feat(clerk-js): Adds experimental support for registering a passkey (#2884)

* feat(clerk-js): Adds experimental support for registering a passkey

* chore(clerk-js): Add changelog

* fix(clerk-js): Align endpoints and payload

* chore(clerk-js): Support create endpoint for passkeys

* test(clerk-js): Test transformations for webauthn payloads

* chore(remix): Minor refactor

* chore(clerk-js): Update experimental prefix

* chore(clerk-js): Use nonce and convert it to publicKey

- Remove prepare verification step
- Update environment to handle passkey attribute

* chore(clerk-js): Improve comments

Author: panteliselef

.changeset/late-insects-doubt.md

@@ -0,0 +1,7 @@
+---
+'@clerk/clerk-js': minor
+'@clerk/types': minor
+---
+
+Experimental support for a user to register a passkey for their account.
+Usage: `await clerk.user.__experimental__createPasskey()`

packages/clerk-js/src/core/resources/Passkey.ts

@@ -0,0 +1,132 @@
+import type { PasskeyJSON, PasskeyResource, PasskeyVerificationResource } from '@clerk/types';
+
+import { unixEpochToDate } from '../../utils/date';
+import type { PublicKeyCredentialWithAuthenticatorAttestationResponse } from '../../utils/passkeys';
+import {
+  isWebAuthnPlatformAuthenticatorSupported,
+  serializePublicKeyCredential,
+  webAuthnCreateCredential,
+} from '../../utils/passkeys';
+import { BaseResource, ClerkRuntimeError, PasskeyVerification } from './internal';
+
+export class Passkey extends BaseResource implements PasskeyResource {
+  id!: string;
+  pathRoot = '/me/passkeys';
+  credentialId: string | null = null;
+  verification: PasskeyVerificationResource | null = null;
+  name: string | null = null;
+  lastUsedAt: Date | null = null;
+  createdAt!: Date;
+  updatedAt!: Date;
+
+  public constructor(data: PasskeyJSON) {
+    super();
+    this.fromJSON(data);
+  }
+
+  private static async create() {
+    return BaseResource._fetch({
+      path: `/me/passkeys`,
+      method: 'POST',
+    }).then(res => new Passkey(res?.response as PasskeyJSON));
+  }
+
+  private static async attemptVerification(
+    passkeyId: string,
+    credential: PublicKeyCredentialWithAuthenticatorAttestationResponse,
+  ) {
+    const jsonPublicKeyCredential = serializePublicKeyCredential(credential);
+    return BaseResource._fetch({
+      path: `/me/passkeys/${passkeyId}/attempt_verification`,
+      method: 'POST',
+      body: { strategy: 'passkey', publicKeyCredential: JSON.stringify(jsonPublicKeyCredential) } as any,
+    }).then(res => new Passkey(res?.response as PasskeyJSON));
+  }
+
+  /**
+   * TODO-PASSKEYS: Implement this later
+   *
+   * GET /v1/me/passkeys
+   */
+  static async get() {}
+
+  /**
+   * Developers should not be able to create a new Passkeys from an already instanced object
+   */
+  static async registerPasskey() {
+    /**
+     * The UI should always prevent from this method being called if WebAuthn is not supported.
+     * As a precaution we need to check if WebAuthn is supported.
+     */
+
+    /**
+     * TODO-PASSKEYS: First simply check if webauthn is supported and check for this only when
+     * publicKey?.authenticatorSelection.authenticatorAttachment === 'platform'
+     */
+    if (!(await isWebAuthnPlatformAuthenticatorSupported())) {
+      throw new ClerkRuntimeError('Platform authenticator is not supported', {
+        code: 'passkeys_unsupported_platform_authenticator',
+      });
+    }
+
+    const passkey = await this.create();
+
+    const { verification } = passkey;
+
+    const publicKey = verification?.publicKey;
+
+    // This should never occur such a fail-safe
+    if (!publicKey) {
+      // TODO-PASSKEYS: Implement this later
+      throw 'Missing key';
+    }
+
+    // Invoke the WebAuthn create() method.
+    const { publicKeyCredential, error } = await webAuthnCreateCredential(publicKey);
+
+    if (!publicKeyCredential) {
+      throw error;
+    }
+
+    return this.attemptVerification(passkey.id, publicKeyCredential);
+  }
+
+  /**
+   * TODO-PASSKEYS: Implement this later
+   *
+   * PATCH /v1/me/passkeys/{passkeyIdentificationID}
+   */
+  update = (): Promise<PasskeyResource> => this._basePatch();
+
+  /**
+   * TODO-PASSKEYS: Implement this later
+   *
+   * DELETE /v1/me/passkeys/{passkeyIdentificationID}
+   */
+  destroy = (): Promise<void> => this._baseDelete();
+
+  /**
+   * TODO-PASSKEYS: Implement this later
+   *
+   * GET /v1/me/passkeys/{passkeyIdentificationID}
+   */
+  reload = () => this._baseGet();
+
+  protected fromJSON(data: PasskeyJSON | null): this {
+    if (!data) {
+      return this;
+    }
+
+    this.id = data.id;
+    this.credentialId = data.credential_id;
+    this.name = data.name;
+    this.lastUsedAt = data.last_used_at ? unixEpochToDate(data.last_used_at) : null;
+    this.createdAt = unixEpochToDate(data.created_at);
+    this.updatedAt = unixEpochToDate(data.updated_at);
+
+    if (data.verification) {
+      this.verification = new PasskeyVerification(data.verification);
+    }
+    return this;
+  }
+}

