Authentication with security keys and the WebAuthn API

[plmercereau]

Introduce the SDK's part of security keys with WebAuthn

Note

A changeset will be added once this PR passed its review

@nhost/hasura-auth-js

nhost.auth.signIn({ email, securityKey: true })
nhost.auth.addSecurityKey(nickname?: string)

• securityKey: true makes the distinction with nhost.auth.signIn({ email }) that authenticates with a magic link.
• No nhost.auth.removeSecurityKey or nhost.auth.listSecurityKeys have been added, as listing/deleting keys occur through the GraphQL api, and @nhost/hasura-auth-js cannot access to the parent nhost.graphql client.
  To import @nhost/nhost-js in @nhost/hasura-auth-js would create a circular dependency.
  Happy to discuss about the matter.

@nhost/react

const { 
    signInSecurityKeyEmail,
    accessToken,
    error,
    isError,
    isLoading,
    isSuccess,
    needsEmailVerification,
    user
} = useSignInSecurityKeyEmail()
const { add, remove, list } = useSecurityKeys()

@nhost/vue

Will come in another PR once this one is merged

Tests

No e2e tests have been added because cypress does not support the WebAuthn API.
Szilard you may have an opinion about testing the Auth state.

React-Apollo example

Example has been updated to show case the addition, listing and deletion of security keys, and the sign-in.

Documentation

• Inline documentation is up to date
• Configuration/guide will come in another PR

Internals

• Some bundlers e.g. NextJs or Webpack don't support pure ESM out of the box, in this case, @simplewebauthn/browser. Until a better workaround is found (or NextJs gets up to speed), we bundle this package to avoid users being forced to add experimental.esmExternals: 'loose' to their NextJs config - and to avoid the risk of other unidentified frameworks being incompatible with this release.
• CodifiedError extends Error, with an error that contains the codified error. It helps catching rejected promises in a consistent way

[changeset-bot]

⚠️ No Changeset found

Latest commit: d7b5261

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated
docs	✅ Ready (Inspect)	Visit Preview	Sep 12, 2022 at 4:47PM (UTC)
example-react-apollo	✅ Ready (Inspect)	Visit Preview	Sep 12, 2022 at 4:47PM (UTC)
example-vue-apollo	✅ Ready (Inspect)	Visit Preview	Sep 12, 2022 at 4:47PM (UTC)

[codecov-commenter]

Codecov Report

Merging #910 (d7b5261) into main (5ff6876) will decrease coverage by 0.08%.
The diff coverage is 89.47%.

@@            Coverage Diff             @@
##             main     #910      +/-   ##
==========================================
- Coverage   96.61%   96.52%   -0.09%     
==========================================
  Files          39       39              
  Lines        6139     6212      +73     
  Branches      375      384       +9     
==========================================
+ Hits         5931     5996      +65     
- Misses        208      216       +8     

Impacted Files	Coverage Δ
packages/core/src/errors.ts	90.24% <76.92%> (-3.58%)	⬇️
packages/core/src/machines/index.ts	98.65% <95.83%> (-0.18%)	⬇️
packages/core/src/hasura-auth.ts	91.66% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[elitan]

🚀

resolved