/// <reference types="node" />
/**
* Copyright Amazon.com, Inc. and its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You
* may not use this file except in compliance with the License. A copy of
* the License is located at
*
* http://aws.amazon.com/apache2.0/
*
* or in the "license" file accompanying this file. This file is
* distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
* ANY KIND, either express or implied. See the License for the specific
* language governing permissions and limitations under the License.
*/
import { VerifyAuthChallengeResponseTriggerEvent, CreateAuthChallengeTriggerEvent } from "aws-lambda";
import { JsonWebKey } from "crypto";
/**
 * A FIDO2 credential as persisted for a user.
 *
 * This is the full stored record; the variants handed to clients elsewhere in this
 * file (see `createChallenge` / `getCredentialsForUser`) omit `jwk`, `signCount` and
 * `flagBackupEligibility`, so only `id` and `transports` ever leave the server side.
 */
interface StoredCredential {
  /** Credential ID as stored — NOTE(review): encoding (base64url vs raw) is not fixed by this file; confirm against the store */
  id: string;
  /** Authenticator transports recorded at registration, if any (values are not constrained here) */
  transports?: string[];
  /** The credential's public key as a JSON Web Key (Node `crypto.JsonWebKey`); presumably what assertion signatures are verified against */
  jwk: JsonWebKey;
  /** Last signature counter seen for this credential; presumably compared on each assertion (see `updateCredential`) — confirm in the implementation */
  signCount: number;
  /** WebAuthn Backup Eligibility (BE) flag, 0 or 1 — note `updateCredential` takes a `flagBackupState` field, which is the separate BS flag */
  flagBackupEligibility: 0 | 1;
}
/**
 * Module-level FIDO2 configuration. Presumably updated through `configure()`, which
 * accepts a `Partial` of this shape and returns the same shape — confirm in the implementation.
 *
 * NOTE(review): `allowedOrigins`, `allowedRelyingPartyIds` and `salt` are typed as
 * possibly `undefined`; this file does not show what the verification path does when
 * they are unset, so callers should set them explicitly rather than rely on a default.
 */
declare let config: {
  /** Should FIDO2 sign-in be enabled? If set to false, clients cannot sign-in with FIDO2 (a FIDO2 challenge to sign is not sent to them) */
  fido2enabled: boolean;
  /** The DynamoDB table with FIDO2 credentials */
  dynamoDbAuthenticatorsTableName: string | undefined;
  /** The set of allowed origins that may initiate FIDO2 sign-in */
  allowedOrigins: string[] | undefined;
  /** The set of Relying Party IDs that may initiate FIDO2 sign-in */
  allowedRelyingPartyIds: string[] | undefined;
  /** The Relying Party ID to use (optional, if not set user agents will use the current domain) */
  relyingPartyId: string | undefined;
  /** The WebAuthn user verification requirement to enforce ("discouraged" | "preferred" | "required") — `UserVerificationRequirement` comes from the DOM lib typings */
  userVerification: UserVerificationRequirement;
  /** Expose credential IDs to users signing in? If you want users to use non-discoverable credentials you should set this to true */
  exposeUserCredentialIds: boolean;
  /** Function to generate FIDO2 challenges that user's authenticators must sign. Override to e.g. implement transaction signing */
  challengeGenerator: () => Promise<string> | string;
  /** Timeout for the sign-in attempt (per WebAuthn standard) */
  timeout: number;
  /** Should users having a registered FIDO2 credential be forced to use that for signing in? If true, other custom auth flows, such as Magic Link sign-in, will be denied for users having FIDO2 credentials––to protect them from phishing */
  enforceFido2IfAvailable: boolean;
  /** Salt to use for storing hashed FIDO2 credential data */
  salt: string | undefined;
};
/**
 * Apply a partial configuration update and return the resulting configuration.
 *
 * @param update - Fields to override; any field omitted is left as is (inferred from the
 *   `Partial` parameter type — confirm merge semantics in the implementation).
 * @returns The effective configuration (same shape as `config`).
