feat: add functional authentication

2025-08-12 23:11:08 +02:00
parent f0630d43b7
commit 82d7a0d9cd
74 changed files with 763 additions and 396 deletions
--- a/spec/schemas/auth/errors.ts
+++ b/spec/schemas/auth/errors.ts
@@ -0,0 +1,7 @@
+import { BadRequestError } from "@spec/relay";
+
+export class AuthenticationStrategyPayloadError extends BadRequestError {
+  constructor() {
+    super("Provided authentication payload is not recognized.");
+  }
+}
--- a/spec/schemas/auth/routes.ts
+++ b/spec/schemas/auth/routes.ts
@@ -0,0 +1,41 @@
+import { route, UnauthorizedError } from "@spec/relay";
+import z from "zod";
+
+import { AccountSchema } from "../account/account.ts";
+
+export * from "./errors.ts";
+export * from "./strategies.ts";
+
+export const email = route.post("/api/v1/auth/email").body(
+  z.object({
+    base: z.url(),
+    email: z.email(),
+  }),
+);
+
+export const password = route.post("/api/v1/auth/password").body(
+  z.object({
+    alias: z.string(),
+    password: z.string(),
+  }),
+);
+
+export const code = route
+  .get("/api/v1/auth/code/:accountId/code/:codeId/:value")
+  .params({
+    accountId: z.string(),
+    codeId: z.string(),
+    value: z.string(),
+  })
+  .query({
+    next: z.string().optional(),
+  });
+
+export const session = route.get("/api/v1/auth/session").response(AccountSchema).errors([UnauthorizedError]);
+
+export const routes = {
+  email,
+  password,
+  code,
+  session,
+};
--- a/spec/schemas/auth/strategies.ts
+++ b/spec/schemas/auth/strategies.ts
@@ -0,0 +1,44 @@
+import { z } from "zod";
+
+export const PasskeyStrategySchema = z.object({
+  type: z.literal("passkey").describe("Authentication strategy type for WebAuthn/Passkey"),
+  id: z.string().describe("Base64URL encoded credential ID"),
+  rawId: z.string().describe("Raw credential ID as base64URL encoded string"),
+  response: z
+    .object({
+      clientDataJSON: z.string().describe("Base64URL encoded client data JSON"),
+      authenticatorData: z.string().describe("Base64URL encoded authenticator data"),
+      signature: z.string().optional().describe("Signature for authentication responses"),
+      userHandle: z.string().optional().describe("Optional user handle identifier"),
+      attestationObject: z.string().optional().describe("Attestation object for registration responses"),
+    })
+    .describe("WebAuthn response data"),
+  clientExtensionResults: z
+    .record(z.string(), z.unknown())
+    .default({})
+    .describe("Results from WebAuthn extension inputs"),
+  authenticatorAttachment: z
+    .enum(["platform", "cross-platform"])
+    .optional()
+    .describe("Type of authenticator used (platform or cross-platform)"),
+});
+
+export const EmailStrategySchema = z.object({
+  type: z.literal("email").describe("Authentication strategy type for email"),
+  email: z.email().describe("User's email address for authentication"),
+});
+
+export const PasswordStrategySchema = z.object({
+  type: z.literal("password").describe("Authentication strategy type for password"),
+  alias: z.string().describe("User alias (username or email)"),
+  password: z.string().describe("User's password"),
+});
+
+export const StrategySchema = z
+  .union([PasskeyStrategySchema, EmailStrategySchema, PasswordStrategySchema])
+  .describe("Union of all available authentication strategy schemas");
+
+export type PasskeyStrategy = z.infer<typeof PasskeyStrategySchema>;
+export type EmailStrategy = z.infer<typeof EmailStrategySchema>;
+export type PasswordStrategy = z.infer<typeof PasswordStrategySchema>;
+export type Strategy = z.infer<typeof StrategySchema>;