choose factor when multiple, register u2f, verify u2f

2025-12-13 16:53:05 +00:00 · 2024-04-30 10:39:34 +02:00
parent 88030ff2b9
commit b01ca12e53
13 changed files with 863 additions and 235 deletions
--- a/apps/login/app/api/u2f/route.ts
+++ b/apps/login/app/api/u2f/route.ts
@@ -0,0 +1,50 @@
+import {
+  createPasskeyRegistrationLink,
+  getSession,
+  registerPasskey,
+  registerU2F,
+  server,
+} from "#/lib/zitadel";
+import { getSessionCookieById } from "#/utils/cookies";
+import { NextRequest, NextResponse } from "next/server";
+
+export async function POST(request: NextRequest) {
+  const body = await request.json();
+  if (body) {
+    const { sessionId } = body;
+
+    const sessionCookie = await getSessionCookieById(sessionId);
+
+    const session = await getSession(
+      server,
+      sessionCookie.id,
+      sessionCookie.token
+    );
+
+    const domain: string = request.nextUrl.hostname;
+
+    const userId = session?.session?.factors?.user?.id;
+
+    if (userId) {
+      // TODO: add org context
+      return createPasskeyRegistrationLink(userId, sessionCookie.token)
+        .then((resp) => {
+          const code = resp.code;
+          return registerU2F(userId, domain).then((resp) => {
+            return NextResponse.json(resp);
+          });
+        })
+        .catch((error) => {
+          console.error("error on creating passkey registration link");
+          return NextResponse.json(error, { status: 500 });
+        });
+    } else {
+      return NextResponse.json(
+        { details: "could not get session" },
+        { status: 500 }
+      );
+    }
+  } else {
+    return NextResponse.json({}, { status: 400 });
+  }
+}
--- a/apps/login/app/api/u2f/set/route.ts
+++ b/apps/login/app/api/u2f/set/route.ts
@@ -0,0 +1,70 @@
+import {
+  SessionCookie,
+  getMostRecentSessionCookie,
+  getSessionCookieById,
+  getSessionCookieByLoginName,
+} from "#/utils/cookies";
+import { setSessionAndUpdateCookie } from "#/utils/session";
+import { Checks } from "@zitadel/server";
+import { NextRequest, NextResponse, userAgent } from "next/server";
+
+export async function POST(request: NextRequest) {
+  const body = await request.json();
+
+  if (body) {
+    const { loginName, sessionId, organization, authRequestId, code, method } =
+      body;
+
+    const recentPromise: Promise<SessionCookie> = sessionId
+      ? getSessionCookieById(sessionId).catch((error) => {
+          return Promise.reject(error);
+        })
+      : loginName
+      ? getSessionCookieByLoginName(loginName, organization).catch((error) => {
+          return Promise.reject(error);
+        })
+      : getMostRecentSessionCookie().catch((error) => {
+          return Promise.reject(error);
+        });
+
+    return recentPromise
+      .then((recent) => {
+        const checks: Checks = {};
+
+        if (method === "time-based") {
+          checks.totp = {
+            code,
+          };
+        } else if (method === "sms") {
+          checks.otpSms = {
+            code,
+          };
+        } else if (method === "email") {
+          checks.otpEmail = {
+            code,
+          };
+        }
+
+        return setSessionAndUpdateCookie(
+          recent,
+          checks,
+          undefined,
+          authRequestId
+        ).then((session) => {
+          return NextResponse.json({
+            sessionId: session.id,
+            factors: session.factors,
+            challenges: session.challenges,
+          });
+        });
+      })
+      .catch((error) => {
+        return NextResponse.json({ details: error }, { status: 500 });
+      });
+  } else {
+    return NextResponse.json(
+      { details: "Request body is missing" },
+      { status: 400 }
+    );
+  }
+}