feat: Dashboard WebAuthn support (#984)

coolbueb · niftyvictor · porcellus · web-flow · commit 175a3a3afd56 · 2025-03-26T20:43:36.000+01:00
* added support for webauthn user editing

* bumped version

* chore: update version and rebuild

---------

Co-authored-by: Victor Bojica &lt;victor@niftylearning.io&gt;
Co-authored-by: Mihaly Lengyel &lt;mihaly@lengyel.tech&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
 
+## [22.0.1] - 2025-03-26
+
+-   Added Dashboard support for WebAuthn
+
 ## [22.0.0] - 2025-03-19
 
 ### Breaking changes
diff --git a/lib/build/recipe/dashboard/api/multitenancy/utils.js b/lib/build/recipe/dashboard/api/multitenancy/utils.js
@@ -66,6 +66,7 @@ function factorIdToRecipe(factorId) {
         "link-email": "Passwordless",
         "link-phone": "Passwordless",
         totp: "Totp",
+        webauthn: "WebAuthn",
     };
     return factorIdToRecipe[factorId];
 }
diff --git a/lib/build/recipe/dashboard/api/userdetails/userPut.js b/lib/build/recipe/dashboard/api/userdetails/userPut.js
@@ -9,10 +9,12 @@ exports.userPut = void 0;
 const error_1 = __importDefault(require("../../../../error"));
 const recipe_1 = __importDefault(require("../../../emailpassword/recipe"));
 const recipe_2 = __importDefault(require("../../../passwordless/recipe"));
+const recipe_3 = __importDefault(require("../../../webauthn/recipe"));
 const emailpassword_1 = __importDefault(require("../../../emailpassword"));
 const passwordless_1 = __importDefault(require("../../../passwordless"));
+const webauthn_1 = __importDefault(require("../../../webauthn"));
 const utils_1 = require("../../utils");
-const recipe_3 = __importDefault(require("../../../usermetadata/recipe"));
+const recipe_4 = __importDefault(require("../../../usermetadata/recipe"));
 const usermetadata_1 = __importDefault(require("../../../usermetadata"));
 const constants_1 = require("../../../emailpassword/constants");
 const utils_2 = require("../../../passwordless/utils");
@@ -99,6 +101,33 @@ const updateEmailForRecipeId = async (recipeId, recipeUserId, email, tenantId, u
             status: "OK",
         };
     }
+    if (recipeId === "webauthn") {
+        let validationError = await recipe_3.default
+            .getInstanceOrThrowError()
+            .config.validateEmailAddress(email, tenantId, userContext);
+        if (validationError !== undefined) {
+            return {
+                status: "INVALID_EMAIL_ERROR",
+                error: validationError,
+            };
+        }
+        const emailUpdateResponse = await webauthn_1.default.updateUserEmail({
+            email,
+            recipeUserId: recipeUserId.getAsString(),
+            tenantId,
+            userContext,
+        });
+        if (emailUpdateResponse.status === "EMAIL_ALREADY_EXISTS_ERROR") {
+            return {
+                status: "EMAIL_ALREADY_EXISTS_ERROR",
+            };
+        } else if (emailUpdateResponse.status === "UNKNOWN_USER_ID_ERROR") {
+            throw new Error("Should never come here");
+        }
+        return {
+            status: "OK",
+        };
+    }
     /**
      * If it comes here then the user is a third party user in which case the UI should not have allowed this
      */
@@ -211,7 +240,7 @@ const userPut = async (_, tenantId, options, userContext) => {
     if (firstName.trim() !== "" || lastName.trim() !== "") {
         let isRecipeInitialised = false;
         try {
-            recipe_3.default.getInstanceOrThrowError();
+            recipe_4.default.getInstanceOrThrowError();
             isRecipeInitialised = true;
         } catch (_) {
             // no op
diff --git a/lib/build/recipe/dashboard/types.d.ts b/lib/build/recipe/dashboard/types.d.ts
@@ -51,7 +51,7 @@ export declare type APIFunction = (
     options: APIOptions,
     userContext: UserContext
 ) => Promise<any>;