 */
export declare function configure(update?: Partial<typeof config>): {
  /** Should FIDO2 sign-in be enabled? If set to false, clients cannot sign-in with FIDO2 (a FIDO2 challenge to sign is not sent to them) */
  fido2enabled: boolean;
  /** The DynamoDB table with FIDO2 credentials */
  dynamoDbAuthenticatorsTableName: string | undefined;
  /** The set of allowed origins that may initiate FIDO2 sign-in */
  allowedOrigins: string[] | undefined;
  /** The set of Relying Party IDs that may initiate FIDO2 sign-in */
  allowedRelyingPartyIds: string[] | undefined;
  /** The Relying Party ID to use (optional, if not set user agents will use the current domain) */
  relyingPartyId: string | undefined;
  /** The WebAuthn user verification requirement to enforce ("discouraged" | "preferred" | "required") */
  userVerification: UserVerificationRequirement;
  /** Expose credential IDs to users signing in? If you want users to use non-discoverable credentials you should set this to true */
  exposeUserCredentialIds: boolean;
  /** Function to generate FIDO2 challenges that user's authenticators must sign. Override to e.g. implement transaction signing */
  challengeGenerator: () => string | Promise<string>;
  /** Timeout for the sign-in attempt (per WebAuthn standard) */
  timeout: number;
  /** Should users having a registered FIDO2 credential be forced to use that for signing in? If true, other custom auth flows, such as Magic Link sign-in, will be denied for users having FIDO2 credentials––to protect them from phishing */
  enforceFido2IfAvailable: boolean;
  /** Salt to use for storing hashed FIDO2 credential data */
  salt: string | undefined;
};
/**
 * Cognito "Create Auth Challenge" trigger helper. Presumably builds a FIDO2 challenge
 * (see `createChallenge`) and attaches it to the trigger event in place — the event is
 * mutated, as nothing is returned.
 *
 * @param event - The Cognito CreateAuthChallenge trigger event.
 */
export declare function addChallengeToEvent(event: CreateAuthChallengeTriggerEvent): Promise<void>;
/**
 * Build the FIDO2 sign-in options (challenge plus allowed credentials) for a user.
 *
 * Every option is optional; unset ones are presumably filled from `config`
 * (the names mirror the `config` fields) — confirm in the implementation.
 *
 * @param userId - The user to look credentials up for.
 * @param relyingPartyId - Relying Party ID to send to the client.
 * @param exposeUserCredentialIds - Whether the returned `credentials` list is populated.
 * @param challengeGenerator - Source of the challenge string.
 * @param userVerification - User verification requirement to request.
 * @param credentialGetter - Credential lookup, defaults to `getCredentialsForUser` (injectable for tests).
 * @param timeout - WebAuthn timeout to send to the client.
 * @param userNotFound - NOTE(review): presumably used to still produce a challenge for
 *   unknown users so the response does not reveal whether the user exists — confirm.
 * @returns Client-facing options. `credentials` deliberately omits `jwk`, `signCount`
 *   and `flagBackupEligibility`, so only credential IDs and transports are exposed.
 */
export declare function createChallenge({ userId, relyingPartyId, exposeUserCredentialIds, challengeGenerator, userVerification, credentialGetter, timeout, userNotFound, }: {
  userId?: string;
  relyingPartyId?: string;
  exposeUserCredentialIds?: boolean;
  challengeGenerator?: () => Promise<string> | string;
  userVerification?: UserVerificationRequirement;
  credentialGetter?: typeof getCredentialsForUser;
  timeout?: number;
  userNotFound?: boolean;
}): Promise<{
  relyingPartyId: string | undefined;
  challenge: string;
  credentials: Omit<StoredCredential, "jwk" | "signCount" | "flagBackupEligibility">[] | undefined;
  timeout: number;
  userVerification: UserVerificationRequirement;
}>;
/**
 * Cognito "Verify Auth Challenge Response" trigger helper. Presumably runs
 * `verifyChallenge` against the client's answer and records the outcome on the
 * event in place (nothing is returned) — confirm in the implementation.
 *
 * @param event - The Cognito VerifyAuthChallengeResponse trigger event.
 */
export declare function addChallengeVerificationResultToEvent(event: VerifyAuthChallengeResponseTriggerEvent): Promise<void>;
/**
 * A WebAuthn authenticator assertion as received from the client, with each binary
 * field carried as a base64 string (the `B64` suffix; exact variant — standard or
 * base64url — is not fixed by this file).
 *
 * This is untrusted input: every field must be decoded and checked by `verifyChallenge`
 * before anything is derived from it.
