Tons of stuff tbh

README.md

@@ -80,6 +80,8 @@ It is also the natural initializer boundary for adopter-supplied auth messaging
 - custom auth-message handlers
 - optional auth template overrides
 
+For WebAuthn PRF flows, the adapter proxies PRF registration query flags and assertion request bodies to the Seamless Auth API. PRF outputs remain browser-only and are never handled by the server adapter.
+
 Location:
 
 ```

packages/core/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@seamless-auth/core",
-    "version": "0.4.0",
+    "version": "0.5.0",
     "description": "Framework-agnostic core authentication logic for SeamlessAuth",
     "license": "AGPL-3.0-only",
     "author": "Fells Code, LLC",
@@ -53,4 +53,4 @@
     "publishConfig": {
         "access": "public"
     }
-}
+}

packages/core/src/authFetch.ts

@@ -7,6 +7,8 @@ export interface AuthFetchOptions {
   headers?: Record<string, string>;
   body?: unknown;
   authorization?: string;
+  serviceAuthorization?: string;
+  forwardedClientIp?: string;
 }
 
 export async function authFetch(
@@ -17,6 +19,15 @@ export async function authFetch(
     "Content-Type": "application/json",
     ...options.headers,
     ...(options.authorization ? { Authorization: options.authorization } : {}),
+    ...((options.serviceAuthorization ?? options.authorization)
+      ? {
+          "x-seamless-service-token":
+            options.serviceAuthorization ?? options.authorization!,
+        }
+      : {}),
+    ...(options.forwardedClientIp
+      ? { "x-seamless-client-ip": options.forwardedClientIp }
+      : {}),
   };
 
   return fetch(url, {

packages/core/src/createServiceToken.ts

@@ -4,6 +4,7 @@ export interface ServiceTokenOptions {
   issuer: string;
   audience: string;
   subject: string;
+  sessionId?: string;
   refreshToken?: string;
   serviceSecret: string;
   keyId: string;
@@ -15,6 +16,7 @@ export function createServiceToken(opts: ServiceTokenOptions): string {
       iss: opts.issuer,
       aud: opts.audience,
       sub: opts.subject,
+      ...(opts.sessionId === undefined ? {} : { sid: opts.sessionId }),
       refreshToken: opts.refreshToken,
       iat: Math.floor(Date.now() / 1000),
     },

packages/core/src/ensureCookies.ts

@@ -8,11 +8,12 @@ export interface EnsureCookiesInput {
 
 export interface CookiePayload {
   sub: string;
+  sessionId?: string;
   token?: string;
   refreshToken?: string;
   roles?: string[];
   email?: string;
-  phone?: string;
+  phone?: string | null;
 }
 
 export interface CookieInstruction {
@@ -28,6 +29,7 @@ export interface EnsureCookiesResult {
   error?: string;
   user?: {
     sub: string;
+    sessionId?: string;
     roles?: string[];
   };
   setCookies?: CookieInstruction[];
@@ -46,6 +48,7 @@ export interface EnsureCookiesOptions {
   issuer: string;
   audience: string;
   keyId: string;
+  forwardedClientIp?: string;
 }
 
 const COOKIE_REQUIREMENTS: Record<
@@ -78,8 +81,35 @@ const COOKIE_REQUIREMENTS: Record<
     name: "registrationCookieName",
     required: true,
   },
+  "/otp/verify-login-email-otp": {
+    name: "preAuthCookieName",
+    required: true,
+  },
+  "/otp/verify-login-phone-otp": {
+    name: "preAuthCookieName",
+    required: true,
+  },
+  "/otp/generate-login-email-otp": {
+    name: "preAuthCookieName",
+    required: true,
+  },
+  "/otp/generate-login-phone-otp": {
+    name: "preAuthCookieName",
+    required: true,
+  },
+  "/magic-link": {
+    name: "preAuthCookieName",
+    required: true,
+  },
+  "/magic-link/check": {
+    name: "preAuthCookieName",
+    required: true,
+  },
   "/logout": { name: "accessCookieName", required: true },
   "/users/me": { name: "accessCookieName", required: true },
+  "/step-up/status": { name: "accessCookieName", required: true },
+  "/step-up/webauthn/start": { name: "accessCookieName", required: true },
