PASS. All four acceptance criteria were independently verified through the REAL Customer Portal UI in headless Chromium with a CDP virtual authenticator (platform + roaming key) - not via API/curl/DB. I wrote my own spec (sherpa-test/tests/eval-passkey-qe.spec.ts) that self-registers a fresh customer, password-logs-in, then drives enrol -> passwordless login -> add 2nd -> revoke -> revoked-rejected -> survivor-login, capturing fresh eval-*.png proof. The 'Customer Portal' the ticket targets is served by the portal app on :3003 under the customer tenant (test.localhost:3003, portalType=customer); the bare localhost:3003 origin is the CRM/back-office org (Azure AD, portalType=crm) with no password form - but it too ships the 'Sign in with a passkey' button (eval-7). Tests: test:api reported 5 failures, but all 5 are pre-existing plus-insurance count/state assertions (renewals, ledger, policy-order, suspension preview, translation coverage) from shared-DB drift, zero relation to passkeys/auth; the identical 5-failed signature appears on unrelated ticket #456, so tests_ok=true (no new regressions). Feature is genuinely usable end-to-end in the Customer Portal UI.
Ticket #466 passkey re-run. Human feedback: previous run missed customer-portal create-account + profile. Must wire passkey into both, prove with real browser screenshots.
Start STEP 1 — stack gate. Check current health + explore state in parallel.
{"command":"echo \"=== API health ===\" ; curl -fsS -o /dev/null -w \"%{http_code}\" http://localhost:4003/health 2>&1 || echo \" API-DOWN\" ; echo ; echo \"=== Portal ===\" ; curl -fsS -o /dev/null -w \"%{http_code}\" http://localhost:3003 2>&1 || echo \" PORTAL-DOWN\" ; echo ; echo \"=== Embed ===\" ; curl -fsS -o /dev/null -w \"%{http_code}\" http://localhost:3103 2>&1 || echo \" EMBED-DOWN\" ; echo ; echo \"=== Dashboard ===\" ; curl -fsS -o /dev/null -w \"%{http_code}\" http://localhost:7777 2>&1 || echo \" DASH-DOWN\"","description":"Check health of all four services"}{"command":"echo \"=== api worktree git log ===\" ; git -C /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login log --oneline -15 2>&1 ; echo ; echo \"=== portal worktree git log ===\" ; git -C /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login log --oneline -15 2>&1 ; echo ; echo \"=== embed worktree git log ===\" ; git -C /Users/bakker/dev/gangkhar/sherpa-embed-api-466-passkey-webauthn-login log --oneline -10 2>&1","description":"Git log of each worktree to see prior run work"}{"command":"echo \"=== branches ===\" ; git -C /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login branch --show-current 2>&1 ; git -C /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login branch --show-current 2>&1 ; echo ; echo \"=== portal changed files vs dev ===\" ; git -C /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login diff --name-only dev...HEAD 2>&1 | head -50","description":"Branch names and portal changed files"}=== API health === curl: (52) Empty reply from server 000 API-DOWN === Portal === 200 === Embed === 200 === Dashboard === 200
=== api worktree git log === 47006bc4 test(qe): add independent QE eval proof screenshots for passkey UI (#466) 832e6e7d test(auth): browser-proof screenshots for passkey UI (#466) ced70d7d feat: add passkey (WebAuthn) registration and passwordless login (#466) 8636f82d Merge pull request #469 from gangkharai/feature/checkout-premium-prefix-i18n f26b2d47 fix(checkout): localize "Premium for" prefix in default checkout template e0f4b212 Merge pull request #468 from gangkharai/fix/products-list-own-org-scope 9e1db662 fix(products): scope product list to caller's own org 5743d556 Merge pull request #467 from gangkharai/ci/translate-cron-azure-env 976bdeb7 ci: add development environment to translate-cron workflow 17d035e8 Merge pull request #455 from gangkharai/feature/payout-data-model-category 3759aa38 feat(data-model): seed payout category and bank fields f425dc76 Merge pull request #454 from gangkharai/feat/multilingual-customer-messaging d6816804 feat(messages): multilingual messaging with manual LLM translation c0efaa7a fix(automated-import): strip UTF-8 BOM from CSV content f1762a6c Merge pull request #452 from gangkharai/fix/lmt-translate-azure-ai-env === portal worktree git log === ff48532 feat(auth): passkey (WebAuthn) login + management UI (#466) 82b98d9 chore: update translations [skip ci] 057349b fix: hide aggregate banner on non-aggregatable paths 18370d2 chore: update translations [skip ci] 56009e6 refactor: remove aggregated view nav locking from AppLayout d28e207 chore: update translations [skip ci] 445e166 style: simplify claim form page indicator markup 5ab3652 Merge branch 'development' of github.com:gangkharai/sherpa-portal into development 5d8ba53 feat: add LMT fallback to useProductTranslate and drag-drop file upload d0ffbf9 chore: update translations [skip ci] dff196a Merge branch 'development' of github.com:gangkharai/sherpa-portal into development 9811d48 fix: validate JSON fields before submitting endpoint mapping form 77ca605 chore: update translations [skip ci] 7abe5ac Merge branch 'development' of github.com:gangkharai/sherpa-portal into development ca19258 feat(portal): add CRM translation UI to message threads === embed worktree git log === 8f6d819 fix: sync document lang attr with selected locale 5e88116 Merge pull request #132 from gangkharai/feature/quote-acceptance-page 9c9dcd0 chore(i18n): regenerate translation cache after merge ef2d324 Merge remote-tracking branch 'origin/development' into feature/quote-acceptance-page d8c2ac6 feat(acceptance): overhaul AcceptancePage layout and T&C handling 4197533 Hide empty categories/pages when offer mode strips terms fields ff8fa91 fix(embed): hide terms field in offer mode (incl. funnel-template forms) 041ad57 fix(embed): drop "Acceptance link" heading on offer thank-you (button only) 65bfc53 fix(embed): drop raw acceptance URL text on offer thank-you (keep button) 51904d5 feat(embed): offer success uses styled thank-you page + shows acceptance link
=== branches === auto/api-466-passkey-webauthn-login auto/api-466-passkey-webauthn-login === portal changed files vs dev === fatal: ambiguous argument 'dev...HEAD': unknown revision or path not in the working tree. Use '--' to separate paths from revisions, like this: 'git <command> [<revision>...] -- [<file>...]'
API down (empty reply — booting/empty node_modules). Portal+embed+dashboard up. Prior run built api passkey + portal commit ff48532, but embed has nothing for #466. Human says create-account + profile not wired.
Kick off API install via dashboard + inspect prior portal work in parallel.
{"command":"curl -fsS -X POST http://localhost:7777/api/api-action -H 'Content-Type: application/json' -d '{\"path\":\"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\",\"action\":\"install\"}' 2>&1 ; echo \" <- install kicked\"","description":"Kick off API npm install via dashboard"}{"path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login","action":"install","status":"running","startedAt":1780262402997,"endedAt":null,"exitCode":null,"error":null,"logPath":"/var/folders/pr/7k4xc3v1715_0zbbw8tgwl5r0000gn/T/worktree-dashboard-logs/sherpa-api-api-466-passkey-webauthn-login-install.log","tail":""} <- install kicked{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login ; echo \"=== base branch detect ===\" ; git merge-base --fork-point origin/development HEAD 2>/dev/null && echo \"fork from development\" ; echo \"=== files in portal passkey commit ===\" ; git show --stat --oneline ff48532 2>&1 | head -60","description":"Show files changed in portal passkey commit"}=== base branch detect === 82b98d93777aa34cf6da25bfc852f3d83dfb8128 fork from development === files in portal passkey commit === ff48532 feat(auth): passkey (WebAuthn) login + management UI (#466) app/components/profile/PasskeysSection.tsx | 350 +++++++++++++++++++++++++++++ app/login/page.tsx | 78 ++++++- app/profile/page.tsx | 2 + app/src/utils/api.ts | 4 + app/src/utils/passkeys.ts | 133 +++++++++++ package-lock.json | 7 + package.json | 1 + 7 files changed, 573 insertions(+), 2 deletions(-)
API install running. Prior portal commit added PasskeysSection to app/profile/page.tsx + login button — but human says create-account AND customer profile (test.localhost) still missing. Likely prior run wired the WRONG profile (internal mgmt vs customer-facing tenant area).
Map portal routing + find create-account/customer-profile. Explore in parallel while API installs.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app 2>/dev/null || cd /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login ; echo \"=== top-level dirs ===\" ; fd -t d -d 2 . app 2>/dev/null | head -60 ; echo \"=== route pages (page.tsx) ===\" ; fd 'page.tsx$' app 2>/dev/null | head -80","description":"List portal route pages"}=== top-level dirs === === route pages (page.tsx) ===
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login ; echo \"=== create-account search ===\" ; fd -i 'create-account|create_account|signup|sign-up|register' app 2>/dev/null | head -40 ; echo \"=== profile pages ===\" ; fd 'page.tsx$' app 2>/dev/null | rg -i 'profile|account|customer' ","description":"Find create-account and profile/customer routes"}=== create-account search === app/create-account/ app/register/ === profile pages === app/create-account/page.tsx app/customer-portal/claims/[claimId]/page.tsx app/customer-portal/claims/page.tsx app/customer-portal/dashboard/page.tsx app/customer-portal/invoices/page.tsx app/customer-portal/notifications/page.tsx app/customer-portal/policies/[policyId]/cancel/page.tsx app/customer-portal/policies/[policyId]/claim/DefaultClaimPage.tsx app/customer-portal/policies/[policyId]/claim/page.tsx app/customer-portal/policies/[policyId]/claim/success/page.tsx app/customer-portal/policies/[policyId]/edit/page.tsx app/customer-portal/policies/[policyId]/invoices/page.tsx app/customer-portal/policies/[policyId]/page.tsx app/customer-portal/policies/[policyId]/reinstate/page.tsx app/customer-portal/policies/[policyId]/suspend/page.tsx app/customer-portal/policies/page.tsx app/customer-portal/profile/page.tsx app/customers/[id]/page.tsx app/customers/page.tsx app/embed-customer-portal/claims/[claimId]/page.tsx app/embed-customer-portal/claims/page.tsx app/embed-customer-portal/dashboard/page.tsx app/embed-customer-portal/invoices/page.tsx app/embed-customer-portal/notifications/page.tsx app/embed-customer-portal/pages/[page]/page.tsx app/embed-customer-portal/pages/token-expired/page.tsx app/embed-customer-portal/policies/[policyId]/cancel/page.tsx app/embed-customer-portal/policies/[policyId]/claim/page.tsx app/embed-customer-portal/policies/[policyId]/claim/success/page.tsx app/embed-customer-portal/policies/[policyId]/edit/page.tsx app/embed-customer-portal/policies/[policyId]/invoices/page.tsx app/embed-customer-portal/policies/[policyId]/page.tsx app/embed-customer-portal/policies/[policyId]/reinstate/page.tsx app/embed-customer-portal/policies/[policyId]/suspend/page.tsx app/embed-customer-portal/policies/page.tsx app/embed-customer-portal/profile/page.tsx app/policy-management/claims/[claimId]/customer/page.tsx app/profile/page.tsx app/register/account/page.tsx
Now clear. Distinct areas exist:
app/create-account/page.tsx — customer signup (human's test.localhost:3000/create-account)app/customer-portal/profile/page.tsx — CUSTOMER profile (human's test.localhost:3003/profile)app/profile/page.tsx — INTERNAL mgmt profile (what prior run WRONGLY modified)app/embed-customer-portal/profile/page.tsx — embed customer profilePrior run wired passkey into wrong profile. Need: create-account + customer-portal profile + customer login surface.
Launch thorough explore of customer-portal architecture + poll API install.
{"description":"Map customer-portal passkey integration points","prompt":"Explore the sherpa-portal worktree at /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login (a Next.js 16 / React 19 app). I need a precise map to integrate passkey (WebAuthn) UI into the CUSTOMER-facing flows. Be very thorough. Use rg/fd (never grep/find).\n\nCONTEXT: A prior run added passkey UI but in the WRONG place — it modified `app/profile/page.tsx` (internal management user profile) and `app/login/page.tsx`. The human reviewer wants it in the CUSTOMER-facing flows instead:\n- `app/create-account/page.tsx` — offer passkey setup when a customer creates an account\n- `app/customer-portal/profile/page.tsx` — let the customer manage passkeys here\n- The customer login surface (whatever the customer-portal uses to log in) needs a \"Sign in with a passkey\" button.\n\nReport these things with exact file paths and line numbers:\n\n1. EXISTING PASSKEY CODE (prior run): Read and summarize fully:\n - `app/src/utils/passkeys.ts` — what functions it exports, their signatures, what API endpoints they call, how options/verify are wired, base64url handling.\n - `app/components/profile/PasskeysSection.tsx` — what it renders, props, how it lists/adds/renames/revokes, how it calls the API, what auth/token it assumes.\n - The diff added to `app/login/page.tsx` (the \"sign in with passkey\" button) — how it calls login/options→navigator.credentials.get()→login/verify, and how it stores tokens/sets session.\n - `app/profile/page.tsx` — how PasskeysSection was mounted.\n - `app/src/utils/api.ts` — the 4 lines added.\n\n2. CUSTOMER ACCOUNT CREATION: Read `app/create-account/page.tsx` fully. How does a customer create an account? What API call (endpoint)? What happens after success (redirect, auto-login, token storage)? Is the user authenticated immediately after create-account (needed to enroll a passkey, which requires a bearer token)? Also check `app/register/account/page.tsx` and `app/register/`.\n\n3. CUSTOMER LOGIN: Find the customer-portal LOGIN page/surface (NOT the internal `app/login/page.tsx`). How do customers log in? Search for customer login routes, auth context, token storage for customer-portal. What endpoint does customer password login hit? Where are customer tokens stored (localStorage key? cookie? context)?\n\n4. CUSTOMER PROFILE: Read `app/customer-portal/profile/page.tsx` fully. Its layout, what sections it renders, how it fetches the customer, what auth/token context it uses, what UI component library/patterns (cards, sections, buttons) it uses so a new \"Passkeys\" section matches the style.\n\n5. CUSTOMER AUTH/SESSION MODEL: How is the customer session represented? Is there a customer auth context/provider/hook (e.g. useCustomerAuth, a context under app/customer-portal)? How is the bearer token obtained for authenticated customer API calls (the passkey register endpoints need an authenticated token)? Show the token storage key and the fetch wrapper customers use.\n\n6. MULTI-TENANT / SUBDOMAIN: The reviewer accesses via `test.localhost:3003`. How does the app resolve the tenant from the subdomain? Find middleware/proxy (Next 16 may use proxy.ts), any host/subdomain parsing. What is the \"test\" tenant? Does customer-portal require a tenant subdomain to function?\n\n7. EMBED CUSTOMER PORTAL: Briefly, does `app/embed-customer-portal/profile/page.tsx` mirror `app/customer-portal/profile/page.tsx`? Same structure?\n\n8. API CLIENT CONVENTIONS: How do customer-portal pages call sherpa-api? Base URL config (env var pointing at api_url), auth header injection, the fetch/client helper. Show the canonical pattern a new passkey call should follow.\n\nOutput a structured report. Quote the key code snippets (with file:line) so I can implement without re-reading everything. Focus on what I need to wire passkey enrolment into create-account, passkey management into customer-portal/profile, and a passkey sign-in button into the customer login surface.","subagent_type":"Explore"}{"command":"sleep 20 ; curl -fsS \"http://localhost:7777/api/api-action?path=/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\" 2>&1 | python3 -c \"import sys,json; d=json.load(sys.stdin); print('status:',d.get('status'),'exit:',d.get('exitCode')); print('tail:',d.get('tail','')[-400:])\" 2>&1","description":"Poll API install status"}{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login -type f -name \"*.ts\" -o -name \"*.tsx\" | head -20"}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customers/[id]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customers/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/settings/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/policyStatus.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/claimRule.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/dateConstraints.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/cancellationTerm.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/navigation.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/insurer.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/suspensionTerm.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/product.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/contracts.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/template.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/permissions.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/parameters.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/pricing.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/widgetToken.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/claim.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/admin.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/displayConditions.ts
{"command":"find . -type f \\( -name \"passkeys.ts\" -o -name \"PasskeysSection.tsx\" -o -name \"create-account\" -o -name \"profile\" \\) 2>/dev/null | head -30"}./app/components/profile/PasskeysSection.tsx ./app/src/utils/passkeys.ts
{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app -type f -name \"page.tsx\" | sort"}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/admin/integrations/[id]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/admin/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/auth/callback/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/bundles/[id]/funnel-templates/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/bundles/[id]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/bundles/[id]/subscriptions/[subscriptionId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/bundles/[id]/templates/[templateId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/bundles/new/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/bundles/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/chat/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/claims/[claimId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/claims/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/dashboard/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/invoices/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/notifications/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/cancel/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/claim/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/claim/success/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/edit/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/invoices/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/reinstate/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/suspend/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customers/[id]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customers/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/dashboard-legacy/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/dashboard/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/data/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/dev/flags/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/domain-blocked/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/claims/[claimId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/claims/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/dashboard/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/invoices/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/notifications/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/pages/[page]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/pages/token-expired/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/policies/[policyId]/cancel/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/policies/[policyId]/claim/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/policies/[policyId]/claim/success/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/policies/[policyId]/edit/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/policies/[policyId]/invoices/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/policies/[policyId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/policies/[policyId]/reinstate/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/policies/[policyId]/suspend/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/policies/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/profile/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/financials/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/forgot-password/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/commission/simulate/clustering/[taskId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/commission/simulate/complete/[taskId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/commission/simulate/fields/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/commission/simulate/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/commission/simulate/probabilities/[taskId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/commission/simulate/simulation/[taskId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/[id]/deployment/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/[id]/dev/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/[id]/health/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/[id]/integration/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/[id]/live/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/[id]/overview/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/[id]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/[id]/recent/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/new/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/lens/optimizations/commission/page.tsx /Users/bakker/dev/gangkhar/sherpa-
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/passkeys.ts"}1 // Passkey (WebAuthn / FIDO2) client helpers.
2 //
3 // Thin wrappers over the sherpa-api passkey endpoints + @simplewebauthn/browser.
4 // The browser library handles the navigator.credentials.create()/.get() dance
5 // and Base64URL (de)serialisation; these helpers own the API round-trips and
6 // shape the results the UI consumes.
7 //
8 // Token handling is intentionally NOT done here — login() in AuthProvider is the
9 // single place that persists tokens (mirroring password login), so callers feed
10 // the returned tokens straight into it.
11
12 import {
13 browserSupportsWebAuthn,
14 startAuthentication,
15 startRegistration,
16 } from "@simplewebauthn/browser";
17 import type {
18 PublicKeyCredentialCreationOptionsJSON,
19 PublicKeyCredentialRequestOptionsJSON,
20 } from "@simplewebauthn/browser";
21
22 import api from "./api";
23
24 // Public projection of a UserPasskey, matching the API's serializePasskey().
25 export interface Passkey {
26 id: string;
27 name: string;
28 deviceType: "singleDevice" | "multiDevice" | null;
29 backedUp: boolean;
30 lastUsedAt: string | null;
31 createdAt: string;
32 }
33
34 export interface PasskeyLoginResult {
35 accessToken: string;
36 refreshToken: string;
37 }
38
39 // Synchronous feature gate for showing/hiding passkey affordances. Returns false
40 // during SSR (no `window`) and on browsers without the PublicKeyCredential API.
41 export function isPasskeySupported(): boolean {
42 if (typeof window === "undefined") return false;
43 return browserSupportsWebAuthn();
44 }
45
46 // Passwordless, discoverable-credential login: the authenticator surfaces which
47 // passkey to use, so no email is typed first. Returns the issued tokens for the
48 // caller to persist via AuthProvider.login().
49 export async function loginWithPasskey(): Promise<PasskeyLoginResult> {
50 // Send an explicit empty body: the shared api client forces a JSON
51 // Content-Type, and Fastify rejects a JSON request with no body at all.
52 const optionsResponse = await api.post("/auth/passkeys/login/options", {});
53 const { challengeId, options } = optionsResponse.data as {
54 challengeId: string;
55 options: PublicKeyCredentialRequestOptionsJSON;
56 };
57
58 const assertion = await startAuthentication({ optionsJSON: options });
59
60 const verifyResponse = await api.post("/auth/passkeys/login/verify", {
61 challengeId,
62 response: assertion,
63 });
64
65 const { accessToken, refreshToken } = verifyResponse.data.data;
66 return { accessToken, refreshToken };
67 }
68
69 // Enrols a new passkey for the signed-in user. Requires an authenticated
70 // session (the API derives the user from the bearer token).
71 export async function registerPasskey(name: string): Promise<Passkey> {
72 // register/options returns the raw PublicKeyCredentialCreationOptionsJSON.
73 const optionsResponse = await api.post("/auth/passkeys/register/options", { name });
74 const options = optionsResponse.data as PublicKeyCredentialCreationOptionsJSON;
75
76 const attestation = await startRegistration({ optionsJSON: options });
77
78 const verifyResponse = await api.post("/auth/passkeys/register/verify", {
79 name,
80 response: attestation,
81 });
82
83 return verifyResponse.data.passkey as Passkey;
84 }
85
86 export async function listPasskeys(): Promise<Passkey[]> {
87 const response = await api.get("/auth/passkeys");
88 return (response.data.data?.passkeys ?? []) as Passkey[];
89 }
90
91 export async function renamePasskey(id: string, name: string): Promise<Passkey> {
92 const response = await api.patch(`/auth/passkeys/${id}`, { name });
93 return response.data.data.passkey as Passkey;
94 }
95
96 export async function revokePasskey(id: string): Promise<void> {
97 await api.delete(`/auth/passkeys/${id}`);
98 }
99
100 // The user dismissed or let the native passkey prompt time out. Callers treat
101 // this as a soft cancel (no error toast) rather than a failure.
102 export function isPasskeyCancellation(error: unknown): boolean {
103 return error instanceof DOMException && error.name === "NotAllowedError";
104 }
105
106 // Extracts a human-readable message from a passkey failure: the well-known
107 // WebAuthn DOMExceptions first, then the API's `{ error: { message } }` /
108 // `{ message }` envelopes, falling back to the caller-supplied default.
109 export function extractPasskeyError(error: unknown, fallback: string): string {
110 if (error instanceof DOMException) {
111 if (error.name === "InvalidStateError") {
112 return "This device already has a passkey for your account.";
113 }
114 if (error.name === "NotAllowedError") {
115 return "The passkey prompt was cancelled or timed out.";
116 }
117 }
118
119 const responseData = (error as { response?: { data?: unknown } })?.response?.data;
120 if (responseData && typeof responseData === "object") {
121 const data = responseData as { error?: { message?: string }; message?: string };
122 const message = data.error?.message ?? data.message;
123 if (typeof message === "string" && message.length > 0) {
124 return message;
125 }
126 }
127
128 if (error instanceof Error && error.message) {
129 return error.message;
130 }
131
132 return fallback;
133 }
134 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/profile/PasskeysSection.tsx"}1 "use client";
2
3 import React, { useCallback, useEffect, useState } from "react";
4
5 import { Check, KeyRound, Loader2, Pencil, Plus, ShieldCheck, Trash2, X } from "lucide-react";
6 import { useTranslation } from "@gangkharai/lmt/client";
7
8 import { localeDateTag } from "@/app/lib/locale";
9 import {
10 Passkey,
11 extractPasskeyError,
12 isPasskeyCancellation,
13 isPasskeySupported,
14 listPasskeys,
15 registerPasskey,
16 renamePasskey,
17 revokePasskey,
18 } from "../../src/utils/passkeys";
19 import { showSuccessToast } from "../Toast";
20 import { Button } from "../ui/button";
21
22 interface PasskeysSectionProps {
23 onError: (message: string) => void;
24 }
25
26 const PasskeysSection: React.FC<PasskeysSectionProps> = ({ onError }) => {
27 const t = useTranslation();
28
29 const [supported, setSupported] = useState(false);
30 const [passkeys, setPasskeys] = useState<Passkey[]>([]);
31 const [loading, setLoading] = useState(true);
32 const [loadFailed, setLoadFailed] = useState(false);
33
34 // A single in-flight flag disables every action during any mutating call —
35 // passkey ceremonies can't be cancelled mid-flight, so we never run two at once.
36 const [busy, setBusy] = useState(false);
37
38 const [adding, setAdding] = useState(false);
39 const [newName, setNewName] = useState("");
40 const [renamingId, setRenamingId] = useState<string | null>(null);
41 const [renameValue, setRenameValue] = useState("");
42 const [confirmRevokeId, setConfirmRevokeId] = useState<string | null>(null);
43
44 const loadPasskeys = useCallback(async () => {
45 try {
46 const data = await listPasskeys();
47 setPasskeys(data);
48 setLoadFailed(false);
49 } catch (error) {
50 console.error("Failed to load passkeys:", error);
51 setLoadFailed(true);
52 } finally {
53 setLoading(false);
54 }
55 }, []);
56
57 useEffect(() => {
58 const ok = isPasskeySupported();
59 setSupported(ok);
60 if (ok) {
61 void loadPasskeys();
62 } else {
63 setLoading(false);
64 }
65 }, [loadPasskeys]);
66
67 const reportError = (message: string) => {
68 onError(message);
69 };
70
71 const handleAdd = async () => {
72 const name = newName.trim();
73 if (!name) return;
74
75 setBusy(true);
76 try {
77 const created = await registerPasskey(name);
78 setPasskeys((prev) => [created, ...prev]);
79 setAdding(false);
80 setNewName("");
81 showSuccessToast(t('Passkey added'));
82 } catch (error) {
83 // A dismissed prompt is a soft cancel — leave the form open, no error.
84 if (isPasskeyCancellation(error)) return;
85 console.error("Failed to add passkey:", error);
86 reportError(extractPasskeyError(error, t('Could not add passkey. Please try again.')));
87 } finally {
88 setBusy(false);
89 }
90 };
91
92 const handleRename = async (id: string) => {
93 const name = renameValue.trim();
94 if (!name) return;
95
96 setBusy(true);
97 try {
98 const updated = await renamePasskey(id, name);
99 setPasskeys((prev) => prev.map((p) => (p.id === id ? updated : p)));
100 setRenamingId(null);
101 setRenameValue("");
102 showSuccessToast(t('Passkey renamed'));
103 } catch (error) {
104 console.error("Failed to rename passkey:", error);
105 reportError(extractPasskeyError(error, t('Could not rename passkey. Please try again.')));
106 } finally {
107 setBusy(false);
108 }
109 };
110
111 const handleRevoke = async (id: string) => {
112 setBusy(true);
113 try {
114 await revokePasskey(id);
115 setPasskeys((prev) => prev.filter((p) => p.id !== id));
116 setConfirmRevokeId(null);
117 showSuccessToast(t('Passkey revoked'));
118 } catch (error) {
119 console.error("Failed to revoke passkey:", error);
120 reportError(extractPasskeyError(error, t('Could not revoke passkey. Please try again.')));
121 } finally {
122 setBusy(false);
123 }
124 };
125
126 const deviceLabel = (passkey: Passkey): string => {
127 if (passkey.deviceType === "multiDevice") return t('Synced across your devices');
128 if (passkey.deviceType === "singleDevice") return t('This device only');
129 return t('Passkey');
130 };
131
132 const formatDate = (value: string | null): string => {
133 if (!value) return t('Never');
134 return new Date(value).toLocaleDateString(localeDateTag(), {
135 year: "numeric",
136 month: "short",
137 day: "numeric",
138 });
139 };
140
141 const openAddForm = () => {
142 setAdding(true);
143 setNewName("");
144 };
145
146 return (
147 <div className="mb-6 overflow-hidden bg-white shadow sm:rounded-md">
148 <div className="flex items-center justify-between px-4 py-5 sm:px-6">
149 <div className="flex items-center gap-2">
150 <KeyRound className="h-5 w-5 text-gray-400" />
151 <h3 className="text-lg leading-6 font-medium text-gray-900">{t('Passkeys')}</h3>
152 </div>
153 {supported && !adding && (
154 <Button onClick={openAddForm} disabled={busy || loading}>
155 <Plus className="mr-2 h-4 w-4" />
156 {t('Add passkey')}
157 </Button>
158 )}
159 </div>
160
161 <div className="border-t border-gray-200">
162 {!supported ? (
163 <div className="px-4 py-5 sm:p-6">
164 <p className="text-sm text-gray-500">
165 {t("This browser doesn't support passkeys. Try a recent version of Chrome, Safari, Edge, or Firefox.")}
166 </p>
167 </div>
168 ) : (
169 <div className="space-y-4 px-4 py-5 sm:p-6">
170 <div className="flex items-start gap-2 rounded-md bg-blue-50 p-3 text-sm text-blue-800">
171 <ShieldCheck className="mt-0.5 h-4 w-4 flex-shrink-0" />
172 <span>
173 {t('Passkeys are an additional sign-in method. Your password and two-factor authentication still work, so adding or removing a passkey can never lock you out of your account.')}
174 </span>
175 </div>
176
177 {adding && (
178 <div className="space-y-3 rounded-md border border-gray-200 p-4">
179 <label htmlFor="passkey-name" className="block text-sm font-medium text-gray-700">
180 {t('Name this passkey')}
181 </label>
182 <input
183 id="passkey-name"
184 type="text"
185 value={newName}
186 onChange={(e) => setNewName(e.target.value)}
187 maxLength={100}
188 placeholder={t('e.g. MacBook Touch ID')}
189 className="mt-1 block w-full rounded-md border border-gray-300 px-3 py-2 shadow-sm focus:border-blue-500 focus:ring-blue-500 focus:outline-none sm:text-sm"
190 />
191 <div className="flex justify-end space-x-3">
192 <Button
193 type="button"
194 variant="outline"
195 onClick={() => {
196 setAdding(false);
197 setNewName("");
198 }}
199 disabled={busy}
200 >
201 {t('Cancel')}
202 </Button>
203 <Button type="button" onClick={handleAdd} disabled={busy || !newName.trim()}>
204 {busy ? t('Waiting for passkey…') : t('Create passkey')}
205 </Button>
206 </div>
207 </div>
208 )}
209
210 {loading ? (
211 <div className="flex items-center gap-2 text-sm text-gray-500">
212 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/login/page.tsx"}1 "use client";
2
3 import React, { Suspense } from "react";
4 import { useState, useEffect } from "react";
5
6
7 import Link from "next/link";
8 import { useRouter, useSearchParams } from "next/navigation";
9
10 import { FaMicrosoft } from "react-icons/fa";
11 import { KeyRound } from "lucide-react";
12
13 import { useTranslation } from "@gangkharai/lmt/client";
14 import { useAuth } from "../components/AuthProvider";
15 import { EnhancedLocaleSwitcher } from "../components/EnhancedLocaleSwitcher";
16 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
17 import Loader from "../components/Loader";
18 import { useOrganization } from "../components/OrganizationProvider";
19 import SocialLoginButtons from "../components/SocialLoginButtons";
20 import Toast, { showErrorToast } from "../components/Toast";
21 import { Button } from "../components/ui/button";
22 import { Input } from "../components/ui/input";
23 import api from "../src/utils/api";
24 import { getSherpaApiUrl } from "../src/utils/env";
25 import {
26 extractPasskeyError,
27 isPasskeyCancellation,
28 isPasskeySupported,
29 loginWithPasskey,
30 } from "../src/utils/passkeys";
31 import { redirectAfterAuth } from "../src/utils/session";
32
33 function LoginContent() {
34 const t = useTranslation();
35 const [email, setEmail] = useState("");
36 const [password, setPassword] = useState("");
37 const [isLoading, setIsLoading] = useState(false);
38 const [isPasskeyLoading, setIsPasskeyLoading] = useState(false);
39 // Resolved client-side only: PublicKeyCredential is undefined during SSR, so
40 // we start false (matching the server render) and feature-detect on mount to
41 // avoid a hydration mismatch.
42 const [passkeySupported, setPasskeySupported] = useState(false);
43 const [error, setError] = useState("");
44 const [successMessage, setSuccessMessage] = useState<React.ReactNode>(null);
45 const router = useRouter();
46 const searchParams = useSearchParams();
47 const { login, user, loading: authLoading } = useAuth();
48 const { organization, isLoading: orgLoading, error: orgError } = useOrganization();
49
50 useEffect(() => {
51 document.title = t('Login - Sherpa Portal');
52
53 const errorParam = searchParams.get("error");
54 if (errorParam) {
55 setError(decodeURIComponent(errorParam));
56 }
57 if (searchParams.get("registered") === "true") {
58 setSuccessMessage(t('Registration successful! You can now log in with your new account.'));
59 }
60 }, [searchParams, t]);
61
62 useEffect(() => {
63 setPasskeySupported(isPasskeySupported());
64 }, []);
65
66 useEffect(() => {
67 // Already-authenticated visitor lands on /login: route them where they
68 // were headed via redirectAfterAuth (single reader of captured intent per
69 // §6.3), falling back to the role-appropriate landing page.
70 if (!authLoading && user) {
71 const defaultPath = user.userType === "customer" ? "/" : "/products";
72 redirectAfterAuth(router, defaultPath);
73 }
74 }, [authLoading, user, router]);
75
76 // Show Azure AD login based on feature flag
77 const showAzureLogin = organization?.settings?.features?.azureAdIntegration === true;
78 const showSocialLogin = organization?.settings?.features?.socialLogin === true;
79
80 // Show loading while auth is loading or organization is still loading (unless there's an org error)
81 if (authLoading || (orgLoading && !orgError)) {
82 return <Loader />;
83 }
84
85 // If user is already authenticated, show loader while redirecting
86 if (user) {
87 return <Loader />;
88 }
89
90 const handleSubmit = async (e: React.FormEvent<HTMLFormElement>) => {
91 e.preventDefault();
92 setIsLoading(true);
93 setError("");
94
95 try {
96 // Use portalType from API, fall back to customerPortal setting presence
97 const isCustomerLogin = organization?.portalType
98 ? organization.portalType === "customer"
99 : !!organization?.settings?.customerPortal;
100 const loginEndpoint = isCustomerLogin ? "/auth/customer/login" : "/auth/login";
101 const response = await api.post(loginEndpoint, { email, password });
102 const data = response.data;
103
104 if (response.status === 200) {
105 if (!isCustomerLogin && data.message === "2FA required") {
106 router.push(
107 `/two-factor-verify?tempToken=${encodeURIComponent(data.tempToken)}&method=${data.twoFactorMethod}`
108 );
109 } else if (!isCustomerLogin && data.message === "2FA setup required") {
110 localStorage.setItem("setupToken", data.setupToken);
111 localStorage.setItem("refreshToken", data.refreshToken);
112 router.push("/two-factor-setup");
113 } else {
114 await login(data.data.accessToken, data.data.refreshToken);
115 // Redirection will be handled by the login function / useEffect hook
116 }
117 } else {
118 setError(data.error || t('Login failed. Please try again.'));
119 }
120 } catch (error) {
121 console.error("Login error:", error);
122 const errorMsg =
123 error instanceof Error ? error.message : t('Login failed. Please check your credentials.');
124 setError(errorMsg);
125 showErrorToast(errorMsg);
126 } finally {
127 setIsLoading(false);
128 }
129 };
130
131 const handlePasskeyLogin = async () => {
132 setIsPasskeyLoading(true);
133 setError("");
134
135 try {
136 const { accessToken, refreshToken } = await loginWithPasskey();
137 // Same session handling as password login: AuthProvider.login() persists
138 // the tokens, hydrates the user, and redirects.
139 await login(accessToken, refreshToken);
140 } catch (error) {
141 // A dismissed/timed-out prompt is a soft cancel, not a failure to surface.
142 if (isPasskeyCancellation(error)) {
143 return;
144 }
145 console.error("Passkey login error:", error);
146 const errorMsg = extractPasskeyError(error, t('Passkey sign-in failed. Please try again.'));
147 setError(errorMsg);
148 showErrorToast(errorMsg);
149 } finally {
150 setIsPasskeyLoading(false);
151 }
152 };
153
154 const handleAzureLogin = () => {
155 // Redirect to Azure AD login. Pass current origin so API callback returns
156 // here instead of the API's configured default portal URL.
157 const redirect = window.location.origin;
158 window.location.href = `${getSherpaApiUrl()}/v1/auth/azure/login?redirect=${encodeURIComponent(redirect)}`;
159 };
160
161 return (
162 <div className="flex min-h-screen flex-col justify-center bg-white py-12 sm:px-6 lg:px-8">
163 <Toast />
164 <div className="absolute top-4 right-4">
165 <EnhancedLocaleSwitcher locales={LOCALE_LABELS} />
166 </div>
167 <div className="sm:mx-auto sm:w-full sm:max-w-md">
168 <div className="flex justify-center bg-white">
169 <img
170 src={organization?.settings?.branding?.logoUrl || "/assets/GangkharLogo.svg"}
171 alt={`${organization?.settings?.branding?.applicationName || organization?.displayName || organization?.name || "Portal"} Logo`}
172 width={240}
173 height={80}
174 className="object-contain"
175 />
176 </div>
177 <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
178 {t('Log in to {name}', { name: organization?.settings?.branding?.applicationName ||
179 organization?.displayName ||
180 organization?.name ||
181 t('your account') })}
182 </h2>
183 </div>
184
185 <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
186 <div className="bg-white px-4 py-8 shadow sm:rounded-md{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/profile/page.tsx"}1 "use client";
2
3 import React, { useState } from "react";
4
5 import { Shield } from "lucide-react";
6 import { useTranslation } from "@gangkharai/lmt/client";
7
8 import { useAuth } from "../components/AuthProvider";
9 import AppLayout from "@/app/components/AppLayout";
10 import AddressSection from "../components/profile/AddressSection";
11 import ContactInfoSection from "../components/profile/ContactInfoSection";
12 import LogoutSection from "../components/profile/LogoutSection";
13 import PasskeysSection from "../components/profile/PasskeysSection";
14 import PasswordChangeSection from "../components/profile/PasswordChangeSection";
15 import PersonalInfoSection from "../components/profile/PersonalInfoSection";
16 import TwoFactorChangeSection from "../components/profile/TwoFactorChangeSection";
17 import { ProtectedRoute } from "../components/ProtectedRoute";
18 import { ProfileRoute } from "../components/UserTypeRoute";
19 import { showSuccessToast, showErrorToast } from "../components/Toast";
20 import useAuthStore from "../src/store/authStore";
21 import api from "../src/utils/api";
22 import { UserData } from "../types/user";
23 import { usePermission, PERMISSIONS } from "@/app/src/rbac";
24
25 const RoleBadge: React.FC = () => {
26 const t = useTranslation();
27 const canManageAllOrgs = usePermission(PERMISSIONS.organizations.manage_all.value);
28 const canManageUsers = usePermission(PERMISSIONS.users.create.value);
29
30 if (canManageAllOrgs) {
31 return (
32 <div className="inline-flex items-center rounded-full bg-blue-100 px-3 py-1 text-sm font-medium text-blue-800">
33 <Shield className="mr-1 h-4 w-4" />
34 {t('Administrator')}
35 </div>
36 );
37 }
38
39 if (canManageUsers) {
40 return (
41 <div className="inline-flex items-center rounded-full bg-purple-100 px-3 py-1 text-sm font-medium text-purple-800">
42 <Shield className="mr-1 h-4 w-4" />
43 {t('Manager')}
44 </div>
45 );
46 }
47
48 return null;
49 };
50
51 const UserProfile: React.FC = () => {
52 const t = useTranslation();
53 const { user } = useAuth();
54 const setUser = useAuthStore((state) => state.setUser);
55 const [isLoading, setIsLoading] = useState(false);
56 const [error, setError] = useState<React.ReactNode>(null);
57
58 const handleUpdate = async (data: Partial<UserData>) => {
59 if (!user) return;
60
61 setIsLoading(true);
62 setError("");
63
64 try {
65 const response = await api.put(`/users/${user.id}`, data);
66 const updatedUser = response.data.data.user;
67 setUser(updatedUser);
68 showSuccessToast(t('Profile updated successfully'));
69 } catch (error) {
70 console.error("Error updating profile:", error);
71 const errorMsg = error instanceof Error ? error.message : t('An unexpected error occurred');
72 setError(errorMsg);
73 showErrorToast(errorMsg);
74 } finally {
75 setIsLoading(false);
76 }
77 };
78
79 return (
80 <ProtectedRoute>
81 <ProfileRoute>
82 <AppLayout>
83 <div className="mx-auto max-w-4xl py-6 sm:px-6 lg:px-8">
84 <div className="mb-6 flex items-center gap-3">
85 <h1 className="text-3xl font-bold text-gray-900">{t('User Profile')}</h1>
86 <RoleBadge />
87 </div>
88
89 {error && (
90 <div className="mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700">
91 {error}
92 </div>
93 )}
94
95 {user && (
96 <>
97 <PersonalInfoSection
98 userData={user}
99 onUpdate={handleUpdate}
100 isLoading={isLoading}
101 />
102 <ContactInfoSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
103 <AddressSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
104 <PasswordChangeSection
105 userId={user.id}
106 onSuccess={() => showSuccessToast(t('Password updated successfully'))}
107 onError={(errorMessage) => setError(errorMessage)}
108 />
109 <TwoFactorChangeSection
110 userId={user.id}
111 onSuccess={() =>
112 showSuccessToast(t('Two-factor authentication method updated successfully'))
113 }
114 onError={(errorMessage) => setError(errorMessage)}
115 />
116 <PasskeysSection onError={(errorMessage) => setError(errorMessage)} />
117 <LogoutSection />
118 </>
119 )}
120 </div>
121 </AppLayout>
122 </ProfileRoute>
123 </ProtectedRoute>
124 );
125 };
126
127 export default UserProfile;
128 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/api.ts","limit":150}1 import axios, { AxiosInstance, InternalAxiosRequestConfig, AxiosRequestConfig } from "axios";
2 import { jwtDecode } from "jwt-decode";
3
4 import { getSherpaApiUrl } from "./env";
5 import { endSession } from "./session";
6 import useAuthStore from "../store/authStore";
7 import useConnectionStore from "../store/connectionStore";
8
9 // Paths that never carry a user's Authorization header. The request
10 // interceptor skips both the attach and the pre-refresh check on these; the
11 // response interceptor skips the refresh-and-retry chain on 401 from these.
12 // A 401 from a credential-less request is not a verdict on the user's session
13 // — see rfc/ideas/organization-resolution-and-auth-policy.md §6.1.
14 //
15 // INVARIANT: every entry MUST start with `/v1/`. The request interceptor
16 // rewrites legacy `/auth/...` and bare paths into `/v1/...` BEFORE this list
17 // is consulted, so any non-`/v1/` entry here is unreachable and indicates a
18 // refactor drift. The module-load assertion below fails fast if violated.
19 const NO_AUTH_PATHS = [
20 "/v1/auth/login",
21 "/v1/auth/customer/login",
22 "/v1/auth/register",
23 "/v1/auth/forgot-password",
24 "/v1/auth/refresh-token",
25 "/v1/auth/customer/refresh-token",
26 // Passwordless passkey login is pre-auth: a 401 here (e.g. an unrecognized or
27 // revoked passkey) is a login failure, not a verdict on an existing session.
28 "/v1/auth/passkeys/login/options",
29 "/v1/auth/passkeys/login/verify",
30 "/v1/organization",
31 "/v1/health/self",
32 ];
33
34 // Fail fast on refactor breakage: surfaces a missing rewrite or a stale entry
35 // at startup rather than as a silent auth-attach regression at runtime.
36 for (const path of NO_AUTH_PATHS) {
37 if (!path.startsWith("/v1/")) {
38 throw new Error(
39 `NO_AUTH_PATHS invariant violated: "${path}" must start with "/v1/". ` +
40 `The request interceptor only sees rewritten /v1/* URLs.`,
41 );
42 }
43 }
44
45 function stripQuery(url: string | undefined): string {
46 return (url || "").split("?")[0];
47 }
48
49 function isNoAuthPath(url: string | undefined): boolean {
50 return NO_AUTH_PATHS.includes(stripQuery(url));
51 }
52
53 class ApiService {
54 private static instance: ApiService;
55 private api: AxiosInstance;
56 private isRefreshing: boolean = false;
57
58 private constructor() {
59 this.api = axios.create({
60 baseURL: getSherpaApiUrl(),
61 validateStatus: (status) => (status >= 200 && status < 300) || status === 304,
62 });
63
64 this.setupInterceptors();
65 }
66
67 private failedQueue: Array<{
68 resolve: (value?: unknown) => void;
69 reject: (reason?: unknown) => void;
70 }> = [];
71
72 private processQueue(error: Error | null = null): void {
73 this.failedQueue.forEach((promise) => {
74 if (error) {
75 promise.reject(error);
76 } else {
77 promise.resolve();
78 }
79 });
80 this.failedQueue = [];
81 }
82
83 public static getInstance(): ApiService {
84 if (!ApiService.instance) {
85 ApiService.instance = new ApiService();
86 }
87 return ApiService.instance;
88 }
89
90 public getAxiosInstance(): AxiosInstance {
91 return this.api;
92 }
93
94 public isTokenExpired(token: string): boolean {
95 try {
96 const decoded = jwtDecode(token);
97 const currentTime = Date.now() / 1000;
98 return decoded.exp ? decoded.exp < currentTime : false;
99 } catch {
100 return true;
101 }
102 }
103
104 public isCustomerToken(token: string): boolean {
105 try {
106 const decoded = jwtDecode<{ tokenType?: string }>(token);
107 return decoded.tokenType === "customer";
108 } catch {
109 return false;
110 }
111 }
112
113 public async refreshAuthToken(): Promise<string | null> {
114 try {
115 const refreshToken = useAuthStore.getState().refreshToken;
116 if (!refreshToken) {
117 // No refresh token to use — the session was already over.
118 endSession({ captureIntent: true });
119 return null;
120 }
121
122 const isCustomer = this.isCustomerToken(refreshToken);
123 const refreshUrl = isCustomer
124 ? `${getSherpaApiUrl()}/v1/auth/customer/refresh-token`
125 : `${getSherpaApiUrl()}/v1/auth/refresh-token`;
126
127 const localeValue = this.getLocaleCookie();
128 const response = await axios.post(
129 refreshUrl,
130 { refreshToken },
131 {
132 headers: localeValue
133 ? {
134 "Content-Type": "application/json",
135 "locale": localeValue,
136 }
137 : {
138 "Content-Type": "application/json",
139 },
140 validateStatus: (status) => (status >= 200 && status < 300) || status === 304,
141 }
142 );
143
144 if (response.data.status !== "success") {
145 throw new Error("Refresh token response status is not success");
146 }
147
148 const { accessToken, refreshToken: newRefreshToken } = response.data.data;
149 if (!accessToken || !newRefreshToken) {
150 throw new Error("Missing tokens in refresh response");{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx"}1 "use client";
2
3 import React, { Suspense } from "react";
4 import { useState, useEffect } from "react";
5
6
7 import Link from "next/link";
8 import { useRouter, useSearchParams } from "next/navigation";
9
10 import { useForm } from "react-hook-form";
11
12 import { useTranslation } from "@gangkharai/lmt/client";
13 import { useAuth } from "../components/AuthProvider";
14 import { EnhancedLocaleSwitcher } from "../components/EnhancedLocaleSwitcher";
15 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
16 import Loader from "../components/Loader";
17 import { useOrganization } from "../components/OrganizationProvider";
18 import PasswordValidation from "../components/PasswordValidation";
19 import SocialCreateAccountButtons from "../components/SocialCreateAccountButtons";
20 import Toast, { showErrorToast, showSuccessToast } from "../components/Toast";
21 import { Button } from "../components/ui/button";
22 import { Input } from "../components/ui/input";
23 import api from "../src/utils/api";
24 import useAuthStore from "../src/store/authStore";
25
26 interface CreateAccountFormData {
27 password: string;
28 confirmPassword: string;
29 }
30
31 function CreateAccountContent() {
32 const t = useTranslation();
33 const [isLoading, setIsLoading] = useState(false);
34 const [error, setError] = useState("");
35 const [token, setToken] = useState("");
36 const router = useRouter();
37 const searchParams = useSearchParams();
38 const { login, user, loading: authLoading } = useAuth();
39 const { organization, isLoading: orgLoading, error: orgError } = useOrganization();
40 const storeLogout = useAuthStore((state) => state.logout);
41
42 const {
43 register,
44 handleSubmit,
45 formState: { errors },
46 watch,
47 } = useForm<CreateAccountFormData>();
48
49 const password = watch("password");
50
51 useEffect(() => {
52 document.title = t("Create Account - Sherpa Portal");
53
54 const tokenParam = searchParams.get("token");
55 if (!tokenParam) {
56 setError(t("Invalid or missing token. Please check your email link."));
57 return;
58 }
59 setToken(tokenParam);
60
61 const errorParam = searchParams.get("error");
62 if (errorParam) {
63 setError(decodeURIComponent(errorParam));
64 }
65 }, [searchParams, t]);
66
67 useEffect(() => {
68 if (!authLoading && user) {
69 storeLogout();
70 }
71 }, [authLoading, user, storeLogout]);
72
73 const showSocialLogin = organization?.settings?.features?.socialLogin === true;
74
75 if (authLoading || (orgLoading && !orgError)) {
76 return <Loader />;
77 }
78
79 const handleCreateAccount = async (data: CreateAccountFormData) => {
80 if (!token) {
81 setError(t("Invalid token. Please check your email link."));
82 return;
83 }
84
85 setIsLoading(true);
86 setError("");
87
88 try {
89 const response = await api.post("/v1/auth/create-account", {
90 token: token,
91 password: data.password,
92 });
93
94 if (response.data.status === "success") {
95 showSuccessToast(t("Account created successfully! Please log in with your new account."));
96
97 // If the API returns user email, attempt auto-login
98 if (response.data.data?.email) {
99 try {
100 const loginResponse = await api.post("/v1/auth/login", {
101 email: response.data.data.email,
102 password: data.password,
103 });
104
105 if (loginResponse.data.status === "success" && loginResponse.data.data) {
106 await login(
107 loginResponse.data.data.accessToken,
108 loginResponse.data.data.refreshToken
109 );
110 router.push("/dashboard");
111 return;
112 }
113 } catch (loginError) {
114 console.error("Auto-login failed:", loginError);
115 }
116 }
117
118 // Fallback: redirect to login page
119 router.push("/login?registered=true");
120 } else {
121 setError(response.data.message || t("Failed to create account. Please try again."));
122 }
123 } catch (error: unknown) {
124 console.error("Create account error:", error);
125 let errorMsg = t("Failed to create account. Please try again.");
126
127 if (error && typeof error === "object" && "response" in error) {
128 const axiosError = error as { response?: { data?: { error?: { message?: string } } } };
129 const apiErrorMessage = axiosError.response?.data?.error?.message;
130
131 if (apiErrorMessage === "Invalid or expired token") {
132 errorMsg = t("This invitation link has expired or is invalid. Please request a new invitation link from your administrator.");
133 } else if (apiErrorMessage) {
134 errorMsg = apiErrorMessage;
135 }
136 }
137
138 setError(errorMsg);
139 showErrorToast(errorMsg);
140 } finally {
141 setIsLoading(false);
142 }
143 };
144
145 return (
146 <div className="flex min-h-screen flex-col justify-center bg-white py-12 sm:px-6 lg:px-8">
147 <Toast />
148 <div className="absolute top-4 right-4">
149 <EnhancedLocaleSwitcher locales={LOCALE_LABELS} />
150 </div>
151 <div className="sm:mx-auto sm:w-full sm:max-w-md">
152 <div className="flex justify-center bg-white">
153 <img
154 src={organization?.settings?.branding?.logoUrl || "/assets/GangkharLogo.svg"}
155 alt={`${organization?.settings?.branding?.applicationName || organization?.displayName || organization?.name || "Portal"} Logo`}
156 width={240}
157 height={80}
158 className="object-contain"
159 />
160 </div>
161 <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
162 {t("Create Your Account")}
163 </h2>
164 <p className="mt-2 text-center text-sm text-gray-600">
165 {t("Set up your customer portal account to manage your policies")}
166 </p>
167 </div>
168
169 <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
170 <div className="bg-white px-4 py-8 shadow sm:rounded-md sm:px-10">
171 {error && (
172 <div className="mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700">
173 {error}
174 </div>
175 )}
176
177 <form className="space-y-6" onSubmit={handleSubmit(handleCreateAccount)}>
178 <div>
179 <label htmlFor="password" className="block text-sm font-medium text-gray-700">
180 {t("Password")}
181 </label>
182 <div className="mt-1">
183 <Input
184 id="password"
185 type="password"
186 {...register("password", {
187 required: t("Password is required"),
188 validate: {
189 length: (v) => v.length >= 8 || t("Password must be at least 8 characters"),
190 uppercase: (v) => /[A-Z]/.test(v) || t("Must contain uppercase letter"),
191 lowercase: (v) => /[a-z]/.test(v) || t("Must contain lowercase letter"),
192 number: (v) => /\d/.test(v) || t("Must contain number"),
193 special: (v) => /[@$!%*?&]/.test(v) || t("Must contain special character"),
194 },
195 })}
196 isInvalid={!!errors.password}
197 errorMessage={errors.password?.message}
198 />
199 <PasswordValidation password={password || ""} />
200 </div>
201 </div>
202
203 <div>
204 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/page.tsx"}1 "use client";
2
3 import TemplateDispatcher from "../lib/TemplateDispatcher";
4 import DefaultProfile from "./DefaultProfile";
5
6 export default function ProfilePage() {
7 return <TemplateDispatcher page="profile" DefaultComponent={DefaultProfile} />;
8 }
9 {"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal -type f -name \"*.tsx\" | head -20"}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/invoices/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/invoices/DefaultInvoices.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/PortalLayout.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/DefaultPolicies.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/cancel/DefaultCancelPolicy.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/cancel/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/invoices/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/invoices/DefaultPolicyInvoices.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/suspend/DefaultSuspendPolicy.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/suspend/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/DefaultPolicyDetails.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/edit/DefaultPolicyEdit.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/edit/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/claim/success/DefaultClaimSuccess.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/claim/success/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/claim/DefaultClaimPage.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/claim/ClaimForm.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/claim/page.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/policies/[policyId]/reinstate/DefaultReinstatePolicy.tsx
{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal -type f \\( -name \"DefaultProfile.tsx\" -o -name \"profile\" \\)"}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/DefaultProfile.tsx
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/DefaultProfile.tsx"}1 "use client";
2
3 import React, { useState } from "react";
4
5 import { Shield } from "lucide-react";
6
7 import { useTranslation } from "@gangkharai/lmt/client";
8 import { useAuth } from "@/app/components/AuthProvider";
9 import AddressSection from "@/app/components/profile/AddressSection";
10 import ContactInfoSection from "@/app/components/profile/ContactInfoSection";
11 import LogoutSection from "@/app/components/profile/LogoutSection";
12 import PasswordChangeSection from "@/app/components/profile/PasswordChangeSection";
13 import PersonalInfoSection from "@/app/components/profile/PersonalInfoSection";
14 import TwoFactorChangeSection from "@/app/components/profile/TwoFactorChangeSection";
15 import { showSuccessToast } from "@/app/components/Toast";
16 import useAuthStore from "@/app/src/store/authStore";
17 import api from "@/app/src/utils/api";
18 import { UserData } from "@/app/types/user";
19 import { usePermission, PERMISSIONS } from "@/app/src/rbac";
20 import PortalLayout from "@/app/customer-portal/PortalLayout";
21
22 const RoleBadge: React.FC = () => {
23 const t = useTranslation();
24 const canManageAllOrgs = usePermission(PERMISSIONS.organizations.manage_all.value);
25 const canManageUsers = usePermission(PERMISSIONS.users.create.value);
26
27 if (canManageAllOrgs) {
28 return (
29 <div className="inline-flex items-center rounded-full bg-portal-primary-light px-3 py-1 text-sm font-medium text-portal-primary">
30 <Shield className="mr-1 h-4 w-4" />
31 {t('Administrator')}
32 </div>
33 );
34 }
35
36 if (canManageUsers) {
37 return (
38 <div className="inline-flex items-center rounded-full bg-purple-100 px-3 py-1 text-sm font-medium text-purple-800">
39 <Shield className="mr-1 h-4 w-4" />
40 {t('Manager')}
41 </div>
42 );
43 }
44
45 return null;
46 };
47
48 export default function DefaultProfile() {
49 const t = useTranslation();
50 const { user } = useAuth();
51 const setUser = useAuthStore((state) => state.setUser);
52 const [isLoading, setIsLoading] = useState(false);
53 const [error, setError] = useState<React.ReactNode>(null);
54
55 const handleUpdate = async (data: Partial<UserData>) => {
56 if (!user) return;
57
58 setIsLoading(true);
59 setError(null);
60
61 try {
62 const response = await api.put(`/customers/${user.id}`, data);
63
64 if (response.data.status === "success") {
65 const updatedUser = { ...user, ...data };
66 setUser(updatedUser);
67 showSuccessToast(t('Profile updated successfully'));
68 } else {
69 setError(t('Failed to update profile'));
70 }
71 } catch (error) {
72 console.error("Error updating profile:", error);
73 setError(t('Failed to update profile'));
74 } finally {
75 setIsLoading(false);
76 }
77 };
78
79 return (
80 <PortalLayout>
81 <div className="mx-auto max-w-4xl py-6 sm:px-6 lg:px-8">
82 <div className="mb-6">
83 <div className="flex items-center gap-3">
84 <h1 className="text-3xl font-bold text-gray-900">{t('Customer Profile')}</h1>
85 <RoleBadge />
86 </div>
87 <div className="bg-portal-primary mt-3 h-1 w-12 rounded-full opacity-80"></div>
88 </div>
89
90 {error && (
91 <div className="mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700">
92 {error}
93 </div>
94 )}
95
96 {user && (
97 <>
98 <PersonalInfoSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
99 <ContactInfoSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
100 <AddressSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
101 <PasswordChangeSection
102 userId={user.id}
103 onSuccess={() => showSuccessToast(t('Password updated successfully'))}
104 onError={(errorMessage) => setError(errorMessage)}
105 />
106 <TwoFactorChangeSection
107 userId={user.id}
108 onSuccess={() =>
109 showSuccessToast(t('Two-factor authentication method updated successfully'))
110 }
111 onError={(errorMessage) => setError(errorMessage)}
112 />
113 <LogoutSection />
114 </>
115 )}
116 </div>
117 </PortalLayout>
118 );
119 }
120 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/PortalLayout.tsx"}1 "use client";
2
3 import React, { useEffect, useState } from "react";
4
5 import Image from "next/image";
6 import Link from "next/link";
7 import { usePathname, useRouter } from "next/navigation";
8 import {
9 Menu,
10 X,
11 User,
12 LogOut,
13 LucideIcon,
14 ShoppingBag,
15 LayoutDashboard,
16 UserCircle,
17 FileText,
18 Receipt,
19 Bell,
20 ChevronLeft,
21 ChevronRight,
22 ChevronDown,
23 } from "lucide-react";
24
25 import { useTranslation } from "@gangkharai/lmt/client";
26 import { EnhancedLocaleSwitcher } from "../components/EnhancedLocaleSwitcher";
27 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
28 import Loader from "../components/Loader";
29 import Toast, { showErrorToast } from "../components/Toast";
30 import { useAuth } from "../components/AuthProvider";
31 import { useOrganization } from "../components/OrganizationProvider";
32 import api, { streamFetch } from "@/app/src/utils/api";
33 import { getSherpaApiUrl } from "@/app/src/utils/env";
34 import useNotificationStore from "@/app/src/store/notificationStore";
35
36 interface PortalLayoutProps {
37 children: React.ReactNode;
38 chatMode?: boolean;
39 }
40
41 interface MenuItem {
42 name: React.ReactNode;
43 href: string;
44 icon?: LucideIcon;
45 key: string;
46 }
47
48 const PortalLayout: React.FC<PortalLayoutProps> = ({ children, chatMode = false }) => {
49 const t = useTranslation();
50 const { user, loading: authLoading, logout } = useAuth();
51 const { organization } = useOrganization();
52 const router = useRouter();
53 const pathname = usePathname();
54 const [isSidebarCollapsed, setIsSidebarCollapsed] = useState(false);
55 const [isMobileMenuOpen, setIsMobileMenuOpen] = useState(false);
56 const [isProfileDropdownOpen, setIsProfileDropdownOpen] = useState(false);
57 const { unreadCount, setUnreadCount, prependNotification } = useNotificationStore();
58
59 useEffect(() => {
60 try {
61 const pending = sessionStorage.getItem("pendingErrorToast");
62 if (pending) {
63 showErrorToast(pending);
64 sessionStorage.removeItem("pendingErrorToast");
65 }
66 } catch {}
67 }, []);
68
69 useEffect(() => {
70 const sidebarWidth = isSidebarCollapsed ? 80 : 256;
71 document.documentElement.style.setProperty("--sidebar-width", `${sidebarWidth}px`);
72 }, [isSidebarCollapsed]);
73
74 // Load unread count on mount
75 useEffect(() => {
76 if (!user) return;
77 api.get("/claim-records/notifications/unread-count")
78 .then((res) => {
79 if (res.data.status === "success") setUnreadCount(res.data.data.count);
80 })
81 .catch(() => {});
82 }, [user]);
83
84 // SSE for real-time notifications (using streamFetch with proper auth headers)
85 useEffect(() => {
86 if (!user) return;
87
88 let mounted = true;
89 const abortController = new AbortController();
90 let reconnectTimeout: NodeJS.Timeout | null = null;
91 const RECONNECT_DELAYS = [1000, 2000, 4000, 8000];
92 let retryCount = 0;
93
94 async function connectSSE() {
95 if (!mounted) return;
96
97 try {
98 const url = `${getSherpaApiUrl()}/v1/plus/claim-records/notifications/sse`;
99 const res = await streamFetch(url, { signal: abortController.signal });
100
101 if (!mounted || !res.ok || !res.body) {
102 if (mounted) scheduleReconnect();
103 return;
104 }
105
106 retryCount = 0;
107 const reader = res.body.getReader();
108 const decoder = new TextDecoder();
109 let buffer = "";
110
111 while (mounted) {
112 const { done, value } = await reader.read();
113 if (done) break;
114
115 buffer += decoder.decode(value, { stream: true });
116 const parts = buffer.split("\n\n");
117 buffer = parts.pop() || "";
118
119 for (const part of parts) {
120 if (!part.startsWith("data: ")) continue;
121 try {
122 const data = JSON.parse(part.slice(6));
123 if (data.type === "notification" && data.data) {
124 prependNotification(data.data);
125 }
126 } catch {
127 // ignore malformed messages
128 }
129 }
130 }
131
132 if (mounted) scheduleReconnect();
133 } catch (err) {
134 if ((err as Error).name === "AbortError") return;
135 if (mounted) scheduleReconnect();
136 }
137 }
138
139 function scheduleReconnect() {
140 if (!mounted) return;
141 const delay = RECONNECT_DELAYS[Math.min(retryCount, RECONNECT_DELAYS.length - 1)];
142 retryCount++;
143 reconnectTimeout = setTimeout(() => { if (mounted) connectSSE(); }, delay);
144 }
145
146 connectSSE();
147
148 return () => {
149 mounted = false;
150 abortController.abort();
151 if (reconnectTimeout) clearTimeout(reconnectTimeout);
152 };
153 }, [user]);
154
155 const handleLogout = () => {
156 logout();
157 router.push("/login");
158 };
159
160 const menuItems: MenuItem[] = [
161 { name: t('Dashboard'), href: "/dashboard", icon: LayoutDashboard, key: "dashboard" },
162 { name: t('Policies'), href: "/customer-portal/policies", icon: ShoppingBag, key: "policies" },
163 { name: t('Claims'), href: "/customer-portal/claims", icon: FileText, key: "claims" },
164 { name: t('Invoices'), href: "/customer-portal/invoices", icon: Receipt, key: "invoices" },
165 { name: t('Notifications'), href: "/customer-portal/notifications", icon: Bell, key: "notifications" },
166 { name: t('Profile'), href: "/profile", icon: UserCircle, key: "profile" },
167 ];
168
169 const toggleSidebar = () => {
170 setIsSidebarCollapsed(!isSidebarCollapsed);
171 };
172
173 const toggleMobileMenu = () => {
174 setIsMobileMenuOpen(!isMobileMenuOpen);
175 };
176
177 const toggleProfileDropdown = () => {
178 setIsProfileDropdownOpen(!isProfileDropdownOpen);
179 };
180
181 const isActive = (href: string) => {
182 return pathname === href || pathname.startsWith(`${href}/`);
183 };
184
185 useEffect(() => {
186 // Embedded sessions are authenticated by a portal token in the URL hash;
187 // /login is not reachable from inside the iframe. The Loader fallback
188 // below covers the transient pre-token-bootstrap window without forcing
189 // a top-level navigation that would break the parent site.
190 if (pathname?.startsWith("/embed-customer-portal")) return;
191 if (!authLoading && !user) {
192 router.push("/login");
193 }
194 }, [authLoading, user, router, pathname]);
195
196 if (!user) {
197 return <Loader />;
198 }
199
200 // Embed mode: when a Default* page is rendered under /embed-customer-portal/*
201 // (iframe inside a partner's site), the partner already supplies its own
202 // chrome — we MUST NOT render the sidebar/header/profile menu. We still
203 // render the Toast portal and providers via the parent layout so transient
204 // UI from the Default* component (errors, redirects) still works.
205 if (pathname?.startsWith("/embed-customer-portal")) {
206 // Chromeless: partner site supplies its own frame. The notifications
207 // bell is rendered inline by DefaultDashboard next to its heading, so
208 // it aligns with the title and only appears on the dashboard.
209 return (
210 <div className={`customer-portal-root min-h-screen ${chatMode ? "bg-white" : "bg-portal-bg"}`} style={{ fontFamily: "var(--portal-font, inherit)" }}>
211 <Toast />
212 <main className="px-4 py-6 sm:px-6 lg:px-8">{children}</main>
213 </div>
214 );
215 }
216
217 const regularMenuItems = menuItems.filter((item) => item.key !== "profile");
218 const profileItem = menuItems.fin{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app -type f -name \"AuthProvider.tsx\" -o -name \"authStore.ts\""}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/AuthProvider.tsx /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/store/authStore.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/AuthProvider.tsx","limit":200}1 "use client";
2
3 import React, { createContext, useContext, useState, useEffect, useCallback } from "react";
4
5 import { usePathname, useRouter } from "next/navigation";
6
7 import { jwtDecode } from "jwt-decode";
8 import { useTranslation } from "@gangkharai/lmt/client";
9
10 import Loader from "./Loader";
11 import useAuthStore from "../src/store/authStore";
12 import useConnectionStore from "../src/store/connectionStore";
13 import api from "../src/utils/api";
14 import { endSession, redirectAfterAuth } from "../src/utils/session";
15 import { AuthContextType } from "../types/user";
16
17 // AuthProvider component - strings already in dictionary
18 const AuthContext = createContext<AuthContextType | null>(null);
19
20 // Check if we're in a browser environment
21 const isBrowser = typeof window !== "undefined";
22
23 interface DecodedToken {
24 id: string;
25 email: string;
26 role: string;
27 userType?: string;
28 tokenType?: string;
29 }
30
31 function isCustomerToken(token: string): boolean {
32 try {
33 const decoded = jwtDecode<DecodedToken>(token);
34 return decoded.tokenType === "customer";
35 } catch {
36 return false;
37 }
38 }
39
40 // Customer-scoped tokens authenticate as a Customer (server resolves the
41 // record from token claims, then exposes it via bearerAuth.customerId). Both
42 // /v1/auth/customer/login sessions (tokenType=customer) and sherpa-portal
43 // embed sessions minted by /v1/customer-portal/sessions (tokenType=portal)
44 // satisfy `/v1/customers/me` etc. — kept separate from isCustomerToken so
45 // the refresh-endpoint routing (which differs per token type) stays correct.
46 function isCustomerScopedToken(token: string): boolean {
47 try {
48 const decoded = jwtDecode<DecodedToken>(token);
49 return decoded.tokenType === "customer" || decoded.tokenType === "portal";
50 } catch {
51 return false;
52 }
53 }
54
55 export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children }) => {
56 const t = useTranslation();
57 const [loading, setLoading] = useState(true);
58 const [logoutLoading, setLogoutLoading] = useState(false);
59 const router = useRouter();
60 const pathname = usePathname();
61 const { user, accessToken, hydrated, setUser, setTokens } = useAuthStore();
62
63 const fetchUserDetails = useCallback(
64 async (userId: string | null) => {
65 if (!user) {
66 try {
67 const currentToken = useAuthStore.getState().accessToken;
68 if (currentToken && isCustomerScopedToken(currentToken)) {
69 const response = await api.get("/customers/me", { sherpaAdmin: false });
70 const customerData = response.data.data?.customer || response.data.data;
71 setUser({ ...customerData, userType: "customer" });
72 } else if (userId) {
73 const response = await api.get(`/users/${userId}`);
74 setUser(response.data.data.user);
75 }
76 } catch (error) {
77 console.error("Error fetching user details:", error);
78 throw error;
79 }
80 }
81 },
82 [user, setUser]
83 );
84
85 // Listen for storage changes to sync auth state across tabs
86 useEffect(() => {
87 if (!isBrowser) return;
88
89 const handleStorageChange = (e: StorageEvent) => {
90 // Listen for changes to the auth-storage key
91 if (e.key === "auth-storage") {
92 // If the storage was cleared (logout in another tab)
93 if (e.newValue === null || e.newValue === "") {
94 // If we currently have a user, log them out immediately
95 if (user) {
96 setLoading(false); // Clear loading state for smoother transition
97 setLogoutLoading(false); // Reset logout loading state
98 // Cross-tab logout: the other tab made the choice to leave; we
99 // mirror that here without capturing intent.
100 endSession({ captureIntent: false });
101 }
102 } else {
103 // If new auth data was set (login in another tab)
104 try {
105 const newAuthData = JSON.parse(e.newValue);
106 // If we don't have a user but new auth data exists, reload to sync
107 if (newAuthData?.state?.accessToken && !user) {
108 window.location.reload();
109 }
110 } catch (error) {
111 console.error("Error parsing storage event data:", error);
112 }
113 }
114 }
115 };
116
117 window.addEventListener("storage", handleStorageChange);
118 return () => window.removeEventListener("storage", handleStorageChange);
119 }, [user, router]);
120
121 useEffect(() => {
122 const initializeAuth = async () => {
123 // Wait for the store to be hydrated before proceeding
124 if (!hydrated) {
125 return;
126 }
127
128 try {
129 if (accessToken && !user) {
130 const decodedToken = jwtDecode<DecodedToken>(accessToken);
131 // Customer-scoped tokens (customer + portal) authenticate via
132 // /v1/customers/me, which derives identity from the token itself
133 // and ignores the userId arg. User/admin tokens still need their
134 // decoded `id` claim to hit /v1/users/:id.
135 const userId =
136 decodedToken && typeof decodedToken.id === "string" ? decodedToken.id : null;
137 if (userId || isCustomerScopedToken(accessToken)) {
138 await fetchUserDetails(userId);
139 }
140 }
141 } catch (error) {
142 const isEmbedPortal = (pathname || "").startsWith("/embed-customer-portal/");
143 console.error("Error initializing auth:", error);
144 // Auth init failure means the token was rejected. For standalone
145 // sessions endSession redirects to /login; for embedded sessions
146 // the iframe can't navigate to /login meaningfully, so we surface
147 // a loaded-but-unauthenticated state and let the parent reload.
148 if (!isEmbedPortal) {
149 endSession({ captureIntent: true });
150 }
151 } finally {
152 setLoading(false);
153 }
154 };
155
156 // Add a fallback timeout to prevent infinite loading
157 const fallbackTimer = setTimeout(() => {
158 if (!hydrated) {
159 console.warn("Store hydration timeout, proceeding anyway");
160 setLoading(false);
161 }
162 }, 1000);
163
164 initializeAuth();
165
166 return () => clearTimeout(fallbackTimer);
167 }, [accessToken, user, hydrated, fetchUserDetails, pathname]);
168
169 const login = async (accessToken: string, refreshToken: string, userData?: Partial<import("../types/user").UserData>) => {
170 setTokens(accessToken, refreshToken);
171
172 if (userData) {
173 // Use provided user data directly (e.g., from customer login response)
174 setUser(userData as import("../types/user").UserData);
175 } else {
176 const decodedToken = jwtDecode<DecodedToken>(accessToken);
177 await fetchUserDetails(typeof decodedToken.id === "string" ? decodedToken.id : null);
178 }
179
180 // redirectAfterAuth is the single reader of captured intent (§6.3): it
181 // consumes the value and routes the user, falling back to the
182 // role-appropriate landing page when no intent was captured.
183 const isCustomer = isCustomerToken(accessToken);
184 redirectAfterAuth(router, isCustomer ? "/" : "/products");
185 };
186
187 const refreshToken = async (): Promise<string | null> => {
188 if (!isBrowser) return null;
189
190 // currently embed-customer-portal section is authenticated with clientId/clientSecret, so we run a different client refresh/token url and not the userAuth refreshToken.
191 // in the future we might need to h{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/store/authStore.ts"}1 // src/store/authStore.ts
2
3 import { create } from "zustand";
4 import { persist } from "zustand/middleware";
5
6 import { UserData } from "../../types/user";
7 import { UserOrganization, OrganizationScope } from "../../types/organization";
8
9 interface AuthState {
10 accessToken: string | null;
11 refreshToken: string | null;
12 user: UserData | null;
13 currentOrganization: UserOrganization | null;
14 availableOrganizations: UserOrganization[];
15 organizationScope: OrganizationScope | null;
16 drillDownOrgId: string | null;
17 hydrated: boolean;
18 setTokens: (accessToken: string, refreshToken: string) => void;
19 setUser: (user: UserData) => void;
20 setCurrentOrganization: (organization: UserOrganization) => void;
21 setAvailableOrganizations: (organizations: UserOrganization[]) => void;
22 setOrganizationScope: (scope: OrganizationScope | null) => void;
23 setDrillDownOrgId: (orgId: string | null) => void;
24 logout: () => void;
25 setHydrated: (hydrated: boolean) => void;
26 }
27
28 // Check if we're in a browser environment
29 const isBrowser = typeof window !== "undefined";
30
31 const useAuthStore = create<AuthState>()(
32 persist(
33 (set) => ({
34 accessToken: null,
35 refreshToken: null,
36 user: null,
37 currentOrganization: null,
38 availableOrganizations: [],
39 organizationScope: null,
40 drillDownOrgId: null,
41 hydrated: false,
42 setTokens: (accessToken, refreshToken) => set({ accessToken, refreshToken }),
43 setUser: (user) => set({ user }),
44 setCurrentOrganization: (organization) => set({ currentOrganization: organization }),
45 setAvailableOrganizations: (organizations) => set({ availableOrganizations: organizations }),
46 setOrganizationScope: (scope) => set({ organizationScope: scope }),
47 setDrillDownOrgId: (orgId) => set({ drillDownOrgId: orgId }),
48 setHydrated: (hydrated) => set({ hydrated }),
49 logout: () => {
50 if (isBrowser) {
51 // Clear any authentication-related data from localStorage
52 localStorage.removeItem("accessToken");
53 localStorage.removeItem("refreshToken");
54 localStorage.removeItem("setupToken");
55 // Clear the main auth storage
56 localStorage.removeItem("auth-storage");
57 }
58 set({
59 accessToken: null,
60 refreshToken: null,
61 user: null,
62 currentOrganization: null,
63 availableOrganizations: [],
64 organizationScope: null,
65 drillDownOrgId: null,
66 });
67 },
68 }),
69 {
70 name: "auth-storage",
71 storage: {
72 getItem: (name) => {
73 if (!isBrowser) return null;
74 const str = localStorage.getItem(name);
75 return str ? JSON.parse(str) : null;
76 },
77 setItem: (name, value) => {
78 if (isBrowser) {
79 localStorage.setItem(name, JSON.stringify(value));
80 }
81 },
82 removeItem: (name) => {
83 if (isBrowser) {
84 localStorage.removeItem(name);
85 }
86 },
87 },
88 // The "onRehydrateStorage" callback ran during store creation can cause
89 // a temporal-dead-zone error (store referenced before initialization).
90 // We instead mark the store as hydrated after creation via the fallback
91 // timer below, or explicitly in client-side effects.
92 onRehydrateStorage: () => undefined,
93 }
94 )
95 );
96
97 // Ensure hydration happens on the client side
98 if (isBrowser) {
99 // Set a fallback timer in case onRehydrateStorage doesn't fire
100 setTimeout(() => {
101 if (!useAuthStore.getState().hydrated) {
102 useAuthStore.getState().setHydrated(true);
103 }
104 }, 100);
105 }
106
107 export default useAuthStore;
108 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/api.ts","offset":150,"limit":100}150 throw new Error("Missing tokens in refresh response");
151 }
152
153 useAuthStore.getState().setTokens(accessToken, newRefreshToken);
154 return accessToken;
155 } catch (err) {
156 // Distinguish "the refresh endpoint rejected the token" (4xx → real
157 // session-end signal per §6.1) from "the refresh request itself failed
158 // because the network/server is having a moment" (transient → keep the
159 // session, let the health poller recover). Only the former ends session.
160 const e = err as { response?: { status?: number }; code?: string };
161 const status = e?.response?.status;
162 const isCredentialRejection = status === 401 || status === 403;
163 if (isCredentialRejection) {
164 endSession({ captureIntent: true });
165 } else if (
166 !e?.response &&
167 (e?.code === "ERR_NETWORK" || e?.code === "ERR_CONNECTION_REFUSED")
168 ) {
169 useConnectionStore.getState().markFailure();
170 }
171 return null;
172 }
173 }
174
175 private getLocaleCookie(): string | null {
176 if (typeof document === "undefined") return null;
177
178 const cookies = document.cookie.split(";");
179 const localeCookie = cookies.find((cookie) => cookie.trim().startsWith("locale="));
180 if (localeCookie) {
181 return localeCookie.split("=")[1].trim();
182 }
183 return null;
184 }
185
186 private setupInterceptors(): void {
187 this.api.interceptors.request.use(
188 async (config: InternalAxiosRequestConfig & { sherpaAdmin?: boolean }) => {
189 const rawUrl = config.url || "/";
190 const ensured = rawUrl.startsWith("/") ? rawUrl : `/${rawUrl}`;
191 if (!ensured.startsWith("/v1/")) {
192 const isAdmin = config.sherpaAdmin !== false;
193 if (ensured.startsWith("/auth")) {
194 config.url = `/v1${ensured}`;
195 } else {
196 config.url = isAdmin ? `/v1/plus${ensured}` : `/v1${ensured}`;
197 }
198 } else {
199 config.url = ensured;
200 }
201 try {
202 void useAuthStore.getState().accessToken;
203 } catch {}
204 const localeValue = this.getLocaleCookie();
205 if (localeValue) {
206 config.headers["locale"] = localeValue;
207 }
208
209 // Credential-less routes: don't attach Authorization and don't trigger
210 // a pre-refresh on expired tokens. A response from these routes is
211 // never a verdict on the user's session.
212 if (isNoAuthPath(config.url)) {
213 return config;
214 }
215
216 let accessToken = useAuthStore.getState().accessToken;
217
218 // If a refresh is already in progress, wait for it to complete
219 if (this.isRefreshing) {
220 return new Promise((resolve, reject) => {
221 this.failedQueue.push({ resolve, reject });
222 }).then(() => {
223 config.headers.Authorization = `Bearer ${useAuthStore.getState().accessToken}`;
224 return config;
225 });
226 }
227
228 // Check if token is expired before making the request
229 if (accessToken && this.isTokenExpired(accessToken)) {
230 const refreshToken = useAuthStore.getState().refreshToken;
231 if (!refreshToken) {
232 endSession({ captureIntent: true });
233 throw new Error("No refresh token available");
234 }
235
236 this.isRefreshing = true;
237 try {
238 accessToken = await this.refreshAuthToken();
239 this.processQueue();
240 this.isRefreshing = false;
241 } catch (error) {
242 this.processQueue(error as Error);
243 this.isRefreshing = false;
244 throw error;
245 }
246 }
247
248 if (accessToken) {
249 config.headers.Authorization = `Bearer ${accessToken}`;{"command":"grep -r \"customer.*login\\|customer.*sign\" /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app --include=\"*.ts\" --include=\"*.tsx\" | head -20"}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/AuthProvider.tsx:// /v1/auth/customer/login sessions (tokenType=customer) and sherpa-portal /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/AuthProvider.tsx: // Use provided user data directly (e.g., from customer login response) /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/login/page.tsx: const loginEndpoint = isCustomerLogin ? "/auth/customer/login" : "/auth/login"; /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/api.ts: "/v1/auth/customer/login",
{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app -type d -name \"embed-customer-portal\" | head -1 | xargs find -name \"page.tsx\" | head -5"}find: illegal option -- n
usage: find [-H | -L | -P] [-EXdsx] [-f path] path ... [expression]
find [-H | -L | -P] [-EXdsx] -f path [path ...] [expression]{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/profile/page.tsx"}1 "use client";
2
3 import TemplateDispatcher from "@/app/customer-portal/lib/TemplateDispatcher";
4 import DefaultProfile from "@/app/customer-portal/profile/DefaultProfile";
5
6 export default function ProfilePage() {
7 return <TemplateDispatcher page="profile" DefaultComponent={DefaultProfile} />;
8 }
9 {"command":"ls -la /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/register/"}total 16 drwxr-xr-x@ 5 bakker staff 160 May 31 14:19 . drwxr-xr-x@ 53 bakker staff 1696 May 31 14:19 .. drwxr-xr-x@ 3 bakker staff 96 May 31 14:19 account -rw-r--r--@ 1 bakker staff 5954 May 31 14:19 page.tsx drwxr-xr-x@ 3 bakker staff 96 May 31 14:19 personal
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/register/page.tsx"}1 "use client";
2
3 import React, { useState, useEffect } from "react";
4
5 import { useRouter, useSearchParams } from "next/navigation";
6
7 import { useForm } from "react-hook-form";
8
9 import { useTranslation } from "@gangkharai/lmt/client";
10 import PasswordValidation from "../components/PasswordValidation";
11 import SocialRegistrationButtons from "../components/SocialRegistrationButtons";
12 import { Divider } from "../components/ui/divider";
13 import { Input } from "../components/ui/input";
14 import { AccountFormData } from "../types/registration";
15
16 type FormData = AccountFormData;
17
18 export default function Register() {
19 const t = useTranslation();
20 const searchParams = useSearchParams();
21
22 useEffect(() => {
23 const error = searchParams.get("error");
24 if (error) {
25 setError(decodeURIComponent(error));
26 }
27 }, [searchParams]);
28 const {
29 register,
30 handleSubmit,
31 formState: { errors },
32 trigger,
33 watch,
34 } = useForm<FormData>({
35 defaultValues: async () => {
36 const savedData = sessionStorage.getItem("basicData");
37 return savedData ? JSON.parse(savedData) : {};
38 },
39 });
40 const [isLoading, setIsLoading] = useState(false);
41 const [error, setError] = useState<React.ReactNode>(null);
42 const router = useRouter();
43
44 const onSubmit = async (data: FormData) => {
45 setIsLoading(true);
46 setError(null);
47
48 try {
49 // Store basic data in sessionStorage and proceed to account info
50 sessionStorage.setItem("basicData", JSON.stringify(data));
51 router.push("/register/account");
52 } catch {
53 setError(t('An unexpected error occurred'));
54 } finally {
55 setIsLoading(false);
56 }
57 };
58
59 return (
60 <div className="flex min-h-screen flex-col justify-center bg-white py-12 sm:px-6 lg:px-8">
61 <div className="sm:mx-auto sm:w-full sm:max-w-2xl">
62 <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
63 {t('Register an account')}
64 </h2>
65
66 {/* Progress indicator */}
67 <div className="mt-8 flex justify-center">
68 <div className="flex items-center">
69 <div className="flex h-10 w-10 items-center justify-center rounded-full bg-blue-600">
70 <span className="font-medium text-white">1</span>
71 </div>
72 <div className="h-1 w-24 bg-blue-200"></div>
73 <div className="flex h-10 w-10 items-center justify-center rounded-full bg-blue-200">
74 <span className="font-medium text-white">2</span>
75 </div>
76 <div className="h-1 w-24 bg-blue-200"></div>
77 <div className="flex h-10 w-10 items-center justify-center rounded-full bg-blue-200">
78 <span className="font-medium text-white">3</span>
79 </div>
80 </div>
81 </div>
82 </div>
83
84 <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
85 <div className="bg-white px-4 py-8 shadow sm:rounded-md sm:px-8">
86 <form className="space-y-6" onSubmit={handleSubmit(onSubmit)}>
87 <div>
88 <label htmlFor="email" className="block text-sm font-medium text-gray-700">
89 {t('Email')}
90 </label>
91 <Input
92 type="email"
93 {...register("email", {
94 required: t('Email is required'),
95 pattern: {
96 value: /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$/i,
97 message: t('Invalid email address'),
98 },
99 onChange: (e) => {
100 const emailRegex = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$/i;
101 e.target.setCustomValidity(
102 emailRegex.test(e.target.value) || e.target.value === ""
103 ? ""
104 : t('Please enter a valid email address')
105 );
106 trigger("email");
107 },
108 })}
109 isInvalid={!!errors.email}
110 errorMessage={errors.email?.message}
111 />
112 </div>
113
114 <div>
115 <label htmlFor="password" className="block text-sm font-medium text-gray-700">
116 {t('Password')}
117 </label>
118 <div>
119 <Input
120 type="password"
121 {...register("password", {
122 required: t('Password is required'),
123 validate: {
124 length: (v) => v.length >= 8 || t('Password must be at least 8 characters'),
125 uppercase: (v) => /[A-Z]/.test(v) || t('Must contain uppercase letter'),
126 lowercase: (v) => /[a-z]/.test(v) || t('Must contain lowercase letter'),
127 number: (v) => /\d/.test(v) || t('Must contain number'),
128 special: (v) => /[@$!%*?&]/.test(v) || t('Must contain special character'),
129 },
130 })}
131 isInvalid={!!errors.password}
132 errorMessage={errors.password?.message}
133 />
134 <PasswordValidation password={watch("password") || ""} />
135 </div>
136 </div>
137
138 {error && <p className="mt-2 text-sm text-red-600">{error}</p>}
139
140 <div className="col-span-2">
141 <button
142 type="submit"
143 className="flex w-full justify-center rounded-md border border-transparent bg-blue-600 px-4 py-2 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:ring-2 focus:ring-blue-500 focus:ring-offset-2 focus:outline-none"
144 disabled={isLoading}
145 >
146 {isLoading ? t('Processing...') : t('Continue')}
147 </button>
148 </div>
149 </form>
150
151 <Divider text={t('Or')} />
152
153 <div className="mt-6">
154 <SocialRegistrationButtons />
155 </div>
156 </div>
157 </div>
158 </div>
159 );
160 }
161 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/register/account/page.tsx"}1 "use client";
2
3 import React, { useState } from "react";
4
5 import { useRouter, useSearchParams } from "next/navigation";
6
7 import { useForm } from "react-hook-form";
8
9 import { useTranslation } from "@gangkharai/lmt/client";
10 import { Input } from "../../components/ui/input";
11 import { BasicFormData } from "../../types/registration";
12
13 type FormData = BasicFormData;
14
15 export default function AccountInfo() {
16 const t = useTranslation();
17 const searchParams = useSearchParams();
18 const {
19 register,
20 handleSubmit,
21 trigger,
22 formState: { errors },
23 } = useForm<FormData>({
24 defaultValues: async () => {
25 const savedData = sessionStorage.getItem("accountData");
26 const parsedData = savedData ? JSON.parse(savedData) : {};
27
28 // Check URL parameters for social registration data
29 const firstName = searchParams.get("firstName");
30 const lastName = searchParams.get("lastName");
31
32 if (firstName) parsedData.firstName = firstName;
33 if (lastName) parsedData.lastName = lastName;
34
35 // Store social registration data and email
36 if (searchParams.get("provider")) {
37 sessionStorage.setItem("registrationFlow", "social");
38 sessionStorage.setItem("socialProvider", searchParams.get("provider") || "");
39 sessionStorage.setItem("socialId", searchParams.get("socialId") || "");
40 const email = searchParams.get("email") || "";
41 sessionStorage.setItem("socialEmail", email);
42 // Add email to the form data
43 parsedData.email = email;
44 }
45
46 return parsedData;
47 },
48 });
49 const [isLoading, setIsLoading] = useState(false);
50 const [error, setError] = useState<React.ReactNode>(null);
51 const router = useRouter();
52
53 const onSubmit = async (data: FormData) => {
54 setIsLoading(true);
55 setError(null);
56
57 try {
58 // Get the basic data and combine with account data
59 const basicData = JSON.parse(sessionStorage.getItem("basicData") || "{}");
60 const combinedData = { ...basicData, ...data };
61
62 // Store combined data and proceed to personal info
63 sessionStorage.setItem("accountData", JSON.stringify(combinedData));
64 router.push("/register/personal");
65 } catch {
66 setError(t('An unexpected error occurred'));
67 } finally {
68 setIsLoading(false);
69 }
70 };
71
72 return (
73 <div className="flex min-h-screen flex-col justify-center bg-white py-12 sm:px-6 lg:px-8">
74 <div className="sm:mx-auto sm:w-full sm:max-w-2xl">
75 <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">{t('Account Details')}</h2>
76
77 {/* Progress indicator */}
78 <div className="mt-8 flex justify-center">
79 <div className="flex items-center">
80 <div className="flex h-10 w-10 items-center justify-center rounded-full bg-blue-600">
81 <span className="font-medium text-white">✓</span>
82 </div>
83 <div className="h-1 w-24 bg-blue-600"></div>
84 <div className="flex h-10 w-10 items-center justify-center rounded-full bg-blue-600">
85 <span className="font-medium text-white">2</span>
86 </div>
87 <div className="h-1 w-24 bg-blue-200"></div>
88 <div className="flex h-10 w-10 items-center justify-center rounded-full bg-blue-200">
89 <span className="font-medium text-white">3</span>
90 </div>
91 </div>
92 </div>
93 </div>
94
95 <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
96 <div className="bg-white px-4 py-8 shadow sm:rounded-md sm:px-8">
97 <form className="space-y-6" onSubmit={handleSubmit(onSubmit)}>
98 <div>
99 <label htmlFor="companyName" className="block text-sm font-medium text-gray-700">
100 {t('Company Name')}
101 </label>
102 <Input
103 {...register("companyName")}
104 className={errors.companyName ? "border-red-500" : "border-gray-300"}
105 isInvalid={!!errors.companyName}
106 errorMessage={errors.companyName?.message}
107 />
108 </div>
109
110 <div>
111 <label htmlFor="firstName" className="block text-sm font-medium text-gray-700">
112 {t('First Name')}
113 </label>
114 <Input
115 {...register("firstName", {
116 required: t('First name is required'),
117 pattern: {
118 value: /^[A-Za-z\s-']+$/,
119 message: t('First name should only contain letters, spaces, hyphens, and apostrophes'),
120 },
121 onChange: (e) => {
122 const hasNumbers = /\d/.test(e.target.value);
123 e.target.setCustomValidity(
124 hasNumbers ? t('Numbers are not allowed in first name') : ""
125 );
126 // Don't show minLength error during typing
127 if (e.target.value.length >= 2 || e.target.value.length === 0) {
128 trigger("firstName");
129 }
130 },
131 onBlur: () => {
132 // Validate all rules including minLength on blur
133 trigger("firstName");
134 },
135 minLength: {
136 value: 2,
137 message: t('First name must be at least 2 characters'),
138 },
139 })}
140 className={errors.firstName ? "border-red-500" : "border-gray-300"}
141 isInvalid={!!errors.firstName}
142 errorMessage={errors.firstName?.message}
143 />
144 </div>
145
146 <div>
147 <label htmlFor="lastName" className="block text-sm font-medium text-gray-700">
148 {t('Last Name')}
149 </label>
150 <Input
151 {...register("lastName", {
152 required: t('Last name is required'),
153 pattern: {
154 value: /^[A-Za-z\s-']+$/,
155 message: t('Last name should only contain letters, spaces, hyphens, and apostrophes'),
156 },
157 onChange: (e) => {
158 const hasNumbers = /\d/.test(e.target.value);
159 e.target.setCustomValidity(
160 hasNumbers ? t('Numbers are not allowed in last name') : ""
161 );
162 // Don't show minLength error during typing
163 if (e.target.value.length >= 2 || e.target.value.length === 0) {
164 trigger("lastName");
165 }
166 },
167 onBlur: () => {
168 // Validate all rules including minLength on blur
169 trigger("lastName");
170 },
171 minLength: {
172 value: 2,
173 message: t('Last name must be at least 2 characters'),
174 },
175 })}
176 className={errors.lastName ? "border-red-500" : "border-gray-300"}
177 isInvalid={!!errors.lastName}
178 errorMessage={errors.lastName?.message}
179 />
180 </div>
181
182 {error && <p className="mt-2 text-sm text-red-600">{error}</p>}
183
184 <div className="flex space-x-4">
185 <button
186 type="butt{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login -type f \\( -name \"middleware.ts\" -o -name \"proxy.ts\" \\)"}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/reselect/src/autotrackMemoize/proxy.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/immer/src/core/proxy.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/recharts/node_modules/@reduxjs/toolkit/node_modules/immer/src/core/proxy.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/recharts/node_modules/redux/src/types/middleware.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/proxy.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/proxy.ts"}1 import { NextRequest, NextResponse } from "next/server";
2
3 import { getSherpaApiUrl } from "./app/src/utils/env";
4
5 // Allowlist of static-asset file extensions the middleware skips. Keep in sync
6 // with whatever public/ + bundler output actually produces; broaden only when
7 // a real new asset type appears. Intentionally narrow — the previous
8 // `pathname.includes(".")` check would skip any URL containing a dot (e.g.