packages/clerk-js/src/core/resources/User.ts

@@ -15,6 +15,7 @@ import type {
   GetUserOrganizationSuggestionsParams,
   ImageResource,
   OrganizationMembershipResource,
+  PasskeyResource,
   PhoneNumberResource,
   RemoveUserPasswordParams,
   SamlAccountResource,
@@ -41,6 +42,7 @@ import {
   Image,
   OrganizationMembership,
   OrganizationSuggestion,
+  Passkey,
   PhoneNumber,
   SamlAccount,
   SessionWithActivities,
@@ -124,6 +126,14 @@ export class User extends BaseResource implements UserResource {
     ).create();
   };
 
+  /**
+   * @experimental
+   * This method is experimental, avoid using this in production applications
+   */
+  __experimental_createPasskey = (): Promise<PasskeyResource> => {
+    return Passkey.registerPasskey();
+  };
+
   createPhoneNumber = (params: CreatePhoneNumberParams): Promise<PhoneNumberResource> => {
     const { phoneNumber } = params || {};
     return new PhoneNumber(

packages/clerk-js/src/core/resources/Verification.ts

@@ -1,6 +1,9 @@
 import { parseError } from '@clerk/shared/error';
 import type {
   ClerkAPIError,
+  PasskeyVerificationResource,
+  PublicKeyCredentialCreationOptionsJSON,
+  PublicKeyCredentialCreationOptionsWithoutExtensions,
   SignUpVerificationJSON,
   SignUpVerificationResource,
   SignUpVerificationsJSON,
@@ -11,6 +14,7 @@ import type {
 } from '@clerk/types';
 
 import { unixEpochToDate } from '../../utils/date';
+import { convertJSONToPublicKeyCreateOptions } from '../../utils/passkeys';
 import { BaseResource } from './internal';
 
 export class Verification extends BaseResource implements VerificationResource {
@@ -53,6 +57,27 @@ export class Verification extends BaseResource implements VerificationResource {
   }
 }
 
+export class PasskeyVerification extends Verification implements PasskeyVerificationResource {
+  publicKey: PublicKeyCredentialCreationOptionsWithoutExtensions | null = null;
+
+  constructor(data: VerificationJSON | null) {
+    super(data);
+    this.fromJSON(data);
+  }
+
+  /**
+   * Transform base64url encoded strings to ArrayBuffer
+   */
+  protected fromJSON(data: VerificationJSON | null): this {
+    if (data?.nonce) {
+      this.publicKey = convertJSONToPublicKeyCreateOptions(
+        JSON.parse(data.nonce) as PublicKeyCredentialCreationOptionsJSON,
+      );
+    }
+    return this;
+  }
+}
+
 export class SignUpVerifications implements SignUpVerificationsResource {
   emailAddress: SignUpVerificationResource;
   phoneNumber: SignUpVerificationResource;

