github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-08 23:18:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4896 from Infisical/feat/webauth-and-session-mfa

Browse Source 
feat: webauthn and PAM session mfa
This commit is contained in:
Sheen
2026-01-06 21:46:10 +08:00
committed by GitHub
parent 43fe937c2a ad74f4aa2b
commit 352176b7f7
63 changed files with 2846 additions and 322 deletions
Download Patch File Download Diff File Expand all files Collapse all files

329
backend/package-lock.json generated
View File

@@ -56,6 +56,7 @@
"@peculiar/x509": "^1.12.1",
"@react-email/components": "^1.0.1",
"@serdnam/pino-cloudwatch-transport": "^1.0.4",
"@simplewebauthn/server": "^13.2.2",
"@sindresorhus/slugify": "1.1.0",
"@slack/oauth": "^3.0.2",
"@slack/web-api": "^7.8.0",
@@ -663,7 +664,6 @@
"resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.637.0.tgz",
"integrity": "sha512-xUi7x4qDubtA8QREtlblPuAcn91GS/09YVEY/RwU7xCY0aqGuFwgszAANlha4OUIqva8oVj2WO4gJuG+iaSnhw==",
"license": "Apache-2.0",
"peer": true,
"dependencies": {
"@aws-crypto/sha256-browser": "5.2.0",
"@aws-crypto/sha256-js": "5.2.0",
@@ -2110,7 +2110,6 @@
"resolved": "https://registry.npmjs.org/@aws-sdk/client-sso-oidc/-/client-sso-oidc-3.682.0.tgz",
"integrity": "sha512-ZPZ7Y/r/w3nx/xpPzGSqSQsB090Xk5aZZOH+WBhTDn/pBEuim09BYXCLzvvxb7R7NnuoQdrTJiwimdJAhHl7ZQ==",
"license": "Apache-2.0",
"peer": true,
"dependencies": {
"@aws-crypto/sha256-browser": "5.2.0",
"@aws-crypto/sha256-js": "5.2.0",
@@ -2164,7 +2163,6 @@
"resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.682.0.tgz",
"integrity": "sha512-xKuo4HksZ+F8m9DOfx/ZuWNhaPuqZFPwwy0xqcBT6sWH7OAuBjv/fnpOTzyQhpVTWddlf+ECtMAMrxjxuOExGQ==",
"license": "Apache-2.0",
"peer": true,
"dependencies": {
"@aws-crypto/sha256-browser": "5.2.0",
"@aws-crypto/sha256-js": "5.2.0",
@@ -2664,7 +2662,6 @@
"version": "3.632.0",
"resolved": "https://registry.npmjs.org/@aws-sdk/client-sso-oidc/-/client-sso-oidc-3.632.0.tgz",
"integrity": "sha512-Oh1fIWaoZluihOCb/zDEpRTi+6an82fgJz7fyRBugyLhEtDjmvpCQ3oKjzaOhoN+4EvXAm1ZS/ZgpvXBlIRTgw==",
"peer": true,
"dependencies": {
"@aws-crypto/sha256-browser": "5.2.0",
"@aws-crypto/sha256-js": "5.2.0",
@@ -2741,7 +2738,6 @@
"version": "3.632.0",
"resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.632.0.tgz",
"integrity": "sha512-Ss5cBH09icpTvT+jtGGuQlRdwtO7RyE9BF4ZV/CEPATdd9whtJt4Qxdya8BUnkWR7h5HHTrQHqai3YVYjku41A==",
"peer": true,
"dependencies": {
"@aws-crypto/sha256-browser": "5.2.0",
"@aws-crypto/sha256-js": "5.2.0",
@@ -5179,7 +5175,6 @@
"integrity": "sha512-vMqyb7XCDMPvJFFOaT9kxtiRh42GwlZEg1/uIgtZshS5a/8OaduUfCi7kynKgc3Tw/6Uo2D+db9qBttghhmxwQ==",
"dev": true,
"license": "MIT",
"peer": true,
"dependencies": {
"@ampproject/remapping": "^2.2.0",
"@babel/code-frame": "^7.26.2",
@@ -7211,7 +7206,6 @@
"url": "https://opencollective.com/csstools"
}
],
"peer": true,
"engines": {
"node": ">=18"
},
@@ -7233,7 +7227,6 @@
"url": "https://opencollective.com/csstools"
}
],
"peer": true,
"engines": {
"node": ">=18"
}
@@ -8561,6 +8554,12 @@
"resolved": "https://registry.npmjs.org/@hapi/bourne/-/bourne-2.1.0.tgz",
"integrity": "sha512-i1BpaNDVLJdRBEKeJWkVO6tYX6DMFBuwMhSuWqLsY4ufeTKGVuV5rBsUhxPayXqnnWHgXUAmWK16H/ykO5Wj4Q=="
},
"node_modules/@hexagon/base64": {
"version": "1.1.28",
"resolved": "https://registry.npmjs.org/@hexagon/base64/-/base64-1.1.28.tgz",
"integrity": "sha512-lhqDEAvWixy3bZ+UOYbPwUbBkwBq5C1LAJ/xPC8Oi+lL54oyakv/npbA0aU2hgCsx/1NUd4IBvV03+aUBWxerw==",
"license": "MIT"
},
"node_modules/@humanwhocodes/config-array": {
"version": "0.11.13",
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.13.tgz",
@@ -9214,9 +9213,6 @@
"win32"
]
},
"node_modules/@infisical/quic/node_modules/@infisical/quic-linux-arm": {
"optional": true
},
"node_modules/@ioredis/commands": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/@ioredis/commands/-/commands-1.2.0.tgz",
@@ -9428,6 +9424,12 @@
"resolved": "https://registry.npmjs.org/@ldapjs/protocol/-/protocol-1.2.1.tgz",
"integrity": "sha512-O89xFDLW2gBoZWNXuXpBSM32/KealKCTb3JGtJdtUQc7RjAk8XzrRgyz02cPAwGKwKPxy0ivuC7UP9bmN87egQ=="
},
"node_modules/@levischuck/tiny-cbor": {
"version": "0.2.11",
"resolved": "https://registry.npmjs.org/@levischuck/tiny-cbor/-/tiny-cbor-0.2.11.tgz",
"integrity": "sha512-llBRm4dT4Z89aRsm6u2oEZ8tfwL/2l6BwpZ7JcyieouniDECM5AqNgr/y08zalEIvW3RSK4upYyybDcmjXqAow==",
"license": "MIT"
},
"node_modules/@lukeed/ms": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.2.tgz",
@@ -10667,7 +10669,6 @@
"resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.1.tgz",
"integrity": "sha512-dKYCMuPO1bmrpuogcjQ8z7ICCH3FP6WmxpwC03yjzGfZhj9fTJg6+bS1+UAplekbN2C+M61UNllGOOoAfGCrdQ==",
"license": "MIT",
"peer": true,
"dependencies": {
"@octokit/auth-token": "^4.0.0",
"@octokit/graphql": "^7.1.0",
@@ -11111,7 +11112,6 @@
"version": "1.9.0",
"resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz",
"integrity": "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==",
"peer": true,
"engines": {
"node": ">=8.0.0"
}
@@ -11430,147 +11430,160 @@
"@otplib/plugin-thirty-two": "^12.0.1"
}
},
"node_modules/@peculiar/asn1-cms": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-cms/-/asn1-cms-2.3.8.tgz",
"integrity": "sha512-Wtk9R7yQxGaIaawHorWKP2OOOm/RZzamOmSWwaqGphIuU6TcKYih0slL6asZlSSZtVoYTrBfrddSOD/jTu9vuQ==",
"node_modules/@peculiar/asn1-android": {
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-android/-/asn1-android-2.6.0.tgz",
"integrity": "sha512-cBRCKtYPF7vJGN76/yG8VbxRcHLPF3HnkoHhKOZeHpoVtbMYfY9ROKtH3DtYUY9m8uI1Mh47PRhHf2hSK3xcSQ==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-schema": "^2.3.8",
"@peculiar/asn1-x509": "^2.3.8",
"@peculiar/asn1-x509-attr": "^2.3.8",
"asn1js": "^3.0.5",
"tslib": "^2.6.2"
"@peculiar/asn1-schema": "^2.6.0",
"asn1js": "^3.0.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-cms": {
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-cms/-/asn1-cms-2.6.0.tgz",
"integrity": "sha512-2uZqP+ggSncESeUF/9Su8rWqGclEfEiz1SyU02WX5fUONFfkjzS2Z/F1Li0ofSmf4JqYXIOdCAZqIXAIBAT1OA==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-schema": "^2.6.0",
"@peculiar/asn1-x509": "^2.6.0",
"@peculiar/asn1-x509-attr": "^2.6.0",
"asn1js": "^3.0.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-csr": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-csr/-/asn1-csr-2.3.8.tgz",
"integrity": "sha512-ZmAaP2hfzgIGdMLcot8gHTykzoI+X/S53x1xoGbTmratETIaAbSWMiPGvZmXRA0SNEIydpMkzYtq4fQBxN1u1w==",
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-csr/-/asn1-csr-2.6.0.tgz",
"integrity": "sha512-BeWIu5VpTIhfRysfEp73SGbwjjoLL/JWXhJ/9mo4vXnz3tRGm+NGm3KNcRzQ9VMVqwYS2RHlolz21svzRXIHPQ==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-schema": "^2.3.8",
"@peculiar/asn1-x509": "^2.3.8",
"asn1js": "^3.0.5",
"tslib": "^2.6.2"
"@peculiar/asn1-schema": "^2.6.0",
"@peculiar/asn1-x509": "^2.6.0",
"asn1js": "^3.0.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-ecc": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-ecc/-/asn1-ecc-2.3.8.tgz",
"integrity": "sha512-Ah/Q15y3A/CtxbPibiLM/LKcMbnLTdUdLHUgdpB5f60sSvGkXzxJCu5ezGTFHogZXWNX3KSmYqilCrfdmBc6pQ==",
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-ecc/-/asn1-ecc-2.6.0.tgz",
"integrity": "sha512-FF3LMGq6SfAOwUG2sKpPXblibn6XnEIKa+SryvUl5Pik+WR9rmRA3OCiwz8R3lVXnYnyRkSZsSLdml8H3UiOcw==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-schema": "^2.3.8",
"@peculiar/asn1-x509": "^2.3.8",
"asn1js": "^3.0.5",
"tslib": "^2.6.2"
"@peculiar/asn1-schema": "^2.6.0",
"@peculiar/asn1-x509": "^2.6.0",
"asn1js": "^3.0.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-pfx": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-pfx/-/asn1-pfx-2.3.8.tgz",
"integrity": "sha512-XhdnCVznMmSmgy68B9pVxiZ1XkKoE1BjO4Hv+eUGiY1pM14msLsFZ3N7K46SoITIVZLq92kKkXpGiTfRjlNLyg==",
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-pfx/-/asn1-pfx-2.6.0.tgz",
"integrity": "sha512-rtUvtf+tyKGgokHHmZzeUojRZJYPxoD/jaN1+VAB4kKR7tXrnDCA/RAWXAIhMJJC+7W27IIRGe9djvxKgsldCQ==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-cms": "^2.3.8",
"@peculiar/asn1-pkcs8": "^2.3.8",
"@peculiar/asn1-rsa": "^2.3.8",
"@peculiar/asn1-schema": "^2.3.8",
"asn1js": "^3.0.5",
"tslib": "^2.6.2"
"@peculiar/asn1-cms": "^2.6.0",
"@peculiar/asn1-pkcs8": "^2.6.0",
"@peculiar/asn1-rsa": "^2.6.0",
"@peculiar/asn1-schema": "^2.6.0",
"asn1js": "^3.0.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-pkcs8": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs8/-/asn1-pkcs8-2.3.8.tgz",
"integrity": "sha512-rL8k2x59v8lZiwLRqdMMmOJ30GHt6yuHISFIuuWivWjAJjnxzZBVzMTQ72sknX5MeTSSvGwPmEFk2/N8+UztFQ==",
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs8/-/asn1-pkcs8-2.6.0.tgz",
"integrity": "sha512-KyQ4D8G/NrS7Fw3XCJrngxmjwO/3htnA0lL9gDICvEQ+GJ+EPFqldcJQTwPIdvx98Tua+WjkdKHSC0/Km7T+lA==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-schema": "^2.3.8",
"@peculiar/asn1-x509": "^2.3.8",
"asn1js": "^3.0.5",
"tslib": "^2.6.2"
"@peculiar/asn1-schema": "^2.6.0",
"@peculiar/asn1-x509": "^2.6.0",
"asn1js": "^3.0.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-pkcs9": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs9/-/asn1-pkcs9-2.3.8.tgz",
