Passkeys!

2026-01-19 15:53:05 -07:00
parent bf2a1816db
commit ee9807e8e0
18 changed files with 1358 additions and 360 deletions
--- a/src/pages/api/auth/passkey/login/finish.ts
+++ b/src/pages/api/auth/passkey/login/finish.ts
@@ -0,0 +1,102 @@
+import type { APIRoute } from "astro";
+import { verifyAuthenticationResponse } from "@simplewebauthn/server";
+import { db } from "../../../../../db";
+import { users, passkeys, passkeyChallenges } from "../../../../../db/schema";
+import { eq, and, gt } from "drizzle-orm";
+import { createSession } from "../../../../../lib/auth";
+
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const body = await request.json();
+  const { id } = body;
+
+  const passkey = await db.query.passkeys.findFirst({
+    where: eq(passkeys.id, id),
+  });
+
+  if (!passkey) {
+    return new Response(JSON.stringify({ error: "Passkey not found" }), {
+      status: 400,
+    });
+  }
+
+  const user = await db.query.users.findFirst({
+    where: eq(users.id, passkey.userId),
+  });
+
+  if (!user) return new Response(null, { status: 400 });
+
+  const clientDataJSON = Buffer.from(
+    body.response.clientDataJSON,
+    "base64url",
+  ).toString("utf-8");
+  const clientData = JSON.parse(clientDataJSON);
+  const challenge = clientData.challenge;
+
+  const dbChallenge = await db.query.passkeyChallenges.findFirst({
+    where: and(
+      eq(passkeyChallenges.challenge, challenge),
+      gt(passkeyChallenges.expiresAt, new Date()),
+    ),
+  });
+
+  if (!dbChallenge) {
+    return new Response(
+      JSON.stringify({ error: "Invalid or expired challenge" }),
+      {
+        status: 400,
+      },
+    );
+  }
+
+  let verification;
+  try {
+    verification = await verifyAuthenticationResponse({
+      response: body,
+      expectedChallenge: challenge as string,
+      expectedOrigin: new URL(request.url).origin,
+      expectedRPID: new URL(request.url).hostname,
+      credential: {
+        id: passkey.id,
+        publicKey: new Uint8Array(Buffer.from(passkey.publicKey, "base64")),
+        counter: passkey.counter,
+        transports: passkey.transports
+          ? JSON.parse(passkey.transports)
+          : undefined,
+      },
+    });
+  } catch (error) {
+    return new Response(JSON.stringify({ error: (error as Error).message }), {
+      status: 400,
+    });
+  }
+
+  if (verification.verified) {
+    const { authenticationInfo } = verification;
+
+    await db
+      .update(passkeys)
+      .set({
+        counter: authenticationInfo.newCounter,
+        lastUsedAt: new Date(),
+      })
+      .where(eq(passkeys.id, passkey.id));
+
+    const { sessionId, expiresAt } = await createSession(user.id);
+
+    cookies.set("session_id", sessionId, {
+      path: "/",
+      httpOnly: true,
+      secure: import.meta.env.PROD,
+      sameSite: "lax",
+      expires: expiresAt,
+    });
+
+    await db
+      .delete(passkeyChallenges)
+      .where(eq(passkeyChallenges.challenge, challenge));
+
+    return new Response(JSON.stringify({ verified: true }));
+  }
+
+  return new Response(JSON.stringify({ verified: false }), { status: 400 });
+};