packages/clerk-js/src/core/resources/internal.ts

@@ -20,6 +20,7 @@ export * from './OrganizationMembershipRequest';
 export * from './OrganizationSuggestion';
 export * from './SamlAccount';
 export * from './Session';
+export * from './Passkey';
 export * from './PublicUserData';
 export * from './SessionWithActivities';
 export * from './SignIn';

packages/clerk-js/src/utils/__tests__/passkeys.test.ts

@@ -0,0 +1,84 @@
+import type { PublicKeyCredentialCreationOptionsJSON } from '@clerk/types';
+
+import type { PublicKeyCredentialWithAuthenticatorAttestationResponse } from '../passkeys';
+import { bufferToBase64Url, convertJSONToPublicKeyCreateOptions, serializePublicKeyCredential } from '../passkeys';
+
+describe('Passkey utils', () => {
+  describe('serialization', () => {
+    it('convertJSONToPublicKeyCreateOptions()', () => {
+      const pkCreateOptions: PublicKeyCredentialCreationOptionsJSON = {
+        rp: {
+          name: 'clerk.com',
+          id: 'clerk.com',
+        },
+        user: {
+          name: 'clerkUser',
+          displayName: 'Clerk User',
+          id: 'dXNlcl8xMjM', // user_123 encoded as base64url
+        },
+        excludeCredentials: [
+          {
+            type: 'public-key',
+            id: 'cmFuZG9tX2lk',
+          },
+        ],
+        authenticatorSelection: {
+          requireResidentKey: true,
+          residentKey: 'required',
+          userVerification: 'required',
+        },
+        attestation: 'none',
+        pubKeyCredParams: [
+          {
+            type: 'public-key',
+            alg: -7,
+          },
+        ],
+        timeout: 10000,
+        challenge: 'Y2hhbGxlbmdlXzEyMw', // challenge_123 encoded as base64url
+      };
+
+      const result = convertJSONToPublicKeyCreateOptions(pkCreateOptions);
+
+      expect(result.rp).toEqual({
+        name: 'clerk.com',
+        id: 'clerk.com',
+      });
+
+      expect(result.attestation).toEqual('none');
+      expect(result.authenticatorSelection).toEqual({
+        requireResidentKey: true,
+        residentKey: 'required',
+        userVerification: 'required',
+      });
+
+      expect(bufferToBase64Url(result.user.id)).toEqual(pkCreateOptions.user.id);
+
+      expect(bufferToBase64Url(result.excludeCredentials[0].id)).toEqual(pkCreateOptions.excludeCredentials[0].id);
+    });
+
+    it('serializePublicKeyCredential()', () => {
+      const publicKeyCredential: PublicKeyCredentialWithAuthenticatorAttestationResponse = {
+        type: 'public-key',
+        id: 'credentialId_123',
+        rawId: new Uint8Array([99, 114, 101, 100, 101, 110, 116, 105, 97, 108, 73, 100, 95, 49, 50, 51]),
+        authenticatorAttachment: 'cross-platform',
+        response: {
+          clientDataJSON: new Uint8Array([110, 116, 105, 97]),
+          attestationObject: new Uint8Array([108, 73, 100, 95, 49]),
+          getTransports: () => ['usb'],
+        },
+      };
+
+      const result = serializePublicKeyCredential(publicKeyCredential);
+
+      expect(result.type).toEqual('public-key');
+      expect(result.id).toEqual('credentialId_123');
+      expect(result.rawId).toEqual('Y3JlZGVudGlhbElkXzEyMw');
+
+      expect(result.response.clientDataJSON).toEqual('bnRpYQ');
+      expect(result.response.attestationObject).toEqual('bElkXzE');
+      expect(result.response.transports).toEqual(['usb']);
+    });
+  });
+});

