
Verify Biometric Credentials with WebAuthn [wallet - service] #150

@salazarsebas

Description

🔑 Verify Biometric Credentials with WebAuthn 🛠️

πŸ“ Description

Implement an API endpoint to verify biometric credentials (e.g., fingerprint or Face ID) using WebAuthn for the Stellar wallet service. With WebAuthn the biometric itself never leaves the user's device: the authenticator unlocks a private key locally and signs a server-issued challenge, and the service verifies that signature against the public key stored at registration. This endpoint will let users authenticate by validating their WebAuthn authentication responses against those stored public keys, ensuring secure access to protected routes and operations in the wallet service.

🎯 Objective

Create a POST /auth/verify endpoint in services/stellar-wallet/src/routes/auth-verify.js to verify WebAuthn credentials against the SQLite database, with a unit test to confirm functionality.

🗂 Structure

  • Directory: services/stellar-wallet
  • Files:
    • src/routes/auth-verify.js
    • tests/routes/auth-verify.test.js
  • Expected structure:
    services/stellar-wallet
    ├── src
    │   ├── index.js
    │   ├── stellar
    │   │   ├── client.js
    │   │   ├── keys.js
    │   │   └── fund.js
    │   ├── db
    │   │   └── kyc.js
    │   ├── routes
    │   │   ├── kyc.js
    │   │   ├── kyc-verify.js
    │   │   ├── kyc-status.js
    │   │   ├── auth-register.js
    │   │   └── auth-verify.js
    │   ├── kyc
    │   │   └── validate.js
    │   ├── soroban
    │   │   ├── client.js
    │   │   ├── kyc-contract.rs
    │   │   └── deploy.js
    │   └── auth
    │       └── webauthn.js
    ├── config
    │   └── db.sqlite
    ├── tests
    │   ├── stellar
    │   │   ├── client.test.js
    │   │   ├── keys.test.js
    │   │   └── fund.test.js
    │   ├── db
    │   │   └── kyc.test.js
    │   ├── routes
    │   │   ├── kyc.test.js
    │   │   ├── kyc-verify.test.js
    │   │   ├── kyc-status.test.js
    │   │   ├── auth-register.test.js
    │   │   └── auth-verify.test.js
    │   ├── kyc
    │   │   └── validate.test.js
    │   └── soroban
    │       ├── client.test.js
    │       └── deploy.test.js
    ├── package.json
    ├── .env.example
    ├── .eslintrc.json
    ├── .eslintignore
    ├── .prettierrc.json
    ├── .prettierignore
    └── .gitignore


✅ Requirements

  • Create a branch named feat/webauthn-verify for this task.
  • Create src/routes/auth-verify.js to define a POST /auth/verify endpoint using Express.
  • Configure the endpoint to accept JSON input with user_id (string, matching a kyc_id from the SQLite database) and the WebAuthn authentication response, i.e. the JSON produced by navigator.credentials.get() on the client (id, rawId, type, and a response object carrying clientDataJSON, authenticatorData and signature).
  • Validate that user_id exists in the credentials table (from Issue 17); return HTTP 400 with a JSON error message (e.g., { error: "Invalid user ID" }) if not found.
  • The authentication options the client signs come from generateAuthenticationOptions in src/auth/webauthn.js (Issue 16). The challenge in those options must be minted server-side before the client signs and stored per pending login (for example in the session), so that /auth/verify can pass it as expectedChallenge; a challenge carried in the verify request body must never be trusted, and each challenge must be accepted at most once.
  • Verify the client’s WebAuthn response with @simplewebauthn/server (verifyAuthenticationResponse, with expectedChallenge, expectedOrigin and expectedRPID taken from server configuration, not from the request) against the stored credential_id and public_key in the credentials table. On success, persist the signature counter it returns as newCounter alongside the credential, so that a cloned authenticator replaying an old counter value is rejected on its next use.
  • Return a JSON response with HTTP status 200 and details (e.g., { user_id, verified: true }) if verification succeeds.
  • Treat every verification failure (invalid or malformed WebAuthn response, challenge or origin mismatch, a credential_id not registered for that user, bad signature) as HTTP 401 with a generic JSON error message (e.g., { error: "Authentication failed" }); log the specific reason server-side rather than returning it to the client. Reserve HTTP 500 for unexpected server errors such as a database failure.
  • Create a unit test in tests/routes/auth-verify.test.js to verify:
    • Successful verification returns HTTP 200 with verified: true.
    • Invalid user_id or WebAuthn response returns HTTP 401 or 400.
  • Mock the WebAuthn server and SQLite database in the unit test to avoid external dependencies.
  • Update src/index.js to mount the authentication verification routes at /auth/verify.
  • Ensure the code adheres to ESLint and Prettier rules (from Issue 3).
  • Commit changes to the feat/webauthn-verify branch with a message like feat: verify webauthn credentials.
  • Verify that the CI pipeline (from Issue 1) passes, with linting and test jobs succeeding.

πŸ† Expected Outcomes

  • src/routes/auth-verify.js defines a POST /auth/verify endpoint that verifies WebAuthn credentials.
  • Valid credentials are verified against the credentials table, returning HTTP 200 with a JSON response.
  • Invalid inputs or failed verifications return appropriate HTTP status codes and JSON error messages.
  • Unit test in tests/routes/auth-verify.test.js confirms correct behavior for valid and invalid inputs.
  • Express server mounts authentication verification routes correctly.
  • Code passes ESLint and Prettier checks.
  • Changes are committed to the feat/webauthn-verify branch with a descriptive lowercase commit message.
  • CI pipeline runs successfully, with linting passing for src/routes/auth-verify.js and tests/routes/auth-verify.test.js, and the unit test passing.

🔗 References

📋 Notes

  • The user_id should match a kyc_id in the credentials table.
  • Mocking the WebAuthn server and SQLite database in tests ensures reliable CI execution.
  • Ensure secure handling of credentials: never return stored credential data (credential_id, public_key, counter) or the pending challenge to the client, and keep them out of logs and error messages.
  • Verification failures should return HTTP 401 to indicate unauthorized access.
  • Commit messages must be in lowercase and start with feat, change, fix, chore, or refactor.
  • The CI pipeline should validate the new code, ensuring ESLint passes and the unit test executes successfully.

Metadata

Labels

onlydust-wave (Contribute to awesome OSS repos during OnlyDust's open source week)