feat: session v2 passkey authentication (#5952)

internal/command/session_model.go

@@ -6,10 +6,31 @@ import (
 	"time"
 
 	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/session"
+	usr_repo "github.com/zitadel/zitadel/internal/repository/user"
 )
 
+type PasskeyChallengeModel struct {
+	Challenge          string
+	AllowedCrentialIDs [][]byte
+	UserVerification   domain.UserVerificationRequirement
+}
+
+func (p *PasskeyChallengeModel) WebAuthNLogin(human *domain.Human, credentialAssertionData []byte) (*domain.WebAuthNLogin, error) {
+	if p == nil {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Ioqu5", "Errors.Session.Passkey.NoChallenge")
+	}
+	return &domain.WebAuthNLogin{
+		ObjectRoot:              human.ObjectRoot,
+		CredentialAssertionData: credentialAssertionData,
+		Challenge:               p.Challenge,
+		AllowedCredentialIDs:    p.AllowedCrentialIDs,
+		UserVerification:        p.UserVerification,
+	}, nil
+}
+
 type SessionWriteModel struct {
 	eventstore.WriteModel
 
@@ -17,9 +38,12 @@ type SessionWriteModel struct {
 	UserID            string
 	UserCheckedAt     time.Time
 	PasswordCheckedAt time.Time
+	PasskeyCheckedAt  time.Time
 	Metadata          map[string][]byte
 	State             domain.SessionState
 
+	PasskeyChallenge *PasskeyChallengeModel
+
 	commands  []eventstore.Command
 	aggregate *eventstore.Aggregate
 }
@@ -44,6 +68,10 @@ func (wm *SessionWriteModel) Reduce() error {
 			wm.reduceUserChecked(e)
 		case *session.PasswordCheckedEvent:
 			wm.reducePasswordChecked(e)
+		case *session.PasskeyChallengedEvent:
+			wm.reducePasskeyChallenged(e)
+		case *session.PasskeyCheckedEvent:
+			wm.reducePasskeyChecked(e)
 		case *session.TokenSetEvent:
 			wm.reduceTokenSet(e)
 		case *session.TerminateEvent:
@@ -62,6 +90,8 @@ func (wm *SessionWriteModel) Query() *eventstore.SearchQueryBuilder {
 			session.AddedType,
 			session.UserCheckedType,
 			session.PasswordCheckedType,
+			session.PasskeyChallengedType,
+			session.PasskeyCheckedType,
 			session.TokenSetType,
 			session.MetadataSetType,
 			session.TerminateType,
@@ -87,6 +117,19 @@ func (wm *SessionWriteModel) reducePasswordChecked(e *session.PasswordCheckedEve
 	wm.PasswordCheckedAt = e.CheckedAt
 }
 
+func (wm *SessionWriteModel) reducePasskeyChallenged(e *session.PasskeyChallengedEvent) {
+	wm.PasskeyChallenge = &PasskeyChallengeModel{
+		Challenge:          e.Challenge,
+		AllowedCrentialIDs: e.AllowedCrentialIDs,
+		UserVerification:   e.UserVerification,
+	}
+}
+
+func (wm *SessionWriteModel) reducePasskeyChecked(e *session.PasskeyCheckedEvent) {
+	wm.PasskeyChallenge = nil
+	wm.PasskeyCheckedAt = e.CheckedAt
+}
+
 func (wm *SessionWriteModel) reduceTokenSet(e *session.TokenSetEvent) {
 	wm.TokenID = e.TokenID
 }
@@ -110,6 +153,17 @@ func (wm *SessionWriteModel) PasswordChecked(ctx context.Context, checkedAt time
 	wm.commands = append(wm.commands, session.NewPasswordCheckedEvent(ctx, wm.aggregate, checkedAt))
 }
 
+func (wm *SessionWriteModel) PasskeyChallenged(ctx context.Context, challenge string, allowedCrentialIDs [][]byte, userVerification domain.UserVerificationRequirement) {
+	wm.commands = append(wm.commands, session.NewPasskeyChallengedEvent(ctx, wm.aggregate, challenge, allowedCrentialIDs, userVerification))
+}
+
+func (wm *SessionWriteModel) PasskeyChecked(ctx context.Context, checkedAt time.Time, tokenID string, signCount uint32) {
+	wm.commands = append(wm.commands,
+		session.NewPasskeyCheckedEvent(ctx, wm.aggregate, checkedAt),
+		usr_repo.NewHumanPasswordlessSignCountChangedEvent(ctx, wm.aggregate, tokenID, signCount),
+	)
+}
+
 func (wm *SessionWriteModel) SetToken(ctx context.Context, tokenID string) {
 	wm.commands = append(wm.commands, session.NewTokenSetEvent(ctx, wm.aggregate, tokenID))
 }