Skip to content

feat(webauthn): support MFA-session passkey registration#47

Open
lakhansamani wants to merge 1 commit into
mainfrom
feat/mfa-session-webauthn-registration
Open

feat(webauthn): support MFA-session passkey registration#47
lakhansamani wants to merge 1 commit into
mainfrom
feat/mfa-session-webauthn-registration

Conversation

@lakhansamani

Copy link
Copy Markdown
Contributor

Summary

  • webauthn_registration_options/webauthn_registration_verify can now authenticate via the MFA session cookie (email/phone_number/state), not just a bearer token — needed so a passkey can be registered during a token-withheld MFA offer, before any token exists.
  • webauthnRegistrationVerify/registerPasskey now return the full AuthToken shape (access_token populated when this call completed the withheld MFA gate) instead of a bare message.
  • parseMfaRedirectParams gains mfaGate: 'offer' | 'verify' so a host app can tell a first-time enrollment offer from a challenge for an already-configured factor.

Backend counterpart: authorizerdev/authorizer#<branch feat/enforce-mfa-passkey-gate>.

Test plan

  • npx jest __test__/webauthnMethods.test.ts __test__/mfaRedirect.test.ts — all passing, new cases added
  • npm run build — clean
  • npx tsc --noEmit (consumer side, via authorizer-react) — clean

webauthn_registration_options/verify required a bearer token,
unavailable during a token-withheld MFA offer. Add email/phone_number/
state so registerPasskey can authenticate via the MFA session cookie
instead, and return the full AuthResponse (access_token on success)
rather than a bare message.

Also add mfa_gate to parseMfaRedirectParams so callers can tell an
enrollment offer from a challenge for an already-configured factor.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant