igm/publisher-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement auth procedures with code review fixes

Browse Source 
Add complete auth backend (Workstream D):
- Auth middleware for session/API key authentication
- Signup with password or passkey (WebAuthn)
- Login flow with device trust and email confirmation
- Password reset and email verification
- Session management and logout

Utilities created:
- cookies.ts: Cookie helpers and configuration
- crypto.ts: Token generation and hashing
- password.ts: zxcvbn validation, argon2id hashing
- geo.ts: IP/location extraction from headers
- email.ts: Stubbed email sending
- session.ts: Session creation and device trust

Code review improvements applied:
- Use ORPCError instead of Error in procedures
- Add ast-grep rule to enforce ORPCError usage
- Remove error info leakage (generic messages)
- Optimize N+1 query with JOIN in login-password
- Extract signupWithPassword/signupWithPasskey for testability
- Add 15-minute WebAuthn challenge expiry check
- Strengthen CookieOptions type definitions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
RevIQ
2026-01-09 15:19:15 +08:00
parent 8de88472b1
commit 829d365e80
24 changed files with 1739 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
apps/api-server/src/utils/webauthn.ts
View File

@@ -3,6 +3,7 @@
*/
import type { Database } from "@reviq/db-schema";
import type { VerifiedRegistrationResponse } from "@simplewebauthn/server";
import type {
AuthenticationResponseJSON,
PublicKeyCredentialCreationOptionsJSON,
@@ -11,7 +12,6 @@ import type {
} from "@simplewebauthn/types";
import type { Kysely } from "kysely";
import type { ParsedPasskey, PasskeyRow } from "./passkey-helpers.js";
import type { VerifiedRegistrationResponse } from "@simplewebauthn/server";
import {
generateAuthenticationOptions,
generateRegistrationOptions,
@@ -23,7 +23,7 @@ import { formatPasskeyDate, parsePasskeyRow } from "./passkey-helpers.js";
/**
* Known authenticator AAGUIDs mapped to friendly names
*/
const KNOWN_AAGUIDS: Record<string, string> = {
export const KNOWN_AAGUIDS: Record<string, string> = {
"ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4": "Google Password Manager",
"adce0002-35bc-c60a-648b-0b25f1f05503": "Chrome on Mac",
"08987058-cadc-4b81-b6e1-30de50dcbe96": "Windows Hello",