feat: add hanko api passkey integration

Author: riccardoperra

apps/api/api-types/index.d.ts

@@ -10,4 +10,8 @@ export type {
   GetPresetByIdApi,
   UpdatePresetApi,
   GetAllPresetApi,
+  PasskeyStartRegistrationApi,
+  PasskeyFinalizeRegistrationApi,
+  PasskeyStartLoginApi,
+  PasskeyFinalizeLoginApi,
 } from '../dist/schemas/index.js';

apps/api/package.json

@@ -40,6 +40,7 @@
   "license": "ISC",
   "dependencies": {
     "@codeimage/prisma-models": "workspace:*",
+    "@fastify/auth": "4.4.0",
     "@fastify/autoload": "^5.7.1",
     "@fastify/cors": "^8.3.0",
     "@fastify/env": "^4.2.0",
@@ -50,13 +51,16 @@
     "@fastify/type-provider-typebox": "^3.2.0",
     "@prisma/client": "^4.15.0",
     "@sinclair/typebox": "^0.28.15",
+    "@teamhanko/passkeys-sdk": "0.1.8",
+    "auth0": "4.2.0",
     "close-with-grace": "^1.2.0",
     "dotenv": "^16.1.4",
     "dotenv-cli": "^6.0.0",
     "fastify": "^4.18.0",
     "fastify-auth0-verify": "^1.2.0",
     "fastify-cli": "^5.7.1",
     "fastify-healthcheck": "^4.4.0",
+    "fastify-jwt-jwks": "1.1.4",
     "fastify-plugin": "^4.5.0",
     "fluent-json-schema": "^4.1.0",
     "prisma": "^4.15.0"

apps/api/src/app.ts

@@ -2,6 +2,7 @@ import AutoLoad, {AutoloadPluginOptions} from '@fastify/autoload';
 import fastifyEnv from '@fastify/env';
 import {Type} from '@sinclair/typebox';
 import {FastifyPluginAsync} from 'fastify';
+import fp from 'fastify-plugin';
 import path, {join} from 'node:path';
 import {fileURLToPath} from 'node:url';
 
@@ -20,6 +21,9 @@ declare module 'fastify' {
       GRANT_TYPE_AUTH0?: string;
       ALLOWED_ORIGINS?: string;
       PRESETS_LIMIT?: number;
+      HANKO_PASSKEYS_LOGIN_BASE_URL: string;
+      HANKO_PASSKEYS_TENANT_ID: string;
+      HANKO_PASSKEYS_API_KEY: string;
     };
   }
 }
@@ -51,6 +55,9 @@ const app: FastifyPluginAsync<AppOptions> = async (
       GRANT_TYPE_AUTH0: Type.String(),
       ALLOWED_ORIGINS: Type.String(),
       PRESETS_LIMIT: Type.Number({default: Number.MAX_SAFE_INTEGER}),
+      HANKO_PASSKEYS_LOGIN_BASE_URL: Type.String(),
+      HANKO_PASSKEYS_TENANT_ID: Type.String(),
+      HANKO_PASSKEYS_API_KEY: Type.String(),
     }),
   });
 
@@ -61,6 +68,7 @@ const app: FastifyPluginAsync<AppOptions> = async (
     dir: join(__dirname, 'plugins'),
     options: opts,
     forceESM: true,
+    encapsulate: false,
   });
 
   // This loads all plugins defined in routes

apps/api/src/common/typebox/nullable.ts

@@ -1,14 +1,32 @@
-import {SchemaOptions, TSchema, Type} from '@sinclair/typebox';
+import {
+  SchemaOptions,
+  TNull,
+  TOptional,
+  TSchema,
+  TUnion,
+  Type,
+} from '@sinclair/typebox';
 
-export const Nullable = <T extends TSchema>(tType: T, optional = true) => {
+export function Nullable<T extends TSchema>(
+  tType: T,
+  optional?: true,
+): TOptional<TUnion<[T, TNull]>>;
+export function Nullable<T extends TSchema>(
+  tType: T,
+  optional?: false,
+): TUnion<[T, TNull]>;
+export function Nullable<T extends TSchema>(
+  tType: T,
+  optional?: boolean,
+): TOptional<TUnion<[T, TNull]>> | TUnion<[T, TNull]> {
   const options: SchemaOptions | undefined = Reflect.has(tType, 'default')
     ? {default: tType.default}
     : undefined;
 
   const resolvedType = Type.Union([tType, Type.Null()], options);
 
