feat(api/v2): implement U2F session check (#6339)

proto/buf.yaml

@@ -7,6 +7,7 @@ deps:
 breaking:
   use:
     - FILE
+  ignore_unstable_packages: true
 lint:
   use:
     - MINIMAL

proto/zitadel/session/v2alpha/challenge.proto

@@ -2,18 +2,47 @@ syntax = "proto3";
 
 package zitadel.session.v2alpha;
 
+import "google/api/field_behavior.proto";
 import "google/protobuf/struct.proto";
 import "protoc-gen-openapiv2/options/annotations.proto";
+import "validate/validate.proto";
 
 option go_package = "github.com/zitadel/zitadel/pkg/grpc/session/v2alpha;session";
 
-enum ChallengeKind {
-    CHALLENGE_KIND_UNSPECIFIED = 0;
-    CHALLENGE_KIND_PASSKEY = 1;
+enum UserVerificationRequirement {
+  USER_VERIFICATION_REQUIREMENT_UNSPECIFIED = 0;
+  USER_VERIFICATION_REQUIREMENT_REQUIRED = 1;
+  USER_VERIFICATION_REQUIREMENT_PREFERRED = 2;
+  USER_VERIFICATION_REQUIREMENT_DISCOURAGED = 3;
+}
+
+message RequestChallenges {
+  message WebAuthN {
+    string domain = 1 [
+      (validate.rules).string = {min_len: 1, max_len: 200},
+      (google.api.field_behavior) = REQUIRED,
+      (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+        description: "\"Domain on which the session was created. Will be used in the WebAuthN challenge.\"";
+      }
+    ];
+    UserVerificationRequirement user_verification_requirement = 2 [
+      (validate.rules).enum = {
+        defined_only: true,
+        not_in: [0]
+      },
+      (google.api.field_behavior) = REQUIRED,
+      (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+        description: "\"User verification that is required during validation. When set to `USER_VERIFICATION_REQUIREMENT_REQUIRED` the behaviour is for passkey authentication. Other values will mean U2F\"";
+        ref: "https://www.w3.org/TR/webauthn/#enum-userVerificationRequirement";
+      }
+    ];
+  }
+
+  optional WebAuthN web_auth_n = 1;
 }
 
 message Challenges {
-  message Passkey {
+  message WebAuthN {
     google.protobuf.Struct public_key_credential_request_options = 1 [
       (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
         description: "Options for Assertion Generaration (dictionary PublicKeyCredentialRequestOptions). Generated helper methods transform the field to JSON, for use in a WebauthN client. See also: https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions"
@@ -22,5 +51,5 @@ message Challenges {
     ];
   }
 
-  optional Passkey passkey = 1;
+  optional WebAuthN web_auth_n = 1;
 }

proto/zitadel/session/v2alpha/session.proto

@@ -39,17 +39,12 @@ message Session {
       description: "\"custom key value list\"";
     }
   ];
-  string domain = 7 [
-    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
-      description: "\"domain on which the session was created\"";
-    }
-  ];
 }
 
 message Factors {
   UserFactor user = 1;
   PasswordFactor password = 2;
-  PasskeyFactor passkey = 3;
+  WebAuthNFactor web_auth_n = 3;
   IntentFactor intent = 4;
 }
 
@@ -97,12 +92,13 @@ message IntentFactor {
   ];
 }
 
-message PasskeyFactor {
+message WebAuthNFactor {
   google.protobuf.Timestamp verified_at = 1 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
       description: "\"time when the passkey challenge was last checked\"";
     }
   ];
+  bool user_verified = 2;
 }
 
 message SearchQuery {

proto/zitadel/session/v2alpha/session_service.proto

@@ -244,12 +244,7 @@ message CreateSessionRequest{
       description: "\"custom key value list to be stored on the session\"";
     }
   ];
-  repeated ChallengeKind challenges = 3;
-  string domain = 4 [
-    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
-      description: "\"Domain on which the session was created. Will be used for Passkey and U2F challenges.\"";
-    }
-  ];
+  RequestChallenges challenges = 3;
 }
 
 message CreateSessionResponse{
@@ -296,7 +291,7 @@ message SetSessionRequest{
       description: "\"custom key value list to be stored on the session\"";
     }
   ];
-  repeated ChallengeKind challenges = 5;
+  RequestChallenges challenges = 5;
 }
 
 message SetSessionResponse{
@@ -306,7 +301,7 @@ message SetSessionResponse{
       description: "\"token of the session, which is required for further updates of the session or the request other resources\"";
     }
   ];
-   Challenges challenges = 3;
+  Challenges challenges = 3;
 }
 
 message DeleteSessionRequest{
@@ -341,9 +336,9 @@ message Checks {
       description: "\"Checks the password and updates the session on success. Requires that the user is already checked, either in the previous or the same request.\"";
     }
   ];
-  optional CheckPasskey passkey = 3 [
+  optional CheckWebAuthN web_auth_n = 3 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
-      description: "\"Checks the public key credential issued by the passkey client. Requires that the user is already checked and a passkey challenge to be requested, in any previous request.\"";
+      description: "\"Checks the public key credential issued by the WebAuthN client. Requires that the user is already checked and a WebAuthN challenge to be requested, in any previous request.\"";
     }
   ];
   optional CheckIntent intent = 4 [
@@ -385,12 +380,12 @@ message CheckPassword {
   ];
 }
 
-message CheckPasskey {
+message CheckWebAuthN {
   google.protobuf.Struct credential_assertion_data = 1 [
     (validate.rules).message.required = true,
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
-      description: "JSON representation of public key credential issued by the passkey client";
+      description: "JSON representation of public key credential issued by the webAuthN client";
       min_length: 55;
       max_length: 1048576; //1 MB
     }