nuanced error detailing _why_ one of the eight documented
* errors in the spec was raised after calling `navigator.credentials.create()` or
* `navigator.credentials.get()`:
*
* - `AbortError`
* - `ConstraintError`
* - `InvalidStateError`
* - `NotAllowedError`
* - `NotSupportedError`
* - `SecurityError`
* - `TypeError`
* - `UnknownError`
*
* Error messages were determined through investigation of the spec to determine under which
* scenarios a given error would be raised.
*/
class WebAuthnError extends Error {
constructor({ message, code, cause, name, }) {
// @ts-ignore: help Rollup understand that `cause` is okay to set
super(message, { cause });
Object.defineProperty(this, "code", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this.name = name ?? cause.name;
this.code = code;
}
}
/**
* Attempt to intuit _why_ an error was raised after calling `navigator.credentials.create()`
*/
function identifyRegistrationError({ error, options, }) {
const { publicKey } = options;
if (!publicKey) {
throw Error('options was missing required publicKey property');
}
if (error.name === 'AbortError') {
if (options.signal instanceof AbortSignal) {
// https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
return new WebAuthnError({
message: 'Registration ceremony was sent an abort signal',
code: 'ERROR_CEREMONY_ABORTED',
cause: error,
});
}
}
else if (error.name === 'ConstraintError') {
if (publicKey.authenticatorSelection?.requireResidentKey === true) {
// https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 4)
return new WebAuthnError({
message: 'Discoverable credentials were required but no available authenticator supported it',
code: 'ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT',
cause: error,
});
}
else if (
// @ts-ignore: `mediation` doesn't yet exist on CredentialCreationOptions but it's possible as of Sept 2024
options.mediation === 'conditional' &&
publicKey.authenticatorSelection?.userVerification === 'required') {
// https://w3c.github.io/webauthn/#sctn-createCredential (Step 22.4)
return new WebAuthnError({
message: 'User verification was required during automatic registration but it could not be performed',
code: 'ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE',
cause: error,
});
}
else if (publicKey.authenticatorSelection?.userVerification === 'required') {
// https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 5)
return new WebAuthnError({
message: 'User verification was required but no available authenticator supported it',
code: 'ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT',
cause: error,
});
}
}
else if (error.name === 'InvalidStateError') {
// https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 20)
// https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 3)
return new WebAuthnError({
message: 'The authenticator was previously registered',
code: 'ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED',
cause: error,
});
}
else if (error.name === 'NotAllowedError') {
/**
* Pass the error directly through. Platforms are overloading this error beyond what the spec
* defines and we don't want to overwrite potentially useful error messages.
*/
return new WebAuthnError({
message: error.message,
code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
cause: error,
});
}
else if (error.name === 'NotSupportedError') {
const validPubKeyCredParams = publicKey.pubKeyCredParams.filter((param) => param.type === 'public-key');
if (validPubKeyCredParams.length === 0) {
// https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 10)
return new WebAuthnError({
message: 'No entry in pubKeyCredParams was of type "public-key"',
code: 'ERROR_MALFORMED_PUBKEYCREDPARAMS',
cause: error,
});
}
// https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 2)
return new WebAuthnError({
message: 'No available authenticator supported any of the specified pubKeyCredParams algorithms',
code: 'ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG',
cause: error,
});
}
else if (error.name === 'SecurityError') {
const effectiveDomain = globalThis.location.hostname;
if (!isValidDomain(effectiveDomain)) {
// https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 7)
return new WebAuthnError({
message: `${globalThis.location.hostname} is an invalid domain`,
code: 'ERROR_INVALID_DOMAIN',
cause: error,
});
}
else if (publicKey.rp.id !== effectiveDomain) {
// https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 8)
return new WebAuthnError({
message: `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
code: 'ERROR_INVALID_RP_ID',
cause: error,
});
}
}
else if (error.name === 'TypeError') {
if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
// https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 5)
return new WebAuthnError({
message: 'User ID was not between 1 and 64 characters',
code: 'ERROR_INVALID_USER_ID_LENGTH',
cause: error,
});
}
}
else if (error.name === 'UnknownError') {
// https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 1)
// https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 8)
return new WebAuthnError({
message: 'The authenticator was unable to process the specified options, or could not create a new credential',
code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
cause: error,
});
}
return error;
}
class BaseWebAuthnAbortService {
constructor() {
Object.defineProperty(this, "controller", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
}
createNewAbortSignal() {
// Abort any existing calls to navigator.credentials.create() or navigator.credentials.get()
if (this.controller) {
const abortError = new Error('Cancelling existing WebAuthn API call for new one');
abortError.name = 'AbortError';
this.controller.abort(abortError);
}
const newController = new AbortController();
this.controller = newController;
return newController.signal;
}
cancelCeremony() {
if (this.controller) {
const abortError = new Error('Manually cancelling existing WebAuthn API call');
abortError.name = 'AbortError';
this.controller.abort(abortError);
this.controller = undefined;
}
}
}
/**
* A service singleton to help ensure that only a single WebAuthn ceremony is active at a time.
