feat: passkey integration #793

Open
wants to merge 10 commits into
base: development

matteyu
Contributor

@matteyu matteyu commented Apr 30, 2025

Blocking PR: wanderwallet/embed-api#4

Client integration for passkey. New integration for sign-in and registration for passkey.

vercel bot commented Apr 30, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
wander-embed ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 7, 2025 5:48am
wander-embed-dev ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 7, 2025 5:48am

@matteyu matteyu changed the title from "Arc 937/auth passkeys" to "feat: passkey integration" Apr 30, 2025

);
// Check if device share exists for passkey auth
const deviceShares = await WalletUtils.getDeviceSharesForUser(userId);
const hasDeviceShare = !!deviceShares[walletId];
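
Review bot: deviceShares[walletId] on the last line assumes getDeviceSharesForUser always resolves to an object. If it can resolve to null or undefined for a user with no stored shares, the index throws instead of yielding false, so either guard it with deviceShares?.[walletId] or document that the helper returns an empty object in that case.
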
Contributor

@Danziger Danziger May 4, 2025

Inside this if, a wallet has already been activated, so this check should always pass. In any case, I'm not sure why these checks related to passkeys are merged together with the wallet activation flow, which should be authentication-method agnostic. That is, whatever logic needs to run around authentication, should happen before this block. Once we are here, authentication should be good.

@@ -1080,6 +1086,17 @@ export function EmbeddedProvider({ children }: EmbeddedProviderProps) {

let authStatus = "noAuth" as AuthStatus;

// Check for passkey authentication (should be flagged in localStorage)
const isPasskeyAuth = embeddedContextAuth.authProviderType === "PASSKEYS";
const isCustomAuth = localStorage.getItem("isCustomAuth") === "true";
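
Review bot: The comment above isPasskeyAuth says passkey authentication is flagged in localStorage, but that line reads embeddedContextAuth.authProviderType; only isCustomAuth on the next line comes from localStorage. Correct the comment, and because any script on the origin can set "isCustomAuth" to "true", keep this flag to selecting a UI path and make sure authStatus never leaves "noAuth" because of it without a session the server has validated.
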
Contributor

Why is this needed? Would passkeys still work if the user cleans the browser data?

};

// Create a custom auth token for API requests
const deviceNonce =
Contributor

You should use getDeviceNonce here, which takes care of loading/initializing/storing it.

);

// Set the auth token header for API requests
setAuthTokenHeader(temporaryAuthToken);
Contributor

This should not work, as this token is not signed.

localStorage.removeItem("needsWalletActivation");

// Important: Generate and set an authentication token for API requests
const deviceNonce =
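
Review bot: localStorage.removeItem("needsWalletActivation") on the first line runs before the token step announced by the "Important" comment. If that step can fail, the flag is already cleared and the next load has no record that activation was left unfinished, so clear it only after the token has been obtained and the header set.
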
Contributor

This should be done with getDeviceNonce().

// Store this nonce for future requests
localStorage.setItem("deviceNonce", deviceNonce);

// Create a custom auth token to use for API requests
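
Review bot: localStorage.setItem("deviceNonce", deviceNonce) writes the storage key by hand, so this path and any other code that stores the nonce can drift apart in key name or format; route the write through the single helper that owns that key. The comment on the last line also places token creation in the client: a token assembled from values the browser holds proves nothing to the API, so request it from the server after the passkey assertion has been verified there.
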
Contributor

Ok, this answers the question above about the tokens not being valid. The tokens must be signed by the server, as otherwise anyone could use this custom auth header to steal someone else's session/account.
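
The point made in the comment above, as an added example that is not part of the PR or the project's code: a token the client assembles itself carries no proof of who built it, while a server-issued HMAC tag lets the API reject altered claims. The claim names (userId, deviceNonce), the token layout and SERVER_KEY are assumptions made for illustration.

```javascript
// Added example, not code from this PR. Claim names, token layout and
// SERVER_KEY are assumptions made for illustration.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

const SERVER_KEY = randomBytes(32); // never leaves the API server

const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const decode = (str) => JSON.parse(Buffer.from(str, "base64url").toString("utf8"));
const mac = (payload) => createHmac("sha256", SERVER_KEY).update(payload).digest();

// Unsigned: a server that only decodes trusts whatever userId the token holds.
function acceptUnsigned(token) {
  return decode(token).userId;
}

// Signed: issued by the server once it has verified the passkey assertion.
function issueSignedToken(claims, ttlSeconds = 300) {
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const payload = encode({ ...claims, exp });
  return `${payload}.${mac(payload).toString("base64url")}`;
}

// Returns the claims, or null if the token is malformed, altered or expired.
function verifySignedToken(token, now = Math.floor(Date.now() / 1000)) {
  const [payload, tag, ...rest] = String(token).split(".");
  if (!payload || !tag || rest.length > 0) return null;
  const expected = mac(payload);
  const given = Buffer.from(tag, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const claims = decode(payload);
    return typeof claims.exp === "number" && claims.exp > now ? claims : null;
  } catch {
    return null;
  }
}

// Constructed sample values: the claims are changed, the old tag is reused.
const issued = issueSignedToken({ userId: "user-a", deviceNonce: "nonce-a" });
const altered = encode({ userId: "user-b", deviceNonce: "nonce-a", exp: 4102444800 });
const tampered = `${altered}.${issued.split(".")[1]}`;

console.log(acceptUnsigned(encode({ userId: "user-b" }))); // user-b
console.log(verifySignedToken(issued).userId); // user-a
console.log(verifySignedToken(tampered)); // null
```
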

2 participants