solid-pod-rs-idp 0.4.0-alpha.4

Solid-OIDC identity provider (authorization-code + DPoP-bound tokens, JWKS, credentials, dynamic client registration) — Rust port of JavaScriptSolidServer/src/idp
//! WebAuthn / passkey support (row 80 — Sprint 11: full wiring).
//!
//! This module exposes:
//!
//! 1. The [`PasskeyBackend`] trait — the stable contract the IdP
//!    uses to issue and verify passkey ceremonies.
//! 2. [`WebauthnPasskey`] — a production-leaning implementation
//!    backed by [`webauthn-rs`] 0.5. It covers the happy path a
//!    Solid-OIDC passkey flow needs: register-options /
//!    register-verify / login-options / login-verify.
//! 3. [`NullPasskeyBackend`] — retained as a `#[doc(hidden)]`
//!    test fallback so integrators can wire the provider before
//!    bringing in `webauthn-rs`.
//!
//! # Scope honesty
//!
//! `webauthn-rs` carries roughly thirty configuration knobs
//! (attestation CA lists, attachment hints, residency preferences,
//! subdomain policies, timeouts, etc.). [`WebauthnPasskey::new`]
//! picks a sensible default: single-step registration, `ES256` +
//! `EdDSA` as the preferred COSE algorithms, user-verification
//! required (the 0.5 default), no subdomain relaxation. Integrators
//! with stricter requirements (e.g. attestation pinning) should
//! drop `WebauthnPasskey` and plumb their own
//! `Arc<webauthn_rs::Webauthn>` into a custom [`PasskeyBackend`]
//! impl — the trait is deliberately small enough to make that
//! trivial.
//!
//! We also ship the per-user challenge state in an in-memory
//! [`dashmap::DashMap`]. That is appropriate for single-node
//! deployments and short-lived ceremonies (the WebAuthn spec
//! recommends 5-minute challenges). Note that nothing in this module
//! evicts stale entries: a pending challenge lives until it is
//! consumed by the matching verify call or overwritten by a newer
//! ceremony for the same account, so the maps grow with the number
//! of abandoned ceremonies. Multi-node deployments should externalise
//! the state (Redis, sticky sessions, etc) and implement
//! [`PasskeyBackend`] directly.
//!
//! JSS parity: `src/idp/passkey.js` (~180 LOC built on
//! `@simplewebauthn/server`).

use async_trait::async_trait;
use serde::{Deserialize, Serialize};
use thiserror::Error;

#[cfg(feature = "passkey")]
use std::sync::Arc;

#[cfg(feature = "passkey")]
use dashmap::DashMap;

#[cfg(feature = "passkey")]
use url::Url;

#[cfg(feature = "passkey")]
use webauthn_rs::prelude::{
    CreationChallengeResponse, Passkey, PasskeyAuthentication, PasskeyRegistration,
    PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse, Uuid,
};
#[cfg(feature = "passkey")]
use webauthn_rs::{Webauthn, WebauthnBuilder};

/// Errors surfaced by a [`PasskeyBackend`].
///
/// Each variant carries a human-readable detail string, and some of
/// those strings embed caller-supplied data (`NoCeremony` holds the
/// account id; the reference backend's `Verification` may echo the
/// credential id from the response). Decide deliberately whether the
/// `Display` text is safe to return verbatim to an unauthenticated
/// client.
#[derive(Debug, Error)]
pub enum PasskeyError {
    /// Backend not implemented (the `PasskeyTodo` / Null impl).
    #[error("passkey backend not implemented")]
    Unimplemented,
    /// Attestation / assertion verification failed. The reference
    /// backend also uses this variant when `webauthn-rs` refuses to
    /// *start* a ceremony.
    #[error("verification failed: {0}")]
    Verification(String),
    /// Backing store error (credential lookup, serialisation of the
    /// challenge options, etc.).
    #[error("backend: {0}")]
    Backend(String),
    /// Configuration failure on [`WebauthnPasskey`] construction
    /// (rejected `rp_id` / `origin` pair, builder failure).
    #[error("configuration: {0}")]
    Config(String),
    /// The supplied challenge token (e.g. `account_id`) has no in-
    /// flight registration / authentication state. Either never
    /// started, already consumed, or evicted. The reference backend
    /// also returns this from `authentication_options` when the
    /// account has no registered passkeys.
    #[error("no in-flight ceremony for user: {0}")]
    NoCeremony(String),
    /// Incoming response failed JSON deserialisation into the shape
    /// `webauthn-rs` expects.
    #[error("response parse: {0}")]
    Parse(String),
}

/// Registration options returned to the browser navigator API.
/// Matches the shape that `@simplewebauthn/browser` expects in
/// `startRegistration(options)`.
///
/// NOTE(review): the reference backend serialises webauthn-rs's
/// `CreationChallengeResponse`, which nests the options under a
/// `publicKey` key (the tests read `/publicKey/challenge`) — the
/// shape `navigator.credentials.create()` takes directly. Confirm
/// whether the JS client wants that wrapper or the flat options
/// object before wiring it up.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RegistrationOptions {
    /// JSON creation options sent *to* the browser (challenge, rp,
    /// user, preferred algorithms, ...). Flattened, so the wire form
    /// is the options object itself rather than a `raw` wrapper.
    #[serde(flatten)]
    pub raw: serde_json::Value,
}

/// Registration response from the browser (the attestation bundle).
///
/// `id` is pulled out as a named field; everything else the browser
/// sent (typically `rawId`, `type` and the `response` object holding
/// the attestation object and clientDataJSON) lands in `raw` via
/// `#[serde(flatten)]`. Nothing in this struct is validated — the
/// reference backend re-inserts `id` into `raw` and hands the whole
/// object to webauthn-rs, which performs every check.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RegistrationResponse {
    /// Credential id (base64url), as chosen by the authenticator.
    pub id: String,
    /// Attestation object + clientDataJSON (plus any other top-level
    /// keys the browser included).
    #[serde(flatten)]
    pub raw: serde_json::Value,
}

/// Authentication options (sign-in challenge).
///
/// Serialised form of the assertion request sent to the browser.
/// The reference backend produces it from webauthn-rs's
/// `RequestChallengeResponse`; assume the same `publicKey` wrapper
/// as [`RegistrationOptions`] until confirmed against the client.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuthenticationOptions {
    /// JSON request options (challenge, allowCredentials, ...),
    /// flattened into the wire object.
    #[serde(flatten)]
    pub raw: serde_json::Value,
}

/// Authentication response (the assertion bundle from the navigator).
///
/// Same split as [`RegistrationResponse`]: `id` is named, the rest is
/// flattened into `raw`. `id` is untrusted input — the reference
/// backend uses it only to pick which pending ceremony to check, and
/// the account it returns is still gated on the assertion signature
/// verifying.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuthenticationResponse {
    /// Credential id (base64url) the browser claims signed the challenge.
    pub id: String,
    /// Authenticator data, signature, clientDataJSON and any other
    /// top-level keys the browser included.
    #[serde(flatten)]
    pub raw: serde_json::Value,
}

/// Minimal WebAuthn contract for the IdP.
///
/// Two properties the IdP relies on from any implementation (the
/// reference [`WebauthnPasskey`] behaves this way):
///
/// * Challenges are single-use. The pending state is consumed before
///   the response is inspected, so a failed, malformed or replayed
///   response cannot be retried against the same challenge.
/// * The account id returned by
///   [`PasskeyBackend::authentication_verify`] must be bound to the
///   cryptographically verified assertion, never taken on trust from
///   the unverified response body (the credential id in the response
///   is attacker-controlled).
#[async_trait]
pub trait PasskeyBackend: Send + Sync + 'static {
    /// Start a passkey registration ceremony for the given account.
    /// Returns the creation options to forward to the browser.
    async fn registration_options(
        &self,
        account_id: &str,
    ) -> Result<RegistrationOptions, PasskeyError>;

    /// Verify an attestation response, persisting the resulting
    /// public-key credential against `account_id`.
    ///
    /// `account_id` must already be authenticated by the caller
    /// (session, fresh password login, ...); this method binds the
    /// new passkey to whatever account it is told.
    async fn registration_verify(
        &self,
        account_id: &str,
        resp: RegistrationResponse,
    ) -> Result<(), PasskeyError>;

    /// Start an assertion ceremony for `account_id`.
    /// Returns the request options to forward to the browser.
    async fn authentication_options(
        &self,
        account_id: &str,
    ) -> Result<AuthenticationOptions, PasskeyError>;

    /// Verify an assertion response. Returns the account id on
    /// success (lets the backend confirm or choose the user).
    ///
    /// No account id is supplied, so the backend has to locate the
    /// pending ceremony from the response itself; see the trait-level
    /// note on binding the result to the verified assertion.
    async fn authentication_verify(
        &self,
        resp: AuthenticationResponse,
    ) -> Result<String, PasskeyError>;
}

/// Test-only fallback. Every call returns
/// [`PasskeyError::Unimplemented`]. Kept so integrators who have not
/// yet wired a real backend can still instantiate the provider in
/// unit tests.
///
/// It never succeeds, so wiring it into a deployed IdP simply
/// disables passkey registration and login rather than weakening it.
#[doc(hidden)]
pub struct PasskeyTodo;

/// Backward-compatible alias for the Sprint-10 name.
/// Identical to [`PasskeyTodo`]; prefer the new name in fresh code.
#[doc(hidden)]
pub type NullPasskeyBackend = PasskeyTodo;

/// Shared body for every [`PasskeyTodo`] method: the stub never runs a
/// ceremony, it only reports that no backend has been wired.
fn not_wired<T>() -> Result<T, PasskeyError> {
    Err(PasskeyError::Unimplemented)
}

/// The stub backend. Each method ignores its arguments and fails with
/// [`PasskeyError::Unimplemented`].
#[async_trait]
impl PasskeyBackend for PasskeyTodo {
    /// Always `Err(Unimplemented)`; no challenge is ever issued.
    async fn registration_options(
        &self,
        _account_id: &str,
    ) -> Result<RegistrationOptions, PasskeyError> {
        not_wired()
    }

    /// Always `Err(Unimplemented)`; nothing is stored.
    async fn registration_verify(
        &self,
        _account_id: &str,
        _resp: RegistrationResponse,
    ) -> Result<(), PasskeyError> {
        not_wired()
    }

    /// Always `Err(Unimplemented)`; no challenge is ever issued.
    async fn authentication_options(
        &self,
        _account_id: &str,
    ) -> Result<AuthenticationOptions, PasskeyError> {
        not_wired()
    }

    /// Always `Err(Unimplemented)`; no account is ever returned.
    async fn authentication_verify(
        &self,
        _resp: AuthenticationResponse,
    ) -> Result<String, PasskeyError> {
        not_wired()
    }
}

// ---------------------------------------------------------------
// Real impl — webauthn-rs 0.5 backed.
// ---------------------------------------------------------------

/// Production-leaning WebAuthn backend built on [`webauthn-rs`] 0.5.
///
/// # Defaults
///
/// * `rp_id` / `rp_name` / `origin` come from [`WebauthnPasskey::new`].
/// * Single-step registration (no attestation CA pinning).
/// * COSE algorithms preferred: `EdDSA`, `ES256` — the webauthn-rs
///   default set.
/// * User-verification required (webauthn-rs 0.5 default).
/// * No subdomain wildcarding.
///
/// For stricter policies (attestation CA pinning, `PreferredAuthenticatorAttachment`,
/// etc) implement [`PasskeyBackend`] against your own
/// `webauthn_rs::Webauthn` instance.
///
/// # State
///
/// All three maps are process-local and keyed by the opaque
/// `account_id` string. The two ceremony maps are written by the
/// `*_options` calls and drained by the matching `*_verify` call;
/// nothing expires them, so an abandoned ceremony stays resident until
/// the same account starts another one.
#[cfg(feature = "passkey")]
pub struct WebauthnPasskey {
    /// Configured relying-party verifier (rp_id, origin, policy).
    webauthn: Arc<Webauthn>,
    /// Pending registration ceremony per account. A new
    /// `registration_options` call replaces any previous entry, so at
    /// most one challenge per account is ever answerable.
    registration_state: DashMap<String, PasskeyRegistration>,
    /// Pending authentication ceremony per account; same
    /// replace-on-start, remove-on-verify lifecycle.
    authentication_state: DashMap<String, PasskeyAuthentication>,
    /// Per-account list of registered passkeys. Production
    /// deployments MUST replace this with a persistent store;
    /// `WebauthnPasskey` persists to memory to keep the wrapper
    /// self-contained for tests and single-node demos.
    credentials: DashMap<String, Vec<Passkey>>,
}

#[cfg(feature = "passkey")]
impl WebauthnPasskey {
    /// Build a fresh [`WebauthnPasskey`] for the given relying-party
    /// identity.
    ///
    /// * `rp_id` — the registrable domain part of the IdP origin
    ///   (e.g. `example.com`). **This cannot be changed without
    ///   invalidating every registered credential.**
    /// * `rp_name` — human-readable display name the authenticator
    ///   may show to the user during ceremonies.
    /// * `origin` — the full origin URL (scheme + host + optional
    ///   port) the browser will send as `clientDataJSON.origin`.
    ///
    /// # Errors
    ///
    /// [`PasskeyError::Config`] when `webauthn-rs` rejects the
    /// `rp_id` / `origin` pair or the builder fails to finalise.
    pub fn new(rp_id: &str, rp_name: &str, origin: &Url) -> Result<Self, PasskeyError> {
        // Both builder stages fail the same way; keep the mapping in one place.
        fn config_err(e: impl std::fmt::Display) -> PasskeyError {
            PasskeyError::Config(e.to_string())
        }
        let webauthn = WebauthnBuilder::new(rp_id, origin)
            .map_err(config_err)?
            .rp_name(rp_name)
            .build()
            .map_err(config_err)?;
        Ok(Self {
            webauthn: Arc::new(webauthn),
            registration_state: DashMap::new(),
            authentication_state: DashMap::new(),
            credentials: DashMap::new(),
        })
    }

    /// Deterministically hash an opaque `account_id` string to the
    /// 16-byte UUID that `webauthn-rs` requires as `user_unique_id`.
    /// Using a hash keeps the user handle stable across ceremonies
    /// without persisting a separate mapping.
    ///
    /// NOTE(review): the handle is an unkeyed SHA-256 prefix of the
    /// account id and is sent to authenticators / returned in
    /// assertions. If account ids are guessable (e-mail addresses,
    /// sequential ids) the handle can be reversed by dictionary, so
    /// treat it as a pseudonym rather than a secret.
    fn account_uuid(account_id: &str) -> Uuid {
        use sha2::{Digest, Sha256};
        use std::convert::TryInto;
        let digest = Sha256::digest(account_id.as_bytes());
        let mut raw: [u8; 16] = digest[..16]
            .try_into()
            .expect("SHA-256 yields 32 bytes, so a 16-byte prefix always exists");
        // Stamp the RFC 4122 version (4) and variant (10xx) bits so the
        // value is a well-formed UUID for any consumer that checks.
        raw[6] = (raw[6] & 0x0f) | 0x40;
        raw[8] = (raw[8] & 0x3f) | 0x80;
        Uuid::from_bytes(raw)
    }

    /// Read-only access to the stored credentials for `account_id`.
    /// Mainly intended for tests that want to assert the finish
    /// step actually persisted something. Returns an empty list for
    /// unknown accounts; the list is a clone, so mutating it does not
    /// touch the store.
    pub fn credentials_for(&self, account_id: &str) -> Vec<Passkey> {
        match self.credentials.get(account_id) {
            Some(entry) => entry.value().clone(),
            None => Vec::new(),
        }
    }
}

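#[cfg(feature = "passkey")]
#[async_trait]
impl PasskeyBackend for WebauthnPasskey {
    /// Begin a registration ceremony for `account_id`.
    ///
    /// Credentials already stored for the account are passed as the
    /// exclude list so an authenticator refuses to re-register the
    /// same key. The fresh server state replaces any ceremony still
    /// pending for this account, so only the newest challenge can be
    /// completed.
    ///
    /// # Errors
    ///
    /// `Verification` if `webauthn-rs` refuses to start the ceremony
    /// (historical variant choice; this is a start-up failure, not a
    /// failed attestation), `Backend` if the options cannot be
    /// serialised.
    async fn registration_options(
        &self,
        account_id: &str,
    ) -> Result<RegistrationOptions, PasskeyError> {
        let uuid = Self::account_uuid(account_id);
        let existing: Vec<_> = self
            .credentials_for(account_id)
            .iter()
            .map(|p| p.cred_id().clone())
            .collect();
        let exclude = if existing.is_empty() {
            None
        } else {
            Some(existing)
        };
        // `account_id` serves as both user_name and display_name; the
        // authenticator may show it to the user.
        let (ccr, state): (CreationChallengeResponse, PasskeyRegistration) = self
            .webauthn
            .start_passkey_registration(uuid, account_id, account_id, exclude)
            .map_err(|e| PasskeyError::Verification(e.to_string()))?;
        self.registration_state
            .insert(account_id.to_string(), state);
        let raw = serde_json::to_value(&ccr)
            .map_err(|e| PasskeyError::Backend(format!("serialise ccr: {e}")))?;
        Ok(RegistrationOptions { raw })
    }

    /// Finish a registration ceremony and store the new passkey.
    ///
    /// The pending state is removed *before* the response is parsed,
    /// so each challenge is answerable exactly once — a malformed or
    /// forged response burns the challenge instead of leaving it open
    /// for another attempt.
    ///
    /// # Errors
    ///
    /// `NoCeremony` when nothing is pending for `account_id`, `Parse`
    /// when the body is not a `RegisterPublicKeyCredential`, and
    /// `Verification` when `webauthn-rs` rejects the attestation
    /// (e.g. challenge, origin or rp_id mismatch, bad signature).
    async fn registration_verify(
        &self,
        account_id: &str,
        resp: RegistrationResponse,
    ) -> Result<(), PasskeyError> {
        let (_, state) = self
            .registration_state
            .remove(account_id)
            .ok_or_else(|| PasskeyError::NoCeremony(account_id.to_string()))?;
        // The entire `resp` value (including the flattened `id`)
        // deserialises into `RegisterPublicKeyCredential`. Rebuild
        // the full JSON view first so we don't drop `id`.
        let mut value = resp.raw.clone();
        if let serde_json::Value::Object(ref mut map) = value {
            map.insert("id".into(), serde_json::Value::String(resp.id.clone()));
        }
        let reg: RegisterPublicKeyCredential = serde_json::from_value(value)
            .map_err(|e| PasskeyError::Parse(e.to_string()))?;
        let passkey = self
            .webauthn
            .finish_passkey_registration(&reg, &state)
            .map_err(|e| PasskeyError::Verification(e.to_string()))?;
        self.credentials
            .entry(account_id.to_string())
            .or_default()
            .push(passkey);
        Ok(())
    }

    /// Begin an assertion ceremony for `account_id`.
    ///
    /// The challenge is bound to the account's stored credentials
    /// (the allow list), which is also what later ties a verified
    /// assertion back to this account in `authentication_verify`.
    ///
    /// NOTE(review): an account with no passkeys fails fast with
    /// `NoCeremony` while a registered one receives a challenge. If
    /// this is reachable before any authentication, that difference
    /// lets a caller enumerate which accounts have passkeys; consider
    /// making the two outcomes indistinguishable at the HTTP layer.
    ///
    /// # Errors
    ///
    /// `NoCeremony` when the account has no credentials,
    /// `Verification` if `webauthn-rs` refuses to start, `Backend` if
    /// the options cannot be serialised.
    async fn authentication_options(
        &self,
        account_id: &str,
    ) -> Result<AuthenticationOptions, PasskeyError> {
        let creds = self.credentials_for(account_id);
        if creds.is_empty() {
            return Err(PasskeyError::NoCeremony(format!(
                "no passkeys registered for {account_id}"
            )));
        }
        let (rcr, state): (RequestChallengeResponse, PasskeyAuthentication) = self
            .webauthn
            .start_passkey_authentication(&creds)
            .map_err(|e| PasskeyError::Verification(e.to_string()))?;
        self.authentication_state
            .insert(account_id.to_string(), state);
        let raw = serde_json::to_value(&rcr)
            .map_err(|e| PasskeyError::Backend(format!("serialise rcr: {e}")))?;
        Ok(AuthenticationOptions { raw })
    }

    /// Finish an assertion ceremony and return the authenticated
    /// account id.
    ///
    /// On success the authenticator's signature counter and backup
    /// flags are written back to the stored passkey; without that
    /// write-back the stored counter never advances and the
    /// cloned-authenticator check `webauthn-rs` performs on every
    /// assertion is effectively disabled.
    ///
    /// # Errors
    ///
    /// `Verification` for an unknown credential id or a rejected
    /// assertion, `NoCeremony` when the located account has no pending
    /// challenge, `Parse` when the body is not a `PublicKeyCredential`.
    async fn authentication_verify(
        &self,
        resp: AuthenticationResponse,
    ) -> Result<String, PasskeyError> {
        // The trait gives us no account id, so locate the account by
        // the (unverified) credential id in the response. This only
        // selects which pending ceremony to check: `state` was built
        // from that account's own credential list, and
        // `finish_passkey_authentication` accepts an assertion only if
        // it is signed by one of those credentials, so the account we
        // return is still bound to the cryptographic check.
        //
        // NOTE(review): since the lookup key is attacker-supplied,
        // anyone who knows a victim's credential id can consume the
        // victim's pending ceremony by posting garbage here, forcing a
        // restart. Callers that know the account out-of-band (cookie,
        // login form) should prefer a backend that takes it directly.
        let account_id = self
            .credentials
            .iter()
            .find(|entry| {
                entry
                    .value()
                    .iter()
                    .any(|p| base64url_matches(p.cred_id().as_ref(), &resp.id))
            })
            .map(|entry| entry.key().clone())
            .ok_or_else(|| PasskeyError::Verification(format!("unknown credential {}", resp.id)))?;
        // Consume the pending state before inspecting the response so
        // a challenge can never be replayed, even after a failure.
        let (_, state) = self
            .authentication_state
            .remove(&account_id)
            .ok_or_else(|| PasskeyError::NoCeremony(account_id.clone()))?;

        let mut value = resp.raw.clone();
        if let serde_json::Value::Object(ref mut map) = value {
            map.insert("id".into(), serde_json::Value::String(resp.id.clone()));
        }
        let cred: PublicKeyCredential = serde_json::from_value(value)
            .map_err(|e| PasskeyError::Parse(e.to_string()))?;
        let auth_result = self
            .webauthn
            .finish_passkey_authentication(&cred, &state)
            .map_err(|e| PasskeyError::Verification(e.to_string()))?;

        // Persist the new counter / backup state. `update_credential`
        // is a no-op for passkeys whose id does not match the result,
        // so applying it across the account's list is safe.
        if auth_result.needs_update() {
            if let Some(mut creds) = self.credentials.get_mut(&account_id) {
                for passkey in creds.iter_mut() {
                    let _ = passkey.update_credential(&auth_result);
                }
            }
        }
        Ok(account_id)
    }
}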

/// Compare a raw credential id against its base64url text form.
///
/// Browsers and client libraries disagree on whether the id carries
/// `=` padding, so trailing `=` on `txt` is ignored before comparing.
/// Credential ids are public identifiers rather than secrets, hence a
/// plain (non-constant-time) string equality is sufficient here.
#[cfg(feature = "passkey")]
fn base64url_matches(bin: &[u8], txt: &str) -> bool {
    use base64::engine::general_purpose::URL_SAFE_NO_PAD;
    use base64::Engine;
    let unpadded = txt.trim_end_matches('=');
    URL_SAFE_NO_PAD.encode(bin) == unpadded
}

#[cfg(test)]
mod tests {
    use super::*;

    /// Relying-party fixture shared by the `passkey`-gated tests.
    #[cfg(feature = "passkey")]
    fn example_rp() -> WebauthnPasskey {
        let origin = Url::parse("https://idp.example.com").unwrap();
        WebauthnPasskey::new("idp.example.com", "Example IdP", &origin)
            .expect("WebauthnPasskey::new with defaults")
    }

    /// The stub must be callable and must fail loudly, never succeed.
    #[tokio::test]
    async fn passkey_todo_is_callable_and_returns_unimplemented() {
        let backend = PasskeyTodo;
        let reg = backend.registration_options("acct-1").await;
        assert!(matches!(reg, Err(PasskeyError::Unimplemented)));
        let auth = backend.authentication_options("acct-1").await;
        assert!(matches!(auth, Err(PasskeyError::Unimplemented)));
    }

    /// Construction with the documented defaults succeeds.
    #[cfg(feature = "passkey")]
    #[tokio::test]
    async fn webauthn_passkey_constructs_with_reasonable_defaults() {
        let _pk = example_rp();
    }

    /// Starting registration yields a challenge and records state.
    #[cfg(feature = "passkey")]
    #[tokio::test]
    async fn start_registration_returns_non_empty_challenge() {
        let pk = example_rp();
        let opts = pk.registration_options("alice").await.unwrap();
        // webauthn-rs nests the options under `publicKey`.
        let challenge = opts.raw["publicKey"]["challenge"]
            .as_str()
            .expect("challenge string present");
        assert!(!challenge.is_empty(), "challenge should be non-empty");

        // State must have been stored for the user.
        assert!(
            pk.registration_state.contains_key("alice"),
            "registration state recorded for alice"
        );
    }

    /// Two accounts starting registration get independent entries.
    #[cfg(feature = "passkey")]
    #[tokio::test]
    async fn start_registration_is_isolated_per_user() {
        let pk = example_rp();
        for who in ["alice", "bob"] {
            pk.registration_options(who).await.unwrap();
        }
        for who in ["alice", "bob"] {
            assert!(pk.registration_state.contains_key(who));
        }
        assert_eq!(
            pk.registration_state.len(),
            2,
            "per-user isolation retains both states"
        );
    }

    /// A finish without a matching start is refused before any parsing.
    #[cfg(feature = "passkey")]
    #[tokio::test]
    async fn registration_verify_without_start_is_rejected() {
        let pk = example_rp();
        let bogus = RegistrationResponse {
            id: "abc".into(),
            raw: serde_json::json!({}),
        };
        let err = pk.registration_verify("ghost", bogus).await.unwrap_err();
        assert!(matches!(err, PasskeyError::NoCeremony(_)));
    }

    /// No stored passkeys means no challenge can be issued.
    #[cfg(feature = "passkey")]
    #[tokio::test]
    async fn authentication_options_rejects_user_with_no_credentials() {
        let pk = example_rp();
        let outcome = pk.authentication_options("never-registered").await;
        assert!(matches!(outcome, Err(PasskeyError::NoCeremony(_))));
    }

    /// The derived user handle is stable, distinct per account and a
    /// well-formed v4 UUID.
    #[cfg(feature = "passkey")]
    #[tokio::test]
    async fn account_uuid_is_deterministic_and_v4() {
        let first = WebauthnPasskey::account_uuid("alice");
        let again = WebauthnPasskey::account_uuid("alice");
        let other = WebauthnPasskey::account_uuid("bob");
        assert_eq!(first, again, "deterministic");
        assert_ne!(first, other, "per-user unique");
        assert_eq!(first.get_version_num(), 4, "RFC 4122 v4");
    }
}