*
* Users of **@simplewebauthn/browser** shouldn't typically need to use this, but it can help e.g.
* developers building projects that use client-side routing to better control the behavior of
* their UX in response to router navigation events.
*/
const WebAuthnAbortService = new BaseWebAuthnAbortService();
const attachments = ['cross-platform', 'platform'];
/**
* If possible coerce a `string` value into a known `AuthenticatorAttachment`
*/
function toAuthenticatorAttachment(attachment) {
if (!attachment) {
return;
}
if (attachments.indexOf(attachment) < 0) {
return;
}
return attachment;
}
/**
* Begin authenticator "registration" via WebAuthn attestation
*
* @param optionsJSON Output from **@simplewebauthn/server**'s `generateRegistrationOptions()`
* @param useAutoRegister (Optional) Try to silently create a passkey with the password manager that the user just signed in with. Defaults to `false`.
*/
async function startRegistration(options) {
// @ts-ignore: Intentionally check for old call structure to warn about improper API call
if (!options.optionsJSON && options.challenge) {
console.warn('startRegistration() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information.');
// @ts-ignore: Reassign the options, passed in as a positional argument, to the expected variable
options = { optionsJSON: options };
}
const { optionsJSON, useAutoRegister = false } = options;
if (!browserSupportsWebAuthn()) {
throw new Error('WebAuthn is not supported in this browser');
}
// We need to convert some values to Uint8Arrays before passing the credentials to the navigator
const publicKey = {
...optionsJSON,
challenge: base64URLStringToBuffer(optionsJSON.challenge),
user: {
...optionsJSON.user,
id: base64URLStringToBuffer(optionsJSON.user.id),
},
excludeCredentials: optionsJSON.excludeCredentials?.map(toPublicKeyCredentialDescriptor),
};
// Prepare options for `.create()`
const createOptions = {};
/**
* Try to use conditional create to register a passkey for the user with the password manager
* the user just used to authenticate with. The user won't be shown any prominent UI by the
* browser.
*/
if (useAutoRegister) {
// @ts-ignore: `mediation` doesn't yet exist on CredentialCreationOptions but it's possible as of Sept 2024
createOptions.mediation = 'conditional';
}
// Finalize options
createOptions.publicKey = publicKey;
// Set up the ability to cancel this request if the user attempts another
createOptions.signal = WebAuthnAbortService.createNewAbortSignal();
// Wait for the user to complete attestation
let credential;
try {
credential = (await navigator.credentials.create(createOptions));
}
catch (err) {
throw identifyRegistrationError({ error: err, options: createOptions });
}
if (!credential) {
throw new Error('Registration was not completed');
}
const { id, rawId, response, type } = credential;
// Continue to play it safe with `getTransports()` for now, even when L3 types say it's required
let transports = undefined;
if (typeof response.getTransports === 'function') {
transports = response.getTransports();
}
// L3 says this is required, but browser and webview support are still not guaranteed.
let responsePublicKeyAlgorithm = undefined;
if (typeof response.getPublicKeyAlgorithm === 'function') {
try {
responsePublicKeyAlgorithm = response.getPublicKeyAlgorithm();
}
catch (error) {
warnOnBrokenImplementation('getPublicKeyAlgorithm()', error);
}
}
let responsePublicKey = undefined;
if (typeof response.getPublicKey === 'function') {
try {
const _publicKey = response.getPublicKey();
if (_publicKey !== null) {
responsePublicKey = bufferToBase64URLString(_publicKey);
}
}
catch (error) {
warnOnBrokenImplementation('getPublicKey()', error);
}
}
// L3 says this is required, but browser and webview support are still not guaranteed.
