feat: passkey integration #793

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

matteyu wants to merge 10 commits into development from arc-937/auth-passkeys

Contributor

matteyu commented Apr 30, 2025 •

edited

Loading

Blocking PR: wanderwallet/embed-api#4

Client integration for passkey. New integration for sign-in and registration for passkey.

matteyu added 3 commits

April 20, 2025 15:05


          feat: passkey integration

fa56423


          modify signature verification for cross auth with passkey

1140ed5


          fix: enable for iframe

4e8ce90

vercel bot commented Apr 30, 2025 •

edited

Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
wander-embed	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 7, 2025 5:48am
wander-embed-dev	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 7, 2025 5:48am

matteyu changed the title ~~Arc 937/auth passkeys~~ feat: passkey integration


          utilize supabase session via client

f15fade

vercel bot had a problem deploying to Preview – wander-embed

May 1, 2025 15:41

Failure

vercel bot had a problem deploying to Preview – wander-embed-dev

May 1, 2025 15:43

Failure

matteyu added 2 commits

May 1, 2025 17:25


          fix merge conflict

02cf6b8


          fix: enable passkeys through iframe

5b60f62

vercel bot deployed to Preview – wander-embed

May 2, 2025 04:31

View deployment

vercel bot deployed to Preview – wander-embed-dev

May 2, 2025 04:33

View deployment


          add more info to passkey registration

a5d8c36

vercel bot deployed to Preview – wander-embed

May 2, 2025 05:02

View deployment

vercel bot deployed to Preview – wander-embed-dev

May 2, 2025 05:02

View deployment

matteyu mentioned this pull request

feat: add endpoints - authenticate [passkeys] wanderwallet/embed-api#4

Open

matteyu requested review from Danziger, pawanpaudel93 and 7i7o

May 2, 2025 16:54

matteyu marked this pull request as ready for review

May 2, 2025 16:54

Danziger reviewed

View reviewed changes

src/utils/embedded/embedded.provider.tsx Outdated

-                        );
+                        // Check if device share exists for passkey auth
+                        const deviceShares = await WalletUtils.getDeviceSharesForUser(userId);
+                        const hasDeviceShare = !!deviceShares[walletId];

Contributor

Danziger May 4, 2025 •

edited

Loading

Inside this if, a wallet has already been activated, so this check should always pass. In any case, I'm not sure why these checks related to passkeys are merged together with the wallet activation flow, which should be authentication-method agnostic. That is, whatever logic needs to run around authentication, should happen before this block. Once we are here, authentication should be good.

Danziger reviewed

View reviewed changes

src/utils/embedded/embedded.provider.tsx Outdated

                     let authStatus = "noAuth" as AuthStatus;
+                    // Check for passkey authentication (should be flagged in localStorage)
+                    const isPasskeyAuth = embeddedContextAuth.authProviderType === "PASSKEYS";
+                    const isCustomAuth = localStorage.getItem("isCustomAuth") === "true";

Contributor

Danziger May 4, 2025

Why is this needed? Would passkeys still work if the user cleans the browser data?

Danziger reviewed

View reviewed changes

src/utils/embedded/embedded.provider.tsx Outdated

+                      };
+                      // Create a custom auth token for API requests
+                      const deviceNonce =

Contributor

Danziger May 4, 2025

You should use getDeviceNonce here, which takes care of loading/initializing/storing it.

Danziger reviewed

View reviewed changes

src/utils/embedded/embedded.provider.tsx Outdated

+                      );
+                      // Set the auth token header for API requests
+                      setAuthTokenHeader(temporaryAuthToken);

Contributor

Danziger May 4, 2025

This should not work, as this token is not signed.

Danziger reviewed

View reviewed changes

src/utils/embedded/embedded.provider.tsx Outdated

+                        localStorage.removeItem("needsWalletActivation");
+                        // Important: Generate and set an authentication token for API requests
+                        const deviceNonce =

Contributor

Danziger May 4, 2025

This should be done with getDeviceNonce().

Danziger reviewed

View reviewed changes

src/utils/embedded/embedded.provider.tsx Outdated

+                        // Store this nonce for future requests
+                        localStorage.setItem("deviceNonce", deviceNonce);
+                        // Create a custom auth token to use for API requests

Contributor

Danziger May 4, 2025

Ok, this answer the question above about the tokens not being valid. The tokens must be signed by the server, as otherwise anyone could use this custom auth header to steal someone else's session/account.

matteyu added 3 commits

May 6, 2025 21:48


          fix: handle tokens properly

f12023b


          fix merge conflict

56aec35


          fix token handling

6f51277

vercel bot deployed to Preview – wander-embed

May 7, 2025 05:46

View deployment

vercel bot deployed to Preview – wander-embed-dev

May 7, 2025 05:48

View deployment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet