@virtonetwork/authenticators-webauthn
Version:
An Authenticator compatible with KreivoPassSigner that uses the WebAuthn standard
94 lines (93 loc) • 4.18 kB
TypeScript
/**
* WebAuthn pass‑key authenticator for Virto Network.
*
* Exposes a browser‑side implementation of {@link Authenticator} that creates,
* stores, and uses WebAuthn resident credentials ("passkeys") while producing
* SCALE‑encoded data structures understood by the Kreivo signer pallet.
*
* Responsibilities
* ─────────────────────────────────────────────────────────
* • Derive a deterministic `deviceId` from the raw credential id
* • Emit `TAttestation<number>` during registration
* • Emit `TPassAuthenticate` during authentication
* • Never persist the credential mapping; that is delegated to the caller
*
* @module WebAuthn
*/
import { Authenticator } from "@virtonetwork/signer";
import { Binary } from "@polkadot-api/substrate-bindings";
import type { Challenger, TPassAuthenticate } from "@virtonetwork/signer";
import type { CredentialsHandler, TAttestation } from "./types.ts";
import { InMemoryCredentialsHandler } from "./in-memory-credentials-handler.ts";
export { InMemoryCredentialsHandler, CredentialsHandler };
/** Fixed authority id for Kreivo pass‑key attestors. */
export declare const KREIVO_AUTHORITY_ID: Binary;
/**
* Browser‑side Authenticator that wraps the WebAuthn API.
*
* The generic type parameter `<number>` indicates that the **context**
* carried inside attestations and assertions is the block number that
* originated the challenge.
*
* @implements {Authenticator<number>}
*/
export declare class WebAuthn implements Authenticator<number> {
readonly userId: string;
readonly getChallenge: Challenger<number>;
/**
* SHA‑256 hash of {@link userId}. Filled once by {@link setup} and reused
* for all WebAuthn operations.
*/
hashedUserId: Uint8Array;
private credentialId?;
private getPublicKeyCreateOptions;
private getPublicKeyRequestOptions;
private onCreatedCredentials;
/**
* Creates a new WebAuthn helper.
*
* @param userId - Logical user identifier (e‑mail, DID, etc.).
* @param [credentialId] - Raw credential id obtained from a previous
* registration flow; omit it if the user must enrol a new pass‑key.
*/
constructor(userId: string, getChallenge: Challenger<number>, { publicKeyCreateOptions, publicKeyRequestOptions, onCreatedCredentials, }?: CredentialsHandler);
/**
* Pre‑computes {@link hashedUserId}.
*
* Must be awaited **once** before any other interaction.
* Returns `this` for fluent chaining.
*/
setup(): Promise<this>;
private static getHashedUserId;
/**
* Deterministic identifier of the hardware/software authenticator
* (`deviceId = Blake2‑256(credentialId)`).
*
* @returns DeviceId suitable for on‑chain storage.
* @throws Error If this instance does not yet know a credential id.
*/
private getDeviceId;
/**
* Registers a **new** resident credential (pass‑key) with the user’s
* authenticator and returns a SCALE‑ready attestation.
*
* @param blockNumber - The number of the block whose hash seeds the challenge.
* @param blockHash - The block hash used to derive a deterministic challenge.
* @param [displayName=this.userId] - Friendly name shown by the authenticator.
*
* @throws Error If this instance already has a credential id.
* @returns {Promise<TAttestation<number>>} SCALE‑encoded attestation object.
*/
register(blockNumber: number, displayName?: string): Promise<TAttestation<number>>;
/**
* Signs an arbitrary challenge with the pass‑key and produces a
* {@link TPassAuthenticate} payload understood by `PassSigner`.
*
* @param challenge - 32‑byte buffer supplied by the runtime.
* @param context - Block number (or any numeric context expected by the pallet).
*
* @returns SCALE‑encoded authentication payload.
* @throws Error If no credential id is available.
*/
authenticate(context: number, xtc: Uint8Array): Promise<TPassAuthenticate>;
}