let responseAuthenticatorData;
if (typeof response.getAuthenticatorData === 'function') {
try {
responseAuthenticatorData = bufferToBase64URLString(response.getAuthenticatorData());
}
catch (error) {
warnOnBrokenImplementation('getAuthenticatorData()', error);
}
}
return {
id,
rawId: bufferToBase64URLString(rawId),
response: {
attestationObject: bufferToBase64URLString(response.attestationObject),
clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
transports,
publicKeyAlgorithm: responsePublicKeyAlgorithm,
publicKey: responsePublicKey,
authenticatorData: responseAuthenticatorData,
},
type,
clientExtensionResults: credential.getClientExtensionResults(),
authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment),
};
}
/**
* Visibly warn when we detect an issue related to a passkey provider intercepting WebAuthn API
* calls
*/
function warnOnBrokenImplementation(methodName, cause) {
console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${methodName}. You should report this error to them.\n`, cause);
}
/**
* Determine if the browser supports conditional UI, so that WebAuthn credentials can
* be shown to the user in the browser's typical password autofill popup.
*/
function browserSupportsWebAuthnAutofill() {
if (!browserSupportsWebAuthn()) {
return _browserSupportsWebAuthnAutofillInternals.stubThis(new Promise((resolve) => resolve(false)));
}
/**
* I don't like the `as unknown` here but there's a `declare var PublicKeyCredential` in
* TS' DOM lib that's making it difficult for me to just go `as PublicKeyCredentialFuture` as I
* want. I think I'm fine with this for now since it's _supposed_ to be temporary, until TS types
* have a chance to catch up.
*/
const globalPublicKeyCredential = globalThis
.PublicKeyCredential;
if (globalPublicKeyCredential?.isConditionalMediationAvailable === undefined) {
return _browserSupportsWebAuthnAutofillInternals.stubThis(new Promise((resolve) => resolve(false)));
}
return _browserSupportsWebAuthnAutofillInternals.stubThis(globalPublicKeyCredential.isConditionalMediationAvailable());
}
// Make it possible to stub the return value during testing
const _browserSupportsWebAuthnAutofillInternals = {
stubThis: (value) => value,
};
/**
* Attempt to intuit _why_ an error was raised after calling `navigator.credentials.get()`
*/
function identifyAuthenticationError({ error, options, }) {
const { publicKey } = options;
if (!publicKey) {
throw Error('options was missing required publicKey property');
}
if (error.name === 'AbortError') {
if (options.signal instanceof AbortSignal) {
// https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
return new WebAuthnError({
message: 'Authentication ceremony was sent an abort signal',
code: 'ERROR_CEREMONY_ABORTED',
cause: error,
});
}
}
else if (error.name === 'NotAllowedError') {
/**
* Pass the error directly through. Platforms are overloading this error beyond what the spec
* defines and we don't want to overwrite potentially useful error messages.
*/
return new WebAuthnError({
message: error.message,
code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
cause: error,
});
}
else if (error.name === 'SecurityError') {
const effectiveDomain = globalThis.location.hostname;
if (!isValidDomain(effectiveDomain)) {
// https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 5)
return new WebAuthnError({
message: `${globalThis.location.hostname} is an invalid domain`,
code: 'ERROR_INVALID_DOMAIN',
cause: error,
});
}
else if (publicKey.rpId !== effectiveDomain) {
// https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 6)
return new WebAuthnError({
message: `The RP ID "${publicKey.rpId}" is invalid for this domain`,
code: 'ERROR_INVALID_RP_ID',
cause: error,
});
}
}
else if (error.name === 'UnknownError') {
// https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 1)
// https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 12)
return new WebAuthnError({
message: 'The authenticator was unable to process the specified options, or could not create a new assertion signature',
code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
cause: error,
});
}
return error;
}
/**
* Begin authenticator "login" via WebAuthn assertion
*
* @param optionsJSON Output from **@simplewebauthn/server**'s `generateAuthenticationOptions()`
* @param useBrowserAutofill (Optional) Initialize conditional UI to enable logging in via browser autofill prompts. Defaults to `false`.