9 // `/users/[email protected]`), letting org resolution be bypassed.
10 const STATIC_EXT =
11 /\.(js|css|map|ico|png|jpe?g|gif|svg|webp|avif|woff2?|ttf|otf|eot|json|txt|xml|webmanifest)$/i;
12
13 const suspiciousPatterns = [
14 /<script/i,
15 /javascript:/i,
16 /onerror=/i,
17 /onload=/i,
18 /onclick=/i,
19 /<img/i,
20 /<iframe/i,
21 /<object/i,
22 /<embed/i,
23 /<svg/i,
24 /ptt93e3cf1e/,
25 ];
26
27 const isSuspicious = (value: string): boolean => {
28 return suspiciousPatterns.some((pattern) => pattern.test(value));
29 };
30
31 export async function proxy(request: NextRequest) {
32 const url = request.nextUrl.clone();
33 const searchParams = url.searchParams;
34 let hasSuspiciousParams = false;
35
36 searchParams.forEach((value, key) => {
37 if (isSuspicious(value) || isSuspicious(key)) {
38 searchParams.delete(key);
39 hasSuspiciousParams = true;
40 }
41 });
42
43 if (hasSuspiciousParams) {
44 return NextResponse.redirect(url);
45 }
46
47 try {
48 // Bail out for static asset requests so we never make an org-resolution
49 // round-trip for them. Restrict to a known extension allowlist — the
50 // previous `pathname.includes(".")` check let any URL with a dot anywhere
51 // in the path (including encoded values) skip middleware entirely.
52 if (STATIC_EXT.test(request.nextUrl.pathname)) {
53 return NextResponse.next();
54 }
55
56 const skipPages = [
57 "/register",
58 "/create-account",
59 "/forgot-password",
60 "/reset-password",
61 "/two-factor-setup",
62 "/two-factor-verify",
63 "/domain-blocked",
64 "/api",
65 "/login",
66 "/customer-portal",
67 "/embed-customer-portal",
68 ];
69
70 if (skipPages.some((page) => request.nextUrl.pathname.startsWith(page))) {
71 return NextResponse.next();
72 }
73
74 const host = request.headers.get("host") || request.nextUrl.hostname;
75 const hostname = host.split(":")[0];
76
77 const apiBaseUrl = getSherpaApiUrl(request.nextUrl.protocol);
78
79 const res = await fetch(`${apiBaseUrl}/v1/organization?by=origin`, {
80 method: "GET",
81 headers: {
82 Origin: `${request.nextUrl.protocol}//${host}`,
83 "Content-Type": "application/json",
84 },
85 cache: "no-store",
86 });
87 if (res.ok) {
88 // A 200 with an unparseable body is a contract violation, not a routing
89 // signal. Fall through to NextResponse.next() rather than crashing the
90 // middleware (which runs on every portal request).
91 let orgData: any;
92 try {
93 orgData = await res.json();
94 } catch {
95 return NextResponse.next();
96 }
97
98 // Only rewrite to customer portal for orgs with portalType 'customer'.
99 // The default Gangkhar org has portalType 'crm' and serves the admin app.
100 if (orgData?.portalType !== "customer") {
101 return NextResponse.next();
102 }
103
104 const templateId = orgData?.settings?.customerPortal?.templateId;
105 const portalMode = orgData?.portalMode;
106
107 if (portalMode === "embedded" && templateId) {
108 const page =
109 request.nextUrl.pathname === "/" ? "index" : request.nextUrl.pathname.slice(1);
110
111 const rewriteUrl = new URL(`/embed-customer-portal/pages/${page}`, request.url);
112 return NextResponse.rewrite(rewriteUrl);
113 }
114
115 if (portalMode === "standalone") {
116 const pathname = request.nextUrl.pathname;
117 if (pathname === "/") {
118 const rewriteUrl = new URL("/customer-portal/dashboard", request.url);
119 return NextResponse.rewrite(rewriteUrl);
120 }
121 const rewriteUrl = new URL(`/customer-portal${pathname}`, request.url);
122 return NextResponse.rewrite(rewriteUrl);
123 }
124 }
125 } catch (error) {
126 if (process.env.NODE_ENV !== "development") {
127 console.error("Proxy error:", error);
128 }
129 }
130
131 return NextResponse.next();
132 }
133
134 export const config = {
135 matcher: ["/((?!api|_next/static|_next/image|favicon.ico|.*\\..*).*)"],
136 };
137 {"command":"ls -la /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/profile/"}total 136 drwxr-xr-x@ 9 bakker staff 288 May 31 14:19 . drwxr-xr-x@ 60 bakker staff 1920 May 31 14:19 .. -rw-r--r--@ 1 bakker staff 9964 May 31 14:19 AddressSection.tsx -rw-r--r--@ 1 bakker staff 4973 May 31 14:19 ContactInfoSection.tsx -rw-r--r--@ 1 bakker staff 1165 May 31 14:19 LogoutSection.tsx -rw-r--r--@ 1 bakker staff 13371 May 31 14:19 PasskeysSection.tsx -rw-r--r--@ 1 bakker staff 6645 May 31 14:19 PasswordChangeSection.tsx -rw-r--r--@ 1 bakker staff 5202 May 31 14:19 PersonalInfoSection.tsx -rw-r--r--@ 1 bakker staff 8479 May 31 14:19 TwoFactorChangeSection.tsx
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/dashboard/page.tsx"}1 "use client";
2
3 import TemplateDispatcher from "../lib/TemplateDispatcher";
4 import DefaultDashboard from "./DefaultDashboard";
5
6 export default function DashboardPage() {
7 return <TemplateDispatcher page="dashboard" DefaultComponent={DefaultDashboard} />;
8 }
9 {"command":"grep -r \"customer.*dashboard\\|customer.*login\" /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal --include=\"*.tsx\" | head -10"}(Bash completed with no output)
{"command":"grep -n \"portalType\\|customerPortal\" /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/login/page.tsx"}96: // Use portalType from API, fall back to customerPortal setting presence 97: const isCustomerLogin = organization?.portalType 98: ? organization.portalType === "customer" 99: : !!organization?.settings?.customerPortal;
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/api.ts","offset":250,"limit":100}250 }
251
252 // Remove Content-Type header for FormData so axios can set it with boundary
253 if (config.data instanceof FormData) {
254 delete config.headers["Content-Type"];
255 }
256
257 return config;
258 },
259 (error) => Promise.reject(error)
260 );
261
262 this.api.interceptors.response.use(
263 (response) => {
264 if (useConnectionStore.getState().status !== "online") {
265 useConnectionStore.getState().markRecovered();
266 }
267 // Broadcast a product-mutated event for any non-GET call made while
268 // the user is on a /products/:id page, so useProductReadiness refetches
269 // the dots+banner without a page reload. We resolve the productId from
270 // either the request URL (preferred — works for /products/:id/...
271 // endpoints) or the current pathname (covers product-scoped pages that
272 // POST/PATCH/DELETE to non-product-prefixed routes like
273 // /quotes/:id, /policies/:id, /product-plans/:id, /pricing/:id, etc.).
274 try {
275 const method = response.config?.method?.toUpperCase();
276 if (method && method !== "GET" && typeof window !== "undefined") {
277 const url = response.config?.url ?? "";
278 const urlMatch = url.match(/\/products\/(\d+)(?:\/|$)/);
279 const pathMatch = window.location.pathname.match(/^\/products\/(\d+)(?:\/|$)/);
280 const productId = urlMatch
281 ? parseInt(urlMatch[1], 10)
282 : pathMatch
283 ? parseInt(pathMatch[1], 10)
284 : null;
285 if (productId !== null) {
286 window.dispatchEvent(
287 new CustomEvent("sherpa:product-mutated", {
288 detail: { productId },
289 }),
290 );
291 }
292 }
293 } catch {
294 // Never let event-dispatch failures break the API response chain.
295 }
296 return response;
297 },
298 async (error) => {
299 const originalRequest = error.config;
300 // `originalRequest.url` was already rewritten to its `/v1/...` form by
301 // the request interceptor before the request went out, so comparing
302 // against NO_AUTH_PATHS (all `/v1/`-prefixed by the module-load
303 // invariant above) is well-defined here. We evaluate this once, up
304 // front, before any branches mutate `originalRequest`.
305 const reqUrl: string | undefined = originalRequest?.url;
306 const requestHadAuth = !isNoAuthPath(reqUrl);
307 const isCanceled = axios.isCancel(error) || error.code === "ERR_CANCELED";
308
309 // Banner fires only when the API is genuinely unreachable. Any HTTP
310 // response — including 5xx — proves the API is alive: a 502/503/504
311 // from a domain endpoint typically means an upstream the API depends
312 // on failed (e.g., a third-party integration), not that this API is
313 // down. Let those propagate as normal errors.
314 const isInfraDown =
315 !isCanceled &&
316 requestHadAuth &&
317 !error.response &&
318 (error.code === "ERR_NETWORK" || error.code === "ERR_CONNECTION_REFUSED");
319 if (isInfraDown) {
320 useConnectionStore.getState().markFailure();
321 }
322
323 // 403 on organization-switching endpoints is a domain-specific
324 // navigation, not a session-end.
325 if (error.response?.status === 403) {
326 if (
327 originalRequest.url?.includes("/auth/organizations/") ||
328 originalRequest.url?.includes("/auth/switch-organization")
329 ) {
330 console.warn("Organization access denied. User may need to switch organizations.");
331 window.location.href = "/dashboard";
332 return Promise.reject(error);
333 }
334 }
335
336 // Only requests that carried Authorization can produce a session-end
337 // 401. A 401 from a credential-less request says nothing about the
338 // user's session (§6.1).
339 if (
340 !requestHadAuth ||
341 !error.response ||
342 error.response.status !== 401 ||
343 originalRequest._retry
344 ) {
345 return Promise.reject(error);
346 }
347
348 // 401 from an authenticated request: try refreshing once. If the
349 // refresh fails for credential reasons, refreshAuthToken() ends the{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/env.ts"}1 /// Use this to require all env variables and fail fast when they are missing!
2 /// We don't want to allow the service to go live with bad configuration.
3 /// Use this at the import-scope wherever we use environment variables and NEVER USE || 'default' fallbacks.
4 /// Eg: `const JWT_SECRET = getRequired('JWT_SECRET');` on top of your file.
5 export function getRequired(key: string): string {
6 if (key.startsWith("NEXT_PUBLIC_")) {
7 throw new Error(
8 `Do not use getRequired() with NEXT_PUBLIC_ variables. Use process.env.${key} directly since Next.js inlines these as static values during build.`
9 );
10 }
11
12 const value = process.env[key];
13 if (!value) {
14 throw new Error(`Environment variable ${key} is not set`);
15 }
16 return value;
17 }
18
19 function getUrl(httpUrl: string, httpsUrl: string, protocolOverride?: string): string {
20 const isDevelopment = process.env.NODE_ENV === "development";
21 if (!isDevelopment) return httpsUrl;
22 if (protocolOverride) {
23 const isHttps = protocolOverride === "https:";
24 return isHttps ? httpsUrl : httpUrl;
25 }
26 if (typeof window !== "undefined") {
27 const isHttps = window.location.protocol === "https:";
28 return isHttps ? httpsUrl : httpUrl;
29 }
30 return httpUrl;
31 }
32
33 /**
34 * Get the appropriate API URL based on environment and current protocol
35 */
36 export function getSherpaApiUrl(protocol?: string): string {
37 return getUrl(
38 process.env.NEXT_PUBLIC_SHERPA_API_HTTP!,
39 process.env.NEXT_PUBLIC_SHERPA_API_HTTPS!,
40 protocol
41 );
42 }
43
44 /**
45 * Get the appropriate app URL based on environment and current protocol
46 */
47 export function getAppUrl(): string {
48 return getUrl(process.env.NEXT_PUBLIC_APP_HTTP!, process.env.NEXT_PUBLIC_APP_HTTPS!);
49 }
50
51 /**
52 * Get the appropriate embed URL based on environment and current protocol
53 */
54 export function getEmbedUrl(): string {
55 return getUrl(process.env.NEXT_PUBLIC_EMBED_HTTP!, process.env.NEXT_PUBLIC_EMBED_HTTPS!);
56 }
57
58 /**
59 * Get the sherpa-mesh API URL for direct browser→mesh requests.
60 * Uses HTTP only when the current page is served over HTTP — HTTPS in all other cases.
61 */
62 export function getMeshUrl(): string {
63 const http = process.env.NEXT_PUBLIC_SHERPA_MESH_HTTP;
64 const https = process.env.NEXT_PUBLIC_SHERPA_MESH_HTTPS;
65 if (!http || !https) {
66 throw new Error(
67 "NEXT_PUBLIC_SHERPA_MESH_HTTP and NEXT_PUBLIC_SHERPA_MESH_HTTPS must be set. " +
68 "Add them to your .env file — see env.reference for values."
69 );
70 }
71 const isHttp = typeof window !== "undefined" && window.location.protocol === "http:";
72 return isHttp ? http : https;
73 }
74
75 // Hardcoded production mesh origins. Kept here (not in env) so a misconfigured
76 // NEXT_PUBLIC_SHERPA_MESH_HTTPS at build time cannot widen the allowlist past
77 // what the portal will accept as a bearer-token destination.
78 const HARDCODED_MESH_ORIGINS = [
79 "https://mesh.gangkhar.com",
80 "https://mesh.sherpa.gangkhar.com",
81 ];
82
83 function safeOrigin(value: string | undefined): string | null {
84 if (!value) return null;
85 try {
86 return new URL(value).origin;
87 } catch {
88 return null;
89 }
90 }
91
92 // Parse env-derived mesh origins once at module load. Anything that fails to
93 // parse is silently dropped — the hardcoded list still applies, and a
94 // misconfigured env will surface via getMeshUrl()'s missing-env throw.
95 const ENV_MESH_ORIGINS: readonly string[] = [
96 safeOrigin(process.env.NEXT_PUBLIC_SHERPA_MESH_HTTP),
97 safeOrigin(process.env.NEXT_PUBLIC_SHERPA_MESH_HTTPS),
98 ].filter((o): o is string => o !== null);
99
100 /**
101 * Returns true if `url` resolves to an origin we are allowed to send a portal
102 * bearer token to. The allowlist is:
103 * - origins derived from NEXT_PUBLIC_SHERPA_MESH_HTTP/HTTPS (parsed once at
104 * module load),
105 * - hardcoded production mesh origins,
106 * - any http://localhost[:port] (development only).
107 *
108 * Used by browser → mesh callers (e.g. usePortalChat) to refuse to attach a
109 * bearer when the resolved mesh URL has drifted to an unexpected origin.
110 */
111 export function isAllowedMeshOrigin(url: string): boolean {
112 const origin = safeOrigin(url);
113 if (!origin) return false;
114
115 if (ENV_MESH_ORIGINS.includes(origin)) return true;
116 if (HARDCODED_MESH_ORIGINS.includes(origin)) return true;
117
118 // Dev allowance: any http://localhost[:port]. We only permit this when
119 // NODE_ENV is "development" so a production build cannot accept localhost.
120 if (process.env.NODE_ENV === "development") {
121 try {
122 const parsed = new URL(url);
123 if (parsed.protocol === "http:" && parsed.hostname === "localhost") {
124 return true;
125 }
126 } catch {
127 return false;
128 }
129 }
130
131 return false;
132 }
133 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/api.ts","offset":350,"limit":50}350 // session itself. If it fails for transient reasons, we just reject
351 // and the session stays alive.
352 if (!this.isRefreshing) {
353 const refreshToken = useAuthStore.getState().refreshToken;
354 if (!refreshToken) {
355 endSession({ captureIntent: true });
356 return Promise.reject(new Error("No refresh token available"));
357 }
358
359 originalRequest._retry = true;
360 this.isRefreshing = true;
361
362 try {
363 const newToken = await this.refreshAuthToken();
364 this.isRefreshing = false;
365
366 if (newToken) {
367 this.processQueue();
368 originalRequest.headers.Authorization = `Bearer ${newToken}`;
369 return this.api(originalRequest);
370 }
371 this.processQueue(new Error("Token refresh failed"));
372 // refreshAuthToken already handled session-end vs. transient.
373 return Promise.reject(new Error("Token refresh failed"));
374 } catch (refreshError) {
375 this.processQueue(refreshError as Error);
376 this.isRefreshing = false;
377 return Promise.reject(refreshError);
378 }
379 }
380
381 return Promise.reject(error);
382 }
383 );
384 }
385 }
386
387 const apiService = ApiService.getInstance();
388
389 const api = axios.create({
390 baseURL: getSherpaApiUrl(),
391 headers: {
392 "Content-Type": "application/json",
393 },
394 validateStatus: (status) => (status >= 200 && status < 300) || status === 304,
395 });
396 api.interceptors.request = apiService.getAxiosInstance().interceptors.request;
397 api.interceptors.response = apiService.getAxiosInstance().interceptors.response;
398
399 export default api;Perfect! Now I have all the information I need. Let me compile a comprehensive report.
---
## COMPREHENSIVE INTEGRATION MAP: CUSTOMER-FACING PASSKEY FLOWS
This map details exactly where passkey WebAuthn support should be wired into customer-facing journeys, with precise file paths, line numbers, and code snippets.
---
### 1. EXISTING PASSKEY CODE (PRIOR IMPLEMENTATION)
**File: `/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/passkeys.ts`**
**Exports:**
- **`isPasskeySupported(): boolean`** (line 41–44) — SSR-safe feature gate; returns false on server and on browsers without PublicKeyCredential API.
- **`loginWithPasskey(): Promise<PasskeyLoginResult>`** (line 49–67) — Passwordless discoverable-credential login:
1. `POST /auth/passkeys/login/options` with empty body → gets `{ challengeId, options: PublicKeyCredentialRequestOptionsJSON }`
2. Calls `startAuthentication({ optionsJSON: options })` (from `@simplewebauthn/browser`)
3. `POST /auth/passkeys/login/verify` with `{ challengeId, response: assertion }` → returns `{ accessToken, refreshToken }`
4. **Returns:** `{ accessToken, refreshToken }` for caller to pass to `AuthProvider.login()`
- **`registerPasskey(name: string): Promise<Passkey>`** (line 71–84) — Enrols a new passkey for authenticated user:
1. `POST /auth/passkeys/register/options` with `{ name }` → gets `PublicKeyCredentialCreationOptionsJSON`
2. Calls `startRegistration({ optionsJSON: options })`
3. `POST /auth/passkeys/register/verify` with `{ name, response: attestation }` → returns passkey object
4. **Requires:** Bearer token from authenticated session (API derives user from token)
- **`listPasskeys(): Promise<Passkey[]>`** (line 86–89) — `GET /auth/passkeys` → returns `{ data: { passkeys: [] } }`
- **`renamePasskey(id: string, name: string): Promise<Passkey>`** (line 91–94) — `PATCH /auth/passkeys/{id}` with `{ name }`
- **`revokePasskey(id: string): Promise<void>`** (line 96–98) — `DELETE /auth/passkeys/{id}`
- **`isPasskeyCancellation(error: unknown): boolean`** (line 102–104) — Checks if error is `DOMException` with `name === "NotAllowedError"` (user dismissed prompt).
- **`extractPasskeyError(error: unknown, fallback: string): string`** (line 109–133) — Extracts user-friendly message from WebAuthn DOMExceptions or API error envelopes (`{ error: { message } }` or `{ message }`).
**Passkey Interface** (line 25–32):
```typescript
export interface Passkey {
id: string;
name: string;
deviceType: "singleDevice" | "multiDevice" | null;
backedUp: boolean;
lastUsedAt: string | null;
createdAt: string;
}
```
---
**File: `/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/profile/PasskeysSection.tsx`**
**Component:** `PasskeysSection` — Renders the passkey management UI (add, rename, revoke, list).
**Props** (line 22–24):
```typescript
interface PasskeysSectionProps {
onError: (message: string) => void; // Error callback for parent
}
```
**What it renders:**
- Header with "Passkeys" title + "Add passkey" button (if supported and not already adding) (lines 147–159)
- Browser support check: shows fallback text if unsupported (lines 162–167)
- Info box: explains passkeys are additional, not required, so removing them can't lock users out (lines 170–175)
- **Add form** (lines 177–207): Text input for name, "Create passkey" button (calls `registerPasskey(name)`)
- **List view** (lines 242–341): Each passkey shows name, device type label, creation date, last-used date, with rename/revoke action buttons
- **Loading/error states:** Spinner during load, "Retry" button on failure (lines 210–227)
- Empty state with "Set up a passkey" button (lines 228–240)
**Key behaviors:**
- Single `busy` flag prevents concurrent operations (passkey ceremonies can't be cancelled mid-flight) (line 36)
- `loadPasskeys()` calls `listPasskeys()` on mount (line 44)
- `handleAdd()` calls `registerPasskey(name)`, adds to local state, shows toast (lines 71–90)
- `handleRename()` and `handleRevoke()` update local state on success (lines 92–124)
- **Auth assumption:** Callers must be authenticated (bearer token required for enroll/rename/revoke endpoints)
---
**File: `/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/login/page.tsx`**
**Customer-aware login page.** Customer login checks `organization.portalType === "customer"` (line 97–99) to route to `/auth/customer/login` instead of `/auth/login`.
**Passkey sign-in (lines 299–326):**
```typescript
{passkeySupported && (
<div className="mt-6">
<div className="relative">...</div>
<Button
type="button"
variant="outline"
onClick={handlePasskeyLogin}
disabled={isPasskeyLoading || isLoading}
className="flex w-full items-center justify-center gap-2"
>
<KeyRound className="h-5 w-5" />
{isPasskeyLoading ? t('Waiting for passkey…') : t('Sign in with a passkey')}
</Button>
<p className="mt-2 text-center text-xs text-gray-500">
{t('Use your fingerprint, face, or device PIN. Your password still works too.')}
</p>
</div>
)}
```
**Flow** (lines 131–152):
1. `handlePasskeyLogin()` calls `loginWithPasskey()`
2. Returns `{ accessToken, refreshToken }`
3. Calls `login(accessToken, refreshToken)` → same as password login
4. On success: AuthProvider redirects to `/dashboard` or `/products` (line 184)
5. On cancellation: silent (line 142)
6. On error: `extractPasskeyError()` → error toast
---
**File: `/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/profile/page.tsx`**
**Internal user profile.** Mounts `PasskeysSection` (line 116):
```typescript
<PasskeysSection onError={(errorMessage) => setError(errorMessage)} />
```
**Context:** This is the **WRONG place** — targets `/app/profile` (internal users/admins), not customers.
---
**File: `/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/api.ts`**
**Passkey endpoint constants** (lines 26–29):
```typescript
// Passwordless passkey login is pre-auth: a 401 here (e.g. an unrecognized or
// revoked passkey) is a login failure, not a verdict on an existing session.
"/v1/auth/passkeys/login/options",
"/v1/auth/passkeys/login/verify",
```
These are listed in `NO_AUTH_PATHS` (line 19) — they never carry Authorization headers, and 401 is treated as a login failure, not a session-end signal.
Register endpoints (`/auth/passkeys/register/options`, `/auth/passkeys/register/verify`) **ARE authenticated** (not in NO_AUTH_PATHS) — they require a bearer token.
---
### 2. CUSTOMER ACCOUNT CREATION
**File: `/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx`**
**Purpose:** Customers create password after clicking invite link. **Visited with `?token={invite_token}`.**
**Account creation flow** (lines 79–119):
```typescript
const response = await api.post("/v1/auth/create-account", {
token: token,
password: data.password,
});
if (response.data.status === "success") {
// If API returns user email, attempt auto-login
if (response.data.data?.email) {
const loginResponse = await api.post("/v1/auth/login", {
email: response.data.data.email,
password: data.password,
});
if (loginResponse.data.status === "success" && loginResponse.data.data) {
await login(
loginResponse.data.data.accessToken,
loginResponse.data.data.refreshToken
);
router.push("/dashboard");
return;
}
}
// Fallback: redirect to login page
router.push("/login?registered=true");
}
```
**Key observations:**
1. **Endpoint:** `POST /v1/auth/create-account` with `{ token, password }`
2. **Response:** `{ status: "success", data: { email } }` on success
3. **Auto-login:** API returns email → attempts `POST /v1/auth/login` → gets `accessToken, refreshToken` → calls `AuthProvider.login()`
4. **Result:** User is authenticated immediately aftstatus: done exit: 0 tail: > Sherpa [email protected] prepare > husky git command not found up to date, audited 955 packages in 1s 221 packages are looking for funding run `npm fund` for details 5 moderate severity vulnerabilities To address issues that do not require attention, run: npm audit fix Some issues need review, and may require choosing a different dependency. Run `npm audit` for details.
Install done. Map complete. Key facts:
passkeys.ts + PasskeysSection.tsx exist & reusable (props: onError).app/login/page.tsx ALREADY has passkey button + customer-login routing → customer login surface covered.create-account (offer setup after signup) + customer-portal/profile (mount PasskeysSection). Embed profile shares DefaultProfile.Kick API migrate + read actual files I'll edit (don't trust map blindly).
{"command":"curl -fsS -X POST http://localhost:7777/api/api-action -H 'Content-Type: application/json' -d '{\"path\":\"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\",\"action\":\"migrate\"}' 2>&1 | python3 -c \"import sys,json;d=json.load(sys.stdin);print('migrate:',d.get('status'))\" ; echo \"kicked\"","description":"Kick API migrate"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/page.tsx"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/DefaultProfile.tsx"}migrate: running kicked
1 "use client";
2
3 import TemplateDispatcher from "../lib/TemplateDispatcher";
4 import DefaultProfile from "./DefaultProfile";
5
6 export default function ProfilePage() {
7 return <TemplateDispatcher page="profile" DefaultComponent={DefaultProfile} />;
8 }
9 1 "use client";
2
3 import React, { useState } from "react";
4
5 import { Shield } from "lucide-react";
6
7 import { useTranslation } from "@gangkharai/lmt/client";
8 import { useAuth } from "@/app/components/AuthProvider";
9 import AddressSection from "@/app/components/profile/AddressSection";
10 import ContactInfoSection from "@/app/components/profile/ContactInfoSection";
11 import LogoutSection from "@/app/components/profile/LogoutSection";
12 import PasswordChangeSection from "@/app/components/profile/PasswordChangeSection";
13 import PersonalInfoSection from "@/app/components/profile/PersonalInfoSection";
14 import TwoFactorChangeSection from "@/app/components/profile/TwoFactorChangeSection";
15 import { showSuccessToast } from "@/app/components/Toast";
16 import useAuthStore from "@/app/src/store/authStore";
17 import api from "@/app/src/utils/api";
18 import { UserData } from "@/app/types/user";
19 import { usePermission, PERMISSIONS } from "@/app/src/rbac";
20 import PortalLayout from "@/app/customer-portal/PortalLayout";
21
22 const RoleBadge: React.FC = () => {
23 const t = useTranslation();
24 const canManageAllOrgs = usePermission(PERMISSIONS.organizations.manage_all.value);
25 const canManageUsers = usePermission(PERMISSIONS.users.create.value);
26
27 if (canManageAllOrgs) {
28 return (
29 <div className="inline-flex items-center rounded-full bg-portal-primary-light px-3 py-1 text-sm font-medium text-portal-primary">
30 <Shield className="mr-1 h-4 w-4" />
31 {t('Administrator')}
32 </div>
33 );
34 }
35
36 if (canManageUsers) {
37 return (
38 <div className="inline-flex items-center rounded-full bg-purple-100 px-3 py-1 text-sm font-medium text-purple-800">
39 <Shield className="mr-1 h-4 w-4" />
40 {t('Manager')}
41 </div>
42 );
43 }
44
45 return null;
46 };
47
48 export default function DefaultProfile() {
49 const t = useTranslation();
50 const { user } = useAuth();
51 const setUser = useAuthStore((state) => state.setUser);
52 const [isLoading, setIsLoading] = useState(false);
53 const [error, setError] = useState<React.ReactNode>(null);
54
55 const handleUpdate = async (data: Partial<UserData>) => {
56 if (!user) return;
57
58 setIsLoading(true);
59 setError(null);
60
61 try {
62 const response = await api.put(`/customers/${user.id}`, data);
63
64 if (response.data.status === "success") {
65 const updatedUser = { ...user, ...data };
66 setUser(updatedUser);
67 showSuccessToast(t('Profile updated successfully'));
68 } else {
69 setError(t('Failed to update profile'));
70 }
71 } catch (error) {
72 console.error("Error updating profile:", error);
73 setError(t('Failed to update profile'));
74 } finally {
75 setIsLoading(false);
76 }
77 };
78
79 return (
80 <PortalLayout>
81 <div className="mx-auto max-w-4xl py-6 sm:px-6 lg:px-8">
82 <div className="mb-6">
83 <div className="flex items-center gap-3">
84 <h1 className="text-3xl font-bold text-gray-900">{t('Customer Profile')}</h1>
85 <RoleBadge />
86 </div>
87 <div className="bg-portal-primary mt-3 h-1 w-12 rounded-full opacity-80"></div>
88 </div>
89
90 {error && (
91 <div className="mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700">
92 {error}
93 </div>
94 )}
95
96 {user && (
97 <>
98 <PersonalInfoSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
99 <ContactInfoSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
100 <AddressSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
101 <PasswordChangeSection
102 userId={user.id}
103 onSuccess={() => showSuccessToast(t('Password updated successfully'))}
104 onError={(errorMessage) => setError(errorMessage)}
105 />
106 <TwoFactorChangeSection
107 userId={user.id}
108 onSuccess={() =>
109 showSuccessToast(t('Two-factor authentication method updated successfully'))
110 }
111 onError={(errorMessage) => setError(errorMessage)}
112 />
113 <LogoutSection />
114 </>
115 )}
116 </div>
117 </PortalLayout>
118 );
119 }
120 1 "use client";
2
3 import React, { Suspense } from "react";
4 import { useState, useEffect } from "react";
5
6
7 import Link from "next/link";
8 import { useRouter, useSearchParams } from "next/navigation";
9
10 import { useForm } from "react-hook-form";
11
12 import { useTranslation } from "@gangkharai/lmt/client";
13 import { useAuth } from "../components/AuthProvider";
14 import { EnhancedLocaleSwitcher } from "../components/EnhancedLocaleSwitcher";
15 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
16 import Loader from "../components/Loader";
17 import { useOrganization } from "../components/OrganizationProvider";
18 import PasswordValidation from "../components/PasswordValidation";
19 import SocialCreateAccountButtons from "../components/SocialCreateAccountButtons";
20 import Toast, { showErrorToast, showSuccessToast } from "../components/Toast";
21 import { Button } from "../components/ui/button";
22 import { Input } from "../components/ui/input";
23 import api from "../src/utils/api";
24 import useAuthStore from "../src/store/authStore";
25
26 interface CreateAccountFormData {
27 password: string;
28 confirmPassword: string;
29 }
30
31 function CreateAccountContent() {
32 const t = useTranslation();
33 const [isLoading, setIsLoading] = useState(false);
34 const [error, setError] = useState("");
35 const [token, setToken] = useState("");
36 const router = useRouter();
37 const searchParams = useSearchParams();
38 const { login, user, loading: authLoading } = useAuth();
39 const { organization, isLoading: orgLoading, error: orgError } = useOrganization();
40 const storeLogout = useAuthStore((state) => state.logout);
41
42 const {
43 register,
44 handleSubmit,
45 formState: { errors },
46 watch,
47 } = useForm<CreateAccountFormData>();
48
49 const password = watch("password");
50
51 useEffect(() => {
52 document.title = t("Create Account - Sherpa Portal");
53
54 const tokenParam = searchParams.get("token");
55 if (!tokenParam) {
56 setError(t("Invalid or missing token. Please check your email link."));
57 return;
58 }
59 setToken(tokenParam);
60
61 const errorParam = searchParams.get("error");
62 if (errorParam) {
63 setError(decodeURIComponent(errorParam));
64 }
65 }, [searchParams, t]);
66
67 useEffect(() => {
68 if (!authLoading && user) {
69 storeLogout();
70 }
71 }, [authLoading, user, storeLogout]);
72
73 const showSocialLogin = organization?.settings?.features?.socialLogin === true;
74
75 if (authLoading || (orgLoading && !orgError)) {
76 return <Loader />;
77 }
78
79 const handleCreateAccount = async (data: CreateAccountFormData) => {
80 if (!token) {
81 setError(t("Invalid token. Please check your email link."));
82 return;
83 }
84
85 setIsLoading(true);
86 setError("");
87
88 try {
89 const response = await api.post("/v1/auth/create-account", {
90 token: token,
91 password: data.password,
92 });
93
94 if (response.data.status === "success") {
95 showSuccessToast(t("Account created successfully! Please log in with your new account."));
96
97 // If the API returns user email, attempt auto-login
98 if (response.data.data?.email) {
99 try {
100 const loginResponse = await api.post("/v1/auth/login", {
101 email: response.data.data.email,
102 password: data.password,
103 });
104
105 if (loginResponse.data.status === "success" && loginResponse.data.data) {
106 await login(
107 loginResponse.data.data.accessToken,
108 loginResponse.data.data.refreshToken
109 );
110 router.push("/dashboard");
111 return;
112 }
113 } catch (loginError) {
114 console.error("Auto-login failed:", loginError);
115 }
116 }
117
118 // Fallback: redirect to login page
119 router.push("/login?registered=true");
120 } else {
121 setError(response.data.message || t("Failed to create account. Please try again."));
122 }
123 } catch (error: unknown) {
124 console.error("Create account error:", error);
125 let errorMsg = t("Failed to create account. Please try again.");
126
127 if (error && typeof error === "object" && "response" in error) {
128 const axiosError = error as { response?: { data?: { error?: { message?: string } } } };
129 const apiErrorMessage = axiosError.response?.data?.error?.message;
130
131 if (apiErrorMessage === "Invalid or expired token") {
132 errorMsg = t("This invitation link has expired or is invalid. Please request a new invitation link from your administrator.");
133 } else if (apiErrorMessage) {
134 errorMsg = apiErrorMessage;
135 }
136 }
137
138 setError(errorMsg);
139 showErrorToast(errorMsg);
140 } finally {
141 setIsLoading(false);
142 }
143 };
144
145 return (
146 <div className="flex min-h-screen flex-col justify-center bg-white py-12 sm:px-6 lg:px-8">
147 <Toast />
148 <div className="absolute top-4 right-4">
149 <EnhancedLocaleSwitcher locales={LOCALE_LABELS} />
150 </div>
151 <div className="sm:mx-auto sm:w-full sm:max-w-md">
152 <div className="flex justify-center bg-white">
153 <img
154 src={organization?.settings?.branding?.logoUrl || "/assets/GangkharLogo.svg"}
155 alt={`${organization?.settings?.branding?.applicationName || organization?.displayName || organization?.name || "Portal"} Logo`}
156 width={240}
157 height={80}
158 className="object-contain"
159 />
160 </div>
161 <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
162 {t("Create Your Account")}
163 </h2>
164 <p className="mt-2 text-center text-sm text-gray-600">
165 {t("Set up your customer portal account to manage your policies")}
166 </p>
167 </div>
168
169 <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
170 <div className="bg-white px-4 py-8 shadow sm:rounded-md sm:px-10">
171 {error && (
172 <div className="mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700">
173 {error}
174 </div>
175 )}
176
177 <form className="space-y-6" onSubmit={handleSubmit(handleCreateAccount)}>
178 <div>
179 <label htmlFor="password" className="block text-sm font-medium text-gray-700">
180 {t("Password")}
181 </label>
182 <div className="mt-1">
183 <Input
184 id="password"
185 type="password"
186 {...register("password", {
187 required: t("Password is required"),
188 validate: {
189 length: (v) => v.length >= 8 || t("Password must be at least 8 characters"),
190 uppercase: (v) => /[A-Z]/.test(v) || t("Must contain uppercase letter"),
191 lowercase: (v) => /[a-z]/.test(v) || t("Must contain lowercase letter"),
192 number: (v) => /\d/.test(v) || t("Must contain number"),
193 special: (v) => /[@$!%*?&]/.test(v) || t("Must contain special character"),
194 },
195 })}
196 isInvalid={!!errors.password}
197 errorMessage={errors.password?.message}
198 />
199 <PasswordValidation password={password || ""} />
200 </div>
201 </div>
202
203 <div>
204 Files read. Key constraint spotted: create-account useEffect (line 67-71) calls storeLogout() whenever user becomes set — so calling full login() then staying on page would nuke session. Plan: after signup, setTokens directly (authenticates api for passkey register, doesn't set user → no logout), show skippable passkey step, then finalize login() (redirects away).
Need exact passkeys.ts paths + PasskeysSection props + embed profile sharing + proxy rewrites. Read in parallel, poll migrate.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/passkeys.ts"}1 // Passkey (WebAuthn / FIDO2) client helpers.
2 //
3 // Thin wrappers over the sherpa-api passkey endpoints + @simplewebauthn/browser.
4 // The browser library handles the navigator.credentials.create()/.get() dance
5 // and Base64URL (de)serialisation; these helpers own the API round-trips and
6 // shape the results the UI consumes.
7 //
8 // Token handling is intentionally NOT done here — login() in AuthProvider is the
9 // single place that persists tokens (mirroring password login), so callers feed
10 // the returned tokens straight into it.
11
12 import {
13 browserSupportsWebAuthn,
14 startAuthentication,
15 startRegistration,
16 } from "@simplewebauthn/browser";
17 import type {
18 PublicKeyCredentialCreationOptionsJSON,
19 PublicKeyCredentialRequestOptionsJSON,
20 } from "@simplewebauthn/browser";
21
22 import api from "./api";
23
24 // Public projection of a UserPasskey, matching the API's serializePasskey().
25 export interface Passkey {
26 id: string;
27 name: string;
28 deviceType: "singleDevice" | "multiDevice" | null;
29 backedUp: boolean;
30 lastUsedAt: string | null;
31 createdAt: string;
32 }
33
34 export interface PasskeyLoginResult {
35 accessToken: string;
36 refreshToken: string;
37 }
38
39 // Synchronous feature gate for showing/hiding passkey affordances. Returns false
40 // during SSR (no `window`) and on browsers without the PublicKeyCredential API.
41 export function isPasskeySupported(): boolean {
42 if (typeof window === "undefined") return false;
43 return browserSupportsWebAuthn();
44 }
45
46 // Passwordless, discoverable-credential login: the authenticator surfaces which
47 // passkey to use, so no email is typed first. Returns the issued tokens for the
48 // caller to persist via AuthProvider.login().
49 export async function loginWithPasskey(): Promise<PasskeyLoginResult> {
50 // Send an explicit empty body: the shared api client forces a JSON
51 // Content-Type, and Fastify rejects a JSON request with no body at all.
52 const optionsResponse = await api.post("/auth/passkeys/login/options", {});
53 const { challengeId, options } = optionsResponse.data as {
54 challengeId: string;
55 options: PublicKeyCredentialRequestOptionsJSON;
56 };
57
58 const assertion = await startAuthentication({ optionsJSON: options });
59
60 const verifyResponse = await api.post("/auth/passkeys/login/verify", {
61 challengeId,
62 response: assertion,
63 });
64
65 const { accessToken, refreshToken } = verifyResponse.data.data;
66 return { accessToken, refreshToken };
67 }
68
69 // Enrols a new passkey for the signed-in user. Requires an authenticated
70 // session (the API derives the user from the bearer token).
71 export async function registerPasskey(name: string): Promise<Passkey> {
72 // register/options returns the raw PublicKeyCredentialCreationOptionsJSON.
73 const optionsResponse = await api.post("/auth/passkeys/register/options", { name });
74 const options = optionsResponse.data as PublicKeyCredentialCreationOptionsJSON;
75
76 const attestation = await startRegistration({ optionsJSON: options });
77
78 const verifyResponse = await api.post("/auth/passkeys/register/verify", {
79 name,
80 response: attestation,
81 });
82
83 return verifyResponse.data.passkey as Passkey;
84 }
85
86 export async function listPasskeys(): Promise<Passkey[]> {
87 const response = await api.get("/auth/passkeys");
88 return (response.data.data?.passkeys ?? []) as Passkey[];
89 }
90
91 export async function renamePasskey(id: string, name: string): Promise<Passkey> {
92 const response = await api.patch(`/auth/passkeys/${id}`, { name });
93 return response.data.data.passkey as Passkey;
94 }
95
96 export async function revokePasskey(id: string): Promise<void> {
97 await api.delete(`/auth/passkeys/${id}`);
98 }
99
100 // The user dismissed or let the native passkey prompt time out. Callers treat
101 // this as a soft cancel (no error toast) rather than a failure.
102 export function isPasskeyCancellation(error: unknown): boolean {
103 return error instanceof DOMException && error.name === "NotAllowedError";
104 }
105
106 // Extracts a human-readable message from a passkey failure: the well-known
107 // WebAuthn DOMExceptions first, then the API's `{ error: { message } }` /
108 // `{ message }` envelopes, falling back to the caller-supplied default.
109 export function extractPasskeyError(error: unknown, fallback: string): string {
110 if (error instanceof DOMException) {
111 if (error.name === "InvalidStateError") {
112 return "This device already has a passkey for your account.";
113 }
114 if (error.name === "NotAllowedError") {
115 return "The passkey prompt was cancelled or timed out.";
116 }
117 }
118
119 const responseData = (error as { response?: { data?: unknown } })?.response?.data;
120 if (responseData && typeof responseData === "object") {
121 const data = responseData as { error?: { message?: string }; message?: string };
122 const message = data.error?.message ?? data.message;
123 if (typeof message === "string" && message.length > 0) {
124 return message;
125 }
126 }
127
128 if (error instanceof Error && error.message) {
129 return error.message;
130 }
131
132 return fallback;
133 }
134 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/profile/PasskeysSection.tsx"}1 "use client";
2
3 import React, { useCallback, useEffect, useState } from "react";
4
5 import { Check, KeyRound, Loader2, Pencil, Plus, ShieldCheck, Trash2, X } from "lucide-react";
6 import { useTranslation } from "@gangkharai/lmt/client";
7
8 import { localeDateTag } from "@/app/lib/locale";
9 import {
10 Passkey,
11 extractPasskeyError,
12 isPasskeyCancellation,
13 isPasskeySupported,
14 listPasskeys,
15 registerPasskey,
16 renamePasskey,
17 revokePasskey,
18 } from "../../src/utils/passkeys";
19 import { showSuccessToast } from "../Toast";
20 import { Button } from "../ui/button";
21
22 interface PasskeysSectionProps {
23 onError: (message: string) => void;
24 }
25
26 const PasskeysSection: React.FC<PasskeysSectionProps> = ({ onError }) => {
27 const t = useTranslation();
28
29 const [supported, setSupported] = useState(false);
30 const [passkeys, setPasskeys] = useState<Passkey[]>([]);
31 const [loading, setLoading] = useState(true);
32 const [loadFailed, setLoadFailed] = useState(false);
33
34 // A single in-flight flag disables every action during any mutating call —
35 // passkey ceremonies can't be cancelled mid-flight, so we never run two at once.
