@virtonetwork/authenticators-webauthn

Version:

An Authenticator compatible with KreivoPassSigner that uses the WebAuthn standard

virto-network.github.io/papi-signers/guide/webauthn

95 lines (94 loc) • 4.24 kB

TypeScript

import { Binary } from "@polkadot-api/substrate-bindings"; import type { Challenger, TPassAuthenticate } from "@virtonetwork/signer"; /** * WebAuthn pass‑key authenticator for Virto Network. * * Exposes a browser‑side implementation of {@link Authenticator} that creates, * stores, and uses WebAuthn resident credentials ("passkeys") while producing * SCALE‑encoded data structures understood by the Kreivo signer pallet. * * Responsibilities * ───────────────────────────────────────────────────────── * • Derive a deterministic `deviceId` from the raw credential id * • Emit `TAttestation<number>` during registration * • Emit `TPassAuthenticate` during authentication * • Never persist the credential mapping; that is delegated to the caller * * @module WebAuthn */ import { type AddressGenerator, type Authenticator } from "@virtonetwork/signer"; import { InMemoryCredentialsHandler } from "./in-memory-credentials-handler.ts"; import type { CredentialsHandler, TAttestation } from "./types.ts"; export { InMemoryCredentialsHandler, type CredentialsHandler }; /** Fixed authority id for Kreivo pass‑key attestors. */ export declare const KREIVO_AUTHORITY_ID: Binary; /** * Browser‑side Authenticator that wraps the WebAuthn API. * * The generic type parameter `<number>` indicates that the **context** * carried inside attestations and assertions is the block number that * originated the challenge. * * @implements {Authenticator<number>} */ export declare class WebAuthn implements Authenticator<number> { readonly userId: string; readonly getChallenge: Challenger<number>; readonly addressGenerator: AddressGenerator; /** * SHA‑256 hash of {@link userId}. Filled once by {@link setup} and reused * for all WebAuthn operations. */ hashedUserId: Uint8Array; private getPublicKeyCreateOptions; private getPublicKeyRequestOptions; private onCreatedCredentials; /** * Creates a new WebAuthn helper. * * @param userId - Logical user identifier (e‑mail, DID, etc.).. * @param getChallenge - An implementation of the `generate` method used in the challenger, * @param credentialsHandler - An implementation of {@link CredentialsHandler}, * */ constructor(userId: string, getChallenge: Challenger<number>, handler?: CredentialsHandler, addressGenerator?: AddressGenerator); /** * Pre‑computes {@link hashedUserId}. * * Must be awaited **once** before any other interaction. * Returns `this` for fluent chaining. */ setup(): Promise<this>; private static getHashedUserId; /** * Deterministic identifier of the hardware/software authenticator * (`deviceId = Blake2‑256(credentialId)`). * * @returns DeviceId suitable for on‑chain storage. * @throws Error If this instance does not yet know a credential id. */ private getDeviceId; /** * Registers a **new** resident credential (pass‑key) with the user’s * authenticator and returns a SCALE‑ready attestation. * * @param blockNumber - The number of the block whose hash seeds the challenge. * @param blockHash - The block hash used to derive a deterministic challenge. * @param [displayName=this.userId] - Friendly name shown by the authenticator. * * @throws Error If this instance already has a credential id. * @returns {Promise<TAttestation<number>>} SCALE‑encoded attestation object. */ register(blockNumber: number, displayName?: string): Promise<TAttestation<number>>; /** * Signs an arbitrary challenge with the pass‑key and produces a * {@link TPassAuthenticate} payload understood by `PassSigner`. * * @param challenge - 32‑byte buffer supplied by the runtime. * @param context - Block number (or any numeric context expected by the pallet). * * @returns SCALE‑encoded authentication payload. * @throws Error If no credential id is available. */ authenticate(context: number, xtc: Uint8Array): Promise<TPassAuthenticate>; }