* @param verifyBrowserAutofillInput (Optional) Ensure a suitable `<input>` element is present when `useBrowserAutofill` is `true`. Defaults to `true`.
*/
async function startAuthentication(options) {
// @ts-ignore: Intentionally check for old call structure to warn about improper API call
if (!options.optionsJSON && options.challenge) {
console.warn('startAuthentication() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information.');
// @ts-ignore: Reassign the options, passed in as a positional argument, to the expected variable
options = { optionsJSON: options };
}
const { optionsJSON, useBrowserAutofill = false, verifyBrowserAutofillInput = true, } = options;
if (!browserSupportsWebAuthn()) {
throw new Error('WebAuthn is not supported in this browser');
}
// We need to avoid passing empty array to avoid blocking retrieval
// of public key
let allowCredentials;
if (optionsJSON.allowCredentials?.length !== 0) {
allowCredentials = optionsJSON.allowCredentials?.map(toPublicKeyCredentialDescriptor);
}
// We need to convert some values to Uint8Arrays before passing the credentials to the navigator
const publicKey = {
...optionsJSON,
challenge: base64URLStringToBuffer(optionsJSON.challenge),
allowCredentials,
};
// Prepare options for `.get()`
const getOptions = {};
/**
* Set up the page to prompt the user to select a credential for authentication via the browser's
* input autofill mechanism.
*/
if (useBrowserAutofill) {
if (!(await browserSupportsWebAuthnAutofill())) {
throw Error('Browser does not support WebAuthn autofill');
}
// Check for an <input> with "webauthn" in its `autocomplete` attribute
const eligibleInputs = document.querySelectorAll("input[autocomplete$='webauthn']");
// WebAuthn autofill requires at least one valid input
if (eligibleInputs.length < 1 && verifyBrowserAutofillInput) {
throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');
}
// `CredentialMediationRequirement` doesn't know about "conditional" yet as of
// typescript@4.6.3
getOptions.mediation = 'conditional';
// Conditional UI requires an empty allow list
publicKey.allowCredentials = [];
}
// Finalize options
getOptions.publicKey = publicKey;
// Set up the ability to cancel this request if the user attempts another
getOptions.signal = WebAuthnAbortService.createNewAbortSignal();
// Wait for the user to complete assertion
let credential;
try {
credential = (await navigator.credentials.get(getOptions));
}
catch (err) {
throw identifyAuthenticationError({ error: err, options: getOptions });
}
if (!credential) {
throw new Error('Authentication was not completed');
}
const { id, rawId, response, type } = credential;
let userHandle = undefined;
if (response.userHandle) {
userHandle = bufferToBase64URLString(response.userHandle);
}
// Convert values to base64 to make it easier to send back to the server
return {
id,
rawId: bufferToBase64URLString(rawId),
response: {
authenticatorData: bufferToBase64URLString(response.authenticatorData),
clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
signature: bufferToBase64URLString(response.signature),
userHandle,
},
type,
clientExtensionResults: credential.getClientExtensionResults(),
authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment),
};
}
function setCookie(_a) {
var name = _a.name, value = _a.value, expire = _a.expire, domain = _a.domain, secure = _a.secure;
var expireString = expire === Infinity ? " expires=Fri, 31 Dec 9999 23:59:59 GMT" : "; max-age=" + expire;
document.cookie =
encodeURIComponent(name) +
"=" +
value +
"; path=/;" +
expireString +
(domain ? "; domain=" + domain : "") +
(secure ? "; secure" : "");
}
function getCookieDomain() {
return document.location.hostname.replace("www.", "");
}
function getCookie(name) {
if (!name) {
return null;
}
