packages/ui/certd-server/src/modules/login/service/passkey-service.ts

import { cache, logger } from "@certd/basic";
import { AuthException, BaseService, SysInstallInfo, SysSettingsService, SysSiteInfo } from "@certd/lib-server";
import { isComm } from "@certd/plus-core";
import { Inject, Provide, Scope, ScopeEnum } from "@midwayjs/core";
import { InjectEntityModel } from "@midwayjs/typeorm";
import { Repository } from "typeorm";
import { UserService } from "../../sys/authority/service/user-service.js";
import { PasskeyEntity } from "../entity/passkey.js";

@Provide()
@Scope(ScopeEnum.Request, { allowDowngrade: true })
export class PasskeyService extends BaseService<PasskeyEntity> {

  @Inject()
  userService: UserService;

  @InjectEntityModel(PasskeyEntity)
  repository: Repository<PasskeyEntity>;

  @Inject()
  sysSettingsService: SysSettingsService;

  getRepository(): Repository<PasskeyEntity> {
    return this.repository;
  }

  async getRpInfo() {
    let rpName = "Certd"
    if (isComm()) {
      const siteInfo = await this.sysSettingsService.getSetting<SysSiteInfo>(SysSiteInfo);
      rpName = siteInfo.title || rpName;
    }

    const installInfo = await this.sysSettingsService.getSetting<SysInstallInfo>(SysInstallInfo);

    const url = installInfo.bindUrl || "http://localhost:7001";
    const uri = new URL(url);
    const rpId = uri.hostname;
    const origin = uri.origin;

    return {
      rpName,
      rpId,
      origin,
    }
  }
  async generateRegistrationOptions(userId: number, username: string, remoteIp: string, ctx: any) {
    const { generateRegistrationOptions } = await import("@simplewebauthn/server");
    const user = await this.userService.info(userId);

    const { rpName, rpId } = await this.getRpInfo();


    const options = await generateRegistrationOptions({
      rpName: rpName,
      rpID: rpId,
      userID: new TextEncoder().encode(userId + ""),
      userName: username,
      userDisplayName: user.nickName || username,
      timeout: 60000,
      attestationType: "none",
      excludeCredentials: [],
      preferredAuthenticatorType: 'localDevice',
      authenticatorSelection: {
        authenticatorAttachment: "cross-platform", 
        userVerification: "preferred",      
        residentKey: "preferred",
        requireResidentKey: false
      },
    });
    logger.info('[passkey] 注册选项:', JSON.stringify(options));
    cache.set(`passkey:registration:${options.challenge}`, userId, {
      ttl: 5 * 60 * 1000,
    });

    return {
      ...options,
    };
  }

  async verifyRegistrationResponse(
    userId: number,
    response: any,
    challenge: string,
    ctx: any
  ) {
    const { verifyRegistrationResponse } = await import("@simplewebauthn/server");

    const storedUserId = cache.get(`passkey:registration:${challenge}`);
    if (!storedUserId || storedUserId !== userId) {
      throw new AuthException("注册验证失败");
    }

    const { rpId, origin } = await this.getRpInfo();

    let verification: any = null;
    const verifyReq = {
      response,
      expectedChallenge: challenge,
      expectedOrigin: origin,
      expectedRPID: rpId,
      requireUserVerification: false,
    };
    try {
      verification = await verifyRegistrationResponse(verifyReq);
    } catch (error) {
      // 后端验证时
      logger.error('[passkey] 注册验证失败:', JSON.stringify(verifyReq));
      throw new AuthException(`注册验证失败:${error.message || error}`);
    }
    if (!verification.verified) {
      throw new AuthException("注册验证失败");
    }
    

    cache.delete(`passkey:registration:${challenge}`);

    return {
      credentialId: verification.registrationInfo.credential.id,
      credentialPublicKey: verification.registrationInfo.credential.publicKey,
      counter: verification.registrationInfo.credential.counter,
    };
  }

  async generateAuthenticationOptions(ctx: any) {
    const { rpId } = await this.getRpInfo();
    const { generateAuthenticationOptions } = await import("@simplewebauthn/server");
    const options = await generateAuthenticationOptions({
      rpID: rpId,
      timeout: 60000,
      allowCredentials: [],
      userVerification: 'preferred' //'required' | 'preferred' | 'discouraged';
    });