 */
interface SerializedAuthenticatorAssertion {
  /** ID of the credential the client claims to have used; used to look up the stored record */
  credentialIdB64: string;
  /** Raw authenticator data (RP ID hash, flags, sign count, …) */
  authenticatorDataB64: string;
  /** Client data JSON (carries type, challenge and origin) */
  clientDataJSON_B64: string;
  /** Signature over authenticatorData || SHA-256(clientDataJSON), per WebAuthn */
  signatureB64: string;
  /** User handle returned by the authenticator, present for discoverable credentials */
  userHandleB64?: string;
}
/**
 * Verify a client's FIDO2 assertion against the challenge that was issued.
 *
 * Resolves on success and rejects otherwise (it returns `Promise<void>`, so failure can
 * only be signalled by rejection — callers must not treat a settled promise as success
 * without awaiting it). Which checks are performed (challenge match, origin / RP ID
 * against `config.allowedOrigins` / `config.allowedRelyingPartyIds`, user verification,
 * signature, sign count) is not visible in this declaration file — confirm in the implementation.
 *
 * @param userId - The user the assertion is claimed for.
 * @param fido2options - The options previously produced for this sign-in; note
 *   `credentials` here is the full `StoredCredential[]`, unlike the trimmed list
 *   `createChallenge` returns to the client.
 * @param authenticatorAssertion - The client's serialized assertion (untrusted).
 * @param credentialGetter - Lookup of the stored credential, defaults to `getCredentialForUser`.
 * @param credentialUpdater - Persists the new sign count / backup state, defaults to `updateCredential`.
 */
export declare function verifyChallenge({ userId, fido2options, authenticatorAssertion: { credentialIdB64, authenticatorDataB64, clientDataJSON_B64, signatureB64, userHandleB64, }, credentialGetter, credentialUpdater, }: {
  userId: string;
  fido2options: {
    challenge: string;
    credentials?: StoredCredential[];
    userVerification: UserVerificationRequirement;
  };
  authenticatorAssertion: SerializedAuthenticatorAssertion;
  credentialGetter?: typeof getCredentialForUser;
  credentialUpdater?: typeof updateCredential;
}): Promise<void>;
/**
 * List a user's registered credentials in their client-safe form.
 *
 * @param userId - The user whose credentials to list.
 * @param limit - Maximum number of credentials to return (default not visible here).
 * @returns Credentials with `jwk`, `signCount` and `flagBackupEligibility` stripped,
 *   i.e. only `id` and `transports`.
 */
declare function getCredentialsForUser({ userId, limit, }: {
  userId: string;
  limit?: number;
}): Promise<Omit<StoredCredential, "jwk" | "signCount" | "flagBackupEligibility">[]>;
/**
 * Fetch one stored credential, scoped to a user.
 *
 * The lookup is keyed by both `userId` and `credentialId`, so a credential ID
 * presented for a different user cannot resolve to another user's record.
 *
 * @param userId - The owning user.
 * @param credentialId - The credential to fetch.
 * @returns The full stored record, or `undefined` when no such credential exists for that user.
 */
declare function getCredentialForUser({ userId, credentialId, }: {
  userId: string;
  credentialId: string;
}): Promise<StoredCredential | undefined>;
/**
 * Persist post-assertion state for a credential.
 *
 * @param userId - The owning user.
 * @param credentialId - The credential to update.
 * @param signCount - New signature counter to store.
 * @param flagBackupState - WebAuthn Backup State (BS) flag, 0 or 1. Note this is a
 *   different flag from `StoredCredential.flagBackupEligibility` (BE); where it is
 *   stored is not visible in this file.
 */
declare function updateCredential({ userId, credentialId, signCount, flagBackupState, }: {
  userId: string;
  credentialId: string;
  signCount: number;
  flagBackupState: 0 | 1;
}): Promise<void>;
/**
 * Guard for other custom-auth flows (e.g. Magic Link): presumably rejects when the
 * user has FIDO2 credentials and `config.enforceFido2IfAvailable` is set, so that a
 * phishable flow cannot bypass a user's FIDO2 credential — confirm in the implementation.
 * Signals refusal by rejecting, since nothing is returned.
 *
 * @param event - The Cognito VerifyAuthChallengeResponse trigger event being handled.
 */
export declare function assertFido2SignInOptional(event: VerifyAuthChallengeResponseTriggerEvent): Promise<void>;
export {};