"integrity": "sha512-+nONq5tcK7vm3qdY7ZKoSQGQjhJYMJbwJGbXLFOhmqsFIxEWyQPHyV99+wshOjpOjg0wUSSkEEzX2hx5P6EKeQ==",
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs9/-/asn1-pkcs9-2.6.0.tgz",
"integrity": "sha512-b78OQ6OciW0aqZxdzliXGYHASeCvvw5caqidbpQRYW2mBtXIX2WhofNXTEe7NyxTb0P6J62kAAWLwn0HuMF1Fw==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-cms": "^2.3.8",
"@peculiar/asn1-pfx": "^2.3.8",
"@peculiar/asn1-pkcs8": "^2.3.8",
"@peculiar/asn1-schema": "^2.3.8",
"@peculiar/asn1-x509": "^2.3.8",
"@peculiar/asn1-x509-attr": "^2.3.8",
"asn1js": "^3.0.5",
"tslib": "^2.6.2"
"@peculiar/asn1-cms": "^2.6.0",
"@peculiar/asn1-pfx": "^2.6.0",
"@peculiar/asn1-pkcs8": "^2.6.0",
"@peculiar/asn1-schema": "^2.6.0",
"@peculiar/asn1-x509": "^2.6.0",
"@peculiar/asn1-x509-attr": "^2.6.0",
"asn1js": "^3.0.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-rsa": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-rsa/-/asn1-rsa-2.3.8.tgz",
"integrity": "sha512-ES/RVEHu8VMYXgrg3gjb1m/XG0KJWnV4qyZZ7mAg7rrF3VTmRbLxO8mk+uy0Hme7geSMebp+Wvi2U6RLLEs12Q==",
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-rsa/-/asn1-rsa-2.6.0.tgz",
"integrity": "sha512-Nu4C19tsrTsCp9fDrH+sdcOKoVfdfoQQ7S3VqjJU6vedR7tY3RLkQ5oguOIB3zFW33USDUuYZnPEQYySlgha4w==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-schema": "^2.3.8",
"@peculiar/asn1-x509": "^2.3.8",
"asn1js": "^3.0.5",
"tslib": "^2.6.2"
"@peculiar/asn1-schema": "^2.6.0",
"@peculiar/asn1-x509": "^2.6.0",
"asn1js": "^3.0.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-schema": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-schema/-/asn1-schema-2.3.8.tgz",
"integrity": "sha512-ULB1XqHKx1WBU/tTFIA+uARuRoBVZ4pNdOA878RDrRbBfBGcSzi5HBkdScC6ZbHn8z7L8gmKCgPC1LHRrP46tA==",
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-schema/-/asn1-schema-2.6.0.tgz",
"integrity": "sha512-xNLYLBFTBKkCzEZIw842BxytQQATQv+lDTCEMZ8C196iJcJJMBUZxrhSTxLaohMyKK8QlzRNTRkUmanucnDSqg==",
"license": "MIT",
"dependencies": {
"asn1js": "^3.0.5",
"pvtsutils": "^1.3.5",
"tslib": "^2.6.2"
"asn1js": "^3.0.6",
"pvtsutils": "^1.3.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-x509": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-x509/-/asn1-x509-2.3.8.tgz",
"integrity": "sha512-voKxGfDU1c6r9mKiN5ZUsZWh3Dy1BABvTM3cimf0tztNwyMJPhiXY94eRTgsMQe6ViLfT6EoXxkWVzcm3mFAFw==",
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-x509/-/asn1-x509-2.6.0.tgz",
"integrity": "sha512-uzYbPEpoQiBoTq0/+jZtpM6Gq6zADBx+JNFP3yqRgziWBxQ/Dt/HcuvRfm9zJTPdRcBqPNdaRHTVwpyiq6iNMA==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-schema": "^2.3.8",
"asn1js": "^3.0.5",
"ipaddr.js": "^2.1.0",
"pvtsutils": "^1.3.5",
"tslib": "^2.6.2"
"@peculiar/asn1-schema": "^2.6.0",
"asn1js": "^3.0.6",
"pvtsutils": "^1.3.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/asn1-x509-attr": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-x509-attr/-/asn1-x509-attr-2.3.8.tgz",
"integrity": "sha512-4Z8mSN95MOuX04Aku9BUyMdsMKtVQUqWnr627IheiWnwFoheUhX3R4Y2zh23M7m80r4/WG8MOAckRKc77IRv6g==",
"version": "2.6.0",
"resolved": "https://registry.npmjs.org/@peculiar/asn1-x509-attr/-/asn1-x509-attr-2.6.0.tgz",
"integrity": "sha512-MuIAXFX3/dc8gmoZBkwJWxUWOSvG4MMDntXhrOZpJVMkYX+MYc/rUAU2uJOved9iJEoiUx7//3D8oG83a78UJA==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-schema": "^2.3.8",
"@peculiar/asn1-x509": "^2.3.8",
"asn1js": "^3.0.5",
"tslib": "^2.6.2"
}
},
"node_modules/@peculiar/asn1-x509/node_modules/ipaddr.js": {
"version": "2.2.0",
"resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-2.2.0.tgz",
"integrity": "sha512-Ag3wB2o37wslZS19hZqorUnrnzSkpOVy+IiiDEiTqNubEYpYuHWIf6K4psgN2ZWKExS4xhVCrRVfb/wfW8fWJA==",
"engines": {
"node": ">= 10"
"@peculiar/asn1-schema": "^2.6.0",
"@peculiar/asn1-x509": "^2.6.0",
"asn1js": "^3.0.6",
"tslib": "^2.8.1"
}
},
"node_modules/@peculiar/x509": {
"version": "1.12.1",
"resolved": "https://registry.npmjs.org/@peculiar/x509/-/x509-1.12.1.tgz",
"integrity": "sha512-2T9t2viNP9m20mky50igPTpn2ByhHl5NlT6wW4Tp4BejQaQ5XDNZgfsabYwYysLXhChABlgtTCpp2gM3JBZRKA==",
"version": "1.14.0",
"resolved": "https://registry.npmjs.org/@peculiar/x509/-/x509-1.14.0.tgz",
"integrity": "sha512-Yc4PDxN3OrxUPiXgU63c+ZRXKGE8YKF2McTciYhUHFtHVB0KMnjeFSU0qpztGhsp4P0uKix4+J2xEpIEDu8oXg==",
"license": "MIT",
"dependencies": {
"@peculiar/asn1-cms": "^2.3.8",
"@peculiar/asn1-csr": "^2.3.8",
"@peculiar/asn1-ecc": "^2.3.8",
"@peculiar/asn1-pkcs9": "^2.3.8",
"@peculiar/asn1-rsa": "^2.3.8",
"@peculiar/asn1-schema": "^2.3.8",
"@peculiar/asn1-x509": "^2.3.8",
"pvtsutils": "^1.3.5",
"@peculiar/asn1-cms": "^2.5.0",
"@peculiar/asn1-csr": "^2.5.0",
"@peculiar/asn1-ecc": "^2.5.0",
"@peculiar/asn1-pkcs9": "^2.5.0",
"@peculiar/asn1-rsa": "^2.5.0",
"@peculiar/asn1-schema": "^2.5.0",
"@peculiar/asn1-x509": "^2.5.0",
"pvtsutils": "^1.3.6",
"reflect-metadata": "^0.2.2",
"tslib": "^2.6.2",
"tsyringe": "^4.8.0"
"tslib": "^2.8.1",
"tsyringe": "^4.10.0"
}
},
"node_modules/@phc/format": {
@@ -11752,7 +11765,6 @@
"resolved": "https://registry.npmjs.org/@react-email/body/-/body-0.2.0.tgz",
"integrity": "sha512-9GCWmVmKUAoRfloboCd+RKm6X17xn7eGL7HnpAZUnjBXBilWCxsKnLMTC/ixSHDKS/A/057M1Tx6ZUXd89sVBw==",
"license": "MIT",
"peer": true,
"peerDependencies": {
"react": "^18.0 || ^19.0 || ^19.0.0-rc"
}
@@ -11762,7 +11774,6 @@
"resolved": "https://registry.npmjs.org/@react-email/button/-/button-0.2.0.tgz",
"integrity": "sha512-8i+v6cMxr2emz4ihCrRiYJPp2/sdYsNNsBzXStlcA+/B9Umpm5Jj3WJKYpgTPM+aeyiqlG/MMI1AucnBm4f1oQ==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=18.0.0"
},
@@ -11775,7 +11786,6 @@
"resolved": "https://registry.npmjs.org/@react-email/code-block/-/code-block-0.2.0.tgz",
"integrity": "sha512-eIrPW9PIFgDopQU0e/OPpwCW2QWQDtNZDSsiN4sJO8KdMnWWnXJicnRfzrit5rHwFo+Y98i+w/Y5ScnBAFr1dQ==",
"license": "MIT",
"peer": true,
"dependencies": {
"prismjs": "^1.30.0"
},
@@ -11791,7 +11801,6 @@
"resolved": "https://registry.npmjs.org/@react-email/code-inline/-/code-inline-0.0.5.tgz",
"integrity": "sha512-MmAsOzdJpzsnY2cZoPHFPk6uDO/Ncpb4Kh1hAt9UZc1xOW3fIzpe1Pi9y9p6wwUmpaeeDalJxAxH6/fnTquinA==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=18.0.0"
},
@@ -11867,7 +11876,6 @@
"resolved": "https://registry.npmjs.org/@react-email/container/-/container-0.0.15.tgz",
"integrity": "sha512-Qo2IQo0ru2kZq47REmHW3iXjAQaKu4tpeq/M8m1zHIVwKduL2vYOBQWbC2oDnMtWPmkBjej6XxgtZByxM6cCFg==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=18.0.0"
},
@@ -11901,7 +11909,6 @@
"resolved": "https://registry.npmjs.org/@react-email/heading/-/heading-0.0.15.tgz",
"integrity": "sha512-xF2GqsvBrp/HbRHWEfOgSfRFX+Q8I5KBEIG5+Lv3Vb2R/NYr0s8A5JhHHGf2pWBMJdbP4B2WHgj/VUrhy8dkIg==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=18.0.0"
},
@@ -11914,7 +11921,6 @@
"resolved": "https://registry.npmjs.org/@react-email/hr/-/hr-0.0.11.tgz",
"integrity": "sha512-S1gZHVhwOsd1Iad5IFhpfICwNPMGPJidG/Uysy1AwmspyoAP5a4Iw3OWEpINFdgh9MHladbxcLKO2AJO+cA9Lw==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=18.0.0"
},
@@ -11939,7 +11945,6 @@
"resolved": "https://registry.npmjs.org/@react-email/img/-/img-0.0.11.tgz",
"integrity": "sha512-aGc8Y6U5C3igoMaqAJKsCpkbm1XjguQ09Acd+YcTKwjnC2+0w3yGUJkjWB2vTx4tN8dCqQCXO8FmdJpMfOA9EQ==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=18.0.0"
},
@@ -11952,7 +11957,6 @@
"resolved": "https://registry.npmjs.org/@react-email/link/-/link-0.0.12.tgz",
"integrity": "sha512-vF+xxQk2fGS1CN7UPQDbzvcBGfffr+GjTPNiWM38fhBfsLv6A/YUfaqxWlmL7zLzVmo0K2cvvV9wxlSyNba1aQ==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=18.0.0"
},
@@ -11980,7 +11984,6 @@
"resolved": "https://registry.npmjs.org/@react-email/preview/-/preview-0.0.13.tgz",
"integrity": "sha512-F7j9FJ0JN/A4d7yr+aw28p4uX7VLWs7hTHtLo7WRyw4G+Lit6Zucq4UWKRxJC8lpsUdzVmG7aBJnKOT+urqs/w==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=18.0.0"
},
@@ -12085,7 +12088,6 @@
"resolved": "https://registry.npmjs.org/@react-email/text/-/text-0.1.5.tgz",
"integrity": "sha512-o5PNHFSE085VMXayxH+SJ1LSOtGsTv+RpNKnTiJDrJUwoBu77G3PlKOsZZQHCNyD28WsQpl9v2WcJLbQudqwPg==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=18.0.0"
},
@@ -12515,6 +12517,25 @@
"split2": "^4.0.0"
}
},
"node_modules/@simplewebauthn/server": {
"version": "13.2.2",
"resolved": "https://registry.npmjs.org/@simplewebauthn/server/-/server-13.2.2.tgz",
"integrity": "sha512-HcWLW28yTMGXpwE9VLx9J+N2KEUaELadLrkPEEI9tpI5la70xNEVEsu/C+m3u7uoq4FulLqZQhgBCzR9IZhFpA==",
"license": "MIT",
"dependencies": {
"@hexagon/base64": "^1.1.27",
"@levischuck/tiny-cbor": "^0.2.2",
"@peculiar/asn1-android": "^2.3.10",
"@peculiar/asn1-ecc": "^2.3.8",
"@peculiar/asn1-rsa": "^2.3.8",
"@peculiar/asn1-schema": "^2.3.8",
"@peculiar/asn1-x509": "^2.3.8",
"@peculiar/x509": "^1.13.0"
},
"engines": {
"node": ">=20.0.0"
}
},
"node_modules/@sindresorhus/slugify": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/@sindresorhus/slugify/-/slugify-1.1.0.tgz",
@@ -14074,7 +14095,6 @@
"resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.23.tgz",
"integrity": "sha512-yIdlVVVHXpmqRhtyovZAcSy0MiPcYWGkoO4CGe/+jpP0hmNuihm4XhHbADpK++MsiLHP5MVlv+bcgdF99kSiFQ==",