packages/clerk-js/src/utils/passkeys.ts

@@ -0,0 +1,176 @@
+import { isValidBrowser } from '@clerk/shared/browser';
+import { ClerkRuntimeError } from '@clerk/shared/error';
+import type {
+  PublicKeyCredentialCreationOptionsJSON,
+  PublicKeyCredentialCreationOptionsWithoutExtensions,
+} from '@clerk/types';
+
+type PublicKeyCredentialWithAuthenticatorAttestationResponse = Omit<
+  PublicKeyCredential,
+  'response' | 'getClientExtensionResults'
+> & {
+  response: Omit<AuthenticatorAttestationResponse, 'getAuthenticatorData' | 'getPublicKey' | 'getPublicKeyAlgorithm'>;
+};
+
+type WebAuthnCreateCredentialReturn =
+  | {
+      publicKeyCredential: PublicKeyCredentialWithAuthenticatorAttestationResponse;
+      error: null;
+    }
+  | {
+      publicKeyCredential: null;
+      error: ClerkWebAuthnError | Error;
+    };
+
+type ClerkWebAuthnErrorCode = 'passkey_exists' | 'passkey_registration_cancelled' | 'passkey_credential_failed';
+
+function isWebAuthnSupported() {
+  return (
+    isValidBrowser() &&
+    // Check if `PublicKeyCredential` is a constructor
+    typeof window.PublicKeyCredential === 'function'
+  );
+}
+
+async function isWebAuthnAutofillSupported(): Promise<boolean> {
+  try {
+    return isWebAuthnSupported() && (await window.PublicKeyCredential.isConditionalMediationAvailable());
+  } catch (e) {
+    return false;
+  }
+}
+
+async function isWebAuthnPlatformAuthenticatorSupported(): Promise<boolean> {
+  try {
+    return (
+      typeof window !== 'undefined' &&
+      (await window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable())
+    );
+  } catch (e) {
+    return false;
+  }
+}
+
+class Base64Converter {
+  static encode(buffer: ArrayBuffer): string {
+    return btoa(String.fromCharCode(...new Uint8Array(buffer)))
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+      .replace(/=+$/, '');
+  }
+
+  static decode(base64url: string): ArrayBuffer {
+    // TODO-PASSKEYS: check if this can be replaced with Buffer.from(base64url, 'base64');
+    const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+
+    const binaryString = atob(base64);
+    const length = binaryString.length;
+    const bytes = new Uint8Array(length);
+    for (let i = 0; i < length; i++) {
+      bytes[i] = binaryString.charCodeAt(i);
+    }
+    return bytes.buffer;
+  }
+}
+
+async function webAuthnCreateCredential(
+  publicKeyOptions: PublicKeyCredentialCreationOptionsWithoutExtensions,
+): Promise<WebAuthnCreateCredentialReturn> {
+  try {
+    // Typescript types are not aligned with the spec. These type assertions are required to comply with the spec.
+    const credential = (await navigator.credentials.create({
+      publicKey: publicKeyOptions,
+    })) as PublicKeyCredential | null;
+
+    if (!credential) {
+      return {
+        error: new ClerkWebAuthnError('Browser failed to create credential', { code: 'passkey_credential_failed' }),
+        publicKeyCredential: null,
+      };
+    }
+
