feat: webauthn base (#1115)

* feat: new dependency: webauthn4j

* feat: add tables for webauthn

* fix: typo fixes

* feat: webauthn options

* feat: registercredentials wip

* feat: passkeys register credentials wip

* feat: recipe user sign up

* recipe user creation wip

* sign up recipe user

* feat: register credentials

* fix: temp

* feat: webauthn support wip

* feat: webauthn support wip

* merging

* feat: webauthn support wip

* feat: getuserinfolist draft

* feat: get user by account info - webauthn support

* fix: generate account recovery token api

* feat: get user by account info - webauthn support

* feat: signup with credentialsregister

* fix: fixes for tests

* fix: fixes for tests

* feat: get generated options api

* feat: webauthn sign in

* fix: account recovery

* fix: fixes for tests

* fix: fixing id name in response

* fix: fixing id encoding in response

* fix: base64 url encode the challenge insted of base64 encode

* fix: account recovery impl

* fix: base64 encoding changes

* fix: fixes for tests

* fix: fixing sql issues and encoding issues

* fix: fixes for tests

* fix: integration fix for signup

* fix: webauthn flow test stub

* fix: fixes for sdk tests

* feat: add webauthn recover account apis to webserver

* feat: crud apis addition

* feat: remove options api

* fix: additional field in the sign in options response

* fix: reworked error handling

* fix: fixing GET api not to expect json body

* fix: sign in + options check

* fix: more descriptive error messages for credentialsRegister

* fix: typo fixes

* fix: fixes for tests

* fix: not letting dependencies exception to leak out

* feat: clean up expired data cron

* fix: changing recovery token consume

* fix: fixing loginmethod collection

* fix: signin fixes

* fix: webauthn sign in fixes

* fix: add recipeUserId in signIn response

* feat: enable credentials listing api

* feat: extending user listing with webauthn

* fix: don't use the counter at signin check

* fix: small fixes

* fix: setting UV and RK to false

* feat: saving userVerification and userPresence values

* fix: change a bunch of error messages for sdk integration

* fix: change a bunch of error messages for sdk integration

* fix: include userVerification and userPresence in options response

* fix: error messages changes

* fix: refactor exceptions

* feat: get credential api

* fix: options generation no longer throws invalid options error as per reference impl

* fix: more error handling for sign in

* fix: rename methods for better readability

* fix: throw the right exception

* ci: experiment with a GHA to publish test/dev images

* ci: experiment with publishing dev docker images

* ci: experiment with publishing dev docker images

* ci: experiment with a GHA to publish test/dev images

* fix: options validation

* fix: options validation rpId doesn't have to be an url

* fix: additional validation

* fix: fixes for various sdk tests

* fix: Dockerfile setupTestEnv --local

* ci: remove arm64 build from dev-docker

* fix: add webauth4jn-test dependency

* fix: fixing email verification query for webauthn

* fix: authenticator mocking and example usage

* fix: sem ver and few test fixes

* fix: test fixes

* fix: cdi version increment in webauthn test

* fix: webauthn signIn should load all loginmethods of the user

* fix: fixing table locked issue with in memory db

* fix: remove unnecessary logging

* fix: add tests and fixes

* fix: add tests and fixes for email update

* fix: additional tests and fixes related to useridmapping

* fix: add null check

* fix: add test

* fix: additional indexes for performance optimization

* ci: fix dev-docker build

* fix: self-review fixes

* fix: update pluginInterfaceSupported to the right branch

* chore: changelog, version number

* fix: review fixes

* fix: review fixes

* fix: fixing email verified flag after email change

* fix: review fixes

* fix: handling potential error while saving options

* fix: review fixes

* chore: updating supported pluginInterface

* chore: updating supported pluginInterface

* test: API tests (#1118)

* fix: API tests template

* fix: options register APIs

* test: register credential

* test: fix

* fix: test get credential

* test: list credential

* test: remove credential

* test: remove credential

* test: sign in options

* test: sign-in

* test: sign-in

* test: update email

* fix: delete

* fix: tests for mongodb

* fix: tests

* fix: tests

* fix: review fixes

* fix: review fix: token generation changes

---------

Co-authored-by: Sattvik Chakravarthy <[email protected]>
Co-authored-by: Mihaly Lengyel <[email protected]>
Co-authored-by: Sattvik Chakravarthy <[email protected]>

Author: 3 people

.gitignore

@@ -47,4 +47,7 @@ local.properties
 *.iml
 ee/bin
 addDevTag
-addReleaseTag
+addReleaseTag
+
+install-linux.sh
+install-windows.bat

CHANGELOG.md

@@ -7,6 +7,191 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [10.1.0]
+
+- Adds Webauthn (Passkeys) support to core
+- Adds APIs:
+  - GET `/recipe/webauthn/user/credential/`
+  - GET `/recipe/webauthn/user/credential/list`
+  - GET `/recipe/webauthn/options`
+  - GET `/recipe/webauthn/user/recover`
+  - POST `/recipe/webauthn/options/register`
+  - POST `/recipe/webauthn/options/signin`
+  - POST `/recipe/webauthn/user/credential/register`
+  - POST `/recipe/webauthn/signup`
+  - POST `/recipe/webauthn/signin`
+  - POST `/recipe/webauthn/user/recover/token`
+  - POST `/recipe/webauthn/user/recover/token/consume`
+  - PUT `/recipe/webauthn/user/email`
+  - DELETE `/recipe/webauthn/user/credential/remove`
+  - DELETE `/recipe/webauthn/options/remove`
+- Adds additional indexing for `emailverification_verified_emails`
+
+### Migration
+
+If using PostgreSQL, run the following SQL script:
+
+```sql
+
+CREATE INDEX IF NOT EXISTS emailverification_verified_emails_app_id_email_index ON emailverification_verified_emails
+(app_id, email);
+
+CREATE TABLE IF NOT EXISTS webauthn_account_recovery_tokens (
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    tenant_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    user_id CHAR(36) NOT NULL,
+    email VARCHAR(256) NOT NULL,
+    token VARCHAR(256) NOT NULL,
+    expires_at BIGINT NOT NULL,
+    CONSTRAINT webauthn_account_recovery_token_pkey PRIMARY KEY (app_id, tenant_id, user_id, token),
+    CONSTRAINT webauthn_account_recovery_token_user_id_fkey FOREIGN KEY (app_id, tenant_id, user_id) REFERENCES 
+    all_auth_recipe_users(app_id, tenant_id, user_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS webauthn_credentials (
+    id VARCHAR(256) NOT NULL,
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    rp_id VARCHAR(256) NOT NULL,
+    user_id CHAR(36),
+    counter BIGINT NOT NULL,
+    public_key BYTEA NOT NULL,
+    transports TEXT NOT NULL,
+    created_at BIGINT NOT NULL,
+    updated_at BIGINT NOT NULL,
+    CONSTRAINT webauthn_credentials_pkey PRIMARY KEY (app_id, rp_id, id),
+    CONSTRAINT webauthn_credentials_user_id_fkey FOREIGN KEY (app_id, user_id) REFERENCES webauthn_users
+    (app_id, user_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS webauthn_generated_options (
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    tenant_id VARCHAR(64) DEFAULT 'public'NOT NULL,