"license": "MIT",
"peer": true,
"dependencies": {
"undici-types": "~6.21.0"
}
@@ -14563,7 +14583,6 @@
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.20.0.tgz",
"integrity": "sha512-bYerPDF/H5v6V76MdMYhjwmwgMA+jlPVqjSDq2cRqMi8bP5sR3Z+RLOiOMad3nsnmDVmn2gAFCyNgh/dIrfP/w==",
"dev": true,
"peer": true,
"dependencies": {
"@typescript-eslint/scope-manager": "6.20.0",
"@typescript-eslint/types": "6.20.0",
@@ -15228,7 +15247,6 @@
"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
"license": "MIT",
"peer": true,
"bin": {
"acorn": "bin/acorn"
},
@@ -15717,7 +15735,6 @@
"resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-5.4.1.tgz",
"integrity": "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==",
"license": "MIT",
"peer": true,
"dependencies": {
"bn.js": "^4.0.0",
"inherits": "^2.0.1",
@@ -15747,13 +15764,14 @@
}
},
"node_modules/asn1js": {
"version": "3.0.5",
"resolved": "https://registry.npmjs.org/asn1js/-/asn1js-3.0.5.tgz",
"integrity": "sha512-FVnvrKJwpt9LP2lAMl8qZswRNm3T4q9CON+bxldk2iwk3FFpuwhx2FfinyitizWHsVYyaY+y5JzDR0rCMV5yTQ==",
"version": "3.0.6",
"resolved": "https://registry.npmjs.org/asn1js/-/asn1js-3.0.6.tgz",
"integrity": "sha512-UOCGPYbl0tv8+006qks/dTgV9ajs97X2p0FAbyS2iyCRrmLSRolDaHdp+v/CLgnzHc3fVB+CwYiUmei7ndFcgA==",
"license": "BSD-3-Clause",
"dependencies": {
"pvtsutils": "^1.3.2",
"pvtsutils": "^1.3.6",
"pvutils": "^1.1.3",
"tslib": "^2.4.0"
"tslib": "^2.8.1"
},
"engines": {
"node": ">=12.0.0"
@@ -15942,7 +15960,6 @@
"resolved": "https://registry.npmjs.org/axios/-/axios-1.12.2.tgz",
"integrity": "sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==",
"license": "MIT",
"peer": true,
"dependencies": {
"follow-redirects": "^1.15.6",
"form-data": "^4.0.4",
@@ -16544,7 +16561,6 @@
}
],
"license": "MIT",
"peer": true,
"dependencies": {
"baseline-browser-mapping": "^2.8.9",
"caniuse-lite": "^1.0.30001746",
@@ -18099,7 +18115,6 @@
"version": "16.4.1",
"resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.4.1.tgz",
"integrity": "sha512-CjA3y+Dr3FyFDOAMnxZEGtnW9KBR2M0JvvUtXNW+dYJL5ROWxP9DUHCwgFqpMk0OXCc0ljhaNTr2w/kutYIcHQ==",
"peer": true,
"engines": {
"node": ">=12"
},
@@ -18485,7 +18500,6 @@
"dev": true,
"hasInstallScript": true,
"license": "MIT",
"peer": true,
"bin": {
"esbuild": "bin/esbuild"
},
@@ -18568,7 +18582,6 @@
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.56.0.tgz",
"integrity": "sha512-Go19xM6T9puCOWntie1/P997aXxFsOi37JIHRWI514Hc6ZnaHGKY9xFhrU65RT6CcBEzZoGG1e6Nq+DT04ZtZQ==",
"dev": true,
"peer": true,
"dependencies": {
"@eslint-community/eslint-utils": "^4.2.0",
"@eslint-community/regexpp": "^4.6.1",
@@ -18667,7 +18680,6 @@
"resolved": "https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-9.1.0.tgz",
"integrity": "sha512-NSWl5BFQWEPi1j4TjVNItzYV7dZXZ+wP6I6ZhrBGpChQhZRUaElihE9uRRkcbRnNb76UMKDF3r+WTmNcGPKsqw==",
"dev": true,
"peer": true,
"bin": {
"eslint-config-prettier": "bin/cli.js"
},
@@ -18756,7 +18768,6 @@
"resolved": "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.29.1.tgz",
"integrity": "sha512-BbPC0cuExzhiMo4Ff1BTVwHpjjv28C5R+btTOGaCRC7UEz801up0JadwkeSk5Ued6TG34uaczuVuH6qyy5YUxw==",
"dev": true,
"peer": true,
"dependencies": {
"array-includes": "^3.1.7",
"array.prototype.findlastindex": "^1.2.3",
@@ -19239,6 +19250,7 @@
"resolved": "https://registry.npmjs.org/express-session/-/express-session-1.18.1.tgz",
"integrity": "sha512-a5mtTqEaZvBCL9A9aqkrtfz+3SMDhOVUnjafjo+s7A9Txkq+SVX2DLvSp1Zrv4uCXa3lMSK3viWnh9Gg07PBUA==",
"license": "MIT",
"peer": true,
"dependencies": {
"cookie": "0.7.2",
"cookie-signature": "1.0.7",
@@ -19256,12 +19268,14 @@
"node_modules/express-session/node_modules/cookie-signature": {
"version": "1.0.7",
"resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
"integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA=="
"integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
"peer": true
},
"node_modules/express-session/node_modules/debug": {
"version": "2.6.9",
"resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
"integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
"peer": true,
"dependencies": {
"ms": "2.0.0"
}
@@ -19269,7 +19283,8 @@
"node_modules/express-session/node_modules/ms": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
"integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
"integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
"peer": true
},
"node_modules/express/node_modules/cookie": {
"version": "0.7.1",
@@ -25926,6 +25941,7 @@
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
"integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==",
"peer": true,
"engines": {
"node": ">= 0.8"
}
@@ -26625,7 +26641,6 @@
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-3.0.1.tgz",
"integrity": "sha512-I3EurrIQMlRc9IaAZnqRR044Phh2DXY+55o7uJ0V+hYZAcQYSuFWsc9q5PvyDHUSCe1Qxn/iBz+78s86zWnGag==",
"peer": true,
"engines": {
"node": ">=10"
},
@@ -26968,7 +26983,6 @@
}
],
"license": "MIT",
"peer": true,
"dependencies": {
"nanoid": "^3.3.11",
"picocolors": "^1.1.1",
@@ -27084,7 +27098,6 @@
"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.5.3.tgz",
"integrity": "sha512-QQtaxnoDJeAkDvDKWCLiwIXkTgRhwYDEQCghU9Z6q03iyek/rxRh/2lC3HB7P8sWT2xC/y5JDctPLBIGzHKbhw==",
"license": "MIT",
"peer": true,
"bin": {
"prettier": "bin/prettier.cjs"
},
@@ -27456,11 +27469,12 @@
}
},
"node_modules/pvtsutils": {
"version": "1.3.5",
"resolved": "https://registry.npmjs.org/pvtsutils/-/pvtsutils-1.3.5.tgz",
"integrity": "sha512-ARvb14YB9Nm2Xi6nBq1ZX6dAM0FsJnuk+31aUp4TrcZEdKUlSqOqsxJHUPJDNE3qiIp+iUPEIeR6Je/tgV7zsA==",
"version": "1.3.6",
"resolved": "https://registry.npmjs.org/pvtsutils/-/pvtsutils-1.3.6.tgz",
"integrity": "sha512-PLgQXQ6H2FWCaeRak8vvk1GW462lMxB5s3Jm673N82zI4vqtVUPuZdffdZbPDFRoU8kAhItWFtPCWiPpp4/EDg==",
"license": "MIT",
"dependencies": {
"tslib": "^2.6.1"
"tslib": "^2.8.1"
}
},
"node_modules/pvutils": {
@@ -27548,6 +27562,7 @@
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz",
"integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==",
"peer": true,
"engines": {
"node": ">= 0.8"
}
@@ -27643,7 +27658,6 @@
"resolved": "https://registry.npmjs.org/react/-/react-19.1.0.tgz",
"integrity": "sha512-FS+XFBNvn3GTAWq26joslQgWNoFu08F4kl0J4CgdNKADkdSGXQyTCnKteIAJy96Br6YbpEU1LSzV5dYtjMkMDg==",
"license": "MIT",
"peer": true,
"engines": {
"node": ">=0.10.0"
}
@@ -27653,7 +27667,6 @@
"resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.1.0.tgz",
"integrity": "sha512-Xs1hdnE+DyKgeHJeJznQmYMIBG3TKIHJJT95Q58nHLSrElKlGQqDTR2HQ9fx5CN/Gk6Vh/kupBTDLU11/nDk/g==",
"license": "MIT",
"peer": true,
"dependencies": {
"scheduler": "^0.26.0"
},
@@ -29478,7 +29491,6 @@
"resolved": "https://registry.npmjs.org/socks/-/socks-2.8.4.tgz",
"integrity": "sha512-D3YaD0aRxR3mEcqnidIs7ReYJFVzWdd6fXJYUM8ixcQcJRGTka/b3saV0KflYhyVJXKhb947GndU35SxYNResQ==",
"license": "MIT",
"peer": true,
"dependencies": {
"ip-address": "^9.0.5",
"smart-buffer": "^4.2.0"
@@ -30977,7 +30989,6 @@
"integrity": "sha512-ytQKuwgmrrkDTFP4LjR0ToE2nqgy886GpvRSpU0JAnrdBYppuY5rLkRUYPU1yCryb24SsKBTL/hlDQAEFVwtZg==",
"dev": true,
"license": "MIT",
"peer": true,
"dependencies": {
"esbuild": "~0.25.0",
"get-tsconfig": "^4.7.5"
@@ -30993,9 +31004,10 @@
}
},
"node_modules/tsyringe": {
"version": "4.8.0",
"resolved": "https://registry.npmjs.org/tsyringe/-/tsyringe-4.8.0.tgz",
"integrity": "sha512-YB1FG+axdxADa3ncEtRnQCFq/M0lALGLxSZeVNbTU8NqhOVc51nnv2CISTcvc1kyv6EGPtXVr0v6lWeDxiijOA==",
"version": "4.10.0",
"resolved": "https://registry.npmjs.org/tsyringe/-/tsyringe-4.10.0.tgz",
"integrity": "sha512-axr3IdNuVIxnaK5XGEUFTu3YmAQ6lllgrvqfEoR16g/HGnYY/6We4oWENtAnzK6/LpJ2ur9PAb80RBt7/U4ugw==",
"license": "MIT",
"dependencies": {
"tslib": "^1.9.3"
},
@@ -31006,7 +31018,8 @@
"node_modules/tsyringe/node_modules/tslib": {
"version": "1.14.1",
"resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
"integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
"integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==",
"license": "0BSD"
},
"node_modules/ttl-set": {
"version": "1.0.0",
@@ -31155,7 +31168,6 @@
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.2.tgz",
"integrity": "sha512-6l+RyNy7oAHDfxC4FzSJcz9vnjTKxrLpDG5M2Vu4SHRVNg6xzqZp6LYSR9zjqQTu8DU/f5xwxUdADOkbrIX2gQ==",
"dev": true,
"peer": true,
"bin": {
"tsc": "bin/tsc",
"tsserver": "bin/tsserver"
@@ -31196,6 +31208,7 @@
"version": "2.1.5",
"resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz",
"integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==",
"peer": true,
"dependencies": {
"random-bytes": "~1.0.0"
},
@@ -31783,7 +31796,6 @@
"integrity": "sha512-ZWyE8YXEXqJrrSLvYgrRP7p62OziLW7xI5HYGWFzOvupfAlrLvURSzv/FyGyy0eidogEM3ujU+kUG1zuHgb6Ug==",
"dev": true,
"license": "MIT",
"peer": true,
"dependencies": {
"esbuild": "^0.25.0",
"fdir": "^6.5.0",
@@ -32465,7 +32477,6 @@
"resolved": "https://registry.npmjs.org/zod/-/zod-3.24.3.tgz",
"integrity": "sha512-HhY1oqzWCQWuUqvBFnsyrtZRhyPeR7SUGv+C4+MsisMuVfSPx8HpwWqH8tRahSlt6M3PiFAcoeFhZAqIXTxoSg==",
"license": "MIT",
"peer": true,
"funding": {
"url": "https://github.com/sponsors/colinhacks"
}

