mirror of https://github.com/bitwarden/browser synced 2026-02-21 11:54:02 +00:00

Scaffold OS user verification

Isaiah Inuwa
2026-01-07 10:20:09 -06:00
parent bcaefeac47
commit 2442e6048e
17 changed files with 419 additions and 31 deletions


@@ -12,13 +12,16 @@ export abstract class Fido2AuthenticatorService<ParentWindowReference> {
* https://www.w3.org/TR/webauthn-3/#sctn-op-make-cred
*
* @param params Parameters for creating a new credential
* @param window A reference to the window of the WebAuthn client.
* @param abortController An AbortController that can be used to abort the operation.
* @param transactionContext Context from the original WebAuthn request used for callbacks back to the WebAuthn client for user verification.
* @returns A promise that resolves with the new credential and an attestation signature.
**/
abstract makeCredential(
params: Fido2AuthenticatorMakeCredentialsParams,
window: ParentWindowReference,
abortController?: AbortController,
transactionContext?: string,
): Promise<Fido2AuthenticatorMakeCredentialResult>;
/**
@@ -26,13 +29,16 @@ export abstract class Fido2AuthenticatorService<ParentWindowReference> {
* https://www.w3.org/TR/webauthn-3/#sctn-op-get-assertion
*
* @param params Parameters for generating an assertion
* @param window A reference to the window of the WebAuthn client.
* @param abortController An AbortController that can be used to abort the operation.
* @param transactionContext Context from the original WebAuthn request used for callbacks back to the WebAuthn client for user verification.
* @returns A promise that resolves with the asserted credential and an assertion signature.
*/
abstract getAssertion(
params: Fido2AuthenticatorGetAssertionParams,
window: ParentWindowReference,
abortController?: AbortController,
transactionContext?: string,
): Promise<Fido2AuthenticatorGetAssertionResult>;
/**
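Review bot: The new `@param transactionContext` text on `makeCredential` and `getAssertion` (and the identical sentence on `newSession` in the UI-service abstraction) does not say what the string contains, who may produce it, or what an implementation must do when it is omitted. Because the value is used for user-verification callbacks, the contract should be explicit, for example `@param transactionContext Opaque value supplied by the WebAuthn client for this request only; implementations must not parse or reuse it, and when it is absent OS user verification is unavailable and must not be reported as performed.` The fail-closed wording is my assumption about the intended behaviour, since the platform implementations are not visible in these hunks; please confirm it before adopting the text.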


@@ -65,12 +65,15 @@ export abstract class Fido2UserInterfaceService<ParentWindowReference> {
* Note: This will not necessarily open a window until it is needed to request something from the user.
*
* @param fallbackSupported Whether or not the browser natively supports WebAuthn.
* @param window A reference to the window of the WebAuthn client.
* @param abortController An abort controller that can be used to cancel/close the session.
* @param transactionContext Context from the original WebAuthn request used for callbacks back to the WebAuthn client for user verification.
*/
abstract newSession(
fallbackSupported: boolean,
window: ParentWindowReference,
abortController?: AbortController,
transactionContext?: string,
): Promise<Fido2UserInterfaceSession>;
}
@@ -79,7 +82,6 @@ export abstract class Fido2UserInterfaceSession {
* Ask the user to pick a credential from a list of existing credentials.
*
* @param params The parameters to use when asking the user to pick a credential.
* @param abortController An abort controller that can be used to cancel/close the session.
* @returns The ID of the cipher that contains the credentials the user picked. If not cipher was picked, return cipherId = undefined to to let the authenticator throw the error.
*/
abstract pickCredential(
@@ -90,7 +92,6 @@ export abstract class Fido2UserInterfaceSession {
* Ask the user to confirm the creation of a new credential.
*
* @param params The parameters to use when asking the user to confirm the creation of a new credential.
* @param abortController An abort controller that can be used to cancel/close the session.
* @returns The ID of the cipher where the new credential should be saved.
*/
abstract confirmNewCredential(
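Review bot: `newSession` now takes `transactionContext` as a fourth positional optional parameter after the already-optional `abortController`, so a caller with a context but no abort controller has to write `newSession(fallbackSupported, window, undefined, ctx)`, and a caller that forgets the argument still type-checks. For a value that feeds user verification, a silently dropped argument is the failure mode worth designing out. Consider an options object such as `options?: { abortController?: AbortController; transactionContext?: string }`, or at least a named alias like `type TransactionContext = string`, so call sites are greppable and cannot swap it with another string. The same positional shape is added to `makeCredential` and `getAssertion` in the authenticator abstraction.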


@@ -61,11 +61,13 @@ export class Fido2AuthenticatorService<
params: Fido2AuthenticatorMakeCredentialsParams,
window: ParentWindowReference,
abortController?: AbortController,
transactionContext?: string,
): Promise<Fido2AuthenticatorMakeCredentialResult> {
const userInterfaceSession = await this.userInterface.newSession(
params.fallbackSupported,
window,
abortController,
transactionContext,
);
try {
@@ -128,6 +130,7 @@ export class Fido2AuthenticatorService<
let userVerified = false;
let credentialId: string;
let pubKeyDer: ArrayBuffer;
const response = await userInterfaceSession.confirmNewCredential({
credentialName: params.rpEntity.name,
userName: params.userEntity.name,
@@ -230,11 +233,13 @@ export class Fido2AuthenticatorService<
params: Fido2AuthenticatorGetAssertionParams,
window: ParentWindowReference,
abortController?: AbortController,
transactionContext?: string,
): Promise<Fido2AuthenticatorGetAssertionResult> {
const userInterfaceSession = await this.userInterface.newSession(
params.fallbackSupported,
window,
abortController,
transactionContext,
);
try {
if (