36 const [busy, setBusy] = useState(false);
37
38 const [adding, setAdding] = useState(false);
39 const [newName, setNewName] = useState("");
40 const [renamingId, setRenamingId] = useState<string | null>(null);
41 const [renameValue, setRenameValue] = useState("");
42 const [confirmRevokeId, setConfirmRevokeId] = useState<string | null>(null);
43
44 const loadPasskeys = useCallback(async () => {
45 try {
46 const data = await listPasskeys();
47 setPasskeys(data);
48 setLoadFailed(false);
49 } catch (error) {
50 console.error("Failed to load passkeys:", error);
51 setLoadFailed(true);
52 } finally {
53 setLoading(false);
54 }
55 }, []);
56
57 useEffect(() => {
58 const ok = isPasskeySupported();
59 setSupported(ok);
60 if (ok) {
61 void loadPasskeys();
62 } else {
63 setLoading(false);
64 }
65 }, [loadPasskeys]);
66
67 const reportError = (message: string) => {
68 onError(message);
69 };
70
71 const handleAdd = async () => {
72 const name = newName.trim();
73 if (!name) return;
74
75 setBusy(true);
76 try {
77 const created = await registerPasskey(name);
78 setPasskeys((prev) => [created, ...prev]);
79 setAdding(false);
80 setNewName("");
81 showSuccessToast(t('Passkey added'));
82 } catch (error) {
83 // A dismissed prompt is a soft cancel — leave the form open, no error.
84 if (isPasskeyCancellation(error)) return;
85 console.error("Failed to add passkey:", error);
86 reportError(extractPasskeyError(error, t('Could not add passkey. Please try again.')));
87 } finally {
88 setBusy(false);
89 }
90 };
91
92 const handleRename = async (id: string) => {
93 const name = renameValue.trim();
94 if (!name) return;
95
96 setBusy(true);
97 try {
98 const updated = await renamePasskey(id, name);
99 setPasskeys((prev) => prev.map((p) => (p.id === id ? updated : p)));
100 setRenamingId(null);
101 setRenameValue("");
102 showSuccessToast(t('Passkey renamed'));
103 } catch (error) {
104 console.error("Failed to rename passkey:", error);
105 reportError(extractPasskeyError(error, t('Could not rename passkey. Please try again.')));
106 } finally {
107 setBusy(false);
108 }
109 };
110
111 const handleRevoke = async (id: string) => {
112 setBusy(true);
113 try {
114 await revokePasskey(id);
115 setPasskeys((prev) => prev.filter((p) => p.id !== id));
116 setConfirmRevokeId(null);
117 showSuccessToast(t('Passkey revoked'));
118 } catch (error) {
119 console.error("Failed to revoke passkey:", error);
120 reportError(extractPasskeyError(error, t('Could not revoke passkey. Please try again.')));
121 } finally {
122 setBusy(false);
123 }
124 };
125
126 const deviceLabel = (passkey: Passkey): string => {
127 if (passkey.deviceType === "multiDevice") return t('Synced across your devices');
128 if (passkey.deviceType === "singleDevice") return t('This device only');
129 return t('Passkey');
130 };
131
132 const formatDate = (value: string | null): string => {
133 if (!value) return t('Never');
134 return new Date(value).toLocaleDateString(localeDateTag(), {
135 year: "numeric",
136 month: "short",
137 day: "numeric",
138 });
139 };
140
141 const openAddForm = () => {
142 setAdding(true);
143 setNewName("");
144 };
145
146 return (
147 <div className="mb-6 overflow-hidden bg-white shadow sm:rounded-md">
148 <div className="flex items-center justify-between px-4 py-5 sm:px-6">
149 <div className="flex items-center gap-2">
150 <KeyRound className="h-5 w-5 text-gray-400" />
151 <h3 className="text-lg leading-6 font-medium text-gray-900">{t('Passkeys')}</h3>
152 </div>
153 {supported && !adding && (
154 <Button onClick={openAddForm} disabled={busy || loading}>
155 <Plus className="mr-2 h-4 w-4" />
156 {t('Add passkey')}
157 </Button>
158 )}
159 </div>
160
161 <div className="border-t border-gray-200">
162 {!supported ? (
163 <div className="px-4 py-5 sm:p-6">
164 <p className="text-sm text-gray-500">
165 {t("This browser doesn't support passkeys. Try a recent version of Chrome, Safari, Edge, or Firefox.")}
166 </p>
167 </div>
168 ) : (
169 <div className="space-y-4 px-4 py-5 sm:p-6">
170 <div className="flex items-start gap-2 rounded-md bg-blue-50 p-3 text-sm text-blue-800">
171 <ShieldCheck className="mt-0.5 h-4 w-4 flex-shrink-0" />
172 <span>
173 {t('Passkeys are an additional sign-in method. Your password and two-factor authentication still work, so adding or removing a passkey can never lock you out of your account.')}
174 </span>
175 </div>
176
177 {adding && (
178 <div className="space-y-3 rounded-md border border-gray-200 p-4">
179 <label htmlFor="passkey-name" className="block text-sm font-medium text-gray-700">
180 {t('Name this passkey')}
181 </label>
182 <input
183 id="passkey-name"
184 type="text"
185 value={newName}
186 onChange={(e) => setNewName(e.target.value)}
187 maxLength={100}
188 placeholder={t('e.g. MacBook Touch ID')}
189 className="mt-1 block w-full rounded-md border border-gray-300 px-3 py-2 shadow-sm focus:border-blue-500 focus:ring-blue-500 focus:outline-none sm:text-sm"
190 />
191 <div className="flex justify-end space-x-3">
192 <Button
193 type="button"
194 variant="outline"
195 onClick={() => {
196 setAdding(false);
197 setNewName("");
198 }}
199 disabled={busy}
200 >
201 {t('Cancel')}
202 </Button>
203 <Button type="button" onClick={handleAdd} disabled={busy || !newName.trim()}>
204 {busy ? t('Waiting for passkey…') : t('Create passkey')}
205 </Button>
206 </div>
207 </div>
208 )}
209
210 {loading ? (
211 <div className="flex items-center gap-2 text-sm text-gray-500">
212 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/profile/page.tsx"}1 "use client";
2
3 import TemplateDispatcher from "@/app/customer-portal/lib/TemplateDispatcher";
4 import DefaultProfile from "@/app/customer-portal/profile/DefaultProfile";
5
6 export default function ProfilePage() {
7 return <TemplateDispatcher page="profile" DefaultComponent={DefaultProfile} />;
8 }
9 Confirmed: embed-customer-portal/profile/page.tsx imports the SAME @/app/customer-portal/profile/DefaultProfile → one edit covers both. PasskeysSection fully self-contained (feature-detect, list/add/rename/revoke, recovery copy). passkeys.ts helpers reusable as-is.
Portal work = 2 edits:
DefaultProfile.tsx: mount <PasskeysSection> (covers customer + embed profile).create-account/page.tsx: skippable passkey step post-signup.Verify login passkey button + proxy /profile rewrite. Poll migrate.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/login/page.tsx"}1 "use client";
2
3 import React, { Suspense } from "react";
4 import { useState, useEffect } from "react";
5
6
7 import Link from "next/link";
8 import { useRouter, useSearchParams } from "next/navigation";
9
10 import { FaMicrosoft } from "react-icons/fa";
11 import { KeyRound } from "lucide-react";
12
13 import { useTranslation } from "@gangkharai/lmt/client";
14 import { useAuth } from "../components/AuthProvider";
15 import { EnhancedLocaleSwitcher } from "../components/EnhancedLocaleSwitcher";
16 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
17 import Loader from "../components/Loader";
18 import { useOrganization } from "../components/OrganizationProvider";
19 import SocialLoginButtons from "../components/SocialLoginButtons";
20 import Toast, { showErrorToast } from "../components/Toast";
21 import { Button } from "../components/ui/button";
22 import { Input } from "../components/ui/input";
23 import api from "../src/utils/api";
24 import { getSherpaApiUrl } from "../src/utils/env";
25 import {
26 extractPasskeyError,
27 isPasskeyCancellation,
28 isPasskeySupported,
29 loginWithPasskey,
30 } from "../src/utils/passkeys";
31 import { redirectAfterAuth } from "../src/utils/session";
32
33 function LoginContent() {
34 const t = useTranslation();
35 const [email, setEmail] = useState("");
36 const [password, setPassword] = useState("");
37 const [isLoading, setIsLoading] = useState(false);
38 const [isPasskeyLoading, setIsPasskeyLoading] = useState(false);
39 // Resolved client-side only: PublicKeyCredential is undefined during SSR, so
40 // we start false (matching the server render) and feature-detect on mount to
41 // avoid a hydration mismatch.
42 const [passkeySupported, setPasskeySupported] = useState(false);
43 const [error, setError] = useState("");
44 const [successMessage, setSuccessMessage] = useState<React.ReactNode>(null);
45 const router = useRouter();
46 const searchParams = useSearchParams();
47 const { login, user, loading: authLoading } = useAuth();
48 const { organization, isLoading: orgLoading, error: orgError } = useOrganization();
49
50 useEffect(() => {
51 document.title = t('Login - Sherpa Portal');
52
53 const errorParam = searchParams.get("error");
54 if (errorParam) {
55 setError(decodeURIComponent(errorParam));
56 }
57 if (searchParams.get("registered") === "true") {
58 setSuccessMessage(t('Registration successful! You can now log in with your new account.'));
59 }
60 }, [searchParams, t]);
61
62 useEffect(() => {
63 setPasskeySupported(isPasskeySupported());
64 }, []);
65
66 useEffect(() => {
67 // Already-authenticated visitor lands on /login: route them where they
68 // were headed via redirectAfterAuth (single reader of captured intent per
69 // §6.3), falling back to the role-appropriate landing page.
70 if (!authLoading && user) {
71 const defaultPath = user.userType === "customer" ? "/" : "/products";
72 redirectAfterAuth(router, defaultPath);
73 }
74 }, [authLoading, user, router]);
75
76 // Show Azure AD login based on feature flag
77 const showAzureLogin = organization?.settings?.features?.azureAdIntegration === true;
78 const showSocialLogin = organization?.settings?.features?.socialLogin === true;
79
80 // Show loading while auth is loading or organization is still loading (unless there's an org error)
81 if (authLoading || (orgLoading && !orgError)) {
82 return <Loader />;
83 }
84
85 // If user is already authenticated, show loader while redirecting
86 if (user) {
87 return <Loader />;
88 }
89
90 const handleSubmit = async (e: React.FormEvent<HTMLFormElement>) => {
91 e.preventDefault();
92 setIsLoading(true);
93 setError("");
94
95 try {
96 // Use portalType from API, fall back to customerPortal setting presence
97 const isCustomerLogin = organization?.portalType
98 ? organization.portalType === "customer"
99 : !!organization?.settings?.customerPortal;
100 const loginEndpoint = isCustomerLogin ? "/auth/customer/login" : "/auth/login";
101 const response = await api.post(loginEndpoint, { email, password });
102 const data = response.data;
103
104 if (response.status === 200) {
105 if (!isCustomerLogin && data.message === "2FA required") {
106 router.push(
107 `/two-factor-verify?tempToken=${encodeURIComponent(data.tempToken)}&method=${data.twoFactorMethod}`
108 );
109 } else if (!isCustomerLogin && data.message === "2FA setup required") {
110 localStorage.setItem("setupToken", data.setupToken);
111 localStorage.setItem("refreshToken", data.refreshToken);
112 router.push("/two-factor-setup");
113 } else {
114 await login(data.data.accessToken, data.data.refreshToken);
115 // Redirection will be handled by the login function / useEffect hook
116 }
117 } else {
118 setError(data.error || t('Login failed. Please try again.'));
119 }
120 } catch (error) {
121 console.error("Login error:", error);
122 const errorMsg =
123 error instanceof Error ? error.message : t('Login failed. Please check your credentials.');
124 setError(errorMsg);
125 showErrorToast(errorMsg);
126 } finally {
127 setIsLoading(false);
128 }
129 };
130
131 const handlePasskeyLogin = async () => {
132 setIsPasskeyLoading(true);
133 setError("");
134
135 try {
136 const { accessToken, refreshToken } = await loginWithPasskey();
137 // Same session handling as password login: AuthProvider.login() persists
138 // the tokens, hydrates the user, and redirects.
139 await login(accessToken, refreshToken);
140 } catch (error) {
141 // A dismissed/timed-out prompt is a soft cancel, not a failure to surface.
142 if (isPasskeyCancellation(error)) {
143 return;
144 }
145 console.error("Passkey login error:", error);
146 const errorMsg = extractPasskeyError(error, t('Passkey sign-in failed. Please try again.'));
147 setError(errorMsg);
148 showErrorToast(errorMsg);
149 } finally {
150 setIsPasskeyLoading(false);
151 }
152 };
153
154 const handleAzureLogin = () => {
155 // Redirect to Azure AD login. Pass current origin so API callback returns
156 // here instead of the API's configured default portal URL.
157 const redirect = window.location.origin;
158 window.location.href = `${getSherpaApiUrl()}/v1/auth/azure/login?redirect=${encodeURIComponent(redirect)}`;
159 };
160
161 return (
162 <div className="flex min-h-screen flex-col justify-center bg-white py-12 sm:px-6 lg:px-8">
163 <Toast />
164 <div className="absolute top-4 right-4">
165 <EnhancedLocaleSwitcher locales={LOCALE_LABELS} />
166 </div>
167 <div className="sm:mx-auto sm:w-full sm:max-w-md">
168 <div className="flex justify-center bg-white">
169 <img
170 src={organization?.settings?.branding?.logoUrl || "/assets/GangkharLogo.svg"}
171 alt={`${organization?.settings?.branding?.applicationName || organization?.displayName || organization?.name || "Portal"} Logo`}
172 width={240}
173 height={80}
174 className="object-contain"
175 />
176 </div>
177 <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
178 {t('Log in to {name}', { name: organization?.settings?.branding?.applicationName ||
179 organization?.displayName ||
180 organization?.name ||
181 t('your account') })}
182 </h2>
183 </div>
184
185 <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
186 <div className="bg-white px-4 py-8 shadow sm:rounded-md{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/proxy.ts"}1 import { NextRequest, NextResponse } from "next/server";
2
3 import { getSherpaApiUrl } from "./app/src/utils/env";
4
5 // Allowlist of static-asset file extensions the middleware skips. Keep in sync
6 // with whatever public/ + bundler output actually produces; broaden only when
7 // a real new asset type appears. Intentionally narrow — the previous
8 // `pathname.includes(".")` check would skip any URL containing a dot (e.g.
9 // `/users/[email protected]`), letting org resolution be bypassed.
10 const STATIC_EXT =
11 /\.(js|css|map|ico|png|jpe?g|gif|svg|webp|avif|woff2?|ttf|otf|eot|json|txt|xml|webmanifest)$/i;
12
13 const suspiciousPatterns = [
14 /<script/i,
15 /javascript:/i,
16 /onerror=/i,
17 /onload=/i,
18 /onclick=/i,
19 /<img/i,
20 /<iframe/i,
21 /<object/i,
22 /<embed/i,
23 /<svg/i,
24 /ptt93e3cf1e/,
25 ];
26
27 const isSuspicious = (value: string): boolean => {
28 return suspiciousPatterns.some((pattern) => pattern.test(value));
29 };
30
31 export async function proxy(request: NextRequest) {
32 const url = request.nextUrl.clone();
33 const searchParams = url.searchParams;
34 let hasSuspiciousParams = false;
35
36 searchParams.forEach((value, key) => {
37 if (isSuspicious(value) || isSuspicious(key)) {
38 searchParams.delete(key);
39 hasSuspiciousParams = true;
40 }
41 });
42
43 if (hasSuspiciousParams) {
44 return NextResponse.redirect(url);
45 }
46
47 try {
48 // Bail out for static asset requests so we never make an org-resolution
49 // round-trip for them. Restrict to a known extension allowlist — the
50 // previous `pathname.includes(".")` check let any URL with a dot anywhere
51 // in the path (including encoded values) skip middleware entirely.
52 if (STATIC_EXT.test(request.nextUrl.pathname)) {
53 return NextResponse.next();
54 }
55
56 const skipPages = [
57 "/register",
58 "/create-account",
59 "/forgot-password",
60 "/reset-password",
61 "/two-factor-setup",
62 "/two-factor-verify",
63 "/domain-blocked",
64 "/api",
65 "/login",
66 "/customer-portal",
67 "/embed-customer-portal",
68 ];
69
70 if (skipPages.some((page) => request.nextUrl.pathname.startsWith(page))) {
71 return NextResponse.next();
72 }
73
74 const host = request.headers.get("host") || request.nextUrl.hostname;
75 const hostname = host.split(":")[0];
76
77 const apiBaseUrl = getSherpaApiUrl(request.nextUrl.protocol);
78
79 const res = await fetch(`${apiBaseUrl}/v1/organization?by=origin`, {
80 method: "GET",
81 headers: {
82 Origin: `${request.nextUrl.protocol}//${host}`,
83 "Content-Type": "application/json",
84 },
85 cache: "no-store",
86 });
87 if (res.ok) {
88 // A 200 with an unparseable body is a contract violation, not a routing
89 // signal. Fall through to NextResponse.next() rather than crashing the
90 // middleware (which runs on every portal request).
91 let orgData: any;
92 try {
93 orgData = await res.json();
94 } catch {
95 return NextResponse.next();
96 }
97
98 // Only rewrite to customer portal for orgs with portalType 'customer'.
99 // The default Gangkhar org has portalType 'crm' and serves the admin app.
100 if (orgData?.portalType !== "customer") {
101 return NextResponse.next();
102 }
103
104 const templateId = orgData?.settings?.customerPortal?.templateId;
105 const portalMode = orgData?.portalMode;
106
107 if (portalMode === "embedded" && templateId) {
108 const page =
109 request.nextUrl.pathname === "/" ? "index" : request.nextUrl.pathname.slice(1);
110
111 const rewriteUrl = new URL(`/embed-customer-portal/pages/${page}`, request.url);
112 return NextResponse.rewrite(rewriteUrl);
113 }
114
115 if (portalMode === "standalone") {
116 const pathname = request.nextUrl.pathname;
117 if (pathname === "/") {
118 const rewriteUrl = new URL("/customer-portal/dashboard", request.url);
119 return NextResponse.rewrite(rewriteUrl);
120 }
121 const rewriteUrl = new URL(`/customer-portal${pathname}`, request.url);
122 return NextResponse.rewrite(rewriteUrl);
123 }
124 }
125 } catch (error) {
126 if (process.env.NODE_ENV !== "development") {
127 console.error("Proxy error:", error);
128 }
129 }
130
131 return NextResponse.next();
132 }
133
134 export const config = {
135 matcher: ["/((?!api|_next/static|_next/image|favicon.ico|.*\\..*).*)"],
136 };
137 {"command":"curl -fsS \"http://localhost:7777/api/api-action?path=/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\" 2>&1 | python3 -c \"import sys,json;d=json.load(sys.stdin);print('migrate status:',d.get('status'),'exit:',d.get('exitCode'));print('tail:',d.get('tail','')[-500:])\"","description":"Poll migrate status"}migrate status: done exit: 0 tail: > Sherpa [email protected] db:migrate:up > tsx src/db/migrate.ts up
Migrate done. Proxy confirms: customer-org standalone rewrites /profile → /customer-portal/profile (human's URL works). Login passkey button already wired for customer orgs.
Crux for create-account design: does AuthProvider auto-hydrate user/redirect when tokens appear via setTokens (not login())? That decides whether I can show an in-place passkey step. Read AuthProvider + restart API + check test worktree.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/AuthProvider.tsx"}1 "use client";
2
3 import React, { createContext, useContext, useState, useEffect, useCallback } from "react";
4
5 import { usePathname, useRouter } from "next/navigation";
6
7 import { jwtDecode } from "jwt-decode";
8 import { useTranslation } from "@gangkharai/lmt/client";
9
10 import Loader from "./Loader";
11 import useAuthStore from "../src/store/authStore";
12 import useConnectionStore from "../src/store/connectionStore";
13 import api from "../src/utils/api";
14 import { endSession, redirectAfterAuth } from "../src/utils/session";
15 import { AuthContextType } from "../types/user";
16
17 // AuthProvider component - strings already in dictionary
18 const AuthContext = createContext<AuthContextType | null>(null);
19
20 // Check if we're in a browser environment
21 const isBrowser = typeof window !== "undefined";
22
23 interface DecodedToken {
24 id: string;
25 email: string;
26 role: string;
27 userType?: string;
28 tokenType?: string;
29 }
30
31 function isCustomerToken(token: string): boolean {
32 try {
33 const decoded = jwtDecode<DecodedToken>(token);
34 return decoded.tokenType === "customer";
35 } catch {
36 return false;
37 }
38 }
39
40 // Customer-scoped tokens authenticate as a Customer (server resolves the
41 // record from token claims, then exposes it via bearerAuth.customerId). Both
42 // /v1/auth/customer/login sessions (tokenType=customer) and sherpa-portal
43 // embed sessions minted by /v1/customer-portal/sessions (tokenType=portal)
44 // satisfy `/v1/customers/me` etc. — kept separate from isCustomerToken so
45 // the refresh-endpoint routing (which differs per token type) stays correct.
46 function isCustomerScopedToken(token: string): boolean {
47 try {
48 const decoded = jwtDecode<DecodedToken>(token);
49 return decoded.tokenType === "customer" || decoded.tokenType === "portal";
50 } catch {
51 return false;
52 }
53 }
54
55 export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children }) => {
56 const t = useTranslation();
57 const [loading, setLoading] = useState(true);
58 const [logoutLoading, setLogoutLoading] = useState(false);
59 const router = useRouter();
60 const pathname = usePathname();
61 const { user, accessToken, hydrated, setUser, setTokens } = useAuthStore();
62
63 const fetchUserDetails = useCallback(
64 async (userId: string | null) => {
65 if (!user) {
66 try {
67 const currentToken = useAuthStore.getState().accessToken;
68 if (currentToken && isCustomerScopedToken(currentToken)) {
69 const response = await api.get("/customers/me", { sherpaAdmin: false });
70 const customerData = response.data.data?.customer || response.data.data;
71 setUser({ ...customerData, userType: "customer" });
72 } else if (userId) {
73 const response = await api.get(`/users/${userId}`);
74 setUser(response.data.data.user);
75 }
76 } catch (error) {
77 console.error("Error fetching user details:", error);
78 throw error;
79 }
80 }
81 },
82 [user, setUser]
83 );
84
85 // Listen for storage changes to sync auth state across tabs
86 useEffect(() => {
87 if (!isBrowser) return;
88
89 const handleStorageChange = (e: StorageEvent) => {
90 // Listen for changes to the auth-storage key
91 if (e.key === "auth-storage") {
92 // If the storage was cleared (logout in another tab)
93 if (e.newValue === null || e.newValue === "") {
94 // If we currently have a user, log them out immediately
95 if (user) {
96 setLoading(false); // Clear loading state for smoother transition
97 setLogoutLoading(false); // Reset logout loading state
98 // Cross-tab logout: the other tab made the choice to leave; we
99 // mirror that here without capturing intent.
100 endSession({ captureIntent: false });
101 }
102 } else {
103 // If new auth data was set (login in another tab)
104 try {
105 const newAuthData = JSON.parse(e.newValue);
106 // If we don't have a user but new auth data exists, reload to sync
107 if (newAuthData?.state?.accessToken && !user) {
108 window.location.reload();
109 }
110 } catch (error) {
111 console.error("Error parsing storage event data:", error);
112 }
113 }
114 }
115 };
116
117 window.addEventListener("storage", handleStorageChange);
118 return () => window.removeEventListener("storage", handleStorageChange);
119 }, [user, router]);
120
121 useEffect(() => {
122 const initializeAuth = async () => {
123 // Wait for the store to be hydrated before proceeding
124 if (!hydrated) {
125 return;
126 }
127
128 try {
129 if (accessToken && !user) {
130 const decodedToken = jwtDecode<DecodedToken>(accessToken);
131 // Customer-scoped tokens (customer + portal) authenticate via
132 // /v1/customers/me, which derives identity from the token itself
133 // and ignores the userId arg. User/admin tokens still need their
134 // decoded `id` claim to hit /v1/users/:id.
135 const userId =
136 decodedToken && typeof decodedToken.id === "string" ? decodedToken.id : null;
137 if (userId || isCustomerScopedToken(accessToken)) {
138 await fetchUserDetails(userId);
139 }
140 }
141 } catch (error) {
142 const isEmbedPortal = (pathname || "").startsWith("/embed-customer-portal/");
143 console.error("Error initializing auth:", error);
144 // Auth init failure means the token was rejected. For standalone
145 // sessions endSession redirects to /login; for embedded sessions
146 // the iframe can't navigate to /login meaningfully, so we surface
147 // a loaded-but-unauthenticated state and let the parent reload.
148 if (!isEmbedPortal) {
149 endSession({ captureIntent: true });
150 }
151 } finally {
152 setLoading(false);
153 }
154 };
155
156 // Add a fallback timeout to prevent infinite loading
157 const fallbackTimer = setTimeout(() => {
158 if (!hydrated) {
159 console.warn("Store hydration timeout, proceeding anyway");
160 setLoading(false);
161 }
162 }, 1000);
163
164 initializeAuth();
165
166 return () => clearTimeout(fallbackTimer);
167 }, [accessToken, user, hydrated, fetchUserDetails, pathname]);
168
169 const login = async (accessToken: string, refreshToken: string, userData?: Partial<import("../types/user").UserData>) => {
170 setTokens(accessToken, refreshToken);
171
172 if (userData) {
173 // Use provided user data directly (e.g., from customer login response)
174 setUser(userData as import("../types/user").UserData);
175 } else {
176 const decodedToken = jwtDecode<DecodedToken>(accessToken);
177 await fetchUserDetails(typeof decodedToken.id === "string" ? decodedToken.id : null);
178 }
179
180 // redirectAfterAuth is the single reader of captured intent (§6.3): it
181 // consumes the value and routes the user, falling back to the
182 // role-appropriate landing page when no intent was captured.
183 const isCustomer = isCustomerToken(accessToken);
184 redirectAfterAuth(router, isCustomer ? "/" : "/products");
185 };
186
187 const refreshToken = async (): Promise<string | null> => {
188 if (!isBrowser) return null;
189
190 // currently embed-customer-portal section is authenticated with clientId/clientSecret, so we run a different client refresh/token url and not the userAuth refreshToken.
191 // in the future we might need to h{"command":"curl -fsS -X POST http://localhost:7777/api/restart -H 'Content-Type: application/json' -d '{\"paths\":[\"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\"]}' 2>&1 | head -c 400 ; echo \" <- restart kicked\"","description":"Restart API via dashboard"}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login 2>&1 ; echo \"=== node_modules? ===\" ; test -d node_modules && echo \"node_modules EXISTS\" || echo \"NO node_modules\" ; echo \"=== playwright browsers ===\" ; ls ~/Library/Caches/ms-playwright 2>/dev/null | head || echo \"no pw cache\" ; echo \"=== auth state seed (primary) ===\" ; test -f /Users/bakker/dev/gangkhar/sherpa-test/playwright/.auth/user.json && echo \"PRIMARY auth EXISTS\" || echo \"no primary auth\" ; echo \"=== this worktree auth ===\" ; test -f playwright/.auth/user.json && echo \"WT auth EXISTS\" || echo \"no WT auth\"","description":"Check test worktree deps, browsers, auth seed"}{"results":[{"path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login","ok":true,"freedPort":4003,"readyMs":49356}]} <- restart kicked=== node_modules? === NO node_modules === playwright browsers === chromium-1217 chromium_headless_shell-1217 ffmpeg-1011 firefox-1511 webkit-2272 === auth state seed (primary) === PRIMARY auth EXISTS === this worktree auth === no WT auth
AuthProvider initializeAuth (lines 121-167) auto-hydrates user from accessToken via setTokens. So on create-account I can setTokens to authenticate the api client for passkey register — but must guard create-account's logout effect (line 67) with a ref so it doesn't tear down the self-initiated session. Design locked.
API restarted (ready, port 4003). Verify health + install test deps + seed auth.
{"command":"echo \"=== API health ===\" ; curl -fsS -w \"\\nHTTP %{http_code}\\n\" http://localhost:4003/health 2>&1 | head -c 300 ; echo ; echo \"=== API root ===\" ; curl -fsS -o /dev/null -w \"root HTTP %{http_code}\\n\" http://localhost:4003/ 2>&1","description":"Verify API health after restart"}=== API health === curl: (22) The requested URL returned error: 404 HTTP 404 === API root === root HTTP 200
{"command":"mkdir -p playwright/.auth && cp /Users/bakker/dev/gangkhar/sherpa-test/playwright/.auth/user.json playwright/.auth/user.json 2>&1 && echo \"auth seed copied\" || echo \"auth copy failed\" ; ls -la playwright/.auth/ 2>&1","description":"Seed worktree auth state from primary"}auth seed copied total 32 drwxr-xr-x@ 3 bakker staff 96 May 31 14:27 . drwxr-xr-x@ 3 bakker staff 96 May 31 14:27 .. -rw-r--r--@ 1 bakker staff 13813 May 31 14:27 user.json
{"command":"npm install > /tmp/sherpa-test-install-466.log 2>&1 ; echo \"test npm install exit=$?\" ; tail -3 /tmp/sherpa-test-install-466.log","description":"Install test worktree deps (background)","run_in_background":true}Command running in background with ID: bm0kznzyh. Output is being written to: /private/tmp/claude-501/-Users-bakker-dev-gangkhar/ea18def1-fdd0-41d7-91e7-263fc61f1b62/tasks/bm0kznzyh.output. You will be notified when it completes. To check interim output, use Read on that file path.
API up (root 200; /health 404 is fine — runbook accepts /). Portal+embed were 200. Test deps installing (browsers present, auth seeded). Stack gate green.
Now implement. Edit 1: mount PasskeysSection in customer profile (covers embed too).
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/DefaultProfile.tsx","old_string":"import LogoutSection from \"@/app/components/profile/LogoutSection\";\nimport PasswordChangeSection from \"@/app/components/profile/PasswordChangeSection\";\nimport PersonalInfoSection from \"@/app/components/profile/PersonalInfoSection\";","new_string":"import LogoutSection from \"@/app/components/profile/LogoutSection\";\nimport PasskeysSection from \"@/app/components/profile/PasskeysSection\";\nimport PasswordChangeSection from \"@/app/components/profile/PasswordChangeSection\";\nimport PersonalInfoSection from \"@/app/components/profile/PersonalInfoSection\";"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/DefaultProfile.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/DefaultProfile.tsx","old_string":" <TwoFactorChangeSection\n userId={user.id}\n onSuccess={() =>\n showSuccessToast(t('Two-factor authentication method updated successfully'))\n }\n onError={(errorMessage) => setError(errorMessage)}\n />\n <LogoutSection />","new_string":" <TwoFactorChangeSection\n userId={user.id}\n onSuccess={() =>\n showSuccessToast(t('Two-factor authentication method updated successfully'))\n }\n onError={(errorMessage) => setError(errorMessage)}\n />\n <PasskeysSection onError={(errorMessage) => setError(errorMessage)} />\n <LogoutSection />"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/DefaultProfile.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Edit 1 done (profile management — covers customer-portal + embed). Test deps installed. Now Edit 2: create-account skippable passkey step. Apply surgical edits.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":"import React, { Suspense } from \"react\";\nimport { useState, useEffect } from \"react\";\n\n\nimport Link from \"next/link\";\nimport { useRouter, useSearchParams } from \"next/navigation\";\n\nimport { useForm } from \"react-hook-form\";\n\nimport { useTranslation } from \"@gangkharai/lmt/client\";\nimport { useAuth } from \"../components/AuthProvider\";\nimport { EnhancedLocaleSwitcher } from \"../components/EnhancedLocaleSwitcher\";\nimport { LOCALE_LABELS } from \"@/app/lib/supported-locales\";\nimport Loader from \"../components/Loader\";\nimport { useOrganization } from \"../components/OrganizationProvider\";\nimport PasswordValidation from \"../components/PasswordValidation\";\nimport SocialCreateAccountButtons from \"../components/SocialCreateAccountButtons\";\nimport Toast, { showErrorToast, showSuccessToast } from \"../components/Toast\";\nimport { Button } from \"../components/ui/button\";\nimport { Input } from \"../components/ui/input\";\nimport api from \"../src/utils/api\";\nimport useAuthStore from \"../src/store/authStore\";","new_string":"import React, { Suspense } from \"react\";\nimport { useState, useEffect, useRef } from \"react\";\n\n\nimport Link from \"next/link\";\nimport { useRouter, useSearchParams } from \"next/navigation\";\n\nimport { KeyRound, ShieldCheck } from \"lucide-react\";\nimport { useForm } from \"react-hook-form\";\n\nimport { useTranslation } from \"@gangkharai/lmt/client\";\nimport { useAuth } from \"../components/AuthProvider\";\nimport { EnhancedLocaleSwitcher } from \"../components/EnhancedLocaleSwitcher\";\nimport { LOCALE_LABELS } from \"@/app/lib/supported-locales\";\nimport Loader from \"../components/Loader\";\nimport { useOrganization } from \"../components/OrganizationProvider\";\nimport PasswordValidation from \"../components/PasswordValidation\";\nimport SocialCreateAccountButtons from \"../components/SocialCreateAccountButtons\";\nimport Toast, { showErrorToast, showSuccessToast } from \"../components/Toast\";\nimport { Button } from \"../components/ui/button\";\nimport { Input } from \"../components/ui/input\";\nimport api from \"../src/utils/api\";\nimport {\n extractPasskeyError,\n isPasskeyCancellation,\n isPasskeySupported,\n registerPasskey,\n} from \"../src/utils/passkeys\";\nimport useAuthStore from \"../src/store/authStore\";"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
State, ref, feature-detect, finalize + enrol handlers.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" const [isLoading, setIsLoading] = useState(false);\n const [error, setError] = useState(\"\");\n const [token, setToken] = useState(\"\");\n const router = useRouter();\n const searchParams = useSearchParams();\n const { login, user, loading: authLoading } = useAuth();\n const { organization, isLoading: orgLoading, error: orgError } = useOrganization();\n const storeLogout = useAuthStore((state) => state.logout);","new_string":" const [isLoading, setIsLoading] = useState(false);\n const [error, setError] = useState(\"\");\n const [token, setToken] = useState(\"\");\n const router = useRouter();\n const searchParams = useSearchParams();\n const { login, user, loading: authLoading } = useAuth();\n const { organization, isLoading: orgLoading, error: orgError } = useOrganization();\n const storeLogout = useAuthStore((state) => state.logout);\n const setTokens = useAuthStore((state) => state.setTokens);\n\n // Passkey enrolment step shown right after the account is created.\n const [passkeySupported, setPasskeySupported] = useState(false);\n const [showPasskeySetup, setShowPasskeySetup] = useState(false);\n const [isEnrolling, setIsEnrolling] = useState(false);\n const [passkeyName, setPasskeyName] = useState(\"\");\n // Tokens from the post-creation auto-login, held so passkey enrolment can run\n // against an authenticated session before we finish redirecting into the portal.\n const pendingTokensRef = useRef<{ accessToken: string; refreshToken: string } | null>(null);\n // Set once we deliberately authenticate this session for enrolment, so the\n // \"clear stale session\" effect below doesn't tear it back down.\n const selfInitiatedAuthRef = useRef(false);"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Feature-detect on mount + guard the stale-session logout effect.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" useEffect(() => {\n if (!authLoading && user) {\n storeLogout();\n }\n }, [authLoading, user, storeLogout]);","new_string":" // Resolve passkey support client-side only (PublicKeyCredential is undefined\n // during SSR) to avoid a hydration mismatch.\n useEffect(() => {\n setPasskeySupported(isPasskeySupported());\n }, []);\n\n useEffect(() => {\n // Clear any stale, pre-existing session when landing on this page — but never\n // the session we just established ourselves for passkey enrolment.\n if (!authLoading && user && !selfInitiatedAuthRef.current) {\n storeLogout();\n }\n }, [authLoading, user, storeLogout]);"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Add finalize + enrol handlers, then rewire the post-signup auto-login to show the passkey step.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" if (authLoading || (orgLoading && !orgError)) {\n return <Loader />;\n }\n\n const handleCreateAccount = async (data: CreateAccountFormData) => {","new_string":" if (authLoading || (orgLoading && !orgError)) {\n return <Loader />;\n }\n\n // Finish landing the freshly-created account in the portal, whether or not a\n // passkey was set up. Mirrors the original post-creation redirect.\n const finalizeAccount = async () => {\n const tokens = pendingTokensRef.current;\n if (!tokens) {\n router.push(\"/login?registered=true\");\n return;\n }\n await login(tokens.accessToken, tokens.refreshToken);\n router.push(\"/dashboard\");\n };\n\n const handleEnrollPasskey = async () => {\n const name = passkeyName.trim() || t(\"My passkey\");\n setIsEnrolling(true);\n try {\n await registerPasskey(name);\n showSuccessToast(t(\"Passkey set up. You can now sign in without a password.\"));\n await finalizeAccount();\n } catch (enrollError) {\n // A dismissed/timed-out prompt is a soft cancel — stay on the step so the\n // user can retry or skip.\n if (isPasskeyCancellation(enrollError)) {\n setIsEnrolling(false);\n return;\n }\n console.error(\"Passkey enrolment failed:\", enrollError);\n showErrorToast(\n extractPasskeyError(\n enrollError,\n t(\"Could not set up a passkey. You can add one later from your profile.\")\n )\n );\n setIsEnrolling(false);\n }\n };\n\n const handleCreateAccount = async (data: CreateAccountFormData) => {"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Now rewire the auto-login block to show the passkey step when supported.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" // If the API returns user email, attempt auto-login\n if (response.data.data?.email) {\n try {\n const loginResponse = await api.post(\"/v1/auth/login\", {\n email: response.data.data.email,\n password: data.password,\n });\n\n if (loginResponse.data.status === \"success\" && loginResponse.data.data) {\n await login(\n loginResponse.data.data.accessToken,\n loginResponse.data.data.refreshToken\n );\n router.push(\"/dashboard\");\n return;\n }\n } catch (loginError) {\n console.error(\"Auto-login failed:\", loginError);\n }\n }","new_string":" // If the API returns user email, attempt auto-login\n if (response.data.data?.email) {\n try {\n const loginResponse = await api.post(\"/v1/auth/login\", {\n email: response.data.data.email,\n password: data.password,\n });\n\n if (loginResponse.data.status === \"success\" && loginResponse.data.data) {\n const { accessToken, refreshToken } = loginResponse.data.data;\n\n // Offer passkey enrolment before entering the portal. Authenticate\n // the API client now (so /auth/passkeys/register/* carries a bearer\n // token) but defer the redirect until the user sets up a passkey or\n // skips. On browsers without passkey support, behave as before.\n if (passkeySupported) {\n pendingTokensRef.current = { accessToken, refreshToken };\n selfInitiatedAuthRef.current = true;\n setTokens(accessToken, refreshToken);\n setShowPasskeySetup(true);\n return;\n }\n\n await login(accessToken, refreshToken);\n router.push(\"/dashboard\");\n return;\n }\n } catch (loginError) {\n console.error(\"Auto-login failed:\", loginError);\n }\n }"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Render the passkey step. Make heading conditional.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" <h2 className=\"mt-6 text-center text-3xl font-extrabold text-gray-900\">\n {t(\"Create Your Account\")}\n </h2>\n <p className=\"mt-2 text-center text-sm text-gray-600\">\n {t(\"Set up your customer portal account to manage your policies\")}\n </p>\n </div>","new_string":" <h2 className=\"mt-6 text-center text-3xl font-extrabold text-gray-900\">\n {showPasskeySetup ? t(\"Set up a passkey\") : t(\"Create Your Account\")}\n </h2>\n <p className=\"mt-2 text-center text-sm text-gray-600\">\n {showPasskeySetup\n ? t(\"Your account is ready. Add a passkey to sign in with your fingerprint, face, or device PIN — no password needed.\")\n : t(\"Set up your customer portal account to manage your policies\")}\n </p>\n </div>"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Swap card body: passkey step when showPasskeySetup, else the existing form.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" {error && (\n <div className=\"mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700\">\n {error}\n </div>\n )}\n\n <form className=\"space-y-6\" onSubmit={handleSubmit(handleCreateAccount)}>","new_string":" {error && (\n <div className=\"mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700\">\n {error}\n </div>\n )}\n\n {showPasskeySetup ? (\n <div className=\"space-y-6\">\n <div className=\"flex items-start gap-2 rounded-md bg-blue-50 p-3 text-sm text-blue-800\">\n <ShieldCheck className=\"mt-0.5 h-4 w-4 flex-shrink-0\" />\n <span>\n {t(\"Passkeys are an additional sign-in method. Your password still works, so adding one can never lock you out of your account.\")}\n </span>\n </div>\n\n <div>\n <label htmlFor=\"passkey-name\" className=\"block text-sm font-medium text-gray-700\">\n {t(\"Name this passkey\")}\n </label>\n <div className=\"mt-1\">\n <Input\n id=\"passkey-name\"\n type=\"text\"\n maxLength={100}\n placeholder={t(\"e.g. My iPhone\")}\n value={passkeyName}\n onChange={(e) => setPasskeyName(e.target.value)}\n disabled={isEnrolling}\n />\n </div>\n </div>\n\n <Button\n type=\"button\"\n onClick={handleEnrollPasskey}\n disabled={isEnrolling}\n className=\"flex w-full items-center justify-center gap-2\"\n >\n <KeyRound className=\"h-5 w-5\" />\n {isEnrolling ? t(\"Waiting for passkey…\") : t(\"Set up a passkey\")}\n </Button>\n\n <Button\n type=\"button\"\n variant=\"outline\"\n onClick={finalizeAccount}\n disabled={isEnrolling}\n className=\"w-full justify-center\"\n >\n {t(\"Skip for now\")}\n </Button>\n\n <p className=\"text-center text-xs text-gray-500\">\n {t(\"You can always add or remove passkeys later from your profile.\")}\n </p>\n </div>\n ) : (\n <>\n <form className=\"space-y-6\" onSubmit={handleSubmit(handleCreateAccount)}>"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" <div className=\"mt-6 text-center\">\n <p className=\"text-sm text-gray-600\">\n {t(\"Already have an account?\")}{\" \"}\n <Link href=\"/login\" className=\"font-medium text-blue-600 hover:text-blue-500\">\n {t(\"Sign in\")}\n </Link>\n </p>\n </div>\n </div>\n </div>","new_string":" <div className=\"mt-6 text-center\">\n <p className=\"text-sm text-gray-600\">\n {t(\"Already have an account?\")}{\" \"}\n <Link href=\"/login\" className=\"font-medium text-blue-600 hover:text-blue-500\">\n {t(\"Sign in\")}\n </Link>\n </p>\n </div>\n </>\n )}\n </div>\n </div>"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Verify the edited create-account render is balanced + run portal type-check.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":200,"limit":120}200 console.error("Create account error:", error);
201 let errorMsg = t("Failed to create account. Please try again.");
202
203 if (error && typeof error === "object" && "response" in error) {
204 const axiosError = error as { response?: { data?: { error?: { message?: string } } } };
205 const apiErrorMessage = axiosError.response?.data?.error?.message;
206
207 if (apiErrorMessage === "Invalid or expired token") {
208 errorMsg = t("This invitation link has expired or is invalid. Please request a new invitation link from your administrator.");
209 } else if (apiErrorMessage) {
210 errorMsg = apiErrorMessage;
211 }
212 }
213
214 setError(errorMsg);
215 showErrorToast(errorMsg);
216 } finally {
217 setIsLoading(false);
218 }
219 };
220
221 return (
222 <div className="flex min-h-screen flex-col justify-center bg-white py-12 sm:px-6 lg:px-8">
223 <Toast />
224 <div className="absolute top-4 right-4">
225 <EnhancedLocaleSwitcher locales={LOCALE_LABELS} />
226 </div>
227 <div className="sm:mx-auto sm:w-full sm:max-w-md">
228 <div className="flex justify-center bg-white">
229 <img
230 src={organization?.settings?.branding?.logoUrl || "/assets/GangkharLogo.svg"}
231 alt={`${organization?.settings?.branding?.applicationName || organization?.displayName || organization?.name || "Portal"} Logo`}
232 width={240}
233 height={80}
234 className="object-contain"
235 />
236 </div>
237 <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
238 {showPasskeySetup ? t("Set up a passkey") : t("Create Your Account")}
239 </h2>
240 <p className="mt-2 text-center text-sm text-gray-600">
241 {showPasskeySetup
242 ? t("Your account is ready. Add a passkey to sign in with your fingerprint, face, or device PIN — no password needed.")