+  "/step-up/webauthn/finish": { name: "accessCookieName", required: true },
   "/internal/metrics/dashboard": { name: "accessCookieName", required: true },
   "/internal/auth-events/timeseries": {
     name: "accessCookieName",
@@ -163,6 +193,7 @@ export async function ensureCookies(
       issuer: opts.issuer,
       audience: opts.audience,
       keyId: opts.keyId,
+      forwardedClientIp: opts.forwardedClientIp,
     });
 
     if (!refreshed?.token) {
@@ -182,14 +213,22 @@ export async function ensureCookies(
       type: "ok",
       user: {
         sub: refreshed.sub,
+        ...(refreshed.sessionId === undefined
+          ? {}
+          : { sessionId: refreshed.sessionId }),
         roles: refreshed.roles,
       },
       setCookies: [
         {
           name: cookieName,
           value: {
             sub: refreshed.sub,
+            ...(refreshed.sessionId === undefined
+              ? {}
+              : { sessionId: refreshed.sessionId }),
             roles: refreshed.roles,
+            email: refreshed.email,
+            phone: refreshed.phone,
           },
           ttl: refreshed.ttl,
           domain: opts.cookieDomain,
@@ -221,6 +260,9 @@ export async function ensureCookies(
       type: "ok",
       user: {
         sub: payload.sub as string,
+        ...(typeof payload.sessionId === "string"
+          ? { sessionId: payload.sessionId }
+          : {}),
         roles: payload.roles as string[] | undefined,
       },
     };

packages/core/src/getSeamlessUser.ts

@@ -6,6 +6,7 @@ export interface GetSeamlessUserOptions {
   cookieSecret: string;
   authorization: string;
   cookieName?: string;
+  forwardedClientIp?: string;
 }
 
 /**
@@ -32,9 +33,8 @@ export async function getSeamlessUser<T = any>(
 
   const response = await authFetch(`${opts.authServerUrl}/users/me`, {
     method: "GET",
-    headers: {
-      Authorization: opts.authorization,
-    },
+    authorization: opts.authorization,
+    forwardedClientIp: opts.forwardedClientIp,
   });
 
   if (!response.ok) return null;

packages/core/src/handlers/admin.ts

@@ -3,6 +3,7 @@ import { authFetch } from "../authFetch.js";
 type BaseOpts = {
   authServerUrl: string;
   authorization?: string;
+  forwardedClientIp?: string;
 };
 
 type WithQuery = BaseOpts & {
@@ -42,6 +43,7 @@ async function request(
       method,
       authorization: opts.authorization,
       body: opts.body,
+      forwardedClientIp: opts.forwardedClientIp,
     },
   );
 

packages/core/src/handlers/bootstrapAdminInvite.ts

@@ -5,6 +5,7 @@ export interface BootstrapAdminInviteOptions {
   email: string;
   authorization?: string;
   externalDelivery?: boolean;
+  forwardedClientIp?: string;
 }
 
 export interface BootstrapAdminInviteResult {
@@ -24,8 +25,9 @@ export async function bootstrapAdminInviteHandler(
     `${opts.authServerUrl}/internal/bootstrap/admin-invite`,
     {
       method: "POST",
+      authorization: opts.authorization,
+      forwardedClientIp: opts.forwardedClientIp,
       headers: {
-        authorization: opts.authorization || "",
         ...(opts.externalDelivery
           ? {
               "x-seamless-auth-delivery-mode": "external",

packages/core/src/handlers/finishLogin.ts

@@ -5,6 +5,7 @@ import { verifySignedAuthResponse } from "../verifySignedAuthResponse.js";
 export interface FinishLoginInput {
   body: unknown;
   authorization?: string;
+  forwardedClientIp?: string;
 }
 
 export interface FinishLoginOptions {
@@ -34,6 +35,7 @@ export async function finishLoginHandler(
     method: "POST",
     body: input.body,
     authorization: input.authorization,
+    forwardedClientIp: input.forwardedClientIp,
   });
 
   const data = await up.json();
@@ -58,6 +60,11 @@ export async function finishLoginHandler(
     throw new Error("Signature mismatch with data payload");