+    // Typescript types are not aligned with the spec. These type assertions are required to comply with the spec.
+    const res = credential.response as AuthenticatorAttestationResponse;
+
+    return { publicKeyCredential: { ...credential, response: res }, error: null };
+  } catch (e) {
+    return { error: handlePublicKeyCreateError(e), publicKeyCredential: null };
+  }
+}
+
+/**
+ * Map webauthn errors from `navigator.credentials.create()` to Clerk-js errors
+ * @param error
+ */
+function handlePublicKeyCreateError(error: Error): ClerkWebAuthnError | ClerkRuntimeError | Error {
+  if (error.name === 'InvalidStateError') {
+    return new ClerkWebAuthnError(error.message, { code: 'passkey_exists' });
+  } else if (error.name === 'NotAllowedError') {
+    return new ClerkWebAuthnError(error.message, { code: 'passkey_registration_cancelled' });
+  }
+  return error;
+}
+
+function convertJSONToPublicKeyCreateOptions(jsonPublicKey: PublicKeyCredentialCreationOptionsJSON) {
+  const userIdBuffer = base64UrlToBuffer(jsonPublicKey.user.id);
+  const challengeBuffer = base64UrlToBuffer(jsonPublicKey.challenge);
+
+  const excludeCredentialsWithBuffer = (jsonPublicKey.excludeCredentials || []).map(cred => ({
+    ...cred,
+    id: base64UrlToBuffer(cred.id),
+  }));
+
+  return {
+    ...jsonPublicKey,
+    excludeCredentials: excludeCredentialsWithBuffer,
+    challenge: challengeBuffer,
+    user: {
+      ...jsonPublicKey.user,
+      id: userIdBuffer,
+    },
+  } as PublicKeyCredentialCreationOptionsWithoutExtensions;
+}
+
+function serializePublicKeyCredential(publicKeyCredential: PublicKeyCredentialWithAuthenticatorAttestationResponse) {
+  const response = publicKeyCredential.response;
+  return {
+    type: publicKeyCredential.type,
+    id: publicKeyCredential.id,
+    rawId: bufferToBase64Url(publicKeyCredential.rawId),
+    authenticatorAttachment: publicKeyCredential.authenticatorAttachment,
+    response: {
+      clientDataJSON: bufferToBase64Url(response.clientDataJSON),
+      attestationObject: bufferToBase64Url(response.attestationObject),
+      transports: response.getTransports(),
+    },
+  };
+}
+
+const bufferToBase64Url = Base64Converter.encode.bind(Base64Converter);
+const base64UrlToBuffer = Base64Converter.decode.bind(Base64Converter);
+
+export class ClerkWebAuthnError extends ClerkRuntimeError {
+  /**
+   * A unique code identifying the error, can be used for localization.
+   */
+  code: ClerkWebAuthnErrorCode;
+
+  constructor(message: string, { code }: { code: ClerkWebAuthnErrorCode }) {
+    super(message, { code });
+    this.code = code;
+  }
+}
+
+export {
+  isWebAuthnPlatformAuthenticatorSupported,
+  isWebAuthnAutofillSupported,
+  isWebAuthnSupported,
+  base64UrlToBuffer,
+  bufferToBase64Url,
+  handlePublicKeyCreateError,
+  webAuthnCreateCredential,
+  convertJSONToPublicKeyCreateOptions,
+  serializePublicKeyCredential,
+};
+
+export type { PublicKeyCredentialWithAuthenticatorAttestationResponse };