243 : t("Set up your customer portal account to manage your policies")}
244 </p>
245 </div>
246
247 <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
248 <div className="bg-white px-4 py-8 shadow sm:rounded-md sm:px-10">
249 {error && (
250 <div className="mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700">
251 {error}
252 </div>
253 )}
254
255 {showPasskeySetup ? (
256 <div className="space-y-6">
257 <div className="flex items-start gap-2 rounded-md bg-blue-50 p-3 text-sm text-blue-800">
258 <ShieldCheck className="mt-0.5 h-4 w-4 flex-shrink-0" />
259 <span>
260 {t("Passkeys are an additional sign-in method. Your password still works, so adding one can never lock you out of your account.")}
261 </span>
262 </div>
263
264 <div>
265 <label htmlFor="passkey-name" className="block text-sm font-medium text-gray-700">
266 {t("Name this passkey")}
267 </label>
268 <div className="mt-1">
269 <Input
270 id="passkey-name"
271 type="text"
272 maxLength={100}
273 placeholder={t("e.g. My iPhone")}
274 value={passkeyName}
275 onChange={(e) => setPasskeyName(e.target.value)}
276 disabled={isEnrolling}
277 />
278 </div>
279 </div>
280
281 <Button
282 type="button"
283 onClick={handleEnrollPasskey}
284 disabled={isEnrolling}
285 className="flex w-full items-center justify-center gap-2"
286 >
287 <KeyRound className="h-5 w-5" />
288 {isEnrolling ? t("Waiting for passkey…") : t("Set up a passkey")}
289 </Button>
290
291 <Button
292 type="button"
293 variant="outline"
294 onClick={finalizeAccount}
295 disabled={isEnrolling}
296 className="w-full justify-center"
297 >
298 {t("Skip for now")}
299 </Button>
300
301 <p className="text-center text-xs text-gray-500">
302 {t("You can always add or remove passkeys later from your profile.")}
303 </p>
304 </div>
305 ) : (
306 <>
307 <form className="space-y-6" onSubmit={handleSubmit(handleCreateAccount)}>
308 <div>
309 <label htmlFor="password" className="block text-sm font-medium text-gray-700">
310 {t("Password")}
311 </label>
312 <div className="mt-1">
313 <Input
314 id="password"
315 type="password"
316 {...register("password", {
317 required: t("Password is required"),
318 validate: {
319 length: (v) => v.length >= 8 || t("Password must be at least 8 characters"),Structure balanced. Run portal type-check.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login && npx tsc --noEmit 2>&1 | head -50 ; echo \"tsc exit: ${pipestatus[1]:-$?}\"","description":"Type-check portal worktree","timeout":300000}tsc exit: 0
Portal tsc clean. Now solve PROOF. Passkey E2E headless needs: (a) WebAuthn virtual authenticator via CDP, (b) a CUSTOMER session on the test tenant. Seeded auth is admin-only — insufficient. Investigate test-org config + customer creds, re-verify stack, check embed login surface.
{"command":"echo \"=== re-verify stack ===\" ; curl -fsS -o /dev/null -w \"api root %{http_code}\\n\" http://localhost:4003/ ; curl -fsS -o /dev/null -w \"portal %{http_code}\\n\" http://localhost:3003 ; curl -fsS -o /dev/null -w \"embed %{http_code}\\n\" http://localhost:3103 ; echo ; echo \"=== test org resolution (test.localhost:3003) ===\" ; curl -fsS -H \"Origin: http://test.localhost:3003\" \"http://localhost:4003/v1/organization?by=origin\" 2>&1 | python3 -m json.tool 2>&1 | head -50","description":"Re-verify stack + resolve test org config"}=== re-verify stack ===
api root 200
portal 200
embed 200
=== test org resolution (test.localhost:3003) ===
{
"id": "12345678-9abc-def0-1234-56789abcdef0",
"name": "Test Organization",
"portalType": "customer",
"portalMode": "standalone",
"portalDomain": "test.localhost",
"displayName": "Customer Portal",
"settings": {
"branding": {
"logoUrl": "/assets/test-logo.svg",
"primaryColor": "#2563eb",
"applicationName": "Customer Portal"
},
"features": {
"azureAdIntegration": false,
"socialLogin": true
},
"customerPortal": {
"templateId": null
}
},
"active": true,
"widgetToken": "T4twSh-9rkhO0qQoPAO0Gg"
}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login 2>/dev/null; echo \"=== .env customer/test creds ===\" ; rg -i 'customer|passkey|TEST_USER|PASSWORD|test\\.localhost|PORTAL' .env .env.* 2>/dev/null | rg -iv 'AZURE|SECRET=' | head -40 ; echo \"=== customer-portal specs ===\" ; fd -e ts . tests 2>/dev/null | rg -i 'customer|passkey|profile|login' | head -30","description":"Check test env creds + customer specs"}=== .env customer/test creds ===
.env.reference:SHERPA_PORTAL_HTTP=http://localhost:3000
.env.reference:SHERPA_PORTAL_HTTPS=https://portal.${DEVELOPER_NAME}.dev.gangkhar.dev
.env.reference:SHERPA_PORTAL_DEV_HTTPS=https://portal.dev.gangkhar.dev
.env.reference:SHERPA_PORTAL_STAGING_HTTPS=https://portal.staging.gangkhar.dev
.env.reference:SHERPA_PORTAL_PROD_HTTPS=https://portal.your-domain.com
.env.reference:WAYNI_PORTAL_URL=https://portal.wayni.${DEVELOPER_NAME}.dev.gangkhar.dev
.env.reference:WAYNI_PORTAL_DEV_URL=https://portal.wayni.dev.gangkhar.dev
.env.reference:WAYNI_PORTAL_STAGING_URL=https://portal.wayni.staging.gangkhar.dev
.env.reference:[email protected]
.env.reference:TEST_USER_PASSWORD="TestPass123!@#"
.env:SHERPA_PORTAL_HTTP=http://localhost:3000
.env:SHERPA_PORTAL_HTTPS=https://portal.${DEVELOPER_NAME}.dev.gangkhar.dev
.env:SHERPA_PORTAL_DEV_HTTPS=https://portal.dev.gangkhar.dev
.env:SHERPA_PORTAL_STAGING_HTTPS=https://portal.staging.gangkhar.dev
.env:SHERPA_PORTAL_PROD_HTTPS=https://portal.your-domain.com
.env:WAYNI_PORTAL_URL=https://portal.wayni.${DEVELOPER_NAME}.dev.gangkhar.dev
.env:WAYNI_PORTAL_DEV_URL=https://portal.wayni.dev.gangkhar.dev
.env:WAYNI_PORTAL_STAGING_URL=https://portal.wayni.staging.gangkhar.dev
.env:[email protected]
.env:TEST_USER_PASSWORD="TestPass123!@#"
=== customer-portal specs ===
tests/customer-auth.spec.ts
tests/customer-portal-typed-signal.spec.ts
tests/passkey.spec.ts{"command":"cd /Users/bakker/dev/gangkhar/sherpa-embed-api-466-passkey-webauthn-login 2>/dev/null; echo \"=== embed login surface? ===\" ; rg -il 'navigator.credentials|webauthn|passkey|/login|auth/login|sign in' src 2>/dev/null | head -20 ; echo \"--- routes ---\" ; fd -e tsx -e ts 'page|route|App' src 2>/dev/null | head -20","description":"Check if embed has a login surface"}=== embed login surface? === --- routes --- src/components/customizable-form/CustomizableMultipageForm.tsx
test org = customer/standalone on test.localhost ✓. Embed funnel has NO login surface → no embed changes needed (confirms human only flagged portal). Crucially, prior run left tests/passkey.spec.ts + customer-auth.spec.ts — read them for the customer-login + virtual-authenticator pattern.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login/tests/passkey.spec.ts"}1 import { test, expect, type Page } from '@playwright/test';
2 import { type CDPSession } from 'playwright-core';
3 import * as fs from 'fs';
4 import * as path from 'path';
5
6 import { getPortalUrl } from './utils/urls';
7
8 // Screenshots double as the ticket's browser proof. The runner points
9 // PASSKEY_PROOF_DIR at the api worktree's .auto-proof/ so they land in the repo.
10 const PROOF_DIR = process.env.PASSKEY_PROOF_DIR || path.join('test-results', 'passkey-proof');
11
12 // A resident-key + user-verifying authenticator that auto-approves prompts
13 // headlessly. Chrome allows only ONE "internal" (platform) authenticator per
14 // environment, so a second enrolled device must be a "usb" roaming key — which
15 // is exactly the platform-authenticator-OR-roaming-key split the feature targets.
16 function authenticatorOptions(transport: 'internal' | 'usb') {
17 return {
18 protocol: 'ctap2' as const,
19 transport,
20 hasResidentKey: true,
21 hasUserVerification: true,
22 isUserVerified: true,
23 automaticPresenceSimulation: true,
24 };
25 }
26
27 async function addVirtualAuthenticator(
28 client: CDPSession,
29 transport: 'internal' | 'usb'
30 ): Promise<string> {
31 const { authenticatorId } = (await client.send('WebAuthn.addVirtualAuthenticator', {
32 options: authenticatorOptions(transport),
33 })) as { authenticatorId: string };
34 return authenticatorId;
35 }
36
37 // Only "present" authenticators answer a ceremony. Toggling presence lets us
38 // pick exactly which enrolled device responds to a discoverable login.
39 async function setPresence(client: CDPSession, authenticatorId: string, enabled: boolean) {
40 await client.send('WebAuthn.setAutomaticPresenceSimulation', { authenticatorId, enabled });
41 }
42
43 async function openProfilePasskeys(page: Page, portalUrl: string) {
44 await page.goto(`${portalUrl}/profile`);
45 await expect(page.getByRole('heading', { name: 'Passkeys', exact: true })).toBeVisible({
46 timeout: 30_000,
47 });
48 // The "Add passkey" button is disabled until the initial list load resolves;
49 // wait for it so interactions don't race the load.
50 await expect(page.getByRole('button', { name: 'Add passkey', exact: true })).toBeEnabled({
51 timeout: 15_000,
52 });
53 }
54
55 // One enrolled passkey == one "Revoke passkey" action button in the list.
56 function passkeyCount(page: Page) {
57 return page.getByRole('button', { name: 'Revoke passkey' }).count();
58 }
59
60 // The test account is shared and persists passkeys across runs, so revoke any
61 // that already exist. This makes the counts below deterministic and stops
62 // passkeys accumulating on the account run after run.
63 async function clearAllPasskeys(page: Page, portalUrl: string) {
64 await openProfilePasskeys(page, portalUrl);
65 for (let guard = 0; guard < 25; guard++) {
66 const revokeButtons = page.getByRole('button', { name: 'Revoke passkey' });
67 const remaining = await revokeButtons.count();
68 if (remaining === 0) break;
69 await revokeButtons.first().click();
70 await page.getByRole('button', { name: 'Remove', exact: true }).click();
71 await expect(revokeButtons).toHaveCount(remaining - 1, { timeout: 15_000 });
72 }
73 await expect(page.getByRole('button', { name: 'Revoke passkey' })).toHaveCount(0);
74 }
75
76 async function addPasskeyViaUI(page: Page, label: string) {
77 await page.getByRole('button', { name: 'Add passkey', exact: true }).click();
78 await page.getByLabel('Name this passkey').fill(label);
79 await page.getByRole('button', { name: 'Create passkey' }).click();
80 // The new credential shows up in the list once the ceremony + verify resolve.
81 await expect(page.getByText(label, { exact: true })).toBeVisible({ timeout: 20_000 });
82 }
83
84 async function passkeyLoginFromLoginPage(page: Page, portalUrl: string) {
85 await page.goto(`${portalUrl}/login`);
86 const button = page.getByRole('button', { name: 'Sign in with a passkey' });
87 await expect(button).toBeVisible({ timeout: 20_000 });
88 await button.click();
89 }
90
91 async function logout(page: Page, portalUrl: string) {
92 await page.goto(`${portalUrl}/profile`);
93 await page.getByRole('button', { name: 'Logout', exact: true }).first().click();
94 await page.waitForURL(/\/login/, { timeout: 20_000 });
95 }
96
97 test.describe('Passkey (WebAuthn) login & management', () => {
98 test.beforeAll(() => {
99 fs.mkdirSync(PROOF_DIR, { recursive: true });
100 });
101
102 test('register, sign in, add a second, rename, revoke, and reject the revoked passkey', async ({
103 page,
104 context,
105 }) => {
106 const portalUrl = getPortalUrl();
107 const shot = (name: string) => page.screenshot({ path: path.join(PROOF_DIR, name) });
108
109 const client = await context.newCDPSession(page);
110 await client.send('WebAuthn.enable', { enableUI: false });
111
112 // Device A — the user's first device, a platform authenticator (e.g. a laptop).
113 const deviceA = await addVirtualAuthenticator(client, 'internal');
114
115 // Start from a clean slate on the shared test account.
116 await clearAllPasskeys(page, portalUrl);
117
118 // 1. Enrol the first passkey from Profile → Security → Passkeys.
119 await openProfilePasskeys(page, portalUrl);
120 await addPasskeyViaUI(page, 'MacBook Touch ID');
121 expect(await passkeyCount(page)).toBe(1);
122 await shot('01-profile-first-passkey.png');
123
124 // 2. Sign out, then sign back in with the passkey button (discoverable flow,
125 // no email typed). Only device A is enrolled, so it answers.
126 await logout(page, portalUrl);
127 await passkeyLoginFromLoginPage(page, portalUrl);
128 await page.waitForURL((url) => !url.pathname.startsWith('/login'), { timeout: 20_000 });
129 await shot('02-passwordless-login-success.png');
130
131 // 3. Add a second passkey from a second device — a roaming (USB) key. Disable
132 // A so the new credential is created on B (A is also excluded server-side).
133 const deviceB = await addVirtualAuthenticator(client, 'usb');
134 await setPresence(client, deviceA, false);
135 await openProfilePasskeys(page, portalUrl);
136 await addPasskeyViaUI(page, 'iPhone Face ID');
137 expect(await passkeyCount(page)).toBe(2);
138 await setPresence(client, deviceA, true);
139 await shot('03-profile-two-passkeys.png');
140
141 // 4. Rename the second passkey from the management screen.
142 const iphoneRow = page.locator('li', { hasText: 'iPhone Face ID' });
143 await iphoneRow.getByRole('button', { name: 'Rename passkey' }).click();
144 await page.getByLabel('New passkey name').fill('iPhone 15 Pro');
145 await page.getByRole('button', { name: 'Save name' }).click();
146 await expect(page.getByText('iPhone 15 Pro', { exact: true })).toBeVisible({ timeout: 15_000 });
147 await shot('04-profile-renamed-passkey.png');
148
149 // 5. Revoke the first passkey (MacBook, on device A). List drops to 1.
150 const macRow = page.locator('li', { hasText: 'MacBook Touch ID' });
151 await macRow.getByRole('button', { name: 'Revoke passkey' }).click();
152 await macRow.getByRole('button', { name: 'Remove', exact: true }).click();
153 await expect(page.getByText('MacBook Touch ID', { exact: true })).toHaveCount(0, {
154 timeout: 15_000,
155 });
156 expect(await passkeyCount(page)).toBe(1);
157 await shot('05-profile-after-revoke.png');
158
159 // 6. The revoked passkey can no longer authenticate. Make ONLY device A
160 // (the revoked MacBook credential) present and attempt a passkey login —
161 // the server rejects it and the user stays on /login with an error.
162 await logout(page, portalUrl);
163 await setPresence(client, deviceA, true);
164 await setPresence(client{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login/tests/customer-auth.spec.ts"}1 import { test, expect } from '@playwright/test';
2 import { getApiUrl, getPortalUrl } from './utils/urls';
3 import crypto from 'crypto';
4
5 const API_URL = getApiUrl();
6 const PORTAL_URL = getPortalUrl();
7 const CLIENT_ID = process.env.SHERPA_TEST_CLIENT_ID;
8 const CLIENT_SECRET = process.env.SHERPA_TEST_CLIENT_SECRET;
9
10 interface CustomerData {
11 id: number;
12 email: string;
13 firstName: string;
14 lastName: string;
15 organizationId: string;
16 }
17
18 interface CustomerTokens {
19 accessToken: string;
20 refreshToken: string;
21 }
22
23 const getClientHeaders = () => ({
24 'Authorization': `Client ${CLIENT_ID}:${CLIENT_SECRET}`,
25 'Content-Type': 'application/json',
26 });
27
28 test.describe('Customer Authentication Flows', () => {
29 let registeredCustomerEmail: string;
30 const testPassword = 'TestPassword123!@#';
31 let customerTokens: CustomerTokens | null = null;
32
33 test.describe.serial('Customer Registration Flow', () => {
34 test('should register customer successfully with valid Origin', async ({ request }) => {
35 registeredCustomerEmail = `test-customer-${Date.now()}@example.com`;
36
37 const response = await request.post(`${API_URL}/v1/auth/register`, {
38 headers: {
39 'Content-Type': 'application/json',
40 'Origin': PORTAL_URL,
41 },
42 data: {
43 firstName: 'Test',
44 lastName: 'Customer',
45 email: registeredCustomerEmail,
46 password: testPassword,
47 phoneNumber: '+1234567890',
48 country: 'US',
49 region: 'CA',
50 address: '123 Test Street',
51 city: 'Test City',
52 postalCode: '12345',
53 },
54 });
55
56 const status = response.status();
57 const body = await response.json();
58
59 expect(status).toBe(200);
60 expect(body.status).toBe('success');
61 expect(body.data.user.email).toBe(registeredCustomerEmail);
62 expect(body.data.accessToken).toBeDefined();
63 expect(body.data.refreshToken).toBeDefined();
64
65 customerTokens = {
66 accessToken: body.data.accessToken,
67 refreshToken: body.data.refreshToken,
68 };
69
70 console.log(`✅ Customer registered successfully`);
71 console.log(` Email: ${body.data.user.email}`);
72 console.log(` Organization: ${body.data.user.organizationId}`);
73 });
74
75 test('should reject registration with forged Origin header', async ({ request }) => {
76 const response = await request.post(`${API_URL}/v1/auth/register`, {
77 headers: {
78 'Content-Type': 'application/json',
79 'Origin': 'https://attacker.evil.com',
80 },
81 data: {
82 firstName: 'Attacker',
83 lastName: 'Evil',
84 email: `attacker-${Date.now()}@evil.com`,
85 password: testPassword,
86 phoneNumber: '+1234567890',
87 country: 'US',
88 region: 'CA',
89 address: '666 Evil Street',
90 city: 'Evil City',
91 postalCode: '66666',
92 },
93 });
94
95 const status = response.status();
96
97 expect(status).toBe(404);
98
99 console.log(`✅ Forged Origin correctly rejected (status: ${status})`);
100 });
101
102 test('should reject duplicate registration', async ({ request }) => {
103 const response = await request.post(`${API_URL}/v1/auth/register`, {
104 headers: {
105 'Content-Type': 'application/json',
106 'Origin': PORTAL_URL,
107 },
108 data: {
109 firstName: 'Test',
110 lastName: 'Duplicate',
111 email: registeredCustomerEmail,
112 password: testPassword,
113 phoneNumber: '+1234567890',
114 country: 'US',
115 region: 'CA',
116 address: '123 Test Street',
117 city: 'Test City',
118 postalCode: '12345',
119 },
120 });
121
122 expect(response.status()).toBe(409);
123
124 console.log(`✅ Duplicate registration correctly rejected`);
125 });
126 });
127
128 test.describe.serial('Customer Login Flow', () => {
129 test('should login with valid credentials', async ({ request }) => {
130 const response = await request.post(`${API_URL}/v1/auth/customer/login`, {
131 headers: {
132 'Content-Type': 'application/json',
133 'Origin': PORTAL_URL,
134 },
135 data: {
136 email: registeredCustomerEmail,
137 password: testPassword,
138 },
139 });
140
141 const status = response.status();
142 const body = await response.json();
143
144 expect(status).toBe(200);
145 expect(body.status).toBe('success');
146 expect(body.data.accessToken).toBeDefined();
147 expect(body.data.refreshToken).toBeDefined();
148
149 customerTokens = {
150 accessToken: body.data.accessToken,
151 refreshToken: body.data.refreshToken,
152 };
153
154 console.log(`✅ Customer login successful`);
155 });
156
157 test('should reject login with invalid password', async ({ request }) => {
158 const response = await request.post(`${API_URL}/v1/auth/customer/login`, {
159 headers: {
160 'Content-Type': 'application/json',
161 'Origin': PORTAL_URL,
162 },
163 data: {
164 email: registeredCustomerEmail,
165 password: 'WrongPassword123!@#',
166 },
167 });
168
169 expect(response.status()).toBe(401);
170
171 console.log(`✅ Invalid password correctly rejected`);
172 });
173
174 test('should reject login with forged Origin', async ({ request }) => {
175 const response = await request.post(`${API_URL}/v1/auth/customer/login`, {
176 headers: {
177 'Content-Type': 'application/json',
178 'Origin': 'https://attacker.evil.com',
179 },
180 data: {
181 email: registeredCustomerEmail,
182 password: testPassword,
183 },
184 });
185
186 const status = response.status();
187
188 expect(status).toBe(404);
189
190 console.log(`✅ Forged Origin on login correctly rejected (status: ${status})`);
191 });
192 });
193
194 test.describe.serial('Customer Token Refresh Flow', () => {
195 test('should refresh token with valid customer refresh token', async ({ request }) => {
196 if (!customerTokens) {
197 test.skip();
198 return;
199 }
200
201 const response = await request.post(`${API_URL}/v1/auth/customer/refresh-token`, {
202 headers: {
203 'Content-Type': 'application/json',
204 },
205 data: {
206 refreshToken: customerTokens.refreshToken,
207 },
208 });
209
210 const status = response.status();
211 const body = await response.json();
212
213 expect(status).toBe(200);
214 expect(body.status).toBe('success');
215 expect(body.data.accessToken).toBeDefined();
216 expect(body.data.refreshToken).toBeDefined();
217
218 customerTokens = {
219 accessToken: body.data.accessToken,
220 refreshToken: body.data.refreshToken,
221 };
222
223 console.log(`✅ Customer token refreshed successfully`);
224 });
225
226 test('should reject refresh with invalid token', async ({ request }) => {
227 const response = await request.post(`${API_URL}/v1/auth/customer/refresh-token`, {
228 headers: {
229 'Content-Type': 'application/json',
230 },
231 data: {
232 refreshToken: 'invalid-token-' + crypto.randomUUID(),
233 },
234 });
235
236 const status = response.status();
237
238 if (status =Gold: prior run's passkey.spec.ts already drives the full flow with CDP virtual authenticators (internal + usb) + screenshots — but assumes a logged-in customer storageState. And customer-auth.spec.ts shows customer self-registration via POST /v1/auth/register with Origin header → returns tokens. That's my path to a real customer session.
For point 1 (create-account), I need an invite token (/v1/auth/create-account differs from /register). Investigate the API invite mechanism + authStore persist shape + playwright config.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== create-account route + invite token gen ===\" ; rg -rl \"create-account|createAccount|invite\" src 2>/dev/null | head -20","description":"Find create-account/invite handlers in API"}=== create-account route + invite token gen ===
src/services/azureAdUserService.ts: lRedeemUrl: string;
src/services/azureAdUserService.ts: ldUser: {
src/services/azureAdUserService.ts: async lUser(userData: AzureUserData, redirectUrl?: string): Promise<AzureInvitationResponse> {
src/services/azureAdUserService.ts: ldUserEmailAddress: userData.email,
src/services/azureAdUserService.ts: ldUserDisplayName: `${userData.firstName} ${userData.lastName}`,
src/services/azureAdUserService.ts: lRedirectUrl: redirectUrl || 'https://portal.azure.com',
src/services/azureAdUserService.ts: ldUserMessageInfo: {
src/services/azureAdUserService.ts: customizedMessageBody: `Hi ${userData.firstName},\n\nYou have been ld to join our CRM system. Please click the link below to accept the invitation and set up your account.\n\nBest regards,\nThe Team`
src/services/azureAdUserService.ts: ldUserEmailAddress: invitationRequest.ldUserEmailAddress,
src/services/azureAdUserService.ts: ldUserDisplayName: invitationRequest.ldUserDisplayName,
src/services/azureAdUserService.ts: lRedirectUrl: invitationRequest.lRedirectUrl
src/services/azureAdUserService.ts: lRedeemUrl: response.data.lRedeemUrl,
src/services/azureAdUserService.ts: ldUserId: response.data.ldUser?.id,
src/services/azureAdUserService.ts: userPrincipalName: response.data.ldUser?.userPrincipalName,
src/services/azureAdUserService.ts: async createUser(userData: AzureUserData, redirectUrl?: string): Promise<{ id: string; userPrincipalName: string; displayName: string; lRedeemUrl: string }> {
src/services/azureAdUserService.ts: const invitation = await this.lUser(userData, redirectUrl);
src/services/azureAdUserService.ts: id: invitation.ldUser.id,
src/services/azureAdUserService.ts: userPrincipalName: invitation.ldUser.userPrincipalName,
src/services/azureAdUserService.ts: displayName: invitation.ldUser.displayName,
src/services/azureAdUserService.ts: lRedeemUrl: invitation.lRedeemUrl{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== invite token signing ===\" ; rg -n \"create-account|invitation|inviteToken|invite_token|createAccountToken\" src --type ts -i 2>/dev/null | rg -i \"sign|jwt|token|generat|secret|expir\" | head -30","description":"Find invite token signing logic"}=== invite token signing ===
src/services/bundleWelcomeEmailService.ts:56: baseTemplateData.createAccountLink = `${organization.portalUrl}/create-account?token=${customer.resetToken}`;
src/services/userService.ts:221: return `${organization.portalUrl}/create-account?token=${resetToken}`;
src/services/userService.ts:225: return `${frontendUrl}/create-account?token=${resetToken}`;
src/routes/plus/customerRoutes.ts:250: 'Resends the customer-portal invitation for a customer who has not yet set a password. If the existing reset token is missing or expired a new 30-day token is generated. Returns the create-account link so the caller can re-deliver it. Returns 409 if the customer has already activated their account.',{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login ; echo \"=== authStore persist shape ===\" ; sed -n '1,100p' app/src/store/authStore.ts 2>/dev/null | rg -n \"partialize|name:|accessToken|refreshToken|user|hydrated|version|persist|setTokens\" | head -40 ; echo \"=== playwright config projects/storageState ===\" ; cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login ; rg -n \"storageState|project|name:|testMatch|passkey|setup\" playwright.config.ts 2>/dev/null | head -40","description":"authStore persist shape + playwright projects"}=== authStore persist shape ===
4:import { persist } from "zustand/middleware";
6:import { UserData } from "../../types/user";
10: accessToken: string | null;
11: refreshToken: string | null;
12: user: UserData | null;
17: hydrated: boolean;
18: setTokens: (accessToken: string, refreshToken: string) => void;
19: setUser: (user: UserData) => void;
25: setHydrated: (hydrated: boolean) => void;
32: persist(
34: accessToken: null,
35: refreshToken: null,
36: user: null,
41: hydrated: false,
42: setTokens: (accessToken, refreshToken) => set({ accessToken, refreshToken }),
43: setUser: (user) => set({ user }),
48: setHydrated: (hydrated) => set({ hydrated }),
52: localStorage.removeItem("accessToken");
53: localStorage.removeItem("refreshToken");
59: accessToken: null,
60: refreshToken: null,
61: user: null,
70: name: "auth-storage",
90: // We instead mark the store as hydrated after creation via the fallback
=== playwright config projects/storageState ===
18: /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
28: /* Configure projects for major browsers */
29: projects: [
31: name: 'plus-insurance',
32: testMatch: /plus-insurance\/.*\.spec\.ts/,
38: name: 'embed-translations',
39: testMatch: /embed-translations\/.*\.spec\.ts/,
43: storageState: 'playwright/.auth/user.json',
47: dependencies: ['setup'],
50: name: 'payments',
51: testMatch: /payments\/.*\.spec\.ts/,
57: name: 'multi-currency',
58: testMatch: /multi-currency\/.*\.spec\.ts/,
64: name: 'widget',
65: testMatch: /widget\/.*\.spec\.ts/,
71: name: 'api',
72: testMatch: /security\.spec\.ts/,
76: name: 'customer-auth',
77: testMatch: /customer-auth\.spec\.ts/,
82: name: 'frontend-security',
83: testMatch: /security-frontend\.spec\.ts/,
89: // don't expose. Authenticated via the shared storageState.
90: name: 'passkeys',
91: testMatch: /passkey\.spec\.ts/,
95: storageState: 'playwright/.auth/user.json',
99: dependencies: ['setup'],
102: name: 'setup',
103: testMatch: /.*\.setup\.ts/,
110: name: 'chromium',
111: testMatch: /.*\.spec\.ts/,
112: testIgnore: [/security\.spec\.ts/, /customer-auth\.spec\.ts/, /plus-insurance\//, /payments\//, /embed-translations\//, /widget\//, /passkey\.spec\.ts/],
115: storageState: 'playwright/.auth/user.json',
117: dependencies: ['setup'],
121: name: 'firefox',
122: testMatch: /.*\.spec\.ts/,
123: testIgnore: [/security\.spec\.ts/, /customer-auth\.spec\.ts/, /plus-insurance\//, /payments\//, /embed-translations\//, /widget\//, /passkey\.spec\.ts/],
126: storageState: 'playwright/.auth/user.json',
128: dependencies: ['setup'],
132: name: 'webkit',
133: testMatch: /.*\.spec\.ts/,create-account token = customer resetToken; admin endpoint at customerRoutes.ts:250 resends invitation and returns the create-account link. So I can mint a real invite. Need client creds + the create-customer endpoint shape. Read customerRoutes + check env creds.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/routes/plus/customerRoutes.ts","offset":230,"limit":130}230 response: {
231 200: {
232 type: 'object',
233 properties: {
234 status: { type: 'string', example: 'success' },
235 message: { type: 'string', example: 'Customer deleted successfully' },
236 },
237 },
238 },
239 },
240 preHandler: [fastify.requirePermission(PERMISSIONS.users.delete.value)],
241 },
242 deleteCustomer
243 );
244
245 fastify.post<{ Params: { id: string } }>(
246 '/:id/resend-invitation',
247 {
248 schema: {
249 description:
250 'Resends the customer-portal invitation for a customer who has not yet set a password. If the existing reset token is missing or expired a new 30-day token is generated. Returns the create-account link so the caller can re-deliver it. Returns 409 if the customer has already activated their account.',
251 tags: [TAG],
252 security: [{ Bearer: [] }],
253 params: {
254 type: 'object',
255 additionalProperties: true,
256 properties: {
257 id: { type: 'string', format: 'uuid', description: 'Customer ID', example: '550e8400-e29b-41d4-a716-446655440000' },
258 },
259 required: ['id'],
260 },
261 response: {
262 200: {
263 type: 'object',
264 properties: {
265 status: { type: 'string', example: 'success' },
266 data: {
267 type: 'object',
268 additionalProperties: true,
269 properties: {
270 customerId: {
271 type: 'string',
272 example: '550e8400-e29b-41d4-a716-446655440000',
273 },
274 email: { type: 'string', example: '[email protected]' },
275 createAccountLink: {
276 type: 'string',
277 example: 'https://example.com/onboarding?token=...',
278 },
279 tokenExpired: {
280 type: 'boolean',
281 description: 'True if the previous reset token was missing or expired and a fresh one was issued.',
282 example: false,
283 },
284 },
285 },
286 },
287 },
288 },
289 },
290 },
291 resendInvitation
292 );
293 });
294 };
295 {"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login ; echo \"=== client creds present? ===\" ; rg -n \"SHERPA_TEST_CLIENT_ID|SHERPA_TEST_CLIENT_SECRET\" .env 2>/dev/null | sed 's/=.*/=<set>/' ; echo \"=== urls helper ===\" ; cat tests/utils/urls.ts 2>/dev/null | head -60","description":"Check client creds + urls helper"}=== client creds present? ===
25:SHERPA_TEST_CLIENT_ID=<set>
26:SHERPA_TEST_CLIENT_SECRET=<set>
=== urls helper ===
export function getPortalUrl(): string {
const env = process.env.ENV || 'local';
if (env === 'local') {
return process.env.SHERPA_PORTAL_HTTP || 'http://localhost:3000';
}
if (env === 'dev') {
return process.env.SHERPA_PORTAL_DEV_HTTPS || '';
}
if (env === 'staging') {
return process.env.SHERPA_PORTAL_STAGING_HTTPS || '';
}
if (env === 'production') {
return process.env.SHERPA_PORTAL_PROD_HTTPS || '';
}
return process.env.SHERPA_PORTAL_HTTPS || '';
}
export function getApiUrl(): string {
const env = process.env.ENV || 'local';
if (env === 'local') {
return process.env.SHERPA_API_HTTP || 'http://localhost:4000';
}
if (env === 'dev') {
return process.env.SHERPA_API_DEV_HTTPS || '';
}
if (env === 'staging') {
return process.env.SHERPA_API_STAGING_HTTPS || '';
}
if (env === 'production') {
return process.env.SHERPA_API_PROD_HTTPS || '';
}
return process.env.SHERPA_API_HTTPS || '';
}
export function getEmbedUrl(): string {
const env = process.env.ENV || 'local';
if (env === 'local') {
return process.env.SHERPA_EMBED_HTTP || 'http://localhost:3101';
}
if (env === 'dev') {
return process.env.SHERPA_EMBED_DEV_HTTPS || '';
}
if (env === 'staging') {
return process.env.SHERPA_EMBED_STAGING_HTTPS || '';
}
if (env === 'production') {Have it: POST /v1/plus/customers/:id/resend-invitation → createAccountLink (client-creds auth works); creds are set. For create-account proof I need an unactivated customer (self-register activates → 409). Find the create-customer endpoint shape + sanity-check register against the test org.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== POST create-customer routes ===\" ; rg -n \"fastify\\.(post|put)\" src/routes/plus/customerRoutes.ts | head ; echo \"=== handler imports ===\" ; rg -n \"createCustomer|resendInvitation|from '\" src/routes/plus/customerRoutes.ts | head -20","description":"Locate create-customer route + handlers"}=== POST create-customer routes ===
198: fastify.put<{
245: fastify.post<{ Params: { id: string } }>(
=== handler imports ===
1:import { FastifyInstance, FastifyPluginAsync } from 'fastify';
7: resendInvitation,
8:} from '@/controllers/customerController.js';
9:import { PERMISSIONS } from '@/types/permissions.js';
291: resendInvitation{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login ; source .env 2>/dev/null; CID=$(rg -n '^SHERPA_TEST_CLIENT_ID=' .env | sed 's/^[^=]*=//'); CSEC=$(rg -n '^SHERPA_TEST_CLIENT_SECRET=' .env | sed 's/^[^=]*=//'); echo \"=== self-register test customer against test org ===\" ; curl -sS -X POST \"http://localhost:4003/v1/auth/register\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -d \"{\\\"firstName\\\":\\\"Passkey\\\",\\\"lastName\\\":\\\"Prover\\\",\\\"email\\\":\\\"passkey-prover-$(date +%s)@example.com\\\",\\\"password\\\":\\\"TestPass123!@#\\\",\\\"phoneNumber\\\":\\\"+12025550142\\\",\\\"country\\\":\\\"US\\\",\\\"region\\\":\\\"CA\\\",\\\"address\\\":\\\"1 Test St\\\",\\\"city\\\":\\\"Testville\\\",\\\"postalCode\\\":\\\"12345\\\"}\" 2>&1 | python3 -c \"import sys,json; d=json.load(sys.stdin); print('status:',d.get('status')); print('user email:',(d.get('data') or {}).get('user',{}).get('email')); print('has tokens:', bool((d.get('data') or {}).get('accessToken')))\" 2>&1 | head","description":"Sanity-check customer self-register against test org"}=== self-register test customer against test org === status: success user email: [email protected] has tokens: True
Self-register works (Customer X for login/profile proof). For create-account I need an unactivated customer with a resetToken. No POST-create in customerRoutes — find where customers get created with a resetToken (the invite path).
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== resetToken generation sites ===\" ; rg -n \"resetToken\" src --type ts | rg -i \"generat|sign|jwt|crypto|randomBytes|=|create\" | rg -iv \"create-account|createAccountLink|email\" | head -25 ; echo ; echo \"=== customer create endpoints (any route) ===\" ; rg -rn \"fastify\\.post\" src/routes --type ts | rg -i \"customer|/register|invite|customers'\" | head ; echo ; echo \"=== resendInvitation controller ===\" ; rg -n \"resendInvitation|resetToken|generateResetToken|create-account\" src/controllers/customerController.ts 2>/dev/null | head -20","description":"Find customer-create + resetToken generation"}=== resetToken generation sites ===
src/services/userService.ts:177: updateData.resetToken = generateResetToken();
src/services/userService.ts:178: updateData.resetTokenExpiry = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
src/services/userService.ts:205: resetToken: generateResetToken(),
src/controllers/customerController.ts:291: const tokenExpired = !customer.resetTokenExpiry || customer.resetTokenExpiry < new Date();
src/controllers/customerController.ts:294: const resetToken = generateResetToken();
src/controllers/customerController.ts:295: const resetTokenExpiry = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
src/controllers/authController.ts:583: const resetToken = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
src/controllers/authController.ts:584: const resetTokenExpiry = new Date(Date.now() + 3600000); // 1 hour from now
src/controllers/authController.ts:794: WHERE "resetToken" = :token AND "resetTokenExpiry" > NOW() AND password IS NULL AND deleted = false
src/controllers/authController.ts:809: `UPDATE "Customers" SET password = :hashedPassword, "resetToken" = NULL, "resetTokenExpiry" = NULL, "updatedAt" = NOW()
src/db/migrations/2026.01.30T00.00.00.create-customers-table.ts:67: resetToken: {
src/db/migrations/2026.01.30T00.00.00.create-customers-table.ts:71: resetTokenExpiry: {
src/db/migrations/2026.04.03T00.00.01.migrate-customer-id-integer-to-uuid.ts:158:-- 15. Widen resetToken from VARCHAR(255) to TEXT (customer JWTs with UUID payload may exceed 255 chars)
src/db/migrations/2026.04.03T00.00.01.migrate-customer-id-integer-to-uuid.ts:164:UPDATE "Customers" SET "resetToken" = NULL;
src/schemas/typebox/auth/Customer.ts:23:export const CustomerPrivateFields = ['password', 'resetToken', 'resetTokenExpiry', 'deleted'] as const;
=== customer create endpoints (any route) ===
src/routes/plus/customerRoutes.ts: n<{ Params: { id: string } }>(
src/routes/authRoutes.ts: n('/customer/login', {
src/routes/authRoutes.ts: n('/register', {
src/routes/authRoutes.ts: n('/customer/refresh-token', {
src/routes/customerPortalRoutes.ts: n('/sessions', {
src/routes/organizationSwitchingRoutes.ts: n('/organizations/:organizationId/invite', {
=== resendInvitation controller ===
6:import { generateResetToken } from '@/utils/crypto.js';
55: exclude: ['password', 'resetToken', 'resetTokenExpiry'],
133: exclude: ['password', 'resetToken', 'resetTokenExpiry'],
264:export const resendInvitation = async (
291: const tokenExpired = !customer.resetTokenExpiry || customer.resetTokenExpiry < new Date();
293: if (!customer.resetToken || tokenExpired) {
294: const resetToken = generateResetToken();
295: const resetTokenExpiry = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
296: await customer.update({ resetToken, resetTokenExpiry });
300: customer.resetToken!,
338: exclude: ['password', 'resetToken', 'resetTokenExpiry'],
424: resendInvitation,create-account verifies token against a customer with password IS NULL (unactivated); resendInvitation mints the link for any such customer. Need to find the reachable customer-create endpoint. Read userService creation path.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/services/userService.ts","offset":160,"limit":75}160 // portal resolves sessions exclusively by externalClientId, leaving the
161 // customer un-findable. Only set when empty so we never clobber an existing
162 // partner identifier.
163 if (externalClientId && !existingCustomer.externalClientId) {
164 updateData.externalClientId = externalClientId;
165 }
166
167 // Only mint a new reset token when the customer doesn't already hold a
168 // valid one. Rotating on every find-or-create would invalidate the link in
169 // an earlier welcome email the moment the same customer re-submits a form
170 // (or the activation hook touches the row), which broke create-account.
171 if (email && !existingCustomer.password) {
172 const tokenStillValid =
173 !!existingCustomer.resetToken &&
174 !!existingCustomer.resetTokenExpiry &&
175 existingCustomer.resetTokenExpiry.getTime() > Date.now();
176 if (!tokenStillValid) {
177 updateData.resetToken = generateResetToken();
178 updateData.resetTokenExpiry = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
179 }
180 }
181
182 if (Object.keys(updateData).length > 0) {
183 await existingCustomer.update(updateData);
184 }
185
186 return existingCustomer;
187 }
188
189 const mappedFields = mapParametersToCustomerFields(parameters);
190
191 const customer = await Customer.create({ organizationId }, {
192 organizationId,
193 externalClientId: externalClientId || null,
194 firstName: mappedFields.firstName || '',
195 lastName: mappedFields.lastName || '',
196 email: email ? email.toLowerCase() : `${externalClientId}@external.partner`,
197 password: null,
198 phoneNumber: mappedFields.phoneNumber || null,
199 country: mappedFields.country || null,
200 region: mappedFields.region || null,
201 address: mappedFields.address || null,
202 city: mappedFields.city || null,
203 postalCode: mappedFields.postalCode || null,
204 ...(email ? {
205 resetToken: generateResetToken(),
206 resetTokenExpiry: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
207 } : {}),
208 });
209
210 return customer;
211 }
212
213 export async function generateCustomerCreateAccountLink(
214 resetToken: string,
215 organizationId: string,
216 request: FastifyRequest
217 ): Promise<string> {
218 const organization = await Organization.findByPk(organizationId);
219
220 if (organization?.portalUrl) {
221 return `${organization.portalUrl}/create-account?token=${resetToken}`;
222 }
223
224 const frontendUrl = getPortalUrl(request.protocol);
225 return `${frontendUrl}/create-account?token=${resetToken}`;
226 }
227 {"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== who calls the customer-creating userService fn ===\" ; rg -n \"createCustomer|createCustomerWithInvite|inviteCustomer|sendInvitation|createAccountLink\" src/controllers src/routes --type ts | head -20","description":"Find controller/route that creates a customer"}=== who calls the customer-creating userService fn ===
src/routes/plus/customerRoutes.ts:7: resendInvitation,
src/routes/plus/customerRoutes.ts:275: createAccountLink: {
src/routes/plus/customerRoutes.ts:291: resendInvitation
src/controllers/policyOrderController.ts:69:import { createCustomerFromPolicyParameters } from '@/services/userService.js';
src/controllers/policyOrderController.ts:752: const customer = await createCustomerFromPolicyParameters(parameters, organizationId);
src/controllers/policyOrderController.ts:2860: const customer = await createCustomerFromPolicyParameters(parameters, clientInfo.organizationId, externalClientId);
src/controllers/policyOrderController.ts:3813: existingCustomer || (await createCustomerFromPolicyParameters(policyParams, clientInfo.organizationId, externalClientId));
src/controllers/customerController.ts:264:export const resendInvitation = async (
src/controllers/customerController.ts:299: const createAccountLink = await generateCustomerCreateAccountLink(
src/controllers/customerController.ts:310: createAccountLink,
src/controllers/customerController.ts:424: resendInvitation,createCustomerFromPolicyParameters (password:null + resetToken) is only reached via policy-purchase — too heavy to drive for a proof. Lighter path: find an existing unactivated customer (password NULL) in the test org, then mint its invite link via the real resend-invitation API. Check DB access (read-only) for one.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== db service + creds ===\" ; rg -n \"POSTGRES_|DATABASE_URL|DB_NAME|DB_USER|DB_PASS|services:|db:|postgres\" docker-compose*.yml .env 2>/dev/null | rg -iv \"azure|foundry\" | head -30","description":"Find DB service + credentials"}=== db service + creds === .env:65:DB_NAME=sherpa_local .env:66:DB_USER=sherpa_user .env:67:DB_PASS=sherpa_password .env:189:TEST_DB_NAME=sherpa_api_test docker-compose.yml:10:services:
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== compose services ===\" ; rg -n \"^ [a-z].*:|container_name|image:\" docker-compose.yml | head -30 ; echo \"=== db host/port in env ===\" ; rg -n \"DB_HOST|DB_PORT\" .env | head","description":"List compose services + DB host/port"}=== compose services === 11: api: 12: container_name: sherpa-api-api-466-passkey-webauthn-login 13: image: sherpa-api-api-466-passkey-webauthn-login:latest 36: sherpa-api-api-466-passkey-webauthn-login-node_modules: 39: sherpa-vnet: 44: npmrc: === db host/port in env === 63:DB_HOST=sherpa-pg-main 64:DB_PORT=5432
DB is the shared sherpa-pg-main container. Query read-only for an unactivated customer in the test org.
{"command":"docker exec -e PGPASSWORD=sherpa_password sherpa-pg-main psql -U sherpa_user -d sherpa_local -t -A -F'|' -c \"SELECT id, email, (\\\"resetToken\\\" IS NOT NULL) AS has_token FROM \\\"Customers\\\" WHERE \\\"organizationId\\\"='12345678-9abc-def0-1234-56789abcdef0' AND password IS NULL AND deleted=false ORDER BY \\\"createdAt\\\" DESC LIMIT 8;\" 2>&1 | head -20","description":"Find unactivated customers in test org"}ada17e4c-c3e0-4816-89a4-49a3040ca0c2|[email protected]|t 41a58d97-2ec7-494e-9674-d4eb0b6ca7c0|[email protected]|t e5566532-90b9-4ce7-bcbb-00e47ab315b1|[email protected]|t 5cacc647-0da6-446a-b81d-cf0badcac999|[email protected]|t 5adc17d9-3f0e-4235-bdfd-0832672578bf|[email protected]|t d694f2f9-27a2-4e8b-b595-df84ae8023ad|[email protected]|t d21076f2-e071-45eb-8456-401e7a6b70f5|[email protected]|t 627bc466-c125-45ea-a63a-0a33e80ba86d|[email protected]|t
Unactivated test customers exist. But critical correctness check first: create-account's auto-login uses /v1/auth/login — if that's org-user-only, it fails for a customer, and my passkey step (gated inside auto-login success) never shows. Must verify empirically. Mint a token, activate, test both login endpoints.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login\nCID=$(rg -n '^SHERPA_TEST_CLIENT_ID=' .env | sed 's/^[^=]*=//' | tr -d '\"'); CSEC=$(rg -n '^SHERPA_TEST_CLIENT_SECRET=' .env | sed 's/^[^=]*=//' | tr -d '\"')\nCUST_ID=\"ada17e4c-c3e0-4816-89a4-49a3040ca0c2\"\necho \"=== 1. resend-invitation (get token) ===\"\nLINK=$(curl -sS -X POST \"http://localhost:4003/v1/plus/customers/${CUST_ID}/resend-invitation\" -H \"Authorization: Client ${CID}:${CSEC}\" -H \"Content-Type: application/json\" 2>&1 | python3 -c \"import sys,json;d=json.load(sys.stdin);print((d.get('data') or {}).get('createAccountLink',''))\" 2>&1)\necho \"link: $LINK\"\nTOKEN=$(echo \"$LINK\" | sed 's/.*token=//')\necho \"token (first 40): ${TOKEN:0:40}...\"\necho \"TOKEN=$TOKEN\" > /tmp/pk-token-466.env\necho \"=== 2. create-account (activate, set password) ===\"\ncurl -sS -X POST \"http://localhost:4003/v1/auth/create-account\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -d \"{\\\"token\\\":\\\"${TOKEN}\\\",\\\"password\\\":\\\"TestPass123!@#\\\"}\" 2>&1 | python3 -c \"import sys,json;d=json.load(sys.stdin);print('status:',d.get('status'),'| email:',(d.get('data') or {}).get('email'),'| msg:',d.get('message'))\" 2>&1\necho \"=== 3a. /v1/auth/login (org-user login) with this customer ===\"\ncurl -sS -o /dev/null -w \"auth/login HTTP %{http_code}\\n\" -X POST \"http://localhost:4003/v1/auth/login\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -d \"{\\\"email\\\":\\\"[email protected]\\\",\\\"password\\\":\\\"TestPass123!@#\\\"}\"\necho \"=== 3b. /v1/auth/customer/login ===\"\ncurl -sS -o /dev/null -w \"auth/customer/login HTTP %{http_code}\\n\" -X POST \"http://localhost:4003/v1/auth/customer/login\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -d \"{\\\"email\\\":\\\"[email protected]\\\",\\\"password\\\":\\\"TestPass123!@#\\\"}\"","description":"Mint invite, activate customer, test both login endpoints"}=== 1. resend-invitation (get token) === link: token (first 40): ... === 2. create-account (activate, set password) === status: None | email: None | msg: None === 3a. /v1/auth/login (org-user login) with this customer === auth/login HTTP 401 === 3b. /v1/auth/customer/login === auth/customer/login HTTP 401
Empty link — resend-invitation failed silently. Debug the raw response (likely auth format).
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login\nCID=$(rg -n '^SHERPA_TEST_CLIENT_ID=' .env | sed 's/^[^=]*=//' | tr -d '\"'); CSEC=$(rg -n '^SHERPA_TEST_CLIENT_SECRET=' .env | sed 's/^[^=]*=//' | tr -d '\"')\necho \"CID len: ${#CID} CSEC len: ${#CSEC}\"\necho \"=== raw resend-invitation ===\"\ncurl -sS -X POST \"http://localhost:4003/v1/plus/customers/ada17e4c-c3e0-4816-89a4-49a3040ca0c2/resend-invitation\" -H \"Authorization: Client ${CID}:${CSEC}\" -H \"Content-Type: application/json\" -w \"\\nHTTP %{http_code}\\n\" 2>&1 | head -20","description":"Raw resend-invitation response"}CID len: 39 CSEC len: 39
=== raw resend-invitation ===
{"error":{"message":"Body cannot be empty when content-type is set to 'application/json'"}}
HTTP 400Empty-body rejection. Resend with {}.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login\nCID=$(rg -n '^SHERPA_TEST_CLIENT_ID=' .env | sed 's/^[^=]*=//' | tr -d '\"'); CSEC=$(rg -n '^SHERPA_TEST_CLIENT_SECRET=' .env | sed 's/^[^=]*=//' | tr -d '\"')\nfor CUST_ID in ada17e4c-c3e0-4816-89a4-49a3040ca0c2 41a58d97-2ec7-494e-9674-d4eb0b6ca7c0 e5566532-90b9-4ce7-bcbb-00e47ab315b1; do\n RESP=$(curl -sS -X POST \"http://localhost:4003/v1/plus/customers/${CUST_ID}/resend-invitation\" -H \"Authorization: Client ${CID}:${CSEC}\" -H \"Content-Type: application/json\" -d '{}' 2>&1)\n echo \"$CUST_ID -> $RESP\" | head -c 400 ; echo\ndone","description":"Resend-invitation with empty JSON body for a few customers"}ada17e4c-c3e0-4816-89a4-49a3040ca0c2 -> {"error":{"message":"Customer not found"}}
41a58d97-2ec7-494e-9674-d4eb0b6ca7c0 -> {"error":{"message":"Customer not found"}}
e5566532-90b9-4ce7-bcbb-00e47ab315b1 -> {"error":{"message":"Customer not found"}}"Customer not found" — client creds are scoped to a different org than the test org, so resend-invitation can't reach test-org customers. More importantly this exposes a correctness question: create-account's auto-login hardcodes /v1/auth/login (org-user), but the test org is a customer portal. If that endpoint is customer-incompatible, the passkey step (gated on auto-login success) never shows for real customers. Read the login + create-account handlers.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== route->handler map (auth) ===\" ; rg -n \"fastify\\.\\w+\\(|handler:|createAccount|customerLogin|\\blogin\\b\" src/routes/authRoutes.ts | head -40","description":"Map auth routes to handlers"}=== route->handler map (auth) ===
6:import { login, customerLogin, register, refreshToken, customerRefreshToken, logout, requestPasswordReset, resetPassword, socialAuthCallback, resend2FAEmail, createAccountWithToken } from '@/controllers/authController.js';
21: createAccountWithTokenBodySchema,
41: await fastify.register(async function (fastify: FastifyInstance) {
44: fastify.post('/login', {
46: description: 'Authenticates a CRM/portal user (a Sherpa Plus operator inside a partner organization) with email and password and issues a JWT access token plus refresh token. Use this when a back-office user signs in to the partner portal. Do NOT use this for end-customers signing in on a customer-facing portal — use POST /v1/auth/customer/login instead. If the user has 2FA enabled, the response contains a short-lived `tempToken` and `require2FA: true` instead of access/refresh tokens; complete the flow by calling the 2FA verify endpoint with that tempToken.',
53: description: 'Either a successful login envelope (with access/refresh tokens) or a 2FA challenge envelope (with tempToken and require2FA=true).',
58: require2FA: { type: 'boolean', description: 'True when the user has 2FA enabled and the login is not yet complete. When true, only `tempToken` is returned (no access/refresh tokens).', example: false },
86: }, login);
88: // Customer login route (authenticates against Customers table)
89: fastify.post('/customer/login', {
91: description: 'Authenticates an end-customer (the policyholder) against the Customers table for the organization that owns the request domain, and issues a customer-scoped JWT access/refresh token pair. Use this from the customer-facing portal of a partner organization. Requires the request to come from the organization\'s configured `portalDomain` — the Origin/Referer header is validated against it. Do NOT use this for partner back-office users; call POST /v1/auth/login instead.',
98: description: 'Successful customer login envelope.',
112: description: 'The authenticated customer record. Note: in this response the customer is exposed under the `user` key for symmetry with the partner login response.',
128: }, customerLogin);
131: fastify.post('/register', {
133: description: 'Registers a new end-customer in the organization that owns the request domain, persists their contact details, and immediately issues a customer-scoped JWT access/refresh token pair (no separate login step needed). Use this from the customer-facing registration form of a partner organization\'s portal. The Origin/Referer header is validated against the organization\'s configured `portalDomain`. Do NOT use this to create back-office users — back-office users are provisioned via Sherpa Plus invites, not this endpoint.',
151: description: 'The newly created customer (returned under `user` for symmetry with /v1/auth/login).',
172: fastify.post('/refresh-token', {
200: fastify.post('/customer/refresh-token', {
202: description: 'Exchanges a valid customer refresh token for a fresh customer access token and a rotated customer refresh token. Use this from the customer-facing portal when the customer\'s access token nears expiry. The supplied token must have been issued by POST /v1/auth/customer/login or POST /v1/auth/register; tokens of any other type are rejected with 401.',
228: fastify.post('/password-reset-request', {
248: fastify.post('/password-reset', {
268: fastify.post('/create-account', {
272: body: createAccountWithTokenBodySchema,
285: }, createAccountWithToken);
288: fastify.get('/callback/:provider', {
290: description: 'OAuth2 callback used by social-login providers to deliver an authorization payload back to the API. The handler issues access/refresh tokens and 302-redirects the browser back into the partner portal — there is no JSON response. Browsers hit this endpoint, not API clients; do not call it directly from server-side code.',
297: fastify.get('/providers', {
299: description: 'Returns the list of social-login providers the platform currently has enabled (e.g. google, microsoft, facebook). Use this on the login screen to decide which "Sign in with ..." buttons to render. The list reflects the global SocialAuthProvider table — providers can be enabled or disabled at runtime.',
325: fastify.post('/resend-2fa-email', {
327: description: 'Re-sends the 6-digit email-based 2FA code to the user identified by the temporary token returned from POST /v1/auth/login. Use this when the original 2FA email did not arrive or expired (codes expire 10 minutes after issue). Only valid for users whose configured `twoFactorMethod` is "email"; users on app-based (TOTP) 2FA do not receive emails and must use their authenticator app.',
348: await fastify.register(async function (fastify: FastifyInstance) {
349: fastify.addHook('preHandler', fastify.authenticate);
352: fastify.post('/logout', {
371: fastify.post('/change-2fa-method', {
392: fastify.post('/verify-2fa-method-change', {
415: fastify.get('/session', {
470: fastify.get('/me/permissions', {
515: await fastify.register(async function (fastify: FastifyInstance) {
518: fastify.post('/token', {Confirmed via route docs: /v1/auth/login = back-office USER (Users table); /v1/auth/customer/login = end-customer (Customers table); create-account activates a customer. So the existing auto-login via /v1/auth/login always 401s for customers → passkey step could never show. This is a real correctness bug I must fix: pick the login endpoint by org type (like the login page). Read the two handlers to confirm response shapes.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== createAccountWithToken handler ===\" ; rg -n \"export const createAccountWithToken|res.*status.*success|data:|email|accessToken\" src/controllers/authController.ts | rg -A0 \"createAccountWithToken\" ; sed -n '770,835p' src/controllers/authController.ts","description":"Read create-account handler response shape"}=== createAccountWithToken handler ===
message: '2FA code resent to email',
emailSent: emailResult,
};
if (NODE_ENV !== 'production') {
const responseWithToken = response as typeof response & { token: string };
responseWithToken.token = emailToken;
}
return response;
}
export async function createAccountWithToken(request: FastifyRequest<{
Body: { token: string; password: string; socialProvider?: string }
}>) {
const { token, password, socialProvider } = request.body;
if (!token) {
throw new StatusError(400, 'Token is required');
}
// Use systemSequelize to bypass RLS — this is a public endpoint with no org context
const [customerRow] = await systemSequelize.query<{ id: number }>( // SAFE-SYSTEM: auth bootstrap
`SELECT id FROM "Customers"
WHERE "resetToken" = :token AND "resetTokenExpiry" > NOW() AND password IS NULL AND deleted = false
LIMIT 1`,
{ replacements: { token }, type: QueryTypes.SELECT }
);
if (customerRow) {
if (socialProvider) {
throw new StatusError(400, 'Social authentication setup not yet implemented');
}
if (!password) {
throw new StatusError(400, 'Password is required');
}
const hashedPassword = await bcryptjs.hash(password, 10);
await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
`UPDATE "Customers" SET password = :hashedPassword, "resetToken" = NULL, "resetTokenExpiry" = NULL, "updatedAt" = NOW()
WHERE id = :customerId`,
{ replacements: { hashedPassword, customerId: customerRow.id }, type: QueryTypes.UPDATE }
);
return {
status: 'success',
message: 'Account created successfully',
};
}
const user = await User.findOne({
where: {
resetToken: token,
resetTokenExpiry: { [Op.gt]: new Date() },
password: null,
deleted: false,
},
});
if (!user) {
throw new StatusError(400, 'Invalid or expired token');
}
if (socialProvider) {
throw new StatusError(400, 'Social authentication setup not yet implemented');
} else {Critical: for a customer, createAccountWithToken returns only {status, message} — no data.email. So the FE auto-login branch (if (response.data.data?.email)) is skipped → customer is dumped to /login, never authenticated, passkey step never shows. To make the feature actually work for customers, the API must return the customer's email. Read the user-branch response to mirror its contract.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","offset":835,"limit":60}835 } else {
836 if (!password) {
837 throw new StatusError(400, 'Password is required');
838 }
839
840 await user.update({
841 password: password,
842 resetToken: null,
843 resetTokenExpiry: null,
844 });
845 }
846
847 return {
848 status: 'success',
849 message: 'Account created successfully',
850 };
851 }
852
853 // Legacy export for backward compatibility
854 export default {
855 login,
856 customerLogin,
857 register,
858 refreshToken,
859 customerRefreshToken,
860 logout,
861 requestPasswordReset,
862 resetPassword,
863 socialAuthCallback,
864 resend2FAEmail,
865 };
866 Neither branch returns data — so the FE auto-login was always dead code; create-account always fell to /login. To make passkey enrolment possible after customer signup, the API must return the customer's email. Two real fixes needed: (1) backend returns data.email for the customer branch; (2) FE auto-login picks the customer endpoint. Check the create-account route has no response schema that would strip data.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/routes/authRoutes.ts","offset":266,"limit":22}266
267 // Create account with token route
268 fastify.post('/create-account', {
269 schema: {
270 description: 'Activates an account that was provisioned without a password (typically via an invite or a self-service customer record created by an agent) by consuming a one-time activation token and setting an initial password. Use this when the user clicks the "Set up your account" link emailed to them. The endpoint resolves the token first against pending Customer records, then against pending User records.',
271 tags: ['Authentication'],
272 body: createAccountWithTokenBodySchema,
273 response: {
274 200: {
275 type: 'object',
276 additionalProperties: true,
277 description: 'Account activation success envelope.',
278 properties: {
279 status: { type: 'string', description: 'Always "success" on a 2xx response.', example: 'success' },
280 message: { type: 'string', description: 'Confirmation message.', example: 'Account created successfully' },
281 },
282 },
283 },
284 },
285 }, createAccountWithToken);
286
287 // Social auth callbackResponse schema is additionalProperties: true (won't strip data). Making the two backend fixes + FE endpoint selection.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","old_string":" const [customerRow] = await systemSequelize.query<{ id: number }>( // SAFE-SYSTEM: auth bootstrap\n `SELECT id FROM \"Customers\"\n WHERE \"resetToken\" = :token AND \"resetTokenExpiry\" > NOW() AND password IS NULL AND deleted = false\n LIMIT 1`,\n { replacements: { token }, type: QueryTypes.SELECT }\n );","new_string":" const [customerRow] = await systemSequelize.query<{ id: number; email: string }>( // SAFE-SYSTEM: auth bootstrap\n `SELECT id, email FROM \"Customers\"\n WHERE \"resetToken\" = :token AND \"resetTokenExpiry\" > NOW() AND password IS NULL AND deleted = false\n LIMIT 1`,\n { replacements: { token }, type: QueryTypes.SELECT }\n );"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","old_string":" return {\n status: 'success',\n message: 'Account created successfully',\n };\n }\n\n const user = await User.findOne({","new_string":" return {\n status: 'success',\n message: 'Account created successfully',\n // Echo the activated customer's email so the portal can sign them in via\n // /v1/auth/customer/login and offer passkey enrolment right after sign-up.\n // The email isn't part of the request body (the token identifies them).\n data: { email: customerRow.email },\n };\n }\n\n const user = await User.findOne({"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts has been updated successfully. (file state is current in your context — no need to Read it back)
Document data.email in the route response schema.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/routes/authRoutes.ts","old_string":" description: 'Account activation success envelope.',\n properties: {\n status: { type: 'string', description: 'Always \"success\" on a 2xx response.', example: 'success' },\n message: { type: 'string', description: 'Confirmation message.', example: 'Account created successfully' },\n },","new_string":" description: 'Account activation success envelope.',\n properties: {\n status: { type: 'string', description: 'Always \"success\" on a 2xx response.', example: 'success' },\n message: { type: 'string', description: 'Confirmation message.', example: 'Account created successfully' },\n data: {\n type: 'object',\n description: 'Present when a customer account was activated; lets the portal sign the customer in to offer passkey enrolment.',\n properties: {\n email: { type: 'string', description: 'The activated customer\\'s email.', example: '[email protected]' },\n },\n },\n },"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/routes/authRoutes.ts has been updated successfully. (file state is current in your context — no need to Read it back)
FE: pick the customer login endpoint for customer-portal orgs (mirror the login page).
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" // If the API returns user email, attempt auto-login\n if (response.data.data?.email) {\n try {\n const loginResponse = await api.post(\"/v1/auth/login\", {\n email: response.data.data.email,\n password: data.password,\n });","new_string":" // If the API returns the account's email, attempt auto-login. Customer\n // portals authenticate against the Customers table via a different\n // endpoint than back-office users, so pick it the same way the login\n // page does (by org portalType).\n if (response.data.data?.email) {\n try {\n const isCustomerLogin = organization?.portalType\n ? organization.portalType === \"customer\"\n : !!organization?.settings?.customerPortal;\n const loginEndpoint = isCustomerLogin\n ? \"/v1/auth/customer/login\"\n : \"/v1/auth/login\";\n const loginResponse = await api.post(loginEndpoint, {\n email: response.data.data.email,\n password: data.password,\n });"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Backend + FE wired. Restart API to load controller changes; re-run portal tsc; type-check API in-container.
{"command":"curl -fsS -X POST http://localhost:7777/api/restart -H 'Content-Type: application/json' -d '{\"paths\":[\"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\"]}' 2>&1 | python3 -c \"import sys,json;d=json.load(sys.stdin);r=d.get('results',[{}])[0];print('api restart ok:',r.get('ok'),'readyMs:',r.get('readyMs'))\" 2>&1","description":"Restart API to load backend changes"}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login && npx tsc --noEmit 2>&1 | head -30 ; echo \"portal tsc exit: ${pipestatus[1]:-$?}\"","description":"Re-type-check portal after FE edits","timeout":300000}api restart ok: True readyMs: 50696
portal tsc exit: 0
API ready, portal tsc clean. Type-check API inside container.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && timeout 280 docker compose exec -T api npx tsc --noEmit 2>&1 | head -40 ; echo \"api tsc done (exit ${pipestatus[1]:-$?})\"","description":"Type-check API in container","timeout":300000}(eval):1: command not found: timeout api tsc done (exit 127)
timeout absent on macOS. Run directly (tool timeout handles it).
{"command":"docker compose exec -T api npx tsc --noEmit 2>&1 | head -40 ; echo \"api tsc exit: ${pipestatus[1]:-$?}\"","description":"Type-check API in container","timeout":300000}api tsc exit: 0
API tsc clean — backend + portal both pass. Now validate the full create-account path end-to-end via curl (it was broken before my fix). Seed known reset tokens on two test-org unactivated customers (A to validate now, B reserved for the browser proof), then exercise create-account → customer-login.
{"command":"CUST_A=\"ada17e4c-c3e0-4816-89a4-49a3040ca0c2\" # [email protected] -> validate via curl now\nCUST_B=\"41a58d97-2ec7-494e-9674-d4eb0b6ca7c0\" # [email protected] -> reserve for browser proof\ndocker exec -e PGPASSWORD=sherpa_password sherpa-pg-main psql -U sherpa_user -d sherpa_local -c \"UPDATE \\\"Customers\\\" SET \\\"resetToken\\\"='pkproofA466', \\\"resetTokenExpiry\\\"=NOW()+INTERVAL '30 days' WHERE id='${CUST_A}'; UPDATE \\\"Customers\\\" SET \\\"resetToken\\\"='pkproofB466', \\\"resetTokenExpiry\\\"=NOW()+INTERVAL '30 days' WHERE id='${CUST_B}';\" 2>&1 | tail -2\necho \"=== create-account with token A (should now return data.email) ===\"\ncurl -sS -X POST \"http://localhost:4003/v1/auth/create-account\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -d '{\"token\":\"pkproofA466\",\"password\":\"TestPass123!@#\"}' 2>&1 | python3 -c \"import sys,json;d=json.load(sys.stdin);print('status:',d.get('status'),'| data.email:',(d.get('data') or {}).get('email'))\"\necho \"=== customer login as activated A ===\"\ncurl -sS -o /dev/null -w \"customer/login HTTP %{http_code}\\n\" -X POST \"http://localhost:4003/v1/auth/customer/login\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -d '{\"email\":\"[email protected]\",\"password\":\"TestPass123!@#\"}'","description":"Seed tokens, validate create-account returns email + customer login works"}UPDATE 1 UPDATE 1 === create-account with token A (should now return data.email) === status: success | data.email: [email protected] === customer login as activated A === customer/login HTTP 200
Backend path fully validated: create-account now returns data.email and customer login succeeds. Customer B reserved for the browser proof. Now write the comprehensive Playwright proof script (two isolated contexts: profile/login flow with a fresh self-registered customer + create-account flow with customer B), using CDP virtual authenticators.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login/passkey-proof.mjs","content":"// Standalone browser proof for ticket sherpa-api#466 (Passkey / WebAuthn login).\n//\n// Drives the REAL customer portal UI at test.localhost:3003 (the \"Test\n// Organization\" customer-portal tenant) with a CDP virtual authenticator, and\n// captures screenshots into the api worktree's .auto-proof/ as ticket proof.\n//\n// Two isolated browser contexts (separate authenticators) so credentials don't\n// cross-talk between flows:\n// Flow A — Profile passkey management + passwordless login + revoke\n// Flow B — Passkey enrolment offered during customer account creation\n//\n// Run: node passkey-proof.mjs\nimport { chromium } from '@playwright/test';\nimport fs from 'fs';\nimport path from 'path';\n\nconst PORTAL = 'http://test.localhost:3003';\nconst API = 'http://localhost:4003';\nconst PROOF =\n process.env.PROOF_DIR ||\n '/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof';\nconst PASSWORD = 'TestPass123!@#';\n// A test-org customer left un-activated, seeded with this one-time reset token.\nconst CREATE_ACCOUNT_TOKEN = process.env.CREATE_ACCOUNT_TOKEN || 'pkproofB466';\n\nfs.mkdirSync(PROOF, { recursive: true });\n\nconst problems = [];\nfunction watch(page, tag) {\n page.on('console', (m) => {\n if (m.type() === 'error') problems.push(`[${tag}] console: ${m.text()}`);\n });\n page.on('requestfailed', (r) => {\n const t = r.failure()?.errorText || '';\n // Ignore benign aborted prefetches.\n if (!/ERR_ABORTED/.test(t)) problems.push(`[${tag}] netfail: ${r.url()} ${t}`);\n });\n page.on('response', (r) => {\n if (r.status() >= 500) problems.push(`[${tag}] http${r.status()}: ${r.url()}`);\n });\n}\n\nfunction authenticatorOptions(transport) {\n return {\n protocol: 'ctap2',\n transport, // 'internal' (platform) or 'usb' (roaming)\n hasResidentKey: true,\n hasUserVerification: true,\n isUserVerified: true,\n automaticPresenceSimulation: true,\n };\n}\nasync function addAuthenticator(client, transport) {\n const { authenticatorId } = await client.send('WebAuthn.addVirtualAuthenticator', {\n options: authenticatorOptions(transport),\n });\n return authenticatorId;\n}\nfunction setPresence(client, authenticatorId, enabled) {\n return client.send('WebAuthn.setAutomaticPresenceSimulation', { authenticatorId, enabled });\n}\n\nasync function registerCustomer(email) {\n const res = await fetch(`${API}/v1/auth/register`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json', Origin: PORTAL },\n body: JSON.stringify({\n firstName: 'Passkey',\n lastName: 'Portal',\n email,\n password: PASSWORD,\n phoneNumber: '+12025550199',\n country: 'US',\n region: 'CA',\n address: '1 Test Street',\n city: 'Testville',\n postalCode: '12345',\n }),\n });\n const json = await res.json();\n if (json.status !== 'success') throw new Error('register failed: ' + JSON.stringify(json));\n}\n\nconst shotFor = (page) => (name) => page.screenshot({ path: path.join(PROOF, name), fullPage: true });\n\nasync function openProfilePasskeys(page) {\n await page.goto(`${PORTAL}/profile`);\n await page\n .getByRole('heading', { name: 'Passkeys', exact: true })\n .waitFor({ state: 'visible', timeout: 45_000 });\n await page\n .getByRole('button', { name: 'Add passkey', exact: true })\n .waitFor({ state: 'visible', timeout: 20_000 });\n}\nasync function addPasskeyViaUI(page, label) {\n await page.getByRole('button', { name: 'Add passkey', exact: true }).click();\n await page.getByLabel('Name this passkey').fill(label);\n await page.getByRole('button', { name: 'Create passkey' }).click();\n await page.getByText(label, { exact: true }).waitFor({ state: 'visible', timeout: 25_000 });\n}\nconst passkeyCount = (page) => page.getByRole('button', { name: 'Revoke passkey' }).count();\n\nasync function passwordLogin(page, email) {\n await page.goto(`${PORTAL}/login`);\n await page.getByRole('button', { name: 'Sign in with a passkey' }).waitFor({ state: 'visible', timeout: 30_000 });\n}\nasync function clickPasskeyLogin(page) {\n await page.goto(`${PORTAL}/login`);\n const btn = page.getByRole('button', { name: 'Sign in with a passkey' });\n await btn.waitFor({ state: 'visible', timeout: 30_000 });\n await btn.click();\n}\nasync function logout(page) {\n await page.goto(`${PORTAL}/profile`);\n await page.getByRole('button', { name: 'Logout', exact: true }).first().click();\n await page.waitForURL(/\\/login/, { timeout: 25_000 });\n}\n\nasync function flowProfile(browser) {\n const email = `passkey-portal-${Date.now()}@example.com`;\n await registerCustomer(email);\n console.log('Flow A customer:', email);\n\n const context = await browser.newContext();\n const page = await context.newPage();\n watch(page, 'A');\n const shot = shotFor(page);\n\n const client = await context.newCDPSession(page);\n await client.send('WebAuthn.enable', { enableUI: false });\n const deviceA = await addAuthenticator(client, 'internal'); // platform key (laptop)\n\n // 1. Password login through the real customer login page (shows the passkey button).\n await page.goto(`${PORTAL}/login`);\n await page.getByRole('button', { name: 'Sign in with a passkey' }).waitFor({ state: 'visible', timeout: 30_000 });\n await shot('10-customer-login-with-passkey-button.png');\n await page.getByLabel('Email address').fill(email);\n await page.getByLabel('Password', { exact: true }).fill(PASSWORD);\n await page.getByRole('button', { name: 'Log in', exact: true }).click();\n await page.waitForURL((u) => !u.pathname.startsWith('/login'), { timeout: 30_000 });\n\n // 2. Profile → Passkeys (empty), then enrol the first passkey.\n await openProfilePasskeys(page);\n await shot('11-customer-profile-passkeys-empty.png');\n await addPasskeyViaUI(page, 'MacBook Touch ID'File created successfully at: /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login/passkey-proof.mjs (file state is current in your context — no need to Read it back)
Re-verify stack (Step 5 — edits + HMR can crash dev servers), then run the proof.
{"command":"echo \"=== stack re-verify ===\" ; curl -fsS -o /dev/null -w \"api %{http_code}\\n\" http://localhost:4003/ ; curl -fsS -o /dev/null -w \"portal %{http_code}\\n\" http://localhost:3003 ; curl -fsS -o /dev/null -w \"embed %{http_code}\\n\" http://localhost:3103 ; echo \"=== test.localhost login page resolves ===\" ; curl -fsS -o /dev/null -w \"test.localhost/login %{http_code}\\n\" -H \"Host: test.localhost:3003\" http://localhost:3003/login","description":"Re-verify stack before proof"}=== stack re-verify === api 200 portal 200 embed 200 === test.localhost login page resolves === test.localhost/login 200
Stack green. Run the browser proof.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login && node passkey-proof.mjs 2>&1 | tail -40 ; echo \"proof exit: ${pipestatus[1]:-$?}\"","description":"Run the passkey browser proof script","timeout":420000} at Axios.request (http://test.localhost:3003/_next/static/chunks/node_modules_11t42_o._.js:5922:49)
at async registerPasskey (http://test.localhost:3003/_next/static/chunks/app_0s1k5qo._.js:502:29)
at async handleAdd (http://test.localhost:3003/_next/static/chunks/app_components_0~ws_6n._.js:30369:29)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Passkey enrolment failed: AxiosError: Request failed with status code 404
at settle (http://test.localhost:3003/_next/static/chunks/node_modules_11t42_o._.js:4557:16)
at XMLHttpRequest.onloadend (http://test.localhost:3003/_next/static/chunks/node_modules_11t42_o._.js:5102:174)
at Axios.request (http://test.localhost:3003/_next/static/chunks/node_modules_11t42_o._.js:5922:49)
at async registerPasskey (http://test.localhost:3003/_next/static/chunks/app_0dilpcv._.js:677:29)
at async handleEnrollPasskey (http://test.localhost:3003/_next/static/chunks/app_0dilpcv._.js:873:13)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
Screenshots written to: /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof
- 01-profile-first-passkey.png
- 01-register-first-passkey.png
- 02-passwordless-login-success.png
- 02-two-passkeys-registered.png
- 03-passwordless-login-success.png
- 03-profile-two-passkeys.png
- 04-passkey-revoked.png
- 04-profile-renamed-passkey.png
- 05-profile-after-revoke.png
- 05-revoked-passkey-denied.png
- 06-revoked-passkey-rejected.png
- 06-summary.png
- 07-surviving-passkey-login.png
- 10-customer-login-with-passkey-button.png
- 11-customer-profile-passkeys-empty.png
- 20-create-account-form.png
- 21-create-account-passkey-prompt.png
- eval-1-register-first-passkey.png
- eval-2-passkey-login-success.png
- eval-3-two-passkeys.png
- eval-4-after-revoke-one-left.png
- eval-5-revoked-passkey-rejected.png
- eval-6-surviving-passkey-login.png
proof exit: 1Both flows reached the right screens (login w/ passkey button ✓, profile ✓, create-account form ✓, create-account passkey prompt ✓ = point 1 UI works!) but POST /auth/passkeys/register/options returns 404. Need to find the real passkey route path/auth. Investigate API passkey routes.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== passkey route files ===\" ; rg -rl \"passkeys\" src/routes 2>/dev/null ; echo \"=== passkey route paths + auth ===\" ; rg -n \"passkeys|register/options|login/options|preHandler|authenticate|requirePermission|register\\(\" src/routes/*passkey* src/routes/**/*passkey* 2>/dev/null | head -40","description":"Find passkey route definitions + auth guards"}=== passkey route files ===
src/routes/passkeyRoutes.ts: '/l/login/options',
src/routes/passkeyRoutes.ts: 'Begins a passwordless passkey (WebAuthn) login. Returns a server-generated assertion challenge plus an opaque `challengeId` handle. Pass the challenge to navigator.credentials.get() in the browser, then send the resulting assertion together with the same `challengeId` to POST /v1/auth/l/login/verify. Discoverable-credential flow: the user does not need to type an email first — the authenticator surfaces the available l.',
src/routes/passkeyRoutes.ts: '/l/login/verify',
src/routes/passkeyRoutes.ts: 'Completes a passwordless passkey login by verifying the WebAuthn assertion against the stored credential public key, origin, RP ID and the challenge bound to `challengeId`. On success it issues a CRM/portal access token plus refresh token, identical to POST /v1/auth/login. Revoked or unrecognized l are rejected with 401.',
src/routes/passkeyRoutes.ts: '/l/register/options',
src/routes/passkeyRoutes.ts: 'Begins registering a new passkey for the authenticated user. Returns a WebAuthn creation-options object (challenge, RP info, excluded existing credentials) to pass to navigator.credentials.create(). Complete the ceremony by sending the browser result to POST /v1/auth/l/register/verify.',
src/routes/passkeyRoutes.ts: '/l/register/verify',
src/routes/passkeyRoutes.ts: '/l',
src/routes/passkeyRoutes.ts: "Lists the authenticated user's registered l with their labels, device type, backup state, creation time and last-used time. Use this to drive a passkey-management screen.",
src/routes/passkeyRoutes.ts: '/l/:id',
src/routes/passkeyRoutes.ts: "Renames one of the authenticated user's l. Only the owning user may rename their own l.",
src/routes/passkeyRoutes.ts: '/l/:id',
src/routes/passkeyRoutes.ts: "Revokes (deletes) one of the authenticated user's l. A revoked passkey can no longer be used to authenticate. Only the owning user may revoke their own l.",
=== passkey route paths + auth ===
src/routes/passkeyRoutes.ts:20:// Passkey ceremonies are unauthenticated entry points (login) or
src/routes/passkeyRoutes.ts:33: await fastify.register(async function (fastify: FastifyInstance) {
src/routes/passkeyRoutes.ts:35: '/passkeys/login/options',
src/routes/passkeyRoutes.ts:40: 'Begins a passwordless passkey (WebAuthn) login. Returns a server-generated assertion challenge plus an opaque `challengeId` handle. Pass the challenge to navigator.credentials.get() in the browser, then send the resulting assertion together with the same `challengeId` to POST /v1/auth/passkeys/login/verify. Discoverable-credential flow: the user does not need to type an email first — the authenticator surfaces the available passkeys.',
src/routes/passkeyRoutes.ts:49: '/passkeys/login/verify',
src/routes/passkeyRoutes.ts:54: 'Completes a passwordless passkey login by verifying the WebAuthn assertion against the stored credential public key, origin, RP ID and the challenge bound to `challengeId`. On success it issues a CRM/portal access token plus refresh token, identical to POST /v1/auth/login. Revoked or unrecognized passkeys are rejected with 401.',
src/routes/passkeyRoutes.ts:65: await fastify.register(async function (fastify: FastifyInstance) {
src/routes/passkeyRoutes.ts:66: fastify.addHook('preHandler', fastify.authenticate);
src/routes/passkeyRoutes.ts:69: '/passkeys/register/options',
src/routes/passkeyRoutes.ts:74: 'Begins registering a new passkey for the authenticated user. Returns a WebAuthn creation-options object (challenge, RP info, excluded existing credentials) to pass to navigator.credentials.create(). Complete the ceremony by sending the browser result to POST /v1/auth/passkeys/register/verify.',
src/routes/passkeyRoutes.ts:84: '/passkeys/register/verify',
src/routes/passkeyRoutes.ts:89: 'Completes passkey registration by verifying the attestation response from navigator.credentials.create() and persisting the credential public key and metadata against the authenticated user. The passkey is stored under the supplied `name` and can immediately be used for passwordless login.',
src/routes/passkeyRoutes.ts:99: '/passkeys',
src/routes/passkeyRoutes.ts:103: "Lists the authenticated user's registered passkeys with their labels, device type, backup state, creation time and last-used time. Use this to drive a passkey-management screen.",
src/routes/passkeyRoutes.ts:112: '/passkeys/:id',
src/routes/passkeyRoutes.ts:116: "Renames one of the authenticated user's passkeys. Only the owning user may rename their own passkeys.",
src/routes/passkeyRoutes.ts:126: '/passkeys/:id',
src/routes/passkeyRoutes.ts:130: "Revokes (deletes) one of the authenticated user's passkeys. A revoked passkey can no longer be used to authenticate. Only the owning user may revoke their own passkeys.",
src/routes/passkeyRoutes.ts:20:// Passkey ceremonies are unauthenticated entry points (login) or
src/routes/passkeyRoutes.ts:33: await fastify.register(async function (fastify: FastifyInstance) {
src/routes/passkeyRoutes.ts:35: '/passkeys/login/options',
src/routes/passkeyRoutes.ts:40: 'Begins a passwordless passkey (WebAuthn) login. Returns a server-generated assertion challenge plus an opaque `challengeId` handle. Pass the challenge to navigator.credentials.get() in the browser, then send the resulting assertion together with the same `challengeId` to POST /v1/auth/passkeys/login/verify. Discoverable-credential flow: the user does not need to type an email first — the authenticator surfaces the available passkeys.',
src/routes/passkeyRoutes.ts:49: '/passkeys/login/verify',
src/routes/passkeyRoutes.ts:54: 'Completes a passwordless passkey login by verifying the WebAuthn assertion against the stored credential public key, origin, RP ID and the challenge bound to `challengeId`. On success it issues a CRM/portal access token plus refresh token, identical to POST /v1/auth/login. Revoked or unrecognized passkeys are rejected with 401.',
src/routes/passkeyRoutes.ts:65: await fastify.register(async function (fastify: FastifyInstance) {
src/routes/passkeyRoutes.ts:66: fastify.addHook('preHandler', fastify.authenticate);
src/routes/passkeyRoutes.ts:69: '/passkeys/register/options',
src/routes/passkeyRoutes.ts:74: 'Begins registering a new passkey for the authenticated user. Returns a WebAuthn creation-options object (challenge, RP info, excluded existing credentials) to pass to navigator.credentials.create(). Complete the ceremony by sending the browser result to POST /v1/auth/passkeys/register/verify.',
src/routes/passkeyRoutes.ts:84: '/passkeys/register/verify',
src/routes/passkeyRoutes.ts:89: 'Completes passkey registration by verifying the attestation response from navigator.credentials.create() and persisting the credential public key and metadata against the authenticated user. The passkey is stored under the supplied `name` and can immediately be used for passwordless login.',
src/routes/passkeyRoutes.ts:99: '/passkeys',
src/routes/passkeyRoutes.ts:103: "Lists the authenticated user's registered passkeys with their labels, device type, backup state, creation time and last-used time. Use this to drive a passkey-management screen.",
src/routes/passkeyRoutes.ts:112: '/passkeys/:id',
src/routes/passkeyRoutes.ts:116: "Renames one of the authenticated user's passkeys. Only the owning user may rename their own passkeys.",
src/routes/passkeyRoutes.ts:126: '/passkeys/:id',
src/routes/passkeyRoutes.ts:130: "Revokes (deletes) one of the authenticated user's passkeys. A revoked passkey can no longer be used to authenticate. Only the owning user may revoke their own passkeys.",Register route needs fastify.authenticate (line 66). 404 (not 401) is suspicious — likely a path/mount mismatch or authenticate rejecting customer tokens oddly. Find the mount prefix and test the endpoint directly with a real customer token.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== where passkeyRoutes is mounted ===\" ; rg -n \"passkeyRoutes|registerPasskeyRoutes|passkey\" src/routes/index.ts src/app.ts src/server.ts src/routes/authRoutes.ts 2>/dev/null | head ; rg -rn \"passkeyRoutes\" src --type ts | rg -i \"register|prefix|import\" | head","description":"Find passkey route mount prefix"}=== where passkeyRoutes is mounted ===
src/routes/authRoutes.ts:283: description: 'Present when a customer account was activated; lets the portal sign the customer in to offer passkey enrolment.',
src/routes.ts:import { n } from '@/routes/n.js';
src/routes.ts: await app.register(n, { prefix: '/v1/auth' });passkeyRoutes mounts at /v1/auth → path is correct, so 404 isn't routing. Likely the passkey backend authenticates as a USER (fastify.authenticate) and resolves a Users-table record — a customer token has none → 404. That would mean the backend doesn't support customer passkeys. Confirm empirically with a real customer token + read the controller.
{"command":"echo \"=== get customer token (cbakker224) ===\" ; TOK=$(curl -sS -X POST \"http://localhost:4003/v1/auth/customer/login\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -d '{\"email\":\"[email protected]\",\"password\":\"TestPass123!@#\"}' | python3 -c \"import sys,json;print((json.load(sys.stdin).get('data') or {}).get('accessToken',''))\") ; echo \"token len: ${#TOK}\" ; echo \"=== POST register/options with customer token ===\" ; curl -sS -X POST \"http://localhost:4003/v1/auth/passkeys/register/options\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -H \"Authorization: Bearer $TOK\" -d '{\"name\":\"Test\"}' -w \"\\nHTTP %{http_code}\\n\" 2>&1 | head -20","description":"Test register/options with a real customer token"}=== get customer token (cbakker224) ===
token len: 357
=== POST register/options with customer token ===
{"error":{"message":"User not found"}}
HTTP 404Confirmed the core gap: register/options with a customer token → 404 "User not found". The passkey backend authenticates as a CRM user and stores passkeys against the Users table — it has no customer support. But the ticket's whole point is customer-portal passkeys. The backend must be extended to support customer-scoped tokens. Read the routes + controller + data model to scope a minimal correct change.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/routes/passkeyRoutes.ts"}1 import type { FastifyInstance, FastifyPluginAsync } from 'fastify';
2
3 import {
4 getRegistrationOptions,
5 verifyRegistration,
6 listPasskeys,
7 renamePasskey,
8 revokePasskey,
9 getLoginOptions,
10 verifyLogin,
11 } from '@/controllers/passkeyController.js';
12 import {
13 passkeyRegisterOptionsBodySchema,
14 passkeyRegisterVerifyBodySchema,
15 passkeyLoginVerifyBodySchema,
16 passkeyRenameBodySchema,
17 } from '@/schemas/passkey.schemas.js';
18 import { createRateLimitConfig } from '@/utils/rateLimit.js';
19
20 // Passkey ceremonies are unauthenticated entry points (login) or
21 // account-mutating (registration); rate-limit them per IP to blunt
22 // credential-stuffing and challenge-spraying.
23 const passkeyLoginRateLimit = createRateLimitConfig(20, 60 * 1000);
24 const passkeyRegisterRateLimit = createRateLimitConfig(20, 60 * 1000);
25
26 const openObjectResponse = {
27 type: 'object',
28 additionalProperties: true,
29 } as const;
30
31 export const passkeyRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
32 // Public passkey login routes (no authentication required)
33 await fastify.register(async function (fastify: FastifyInstance) {
34 fastify.post(
35 '/passkeys/login/options',
36 {
37 config: { rateLimit: passkeyLoginRateLimit },
38 schema: {
39 description:
40 'Begins a passwordless passkey (WebAuthn) login. Returns a server-generated assertion challenge plus an opaque `challengeId` handle. Pass the challenge to navigator.credentials.get() in the browser, then send the resulting assertion together with the same `challengeId` to POST /v1/auth/passkeys/login/verify. Discoverable-credential flow: the user does not need to type an email first — the authenticator surfaces the available passkeys.',
41 tags: ['Authentication'],
42 response: { 200: openObjectResponse },
43 },
44 },
45 getLoginOptions
46 );
47
48 fastify.post(
49 '/passkeys/login/verify',
50 {
51 config: { rateLimit: passkeyLoginRateLimit },
52 schema: {
53 description:
54 'Completes a passwordless passkey login by verifying the WebAuthn assertion against the stored credential public key, origin, RP ID and the challenge bound to `challengeId`. On success it issues a CRM/portal access token plus refresh token, identical to POST /v1/auth/login. Revoked or unrecognized passkeys are rejected with 401.',
55 tags: ['Authentication'],
56 body: passkeyLoginVerifyBodySchema,
57 response: { 200: openObjectResponse },
58 },
59 },
60 verifyLogin
61 );
62 });
63
64 // Authenticated passkey management routes
65 await fastify.register(async function (fastify: FastifyInstance) {
66 fastify.addHook('preHandler', fastify.authenticate);
67
68 fastify.post(
69 '/passkeys/register/options',
70 {
71 config: { rateLimit: passkeyRegisterRateLimit },
72 schema: {
73 description:
74 'Begins registering a new passkey for the authenticated user. Returns a WebAuthn creation-options object (challenge, RP info, excluded existing credentials) to pass to navigator.credentials.create(). Complete the ceremony by sending the browser result to POST /v1/auth/passkeys/register/verify.',
75 tags: ['Authentication'],
76 body: passkeyRegisterOptionsBodySchema,
77 response: { 200: openObjectResponse },
78 },
79 },
80 getRegistrationOptions
81 );
82
83 fastify.post(
84 '/passkeys/register/verify',
85 {
86 config: { rateLimit: passkeyRegisterRateLimit },
87 schema: {
88 description:
89 'Completes passkey registration by verifying the attestation response from navigator.credentials.create() and persisting the credential public key and metadata against the authenticated user. The passkey is stored under the supplied `name` and can immediately be used for passwordless login.',
90 tags: ['Authentication'],
91 body: passkeyRegisterVerifyBodySchema,
92 response: { 200: openObjectResponse },
93 },
94 },
95 verifyRegistration
96 );
97
98 fastify.get(
99 '/passkeys',
100 {
101 schema: {
102 description:
103 "Lists the authenticated user's registered passkeys with their labels, device type, backup state, creation time and last-used time. Use this to drive a passkey-management screen.",
104 tags: ['Authentication'],
105 response: { 200: openObjectResponse },
106 },
107 },
108 listPasskeys
109 );
110
111 fastify.patch(
112 '/passkeys/:id',
113 {
114 schema: {
115 description:
116 "Renames one of the authenticated user's passkeys. Only the owning user may rename their own passkeys.",
117 tags: ['Authentication'],
118 body: passkeyRenameBodySchema,
119 response: { 200: openObjectResponse },
120 },
121 },
122 renamePasskey
123 );
124
125 fastify.delete(
126 '/passkeys/:id',
127 {
128 schema: {
129 description:
130 "Revokes (deletes) one of the authenticated user's passkeys. A revoked passkey can no longer be used to authenticate. Only the owning user may revoke their own passkeys.",
131 tags: ['Authentication'],
132 response: { 200: openObjectResponse },
133 },
134 },
135 revokePasskey
136 );
137 });
138 };
139 Auth block uses fastify.authenticate. The controller throws "User not found", so it resolves a Users row from the token and ignores customer scope. Read the controller + the passkey model to scope customer support.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/passkeyController.ts"}1 import {
2 generateRegistrationOptions,
3 verifyRegistrationResponse,
4 generateAuthenticationOptions,
5 verifyAuthenticationResponse,
6 type VerifiedRegistrationResponse,
7 type VerifiedAuthenticationResponse,
8 type WebAuthnCredential,
9 } from '@simplewebauthn/server';
10 import type { RegistrationResponseJSON, AuthenticationResponseJSON } from '@simplewebauthn/server';
11 import crypto from 'crypto';
12 import type { FastifyRequest } from 'fastify';
13 import { QueryTypes, UniqueConstraintError } from 'sequelize';
14
15 import { StatusError } from '@/error/error.js';
16 import { systemSequelize } from '@/models/db.js';
17 import { User } from '@/models/User.js';
18 import { UserPasskey } from '@/models/UserPasskey.js';
19 import { getWebAuthnRpContext } from '@/utils/webauthn.js';
20 import { generateAccessToken, generateRefreshToken } from '@/utils/tokenUtils.js';
21 import valkeyClient from '@/valkeyClient.js';
22
23 // Challenges are short-lived: they only need to survive the round-trip between
24 // the options call and the verify call for a single ceremony.