-  if (optional) {
+  if (optional === undefined || optional) {
     return Type.Optional(resolvedType);
   }
   return resolvedType;
-};
+}

apps/api/src/plugins/auth0.ts

@@ -3,8 +3,7 @@ import '@fastify/jwt';
 import {
   FastifyInstance,
   FastifyPluginAsync,
-  FastifyReply,
-  FastifyRequest,
+  preHandlerHookHandler,
 } from 'fastify';
 import fastifyAuth0Verify, {Authenticate} from 'fastify-auth0-verify';
 import fp from 'fastify-plugin';
@@ -54,67 +53,57 @@ export default fp<{authProvider?: FastifyPluginAsync}>(
       });
     }
 
-    async function authorize(
-      req: FastifyRequest,
-      reply: FastifyReply,
-      options: AuthorizeOptions = {
-        mustBeAuthenticated: true,
-      },
-    ) {
-      try {
-        await fastify.authenticate(req, reply);
-      } catch (e) {
-        if (options.mustBeAuthenticated) {
-          throw fastify.httpErrors.unauthorized();
+    const authorize: (options: AuthorizeOptions) => preHandlerHookHandler =
+      (options = {mustBeAuthenticated: true}) =>
+      async (req, reply) => {
+        try {
+          await fastify.authenticate(req, reply);
+        } catch (e) {
+          if (options.mustBeAuthenticated) {
+            throw fastify.httpErrors.unauthorized();
+          }
         }
-      }
 
-      const emailClaim = `${fastify.config.AUTH0_CLIENT_CLAIMS}/email`;
+        const emailClaim = `${fastify.config.AUTH0_CLIENT_CLAIMS}/email`;
 
-      if (!req.user) {
-        req.appUserOptional = null;
-        return;
-      }
-
-      const email = req.user[emailClaim] as string;
+        if (!req.user) {
+          req.appUserOptional = null;
+          return;
+        }
 
-      if (!email) {
-        throw fastify.httpErrors.badRequest('No valid user data');
-      }
+        const email = req.user[emailClaim] as string;
 
-      const user = await fastify.prisma.user.findFirst({
-        where: {
-          email,
-        },
-      });
+        if (!email) {
+          throw fastify.httpErrors.badRequest('No valid user data');
+        }
 
-      if (!user) {
-        req.appUser = await fastify.prisma.user.create({
-          data: {
+        const user = await fastify.prisma.user.findFirst({
+          where: {
             email,
           },
         });
-      } else {
-        req.appUser = user;
-      }
 
-      req.appUserOptional = req.appUser;
-    }
+        if (!user) {
+          req.appUser = await fastify.prisma.user.create({
+            data: {
+              email,
+            },
+          });
+        } else {
+          req.appUser = user;
+        }
+
+        req.appUserOptional = req.appUser;
+      };
 
-    fastify.decorateRequest('appUser', null);
-    fastify.decorate('authorize', authorize);
+    fastify.decorate('verifyAuth0', authorize);
   },
 );
 
 declare module 'fastify' {
   interface FastifyInstance {
-    authorize: (
-      req: FastifyRequest,
-      reply: FastifyReply,
-      options?: AuthorizeOptions,
-    ) => void;
+    verifyAuth0: (options?: AuthorizeOptions) => preHandlerHookHandler;
   }
-
   interface FastifyRequest {
     appUser: User;
     appUserOptional: User | null;

apps/api/src/plugins/auth0Management.ts

@@ -0,0 +1,20 @@
+import {ManagementClient} from 'auth0';
+import fp from 'fastify-plugin';
+
+export default fp(async fastify => {
+  fastify.decorate(
+    'auth0Management',
+    new ManagementClient({
+      domain: fastify.config.DOMAIN_AUTH0!,
+      audience: fastify.config.AUDIENCE_AUTH0!,
+      clientId: fastify.config.CLIENT_ID_AUTH0!,
+      clientSecret: fastify.config.CLIENT_SECRET_AUTH0!,
+    }),
+  );
+});
+
+declare module 'fastify' {
+  interface FastifyInstance {
+    auth0Management: ManagementClient;
+  }
+}