1
backend/package.json
View File

@@ -188,6 +188,7 @@
"@peculiar/x509": "^1.12.1",
"@react-email/components": "^1.0.1",
"@serdnam/pino-cloudwatch-transport": "^1.0.4",
"@simplewebauthn/server": "^13.2.2",
"@sindresorhus/slugify": "1.1.0",
"@slack/oauth": "^3.0.2",
"@slack/web-api": "^7.8.0",

4
backend/src/@types/fastify.d.ts vendored
View File

@@ -102,6 +102,7 @@ import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/i
import { TMembershipGroupServiceFactory } from "@app/services/membership-group/membership-group-service";
import { TMembershipIdentityServiceFactory } from "@app/services/membership-identity/membership-identity-service";
import { TMembershipUserServiceFactory } from "@app/services/membership-user/membership-user-service";
import { TMfaSessionServiceFactory } from "@app/services/mfa-session/mfa-session-service";
import { TMicrosoftTeamsServiceFactory } from "@app/services/microsoft-teams/microsoft-teams-service";
import { TNotificationServiceFactory } from "@app/services/notification/notification-service";
import { TOfflineUsageReportServiceFactory } from "@app/services/offline-usage-report/offline-usage-report-service";
@@ -137,6 +138,7 @@ import { TUpgradePathService } from "@app/services/upgrade-path/upgrade-path-ser
import { TUserDALFactory } from "@app/services/user/user-dal";
import { TUserServiceFactory } from "@app/services/user/user-service";
import { TUserEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
import { TWebAuthnServiceFactory } from "@app/services/webauthn/webauthn-service";
import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";
@@ -329,6 +331,7 @@ declare module "fastify" {
externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
projectTemplate: TProjectTemplateServiceFactory;
totp: TTotpServiceFactory;
webAuthn: TWebAuthnServiceFactory;
appConnection: TAppConnectionServiceFactory;
secretSync: TSecretSyncServiceFactory;
kmip: TKmipServiceFactory;
@@ -355,6 +358,7 @@ declare module "fastify" {
pamResource: TPamResourceServiceFactory;
pamAccount: TPamAccountServiceFactory;
pamSession: TPamSessionServiceFactory;
mfaSession: TMfaSessionServiceFactory;
upgradePath: TUpgradePathService;
membershipUser: TMembershipUserServiceFactory;

8
backend/src/@types/knex.d.ts vendored
View File

@@ -614,6 +614,9 @@ import {
TVaultExternalMigrationConfigs,
TVaultExternalMigrationConfigsInsert,
TVaultExternalMigrationConfigsUpdate,
TWebauthnCredentials,
TWebauthnCredentialsInsert,
TWebauthnCredentialsUpdate,
TWebhooks,
TWebhooksInsert,
TWebhooksUpdate,
@@ -1528,6 +1531,11 @@ declare module "knex/types/tables" {
TVaultExternalMigrationConfigsInsert,
TVaultExternalMigrationConfigsUpdate
>;
[TableName.WebAuthnCredential]: KnexOriginal.CompositeTableType<
TWebauthnCredentials,
TWebauthnCredentialsInsert,
TWebauthnCredentialsUpdate
>;
[TableName.AiMcpServer]: KnexOriginal.CompositeTableType<TAiMcpServers, TAiMcpServersInsert, TAiMcpServersUpdate>;
[TableName.AiMcpServerTool]: KnexOriginal.CompositeTableType<
TAiMcpServerTools,

30
backend/src/db/migrations/20251118190904_add-webauthn-support.ts Normal file
View File

@@ -0,0 +1,30 @@
import { Knex } from "knex";
import { TableName } from "../schemas";
import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
export async function up(knex: Knex): Promise<void> {
if (!(await knex.schema.hasTable(TableName.WebAuthnCredential))) {
await knex.schema.createTable(TableName.WebAuthnCredential, (t) => {
t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
t.uuid("userId").notNullable();
t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
t.text("credentialId").notNullable(); // base64url encoded credential ID
t.text("publicKey").notNullable(); // base64url encoded public key
t.bigInteger("counter").defaultTo(0).notNullable(); // signature counter for replay protection
t.specificType("transports", "text[]").nullable(); // transport methods
t.string("name").nullable(); // user-friendly name
t.timestamp("lastUsedAt").nullable();
t.timestamps(true, true, true);
t.unique("credentialId"); // credential IDs must be unique across all users
t.index("userId"); // index for fast lookups by user
});
await createOnUpdateTrigger(knex, TableName.WebAuthnCredential);
}
}
export async function down(knex: Knex): Promise<void> {
await dropOnUpdateTrigger(knex, TableName.WebAuthnCredential);
await knex.schema.dropTableIfExists(TableName.WebAuthnCredential);
}

19
backend/src/db/migrations/20251119124200_add-require-mfa-to-pam-account.ts Normal file
View File

@@ -0,0 +1,19 @@
import { Knex } from "knex";
import { TableName } from "../schemas";
export async function up(knex: Knex): Promise<void> {
if (!(await knex.schema.hasColumn(TableName.PamAccount, "requireMfa"))) {
await knex.schema.alterTable(TableName.PamAccount, (t) => {
t.boolean("requireMfa").defaultTo(false);
});
}
}
export async function down(knex: Knex): Promise<void> {
if (await knex.schema.hasColumn(TableName.PamAccount, "requireMfa")) {
await knex.schema.alterTable(TableName.PamAccount, (t) => {
t.dropColumn("requireMfa");
});
}
}

1
backend/src/db/schemas/index.ts
View File

@@ -209,5 +209,6 @@ export * from "./user-encryption-keys";
export * from "./user-group-membership";
export * from "./users";
export * from "./vault-external-migration-configs";
export * from "./webauthn-credentials";
export * from "./webhooks";
export * from "./workflow-integrations";

1
backend/src/db/schemas/models.ts
View File

@@ -160,6 +160,7 @@ export enum TableName {
InternalKms = "internal_kms",
InternalKmsKeyVersion = "internal_kms_key_version",
TotpConfig = "totp_configs",
WebAuthnCredential = "webauthn_credentials",
// @depreciated
KmsKeyVersion = "kms_key_versions",
WorkflowIntegrations = "workflow_integrations",

3
backend/src/db/schemas/pam-accounts.ts
View File

@@ -23,7 +23,8 @@ export const PamAccountsSchema = z.object({
rotationIntervalSeconds: z.number().nullable().optional(),
lastRotatedAt: z.date().nullable().optional(),
rotationStatus: z.string().nullable().optional(),
encryptedLastRotationMessage: zodBuffer.nullable().optional()
encryptedLastRotationMessage: zodBuffer.nullable().optional(),
requireMfa: z.boolean().default(false).nullable().optional()
});
export type TPamAccounts = z.infer<typeof PamAccountsSchema>;

25
backend/src/db/schemas/webauthn-credentials.ts Normal file
View File

@@ -0,0 +1,25 @@
// Code generated by automation script, DO NOT EDIT.
// Automated by pulling database and generating zod schema
// To update. Just run npm run generate:schema
// Written by akhilmhdh.
import { z } from "zod";
import { TImmutableDBKeys } from "./models";
export const WebauthnCredentialsSchema = z.object({
id: z.string().uuid(),
userId: z.string().uuid(),
credentialId: z.string(),
publicKey: z.string(),
counter: z.coerce.number().default(0),
transports: z.string().array().nullable().optional(),
name: z.string().nullable().optional(),
lastUsedAt: z.date().nullable().optional(),
createdAt: z.date(),
updatedAt: z.date()
});
export type TWebauthnCredentials = z.infer<typeof WebauthnCredentialsSchema>;
export type TWebauthnCredentialsInsert = Omit<z.input<typeof WebauthnCredentialsSchema>, TImmutableDBKeys>;
export type TWebauthnCredentialsUpdate = Partial<Omit<z.input<typeof WebauthnCredentialsSchema>, TImmutableDBKeys>>;

