Passkeys

Author: Isaac

Telegram/BUILD

@@ -495,6 +495,7 @@ associated_domains_fragment = "" if telegram_bundle_id not in official_bundle_id
     <string>applinks:telegram.me</string>
     <string>applinks:t.me</string>
     <string>applinks:*.t.me</string>
+    <string>webcredentials:t.me</string>
 </array>
 """
 

submodules/AuthorizationUI/Sources/AuthorizationSequenceController.swift

@@ -170,7 +170,7 @@ public final class AuthorizationSequenceController: NavigationController, ASAuth
         if let currentController = currentController {
             controller = currentController
         } else {
-            controller = AuthorizationSequencePhoneEntryController(sharedContext: self.sharedContext, account: self.account, isTestingEnvironment: self.account.testingEnvironment, otherAccountPhoneNumbers: self.otherAccountPhoneNumbers, network: self.account.network, presentationData: self.presentationData, openUrl: { [weak self] url in
+            controller = AuthorizationSequencePhoneEntryController(sharedContext: self.sharedContext, account: self.account, apiId: self.apiId, apiHash: self.apiHash, isTestingEnvironment: self.account.testingEnvironment, otherAccountPhoneNumbers: self.otherAccountPhoneNumbers, network: self.account.network, presentationData: self.presentationData, openUrl: { [weak self] url in
                 self?.openUrl(url)
             }, back: { [weak self] in
                 guard let strongSelf = self else {
@@ -315,6 +315,40 @@ public final class AuthorizationSequenceController: NavigationController, ASAuth
                     }
                 })
             }
+            controller.loginWithPasskey = { [weak self, weak controller] passkey, syncContacts in
+                guard let self else {
+                    return
+                }
+                
+                self.actionDisposable.set((authorizeWithPasskey(
+                    accountManager: self.sharedContext.accountManager,
+                    account: self.account,
+                    passkey: passkey,
+                    forcedPasswordSetupNotice: { value in
+                        guard let entry = CodableEntry(ApplicationSpecificCounterNotice(value: value)) else {
+                            return nil
+                        }
+                        return (ApplicationSpecificNotice.forcedPasswordSetupKey(), entry)
+                    },
+                    syncContacts: syncContacts
+                )
+                |> deliverOnMainQueue).startStrict(next: { _ in
+                }, error: { [weak self, weak controller] error in
+                    Queue.mainQueue().async {
+                        if let strongSelf = self, let controller {
+                            let text: String
+                            switch error {
+                            case .limitExceeded:
+                                text = strongSelf.presentationData.strings.Login_CodeFloodError
+                            case .generic, .invalidEmailAddress, .codeExpired, .invalidEmailToken, .invalidCode:
+                                text = strongSelf.presentationData.strings.Login_UnknownError
+                            }
+                            
+                            controller.present(standardTextAlertController(theme: AlertControllerTheme(presentationData: strongSelf.presentationData), title: nil, text: text, actions: [TextAlertAction(type: .defaultAction, title: strongSelf.presentationData.strings.Common_OK, action: {})]), in: .window(.root))
+                        }
+                    }
+                }))
+            }
         }
         controller.updateData(countryCode: countryCode, countryName: nil, number: number)
         return controller

submodules/AuthorizationUI/Sources/AuthorizationSequencePhoneEntryController.swift

@@ -12,8 +12,9 @@ import CountrySelectionUI
 import PhoneNumberFormat
 import DebugSettingsUI
 import MessageUI
+import AuthenticationServices
 