return (decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*" + encodeURIComponent(name).replace(/[\-\.\+\*]/g, "\\$&") + "\\s*\\=\\s*([^;]*).*$)|^.*$"), "$1")) || null);
}
function handleErrorResponse(errorResponse) {
var _a;
var error = (_a = errorResponse.errorDescription) !== null && _a !== void 0 ? _a : errorResponse.error;
console.error(error);
return {
error: error,
};
}
function handleApiResponse(response) {
var _a;
if (response && typeof response === "object" && "error" in response) {
var error = (_a = response.errorDescription) !== null && _a !== void 0 ? _a : response.error;
console.error(error);
return {
error: error,
};
}
else if (response &&
typeof response === "object" &&
"accessToken" in response &&
typeof response.accessToken === "string") {
var accessToken = response.accessToken, data = __rest(response, ["accessToken"]);
return {
data: __assign(__assign({}, data), { token: accessToken }),
};
}
else {
return {
data: response,
};
}
}
function handleWebAuthnError(error) {
var _a, _b;
if (error instanceof WebAuthnError && error.code === "ERROR_INVALID_RP_ID") {
var rpId = ((_b = (_a = error.message) === null || _a === void 0 ? void 0 : _a.match(/"([^"]*)"/)) === null || _b === void 0 ? void 0 : _b[1]) || "";
console.error("[Authsignal] The Relying Party ID \"".concat(rpId, "\" is invalid for this domain.\n To learn more, visit https://docs.authsignal.com/scenarios/passkeys-prebuilt-ui#defining-the-relying-party"));
}
}
var AuthsignalWindowMessage;
(function (AuthsignalWindowMessage) {
AuthsignalWindowMessage["AUTHSIGNAL_CLOSE_POPUP"] = "AUTHSIGNAL_CLOSE_POPUP";
})(AuthsignalWindowMessage || (AuthsignalWindowMessage = {}));
function buildHeaders(_a) {
var token = _a.token, tenantId = _a.tenantId;
var authorizationHeader = token ? "Bearer ".concat(token) : "Basic ".concat(window.btoa(encodeURIComponent(tenantId)));
return {
"Content-Type": "application/json",
Authorization: authorizationHeader,
};
}
function handleTokenExpired(_a) {
var response = _a.response, onTokenExpired = _a.onTokenExpired;
if ("error" in response && response.errorCode === "expired_token" && onTokenExpired) {
onTokenExpired();
}
}
var PasskeyApiClient = /** @class */ (function () {
function PasskeyApiClient(_a) {
var baseUrl = _a.baseUrl, tenantId = _a.tenantId, onTokenExpired = _a.onTokenExpired;
this.tenantId = tenantId;
this.baseUrl = baseUrl;
this.onTokenExpired = onTokenExpired;
}
PasskeyApiClient.prototype.registrationOptions = function (_a) {
return __awaiter(this, arguments, void 0, function (_b) {
var body, response, responseJson;
var token = _b.token, username = _b.username, authenticatorAttachment = _b.authenticatorAttachment;
return __generator(this, function (_c) {
switch (_c.label) {
case 0:
body = Boolean(authenticatorAttachment)
? { username: username, authenticatorAttachment: authenticatorAttachment }
: { username: username };
return [4 /*yield*/, fetch("".concat(this.baseUrl, "/client/user-authenticators/passkey/registration-options"), {
method: "POST",
headers: buildHeaders({ token: token, tenantId: this.tenantId }),
body: JSON.stringify(body),
})];
case 1:
response = _c.sent();
return [4 /*yield*/, response.json()];
case 2:
responseJson = _c.sent();
handleTokenExpired({ response: responseJson, onTokenExpired: this.onTokenExpired });
return [2 /*return*/, responseJson];
}
});
});
};
PasskeyApiClient.prototype.authenticationOptions = function (_a) {
return __awaiter(this, arguments, void 0, function (_b) {
var body, response, responseJson;
var token = _b.token, challengeId = _b.challengeId;
return __generator(this, function (_c) {
switch (_c.label) {
case 0:
body = { challengeId: challengeId };
return [4 /*yield*/, fetch("".concat(this.baseUrl, "/client/user-authenticators/passkey/authentication-options"), {
method: "POST",
headers: buildHeaders({ token: token, tenantId: this.tenantId }),
body: JSON.stringify(body),
})];
case 1:
response = _c.sent();
return [4 /*yield*/, response.json()];
case 2:
responseJson = _c.sent();
handleTokenExpired({ response: responseJson, onTokenExpired: this.onTokenExpired });
return [2 /*return*/, responseJson];
}
});
});
};
PasskeyApiClient.prototype.addAuthenticator = function (_a) {
return __awaiter(this, arguments, void 0, function (_b) {
var body, response, responseJson;
var token = _b.token, challengeId = _b.challengeId, registrationCredential = _b.registrationCredential, conditionalCreate = _b.conditionalCreate;
return __generator(this, function (_c) {
switch (_c.label) {
case 0:
body = {
challengeId: challengeId,
registrationCredential: registrationCredential,
conditionalCreate: conditionalCreate,
};
return [4 /*yield*/, fetch("".concat(this.baseUrl, "/client/user-authenticators/passkey"), {
method: "POST",
headers: buildHeaders({ token: token, tenantId: this.tenantId }),
body: JSON.stringify(body),
})];
case 1:
response = _c.sent();
return [4 /*yield*/, response.json()];
case 2:
responseJson = _c.sent();
handleTokenExpired({ response: responseJson, onTokenExpired: this.onTokenExpired });
return [2 /*return*/, responseJson];
}
});
});
};
PasskeyApiClient.prototype.verify = function (_a) {
return __awaiter(this, arguments, void 0, function (_b) {
var body, response, responseJson;
var token = _b.token, challengeId = _b.challengeId, authenticationCredential = _b.authenticationCredential, deviceId = _b.deviceId;
return __generator(this, function (_c) {
switch (_c.label) {
case 0:
body = { challengeId: challengeId, authenticationCredential: authenticationCredential, deviceId: deviceId };
return [4 /*yield*/, fetch("".concat(this.baseUrl, "/client/verify/passkey"), {
method: "POST",
headers: buildHeaders({ token: token, tenantId: this.tenantId }),
body: JSON.stringify(body),
})];
case 1:
response = _c.sent();
return [4 /*yield*/, response.json()];
case 2:
responseJson = _c.sent();
handleTokenExpired({ response: responseJson, onTokenExpired: this.onTokenExpired });
return [2 /*return*/, responseJson];
}
});
});
};
PasskeyApiClient.prototype.getPasskeyAuthenticator = function (_a) {
return __awaiter(this, arguments, void 0, function (_b) {
var response;
var credentialIds = _b.credentialIds;
return __generator(this, function (_c) {
switch (_c.label) {
case 0: return [4 /*yield*/, fetch("".concat(this.baseUrl, "/client/user-authenticators/passkey?credentialIds=").concat(credentialIds), {
method: "GET",
headers: buildHeaders({ tenantId: this.tenantId }),
})];
case 1:
response = _c.sent();
if (!response.ok) {
throw new Error(response.statusText);
}
return [2 /*return*/, response.json()];
}
});
});
};
PasskeyApiClient.prototype.challenge = function (action) {
return __awaiter(this, void 0, void 0, function () {
var response, responseJson;
return __generator(this, function (_a) {
switch (_a.label) {
case 0: return [4 /*yield*/, fetch("".concat(this.baseUrl, "/client/challenge"), {
method: "POST",
headers: buildHeaders({ tenantId: this.tenantId }),
body: JSON.stringify({ action: action }),
})];
case 1:
response = _a.sent();
return [4 /*yield*/, response.json()];
case 2:
responseJson = _a.sent();
handleTokenExpired({ response: responseJson, onTokenExpired: this.onTokenExpired });
return [2 /*return*/, responseJson];
}
});
});
};
return PasskeyApiClient;
}());
var TokenCache = /** @class */ (function () {
function TokenCache() {
this.token = null;
}
TokenCache.prototype.handleTokenNotSetError = function () {
var error = "A token has not been set. Call 'setToken' first.";
var errorCode = "TOKEN_NOT_SET";
console.error("Error: ".concat(error));
return {
error: errorCode,
errorDescription: error,
};
};
TokenCache.shared = new TokenCache();
return TokenCache;
}());
var autofillRequestPending = false;
var Passkey = /** @class */ (function () {
function Passkey(_a) {