+    id CHAR(36) NOT NULL,
+    challenge VARCHAR(256) NOT NULL,
+    email VARCHAR(256),
+    rp_id VARCHAR(256) NOT NULL,
+    rp_name VARCHAR(256) NOT NULL,
+    origin VARCHAR(256) NOT NULL,
+    expires_at BIGINT NOT NULL,
+    created_at BIGINT NOT NULL,
+    user_presence_required BOOLEAN DEFAULT false NOT NULL,
+    user_verification VARCHAR(12) DEFAULT 'preferred' NOT NULL,
+    CONSTRAINT webauthn_generated_options_pkey PRIMARY KEY (app_id, tenant_id, id),
+    CONSTRAINT webauthn_generated_options_tenant_id_fkey FOREIGN KEY (app_id, tenant_id) REFERENCES tenants
+    (app_id, tenant_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS webauthn_user_to_tenant (
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    tenant_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    user_id CHAR(36) NOT NULL,
+    email VARCHAR(256) NOT NULL,
+    CONSTRAINT webauthn_user_to_tenant_email_key UNIQUE (app_id, tenant_id, email),
+    CONSTRAINT webauthn_user_to_tenant_pkey PRIMARY KEY (app_id, tenant_id, user_id),
+    CONSTRAINT webauthn_user_to_tenant_user_id_fkey FOREIGN KEY (app_id, tenant_id, user_id) REFERENCES 
+    all_auth_recipe_users(app_id, tenant_id, user_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS webauthn_users (
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    user_id CHAR(36) NOT NULL,
+    email VARCHAR(256) NOT NULL,
+    rp_id VARCHAR(256) NOT NULL,
+    time_joined BIGINT NOT NULL,
+    CONSTRAINT webauthn_users_pkey PRIMARY KEY (app_id, user_id),
+    CONSTRAINT webauthn_users_user_id_fkey FOREIGN KEY (app_id, user_id) REFERENCES app_id_to_user_id(app_id, 
+    user_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS webauthn_user_to_tenant_email_index ON webauthn_user_to_tenant (app_id, email);
+CREATE INDEX IF NOT EXISTS webauthn_user_challenges_expires_at_index ON webauthn_generated_options (app_id, tenant_id, expires_at);
+CREATE INDEX IF NOT EXISTS webauthn_credentials_user_id_index ON webauthn_credentials (user_id);
+CREATE INDEX IF NOT EXISTS webauthn_account_recovery_token_token_index ON webauthn_account_recovery_tokens (app_id, tenant_id, token);
+CREATE INDEX IF NOT EXISTS webauthn_account_recovery_token_expires_at_index ON webauthn_account_recovery_tokens (expires_at DESC);
+CREATE INDEX IF NOT EXISTS webauthn_account_recovery_token_email_index ON webauthn_account_recovery_tokens (app_id, tenant_id, email);
+```
+
+If using MySQL, run the following SQL script:
+
+```sql
+CREATE INDEX emailverification_verified_emails_app_id_email_index ON emailverification_verified_emails
+(app_id, email);
+
+CREATE TABLE IF NOT EXISTS webauthn_account_recovery_tokens (
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    tenant_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    user_id CHAR(36) NOT NULL,
+    email VARCHAR(256) NOT NULL,
+    token VARCHAR(256) NOT NULL,
+    expires_at BIGINT NOT NULL,
+    CONSTRAINT webauthn_account_recovery_token_pkey PRIMARY KEY (app_id, tenant_id, user_id, token),
+    CONSTRAINT webauthn_account_recovery_token_user_id_fkey FOREIGN KEY (app_id, tenant_id, user_id) REFERENCES 
+    all_auth_recipe_users(app_id, tenant_id, user_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS webauthn_credentials (
+    id VARCHAR(256) NOT NULL,
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    rp_id VARCHAR(256) NOT NULL,
+    user_id CHAR(36),
+    counter BIGINT NOT NULL,
+    public_key BLOB NOT NULL,
+    transports TEXT NOT NULL,
+    created_at BIGINT NOT NULL,
+    updated_at BIGINT NOT NULL,
+    CONSTRAINT webauthn_credentials_pkey PRIMARY KEY (app_id, rp_id, id),
+    CONSTRAINT webauthn_credentials_user_id_fkey FOREIGN KEY (app_id, user_id) REFERENCES webauthn_users
+    (app_id, user_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS webauthn_generated_options (
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    tenant_id VARCHAR(64) DEFAULT 'public'NOT NULL,
+    id CHAR(36) NOT NULL,
+    challenge VARCHAR(256) NOT NULL,
+    email VARCHAR(256),
+    rp_id VARCHAR(256) NOT NULL,
+    rp_name VARCHAR(256) NOT NULL,
+    origin VARCHAR(256) NOT NULL,
+    expires_at BIGINT NOT NULL,
+    created_at BIGINT NOT NULL,
+    user_presence_required BOOLEAN DEFAULT false NOT NULL,
+    user_verification VARCHAR(12) DEFAULT 'preferred' NOT NULL,
+    CONSTRAINT webauthn_generated_options_pkey PRIMARY KEY (app_id, tenant_id, id),
+    CONSTRAINT webauthn_generated_options_tenant_id_fkey FOREIGN KEY (app_id, tenant_id) REFERENCES tenants
+    (app_id, tenant_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS webauthn_user_to_tenant (
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    tenant_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    user_id CHAR(36) NOT NULL,
+    email VARCHAR(256) NOT NULL,
+    CONSTRAINT webauthn_user_to_tenant_email_key UNIQUE (app_id, tenant_id, email),
+    CONSTRAINT webauthn_user_to_tenant_pkey PRIMARY KEY (app_id, tenant_id, user_id),
+    CONSTRAINT webauthn_user_to_tenant_user_id_fkey FOREIGN KEY (app_id, tenant_id, user_id) REFERENCES 
+    all_auth_recipe_users(app_id, tenant_id, user_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS webauthn_users (
+    app_id VARCHAR(64) DEFAULT 'public' NOT NULL,
+    user_id CHAR(36) NOT NULL,
+    email VARCHAR(256) NOT NULL,
+    rp_id VARCHAR(256) NOT NULL,
+    time_joined BIGINT NOT NULL,
+    CONSTRAINT webauthn_users_pkey PRIMARY KEY (app_id, user_id),
+    CONSTRAINT webauthn_users_user_id_fkey FOREIGN KEY (app_id, user_id) REFERENCES app_id_to_user_id (app_id, 
+    user_id) ON DELETE CASCADE
+);
+
+CREATE INDEX webauthn_user_to_tenant_email_index ON webauthn_user_to_tenant (app_id, email);
+CREATE INDEX webauthn_user_challenges_expires_at_index ON webauthn_generated_options (app_id, tenant_id, expires_at);
+CREATE INDEX webauthn_credentials_user_id_index ON webauthn_credentials (user_id);
+CREATE INDEX webauthn_account_recovery_token_token_index ON webauthn_account_recovery_tokens (app_id, tenant_id, token);
+CREATE INDEX webauthn_account_recovery_token_expires_at_index ON webauthn_account_recovery_tokens (expires_at DESC);
+CREATE INDEX webauthn_account_recovery_token_email_index ON webauthn_account_recovery_tokens (app_id, tenant_id, email);
+```
+
 ## [10.0.3]
 