-export declare type RecipeIdForUser = "emailpassword" | "thirdparty" | "passwordless";
+export declare type RecipeIdForUser = "emailpassword" | "thirdparty" | "passwordless" | "webauthn";
 export declare type AuthMode = "api-key" | "email-password";
 export declare type UserWithFirstAndLastName = User & {
     firstName?: string;
diff --git a/lib/build/recipe/dashboard/utils.d.ts b/lib/build/recipe/dashboard/utils.d.ts
@@ -12,7 +12,7 @@ export declare function getUserForRecipeId(
     userContext: UserContext
 ): Promise<{
     user: UserWithFirstAndLastName | undefined;
-    recipe: "emailpassword" | "thirdparty" | "passwordless" | undefined;
+    recipe: "emailpassword" | "thirdparty" | "passwordless" | "webauthn" | undefined;
 }>;
 export declare function validateApiKey(input: {
     req: BaseRequest;
diff --git a/lib/build/recipe/dashboard/utils.js b/lib/build/recipe/dashboard/utils.js
@@ -26,6 +26,7 @@ const recipe_1 = __importDefault(require("../accountlinking/recipe"));
 const recipe_2 = __importDefault(require("../emailpassword/recipe"));
 const recipe_3 = __importDefault(require("../thirdparty/recipe"));
 const recipe_4 = __importDefault(require("../passwordless/recipe"));
+const recipe_5 = __importDefault(require("../webauthn/recipe"));
 const logger_1 = require("../../logger");
 function validateAndNormaliseUserInput(config) {
     let override = Object.assign(
@@ -57,7 +58,12 @@ function sendUnauthorisedAccess(res) {
 }
 exports.sendUnauthorisedAccess = sendUnauthorisedAccess;
 function isValidRecipeId(recipeId) {
-    return recipeId === "emailpassword" || recipeId === "thirdparty" || recipeId === "passwordless";
+    return (
+        recipeId === "emailpassword" ||
+        recipeId === "thirdparty" ||
+        recipeId === "passwordless" ||
+        recipeId === "webauthn"
+    );
 }
 exports.isValidRecipeId = isValidRecipeId;
 async function getUserForRecipeId(recipeUserId, recipeId, userContext) {
@@ -115,6 +121,13 @@ async function _getUserForRecipeId(recipeUserId, recipeId, userContext) {
         } catch (e) {
             // No - op
         }
+    } else if (recipeId === recipe_5.default.RECIPE_ID) {
+        try {
+            recipe_5.default.getInstanceOrThrowError();
+            recipe = "webauthn";
+        } catch (e) {
+            // No - op
+        }
     }
     return {
         user,
diff --git a/lib/build/recipe/multitenancy/api/implementation.js b/lib/build/recipe/multitenancy/api/implementation.js
@@ -76,6 +76,9 @@ function getAPIInterface() {
                     enabled: validFirstFactors.includes("thirdparty"),
                     providers: finalProviderList,
                 },
+                webauthn: {
+                    enabled: validFirstFactors.includes("webauthn"),
+                },
                 passwordless: {
                     enabled:
                         validFirstFactors.includes("otp-email") ||
diff --git a/lib/build/recipe/webauthn/index.d.ts b/lib/build/recipe/webauthn/index.d.ts
@@ -223,9 +223,9 @@ export default class Wrapper {
         status:
             | "OK"
             | "UNKNOWN_USER_ID_ERROR"
-            | "INVALID_CREDENTIALS_ERROR"
             | "INVALID_OPTIONS_ERROR"
             | "OPTIONS_NOT_FOUND_ERROR"
+            | "INVALID_CREDENTIALS_ERROR"
             | "INVALID_AUTHENTICATOR_ERROR"
             | "CREDENTIAL_NOT_FOUND_ERROR";
     }>;
diff --git a/lib/build/version.d.ts b/lib/build/version.d.ts
diff --git a/lib/build/version.js b/lib/build/version.js
diff --git a/lib/ts/recipe/dashboard/api/multitenancy/utils.ts b/lib/ts/recipe/dashboard/api/multitenancy/utils.ts
@@ -67,6 +67,7 @@ export function factorIdToRecipe(factorId: string): string {
         "link-email": "Passwordless",
         "link-phone": "Passwordless",
         totp: "Totp",
+        webauthn: "WebAuthn",
     };
 
