feat: passkey integration #793
base: development
); | ||
// Check if device share exists for passkey auth | ||
const deviceShares = await WalletUtils.getDeviceSharesForUser(userId); | ||
const hasDeviceShare = !!deviceShares[walletId]; |
Inside this `if`, a wallet has already been activated, so this check should always pass. In any case, I'm not sure why these checks related to passkeys are merged together with the wallet activation flow, which should be authentication-method agnostic. That is, whatever logic needs to run around authentication, should happen before this block. Once we are here, authentication should be good.
@@ -1080,6 +1086,17 @@ export function EmbeddedProvider({ children }: EmbeddedProviderProps) { | |||
|
|||
let authStatus = "noAuth" as AuthStatus; | |||
|
|||
// Check for passkey authentication (should be flagged in localStorage) | |||
const isPasskeyAuth = embeddedContextAuth.authProviderType === "PASSKEYS"; | |||
const isCustomAuth = localStorage.getItem("isCustomAuth") === "true"; |
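Review bot: the `isCustomAuth` line takes an authentication-related decision input from localStorage, which any script running on the origin can set and which is gone once the user clears site data; derive this state from the server-validated session instead of a client-side flag. Separately, the comment above `isPasskeyAuth` says the passkey state "should be flagged in localStorage", but that line reads `embeddedContextAuth.authProviderType`, so the comment and the code disagree and one of them should be corrected.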
Why is this needed? Would passkeys still work if the user cleans the browser data?
}; | ||
|
||
// Create a custom auth token for API requests | ||
const deviceNonce = |
You should use `getDeviceNonce` here, which takes care of loading/initializing/storing it.
); | ||
|
||
// Set the auth token header for API requests | ||
setAuthTokenHeader(temporaryAuthToken); |
This should not work, as this token is not signed.
localStorage.removeItem("needsWalletActivation"); | ||
|
||
// Important: Generate and set an authentication token for API requests | ||
const deviceNonce = |
This should be done with `getDeviceNonce()`.
// Store this nonce for future requests | ||
localStorage.setItem("deviceNonce", deviceNonce); | ||
|
||
// Create a custom auth token to use for API requests |
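Review bot: the value persisted by `localStorage.setItem("deviceNonce", deviceNonce)` is readable and writable by any script on the origin, so a token the client then assembles for API requests, as the last comment in this hunk announces, carries nothing the server can trust. Have the server issue the token after it has verified the passkey assertion, and keep only that opaque server-issued value on the client.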
Ok, this answers the question above about the tokens not being valid. The tokens must be signed by the server, as otherwise anyone could use this custom auth header to steal someone else's session/account.
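The point made in the comment above, as an added example that is not part of this PR or the project's code: a token the server signs after verifying the passkey assertion, next to a client-assembled token that the verifier rejects. `issueToken`, `verifyToken`, `clientBuiltToken` and `SERVER_KEY` are hypothetical names, and HMAC-SHA256 is an assumed signing scheme.

```javascript
// Added illustration: all names here are hypothetical, not the project's API.
const { createHmac, timingSafeEqual, randomBytes } = require("node:crypto");

// Server-only secret (constructed for the example; assumed to live in a secret store).
const SERVER_KEY = randomBytes(32);

const b64url = (data) => Buffer.from(data).toString("base64url");
const sign = (payload) => createHmac("sha256", SERVER_KEY).update(payload).digest();

// Server side: called only after the passkey (WebAuthn) assertion has been verified.
function issueToken(userId, deviceNonce, ttlSeconds, now = Date.now()) {
  const claims = { sub: userId, nonce: deviceNonce, exp: now + ttlSeconds * 1000 };
  const payload = b64url(JSON.stringify(claims));
  return `${payload}.${b64url(sign(payload))}`;
}

// Server side: returns the claims for an authentic, unexpired token, otherwise null.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = sign(payload);
  const given = Buffer.from(mac, "base64url");
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  return typeof claims.exp === "number" && claims.exp > now ? claims : null;
}

// What a client-assembled token amounts to: the client picks every field, and
// without SERVER_KEY it cannot produce a MAC the server will accept.
function clientBuiltToken(userId, deviceNonce) {
  const claims = { sub: userId, nonce: deviceNonce, exp: Date.now() + 3600000 };
  return `${b64url(JSON.stringify(claims))}.${b64url(Buffer.alloc(32))}`;
}

// Constructed sample values.
const demo = issueToken("user-a", "nonce-1", 60);
console.log("server-issued:", verifyToken(demo));
console.log("client-built:", verifyToken(clientBuiltToken("user-a", "nonce-1")));
```

Swapping the payload of a valid token for another user's claims while keeping the original MAC fails the same check, because the MAC covers the payload bytes.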
Blocking PR: wanderwallet/embed-api#4
Client integration for passkey. New integration for sign-in and registration for passkey.