8
backend/src/ee/routes/v1/pam-account-routers/pam-account-endpoints.ts
View File

@@ -24,6 +24,7 @@ export const registerPamAccountEndpoints = <C extends TPamAccount>({
description?: C["description"];
rotationEnabled?: C["rotationEnabled"];
rotationIntervalSeconds?: C["rotationIntervalSeconds"];
requireMfa?: C["requireMfa"];
}>;
updateAccountSchema: z.ZodType<{
credentials?: C["credentials"];
@@ -31,6 +32,7 @@ export const registerPamAccountEndpoints = <C extends TPamAccount>({
description?: C["description"];
rotationEnabled?: C["rotationEnabled"];
rotationIntervalSeconds?: C["rotationIntervalSeconds"];
requireMfa?: C["requireMfa"];
}>;
accountResponseSchema: z.ZodTypeAny;
}) => {
@@ -66,7 +68,8 @@ export const registerPamAccountEndpoints = <C extends TPamAccount>({
name: req.body.name,
description: req.body.description,
rotationEnabled: req.body.rotationEnabled ?? false,
rotationIntervalSeconds: req.body.rotationIntervalSeconds
rotationIntervalSeconds: req.body.rotationIntervalSeconds,
requireMfa: req.body.requireMfa
}
}
});
@@ -116,7 +119,8 @@ export const registerPamAccountEndpoints = <C extends TPamAccount>({
name: req.body.name,
description: req.body.description,
rotationEnabled: req.body.rotationEnabled,
rotationIntervalSeconds: req.body.rotationIntervalSeconds
rotationIntervalSeconds: req.body.rotationIntervalSeconds,
requireMfa: req.body.requireMfa
}
}
});

4
backend/src/ee/routes/v1/pam-account-routers/pam-account-router.ts
View File

@@ -115,6 +115,7 @@ export const registerPamAccountRouter = async (server: FastifyZodProvider) => {
body: z.object({
accountPath: z.string().trim(),
projectId: z.string().uuid(),
mfaSessionId: z.string().optional(),
duration: z
.string()
.min(1)
@@ -163,7 +164,8 @@ export const registerPamAccountRouter = async (server: FastifyZodProvider) => {
actorUserAgent: req.auditLogInfo.userAgent ?? "",
accountPath: req.body.accountPath,
projectId: req.body.projectId,
duration: req.body.duration
duration: req.body.duration,
mfaSessionId: req.body.mfaSessionId
},
req.permission
);

2
backend/src/ee/services/audit-log/audit-log-types.ts
View File

@@ -4199,6 +4199,7 @@ interface PamAccountCreateEvent {
description?: string | null;
rotationEnabled: boolean;
rotationIntervalSeconds?: number | null;
requireMfa?: boolean | null;
};
}
@@ -4212,6 +4213,7 @@ interface PamAccountUpdateEvent {
description?: string | null;
rotationEnabled?: boolean;
rotationIntervalSeconds?: number | null;
requireMfa?: boolean | null;
};
}

115
backend/src/ee/services/pam-account/pam-account-service.ts
View File

@@ -38,11 +38,16 @@ import { TApprovalPolicyDALFactory } from "@app/services/approval-policy/approva
import { ApprovalPolicyType } from "@app/services/approval-policy/approval-policy-enums";
import { APPROVAL_POLICY_FACTORY_MAP } from "@app/services/approval-policy/approval-policy-factory";
import { TApprovalRequestGrantsDALFactory } from "@app/services/approval-policy/approval-request-dal";
import { ActorType } from "@app/services/auth/auth-type";
import { ActorType, MfaMethod } from "@app/services/auth/auth-type";
import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
import { KmsDataKey } from "@app/services/kms/kms-types";
import { TMfaSessionServiceFactory } from "@app/services/mfa-session/mfa-session-service";
import { MfaSessionStatus } from "@app/services/mfa-session/mfa-session-types";
import { TOrgDALFactory } from "@app/services/org/org-dal";
import { TPamSessionExpirationServiceFactory } from "@app/services/pam-session-expiration/pam-session-expiration-queue";
import { TProjectDALFactory } from "@app/services/project/project-dal";
import { TSmtpService } from "@app/services/smtp/smtp-service";
import { TUserDALFactory } from "@app/services/user/user-dal";
import { EventType, TAuditLogServiceFactory } from "../audit-log/audit-log-types";
@@ -68,7 +73,9 @@ type TPamAccountServiceFactoryDep = {
pamSessionDAL: TPamSessionDALFactory;
pamAccountDAL: TPamAccountDALFactory;
pamFolderDAL: TPamFolderDALFactory;
mfaSessionService: TMfaSessionServiceFactory;
projectDAL: TProjectDALFactory;
orgDAL: TOrgDALFactory;
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
licenseService: Pick<TLicenseServiceFactory, "getPlan">;
kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
@@ -78,10 +85,13 @@ type TPamAccountServiceFactoryDep = {
>;
userDAL: TUserDALFactory;
auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser" | "validateTokenForUser">;
smtpService: Pick<TSmtpService, "sendMail">;
approvalPolicyDAL: TApprovalPolicyDALFactory;
approvalRequestGrantsDAL: TApprovalRequestGrantsDALFactory;
pamSessionExpirationService: Pick<TPamSessionExpirationServiceFactory, "scheduleSessionExpiration">;
};
export type TPamAccountServiceFactory = ReturnType<typeof pamAccountServiceFactory>;
const ROTATION_CONCURRENCY_LIMIT = 10;
@@ -90,8 +100,10 @@ export const pamAccountServiceFactory = ({
pamResourceDAL,
pamSessionDAL,
pamAccountDAL,
mfaSessionService,
pamFolderDAL,
projectDAL,
orgDAL,
userDAL,
permissionService,
licenseService,
@@ -110,7 +122,8 @@ export const pamAccountServiceFactory = ({
description,
folderId,
rotationEnabled,
rotationIntervalSeconds
rotationIntervalSeconds,
requireMfa
}: TCreateAccountDTO,
actor: OrgServiceActor
) => {
@@ -198,7 +211,8 @@ export const pamAccountServiceFactory = ({
description,
folderId,
rotationEnabled,
rotationIntervalSeconds
rotationIntervalSeconds,
requireMfa
});
return {
@@ -222,7 +236,15 @@ export const pamAccountServiceFactory = ({
};
const updateById = async (
{ accountId, credentials, description, name, rotationEnabled, rotationIntervalSeconds }: TUpdateAccountDTO,
{
accountId,
credentials,
description,
name,
rotationEnabled,
rotationIntervalSeconds,
requireMfa
}: TUpdateAccountDTO,
actor: OrgServiceActor
) => {
const orgLicensePlan = await licenseService.getPlan(actor.orgId);
@@ -268,6 +290,10 @@ export const pamAccountServiceFactory = ({
updateDoc.name = name;
}
if (requireMfa !== undefined) {
updateDoc.requireMfa = requireMfa;
}
if (description !== undefined) {
updateDoc.description = description;
}
@@ -552,7 +578,16 @@ export const pamAccountServiceFactory = ({
};
const access = async (
{ accountPath, projectId, actorEmail, actorIp, actorName, actorUserAgent, duration }: TAccessAccountDTO,
{
accountPath,
projectId,
actorEmail,
actorIp,
actorName,
actorUserAgent,
duration,
mfaSessionId
}: TAccessAccountDTO,
actor: OrgServiceActor
) => {
const orgLicensePlan = await licenseService.getPlan(actor.orgId);
@@ -640,6 +675,76 @@ export const pamAccountServiceFactory = ({
);
}
const project = await projectDAL.findById(account.projectId);
if (!project) throw new NotFoundError({ message: `Project with ID '${account.projectId}' not found` });
const actorUser = await userDAL.findById(actor.id);
if (!actorUser) throw new NotFoundError({ message: `User with ID '${actor.id}' not found` });
// If no mfaSessionId is provided, create a new MFA session
if (!mfaSessionId && account.requireMfa) {
// Get organization to check if MFA is enforced at org level
const org = await orgDAL.findOrgById(project.orgId);
if (!org) throw new NotFoundError({ message: `Organization with ID '${project.orgId}' not found` });
// Determine which MFA method to use
// Priority: org-enforced > user-selected > email as fallback
const orgMfaMethod = org.enforceMfa ? (org.selectedMfaMethod as MfaMethod | null) : undefined;
const userMfaMethod = actorUser.isMfaEnabled ? (actorUser.selectedMfaMethod as MfaMethod | null) : undefined;
const mfaMethod = (orgMfaMethod ?? userMfaMethod ?? MfaMethod.EMAIL) as MfaMethod;
// Create MFA session
const newMfaSessionId = await mfaSessionService.createMfaSession(actorUser.id, account.id, mfaMethod);
// If MFA method is email, send the code immediately
if (mfaMethod === MfaMethod.EMAIL && actorUser.email) {
await mfaSessionService.sendMfaCode(actorUser.id, actorUser.email);
}
// Throw an error with the mfaSessionId to signal that MFA is required
throw new BadRequestError({
message: "MFA verification required to access PAM account",
name: "SESSION_MFA_REQUIRED",
details: {
mfaSessionId: newMfaSessionId,
mfaMethod
}
});
}
if (mfaSessionId && account.requireMfa) {
const mfaSession = await mfaSessionService.getMfaSession(mfaSessionId);
if (!mfaSession) {
throw new BadRequestError({
message: "MFA session not found or expired"
});
}
// Verify the session belongs to the current user
if (mfaSession.userId !== actor.id) {
throw new BadRequestError({
message: "MFA session does not belong to current user"
});
}
// Verify the session is for the same account
if (mfaSession.resourceId !== account.id) {
throw new BadRequestError({
message: "MFA session is for a different account"
});
}
// Check if MFA session is active
if (mfaSession.status !== MfaSessionStatus.ACTIVE) {
throw new BadRequestError({
message: "MFA session is not active. Please complete MFA verification first."
});
}
// MFA verified successfully, delete the session and proceed with access
await mfaSessionService.deleteMfaSession(mfaSessionId);
}
const { connectionDetails, gatewayId, resourceType } = await decryptResource(
resource,
account.projectId,

3
backend/src/ee/services/pam-account/pam-account-types.ts
View File

@@ -6,7 +6,7 @@ import { PamAccountOrderBy, PamAccountView } from "./pam-account-enums";
// DTOs
export type TCreateAccountDTO = Pick<
TPamAccount,
"name" | "description" | "credentials" | "folderId" | "resourceId" | "rotationIntervalSeconds"
"name" | "description" | "credentials" | "folderId" | "resourceId" | "rotationIntervalSeconds" | "requireMfa"
> & {
rotationEnabled?: boolean;
};
@@ -23,6 +23,7 @@ export type TAccessAccountDTO = {
actorName: string;
actorUserAgent: string;
duration: number;
mfaSessionId?: string;
};
export type TListAccountsDTO = {