    // cache.set(`passkey:authentication:${options.challenge}`, userId, {
    //   ttl: 5 * 60 * 1000,
    // });

    return {
      ...options,
    };
  }

  async verifyAuthenticationResponse(
    credential: any,
    challenge: string,
    ctx: any
  ) {
    const { verifyAuthenticationResponse } = await import("@simplewebauthn/server");

    const passkey = await this.repository.findOne({
      where: {
        passkeyId: credential.id,
      },
    });

    if (!passkey) {
      throw new AuthException("Passkey不存在");
    }

    const { rpId, origin } = await this.getRpInfo();

    const verification = await verifyAuthenticationResponse({
      response: credential,
      expectedChallenge: challenge,
      expectedOrigin: origin,
      expectedRPID: rpId,
      requireUserVerification: false,
      credential: {
        id: passkey.passkeyId,
        publicKey: new Uint8Array(Buffer.from(passkey.publicKey, 'base64')),
        counter: passkey.counter,
        transports: passkey.transports as any,
      },
    });

    if (!verification.verified) {
      throw new AuthException("认证验证失败");
    }

    cache.delete(`passkey:authentication:${challenge}`);

    return {
      credentialId: verification.authenticationInfo.credentialID,
      counter: verification.authenticationInfo.newCounter,
      userId: passkey.userId,
    };
  }

  async registerPasskey(
    userId: number,
    response: any,
    challenge: string,
    deviceName: string,
    ctx: any
  ) {
    const verification = await this.verifyRegistrationResponse(
      userId,
      response,
      challenge,
      ctx
    );

    await this.add({
      userId,
      passkeyId: verification.credentialId,
      publicKey: Buffer.from(verification.credentialPublicKey).toString('base64'),
      counter: verification.counter,
      deviceName,
      registeredAt: Date.now(),
    });

    return { success: true };
  }

  async loginByPasskey(credential: any, challenge: string, ctx: any) {
    const verification = await this.verifyAuthenticationResponse(
      credential,
      challenge,
      ctx
    );

    const passkey = await this.repository.findOne({
      where: {
        passkeyId: verification.credentialId,
      },
    });

    if (!passkey) {
      throw new AuthException("Passkey不存在");
    }

    if (verification.counter <= passkey.counter) {
      throw new AuthException("认证失败:计数器异常");
    }

    passkey.counter = verification.counter;
    passkey.updateTime = new Date();
    await this.repository.save(passkey);

    const user = await this.userService.info(passkey.userId);
    return user;
  }

  // private getRpId(ctx: any): string {
  //   if (ctx && ctx.request && ctx.request.host) {
  //     return ctx.request.host.split(':')[0];
  //   }
  //   return 'localhost';
  // }

  // private getOrigin(ctx: any): string {
  //   if (ctx && ctx.request) {
  //     const protocol = ctx.request.protocol;
  //     const host = ctx.request.host;
  //     return `${protocol}://${host}`;
  //   }
  //   return 'https://localhost';
  // }
}
chore: passkey perf 2026-03-17 19:16:11 +08:00			`import { cache, logger } from "@certd/basic";`
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`import { AuthException, BaseService, SysInstallInfo, SysSettingsService, SysSiteInfo } from "@certd/lib-server";`
chore: passkey登录优化 2026-03-13 15:31:03 +08:00			`import { isComm } from "@certd/plus-core";`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`import { Inject, Provide, Scope, ScopeEnum } from "@midwayjs/core";`
chore: passkey登录优化 2026-03-13 15:31:03 +08:00			`import { InjectEntityModel } from "@midwayjs/typeorm";`
			`import { Repository } from "typeorm";`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`import { UserService } from "../../sys/authority/service/user-service.js";`
			`import { PasskeyEntity } from "../entity/passkey.js";`

			`@Provide()`
			`@Scope(ScopeEnum.Request, { allowDowngrade: true })`
			`export class PasskeyService extends BaseService<PasskeyEntity> {`
chore: 优化passkey 2026-03-15 02:20:39 +08:00
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`@Inject()`
			`userService: UserService;`

			`@InjectEntityModel(PasskeyEntity)`
			`repository: Repository<PasskeyEntity>;`

chore: passkey登录优化 2026-03-13 15:31:03 +08:00			`@Inject()`
			`sysSettingsService: SysSettingsService;`

perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`getRepository(): Repository<PasskeyEntity> {`
			`return this.repository;`
			`}`
chore: passkey登录优化 2026-03-13 15:31:03 +08:00
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`async getRpInfo() {`
chore: passkey登录优化 2026-03-13 15:31:03 +08:00			`let rpName = "Certd"`
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`if (isComm()) {`
chore: passkey登录优化 2026-03-13 15:31:03 +08:00			`const siteInfo = await this.sysSettingsService.getSetting<SysSiteInfo>(SysSiteInfo);`
			`rpName = siteInfo.title \|\| rpName;`
			`}`
chore: 优化passkey 2026-03-15 02:20:39 +08:00
			`const installInfo = await this.sysSettingsService.getSetting<SysInstallInfo>(SysInstallInfo);`

			`const url = installInfo.bindUrl \|\| "http://localhost:7001";`
			`const uri = new URL(url);`
			`const rpId = uri.hostname;`
			`const origin = uri.origin;`

chore: passkey登录优化 2026-03-13 15:31:03 +08:00			`return {`
			`rpName,`
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`rpId,`
			`origin,`
chore: passkey登录优化 2026-03-13 15:31:03 +08:00			`}`
			`}`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`async generateRegistrationOptions(userId: number, username: string, remoteIp: string, ctx: any) {`
			`const { generateRegistrationOptions } = await import("@simplewebauthn/server");`
			`const user = await this.userService.info(userId);`
chore: 优化passkey 2026-03-15 02:20:39 +08:00
			`const { rpName, rpId } = await this.getRpInfo();`

chore: passkey登录优化 2026-03-13 15:31:03 +08:00
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`const options = await generateRegistrationOptions({`
chore: passkey登录优化 2026-03-13 15:31:03 +08:00			`rpName: rpName,`
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`rpID: rpId,`
chore: passkey perf 2026-03-17 19:16:11 +08:00			`userID: new TextEncoder().encode(userId + ""),`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`userName: username,`
			`userDisplayName: user.nickName \|\| username,`
			`timeout: 60000,`
			`attestationType: "none",`
			`excludeCredentials: [],`
perf: 优化passkey 2026-03-18 00:43:01 +08:00			`preferredAuthenticatorType: 'localDevice',`
			`authenticatorSelection: {`
			`authenticatorAttachment: "cross-platform",`
			`userVerification: "preferred",`
			`residentKey: "preferred",`
			`requireResidentKey: false`
			`},`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`});`
chore: passkey perf 2026-03-17 19:16:11 +08:00			`logger.info('[passkey] 注册选项:', JSON.stringify(options));`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			cache.set(`passkey:registration:${options.challenge}`, userId, {
			`ttl: 5 * 60 * 1000,`
			`});`

			`return {`
			`...options,`
			`};`
			`}`

			`async verifyRegistrationResponse(`
			`userId: number,`
			`response: any,`
			`challenge: string,`
			`ctx: any`
			`) {`
			`const { verifyRegistrationResponse } = await import("@simplewebauthn/server");`
chore: 优化passkey 2026-03-15 02:20:39 +08:00
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			const storedUserId = cache.get(`passkey:registration:${challenge}`);
			`if (!storedUserId \|\| storedUserId !== userId) {`
			`throw new AuthException("注册验证失败");`
			`}`

chore: 优化passkey 2026-03-15 02:20:39 +08:00			`const { rpId, origin } = await this.getRpInfo();`

chore: passkey perf 2026-03-17 19:16:11 +08:00			`let verification: any = null;`
			`const verifyReq = {`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`response,`
			`expectedChallenge: challenge,`
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`expectedOrigin: origin,`
			`expectedRPID: rpId,`
chore: 1 2026-03-18 01:04:43 +08:00			`requireUserVerification: false,`
chore: passkey perf 2026-03-17 19:16:11 +08:00			`};`
			`try {`
			`verification = await verifyRegistrationResponse(verifyReq);`
			`} catch (error) {`
			`// 后端验证时`
			`logger.error('[passkey] 注册验证失败:', JSON.stringify(verifyReq));`
			throw new AuthException(`注册验证失败:${error.message \|\| error}`);
			`}`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`if (!verification.verified) {`
			`throw new AuthException("注册验证失败");`
			`}`
chore: passkey perf 2026-03-17 19:16:11 +08:00
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00
			cache.delete(`passkey:registration:${challenge}`);

			`return {`
			`credentialId: verification.registrationInfo.credential.id,`
			`credentialPublicKey: verification.registrationInfo.credential.publicKey,`
			`counter: verification.registrationInfo.credential.counter,`
			`};`
			`}`