   }
 
+  const sessionId =
+    typeof verifiedAccessToken.sid === "string"
+      ? verifiedAccessToken.sid
+      : undefined;
+
   return {
     status: 200,
     body: data,
@@ -66,6 +73,7 @@ export async function finishLoginHandler(
         name: opts.accessCookieName,
         value: {
           sub: data.sub,
+          ...(sessionId === undefined ? {} : { sessionId }),
           roles: data.roles,
           email: data.email,
           phone: data.phone,

packages/core/src/handlers/finishRegister.ts

@@ -6,6 +6,7 @@ export interface FinishRegisterInput {
   authorization?: string;
   headers?: Record<string, string>;
   body: unknown;
+  forwardedClientIp?: string;
 }
 
 export interface FinishRegisterOptions {
@@ -35,6 +36,7 @@ export async function finishRegisterHandler(
     authorization: input.authorization,
     headers: input.headers,
     body: input.body,
+    forwardedClientIp: input.forwardedClientIp,
   });
 
   const data = await up.json();
@@ -59,13 +61,17 @@ export async function finishRegisterHandler(
     throw new Error("Signature mismatch with data payload");
   }
 
+  const sessionId =
+    typeof verified.sid === "string" ? verified.sid : undefined;
+
   return {
     status: 204,
     setCookies: [
       {
         name: opts.accessCookieName,
         value: {
           sub: data.sub,
+          ...(sessionId === undefined ? {} : { sessionId }),
           roles: data.roles,
           email: data.email,
           phone: data.phone,

packages/core/src/handlers/internalMetrics.ts

@@ -3,6 +3,7 @@ import { authFetch } from "../authFetch.js";
 type BaseOpts = {
   authServerUrl: string;
   authorization?: string;
+  forwardedClientIp?: string;
 };
 
 type WithQuery = BaseOpts & {
@@ -32,6 +33,7 @@ async function get(path: string, opts: WithQuery): Promise<Result> {
     {
       method: "GET",
       authorization: opts.authorization,
+      forwardedClientIp: opts.forwardedClientIp,
     },
   );
 

packages/core/src/handlers/login.ts

@@ -10,11 +10,17 @@ export interface LoginOptions {
   authServerUrl: string;
   cookieDomain?: string;
   preAuthCookieName: string;
+  forwardedClientIp?: string;
 }
 
 export interface LoginResult {
   status: number;
-  error?: string;
+  body?: {
+    message?: string;
+    identifierType?: string;
+    loginMethods?: string[];
+  };
+  error?: unknown;
   setCookies?: {
     name: string;
     value: CookiePayload;
@@ -30,6 +36,7 @@ export async function loginHandler(
   const up = await authFetch(`${opts.authServerUrl}/login`, {
     method: "POST",
     body: input.body,
+    forwardedClientIp: opts.forwardedClientIp,
   });
 
   const data = await up.json();
@@ -54,8 +61,23 @@ export async function loginHandler(
     throw new Error("Signature mismatch with data payload");
   }
 
+  const body = {
+    ...(typeof data.message === "string" ? { message: data.message } : {}),
+    ...(typeof data.identifierType === "string"
+      ? { identifierType: data.identifierType }
+      : {}),
+    ...(Array.isArray(data.loginMethods)
+      ? {
+          loginMethods: data.loginMethods.filter(
+            (item: unknown) => typeof item === "string",
+          ),
+        }
+      : {}),
+  };
+
   return {
-    status: 204,
+    status: up.status,
+    body,
     setCookies: [
       {
         name: opts.preAuthCookieName,

packages/core/src/handlers/logout.ts

@@ -5,6 +5,7 @@ export interface LogoutOptions {
   accessCookieName: string;
   registrationCookieName: string;
   refreshCookieName: string;
+  forwardedClientIp?: string;
 }
 
 export interface LogoutResult {
@@ -17,6 +18,7 @@ export async function logoutHandler(
 ): Promise<LogoutResult> {
   await authFetch(`${opts.authServerUrl}/logout`, {
     method: "GET",
+    forwardedClientIp: opts.forwardedClientIp,
   });
 
   return {