var baseUrl = _a.baseUrl, tenantId = _a.tenantId, anonymousId = _a.anonymousId, onTokenExpired = _a.onTokenExpired;
this.passkeyLocalStorageKey = "as_user_passkey_map";
this.cache = TokenCache.shared;
this.api = new PasskeyApiClient({ baseUrl: baseUrl, tenantId: tenantId, onTokenExpired: onTokenExpired });
this.anonymousId = anonymousId;
}
Passkey.prototype.signUp = function (_a) {
return __awaiter(this, arguments, void 0, function (_b) {
var userToken, optionsInput, optionsResponse, registrationResponse, addAuthenticatorResponse, e_1;
var username = _b.username, displayName = _b.displayName, token = _b.token, _c = _b.authenticatorAttachment, authenticatorAttachment = _c === void 0 ? "platform" : _c, _d = _b.useAutoRegister, useAutoRegister = _d === void 0 ? false : _d;
return __generator(this, function (_e) {
switch (_e.label) {
case 0:
userToken = token !== null && token !== void 0 ? token : this.cache.token;
if (!userToken) {
return [2 /*return*/, this.cache.handleTokenNotSetError()];
}
if (!useAutoRegister) return [3 /*break*/, 2];
return [4 /*yield*/, this.doesBrowserSupportConditionalCreate()];
case 1:
if (!(_e.sent())) {
throw new Error("CONDITIONAL_CREATE_NOT_SUPPORTED");
}
_e.label = 2;
case 2:
optionsInput = {
username: username,
displayName: displayName,
token: userToken,
authenticatorAttachment: authenticatorAttachment,
};
return [4 /*yield*/, this.api.registrationOptions(optionsInput)];
case 3:
optionsResponse = _e.sent();
if ("error" in optionsResponse) {
return [2 /*return*/, handleErrorResponse(optionsResponse)];
}
_e.label = 4;
case 4:
_e.trys.push([4, 7, , 8]);
return [4 /*yield*/, startRegistration({ optionsJSON: optionsResponse.options, useAutoRegister: useAutoRegister })];
case 5:
registrationResponse = _e.sent();
return [4 /*yield*/, this.api.addAuthenticator({
challengeId: optionsResponse.challengeId,
registrationCredential: registrationResponse,
token: userToken,
conditionalCreate: useAutoRegister,
})];
case 6:
addAuthenticatorResponse = _e.sent();
if ("error" in addAuthenticatorResponse) {
return [2 /*return*/, handleErrorResponse(addAuthenticatorResponse)];
}
if (addAuthenticatorResponse.isVerified) {
this.storeCredentialAgainstDevice(__assign(__assign({}, registrationResponse), { userId: addAuthenticatorResponse.userId }));
}
if (addAuthenticatorResponse.accessToken) {
this.cache.token = addAuthenticatorResponse.accessToken;
}
return [2 /*return*/, {
data: {
token: addAuthenticatorResponse.accessToken,
userAuthenticator: addAuthenticatorResponse.userAuthenticator,
registrationResponse: registrationResponse,
},
}];
case 7:
e_1 = _e.sent();
autofillRequestPending = false;
handleWebAuthnError(e_1);
throw e_1;
case 8: return [2 /*return*/];
}
});
});
};
Passkey.prototype.signIn = function (params) {
return __awaiter(this, void 0, void 0, function () {
var challengeResponse, _a, optionsResponse, authenticationResponse, verifyResponse, token, userId, userAuthenticatorId, username, userDisplayName, isVerified, e_2;
return __generator(this, function (_b) {
switch (_b.label) {
case 0:
if ((params === null || params === void 0 ? void 0 : params.token) && params.autofill) {
throw new Error("autofill is not supported when providing a token");
}
if ((params === null || params === void 0 ? void 0 : params.action) && params.token) {
throw new Error("action is not supported when providing a token");
}
if (params === null || params === void 0 ? void 0 : params.autofill) {
if (autofillRequestPending) {
return [2 /*return*/, {}];
}
else {
autofillRequestPending = true;
}
}
if (!(params === null || params === void 0 ? void 0 : params.action)) return [3 /*break*/, 2];
return [4 /*yield*/, this.api.challenge(params.action)];
case 1:
_a = _b.sent();
return [3 /*break*/, 3];
case 2:
_a = null;
_b.label = 3;
case 3:
challengeResponse = _a;
if (challengeResponse && "error" in challengeResponse) {