-public final class AuthorizationSequencePhoneEntryController: ViewController, MFMailComposeViewControllerDelegate {
+public final class AuthorizationSequencePhoneEntryController: ViewController, MFMailComposeViewControllerDelegate, ASAuthorizationControllerDelegate, ASAuthorizationControllerPresentationContextProviding {
     private var controllerNode: AuthorizationSequencePhoneEntryControllerNode {
         return self.displayNode as! AuthorizationSequencePhoneEntryControllerNode
     }
@@ -22,6 +23,8 @@ public final class AuthorizationSequencePhoneEntryController: ViewController, MF
 
     private let sharedContext: SharedAccountContext
     private var account: UnauthorizedAccount?
+    private let apiId: Int32
+    private let apiHash: String
     private let isTestingEnvironment: Bool
     private let otherAccountPhoneNumbers: ((String, AccountRecordId, Bool)?, [(String, AccountRecordId, Bool)])
     private let network: Network
@@ -52,6 +55,7 @@ public final class AuthorizationSequencePhoneEntryController: ViewController, MF
         }
     }
     public var loginWithNumber: ((String, Bool) -> Void)?
+    public var loginWithPasskey: ((AuthorizationPasskeyData, Bool) -> Void)?
     var accountUpdated: ((UnauthorizedAccount) -> Void)?
 
     weak var confirmationController: PhoneConfirmationController?
@@ -60,9 +64,11 @@ public final class AuthorizationSequencePhoneEntryController: ViewController, MF
 
     private let hapticFeedback = HapticFeedback()
 
-    public init(sharedContext: SharedAccountContext, account: UnauthorizedAccount?, countriesConfiguration: CountriesConfiguration? = nil, isTestingEnvironment: Bool, otherAccountPhoneNumbers: ((String, AccountRecordId, Bool)?, [(String, AccountRecordId, Bool)]), network: Network, presentationData: PresentationData, openUrl: @escaping (String) -> Void, back: @escaping () -> Void) {
+    public init(sharedContext: SharedAccountContext, account: UnauthorizedAccount?, countriesConfiguration: CountriesConfiguration? = nil, apiId: Int32, apiHash: String, isTestingEnvironment: Bool, otherAccountPhoneNumbers: ((String, AccountRecordId, Bool)?, [(String, AccountRecordId, Bool)]), network: Network, presentationData: PresentationData, openUrl: @escaping (String) -> Void, back: @escaping () -> Void) {
         self.sharedContext = sharedContext
         self.account = account
+        self.apiId = apiId
+        self.apiHash = apiHash
         self.isTestingEnvironment = isTestingEnvironment
         self.otherAccountPhoneNumbers = otherAccountPhoneNumbers
         self.network = network
@@ -187,6 +193,110 @@ public final class AuthorizationSequencePhoneEntryController: ViewController, MF
         } else {
             self.controllerNode.updateCountryCode()
         }
+        
+        if #available(iOS 15.0, *) {
+            Task { @MainActor [weak self] in
+                guard let self, let account = self.account else {
+                    return
+                }
+                
+                let decodeBase64: (String) -> Data? = { string in
+                    var string = string.replacingOccurrences(of: "-", with: "+")
+                        .replacingOccurrences(of: "_", with: "/")
+                    while string.count % 4 != 0 {
+                        string.append("=")
+                    }
+                    return Data(base64Encoded: string)
+                }
+                
+                let engine = TelegramEngineUnauthorized(account: account)
+                let passkeyDataString = await engine.auth.requestPasskeyLoginData(apiId: self.apiId, apiHash: self.apiHash).get()
+                guard let passkeyDataString, let passkeyData = passkeyDataString.data(using: .utf8) else {
+                    return
+                }
+                guard let params = try? JSONSerialization.jsonObject(with: passkeyData) as? [String: Any] else {
+                    return
+                }
+                guard let pkDict = params["publicKey"] as? [String: Any] else {
+                    return
+                }
+                guard let relyingPartyIdentifier = pkDict["rpId"] as? String else {
+                    return
+                }
+                guard let challengeBase64 = pkDict["challenge"] as? String else {
+                    return
+                }
+                guard let challengeData = decodeBase64(challengeBase64) else {
+                    return
+                }
+                
+                let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: relyingPartyIdentifier)
+                let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: challengeData)
+                let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest])
+                authController.delegate = self
+                authController.presentationContextProvider = self
+                authController.performRequests()
+            }
+        }
+    }
+    
+    public func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
+        Task { @MainActor [weak self] in
+            guard let self, let account = self.account else {
+                return
+            }
+            
+            let encodeBase64URL: (Data) -> String = { data in
+                var string = data.base64EncodedString()
+                string = string
+                    .replacingOccurrences(of: "+", with: "-")
+                    .replacingOccurrences(of: "/", with: "_")
+                string = string.replacingOccurrences(of: "=", with: "")
+                return string
+            }
+            
+            if #available(iOS 17.0, *) {
+                if let credential = authorization.credential as? ASAuthorizationPlatformPublicKeyCredentialAssertion {
+                    guard let clientData = String(data: credential.rawClientDataJSON, encoding: .utf8) else {
+                        return
+                    }
+                    guard let userHandle = String(data: credential.userID, encoding: .utf8) else {
+                        return
+                    }
+                    let passkey = AuthorizationPasskeyData(
+                        id: encodeBase64URL(credential.credentialID),
+                        clientData: clientData,
+                        authenticatorData: credential.rawAuthenticatorData,
+                        signature: credential.signature,
+                        userHandle: userHandle
+                    )
+                    self.loginWithPasskey?(passkey, self.controllerNode.syncContacts)
+                    
+                    /*if let clientData = String(data: credential.rawClientDataJSON, encoding: .utf8), let attestationObject = credential.rawAttestationObject {
+                        let passkey = await component.context.engine.auth.requestCreatePasskey(id: encodeBase64URL(credential.credentialID), clientData: clientData, attestationObject: attestationObject).get()
+                        if let passkey {
+                            if self.passkeysData == nil {
+                                self.passkeysData = []
+                                self.passkeysData?.insert(passkey, at: 0)
+                            }
+                            self.state?.updated(transition: .immediate)
+                        }
+                    }*/
+                    let _ = account
+                    let _ = credential
+                }
+            }
+        }
+    }
+
+    public func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: any Error) {
+    }
+    
+    public func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
+        guard let windowScene = self.view.window?.windowScene else {
+            preconditionFailure()
+        }
+        return ASPresentationAnchor(windowScene: windowScene)
     }
 
     public func updateCountryCode() {

submodules/SettingsUI/BUILD

@@ -126,6 +126,7 @@ swift_library(
         "//submodules/TelegramUI/Components/Settings/ThemeAccentColorScreen",
         "//submodules/TelegramUI/Components/Settings/GenerateThemeName",
         "//submodules/TelegramUI/Components/Settings/PeerNameColorItem",
+        "//submodules/TelegramUI/Components/Settings/PasskeysScreen",
         "//submodules/TelegramUI/Components/FaceScanScreen",
         "//submodules/ComponentFlow",
         "//submodules/Components/BundleIconComponent",

submodules/SettingsUI/Sources/ChangePhoneNumberController.swift

@@ -22,7 +22,7 @@ public func ChangePhoneNumberController(context: AccountContext) -> ViewControll
     let requestDisposable = MetaDisposable()
     let changePhoneDisposable = MetaDisposable()
 
-    let controller = AuthorizationSequencePhoneEntryController(sharedContext: context.sharedContext, account: nil, countriesConfiguration: context.currentCountriesConfiguration.with { $0 }, isTestingEnvironment: false, otherAccountPhoneNumbers: (nil, []), network: context.account.network, presentationData: presentationData, openUrl: { _ in }, back: {
+    let controller = AuthorizationSequencePhoneEntryController(sharedContext: context.sharedContext, account: nil, countriesConfiguration: context.currentCountriesConfiguration.with { $0 }, apiId: 0, apiHash: "", isTestingEnvironment: false, otherAccountPhoneNumbers: (nil, []), network: context.account.network, presentationData: presentationData, openUrl: { _ in }, back: {
         dismissImpl?()
     })
     controller.loginWithNumber = { [weak controller] phoneNumber, _ in