     return factorIdToRecipe[factorId];
diff --git a/lib/ts/recipe/dashboard/api/userdetails/userPut.ts b/lib/ts/recipe/dashboard/api/userdetails/userPut.ts
@@ -2,8 +2,10 @@ import { APIInterface, APIOptions } from "../../types";
 import STError from "../../../../error";
 import EmailPasswordRecipe from "../../../emailpassword/recipe";
 import PasswordlessRecipe from "../../../passwordless/recipe";
+import WebAuthnRecipe from "../../../webauthn/recipe";
 import EmailPassword from "../../../emailpassword";
 import Passwordless from "../../../passwordless";
+import WebAuthn from "../../../webauthn";
 import { isValidRecipeId, getUserForRecipeId } from "../../utils";
 import UserMetadataRecipe from "../../../usermetadata/recipe";
 import UserMetadata from "../../../usermetadata";
@@ -40,7 +42,7 @@ type Response =
       };
 
 const updateEmailForRecipeId = async (
-    recipeId: "emailpassword" | "passwordless" | "thirdparty",
+    recipeId: "emailpassword" | "passwordless" | "thirdparty" | "webauthn",
     recipeUserId: RecipeUserId,
     email: string,
     tenantId: string,
@@ -159,6 +161,40 @@ const updateEmailForRecipeId = async (
         };
     }
 
+    if (recipeId === "webauthn") {
+        let validationError = await WebAuthnRecipe.getInstanceOrThrowError().config.validateEmailAddress(
+            email,
+            tenantId,
+            userContext
+        );
+
+        if (validationError !== undefined) {
+            return {
+                status: "INVALID_EMAIL_ERROR",
+                error: validationError,
+            };
+        }
+
+        const emailUpdateResponse = await WebAuthn.updateUserEmail({
+            email,
+            recipeUserId: recipeUserId.getAsString(),
+            tenantId,
+            userContext,
+        });
+
+        if (emailUpdateResponse.status === "EMAIL_ALREADY_EXISTS_ERROR") {
+            return {
+                status: "EMAIL_ALREADY_EXISTS_ERROR",
+            };
+        } else if (emailUpdateResponse.status === "UNKNOWN_USER_ID_ERROR") {
+            throw new Error("Should never come here");
+        }
+
+        return {
+            status: "OK",
+        };
+    }
+
     /**
      * If it comes here then the user is a third party user in which case the UI should not have allowed this
      */
diff --git a/lib/ts/recipe/dashboard/types.ts b/lib/ts/recipe/dashboard/types.ts
@@ -72,7 +72,7 @@ export type APIFunction = (
     userContext: UserContext
 ) => Promise<any>;
 
-export type RecipeIdForUser = "emailpassword" | "thirdparty" | "passwordless";
+export type RecipeIdForUser = "emailpassword" | "thirdparty" | "passwordless" | "webauthn";
 
 export type AuthMode = "api-key" | "email-password";
 
diff --git a/lib/ts/recipe/dashboard/utils.ts b/lib/ts/recipe/dashboard/utils.ts
@@ -28,6 +28,7 @@ import AccountLinking from "../accountlinking/recipe";
 import EmailPasswordRecipe from "../emailpassword/recipe";
 import ThirdPartyRecipe from "../thirdparty/recipe";
 import PasswordlessRecipe from "../passwordless/recipe";
+import WebAuthnRecipe from "../webauthn/recipe";
 import RecipeUserId from "../../recipeUserId";
 import { User, UserContext } from "../../types";
 import { logDebugMessage } from "../../logger";
@@ -62,7 +63,12 @@ export function sendUnauthorisedAccess(res: BaseResponse) {
 }
 