 - Fixes `StorageTransactionLogicException` in bulk import when not using userRoles and totpDevices in import json.

build.gradle

@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "10.0.3"
+version = "10.1.0"
 
 repositories {
     mavenCentral()
@@ -73,6 +73,12 @@ dependencies {
     // https://mvnrepository.com/artifact/com.googlecode.libphonenumber/libphonenumber/
     implementation group: 'com.googlecode.libphonenumber', name: 'libphonenumber', version: '8.13.25'
 
+    // https://mvnrepository.com/artifact/com.webauthn4j/webauthn4j-core
+    implementation group: 'com.webauthn4j', name: 'webauthn4j-core', version: '0.28.5.RELEASE'
+
+    // https://mvnrepository.com/artifact/com.webauthn4j/webauthn4j-test
+    implementation group: 'com.webauthn4j', name: 'webauthn4j-test', version: '0.28.5.RELEASE'
+
     compileOnly project(":supertokens-plugin-interface")
     testImplementation project(":supertokens-plugin-interface")
 
@@ -86,7 +92,6 @@ dependencies {
     testImplementation group: 'org.reflections', name: 'reflections', version: '0.9.10'
 
     testImplementation 'com.tngtech.archunit:archunit-junit4:0.22.0'
-
 }
 
 application {

config.yaml

@@ -174,3 +174,7 @@ core_config_version: 0
 # (DIFFERENT_ACROSS_APPS | OPTIONAL | Default: number of available processor cores) int value. If specified,
 # the supertokens core will use the specified number of threads to complete the migration of users.
 # bulk_migration_parallelism:
+
+# (DIFFERENT_ACROSS_APPS | OPTIONAL | Default: 3600000) long value. Time in milliseconds for how long a webauthn
+# account recovery token is valid for.
+# webauthn_recover_account_token_lifetime:

coreDriverInterfaceSupported.json

@@ -21,6 +21,7 @@
     "4.0",
     "5.0",
     "5.1",
-    "5.2"
+    "5.2",
+    "5.3"
   ]
 }

devConfig.yaml

@@ -175,3 +175,6 @@ disable_telemetry: true
 # the supertokens core will use the specified number of threads to complete the migration of users.
 # bulk_migration_parallelism:
 
+# (DIFFERENT_ACROSS_APPS | OPTIONAL | Default: 3600000) long value. Time in milliseconds for how long a webauthn
+# account recovery token is valid for.
+# webauthn_recover_account_token_lifetime:

implementationDependencies.json

@@ -115,6 +115,16 @@
       "jar": "https://repo1.maven.org/maven2/com/googlecode/libphonenumber/libphonenumber/8.13.25/libphonenumber-8.13.25.jar",
       "name": "Libphonenumber 8.13.25",
       "src": "https://repo1.maven.org/maven2/com/googlecode/libphonenumber/libphonenumber/8.13.25/libphonenumber-8.13.25-sources.jar"
+    },
+    {
+      "jar": "https://repo1.maven.org/maven2/com/webauthn4j/webauthn4j-core/0.28.3.RELEASE/webauthn4j-core-0.28.5.RELEASE.jar",
+      "name": "webauthn4j-core 0.28.3.RELEASE",
+      "src": "https://repo1.maven.org/maven2/com/webauthn4j/webauthn4j-core/0.28.3.RELEASE/webauthn4j-core-0.28.5.RELEASE-sources.jar"
+    },
+    {
+      "jar": "https://repo1.maven.org/maven2/com/webauthn4j/webauthn4j-test/0.28.5.RELEASE/webauthn4j-test-0.28.5.RELEASE.jar",
+      "name": "webauthn4j-test 0.28.5.RELEASE",
+      "src": "https://repo1.maven.org/maven2/com/webauthn4j/webauthn4j-test/0.28.5.RELEASE/webauthn4j-test-0.28.5.RELEASE-sources.jar"
     }
   ]
 }

pluginInterfaceSupported.json

@@ -1,6 +1,6 @@
 {
   "_comment": "contains a list of plugin interfaces branch names that this core supports",
   "versions": [
-    "7.0"
+    "7.1"
   ]
 }

src/main/java/io/supertokens/Main.java

@@ -22,6 +22,7 @@
 import io.supertokens.cronjobs.Cronjobs;
 import io.supertokens.cronjobs.bulkimport.ProcessBulkImportUsers;
 import io.supertokens.cronjobs.cleanupOAuthSessionsAndChallenges.CleanupOAuthSessionsAndChallenges;
+import io.supertokens.cronjobs.cleanupWebauthnExpiredData.CleanUpWebauthNExpiredDataCron;
 import io.supertokens.cronjobs.deleteExpiredAccessTokenSigningKeys.DeleteExpiredAccessTokenSigningKeys;
 import io.supertokens.cronjobs.deleteExpiredDashboardSessions.DeleteExpiredDashboardSessions;
 import io.supertokens.cronjobs.deleteExpiredEmailVerificationTokens.DeleteExpiredEmailVerificationTokens;
@@ -265,6 +266,8 @@ private void init() throws IOException, StorageQueryException {
 
         Cronjobs.addCronjob(this, CleanupOAuthSessionsAndChallenges.init(this, uniqueUserPoolIdsTenants));
 
+        Cronjobs.addCronjob(this, CleanUpWebauthNExpiredDataCron.init(this, uniqueUserPoolIdsTenants));
+
         // this is to ensure tenantInfos are in sync for the new cron job as well
         MultitenancyHelper.getInstance(this).refreshCronjobs();