6
backend/src/ee/services/pam-resource/pam-resource-schemas.ts
View File

@@ -66,12 +66,14 @@ export const BaseCreatePamAccountSchema = z.object({
name: slugSchema({ field: "name" }),
description: z.string().max(512).nullable().optional(),
rotationEnabled: z.boolean(),
rotationIntervalSeconds: z.number().min(3600).nullable().optional()
rotationIntervalSeconds: z.number().min(3600).nullable().optional(),
requireMfa: z.boolean().optional().default(false)
});
export const BaseUpdatePamAccountSchema = z.object({
name: slugSchema({ field: "name" }).optional(),
description: z.string().max(512).nullable().optional(),
rotationEnabled: z.boolean().optional(),
rotationIntervalSeconds: z.number().min(3600).nullable().optional()
rotationIntervalSeconds: z.number().min(3600).nullable().optional(),
requireMfa: z.boolean().optional()
});

6
backend/src/keystore/keystore.ts
View File

@@ -81,6 +81,8 @@ export const KeyStorePrefixes = {
`group-member-project-permission:${projectId}:${groupId}:*` as const,
PkiAcmeNonce: (nonce: string) => `pki-acme-nonce:${nonce}` as const,
MfaSession: (mfaSessionId: string) => `mfa-session:${mfaSessionId}` as const,
WebAuthnChallenge: (userId: string) => `webauthn-challenge:${userId}` as const,
AiMcpServerOAuth: (sessionId: string) => `ai-mcp-server-oauth:${sessionId}` as const,
@@ -94,7 +96,9 @@ export const KeyStoreTtls = {
SetSecretSyncLastRunTimestampInSeconds: 60,
AccessTokenStatusUpdateInSeconds: 120,
ProjectPermissionCacheInSeconds: 300, // 5 minutes
ProjectPermissionDalVersionTtl: "15m" // Project permission DAL version TTL
ProjectPermissionDalVersionTtl: "15m", // Project permission DAL version TTL
MfaSessionInSeconds: 300, // 5 minutes
WebAuthnChallengeInSeconds: 300 // 5 minutes
};
type TDeleteItems = {

15
backend/src/lib/errors/index.ts
View File

@@ -90,10 +90,23 @@ export class BadRequestError extends Error {
error: unknown;
constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
details?: unknown;
constructor({
name,
error,
message,
details
}: {
message?: string;
name?: string;
error?: unknown;
details?: unknown;
}) {
super(message ?? "The request is invalid");
this.name = name || "BadRequest";
this.error = error;
this.details = details;
}
}

10
backend/src/server/plugins/error-handler.ts
View File

@@ -134,9 +134,13 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
}
if (error instanceof BadRequestError) {
void res
.status(HttpStatusCodes.BadRequest)
.send({ reqId: req.id, statusCode: HttpStatusCodes.BadRequest, message: error.message, error: error.name });
void res.status(HttpStatusCodes.BadRequest).send({
reqId: req.id,
statusCode: HttpStatusCodes.BadRequest,
message: error.message,
error: error.name,
details: error.details
});
} else if (error instanceof NotFoundError) {
void res
.status(HttpStatusCodes.NotFound)

24
backend/src/server/routes/index.ts
View File

@@ -293,6 +293,7 @@ import { membershipIdentityDALFactory } from "@app/services/membership-identity/
import { membershipIdentityServiceFactory } from "@app/services/membership-identity/membership-identity-service";
import { membershipUserDALFactory } from "@app/services/membership-user/membership-user-dal";
import { membershipUserServiceFactory } from "@app/services/membership-user/membership-user-service";
import { mfaSessionServiceFactory } from "@app/services/mfa-session/mfa-session-service";
import { microsoftTeamsIntegrationDALFactory } from "@app/services/microsoft-teams/microsoft-teams-integration-dal";
import { microsoftTeamsServiceFactory } from "@app/services/microsoft-teams/microsoft-teams-service";
import { projectMicrosoftTeamsConfigDALFactory } from "@app/services/microsoft-teams/project-microsoft-teams-config-dal";
@@ -391,6 +392,8 @@ import { userDALFactory } from "@app/services/user/user-dal";
import { userServiceFactory } from "@app/services/user/user-service";
import { userAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
import { userEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
import { webAuthnCredentialDALFactory } from "@app/services/webauthn/webauthn-credential-dal";
import { webAuthnServiceFactory } from "@app/services/webauthn/webauthn-service";
import { webhookDALFactory } from "@app/services/webhook/webhook-dal";
import { webhookServiceFactory } from "@app/services/webhook/webhook-service";
import { workflowIntegrationDALFactory } from "@app/services/workflow-integration/workflow-integration-dal";
@@ -570,6 +573,7 @@ export const registerRoutes = async (
const projectSlackConfigDAL = projectSlackConfigDALFactory(db);
const workflowIntegrationDAL = workflowIntegrationDALFactory(db);
const totpConfigDAL = totpConfigDALFactory(db);
const webAuthnCredentialDAL = webAuthnCredentialDALFactory(db);
const externalGroupOrgRoleMappingDAL = externalGroupOrgRoleMappingDALFactory(db);
@@ -914,6 +918,13 @@ export const registerRoutes = async (
kmsService
});
const webAuthnService = webAuthnServiceFactory({
webAuthnCredentialDAL,
userDAL,
tokenService,
keyStore
});
const loginService = authLoginServiceFactory({
userDAL,
smtpService,
@@ -2451,6 +2462,13 @@ export const registerRoutes = async (
gatewayV2Service
});
const mfaSessionService = mfaSessionServiceFactory({
keyStore,
tokenService,
smtpService,
totpService
});
const approvalPolicyDAL = approvalPolicyDALFactory(db);
const pamSessionExpirationService = pamSessionExpirationServiceFactory({
queueService,
@@ -2467,8 +2485,12 @@ export const registerRoutes = async (
pamSessionDAL,
permissionService,
projectDAL,
orgDAL,
userDAL,
auditLogService,
mfaSessionService,
tokenService,
smtpService,
approvalRequestGrantsDAL,
approvalPolicyDAL,
pamSessionExpirationService
@@ -2702,6 +2724,7 @@ export const registerRoutes = async (
externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService,
projectTemplate: projectTemplateService,
totp: totpService,
webAuthn: webAuthnService,
appConnection: appConnectionService,
secretSync: secretSyncService,
kmip: kmipService,
@@ -2723,6 +2746,7 @@ export const registerRoutes = async (
pamResource: pamResourceService,
pamAccount: pamAccountService,
pamSession: pamSessionService,
mfaSession: mfaSessionService,
upgradePath: upgradePathService,
membershipUser: membershipUserService,

3
backend/src/server/routes/sanitizedSchemas.ts
View File

@@ -37,7 +37,8 @@ export const DefaultResponseErrorsSchema = {
reqId: z.string(),
statusCode: z.literal(400),
message: z.string(),
error: z.string()
error: z.string(),
details: z.any().optional()
}),
404: z.object({
reqId: z.string(),

214
backend/src/server/routes/v1/user-router.ts
View File

@@ -1,3 +1,4 @@
import type { AuthenticationResponseJSON, RegistrationResponseJSON } from "@simplewebauthn/server";
import { z } from "zod";
import { UsersSchema } from "@app/db/schemas";
@@ -284,4 +285,217 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
});
}
});
// WebAuthn/Passkey Routes
server.route({
method: "GET",
url: "/me/webauthn",
config: {
rateLimit: readLimit
},
schema: {
response: {
200: z.object({
credentials: z.array(
z.object({
id: z.string(),
credentialId: z.string(),
name: z.string().nullable().optional(),
transports: z.array(z.string()).nullable().optional(),
createdAt: z.date(),
lastUsedAt: z.date().nullable().optional()
})
)
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
const credentials = await server.services.webAuthn.getUserWebAuthnCredentials({
userId: req.permission.id
});
return { credentials };
}
});
server.route({
method: "POST",
url: "/me/webauthn/register",
config: {
rateLimit: writeLimit
},
schema: {
response: {
200: z.any() // Returns PublicKeyCredentialCreationOptionsJSON from @simplewebauthn/server
}
},
onRequest: verifyAuth([AuthMode.JWT], {
requireOrg: false
}),
handler: async (req) => {
return server.services.webAuthn.generateRegistrationOptions({
userId: req.permission.id
});
}
});
server.route({
method: "POST",
url: "/me/webauthn/register/verify",
config: {
rateLimit: writeLimit
},
schema: {
body: z.object({
registrationResponse: z
.object({
id: z.string(),
rawId: z.string(),
response: z
.object({
clientDataJSON: z.string(),
attestationObject: z.string()
})
.passthrough(),
clientExtensionResults: z.record(z.unknown()).default({}),
type: z.literal("public-key")
})
.passthrough(),
name: z.string().optional()
}),
response: {
200: z.object({
credentialId: z.string(),
name: z.string().nullable().optional()
})
}
},
onRequest: verifyAuth([AuthMode.JWT], {
requireOrg: false
}),
handler: async (req) => {
return server.services.webAuthn.verifyRegistrationResponse({
userId: req.permission.id,
registrationResponse: req.body.registrationResponse as RegistrationResponseJSON,
name: req.body.name
});
}
});
server.route({
method: "POST",
url: "/me/webauthn/authenticate",
config: {
rateLimit: readLimit
},
schema: {
response: {
200: z.any() // Returns PublicKeyCredentialRequestOptionsJSON from @simplewebauthn/server
}
},
onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
handler: async (req) => {
return server.services.webAuthn.generateAuthenticationOptions({
userId: req.permission.id
});
}
});
server.route({
method: "POST",
url: "/me/webauthn/authenticate/verify",
config: {
rateLimit: writeLimit
},
schema: {
body: z.object({
authenticationResponse: z
.object({
id: z.string(),
rawId: z.string(),
response: z
.object({
clientDataJSON: z.string(),
authenticatorData: z.string(),
signature: z.string()
})
.passthrough(),
clientExtensionResults: z.record(z.unknown()).optional(),
type: z.literal("public-key")
})
.passthrough()
}),
response: {
200: z.object({
verified: z.boolean(),
credentialId: z.string(),
sessionToken: z.string()
})
}
},
onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
handler: async (req) => {
return server.services.webAuthn.verifyAuthenticationResponse({
userId: req.permission.id,
authenticationResponse: req.body.authenticationResponse as AuthenticationResponseJSON
});
}
});
server.route({
method: "PATCH",
url: "/me/webauthn/:id",
config: {
rateLimit: writeLimit
},
schema: {
params: z.object({
id: z.string()
}),
body: z.object({
name: z.string().optional()
}),
response: {
200: z.object({
id: z.string(),
credentialId: z.string(),
name: z.string().nullable().optional()
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
return server.services.webAuthn.updateWebAuthnCredential({
userId: req.permission.id,
id: req.params.id,
name: req.body.name
});
}
});
server.route({
method: "DELETE",
url: "/me/webauthn/:id",
config: {
rateLimit: writeLimit
},
schema: {
params: z.object({
id: z.string()
}),
response: {
200: z.object({
success: z.boolean()
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
await server.services.webAuthn.deleteWebAuthnCredential({
userId: req.permission.id,
id: req.params.id
});
return { success: true };
}
});
};

2
backend/src/server/routes/v2/index.ts
View File

@@ -6,6 +6,7 @@ import { registerDeprecatedProjectMembershipRouter } from "./deprecated-project-
import { registerDeprecatedProjectRouter } from "./deprecated-project-router";
import { registerIdentityOrgRouter } from "./identity-org-router";
import { registerMfaRouter } from "./mfa-router";
import { registerMfaSessionRouter } from "./mfa-session-router";
import { registerOrgRouter } from "./organization-router";
import { registerPasswordRouter } from "./password-router";
import { registerPkiAlertRouter } from "./pki-alert-router";
@@ -17,6 +18,7 @@ import { registerUserRouter } from "./user-router";
export const registerV2Routes = async (server: FastifyZodProvider) => {
await server.register(registerMfaRouter, { prefix: "/auth" });
await server.register(registerMfaSessionRouter, { prefix: "/mfa-sessions" });
await server.register(registerUserRouter, { prefix: "/users" });
await server.register(registerServiceTokenRouter, { prefix: "/service-token" });
await server.register(registerPasswordRouter, { prefix: "/password" });