packages/shared/src/error.ts

@@ -139,7 +139,7 @@ export class ClerkRuntimeError extends Error {
   message: string;
 
   /**
-   * A unique code identifying the error, used for localization
+   * A unique code identifying the error, can be used for localization.
    *
    * @type {string}
    * @memberof ClerkRuntimeError

packages/types/src/index.ts

@@ -54,3 +54,4 @@ export * from './web3';
 export * from './web3Wallet';
 export * from './customPages';
 export * from './pagination';
+export * from './passkey';

packages/types/src/json.ts

@@ -136,6 +136,17 @@ export interface PhoneNumberJSON extends ClerkResourceJSON {
   backup_codes?: string[];
 }
 
+export interface PasskeyJSON extends ClerkResourceJSON {
+  object: 'passkey';
+  id: string;
+  credential_id: string | null;
+  name: string | null;
+  verification: VerificationJSON | null;
+  last_used_at: number | null;
+  updated_at: number;
+  created_at: number;
+}
+
 export interface Web3WalletJSON extends ClerkResourceJSON {
   object: 'web3_wallet';
   id: string;
@@ -437,3 +448,43 @@ export interface DeletedObjectJSON {
 
 export type SignInFirstFactorJSON = CamelToSnake<SignInFirstFactor>;
 export type SignInSecondFactorJSON = CamelToSnake<SignInSecondFactor>;
+
+/**
+ * Types for WebAuthN passkeys
+ */
+
+type Base64UrlString = string;
+
+interface PublicKeyCredentialUserEntityJSON {
+  name: string;
+  displayName: string;
+  id: Base64UrlString;
+}
+
+export interface ExcludedCredentialJSON {
+  type: 'public-key';
+  id: Base64UrlString;
+  transports?: ('ble' | 'hybrid' | 'internal' | 'nfc' | 'usb')[];
+}
+
+interface AuthenticatorSelectionCriteriaJSON {
+  requireResidentKey: boolean;
+  residentKey: 'discouraged' | 'preferred' | 'required';
+  userVerification: 'discouraged' | 'preferred' | 'required';
+}
+
+export interface PublicKeyCredentialCreationOptionsJSON {
+  rp: PublicKeyCredentialRpEntity;
+  user: PublicKeyCredentialUserEntityJSON;
+  challenge: Base64UrlString;
+  pubKeyCredParams: PublicKeyCredentialParameters[];
+  timeout: number;
+  excludeCredentials: ExcludedCredentialJSON[];
+  authenticatorSelection: AuthenticatorSelectionCriteriaJSON;
+  attestation: 'direct' | 'enterprise' | 'indirect' | 'none';
+}
+
+// TODO-PASSKEYS: Decide if we are keeping this
+// export interface PassKeyVerificationJSON extends VerificationJSON {
+//   publicKey: PublicKeyCredentialCreationOptionsJSON | null;
+// }

packages/types/src/passkey.ts

@@ -0,0 +1,14 @@
+import type { ClerkResource } from './resource';
+import type { PasskeyVerificationResource } from './verification';
+
+export interface PublicKeyOptions extends PublicKeyCredentialCreationOptions {}
+
+export interface PasskeyResource extends ClerkResource {
+  id: string;
+  credentialId: string | null;
+  name: string | null;
+  verification: PasskeyVerificationResource | null;
+  lastUsedAt: Date | null;
+  updatedAt: Date;
+  createdAt: Date;
+}

packages/types/src/user.ts

@@ -9,6 +9,7 @@ import type { OrganizationInvitationStatus } from './organizationInvitation';
 import type { OrganizationMembershipResource } from './organizationMembership';
 import type { OrganizationSuggestionResource, OrganizationSuggestionStatus } from './organizationSuggestion';
 import type { ClerkPaginatedResponse, ClerkPaginationParams } from './pagination';
+import type { PasskeyResource } from './passkey';
 import type { PhoneNumberResource } from './phoneNumber';
 import type { ClerkResource } from './resource';
 import type { SamlAccountResource } from './samlAccount';
@@ -88,6 +89,12 @@ export interface UserResource extends ClerkResource {
   updatePassword: (params: UpdateUserPasswordParams) => Promise<UserResource>;
   removePassword: (params: RemoveUserPasswordParams) => Promise<UserResource>;
   createEmailAddress: (params: CreateEmailAddressParams) => Promise<EmailAddressResource>;
+
+  /**
+   * @experimental
+   * This method is experimental, avoid using this in production applications
+   */
+  __experimental_createPasskey: () => Promise<PasskeyResource>;
   createPhoneNumber: (params: CreatePhoneNumberParams) => Promise<PhoneNumberResource>;
   createWeb3Wallet: (params: CreateWeb3WalletParams) => Promise<Web3WalletResource>;
   isPrimaryIdentification: (ident: EmailAddressResource | PhoneNumberResource | Web3WalletResource) => boolean;

packages/types/src/userSettings.ts

@@ -11,7 +11,8 @@ export type Attribute =
   | 'password'
   | 'web3_wallet'
   | 'authenticator_app'
-  | 'backup_code';
+  | 'backup_code'
+  | 'passkey';
 
 export type VerificationStrategy = 'email_link' | 'email_code' | 'phone_code' | 'totp' | 'backup_code';
 

packages/types/src/verification.ts

@@ -13,6 +13,14 @@ export interface VerificationResource extends ClerkResource {
   verifiedFromTheSameClient: () => boolean;
 }
 
+export type PublicKeyCredentialCreationOptionsWithoutExtensions = Omit<
+  Required<PublicKeyCredentialCreationOptions>,
+  'extensions'
+>;
+export interface PasskeyVerificationResource extends VerificationResource {
+  publicKey: PublicKeyCredentialCreationOptionsWithoutExtensions | null;
+}
+
 export type VerificationStatus = 'unverified' | 'verified' | 'transferable' | 'failed' | 'expired';
 
 export interface CodeVerificationAttemptParam {