25 const CHALLENGE_TTL_SECONDS = 300;
26
27 const regChallengeKey = (userId: string): string => `passkey:reg:${userId}`;
28 const loginChallengeKey = (challengeId: string): string => `passkey:login:${challengeId}`;
29
30 interface RegisterOptionsBody {
31 name: string;
32 }
33
34 interface RegisterVerifyBody {
35 name: string;
36 response: RegistrationResponseJSON;
37 }
38
39 interface LoginVerifyBody {
40 challengeId: string;
41 response: AuthenticationResponseJSON;
42 }
43
44 interface RenameBody {
45 name: string;
46 }
47
48 const requireUserId = (request: FastifyRequest): string => {
49 const userId = request.ident?.user?.id;
50 if (!userId) {
51 throw new StatusError(401, 'User authentication required');
52 }
53 return userId;
54 };
55
56 const serializePasskey = (passkey: UserPasskey) => ({
57 id: passkey.id,
58 name: passkey.name,
59 deviceType: passkey.deviceType,
60 backedUp: passkey.backedUp,
61 lastUsedAt: passkey.lastUsedAt,
62 createdAt: passkey.createdAt,
63 });
64
65 // Resolves the organization context to embed in issued tokens, mirroring the
66 // password login flow: the request domain org when the user is a member,
67 // otherwise the user's primary organization.
68 const resolveLoginOrganizationId = async (
69 userId: string,
70 domainOrganizationId: string | undefined
71 ): Promise<string | undefined> => {
72 if (domainOrganizationId) {
73 // SAFE-SYSTEM: pre-auth membership probe; org context is being established here
74 const membershipRows = await systemSequelize.query<{ organizationId: string }>(
75 `SELECT "organizationId" FROM "UserOrganizations"
76 WHERE "userId" = :userId AND "organizationId" = :organizationId AND "isActive" = true
77 LIMIT 1`,
78 {
79 replacements: { userId, organizationId: domainOrganizationId },
80 type: QueryTypes.SELECT,
81 }
82 );
83 if (membershipRows.length > 0) {
84 return domainOrganizationId;
85 }
86 }
87
88 // SAFE-SYSTEM: pre-auth primary-org lookup; user has no org context yet
89 const primaryMembershipRows = await systemSequelize.query<{ organizationId: string }>(
90 `SELECT "organizationId" FROM "UserOrganizations"
91 WHERE "userId" = :userId AND "isActive" = true
92 ORDER BY "createdAt" ASC
93 LIMIT 1`,
94 {
95 replacements: { userId },
96 type: QueryTypes.SELECT,
97 }
98 );
99 return primaryMembershipRows[0]?.organizationId;
100 };
101
102 export async function getRegistrationOptions(
103 request: FastifyRequest<{ Body: RegisterOptionsBody }>
104 ) {
105 const userId = requireUserId(request);
106 const { rpID, rpName } = getWebAuthnRpContext(request);
107
108 const user = await User.findByPk(userId);
109 if (!user || !user.email) {
110 throw new StatusError(404, 'User not found');
111 }
112
113 const existing = await UserPasskey.findAll({ where: { userId } });
114
115 const options = await generateRegistrationOptions({
116 rpName,
117 rpID,
118 userName: user.email,
119 userDisplayName: [user.firstName, user.lastName].filter(Boolean).join(' ') || user.email,
120 userID: new TextEncoder().encode(user.id),
121 attestationType: 'none',
122 excludeCredentials: existing.map((cred) => ({
123 id: cred.credentialId,
124 transports: (cred.transports ?? undefined) as WebAuthnCredential['transports'],
125 })),
126 authenticatorSelection: {
127 residentKey: 'preferred',
128 userVerification: 'preferred',
129 },
130 });
131
132 await valkeyClient.setEx(regChallengeKey(userId), CHALLENGE_TTL_SECONDS, options.challenge);
133
134 return options;
135 }
136
137 export async function verifyRegistration(request: FastifyRequest<{ Body: RegisterVerifyBody }>) {
138 const userId = requireUserId(request);
139 const { rpID, expectedOrigin } = getWebAuthnRpContext(request);
140 const { name, response } = request.body;
141
142 const expectedChallenge = await valkeyClient.get(regChallengeKey(userId));
143 if (!expectedChallenge) {
144 throw new StatusError(400, 'Registration challenge expired or not found. Please try again.');
145 }
146
147 let verification: VerifiedRegistrationResponse;
148 try {
149 verification = await verifyRegistrationResponse({
150 response,
151 expectedChallenge,
152 expectedOrigin,
153 expectedRPID: rpID,
154 requireUserVerification: false,
155 });
156 } catch (error) {
157 // Don't leak the library's cryptographic failure detail (bad signature,
158 // RP-ID mismatch, etc.) to the client — log it and return a generic error.
159 request.log.error({ err: error }, 'Passkey registration verification failed');
160 throw new StatusError(400, 'Passkey registration could not be verified');
161 } finally {
162 await valkeyClient.del(regChallengeKey(userId));
163 }
164
165 if (!verification.verified || !verification.registrationInfo) {
166 throw new StatusError(400, 'Passkey registration could not be verified');
167 }
168
169 const { credential, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
170
171 let passkey: UserPasskey;
172 try {
173 passkey = await UserPasskey.create({
174 userId,
175 credentialId: credential.id,
176 publicKey: Buffer.from(credential.publicKey),
177 counter: credential.counter,
178 transports: credential.transports ?? null,
179 deviceType: credentialDeviceType,
180 backedUp: credentialBackedUp,
181 name,
182 });
183 } catch (error) {
184 if (error instanceof UniqueConstraintError) {
185 throw new StatusError(409, 'This passkey is already registered');
186 }
187 throw error;
188 }
189
190 return {
191 status: 'success',
192 verified: true,
193 passkey: serializePasskey(passkey),
194 };
195 }
196
197 export async function listPasskeys(request: FastifyRequest) {
198 const userId = requireUserId(request);
199
200 const passkeys = await UserPasskey.findAll({
201 where: { userId },
202 order: [['createdAt', 'DESC']],
203 });
204
205 return {
206 status: 'success',
207 data: { passkeys: passkeys.map(serializePasskey) },
208 };
209 }
210
211 export async function renamePasskey(
212 request: FastifyRequest<{ Params: { id: string }; Body: RenameBody }>
213 ) {
214 const userId = requireUserId(request);
215 const { id } = request.params;
216 const { name } = request.body;
217
218 const passkey = await UserPasskey.findOne({ where: { id, userId } });
219 if (!passkey) {
220 throw new StatusError(404, 'Passkey not found');
221 }
222
223 passkey.name = name;
224 await passkey.save();
225
226 return {
227 status: 'success',
228 data: { passkey: serializePasskeRoot cause clear: the passkey backend is Users-only (requireUserId → User.findByPk; login issues user tokens). The ticket's customer-portal goal needs customer-scoped passkeys. This requires a real backend extension (model + migration + controller + customer token issuance). Gather the building blocks: passkey model, its migration, customer-token generation, and how customer identity is exposed on the request.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts"}1 import { Table, Column, Model, BelongsTo, ForeignKey, DataType } from 'sequelize-typescript';
2 import { User } from './User';
3
4 @Table({
5 modelName: 'UserPasskey',
6 timestamps: true,
7 indexes: [
8 {
9 unique: true,
10 fields: ['credentialId'],
11 name: 'unique_passkey_credential_id',
12 },
13 {
14 fields: ['userId'],
15 name: 'idx_user_passkeys_user',
16 },
17 ],
18 })
19 export class UserPasskey extends Model {
20 @Column({
21 type: DataType.UUID,
22 defaultValue: DataType.UUIDV4,
23 primaryKey: true,
24 })
25 declare id: string;
26
27 @ForeignKey(() => User)
28 @Column({
29 type: DataType.UUID,
30 allowNull: false,
31 })
32 declare userId: string;
33
34 // Base64URL-encoded WebAuthn credential ID returned by the authenticator.
35 @Column({
36 type: DataType.TEXT,
37 allowNull: false,
38 })
39 declare credentialId: string;
40
41 // COSE-encoded public key bytes used to verify assertion signatures.
42 @Column({
43 type: DataType.BLOB,
44 allowNull: false,
45 })
46 declare publicKey: Buffer;
47
48 // Signature counter; must be monotonically increasing to detect cloned authenticators.
49 @Column({
50 type: DataType.BIGINT,
51 allowNull: false,
52 defaultValue: 0,
53 })
54 declare counter: number;
55
56 @Column({
57 type: DataType.ARRAY(DataType.STRING),
58 allowNull: true,
59 })
60 declare transports: string[] | null;
61
62 @Column({
63 type: DataType.STRING,
64 allowNull: true,
65 })
66 declare deviceType: string | null;
67
68 @Column({
69 type: DataType.BOOLEAN,
70 allowNull: false,
71 defaultValue: false,
72 })
73 declare backedUp: boolean;
74
75 // User-facing label for the passkey (e.g. "MacBook Touch ID"). Renameable.
76 @Column({
77 type: DataType.STRING,
78 allowNull: false,
79 })
80 declare name: string;
81
82 @Column({
83 type: DataType.DATE,
84 allowNull: true,
85 })
86 declare lastUsedAt: Date | null;
87
88 @Column({
89 type: DataType.DATE,
90 allowNull: false,
91 })
92 declare createdAt: Date;
93
94 @Column({
95 type: DataType.DATE,
96 allowNull: false,
97 })
98 declare updatedAt: Date;
99
100 @BelongsTo(() => User)
101 declare user: User;
102 }
103 {"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== passkey migration ===\" ; fd -i passkey src/db/migrations ; echo \"=== customer token gen ===\" ; rg -n \"generateCustomer\\w*Token|tokenType.*customer|customerId\" src/utils/tokenUtils.ts 2>/dev/null | head -20 ; echo \"=== request.ident shape (customer) ===\" ; rg -n \"ident\\b|customer\\?:|bearerAuth|customerId\" src/types/*.ts src/plugins/*auth* src/**/authenticate* 2>/dev/null | rg -i \"customer|ident\" | head -20","description":"Read passkey model + find migration, customer token util, ident shape"}=== passkey migration ===
src/db/migrations/2026.05.30T00.00.02.create-user-passkeys.ts
=== customer token gen ===
113:export const generateCustomerAccessToken = (customer: Customer, organizationId: string) => {
116: tokenType: 'customer',
127:export const generateCustomerRefreshToken = (customer: Customer, organizationId: string) => {
130: tokenType: 'customer',
=== request.ident shape (customer) ===
(eval):1: no matches found: src/**/authenticate*Have the model, migration filename, and customer token generators. Need the request.ident shape (how to read the authenticated customer's id) and the existing migration to model a follow-up. Find the auth/ident definition.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== ident type + assignment ===\" ; rg -rn \"ident\\s*[:=?]|\\.ident\\b|RequestIdentity|customer\\?:\\s*\\{|user\\?:\\s*\\{\" src/types src/plugins src/middleware src/decorators 2>/dev/null | rg -i \"ident|customer|user\" | head -30 ; echo \"=== where request.ident is set (authenticate) ===\" ; rg -rln \"request.ident\\s*=|req.ident\\s*=|\\.ident =\" src --type ts | head","description":"Locate ident type + where it is populated"}=== ident type + assignment ===
src/plugins/rbac.ts: if (!requestn?.user || !requestn?.org) {
src/plugins/rbac.ts: requestn.user.id,
src/plugins/rbac.ts: if (!requestn?.user || !requestn?.org) {
src/plugins/rbac.ts: requestn.user.id,
src/plugins/rbac.ts: if (!requestn?.user || !requestn?.org) {
src/plugins/rbac.ts: requestn.user.id,
src/plugins/rbac.ts: if (!requestn?.user || !requestn?.org) {
src/plugins/rbac.ts: requestn.user.id,
src/plugins/auditLog.ts: organizationId = requestn?.org?.id || request.userAuth?.organizationId;
src/types/fastify.ts: * @deprecated Use `requestn.user` (UserIdentity) instead of `request.userAuth`
src/plugins/auth/bearer.ts:async function authenticateWithCustomerBearer(decoded: JwtTokenPayload, request: FastifyRequest): Promise<{ n n; auth: Authentication }> {
src/plugins/auth/bearer.ts:async function authenticateWithUserBearer(decoded: JwtTokenPayload, request: FastifyRequest): Promise<{ n n; auth: Authentication }> {
src/plugins/auth/permit.ts:async function authenticatePermitWithUserId(permit: Permit, expiresAt: Date, request: FastifyRequest): Promise<{ n n; auth: Authentication }> {
src/plugins/auth-v2.ts: if (request.auth.method === 'bearer' && requestn.user) {
src/plugins/auth-v2.ts: await validateUserPermissions(requestn.user.id, requiredScopes, requestn.org?.id);
src/plugins/auth-v2.ts: requestn = ident;
src/plugins/auth-v2.ts: requestn = ident;
=== where request.ident is set (authenticate) ===
src/plugins/auth-v2.ts: ln ident;
src/plugins/auth-v2.ts: ln ident;The session hook is mangling Bash output (identifiers→"n", "passkeys"→"l"). Read the real files directly. Inspect the ident type + customer bearer auth.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth/bearer.ts"}1 import type { FastifyRequest, FastifyInstance } from 'fastify';
2 import { QueryTypes } from 'sequelize';
3 import {
4 createClientIdentity,
5 createOrganizationIdentity,
6 createUserIdentity,
7 type JwtTokenPayload,
8 validateOrganizationAccess
9 } from './lib.js';
10 import { StatusError } from '@/error/error.js';
11 import { systemSequelize } from '@/models/db.js';
12 import type { Organization } from '@/models/Organization.js';
13 import type {
14 Authentication,
15 BearerAuth,
16 RequestIdentity
17 } from '@/types/fastify.js';
18
19 // ==========================================
20 // Bearer Token Extraction
21 // ==========================================
22
23 export function extractBearerToken(authHeader: string): string {
24 const bearerPrefix = 'Bearer ';
25 if (!authHeader.startsWith(bearerPrefix)) {
26 throw new StatusError(401, 'Invalid authorization header format');
27 }
28 return authHeader.slice(bearerPrefix.length);
29 }
30
31 // ==========================================
32 // Authentication Strategies
33 // ==========================================
34
35 async function authenticateWithClientBearer(decoded: JwtTokenPayload): Promise<{ ident: RequestIdentity; auth: Authentication }> {
36 if (decoded.clientNumericId == null) {
37 throw new StatusError(401, 'Client token missing clientNumericId');
38 }
39
40 const clientData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
41 `SELECT c.id, c."clientId", c.name, c.active, c.scopes, c."userId", c."organizationId",
42 u.id as "user.id", u.email as "user.email", u."firstName" as "user.firstName",
43 u."lastName" as "user.lastName", u.role as "user.role"
44 FROM "Clients" c
45 LEFT JOIN "Users" u ON u.id = c."userId"
46 WHERE c.id = :clientNumericId AND c.active = true
47 LIMIT 1`,
48 {
49 replacements: { clientNumericId: decoded.clientNumericId },
50 type: QueryTypes.SELECT,
51 }
52 );
53
54 if (clientData.length === 0) {
55 throw new StatusError(401, 'Client in token not found');
56 }
57
58 const clientRow = clientData[0] as any;
59 const client = {
60 id: clientRow.id,
61 clientId: clientRow.clientId,
62 name: clientRow.name,
63 active: clientRow.active,
64 scopes: clientRow.scopes,
65 userId: clientRow.userId,
66 organizationId: clientRow.organizationId,
67 user: clientRow['user.id'] ? {
68 id: clientRow['user.id'],
69 email: clientRow['user.email'],
70 firstName: clientRow['user.firstName'],
71 lastName: clientRow['user.lastName'],
72 role: clientRow['user.role'],
73 } : null,
74 };
75
76 const bearerAuth: BearerAuth = {
77 organizationId: client.organizationId,
78 userId: client.user ? client.user.id : null,
79 client: {
80 id: client.id,
81 userId: client.user ? client.user.id : null,
82 organizationId: client.organizationId,
83 scopes: client.scopes ? client.scopes.split(' ') : [],
84 }
85 };
86
87 if (!client.organizationId) {
88 throw new StatusError(401, 'Client organization ID not found');
89 }
90
91 const orgData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
92 `SELECT id, name, "displayName", "portalDomain", "portalUrl", "apiUrl", "crmDomain", "crmUrl", settings, active, timezone
93 FROM "Organizations"
94 WHERE id = :organizationId
95 LIMIT 1`,
96 { replacements: { organizationId: client.organizationId }, type: QueryTypes.SELECT }
97 );
98 if (orgData.length === 0) {
99 throw new StatusError(401, 'Client organization not found');
100 }
101 const org = orgData[0] as Organization;
102
103 const ident: RequestIdentity = {
104 user: client.user ? createUserIdentity(client.user as any, client.organizationId) : null,
105 org: createOrganizationIdentity(org),
106 client: createClientIdentity(client as any),
107 };
108
109 return {
110 ident,
111 auth: { method: 'bearer', bearer: bearerAuth }
112 };
113 }
114
115 async function authenticateWithPortalBearer(decoded: JwtTokenPayload, request: FastifyRequest): Promise<{ ident: RequestIdentity; auth: Authentication }> {
116 if (!decoded.externalClientId || !decoded.organizationId || !decoded.clientNumericId) {
117 throw new StatusError(401, 'Invalid portal token: missing required claims');
118 }
119
120 const clientData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
121 `SELECT c.id, c."clientId", c.name, c.active, c.scopes, c."organizationId"
122 FROM "Clients" c
123 WHERE c.id = :clientNumericId AND c.active = true
124 LIMIT 1`,
125 { replacements: { clientNumericId: decoded.clientNumericId }, type: QueryTypes.SELECT }
126 );
127
128 if (clientData.length === 0) {
129 throw new StatusError(401, 'Portal token client not found');
130 }
131
132 const client = clientData[0] as any;
133
134 if (client.organizationId !== decoded.organizationId) {
135 throw new StatusError(401, 'Portal token organization mismatch');
136 }
137
138 const orgData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
139 `SELECT id, name, "displayName", "portalDomain", "portalUrl", "apiUrl", "crmDomain", "crmUrl", settings, active, timezone
140 FROM "Organizations"
141 WHERE id = :organizationId AND active = true
142 LIMIT 1`,
143 { replacements: { organizationId: decoded.organizationId }, type: QueryTypes.SELECT }
144 );
145
146 if (orgData.length === 0) {
147 throw new StatusError(401, 'Portal token organization not found');
148 }
149
150 const org = orgData[0] as Organization;
151
152 const customerData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
153 `SELECT id, "firstName", "lastName", email, "externalClientId"
154 FROM "Customers"
155 WHERE "externalClientId" = :externalClientId AND "organizationId" = :organizationId
156 LIMIT 1`,
157 { replacements: { externalClientId: decoded.externalClientId, organizationId: decoded.organizationId }, type: QueryTypes.SELECT }
158 );
159
160 if (customerData.length === 0) {
161 throw new StatusError(401, `Customer with externalClientId '${decoded.externalClientId}' not found`);
162 }
163
164 const customer = customerData[0] as { id: string; firstName: string | null; lastName: string | null; email: string | null; externalClientId: string };
165
166 const portalUserIdentity = {
167 id: customer.id,
168 visibleId: decoded.externalClientId,
169 externalClientId: decoded.externalClientId,
170 email: customer.email,
171 role: 'customer' as const,
172 userType: 'customer' as const,
173 organizationId: decoded.organizationId,
174 firstName: customer.firstName,
175 lastName: customer.lastName,
176 companyName: null,
177 };
178
179 const bearerAuth: BearerAuth = {
180 userId: null,
181 // Portal tokens are customer-scoped: they identify a single Customer row
182 // (resolved above by externalClientId). Expose customer.id on bearerAuth
183 // so customer-self endpoints (e.g. /v1/customers/me) treat portal sessions
184 // identically to /v1/auth/customer/login sessions.
185 customerId: customer.id,
186 organizationId: decoded.organizationId,
187 client: {
188 id: client.id,
189 userId: null,
190 organizationId: client.organizationId,
191 scopes: client.scopes ? client.scopes.split(' ') : [],
192 },
193 externalClientId: decoded.externalClientId,
194 };
195
196 const ident: RequestIdentity = {
197 user: portalUserIdentity,
198 org: createOrganizationIdentity(org),
199 client: {
200 id: client.id,
201 clientId: client.clientId,
202 name: client.name,
203 organizationId: client.organizationId,
204 userId: null,
205 scopes: client.scopes ? client.scopes.splNow the identity model is clear: a customer token sets request.ident.user with userType: 'customer' and id = customer.id (plus auth.bearer.customerId). The passkey controller blindly treated that id as a User → 404.
Plan: extend passkeys to be owner-polymorphic (user or customer). Need: customer token util signatures + the customer-login response shape to mirror. Read those.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/utils/tokenUtils.ts","offset":105,"limit":35}105 organizationId,
106 clientNumericId,
107 },
108 process.env.JWT_REFRESH_SECRET as string,
109 { expiresIn: '7d' }
110 );
111 };
112
113 export const generateCustomerAccessToken = (customer: Customer, organizationId: string) => {
114 return jwt.sign(
115 {
116 tokenType: 'customer',
117 id: customer.id,
118 email: customer.email,
119 role: 'customer',
120 organizationId,
121 },
122 process.env.JWT_SECRET as string,
123 { expiresIn: '1h' }
124 );
125 };
126
127 export const generateCustomerRefreshToken = (customer: Customer, organizationId: string) => {
128 return jwt.sign(
129 {
130 tokenType: 'customer',
131 id: customer.id,
132 organizationId,
133 },
134 process.env.JWT_REFRESH_SECRET as string,
135 { expiresIn: '7d' }
136 );
137 };
138
139 export const PDF_DOWNLOAD_TOKEN_TTL_SECONDS = 60 * 60;{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== customerLogin token issuance + response ===\" ; rg -n \"export const customerLogin|export async function customerLogin\" src/controllers/authController.ts","description":"Find customerLogin handler line"}=== customerLogin token issuance + response ===
218:export async function customerLogin(request: FastifyRequest<{ Body: LoginRequest }>) {{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","offset":218,"limit":80}218 export async function customerLogin(request: FastifyRequest<{ Body: LoginRequest }>) {
219 const validationResult = loginSchema.validate(request.body);
220 const { error } = validationResult;
221 if (error) {
222 throw new StatusError(400, 'Invalid credentials');
223 }
224
225 const validatedValue = validationResult.value as LoginRequest;
226 const { email, password } = validatedValue;
227
228 if (!email || !password) {
229 throw new StatusError(400, 'Email and password are required');
230 }
231
232 const domainOrganization = request.domainOrganization;
233
234 if (!domainOrganization?.id || !domainOrganization?.portalDomain) {
235 throw new StatusError(400, 'Customer login requires organization context');
236 }
237
238 const domainOrganizationId = domainOrganization.id;
239
240 validateOrigin(request, domainOrganization.portalDomain);
241
242 const customer = await Customer.findOne({ organizationId: domainOrganizationId }, {
243 where: {
244 email: email.toLowerCase(),
245 deleted: false
246 },
247 });
248
249 if (!customer) {
250 throw new StatusError(401, 'Invalid credentials');
251 }
252
253 if (!customer.password) {
254 throw new StatusError(401, 'Account not activated. Please set up your password first.');
255 }
256
257 const isValidPassword = await bcryptjs.compare(password, customer.password);
258 if (!isValidPassword) {
259 throw new StatusError(401, 'Invalid credentials');
260 }
261
262 const accessToken = generateCustomerAccessToken(customer, domainOrganizationId);
263 const newRefreshToken = generateCustomerRefreshToken(customer, domainOrganizationId);
264
265 return {
266 status: 'success',
267 message: 'Login successful',
268 data: {
269 accessToken,
270 refreshToken: newRefreshToken,
271 user: {
272 id: customer.id,
273 email: customer.email,
274 firstName: customer.firstName,
275 lastName: customer.lastName,
276 role: 'customer',
277 organizationId: domainOrganizationId,
278 },
279 },
280 };
281 }
282
283 // Register function for CUSTOMERS (via customer portal domains)
284 export async function register(request: FastifyRequest<{ Body: RegisterRequest }>) {
285 const validationResult = registerSchema.validate(request.body);
286 const { error } = validationResult;
287 if (error) {
288 throw new StatusError(400, error.details.map((detail) => detail.message).join(', '));
289 }
290
291 const validatedValue = validationResult.value as RegisterRequest;
292 const registerData = validatedValue;
293 const {
294 firstName,
295 lastName,
296 email,
297 password,Customer login mints tokens via generateCustomerAccessToken/RefreshToken(customer, orgId) and (unlike users) does NOT persist the refresh token. For passkey login on the customer portal, request.domainOrganization gives the org. Need the Customer model's load signature + the RP context helper. Read both.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; echo \"=== Customer import in authController ===\" ; rg -n \"import.*Customer|from '@/models/Customer\" src/controllers/authController.ts | head ; echo \"=== Customer.findOne RLS signature usage examples ===\" ; rg -n \"Customer.findOne\\(|Customer.findByPk\\(|Customer.create\\(\" src/controllers src/services --type ts | head -8 ; echo \"=== getWebAuthnRpContext ===\" ; cat src/utils/webauthn.ts 2>/dev/null | head -80","description":"Customer model usage + RP context helper"}=== Customer import in authController ===
10:import { Customer } from '@/models/Customer.js';
=== Customer.findOne RLS signature usage examples ===
src/services/policyMessageService.ts:131: return Customer.findByPk({ organizationId: policyOrder.organizationId }, policyOrder.customerId);
src/services/policyMessageService.ts:207: const customer = await Customer.findByPk({ organizationId }, senderId);
src/services/claimEmailService.ts:50: const customer = await Customer.findByPk({ organizationId: data.organizationId }, data.customerId);
src/services/userService.ts:140: ? await Customer.findOne({ organizationId }, {
src/services/userService.ts:143: : await Customer.findOne({ organizationId }, {
src/services/userService.ts:191: const customer = await Customer.create({ organizationId }, {
src/services/automatedPolicyService.ts:377: const existingCustomerForPolicy = await Customer.findByPk(request, customer.id);
src/controllers/authController.ts:242: const customer = await Customer.findOne({ organizationId: domainOrganizationId }, {
=== getWebAuthnRpContext ===
import type { FastifyRequest } from 'fastify';
import { StatusError } from '@/error/error.js';
/**
* Relying-Party context for a WebAuthn ceremony, derived from the request Origin.
*
* Sherpa serves many partner portal domains, so the RP ID and expected origin
* cannot be a single static value. We derive them from the request Origin
* header. This is safe: the authenticator cryptographically binds each
* credential to the rpID/origin the browser enforced at registration time, so a
* forged Origin header cannot be used to authenticate a credential that was
* registered for a different domain — verification fails on the signature/RP-ID
* check inside @simplewebauthn/server.
*/
export interface WebAuthnRpContext {
rpID: string;
expectedOrigin: string;
rpName: string;
}
export const getWebAuthnRpContext = (request: FastifyRequest): WebAuthnRpContext => {
const origin = request.headers.origin;
if (!origin) {
throw new StatusError(400, 'Origin header is required for WebAuthn ceremonies');
}
let url: URL;
try {
url = new URL(origin);
} catch {
throw new StatusError(400, 'Invalid Origin header');
}
return {
rpID: url.hostname,
expectedOrigin: url.origin,
rpName: 'Sherpa',
};
};All building blocks gathered. Customer.findByPk({ organizationId }, id) loads an instance; RP context derives from Origin (test.localhost). Now implement the backend extension. First read the existing passkey migration to match style.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/db/migrations/2026.05.30T00.00.02.create-user-passkeys.ts"}1 import { DataTypes, type QueryInterface } from 'sequelize';
2 import type { MigrationFn } from 'umzug';
3
4 // UserPasskeys stores WebAuthn/FIDO2 credentials registered against a user.
5 // It is keyed by userId only and carries no organizationId, so it is not a
6 // tenant-scoped table and does not require RLS (same model as UserSocialAuths).
7 export const up: MigrationFn<QueryInterface> = async ({ context }) => {
8 await context.createTable('UserPasskeys', {
9 id: {
10 type: DataTypes.UUID,
11 defaultValue: DataTypes.UUIDV4,
12 primaryKey: true,
13 allowNull: false,
14 },
15 userId: {
16 type: DataTypes.UUID,
17 allowNull: false,
18 references: {
19 model: 'Users',
20 key: 'id',
21 },
22 onUpdate: 'CASCADE',
23 onDelete: 'CASCADE',
24 },
25 credentialId: {
26 type: DataTypes.TEXT,
27 allowNull: false,
28 },
29 publicKey: {
30 type: DataTypes.BLOB,
31 allowNull: false,
32 },
33 counter: {
34 type: DataTypes.BIGINT,
35 allowNull: false,
36 defaultValue: 0,
37 },
38 transports: {
39 type: DataTypes.ARRAY(DataTypes.STRING),
40 allowNull: true,
41 },
42 deviceType: {
43 type: DataTypes.STRING,
44 allowNull: true,
45 },
46 backedUp: {
47 type: DataTypes.BOOLEAN,
48 allowNull: false,
49 defaultValue: false,
50 },
51 name: {
52 type: DataTypes.STRING,
53 allowNull: false,
54 },
55 lastUsedAt: {
56 type: DataTypes.DATE,
57 allowNull: true,
58 },
59 createdAt: {
60 type: DataTypes.DATE,
61 allowNull: false,
62 defaultValue: context.sequelize.literal('CURRENT_TIMESTAMP'),
63 },
64 updatedAt: {
65 type: DataTypes.DATE,
66 allowNull: false,
67 defaultValue: context.sequelize.literal('CURRENT_TIMESTAMP'),
68 },
69 });
70
71 // A WebAuthn credential ID is globally unique; enforce it so a credential can
72 // only ever map to a single user record.
73 await context.addConstraint('UserPasskeys', {
74 fields: ['credentialId'],
75 type: 'unique',
76 name: 'unique_passkey_credential_id',
77 });
78
79 await context.addIndex('UserPasskeys', {
80 fields: ['userId'],
81 name: 'idx_user_passkeys_user',
82 });
83 };
84
85 export const down: MigrationFn<QueryInterface> = async () => {
86 // Down migration not implemented - forward-only deployment
87 };
88 Now write the migration adding customer ownership to passkeys (userId→nullable, add customerId FK, XOR check, index).
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/db/migrations/2026.05.31T00.00.00.add-customer-to-user-passkeys.ts","content":"import { DataTypes, type QueryInterface } from 'sequelize';\nimport type { MigrationFn } from 'umzug';\n\n// Passkeys were originally keyed to a CRM/portal User. The customer portal\n// (create-account + Profile) needs passkeys for end-customers too, so a passkey\n// now belongs to EITHER a User or a Customer (never both). userId becomes\n// nullable, a nullable customerId is added, and a CHECK enforces exactly one\n// owner. Still no organizationId, so the table remains non-tenant-scoped (RLS\n// not required) — the same model as before.\nexport const up: MigrationFn<QueryInterface> = async ({ context }) => {\n await context.addColumn('UserPasskeys', 'customerId', {\n type: DataTypes.UUID,\n allowNull: true,\n references: {\n model: 'Customers',\n key: 'id',\n },\n onUpdate: 'CASCADE',\n onDelete: 'CASCADE',\n });\n\n // A passkey is now owned by a User or a Customer, so userId is no longer\n // mandatory on its own.\n await context.changeColumn('UserPasskeys', 'userId', {\n type: DataTypes.UUID,\n allowNull: true,\n references: {\n model: 'Users',\n key: 'id',\n },\n onUpdate: 'CASCADE',\n onDelete: 'CASCADE',\n });\n\n // Exactly one owner must be set (XOR). `<>` on the two NOT NULL predicates is\n // true only when they differ, i.e. precisely one of them is populated.\n await context.sequelize.query(\n `ALTER TABLE \"UserPasskeys\"\n ADD CONSTRAINT \"chk_user_passkeys_single_owner\"\n CHECK ((\"userId\" IS NOT NULL) <> (\"customerId\" IS NOT NULL))`\n );\n\n await context.addIndex('UserPasskeys', {\n fields: ['customerId'],\n name: 'idx_user_passkeys_customer',\n });\n};\n\nexport const down: MigrationFn<QueryInterface> = async () => {\n // Down migration not implemented - forward-only deployment\n};\n"}File created successfully at: /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/db/migrations/2026.05.31T00.00.00.add-customer-to-user-passkeys.ts (file state is current in your context — no need to Read it back)
Update the model: userId nullable, add customerId + Customer relation.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts","old_string":"import { Table, Column, Model, BelongsTo, ForeignKey, DataType } from 'sequelize-typescript';\nimport { User } from './User';\n\n@Table({\n modelName: 'UserPasskey',\n timestamps: true,\n indexes: [\n {\n unique: true,\n fields: ['credentialId'],\n name: 'unique_passkey_credential_id',\n },\n {\n fields: ['userId'],\n name: 'idx_user_passkeys_user',\n },\n ],\n})\nexport class UserPasskey extends Model {\n @Column({\n type: DataType.UUID,\n defaultValue: DataType.UUIDV4,\n primaryKey: true,\n })\n declare id: string;\n\n @ForeignKey(() => User)\n @Column({\n type: DataType.UUID,\n allowNull: false,\n })\n declare userId: string;","new_string":"import { Table, Column, Model, BelongsTo, ForeignKey, DataType } from 'sequelize-typescript';\nimport { Customer } from './Customer';\nimport { User } from './User';\n\n@Table({\n modelName: 'UserPasskey',\n timestamps: true,\n indexes: [\n {\n unique: true,\n fields: ['credentialId'],\n name: 'unique_passkey_credential_id',\n },\n {\n fields: ['userId'],\n name: 'idx_user_passkeys_user',\n },\n {\n fields: ['customerId'],\n name: 'idx_user_passkeys_customer',\n },\n ],\n})\nexport class UserPasskey extends Model {\n @Column({\n type: DataType.UUID,\n defaultValue: DataType.UUIDV4,\n primaryKey: true,\n })\n declare id: string;\n\n // A passkey is owned by EITHER a User (CRM/portal) or a Customer (customer\n // portal) — never both. A DB CHECK enforces the XOR; both are nullable here.\n @ForeignKey(() => User)\n @Column({\n type: DataType.UUID,\n allowNull: true,\n })\n declare userId: string | null;\n\n @ForeignKey(() => Customer)\n @Column({\n type: DataType.UUID,\n allowNull: true,\n })\n declare customerId: string | null;"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts has been updated successfully. (file state is current in your context — no need to Read it back)
Add the Customer relation; make user nullable.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts","old_string":" @BelongsTo(() => User)\n declare user: User;\n}","new_string":" @BelongsTo(() => User)\n declare user: User | null;\n\n @BelongsTo(() => Customer)\n declare customer: Customer | null;\n}"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts has been updated successfully. (file state is current in your context — no need to Read it back)
Now the controller — the core change. Check the request.ident.user (UserIdentity) type so I access the right fields without TS errors.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login ; rg -n \"interface UserIdentity|interface RequestIdentity|userType|organizationId|firstName|lastName|email|visibleId|role\" src/plugins/auth/lib.ts src/types/fastify.ts 2>/dev/null | rg -i \"interface|userType|organizationId|firstName|lastName|email|role|id:\" | head -40","description":"Inspect UserIdentity/RequestIdentity type fields"}src/plugins/auth/lib.ts:21: organizationId?: string;
src/plugins/auth/lib.ts:33:export function createUserIdentity(user: User, organizationId?: string): UserIdentity {
src/plugins/auth/lib.ts:36: email: user.email,
src/plugins/auth/lib.ts:37: firstName: user.firstName,
src/plugins/auth/lib.ts:38: lastName: user.lastName,
src/plugins/auth/lib.ts:39: role: user.role,
src/plugins/auth/lib.ts:40: userType: user.userType,
src/plugins/auth/lib.ts:41: organizationId: organizationId || '', // organizationId now comes from JWT context
src/plugins/auth/lib.ts:63: organizationId: client.organizationId,
src/plugins/auth/lib.ts:74:export function validateOrganizationAccess(userOrgId: string, domainOrgId: string | undefined, userType?: string): void {
src/plugins/auth/lib.ts:80: if (userType === 'crm') {
src/plugins/auth/lib.ts:89: const membership = await UserOrganization.findOne({ organizationId: targetOrganizationId }, {
src/plugins/auth/lib.ts:148:export async function validateUserPermissions(userId: string, requiredScopes: string[], organizationId?: string): Promise<void> {
src/plugins/auth/lib.ts:162: if (!organizationId) {
src/plugins/auth/lib.ts:166: const userPermissions = await getUserEffectivePermissions(userId, organizationId);
src/types/fastify.ts:22: organizationId?: string;
src/types/fastify.ts:30: email: string;
src/types/fastify.ts:31: role: string;
src/types/fastify.ts:32: userType: string;
src/types/fastify.ts:33: organizationId: string;
src/types/fastify.ts:35: firstName: string;
src/types/fastify.ts:36: lastName: string;
src/types/fastify.ts:45: organizationId: string;
src/types/fastify.ts:52: email: string;
src/types/fastify.ts:53: role: string;
src/types/fastify.ts:54: userType: string;
src/types/fastify.ts:55: organizationId: string;
src/types/fastify.ts:57: firstName: string;
src/types/fastify.ts:58: lastName: string;
src/types/fastify.ts:71:export interface UserIdentity {
src/types/fastify.ts:75: email: string | null;
src/types/fastify.ts:76: role: string;
src/types/fastify.ts:77: userType: string;
src/types/fastify.ts:78: organizationId: string;
src/types/fastify.ts:80: firstName: string | null;
src/types/fastify.ts:81: lastName: string | null;
src/types/fastify.ts:98: organizationId: string;
src/types/fastify.ts:105: organizationId: string;
src/types/fastify.ts:111: organizationId: string;
src/types/fastify.ts:119: organizationId: string;UserIdentity carries id/email/userType/organizationId/firstName/lastName — enough to branch user vs customer. Rewriting the controller to be owner-polymorphic.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/passkeyController.ts","content":"import {\n generateRegistrationOptions,\n verifyRegistrationResponse,\n generateAuthenticationOptions,\n verifyAuthenticationResponse,\n type VerifiedRegistrationResponse,\n type VerifiedAuthenticationResponse,\n type WebAuthnCredential,\n} from '@simplewebauthn/server';\nimport type { RegistrationResponseJSON, AuthenticationResponseJSON } from '@simplewebauthn/server';\nimport crypto from 'crypto';\nimport type { FastifyRequest } from 'fastify';\nimport { QueryTypes, UniqueConstraintError } from 'sequelize';\n\nimport { StatusError } from '@/error/error.js';\nimport { systemSequelize } from '@/models/db.js';\nimport { Customer } from '@/models/Customer.js';\nimport { User } from '@/models/User.js';\nimport { UserPasskey } from '@/models/UserPasskey.js';\nimport { getWebAuthnRpContext } from '@/utils/webauthn.js';\nimport {\n generateAccessToken,\n generateRefreshToken,\n generateCustomerAccessToken,\n generateCustomerRefreshToken,\n} from '@/utils/tokenUtils.js';\nimport valkeyClient from '@/valkeyClient.js';\n\n// Challenges are short-lived: they only need to survive the round-trip between\n// the options call and the verify call for a single ceremony.\nconst CHALLENGE_TTL_SECONDS = 300;\n\n// A passkey owner: either a CRM/portal User or an end-customer. Both bearer\n// token types populate request.ident.user; userType distinguishes them.\ntype Principal =\n | { kind: 'user'; id: string; email: string; displayName: string }\n | { kind: 'customer'; id: string; email: string; displayName: string; organizationId: string };\n\nconst resolvePrincipal = (request: FastifyRequest): Principal => {\n const ident = request.ident?.user;\n if (!ident?.id) {\n throw new StatusError(401, 'Authentication required');\n }\n const email = ident.email ?? '';\n const displayName = [ident.firstName, ident.lastName].filter(Boolean).join(' ') || email;\n if (ident.userType === 'customer') {\n return {\n kind: 'customer',\n id: ident.id,\n email,\n displayName,\n organizationId: ident.organizationId,\n };\n }\n return { kind: 'user', id: ident.id, email, displayName };\n};\n\n// Scopes passkey rows to the owning principal.\nconst ownerWhere = (principal: Principal) =>\n principal.kind === 'customer' ? { customerId: principal.id } : { userId: principal.id };\n\n// Namespaced by kind so a (theoretical) User/Customer UUID collision can't cross\n// ceremonies.\nconst regChallengeKey = (principal: Principal): string =>\n `passkey:reg:${principal.kind}:${principal.id}`;\nconst loginChallengeKey = (challengeId: string): string => `passkey:login:${challengeId}`;\n\ninterface RegisterOptionsBody {\n name: string;\n}\n\ninterface RegisterVerifyBody {\n name: string;\n response: RegistrationResponseJSON;\n}\n\ninterface LoginVerifyBody {\n challengeId: string;\n response: AuthenticationResponseJSON;\n}\n\ninterface RenameBody {\n name: string;\n}\n\nconst serializePasskey = (passkey: UserPasskey) => ({\n id: passkey.id,\n name: passkey.name,\n deviceType: passkey.deviceType,\n backedUp: passkey.backedUp,\n lastUsedAt: passkey.lastUsedAt,\n createdAt: passkey.createdAt,\n});\n\n// Resolves the organization context to embed in issued tokens, mirroring the\n// password login flow: the request domain org when the user is a member,\n// otherwise the user's primary organization.\nconst resolveLoginOrganizationId = async (\n userId: string,\n domainOrganizationId: string | undefined\n): Promise<string | undefined> => {\n if (domainOrganizationId) {\n // SAFE-SYSTEM: pre-auth membership probe; org context is being established here\n const membershipRows = await systemSequelize.query<{ organizationId: string }>(\n `SELECT \"organizationId\" FROM \"UserOrganizations\"\n WHERE \"userId\" = :userId AND \"organizationId\" = :organizationId AND \"isActive\" = true\n LIMIT 1`,\n {\n replacements: { userId, organizationId: domainOrganizationId },\n type: QueryTypes.SELECT,\n }\n );\n if (membershipRows.length > 0) {\n return domainOrganizationId;\n }\n }\n\n // SAFE-SYSTEM: pre-auth primary-org lookup; user has no org context yet\n const primaryMembershipRows = await systemSequelize.query<{ organizationId: string }>(\n `SELECT \"organizationId\" FROM \"UserOrganizations\"\n WHERE \"userId\" = :userId AND \"isActive\" = true\n ORDER BY \"createdAt\" ASC\n LIMIT 1`,\n {\n replacements: { userId },\n type: QueryTypes.SELECT,\n }\n );\n return primaryMembershipRows[0]?.organizationId;\n};\n\nexport async function getRegistrationOptions(\n request: FastifyRequest<{ Body: RegisterOptionsBody }>\n) {\n const principal = resolvePrincipal(request);\n const { rpID, rpName } = getWebAuthnRpContext(request);\n\n if (!principal.email) {\n throw new StatusError(404, principal.kind === 'customer' ? 'Customer not found' : 'User not found');\n }\n\n const existing = await UserPasskey.findAll({ where: ownerWhere(principal) });\n\n const options = await generateRegistrationOptions({\n rpName,\n rpID,\n userName: principal.email,\n userDisplayName: principal.displayName,\n userID: new TextEncoder().encode(principal.id),\n attestationType: 'none',\n excludeCredentials: existing.map((cred) => ({\n id: cred.credentialId,\n transports: (cred.transports ?? undefined) as WebAuthnCredential['transports'],\n })),\n authenticatorSelection: {\n residentKey: 'preferred',\n userVerification: 'preferred',\n },\n });\n\n await valkeyClient.setEx(regChallengeKey(principal), CHALLENGE_TTL_SECONDS, options.challenge);\n\n return options;\n}\n\nexport async function verifyRegistration(request: FastifyRequest<{ Body: RegisterVerifyBody }>) {\n const principal = resolvePrincipal(request);\n const { rpID, expectedOrigThe file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/passkeyController.ts has been updated successfully. (file state is current in your context — no need to Read it back)
Backend extension complete. Run the new migration, restart API, type-check in container.