 export function isValidRecipeId(recipeId: string): recipeId is RecipeIdForUser {
-    return recipeId === "emailpassword" || recipeId === "thirdparty" || recipeId === "passwordless";
+    return (
+        recipeId === "emailpassword" ||
+        recipeId === "thirdparty" ||
+        recipeId === "passwordless" ||
+        recipeId === "webauthn"
+    );
 }
 
 export async function getUserForRecipeId(
@@ -71,7 +77,7 @@ export async function getUserForRecipeId(
     userContext: UserContext
 ): Promise<{
     user: UserWithFirstAndLastName | undefined;
-    recipe: "emailpassword" | "thirdparty" | "passwordless" | undefined;
+    recipe: "emailpassword" | "thirdparty" | "passwordless" | "webauthn" | undefined;
 }> {
     let userResponse = await _getUserForRecipeId(recipeUserId, recipeId, userContext);
     let user: UserWithFirstAndLastName | undefined = undefined;
@@ -94,9 +100,9 @@ async function _getUserForRecipeId(
     userContext: UserContext
 ): Promise<{
     user: User | undefined;
-    recipe: "emailpassword" | "thirdparty" | "passwordless" | undefined;
+    recipe: "emailpassword" | "thirdparty" | "passwordless" | "webauthn" | undefined;
 }> {
-    let recipe: "emailpassword" | "thirdparty" | "passwordless" | undefined;
+    let recipe: "emailpassword" | "thirdparty" | "passwordless" | "webauthn" | undefined;
 
     const user = await AccountLinking.getInstance().recipeInterfaceImpl.getUser({
         userId: recipeUserId.getAsString(),
@@ -143,6 +149,13 @@ async function _getUserForRecipeId(
         } catch (e) {
             // No - op
         }
+    } else if (recipeId === WebAuthnRecipe.RECIPE_ID) {
+        try {
+            WebAuthnRecipe.getInstanceOrThrowError();
+            recipe = "webauthn";
+        } catch (e) {
+            // No - op
+        }
     }
     return {
         user,
diff --git a/lib/ts/recipe/multitenancy/api/implementation.ts b/lib/ts/recipe/multitenancy/api/implementation.ts
@@ -90,6 +90,9 @@ export default function getAPIInterface(): APIInterface {
                     enabled: validFirstFactors.includes("thirdparty"),
                     providers: finalProviderList,
                 },
+                webauthn: {
+                    enabled: validFirstFactors.includes("webauthn"),
+                },
                 passwordless: {
                     enabled:
                         validFirstFactors.includes("otp-email") ||
diff --git a/lib/ts/version.ts b/lib/ts/version.ts
@@ -12,9 +12,9 @@
  * License for the specific language governing permissions and limitations
  * under the License.
  */
-export const version = "22.0.0";
+export const version = "22.0.1";
 
 export const cdiSupported = ["5.3"];
 
 // Note: The actual script import for dashboard uses v{DASHBOARD_VERSION}
-export const dashboardVersion = "0.13";
+export const dashboardVersion = "0.15";
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "supertokens-node",
-    "version": "22.0.0",
+    "version": "22.0.1",
     "description": "NodeJS driver for SuperTokens core",
     "main": "index.js",
     "scripts": {

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@ function factorIdToRecipe(factorId) {`
`66`	`66`	`"link-email": "Passwordless",`
`67`	`67`	`"link-phone": "Passwordless",`
`68`	`68`	`totp: "Totp",`
	`69`	`+ webauthn: "WebAuthn",`
`69`	`70`	`};`
`70`	`71`	`return factorIdToRecipe[factorId];`
`71`	`72`	`}`