33
backend/src/server/routes/v2/mfa-router.ts
View File

@@ -186,4 +186,37 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
return handleMfaVerification(req, res, server, req.body.recoveryCode, MfaMethod.TOTP, true);
}
});
// WebAuthn MFA routes
server.route({
method: "GET",
url: "/mfa/check/webauthn",
config: {
rateLimit: mfaRateLimit
},
schema: {
response: {
200: z.object({
hasPasskeys: z.boolean()
})
}
},
handler: async (req) => {
try {
const credentials = await server.services.webAuthn.getUserWebAuthnCredentials({
userId: req.mfa.userId
});
return {
hasPasskeys: credentials.length > 0
};
} catch (error) {
if (error instanceof NotFoundError) {
return { hasPasskeys: false };
}
throw error;
}
}
});
};

72
backend/src/server/routes/v2/mfa-session-router.ts Normal file
View File

@@ -0,0 +1,72 @@
import { z } from "zod";
import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode, MfaMethod } from "@app/services/auth/auth-type";
import { MfaSessionStatus } from "@app/services/mfa-session/mfa-session-types";
export const registerMfaSessionRouter = async (server: FastifyZodProvider) => {
server.route({
method: "POST",
url: "/:mfaSessionId/verify",
config: {
rateLimit: writeLimit
},
schema: {
description: "Verify MFA session",
params: z.object({
mfaSessionId: z.string().trim()
}),
body: z.object({
mfaToken: z.string().trim(),
mfaMethod: z.nativeEnum(MfaMethod)
}),
response: {
200: z.object({
success: z.boolean(),
message: z.string()
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
const result = await server.services.mfaSession.verifyMfaSession({
mfaSessionId: req.params.mfaSessionId,
userId: req.permission.id,
mfaToken: req.body.mfaToken,
mfaMethod: req.body.mfaMethod
});
return result;
}
});
server.route({
method: "GET",
url: "/:mfaSessionId/status",
config: {
rateLimit: readLimit
},
schema: {
description: "Get MFA session status",
params: z.object({
mfaSessionId: z.string().trim()
}),
response: {
200: z.object({
status: z.nativeEnum(MfaSessionStatus),
mfaMethod: z.nativeEnum(MfaMethod)
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
const result = await server.services.mfaSession.getMfaSessionStatus({
mfaSessionId: req.params.mfaSessionId,
userId: req.permission.id
});
return result;
}
});
};

7
backend/src/services/auth-token/auth-token-service.ts
View File

@@ -74,6 +74,13 @@ export const getTokenConfig = (tokenType: TokenType) => {
const expiresAt = new Date(new Date().getTime() + 259200000);
return { token, expiresAt };
}
case TokenType.TOKEN_WEBAUTHN_SESSION: {
// generate random hex token for WebAuthn session
const token = crypto.randomBytes(32).toString("hex");
const triesLeft = 1;
const expiresAt = new Date(new Date().getTime() + 60000); // 60 seconds
return { token, triesLeft, expiresAt };
}
default: {
const token = crypto.randomBytes(16).toString("hex");
const expiresAt = new Date();

3
backend/src/services/auth-token/auth-token-types.ts
View File

@@ -8,7 +8,8 @@ export enum TokenType {
TOKEN_EMAIL_ORG_INVITATION = "organizationInvitation",
TOKEN_EMAIL_PASSWORD_RESET = "passwordReset",
TOKEN_EMAIL_PASSWORD_SETUP = "passwordSetup",
TOKEN_USER_UNLOCK = "userUnlock"
TOKEN_USER_UNLOCK = "userUnlock",
TOKEN_WEBAUTHN_SESSION = "webauthnSession"
}
export type TCreateTokenForUserDTO = {

12
backend/src/services/auth/auth-login-service.ts
View File

@@ -882,6 +882,18 @@ export const authLoginServiceFactory = ({
totp: mfaToken
});
}
} else if (mfaMethod === MfaMethod.WEBAUTHN) {
if (!mfaToken) {
throw new BadRequestError({
message: "WebAuthn session token is required"
});
}
// Validate the one-time WebAuthn session token (passed as mfaToken)
await tokenService.validateTokenForUser({
type: TokenType.TOKEN_WEBAUTHN_SESSION,
userId,
code: mfaToken
});
}
} catch (err) {
const updatedUser = await processFailedMfaAttempt(userId);

3
backend/src/services/auth/auth-type.ts
View File

@@ -100,5 +100,6 @@ export type AuthModeProviderSignUpTokenPayload = {
export enum MfaMethod {
EMAIL = "email",
TOTP = "totp"
TOTP = "totp",
WEBAUTHN = "webauthn"
}

175
backend/src/services/mfa-session/mfa-session-service.ts Normal file
View File

@@ -0,0 +1,175 @@
import { KeyStorePrefixes, KeyStoreTtls, TKeyStoreFactory } from "@app/keystore/keystore";
import { crypto } from "@app/lib/crypto";
import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
import { MfaMethod } from "@app/services/auth/auth-type";
import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
import { TokenType } from "@app/services/auth-token/auth-token-types";
import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
import { TTotpServiceFactory } from "@app/services/totp/totp-service";
import { MfaSessionStatus, TGetMfaSessionStatusDTO, TMfaSession, TVerifyMfaSessionDTO } from "./mfa-session-types";
type TMfaSessionServiceFactoryDep = {
keyStore: Pick<TKeyStoreFactory, "getItem" | "setItemWithExpiry" | "deleteItem">;
tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser" | "validateTokenForUser">;
smtpService: Pick<TSmtpService, "sendMail">;
totpService: Pick<TTotpServiceFactory, "verifyUserTotp" | "verifyWithUserRecoveryCode">;
};
export type TMfaSessionServiceFactory = ReturnType<typeof mfaSessionServiceFactory>;
export const mfaSessionServiceFactory = ({
keyStore,
tokenService,
smtpService,
totpService
}: TMfaSessionServiceFactoryDep) => {
// Helper function to get MFA session from Redis
const getMfaSession = async (mfaSessionId: string): Promise<TMfaSession | null> => {
const mfaSessionKey = KeyStorePrefixes.MfaSession(mfaSessionId);
const mfaSessionData = await keyStore.getItem(mfaSessionKey);
if (!mfaSessionData) {
return null;
}
return JSON.parse(mfaSessionData) as TMfaSession;
};
// Helper function to update MFA session in Redis
const updateMfaSession = async (mfaSession: TMfaSession, ttlSeconds: number): Promise<void> => {
const mfaSessionKey = KeyStorePrefixes.MfaSession(mfaSession.sessionId);
await keyStore.setItemWithExpiry(mfaSessionKey, ttlSeconds, JSON.stringify(mfaSession));
};
// Helper function to send MFA code via email
const sendMfaCode = async (userId: string, email: string) => {
const code = await tokenService.createTokenForUser({
type: TokenType.TOKEN_EMAIL_MFA,
userId
});
await smtpService.sendMail({
template: SmtpTemplates.EmailMfa,
subjectLine: "Infisical MFA code",
recipients: [email],
substitutions: {
code
}
});
};
const verifyMfaSession = async ({ mfaSessionId, userId, mfaToken, mfaMethod }: TVerifyMfaSessionDTO) => {
const mfaSession = await getMfaSession(mfaSessionId);
if (!mfaSession) {
throw new BadRequestError({
message: "MFA session not found or expired"
});
}
if (mfaSession.mfaMethod !== mfaMethod) {
throw new BadRequestError({
message: "MFA method does not match the session"
});
}
// Verify the session belongs to the current user
if (mfaSession.userId !== userId) {
throw new ForbiddenRequestError({
message: "MFA session does not belong to current user"
});
}
try {
if (mfaMethod === MfaMethod.EMAIL) {
await tokenService.validateTokenForUser({
type: TokenType.TOKEN_EMAIL_MFA,
userId,
code: mfaToken
});
} else if (mfaMethod === MfaMethod.TOTP) {
if (mfaToken.length !== 6) {
throw new BadRequestError({
message: "Please use a valid TOTP code."
});
}
await totpService.verifyUserTotp({
userId,
totp: mfaToken
});
} else if (mfaMethod === MfaMethod.WEBAUTHN) {
await tokenService.validateTokenForUser({
type: TokenType.TOKEN_WEBAUTHN_SESSION,
userId,
code: mfaToken
});
}
} catch (error) {
throw new BadRequestError({
message: "Invalid MFA code"
});
}
mfaSession.status = MfaSessionStatus.ACTIVE;
await updateMfaSession(mfaSession, KeyStoreTtls.MfaSessionInSeconds);
return {
success: true,
message: "MFA verification successful"
};
};
const getMfaSessionStatus = async ({ mfaSessionId, userId }: TGetMfaSessionStatusDTO) => {
const mfaSession = await getMfaSession(mfaSessionId);
if (!mfaSession) {
throw new NotFoundError({
message: "MFA session not found or expired"
});
}
if (mfaSession.userId !== userId) {
throw new ForbiddenRequestError({
message: "MFA session does not belong to current user"
});
}
return {
status: mfaSession.status,
mfaMethod: mfaSession.mfaMethod
};
};
const createMfaSession = async (userId: string, resourceId: string, mfaMethod: MfaMethod): Promise<string> => {
const mfaSessionId = crypto.randomBytes(32).toString("hex");
const mfaSession: TMfaSession = {
sessionId: mfaSessionId,
userId,
resourceId,
status: MfaSessionStatus.PENDING,
mfaMethod
};
await keyStore.setItemWithExpiry(
KeyStorePrefixes.MfaSession(mfaSessionId),
KeyStoreTtls.MfaSessionInSeconds,
JSON.stringify(mfaSession)
);
return mfaSessionId;
};
const deleteMfaSession = async (mfaSessionId: string) => {
await keyStore.deleteItem(KeyStorePrefixes.MfaSession(mfaSessionId));
};
return {
createMfaSession,
verifyMfaSession,
getMfaSessionStatus,
sendMfaCode,
getMfaSession,
deleteMfaSession
};
};

32
backend/src/services/mfa-session/mfa-session-types.ts Normal file
View File

@@ -0,0 +1,32 @@
import { MfaMethod } from "@app/services/auth/auth-type";
export enum MfaSessionStatus {
PENDING = "PENDING",
ACTIVE = "ACTIVE"
}
export type TMfaSession = {
sessionId: string;
userId: string;
resourceId: string; // Generic - can be accountId, documentId, etc.
status: MfaSessionStatus;
mfaMethod: MfaMethod;
};
export type TCreateMfaSessionDTO = {
userId: string;
resourceId: string;
mfaMethod: MfaMethod;
};
export type TVerifyMfaSessionDTO = {
mfaSessionId: string;
userId: string;
mfaToken: string;
mfaMethod: MfaMethod;
};
export type TGetMfaSessionStatusDTO = {
mfaSessionId: string;
userId: string;
};

11
backend/src/services/webauthn/webauthn-credential-dal.ts Normal file
View File

@@ -0,0 +1,11 @@
import { TDbClient } from "@app/db";
import { TableName } from "@app/db/schemas";
import { ormify } from "@app/lib/knex";
export type TWebAuthnCredentialDALFactory = ReturnType<typeof webAuthnCredentialDALFactory>;
export const webAuthnCredentialDALFactory = (db: TDbClient) => {
const webAuthnCredentialDal = ormify(db, TableName.WebAuthnCredential);
return webAuthnCredentialDal;
};