apps/api/src/plugins/multi-auth.ts

@@ -0,0 +1,30 @@
+import fastifyAuth from '@fastify/auth';
+import {preHandlerHookHandler} from 'fastify';
+import fp from 'fastify-plugin';
+
+interface AuthorizeOptions {
+  mustBeAuthenticated: boolean;
+}
+export default fp(async fastify => {
+  fastify.register(fastifyAuth);
+
+  const preHookHandler: (options: AuthorizeOptions) => preHandlerHookHandler = (
+    options = {mustBeAuthenticated: true},
+  ) =>
+    function (request, reply, done) {
+      return fastify
+        .auth([
+          fastify.verifyAuth0(options),
+          fastify.verifyHankoPasskey(options),
+        ])
+        .apply(this, [request, reply, done]);
+    };
+
+  fastify.decorate('authorize', preHookHandler);
+});
+
+declare module 'fastify' {
+  interface FastifyInstance {
+    authorize: (options?: AuthorizeOptions) => preHandlerHookHandler;
+  }
+}

apps/api/src/plugins/passkeys.ts

@@ -0,0 +1,56 @@
+import {tenant} from '@teamhanko/passkeys-sdk';
+import {preHandlerHookHandler} from 'fastify';
+import fp from 'fastify-plugin';
+
+interface AuthorizeOptions {
+  mustBeAuthenticated: boolean;
+}
+
+export const passkeysPlugin = fp(async fastify => {
+  const passkeysApi = tenant({
+    tenantId: fastify.config.HANKO_PASSKEYS_TENANT_ID,
+    apiKey: fastify.config.HANKO_PASSKEYS_API_KEY,
+    baseUrl: fastify.config.HANKO_PASSKEYS_LOGIN_BASE_URL,
+  });
+
+  fastify.decorate('passkeysApi', passkeysApi);
+
+  const verify: (options: AuthorizeOptions) => preHandlerHookHandler =
+    (options = {mustBeAuthenticated: true}) =>
+    async (req, reply, done) => {
+      const token = req.headers.authorization
+        ?.split('Bearer ')[1]
+        .split('.')[1] as string;
+      const claims = JSON.parse(atob(token));
+      const userId = claims.sub;
+
+      const user = await fastify.prisma.user.findFirst({
+        where: {
+          id: userId,
+        },
+      });
+
+      if (user) {
+        console.log('augment request with user', user);
+        req.appUser = user;
+        req.appUserOptional = user;
+        done();
+      } else if (options.mustBeAuthenticated) {
+        throw fastify.httpErrors.unauthorized();
+      }
+    };
+
+  fastify.decorate('verifyHankoPasskey', verify);
+});
+
+export default passkeysPlugin;
+
+declare module 'fastify' {
+  interface FastifyInstance {
+    passkeysApi: ReturnType<typeof tenant>;
+
+    verifyHankoPasskey: (
+      options?: AuthorizeOptions,
+    ) => (req: FastifyRequest, reply: FastifyReply) => void;
+  }
+}

apps/api/src/plugins/user.ts

@@ -0,0 +1,6 @@
+import fp from 'fastify-plugin';
+
+export default fp(async fastify => {
+  fastify.decorateRequest('appUser', null);
+  fastify.decorateRequest('appUserOptional', null);
+});

apps/api/src/routes/v1/passkey/deleteCredential.ts

@@ -0,0 +1,25 @@
+import {FastifyPluginAsyncTypebox} from '@fastify/type-provider-typebox';
+import {Type} from '@sinclair/typebox';
+
+const route: FastifyPluginAsyncTypebox = async fastify => {
+  fastify.delete(
+    '/credentials',
+    {
+      schema: {
+        params: Type.Object({
+          credentialId: Type.String(),
+        }),
+      },
+      preValidation: function (request, reply, done) {
+        return fastify
+          .auth([fastify.authenticate, fastify.verifyHankoPasskey])
+          .apply(this, [request, reply, done]);
+      },
+    },
+    async request => {
+      return fastify.passkeysApi.credential(request.params.credentialId);
+    },
+  );
+};
+
+export default route;