Implement passkey graphql API

Author: Perlmint

graphql/login.ts

@@ -1,4 +1,8 @@
 import { negotiateLocale } from "@hackerspub/models/i18n";
+import {
+  getAuthenticationOptions,
+  verifyAuthentication,
+} from "@hackerspub/models/passkey";
 import {
   createSession,
   deleteSession,
@@ -13,6 +17,7 @@ import {
 } from "@hackerspub/models/signin";
 import type { Uuid } from "@hackerspub/models/uuid";
 import { getLogger } from "@logtape/logtape";
+import type { AuthenticationResponseJSON } from "@simplewebauthn/server";
 import { expandGlob } from "@std/fs";
 import { join } from "@std/path";
 import { createMessage, type Message } from "@upyo/core";
@@ -260,6 +265,63 @@ builder.mutationFields((t) => ({
       return null;
     },
   }),
+
+  getPasskeyAuthenticationOptions: t.field({
+    type: "JSON",
+    args: {
+      sessionId: t.arg({
+        type: "UUID",
+        required: true,
+        description: "Temporary session ID for passkey authentication.",
+      }),
+    },
+    async resolve(_, args, ctx) {
+      const options = await getAuthenticationOptions(
+        ctx.kv,
+        ctx.fedCtx.canonicalOrigin,
+        args.sessionId as Uuid,
+      );
+      return options;
+    },
+  }),
+
+  loginByPasskey: t.field({
+    type: SessionRef,
+    nullable: true,
+    args: {
+      sessionId: t.arg({
+        type: "UUID",
+        required: true,
+        description: "Temporary session ID used for authentication options.",
+      }),
+      authenticationResponse: t.arg({
+        type: "JSON",
+        required: true,
+        description: "WebAuthn authentication response from the client.",
+      }),
+    },
+    async resolve(_, args, ctx) {
+      const result = await verifyAuthentication(
+        ctx.db,
+        ctx.kv,
+        ctx.fedCtx.canonicalOrigin,
+        args.sessionId as Uuid,
+        args.authenticationResponse as AuthenticationResponseJSON,
+      );
+      if (result == null) return null;
+      const { response, account } = result;
+      if (!response.verified) return null;
+
+      const remoteAddr = ctx.connectionInfo?.remoteAddr;
+      return await createSession(ctx.kv, {
+        accountId: account.id,
+        ipAddress: remoteAddr?.transport === "tcp"
+          ? remoteAddr.hostname
+          : undefined,
+        userAgent: ctx.request.headers.get("User-Agent"),
+      });
+    },
+  }),
 }));
 
 const LOCALES_DIR = join(import.meta.dirname!, "locales");

graphql/mod.ts

@@ -6,6 +6,7 @@ import { builder } from "./builder.ts";
 import "./doc.ts";
 import "./login.ts";
 import "./notification.ts";
+import "./passkey.ts";
 import "./poll.ts";
 import "./post.ts";
 import "./reactable.ts";