385
backend/src/services/webauthn/webauthn-service.ts Normal file
View File

@@ -0,0 +1,385 @@
import {
AuthenticatorTransportFuture,
generateAuthenticationOptions,
generateRegistrationOptions,
VerifiedAuthenticationResponse,
VerifiedRegistrationResponse,
verifyAuthenticationResponse,
verifyRegistrationResponse
} from "@simplewebauthn/server";
import { KeyStorePrefixes, KeyStoreTtls, TKeyStoreFactory } from "@app/keystore/keystore";
import { getConfig } from "@app/lib/config/env";
import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
import { TokenType } from "../auth-token/auth-token-types";
import { TUserDALFactory } from "../user/user-dal";
import { TWebAuthnCredentialDALFactory } from "./webauthn-credential-dal";
import {
TDeleteWebAuthnCredentialDTO,
TGenerateAuthenticationOptionsDTO,
TGenerateRegistrationOptionsDTO,
TGetUserWebAuthnCredentialsDTO,
TUpdateWebAuthnCredentialDTO,
TVerifyAuthenticationResponseDTO,
TVerifyRegistrationResponseDTO
} from "./webauthn-types";
type TWebAuthnServiceFactoryDep = {
userDAL: TUserDALFactory;
webAuthnCredentialDAL: TWebAuthnCredentialDALFactory;
tokenService: TAuthTokenServiceFactory;
keyStore: TKeyStoreFactory;
};
export type TWebAuthnServiceFactory = ReturnType<typeof webAuthnServiceFactory>;
export const webAuthnServiceFactory = ({
userDAL,
webAuthnCredentialDAL,
tokenService,
keyStore
}: TWebAuthnServiceFactoryDep) => {
const storeChallenge = async (userId: string, challenge: string) => {
const challengeKey = KeyStorePrefixes.WebAuthnChallenge(userId);
await keyStore.setItemWithExpiry(challengeKey, KeyStoreTtls.WebAuthnChallengeInSeconds, challenge);
};
const getChallenge = async (userId: string): Promise<string | null> => {
const challengeKey = KeyStorePrefixes.WebAuthnChallenge(userId);
return keyStore.getItem(challengeKey);
};
const clearChallenge = async (userId: string) => {
const challengeKey = KeyStorePrefixes.WebAuthnChallenge(userId);
await keyStore.deleteItem(challengeKey);
};
const appCfg = getConfig();
// Relying Party (RP) information - extracted from SITE_URL
const RP_NAME = "Infisical";
const RP_ID = new URL(appCfg.SITE_URL || "http://localhost:8080").hostname;
const ORIGIN = appCfg.SITE_URL || "http://localhost:8080";
/**
* Generate registration options for a new passkey
* This is the first step in passkey registration
*/
const generateRegistrationOptionsForUser = async ({ userId }: TGenerateRegistrationOptionsDTO) => {
const user = await userDAL.findById(userId);
if (!user) {
throw new NotFoundError({
message: "User not found"
});
}
// Get existing credentials to exclude them from registration
const existingCredentials = await webAuthnCredentialDAL.find({ userId });
const options = await generateRegistrationOptions({
rpName: RP_NAME,
rpID: RP_ID,
userID: Buffer.from(userId, "utf-8"),
userName: user.email || "",
userDisplayName: user.email || "",
attestationType: "none",
excludeCredentials: existingCredentials.map((cred) => ({
id: cred.credentialId,
transports: cred.transports as AuthenticatorTransportFuture[]
})),
authenticatorSelection: {
requireResidentKey: true,
residentKey: "required",
userVerification: "required"
}
});
// Store challenge for verification
await storeChallenge(userId, options.challenge);
return options;
};
/**
* Verify registration response and store the credential
* This is the second step in passkey registration
*/
const verifyRegistrationResponseFromUser = async ({
userId,
registrationResponse,
name
}: TVerifyRegistrationResponseDTO) => {
const user = await userDAL.findById(userId);
if (!user) {
throw new NotFoundError({
message: "User not found"
});
}
// Retrieve the stored challenge
const expectedChallenge = await getChallenge(userId);
if (!expectedChallenge) {
throw new BadRequestError({
message: "Challenge not found or expired. Please try registering again."
});
}
let verification: VerifiedRegistrationResponse;
try {
verification = await verifyRegistrationResponse({
response: registrationResponse,
expectedChallenge,
expectedOrigin: ORIGIN,
expectedRPID: RP_ID,
requireUserVerification: true
});
} catch (error: unknown) {
await clearChallenge(userId);
throw new BadRequestError({
message: `Registration verification failed: ${error instanceof Error ? error.message : "Unknown error"}`
});
}
if (!verification.verified || !verification.registrationInfo) {
await clearChallenge(userId);
throw new BadRequestError({
message: "Registration verification failed"
});
}
const { credential: registeredCredential } = verification.registrationInfo;
// Check if credential already exists
const credentialIdBase64 = registeredCredential.id;
const existingCredential = await webAuthnCredentialDAL.findOne({
credentialId: credentialIdBase64
});
if (existingCredential) {
await clearChallenge(userId);
throw new BadRequestError({
message: "This credential has already been registered"
});
}
// Store the credential
const credential = await webAuthnCredentialDAL.create({
userId,
credentialId: credentialIdBase64,
publicKey: Buffer.from(registeredCredential.publicKey).toString("base64url"),
counter: registeredCredential.counter,
transports: registrationResponse.response.transports || null,
name: name || "Passkey"
});
// Clear the challenge
await clearChallenge(userId);
return {
credentialId: credential.credentialId,
name: credential.name
};
};
/**
* Generate authentication options for passkey verification
* This is used during login/2FA
*/
const generateAuthenticationOptionsForUser = async ({ userId }: TGenerateAuthenticationOptionsDTO) => {
const credentials = await webAuthnCredentialDAL.find({ userId });
if (credentials.length === 0) {
throw new NotFoundError({
message: "No passkeys registered for this user"
});
}
const options = await generateAuthenticationOptions({
rpID: RP_ID,
allowCredentials: credentials.map((cred) => ({
id: cred.credentialId,
transports: cred.transports as AuthenticatorTransportFuture[]
})),
userVerification: "required"
});
// Store challenge for verification
await storeChallenge(userId, options.challenge);
return options;
};
/**
* Verify authentication response
* This is used during login/2FA to verify the user's passkey
*/
const verifyAuthenticationResponseFromUser = async ({
userId,
authenticationResponse
}: TVerifyAuthenticationResponseDTO) => {
const credentialIdBase64 = authenticationResponse.id;
if (!credentialIdBase64) {
throw new BadRequestError({
message: "Invalid authentication response"
});
}
// Find the credential
const credential = await webAuthnCredentialDAL.findOne({ credentialId: credentialIdBase64 });
if (!credential) {
throw new NotFoundError({
message: "Credential not found"
});
}
// Verify the credential belongs to the user
if (userId !== credential.userId) {
throw new ForbiddenRequestError({
message: "Credential does not belong to this user"
});
}
// Retrieve the stored challenge
const expectedChallenge = await getChallenge(userId);
if (!expectedChallenge) {
throw new BadRequestError({
message: "Challenge not found or expired. Please try authenticating again."
});
}
let verification: VerifiedAuthenticationResponse;
try {
verification = await verifyAuthenticationResponse({
response: authenticationResponse,
expectedChallenge,
expectedOrigin: ORIGIN,
expectedRPID: RP_ID,
credential: {
id: credential.credentialId,
publicKey: Buffer.from(credential.publicKey, "base64url"),
counter: credential.counter
},
requireUserVerification: true
});
} catch (error: unknown) {
await clearChallenge(userId);
throw new BadRequestError({
message: `Authentication verification failed: ${error instanceof Error ? error.message : "Unknown error"}`
});
}
if (!verification.verified) {
await clearChallenge(userId);
throw new BadRequestError({
message: "Authentication verification failed"
});
}
// Update last used timestamp and counter
await webAuthnCredentialDAL.updateById(credential.id, {
lastUsedAt: new Date(),
counter: verification.authenticationInfo.newCounter
});
// Clear the challenge
await clearChallenge(userId);
// Generate one-time WebAuthn session token with 60-second expiration
const sessionToken = await tokenService.createTokenForUser({
type: TokenType.TOKEN_WEBAUTHN_SESSION,
userId
});
return {
verified: true,
credentialId: credential.credentialId,
sessionToken
};
};
/**
* Get all WebAuthn credentials for a user
*/
const getUserWebAuthnCredentials = async ({ userId }: TGetUserWebAuthnCredentialsDTO) => {
const credentials = await webAuthnCredentialDAL.find({ userId });
// Don't return sensitive data like public keys
return credentials.map((cred) => ({
id: cred.id,
credentialId: cred.credentialId,
name: cred.name,
transports: cred.transports,
createdAt: cred.createdAt,
lastUsedAt: cred.lastUsedAt
}));
};
/**
* Delete a WebAuthn credential
*/
const deleteWebAuthnCredential = async ({ userId, id }: TDeleteWebAuthnCredentialDTO) => {
const credential = await webAuthnCredentialDAL.findById(id);
if (!credential) {
throw new NotFoundError({
message: "Credential not found"
});
}
if (userId !== credential.userId) {
throw new ForbiddenRequestError({
message: "Credential does not belong to this user"
});
}
await webAuthnCredentialDAL.deleteById(credential.id);
return {
success: true
};
};
/**
* Update a WebAuthn credential (e.g., rename it)
*/
const updateWebAuthnCredential = async ({ userId, id, name }: TUpdateWebAuthnCredentialDTO) => {
const credential = await webAuthnCredentialDAL.findById(id);
if (!credential) {
throw new NotFoundError({
message: "Credential not found"
});
}
if (userId !== credential.userId) {
throw new ForbiddenRequestError({
message: "Credential does not belong to this user"
});
}
const updatedCredential = await webAuthnCredentialDAL.updateById(credential.id, {
name: name || credential.name
});
return {
id: updatedCredential.id,
credentialId: updatedCredential.credentialId,
name: updatedCredential.name
};
};
return {
generateRegistrationOptions: generateRegistrationOptionsForUser,
verifyRegistrationResponse: verifyRegistrationResponseFromUser,
generateAuthenticationOptions: generateAuthenticationOptionsForUser,
verifyAuthenticationResponse: verifyAuthenticationResponseFromUser,
getUserWebAuthnCredentials,
deleteWebAuthnCredential,
updateWebAuthnCredential
};
};

35
backend/src/services/webauthn/webauthn-types.ts Normal file
View File

@@ -0,0 +1,35 @@
import { AuthenticationResponseJSON, RegistrationResponseJSON } from "@simplewebauthn/server";
export type TGenerateRegistrationOptionsDTO = {
userId: string;
};
export type TVerifyRegistrationResponseDTO = {
userId: string;
registrationResponse: RegistrationResponseJSON;
name?: string; // User-friendly name for the credential
};
export type TGenerateAuthenticationOptionsDTO = {
userId: string;
};
export type TVerifyAuthenticationResponseDTO = {
userId: string;
authenticationResponse: AuthenticationResponseJSON;
};
export type TGetUserWebAuthnCredentialsDTO = {
userId: string;
};
export type TDeleteWebAuthnCredentialDTO = {
userId: string;
id: string;
};
export type TUpdateWebAuthnCredentialDTO = {
userId: string;
id: string;
name?: string;
};