			`async generateAuthenticationOptions(ctx: any) {`
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`const { rpId } = await this.getRpInfo();`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`const { generateAuthenticationOptions } = await import("@simplewebauthn/server");`
			`const options = await generateAuthenticationOptions({`
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`rpID: rpId,`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`timeout: 60000,`
			`allowCredentials: [],`
perf: 优化passkey 2026-03-18 00:43:01 +08:00			`userVerification: 'preferred' //'required' \| 'preferred' \| 'discouraged';`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`});`

			// cache.set(`passkey:authentication:${options.challenge}`, userId, {
			`// ttl: 5 * 60 * 1000,`
			`// });`

			`return {`
			`...options,`
			`};`
			`}`

			`async verifyAuthenticationResponse(`
			`credential: any,`
			`challenge: string,`
			`ctx: any`
			`) {`
			`const { verifyAuthenticationResponse } = await import("@simplewebauthn/server");`
chore: 优化passkey 2026-03-15 02:20:39 +08:00
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`const passkey = await this.repository.findOne({`
			`where: {`
			`passkeyId: credential.id,`
			`},`
			`});`
chore: 优化passkey 2026-03-15 02:20:39 +08:00
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`if (!passkey) {`
			`throw new AuthException("Passkey不存在");`
			`}`

chore: 优化passkey 2026-03-15 02:20:39 +08:00			`const { rpId, origin } = await this.getRpInfo();`

perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`const verification = await verifyAuthenticationResponse({`
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`response: credential,`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`expectedChallenge: challenge,`
chore: 优化passkey 2026-03-15 02:20:39 +08:00			`expectedOrigin: origin,`
			`expectedRPID: rpId,`
chore: 1 2026-03-18 01:04:43 +08:00			`requireUserVerification: false,`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`credential: {`
			`id: passkey.passkeyId,`
			`publicKey: new Uint8Array(Buffer.from(passkey.publicKey, 'base64')),`
			`counter: passkey.counter,`
			`transports: passkey.transports as any,`
			`},`
			`});`

			`if (!verification.verified) {`
			`throw new AuthException("认证验证失败");`
			`}`

			cache.delete(`passkey:authentication:${challenge}`);

			`return {`
			`credentialId: verification.authenticationInfo.credentialID,`
			`counter: verification.authenticationInfo.newCounter,`
			`userId: passkey.userId,`
			`};`
			`}`

			`async registerPasskey(`
			`userId: number,`
			`response: any,`
			`challenge: string,`
			`deviceName: string,`
			`ctx: any`
			`) {`
			`const verification = await this.verifyRegistrationResponse(`
			`userId,`
			`response,`
			`challenge,`
			`ctx`
			`);`

			`await this.add({`
			`userId,`
			`passkeyId: verification.credentialId,`
			`publicKey: Buffer.from(verification.credentialPublicKey).toString('base64'),`
			`counter: verification.counter,`
			`deviceName,`
			`registeredAt: Date.now(),`
			`});`

			`return { success: true };`
			`}`

chore: 优化passkey 2026-03-15 02:20:39 +08:00			`async loginByPasskey(credential: any, challenge: string, ctx: any) {`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`const verification = await this.verifyAuthenticationResponse(`
			`credential,`
			`challenge,`
			`ctx`
			`);`

			`const passkey = await this.repository.findOne({`
			`where: {`
			`passkeyId: verification.credentialId,`
			`},`
			`});`
chore: 优化passkey 2026-03-15 02:20:39 +08:00
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`if (!passkey) {`
			`throw new AuthException("Passkey不存在");`
			`}`

			`if (verification.counter <= passkey.counter) {`
			`throw new AuthException("认证失败:计数器异常");`
			`}`

			`passkey.counter = verification.counter;`
chore: passkey登录优化 2026-03-13 15:31:03 +08:00			`passkey.updateTime = new Date();`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`await this.repository.save(passkey);`

			`const user = await this.userService.info(passkey.userId);`
			`return user;`
			`}`

chore: 优化passkey 2026-03-15 02:20:39 +08:00			`// private getRpId(ctx: any): string {`
			`// if (ctx && ctx.request && ctx.request.host) {`
			`// return ctx.request.host.split(':')[0];`
			`// }`
			`// return 'localhost';`
			`// }`

			`// private getOrigin(ctx: any): string {`
			`// if (ctx && ctx.request) {`
			`// const protocol = ctx.request.protocol;`
			`// const host = ctx.request.host;`
			// return `${protocol}://${host}`;
			`// }`
			`// return 'https://localhost';`
			`// }`
perf: 支持passkey登录 2026-03-12 18:11:02 +08:00			`}`