graphql/passkey.ts

@@ -0,0 +1,147 @@
+import {
+  getRegistrationOptions,
+  verifyRegistration,
+} from "@hackerspub/models/passkey";
+import { passkeyTable } from "@hackerspub/models/schema";
+import {
+  resolveCursorConnection,
+  type ResolveCursorConnectionArgs,
+} from "@pothos/plugin-relay";
+import type { RegistrationResponseJSON } from "@simplewebauthn/server";
+import { and, desc, eq, gt, lt } from "drizzle-orm";
+import { Account } from "./account.ts";
+import { builder } from "./builder.ts";
+
+export const Passkey = builder.drizzleNode("passkeyTable", {
+  name: "Passkey",
+  id: {
+    column: (passkey) => passkey.id,
+  },
+  fields: (t) => ({
+    name: t.exposeString("name"),
+    lastUsed: t.expose("lastUsed", { type: "DateTime", nullable: true }),
+    created: t.expose("created", { type: "DateTime" }),
+  }),
+});
+
+// Add passkeys connection to Account type
+builder.objectField(Account, "passkeys", (t) =>
+  t.connection({
+    type: Passkey,
+    authScopes: (parent) => ({
+      selfAccount: parent.id,
+    }),
+    async resolve(account, args, ctx) {
+      return resolveCursorConnection(
+        {
+          args,
+          toCursor: (passkey) => passkey.created.valueOf().toString(),
+        },
+        async (
+          { before, after, limit, inverted }: ResolveCursorConnectionArgs,
+        ) => {
+          const beforeDate = before ? new Date(Number(before)) : undefined;
+          const afterDate = after ? new Date(Number(after)) : undefined;
+
+          return await ctx.db
+            .select()
+            .from(passkeyTable)
+            .where(
+              and(
+                eq(passkeyTable.accountId, account.id),
+                before
+                  ? inverted
+                    ? lt(passkeyTable.created, beforeDate!)
+                    : gt(passkeyTable.created, beforeDate!)
+                  : undefined,
+                after
+                  ? inverted
+                    ? gt(passkeyTable.created, afterDate!)
+                    : lt(passkeyTable.created, afterDate!)
+                  : undefined,
+              ),
+            )
+            .orderBy(
+              inverted ? passkeyTable.created : desc(passkeyTable.created),
+            ).limit(limit);
+        },
+      );
+    },
+  }));
+
+builder.mutationFields((t) => ({
+  getPasskeyRegistrationOptions: t.field({
+    type: "JSON",
+    args: {
+      accountId: t.arg.globalID({ for: Account, required: true }),
+    },
+    async resolve(_, args, ctx) {
+      const session = await ctx.session;
+      if (session == null) throw new Error("Not authenticated.");
+      if (session.accountId !== args.accountId.id) {
+        throw new Error("Not authorized.");
+      }
+      const account = await ctx.db.query.accountTable.findFirst({
+        where: { id: args.accountId.id },
+        with: { passkeys: true },
+      });
+      if (account == null) throw new Error("Account not found.");
+      const options = await getRegistrationOptions(
+        ctx.kv,
+        ctx.fedCtx.canonicalOrigin,
+        account,
+      );
+      return options;
+    },
+  }),
+  verifyPasskeyRegistration: t.field({
+    type: "JSON",
+    args: {
+      accountId: t.arg.globalID({ for: Account, required: true }),
+      name: t.arg.string({ required: true }),
+      registrationResponse: t.arg({ type: "JSON", required: true }),
+    },
+    async resolve(_, args, ctx) {
+      const session = await ctx.session;
+      if (session == null) throw new Error("Not authenticated.");
+      if (session.accountId !== args.accountId.id) {
+        throw new Error("Not authorized.");
+      }
+      const account = await ctx.db.query.accountTable.findFirst({
+        where: { id: args.accountId.id },
+        with: { passkeys: true },
+      });
+      if (account == null) throw new Error("Account not found.");
+      const result = await verifyRegistration(
+        ctx.db,
+        ctx.kv,
+        ctx.fedCtx.canonicalOrigin,
+        account,
+        args.name,
+        args.registrationResponse as RegistrationResponseJSON,
+      );
+      return { verified: result.verified };
+    },
+  }),
+  revokePasskey: t.field({
+    type: "Boolean",
+    args: {
+      passkeyId: t.arg.globalID({ for: Passkey, required: true }),
+    },
+    async resolve(_, args, ctx) {
+      const session = await ctx.session;
+      if (session == null) throw new Error("Not authenticated.");
+      const passkey = await ctx.db.query.passkeyTable.findFirst({
+        where: { id: args.passkeyId.id },
+      });
+      if (passkey == null) return false;
+      if (passkey.accountId !== session.accountId) {
+        throw new Error("Not authorized.");
+      }
+      await ctx.db.delete(passkeyTable).where(
+        eq(passkeyTable.id, args.passkeyId.id),
+      );
+      return true;
+    },
+  }),
+}));

graphql/schema.graphql

@@ -15,6 +15,7 @@ type Account implements Node {
   moderator: Boolean!
   name: String!
   notifications(after: String, before: String, first: Int, last: Int): AccountNotificationsConnection!
+  passkeys(after: String, before: String, first: Int, last: Int): AccountPasskeysConnection!
   preferAiSummary: Boolean!
   updated: DateTime!
   username: String!
@@ -95,6 +96,16 @@ type AccountNotificationsConnectionEdge {
   node: Notification!
 }
 
+type AccountPasskeysConnection {
+  edges: [AccountPasskeysConnectionEdge!]!
+  pageInfo: PageInfo!
+}
+
+type AccountPasskeysConnectionEdge {
+  cursor: String!
+  node: Passkey!
+}
+
 type Actor implements Node {
   account: Account
   articles(after: String, before: String, first: Int, last: Int): ActorArticlesConnection!
@@ -425,6 +436,11 @@ type Mutation {
     token: UUID!
   ): SignupResult!
   createNote(input: CreateNoteInput!): CreateNoteResult!
+  getPasskeyAuthenticationOptions(
+    """Temporary session ID for passkey authentication."""
+    sessionId: UUID!
+  ): JSON!
+  getPasskeyRegistrationOptions(accountId: ID!): JSON!
   loginByEmail(
     """The email of the account to sign in."""
     email: String!
@@ -437,6 +453,13 @@ type Mutation {
     """
     verifyUrl: URITemplate!
   ): LoginResult!
+  loginByPasskey(
+    """WebAuthn authentication response from the client."""
+    authenticationResponse: JSON!
+
+    """Temporary session ID used for authentication options."""
+    sessionId: UUID!
+  ): Session
   loginByUsername(
     """The locale for the sign-in email."""
     locale: Locale!
@@ -449,13 +472,15 @@ type Mutation {
     """
     verifyUrl: URITemplate!
   ): LoginResult!
+  revokePasskey(passkeyId: ID!): Boolean!
 
   """Revoke a session by its ID."""
   revokeSession(
     """The ID of the session to log out."""
     sessionId: UUID!
   ): Session
   updateAccount(input: UpdateAccountInput!): UpdateAccountPayload!
+  verifyPasskeyRegistration(accountId: ID!, name: String!, registrationResponse: JSON!): JSON!
 }
 
 interface Node {
@@ -527,6 +552,13 @@ type PageInfo {
   startCursor: String
 }
 
+type Passkey implements Node {
+  created: DateTime!
+  id: ID!
+  lastUsed: DateTime
+  name: String!
+}
+
 type Poll implements Node {
   ends: DateTime!
   id: ID!