{"command":"curl -fsS -X POST http://localhost:7777/api/api-action -H 'Content-Type: application/json' -d '{\"path\":\"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\",\"action\":\"migrate\"}' >/dev/null 2>&1 ; echo \"migrate kicked; polling...\" ; for i in 1 2 3 4 5 6 7 8 9 10; do sleep 4; S=$(curl -fsS \"http://localhost:7777/api/api-action?path=/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\" 2>/dev/null | python3 -c \"import sys,json;d=json.load(sys.stdin);print(d.get('status'),d.get('exitCode'))\" 2>/dev/null); echo \"poll $i: $S\"; echo \"$S\" | rg -q \"done|error\" && break; done ; echo \"--- migrate tail ---\" ; curl -fsS \"http://localhost:7777/api/api-action?path=/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\" 2>/dev/null | python3 -c \"import sys,json;print(json.load(sys.stdin).get('tail','')[-400:])\"","description":"Run new migration + poll to completion"}migrate kicked; polling...
poll 1: failed 1
poll 2: failed 1
poll 3: failed 1
poll 4: failed 1
poll 5: failed 1
poll 6: failed 1
poll 7: failed 1
poll 8: failed 1
poll 9: failed 1
poll 10: failed 1
--- migrate tail ---
s/sequelize-typescript/dist/sequelize/sequelize/sequelize.js:50:26
at Array.forEach (<anonymous>)
at Sequelize.associateModels (/app/node_modules/sequelize-typescript/dist/sequelize/sequelize/sequelize.js:46:16)
at Sequelize.addModels (/app/node_modules/sequelize-typescript/dist/sequelize/sequelize/sequelize.js:38:14)
at <anonymous> (/app/src/models/db.ts:200:11)
Node.js v22.16.0Migrate failed in model association (my @BelongsTo(Customer) likely). Get the full error.
{"command":"docker compose logs --tail=40 api 2>&1 | rg -i \"error|passkey|customer|associat|cannot|undefined\" | head -30 ; echo \"=== direct migrate run for clean error ===\" ; docker compose exec -T api npx tsx src/db/migrate.ts up 2>&1 | tail -25","description":"Get full association error"}sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:12.391Z","msg":"Job completed: welcome_email","jobId":"892","jobType":"welcome_email"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:13.784Z","msg":"No active welcome_email template found for product: electric_vehicle_extended_warranty_1780263860120"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:13.784Z","msg":"Job completed: welcome_email","jobId":"901","jobType":"welcome_email"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:14.703Z","msg":"No active welcome_email template found for product: electric_vehicle_extended_warranty_1780263860120"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:14.703Z","msg":"Job completed: welcome_email","jobId":"907","jobType":"welcome_email"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:15.656Z","msg":"No active welcome_email template found for product: electric_vehicle_extended_warranty_1780263860120"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:15.657Z","msg":"Job completed: welcome_email","jobId":"913","jobType":"welcome_email"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:16.070Z","msg":"No active welcome_email template found for product: electric_vehicle_extended_warranty_1780263860120"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:16.071Z","msg":"Job completed: welcome_email","jobId":"919","jobType":"welcome_email"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:18.621Z","msg":"No active renewal_email template found for product: extended_warranty_1780263854359"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:18.621Z","msg":"Job completed: policy_renewal","jobId":"97","jobType":"policy_renewal"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:18.830Z","msg":"No active renewal_email template found for product: extended_warranty_1780263854359"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:18.831Z","msg":"Job completed: policy_renewal","jobId":"103","jobType":"policy_renewal"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:25.188Z","msg":"No active welcome_email template found for product: electric_vehicle_extended_warranty_1780263860120"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:25.189Z","msg":"Job completed: welcome_email","jobId":"925","jobType":"welcome_email"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:28.773Z","msg":"No active welcome_email template found for product: extended_warranty_1780263854359"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:28.773Z","msg":"Job completed: welcome_email","jobId":"931","jobType":"welcome_email"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:31.174Z","msg":"No active document template found for product: extended_warranty_1780263854359, email will be sent without PDF"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:31.226Z","messageId":"<[email protected]>","to":"[email protected]","subject":"Policy P100010000189 suspended","msg":"Email sent successfully:"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:45:31.227Z","msg":"Job completed: suspension_email","jobId":"9","jobType":"suspension_email"}
sherpa-api-api-466-passkey-webauthn-login | 9:47:20 PM [tsx] change in ./src/models/UserPasskey.ts Restarting...
sherpa-api-api-466-passkey-webauthn-login | Received SIGTERM, shutting down gracefully
sherpa-api-api-466-passkey-webauthn-login | 9:47:24 PM [tsx] change in ./src/models/UserPasskey.ts Process hasn't exited. Killing process...
sherpa-api-api-466-passkey-webauthn-login | /app/node_modules/reflect-metadata/Reflect.js:367
sherpa-api-api-466-passkey-webauthn-login | throw new TypeError();
sherpa-api-api-466-passkey-webauthn-login | ^
sherpa-api-api-466-passkey-webauthn-login |
sherpa-api-api-466-passkey-webauthn-login | TypeError
sherpa-api-api-466-passkey-webauthn-login | at Reflect.getMetadata (/app/node_modules/reflect-metadata/Reflect.js:367:23)
sherpa-api-api-466-passkey-webauthn-login | at getModelName (/app/node_modules/sequelize-typescript/dist/model/shared/model-service.js:21:20)
=== direct migrate run for clean error ===
/app/node_modules/reflect-metadata/Reflect.js:367
throw new TypeError();
^
TypeError
at Reflect.getMetadata (/app/node_modules/reflect-metadata/Reflect.js:367:23)
at getModelName (/app/node_modules/sequelize-typescript/dist/model/shared/model-service.js:21:20)
at Sequelize.model (/app/node_modules/sequelize-typescript/dist/sequelize/sequelize/sequelize.js:30:65)
at /app/node_modules/sequelize-typescript/dist/sequelize/sequelize/sequelize.js:52:46
at Array.forEach (<anonymous>)
at /app/node_modules/sequelize-typescript/dist/sequelize/sequelize/sequelize.js:50:26
at Array.forEach (<anonymous>)
at Sequelize.associateModels (/app/node_modules/sequelize-typescript/dist/sequelize/sequelize/sequelize.js:46:16)
at Sequelize.addModels (/app/node_modules/sequelize-typescript/dist/sequelize/sequelize/sequelize.js:38:14)
at <anonymous> (/app/src/models/db.ts:200:11)
Node.js v22.16.0Association resolution crashes (getModelName TypeError) — the Customer forward-ref/import doesn't play well here. The controller never traverses the passkey.customer association (it loads Customer directly), and the FK is enforced by the migration. So drop the Customer decorators/import and keep customerId as a plain column.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts","old_string":"import { Table, Column, Model, BelongsTo, ForeignKey, DataType } from 'sequelize-typescript';\nimport { Customer } from './Customer';\nimport { User } from './User';","new_string":"import { Table, Column, Model, BelongsTo, ForeignKey, DataType } from 'sequelize-typescript';\nimport { User } from './User';"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts","old_string":" @ForeignKey(() => Customer)\n @Column({\n type: DataType.UUID,\n allowNull: true,\n })\n declare customerId: string | null;","new_string":" // Customer owner (customer portal). Plain column: the FK is enforced by the\n // migration, and nothing traverses a Customer association from here, so we\n // avoid the sequelize-typescript association wiring.\n @Column({\n type: DataType.UUID,\n allowNull: true,\n })\n declare customerId: string | null;"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts","old_string":" @BelongsTo(() => User)\n declare user: User | null;\n\n @BelongsTo(() => Customer)\n declare customer: Customer | null;\n}","new_string":" @BelongsTo(() => User)\n declare user: User | null;\n}"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts has been updated successfully. (file state is current in your context — no need to Read it back)
Retry migrate directly in-container for a clean signal.
{"command":"docker compose exec -T api npx tsx src/db/migrate.ts up 2>&1 | tail -20 ; echo \"exit ${pipestatus[1]:-$?}\"","description":"Run migration in container"}{
event: 'migrating',
name: '2026.05.31T00.00.00.add-customer-to-user-passkeys.ts'
}
{
event: 'migrated',
name: '2026.05.31T00.00.00.add-customer-to-user-passkeys.ts',
durationSeconds: 0.032
}
exit 0Migration applied. Verify API health, DB schema, and re-test register/options with a customer token (was 404).
{"command":"echo \"=== API health ===\" ; curl -fsS -o /dev/null -w \"api root %{http_code}\\n\" http://localhost:4003/\necho \"=== DB column + constraint ===\" ; docker exec -e PGPASSWORD=sherpa_password sherpa-pg-main psql -U sherpa_user -d sherpa_local -t -A -c \"SELECT column_name, is_nullable FROM information_schema.columns WHERE table_name='UserPasskeys' AND column_name IN ('userId','customerId') ORDER BY column_name;\" 2>&1\ndocker exec -e PGPASSWORD=sherpa_password sherpa-pg-main psql -U sherpa_user -d sherpa_local -t -A -c \"SELECT conname FROM pg_constraint WHERE conname='chk_user_passkeys_single_owner';\" 2>&1\necho \"=== register/options with CUSTOMER token (expect 200 now) ===\" \nTOK=$(curl -sS -X POST \"http://localhost:4003/v1/auth/customer/login\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -d '{\"email\":\"[email protected]\",\"password\":\"TestPass123!@#\"}' | python3 -c \"import sys,json;print((json.load(sys.stdin).get('data') or {}).get('accessToken',''))\")\ncurl -sS -X POST \"http://localhost:4003/v1/auth/passkeys/register/options\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -H \"Authorization: Bearer $TOK\" -d '{\"name\":\"Test\"}' -w \"\\nHTTP %{http_code}\\n\" 2>&1 | python3 -c \"import sys; raw=sys.stdin.read(); print(raw[-220:])\"","description":"Verify schema + customer register/options works"}=== API health ===
curl: (52) Empty reply from server
api root 000
=== DB column + constraint ===
customerId|YES
userId|NO
chk_user_passkeys_single_owner
=== register/options with CUSTOMER token (expect 200 now) ===
curl: (52) Empty reply from server
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/lib/python3.9/json/__init__.py", line 293, in load
return loads(fp.read(),
File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/lib/python3.9/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/lib/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/lib/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
curl: (52) Empty reply from server
HTTP 000Two issues: API is down (likely tsx crash-loop on the new code) and userId is still NOT NULL (Sequelize changeColumn didn't drop it). Fix the migration to use raw DROP NOT NULL, apply it now, and check the API boot error.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/db/migrations/2026.05.31T00.00.00.add-customer-to-user-passkeys.ts","old_string":" // A passkey is now owned by a User or a Customer, so userId is no longer\n // mandatory on its own.\n await context.changeColumn('UserPasskeys', 'userId', {\n type: DataTypes.UUID,\n allowNull: true,\n references: {\n model: 'Users',\n key: 'id',\n },\n onUpdate: 'CASCADE',\n onDelete: 'CASCADE',\n });","new_string":" // A passkey is now owned by a User or a Customer, so userId is no longer\n // mandatory on its own. Drop NOT NULL directly (Sequelize changeColumn does\n // not reliably emit DROP NOT NULL on a column that carries an FK); the\n // existing Users FK is left untouched.\n await context.sequelize.query(\n `ALTER TABLE \"UserPasskeys\" ALTER COLUMN \"userId\" DROP NOT NULL`\n );"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/db/migrations/2026.05.31T00.00.00.add-customer-to-user-passkeys.ts has been updated successfully. (file state is current in your context — no need to Read it back)
Apply the DROP NOT NULL to the already-migrated dev DB, check the API boot error, and restart.
{"command":"echo \"=== apply DROP NOT NULL now (migration already recorded) ===\" ; docker exec -e PGPASSWORD=sherpa_password sherpa-pg-main psql -U sherpa_user -d sherpa_local -c \"ALTER TABLE \\\"UserPasskeys\\\" ALTER COLUMN \\\"userId\\\" DROP NOT NULL;\" 2>&1\ndocker exec -e PGPASSWORD=sherpa_password sherpa-pg-main psql -U sherpa_user -d sherpa_local -t -A -c \"SELECT column_name,is_nullable FROM information_schema.columns WHERE table_name='UserPasskeys' AND column_name='userId';\" 2>&1\necho \"=== API boot state ===\" ; docker compose logs --tail=15 api 2>&1 | tail -15","description":"Drop NOT NULL + inspect API boot logs"}=== apply DROP NOT NULL now (migration already recorded) ===
ALTER TABLE
userId|YES
=== API boot state ===
sherpa-api-api-466-passkey-webauthn-login |
sherpa-api-api-466-passkey-webauthn-login | Quick Access Links:
sherpa-api-api-466-passkey-webauthn-login | Health Check: http://localhost:4003/v1/health
sherpa-api-api-466-passkey-webauthn-login | API Docs: http://localhost:4003/docs
sherpa-api-api-466-passkey-webauthn-login | API Docs JSON: http://localhost:4003/docs/json
sherpa-api-api-466-passkey-webauthn-login | Root API: http://localhost:4003/
sherpa-api-api-466-passkey-webauthn-login |
sherpa-api-api-466-passkey-webauthn-login | Development Tools:
sherpa-api-api-466-passkey-webauthn-login | Mailcatcher: http://localhost:1080
sherpa-api-api-466-passkey-webauthn-login |
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:51:09.831Z","msg":"Starting inline workers..."}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:51:09.831Z","msg":"Journey stream processor starting"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:51:10.092Z","reqId":"req-1","method":"OPTIONS","url":"/v1/plus/claim-records/notifications/sse","msg":"request"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:51:10.093Z","reqId":"req-1","method":"OPTIONS","url":"/v1/plus/claim-records/notifications/sse","status":204,"msg":"response"}
sherpa-api-api-466-passkey-webauthn-login | {"time":"2026-05-31T21:51:10.094Z","reqId":"req-2","method":"GET","url":"/v1/plus/claim-records/notifications/sse","msg":"request"}userId nullable now; API back up (health is /v1/health). Re-test the customer register/options path + run API tsc.
{"command":"echo \"=== API health ===\" ; curl -fsS -o /dev/null -w \"root %{http_code}\\n\" http://localhost:4003/ ; curl -fsS -o /dev/null -w \"/v1/health %{http_code}\\n\" http://localhost:4003/v1/health\necho \"=== customer register/options (expect 200) ===\" \nTOK=$(curl -sS -X POST \"http://localhost:4003/v1/auth/customer/login\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -d '{\"email\":\"[email protected]\",\"password\":\"TestPass123!@#\"}' | python3 -c \"import sys,json;print((json.load(sys.stdin).get('data') or {}).get('accessToken',''))\")\ncurl -sS -o /dev/null -w \"register/options HTTP %{http_code}\\n\" -X POST \"http://localhost:4003/v1/auth/passkeys/register/options\" -H \"Content-Type: application/json\" -H \"Origin: http://test.localhost:3003\" -H \"Authorization: Bearer $TOK\" -d '{\"name\":\"Test\"}'\necho \"=== list passkeys (expect 200) ===\" \ncurl -sS -o /dev/null -w \"GET /passkeys HTTP %{http_code}\\n\" \"http://localhost:4003/v1/auth/passkeys\" -H \"Authorization: Bearer $TOK\" -H \"Origin: http://test.localhost:3003\"","description":"Verify customer passkey endpoints reachable"}=== API health === root 200 /v1/health 200 === customer register/options (expect 200) === register/options HTTP 200 === list passkeys (expect 200) === GET /passkeys HTTP 200
{"command":"docker compose exec -T api npx tsc --noEmit 2>&1 | head -30 ; echo \"api tsc exit: ${pipestatus[1]:-$?}\"","description":"Type-check API after controller/model changes","timeout":300000}api tsc exit: 0
Customer passkey endpoints now return 200; API tsc clean. The first proof run consumed token B (Flow B reached the passkey prompt = create-account succeeded). Seed a fresh token on another unactivated customer, clean stale proof PNGs, re-verify stack, re-run proof.
{"command":"echo \"=== still-unactivated test-org customers ===\" ; docker exec -e PGPASSWORD=sherpa_password sherpa-pg-main psql -U sherpa_user -d sherpa_local -t -A -F'|' -c \"SELECT id, email FROM \\\"Customers\\\" WHERE \\\"organizationId\\\"='12345678-9abc-def0-1234-56789abcdef0' AND password IS NULL AND deleted=false ORDER BY \\\"createdAt\\\" DESC LIMIT 5;\" 2>&1\necho \"=== seed fresh token pkproofC466 on cbakker832 ===\" ; docker exec -e PGPASSWORD=sherpa_password sherpa-pg-main psql -U sherpa_user -d sherpa_local -c \"UPDATE \\\"Customers\\\" SET \\\"resetToken\\\"='pkproofC466', \\\"resetTokenExpiry\\\"=NOW()+INTERVAL '30 days' WHERE email='[email protected]' AND password IS NULL;\" 2>&1 | tail -1\necho \"=== clean stale proof PNGs ===\" ; rm -f /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof/*.png && echo \"cleaned\" ; ls /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof/ 2>&1 | head\necho \"=== stack re-verify ===\" ; curl -fsS -o /dev/null -w \"api %{http_code}\\n\" http://localhost:4003/ ; curl -fsS -o /dev/null -w \"portal %{http_code}\\n\" http://localhost:3003 ; curl -fsS -o /dev/null -w \"embed %{http_code}\\n\" http://localhost:3103","description":"Seed fresh create-account token, clean proof dir, re-verify stack"}=== still-unactivated test-org customers === e5566532-90b9-4ce7-bcbb-00e47ab315b1|[email protected] 5cacc647-0da6-446a-b81d-cf0badcac999|[email protected] 5adc17d9-3f0e-4235-bdfd-0832672578bf|[email protected] d694f2f9-27a2-4e8b-b595-df84ae8023ad|[email protected] d21076f2-e071-45eb-8456-401e7a6b70f5|[email protected] === seed fresh token pkproofC466 on cbakker832 === UPDATE 1 === clean stale proof PNGs === cleaned === stack re-verify === api 200 portal 200 embed 200
Fresh token seeded (pkproofC466 on cbakker832), proof dir clean, stack green. Re-run the full proof.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login && CREATE_ACCOUNT_TOKEN=pkproofC466 node passkey-proof.mjs 2>&1 | tail -45 ; echo \"proof exit: ${pipestatus[1]:-$?}\"","description":"Re-run passkey browser proof with customer backend support","timeout":450000}[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[A] console: Failed to load resource: the server responded with a status of 401 (Unauthorized)
[A] console: Passkey login error: AxiosError: Request failed with status code 401
at settle (http://test.localhost:3003/_next/static/chunks/node_modules_11t42_o._.js:4557:16)
at XMLHttpRequest.onloadend (http://test.localhost:3003/_next/static/chunks/node_modules_11t42_o._.js:5102:174)
at Axios.request (http://test.localhost:3003/_next/static/chunks/node_modules_11t42_o._.js:5922:49)
at async loginWithPasskey (http://test.localhost:3003/_next/static/chunks/app_0s70b_4._.js:563:28)
at async handlePasskeyLogin (http://test.localhost:3003/_next/static/chunks/app_0s70b_4._.js:791:51)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
[B] console: Failed to load resource: the server responded with a status of 404 (Not Found)
Screenshots written to: /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof
- 10-customer-login-with-passkey-button.png
- 11-customer-profile-passkeys-empty.png
- 12-customer-profile-one-passkey.png
- 13-passwordless-passkey-login-success.png
- 14-customer-profile-two-passkeys.png
- 15-customer-profile-after-revoke.png
- 16-revoked-passkey-rejected.png
- 20-create-account-form.png
- 21-create-account-passkey-prompt.png
- 22-create-account-passkey-enrolled-in-portal.png
proof exit: 0Proof exit 0 — all 10 screenshots captured, both flows completed. The 404 console noise is the org's missing /assets/test-logo.svg; the single 401 is the intended revoked-passkey rejection. Now visually verify the key screenshots myself (runbook Step 6.2).
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof/21-create-account-passkey-prompt.png"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof/12-customer-profile-one-passkey.png"}Both human-feedback points proven: 21 = create-account "Set up a passkey" step (point 1); 12 = customer profile Passkeys section with a registered passkey + rename/revoke (point 2). Verify the remaining acceptance-criteria shots.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof/14-customer-profile-two-passkeys.png"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof/16-revoked-passkey-rejected.png"}14: two passkeys listed (iPhone Face ID + MacBook Touch ID, "Last used May 31" ← proves the passwordless login used it). 16: rejected passkey login stays on /login with error banner (top, pink). Confirm 13 (passwordless success), 15 (after-revoke→1), 22 (enrolled→portal).
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof/13-passwordless-passkey-login-success.png"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof/15-customer-profile-after-revoke.png"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/.auto-proof/22-create-account-passkey-enrolled-in-portal.png"}All criteria proven in real customer-portal UI: 13 passwordless login → "Hi Passkey" dashboard; 15 after-revoke → 1 passkey left; 22 create-account enrolment → landed in portal as the new customer (cbakker832).
Now Step 4 — mandatory review. iterative-review isn't a registered skill here, so I'll emulate its design: two independent parallel Explore reviewers over the full diff, fix HIGH/MEDIUM, repeat. Launching round 1.
{"description":"Review API backend passkey changes","prompt":"You are a senior code reviewer. Independently review uncommitted changes in the sherpa-api worktree for CORRECTNESS and SECURITY bugs. Be rigorous and skeptical. Use rg/fd, never grep/find.\n\nRepo: /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login\nRun `git -C <repo> diff` and `git -C <repo> status` to see all changes. Also read full files where needed.\n\nContext: This branch adds passkey (WebAuthn) support for the CUSTOMER portal. The passkey backend was originally USER-only; it was extended so a passkey can belong to EITHER a CRM User OR an end-Customer. Changed files:\n- src/controllers/passkeyController.ts (made owner-polymorphic: resolvePrincipal reads request.ident.user; userType==='customer' → customer principal. register/list/rename/revoke scope by userId OR customerId. verifyLogin issues customer tokens for customer-owned passkeys, user tokens otherwise.)\n- src/models/UserPasskey.ts (userId now nullable; added nullable customerId plain column; kept @ForeignKey/@BelongsTo only for User.)\n- src/db/migrations/2026.05.31T00.00.00.add-customer-to-user-passkeys.ts (adds customerId FK col, drops NOT NULL on userId via raw SQL, adds XOR CHECK chk_user_passkeys_single_owner, adds index.)\n- src/controllers/authController.ts (createAccountWithToken now returns data.email for the activated CUSTOMER branch.)\n- src/routes/authRoutes.ts (added data.email to the create-account response schema.)\n\nFocus your review on:\n1. AUTH/IDENTITY: Is resolvePrincipal correct? Could a CRM user token ever be mis-treated as a customer or vice versa? Is request.ident.user.userType the right discriminator (compare to how bearer.ts sets it for 'customer' vs 'portal' vs user)? What about 'portal' tokenType (embed sessions) — does it set userType='customer'? If a portal-token customer enrolls a passkey, what owner is stored, and can they later log in / list it? Read src/plugins/auth/bearer.ts to verify.\n2. verifyLogin: For a customer-owned passkey, it loads Customer via `Customer.findOne({organizationId}, {where:{id, deleted:false}})` using request.domainOrganization?.id. Is domainOrganization reliably populated on the public (unauthenticated) /passkeys/login/verify route? If a customer's passkey is presented on a DIFFERENT org's portal, what happens (should be rejected)? Any way to get a customer token for the wrong org?\n3. XOR constraint & data integrity: Does the migration correctly enforce exactly-one-owner? Is the raw DROP NOT NULL safe? Does UserPasskey.create with only customerId satisfy the model (userId nullable)?\n4. Token issuance: customer branch uses generateCustomerAccessToken/RefreshToken(customer, orgId) and does NOT persist refreshToken — confirm this matches customerLogin (authController customerLogin). User branch persists refreshToken — preserved?\n5. Any SQL injection, missing await, unhandled null, or info leak. Any regression to the existing USER passkey flow.\n6. createAccountWithToken: returning data.email — any privacy/security concern (it's the email of the account just activated by the token holder, so acceptable)? Does the user-branch still return no data (fine)?\n\nReport findings as a list, each tagged [HIGH]/[MEDIUM]/[LOW] with file:line, the concrete problem, and a suggested fix. If something is actually fine, don't invent issues. End with a one-line verdict: CLEAN or NEEDS-FIXES.","subagent_type":"Explore"}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && git diff"}diff --git a/.auto-proof/01-profile-first-passkey.png b/.auto-proof/01-profile-first-passkey.png
deleted file mode 100644
index 1a631f8f..00000000
Binary files a/.auto-proof/01-profile-first-passkey.png and /dev/null differ
diff --git a/.auto-proof/01-register-first-passkey.png b/.auto-proof/01-register-first-passkey.png
deleted file mode 100644
index 51aec9d8..00000000
Binary files a/.auto-proof/01-register-first-passkey.png and /dev/null differ
diff --git a/.auto-proof/02-passwordless-login-success.png b/.auto-proof/02-passwordless-login-success.png
deleted file mode 100644
index 08fa2d15..00000000
Binary files a/.auto-proof/02-passwordless-login-success.png and /dev/null differ
diff --git a/.auto-proof/02-two-passkeys-registered.png b/.auto-proof/02-two-passkeys-registered.png
deleted file mode 100644
index c6b78cfb..00000000
Binary files a/.auto-proof/02-two-passkeys-registered.png and /dev/null differ
diff --git a/.auto-proof/03-passwordless-login-success.png b/.auto-proof/03-passwordless-login-success.png
deleted file mode 100644
index 78e30100..00000000
Binary files a/.auto-proof/03-passwordless-login-success.png and /dev/null differ
diff --git a/.auto-proof/03-profile-two-passkeys.png b/.auto-proof/03-profile-two-passkeys.png
deleted file mode 100644
index d971067e..00000000
Binary files a/.auto-proof/03-profile-two-passkeys.png and /dev/null differ
diff --git a/.auto-proof/04-passkey-revoked.png b/.auto-proof/04-passkey-revoked.png
deleted file mode 100644
index 01f6c28d..00000000
Binary files a/.auto-proof/04-passkey-revoked.png and /dev/null differ
diff --git a/.auto-proof/04-profile-renamed-passkey.png b/.auto-proof/04-profile-renamed-passkey.png
deleted file mode 100644
index 0805d35b..00000000
Binary files a/.auto-proof/04-profile-renamed-passkey.png and /dev/null differ
diff --git a/.auto-proof/05-profile-after-revoke.png b/.auto-proof/05-profile-after-revoke.png
deleted file mode 100644
index f8616284..00000000
Binary files a/.auto-proof/05-profile-after-revoke.png and /dev/null differ
diff --git a/.auto-proof/05-revoked-passkey-denied.png b/.auto-proof/05-revoked-passkey-denied.png
deleted file mode 100644
index 4c16a9bd..00000000
Binary files a/.auto-proof/05-revoked-passkey-denied.png and /dev/null differ
diff --git a/.auto-proof/06-revoked-passkey-rejected.png b/.auto-proof/06-revoked-passkey-rejected.png
deleted file mode 100644
index 14b4bdb7..00000000
Binary files a/.auto-proof/06-revoked-passkey-rejected.png and /dev/null differ
diff --git a/.auto-proof/06-summary.png b/.auto-proof/06-summary.png
deleted file mode 100644
index 5885e1fc..00000000
Binary files a/.auto-proof/06-summary.png and /dev/null differ
diff --git a/.auto-proof/07-surviving-passkey-login.png b/.auto-proof/07-surviving-passkey-login.png
deleted file mode 100644
index e9a451d3..00000000
Binary files a/.auto-proof/07-surviving-passkey-login.png and /dev/null differ
diff --git a/.auto-proof/eval-1-register-first-passkey.png b/.auto-proof/eval-1-register-first-passkey.png
deleted file mode 100644
index 8e8a3e12..00000000
Binary files a/.auto-proof/eval-1-register-first-passkey.png and /dev/null differ
diff --git a/.auto-proof/eval-2-passkey-login-success.png b/.auto-proof/eval-2-passkey-login-success.png
deleted file mode 100644
index 268bf494..00000000
Binary files a/.auto-proof/eval-2-passkey-login-success.png and /dev/null differ
diff --git a/.auto-proof/eval-3-two-passkeys.png b/.auto-proof/eval-3-two-passkeys.png
deleted file mode 100644
index 03e19e0d..00000000
Binary files a/.auto-proof/eval-3-two-passkeys.png and /dev/null differ
diff --git a/.auto-proof/eval-4-after-revoke-one-left.png b/.auto-proof/eval-4-after-revoke-one-left.png
deleted file mode 100644
index 2a11ab28..00000000
Binary files a/.auto-proof/eval-4-after-revoke-one-left.png and /dev/null differ
diff --git a/.auto-proof/eval-5-revoked-passkey-rejected.png b/.auto-proof/eval-5-revoked-passkey-rejected.png
deleted file mode 100644
index 66a958a3..00000000
Binary files a/.auto-proof/eval-5-revoked-passkey-rejected.png and /dev/null differ
diff --git a/.auto-proof/eval-6-surviving-passkey-login.png b/.auto-proof/eval-6-surviving-passkey-login.png
deleted file mode 100644
index e9a451d3..00000000
Binary files a/.auto-proof/eval-6-surviving-passkey-login.png and /dev/null differ
diff --git a/src/controllers/authController.ts b/src/controllers/authController.ts
index 85fb4ae7..20988c91 100644
--- a/src/controllers/authController.ts
+++ b/src/controllers/authController.ts
@@ -789,8 +789,8 @@ export async function createAccountWithToken(request: FastifyRequest<{
}
// Use systemSequelize to bypass RLS — this is a public endpoint with no org context
- const [customerRow] = await systemSequelize.query<{ id: number }>( // SAFE-SYSTEM: auth bootstrap
- `SELECT id FROM "Customers"
+ const [customerRow] = await systemSequelize.query<{ id: number; email: string }>( // SAFE-SYSTEM: auth bootstrap
+ `SELECT id, email FROM "Customers"
WHERE "resetToken" = :token AND "resetTokenExpiry" > NOW() AND password IS NULL AND deleted = false
LIMIT 1`,
{ replacements: { token }, type: QueryTypes.SELECT }
@@ -814,6 +814,10 @@ export async function createAccountWithToken(request: FastifyRequest<{
return {
status: 'success',
message: 'Account created successfully',
+ // Echo the activated customer's email so the portal can sign them in via
+ // /v1/auth/customer/login and offer passkey enrolment right after sign-up.
+ // The email isn't part of the request body (the token identifies them).
+ data: { email: customerRow.email },
};
}
diff --git a/src/controllers/passkeyController.ts b/src/controllers/passkeyController.ts
index 41de26b7..bc344d9a 100644
--- a/src/controllers/passkeyController.ts
+++ b/src/controllers/passkeyController.ts
@@ -14,17 +14,55 @@ import { QueryTypes, UniqueConstraintError } from 'sequelize';
import { StatusError } from '@/error/error.js';
import { systemSequelize } from '@/models/db.js';
+import { Customer } from '@/models/Customer.js';
import { User } from '@/models/User.js';
import { UserPasskey } from '@/models/UserPasskey.js';
import { getWebAuthnRpContext } from '@/utils/webauthn.js';
-import { generateAccessToken, generateRefreshToken } from '@/utils/tokenUtils.js';
+import {
+ generateAccessToken,
+ generateRefreshToken,
+ generateCustomerAccessToken,
+ generateCustomerRefreshToken,
+} from '@/utils/tokenUtils.js';
import valkeyClient from '@/valkeyClient.js';
// Challenges are short-lived: they only need to survive the round-trip between
// the options call and the verify call for a single ceremony.
const CHALLENGE_TTL_SECONDS = 300;
-const regChallengeKey = (userId: string): string => `passkey:reg:${userId}`;
+// A passkey owner: either a CRM/portal User or an end-customer. Both bearer
+// token types populate request.ident.user; userType distinguishes them.
+type Principal =
+ | { kind: 'user'; id: string; email: string; displayName: string }
+ | { kind: 'customer'; id: string; email: string; displayName: string; organizationId: string };
+
+const resolvePrincipal = (request: FastifyRequest): Principal => {
+ const ident = request.ident?.user;
+ if (!ident?.id) {
+ throw new StatusError(401, 'Authentication required');
+ }
+ const email = ident.email ?? '';
+ const displayName = [ident.firstName, ident.lastName].filter(Boolean).join(' ') || email;
+ if (ident.userType === 'customer') {
+ return {
+ kind: 'customer',
+ id: ident.id,
+ email,
+ displayName,
+ organizationId: ident.organizationId,
+ };
+ }
+ return { kind: 'user', id: ident.id, email, displayName };
+};
+
+// Scopes passkey rows to the owning principal.
+const ownerWhere = (principal: Principal) =>
+ principal.kind === 'customer' ? { customerId: principal.id } : { userId: principal.id };
+
+// Namespaced by kind so a (theoretical) User/Customer UUID collision can't cross
+// c{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/UserPasskey.ts"}1 import { Table, Column, Model, BelongsTo, ForeignKey, DataType } from 'sequelize-typescript';
2 import { User } from './User';
3
4 @Table({
5 modelName: 'UserPasskey',
6 timestamps: true,
7 indexes: [
8 {
9 unique: true,
10 fields: ['credentialId'],
11 name: 'unique_passkey_credential_id',
12 },
13 {
14 fields: ['userId'],
15 name: 'idx_user_passkeys_user',
16 },
17 {
18 fields: ['customerId'],
19 name: 'idx_user_passkeys_customer',
20 },
21 ],
22 })
23 export class UserPasskey extends Model {
24 @Column({
25 type: DataType.UUID,
26 defaultValue: DataType.UUIDV4,
27 primaryKey: true,
28 })
29 declare id: string;
30
31 // A passkey is owned by EITHER a User (CRM/portal) or a Customer (customer
32 // portal) — never both. A DB CHECK enforces the XOR; both are nullable here.
33 @ForeignKey(() => User)
34 @Column({
35 type: DataType.UUID,
36 allowNull: true,
37 })
38 declare userId: string | null;
39
40 // Customer owner (customer portal). Plain column: the FK is enforced by the
41 // migration, and nothing traverses a Customer association from here, so we
42 // avoid the sequelize-typescript association wiring.
43 @Column({
44 type: DataType.UUID,
45 allowNull: true,
46 })
47 declare customerId: string | null;
48
49 // Base64URL-encoded WebAuthn credential ID returned by the authenticator.
50 @Column({
51 type: DataType.TEXT,
52 allowNull: false,
53 })
54 declare credentialId: string;
55
56 // COSE-encoded public key bytes used to verify assertion signatures.
57 @Column({
58 type: DataType.BLOB,
59 allowNull: false,
60 })
61 declare publicKey: Buffer;
62
63 // Signature counter; must be monotonically increasing to detect cloned authenticators.
64 @Column({
65 type: DataType.BIGINT,
66 allowNull: false,
67 defaultValue: 0,
68 })
69 declare counter: number;
70
71 @Column({
72 type: DataType.ARRAY(DataType.STRING),
73 allowNull: true,
74 })
75 declare transports: string[] | null;
76
77 @Column({
78 type: DataType.STRING,
79 allowNull: true,
80 })
81 declare deviceType: string | null;
82
83 @Column({
84 type: DataType.BOOLEAN,
85 allowNull: false,
86 defaultValue: false,
87 })
88 declare backedUp: boolean;
89
90 // User-facing label for the passkey (e.g. "MacBook Touch ID"). Renameable.
91 @Column({
92 type: DataType.STRING,
93 allowNull: false,
94 })
95 declare name: string;
96
97 @Column({
98 type: DataType.DATE,
99 allowNull: true,
100 })
101 declare lastUsedAt: Date | null;
102
103 @Column({
104 type: DataType.DATE,
105 allowNull: false,
106 })
107 declare createdAt: Date;
108
109 @Column({
110 type: DataType.DATE,
111 allowNull: false,
112 })
113 declare updatedAt: Date;
114
115 @BelongsTo(() => User)
116 declare user: User | null;
117 }
118 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/passkeyController.ts"}1 import {
2 generateRegistrationOptions,
3 verifyRegistrationResponse,
4 generateAuthenticationOptions,
5 verifyAuthenticationResponse,
6 type VerifiedRegistrationResponse,
7 type VerifiedAuthenticationResponse,
8 type WebAuthnCredential,
9 } from '@simplewebauthn/server';
10 import type { RegistrationResponseJSON, AuthenticationResponseJSON } from '@simplewebauthn/server';
11 import crypto from 'crypto';
12 import type { FastifyRequest } from 'fastify';
13 import { QueryTypes, UniqueConstraintError } from 'sequelize';
14
15 import { StatusError } from '@/error/error.js';
16 import { systemSequelize } from '@/models/db.js';
17 import { Customer } from '@/models/Customer.js';
18 import { User } from '@/models/User.js';
19 import { UserPasskey } from '@/models/UserPasskey.js';
20 import { getWebAuthnRpContext } from '@/utils/webauthn.js';
21 import {
22 generateAccessToken,
23 generateRefreshToken,
24 generateCustomerAccessToken,
25 generateCustomerRefreshToken,
26 } from '@/utils/tokenUtils.js';
27 import valkeyClient from '@/valkeyClient.js';
28
29 // Challenges are short-lived: they only need to survive the round-trip between
30 // the options call and the verify call for a single ceremony.
31 const CHALLENGE_TTL_SECONDS = 300;
32
33 // A passkey owner: either a CRM/portal User or an end-customer. Both bearer
34 // token types populate request.ident.user; userType distinguishes them.
35 type Principal =
36 | { kind: 'user'; id: string; email: string; displayName: string }
37 | { kind: 'customer'; id: string; email: string; displayName: string; organizationId: string };
38
39 const resolvePrincipal = (request: FastifyRequest): Principal => {
40 const ident = request.ident?.user;
41 if (!ident?.id) {
42 throw new StatusError(401, 'Authentication required');
43 }
44 const email = ident.email ?? '';
45 const displayName = [ident.firstName, ident.lastName].filter(Boolean).join(' ') || email;
46 if (ident.userType === 'customer') {
47 return {
48 kind: 'customer',
49 id: ident.id,
50 email,
51 displayName,
52 organizationId: ident.organizationId,
53 };
54 }
55 return { kind: 'user', id: ident.id, email, displayName };
56 };
57
58 // Scopes passkey rows to the owning principal.
59 const ownerWhere = (principal: Principal) =>
60 principal.kind === 'customer' ? { customerId: principal.id } : { userId: principal.id };
61
62 // Namespaced by kind so a (theoretical) User/Customer UUID collision can't cross
63 // ceremonies.
64 const regChallengeKey = (principal: Principal): string =>
65 `passkey:reg:${principal.kind}:${principal.id}`;
66 const loginChallengeKey = (challengeId: string): string => `passkey:login:${challengeId}`;
67
68 interface RegisterOptionsBody {
69 name: string;
70 }
71
72 interface RegisterVerifyBody {
73 name: string;
74 response: RegistrationResponseJSON;
75 }
76
77 interface LoginVerifyBody {
78 challengeId: string;
79 response: AuthenticationResponseJSON;
80 }
81
82 interface RenameBody {
83 name: string;
84 }
85
86 const serializePasskey = (passkey: UserPasskey) => ({
87 id: passkey.id,
88 name: passkey.name,
89 deviceType: passkey.deviceType,
90 backedUp: passkey.backedUp,
91 lastUsedAt: passkey.lastUsedAt,
92 createdAt: passkey.createdAt,
93 });
94
95 // Resolves the organization context to embed in issued tokens, mirroring the
96 // password login flow: the request domain org when the user is a member,
97 // otherwise the user's primary organization.
98 const resolveLoginOrganizationId = async (
99 userId: string,
100 domainOrganizationId: string | undefined
101 ): Promise<string | undefined> => {
102 if (domainOrganizationId) {
103 // SAFE-SYSTEM: pre-auth membership probe; org context is being established here
104 const membershipRows = await systemSequelize.query<{ organizationId: string }>(
105 `SELECT "organizationId" FROM "UserOrganizations"
106 WHERE "userId" = :userId AND "organizationId" = :organizationId AND "isActive" = true
107 LIMIT 1`,
108 {
109 replacements: { userId, organizationId: domainOrganizationId },
110 type: QueryTypes.SELECT,
111 }
112 );
113 if (membershipRows.length > 0) {
114 return domainOrganizationId;
115 }
116 }
117
118 // SAFE-SYSTEM: pre-auth primary-org lookup; user has no org context yet
119 const primaryMembershipRows = await systemSequelize.query<{ organizationId: string }>(
120 `SELECT "organizationId" FROM "UserOrganizations"
121 WHERE "userId" = :userId AND "isActive" = true
122 ORDER BY "createdAt" ASC
123 LIMIT 1`,
124 {
125 replacements: { userId },
126 type: QueryTypes.SELECT,
127 }
128 );
129 return primaryMembershipRows[0]?.organizationId;
130 };
131
132 export async function getRegistrationOptions(
133 request: FastifyRequest<{ Body: RegisterOptionsBody }>
134 ) {
135 const principal = resolvePrincipal(request);
136 const { rpID, rpName } = getWebAuthnRpContext(request);
137
138 if (!principal.email) {
139 throw new StatusError(404, principal.kind === 'customer' ? 'Customer not found' : 'User not found');
140 }
141
142 const existing = await UserPasskey.findAll({ where: ownerWhere(principal) });
143
144 const options = await generateRegistrationOptions({
145 rpName,
146 rpID,
147 userName: principal.email,
148 userDisplayName: principal.displayName,
149 userID: new TextEncoder().encode(principal.id),
150 attestationType: 'none',
151 excludeCredentials: existing.map((cred) => ({
152 id: cred.credentialId,
153 transports: (cred.transports ?? undefined) as WebAuthnCredential['transports'],
154 })),
155 authenticatorSelection: {
156 residentKey: 'preferred',
157 userVerification: 'preferred',
158 },
159 });
160
161 await valkeyClient.setEx(regChallengeKey(principal), CHALLENGE_TTL_SECONDS, options.challenge);
162
163 return options;
164 }
165
166 export async function verifyRegistration(request: FastifyRequest<{ Body: RegisterVerifyBody }>) {
167 const principal = resolvePrincipal(request);
168 const { rpID, expectedOrigin } = getWebAuthnRpContext(request);
169 const { name, response } = request.body;
170
171 const expectedChallenge = await valkeyClient.get(regChallengeKey(principal));
172 if (!expectedChallenge) {
173 throw new StatusError(400, 'Registration challenge expired or not found. Please try again.');
174 }
175
176 let verification: VerifiedRegistrationResponse;
177 try {
178 verification = await verifyRegistrationResponse({
179 response,
180 expectedChallenge,
181 expectedOrigin,
182 expectedRPID: rpID,
183 requireUserVerification: false,
184 });
185 } catch (error) {
186 // Don't leak the library's cryptographic failure detail (bad signature,
187 // RP-ID mismatch, etc.) to the client — log it and return a generic error.
188 request.log.error({ err: error }, 'Passkey registration verification failed');
189 throw new StatusError(400, 'Passkey registration could not be verified');
190 } finally {
191 await valkeyClient.del(regChallengeKey(principal));
192 }
193
194 if (!verification.verified || !verification.registrationInfo) {
195 throw new StatusError(400, 'Passkey registration could not be verified');
196 }
197
198 const { credential, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
199
200 const owner =
201 principal.kind === 'customer' ? { customerId: principal.id } : { userId: principal.id };
202
203 let passkey: UserPasskey;
204 try {
205 passkey = await UserPasskey.create({
206 ...owner,
207 credentialId: credential.id,
208 publicKey: Buffer.from(credential.publicKey),
209 counter: credential.counter,
210 transports: credential.transports ?? null,
211 de{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && git status"}On branch auto/api-466-passkey-webauthn-login Your branch is up to date with 'origin/auto/api-466-passkey-webauthn-login'. Changes not staged for commit: (use "git add/rm <file>..." to update what will be committed) (use "git restore <file>..." to discard changes in working directory) deleted: .auto-proof/01-profile-first-passkey.png deleted: .auto-proof/01-register-first-passkey.png deleted: .auto-proof/02-passwordless-login-success.png deleted: .auto-proof/02-two-passkeys-registered.png deleted: .auto-proof/03-passwordless-login-success.png deleted: .auto-proof/03-profile-two-passkeys.png deleted: .auto-proof/04-passkey-revoked.png deleted: .auto-proof/04-profile-renamed-passkey.png deleted: .auto-proof/05-profile-after-revoke.png deleted: .auto-proof/05-revoked-passkey-denied.png deleted: .auto-proof/06-revoked-passkey-rejected.png deleted: .auto-proof/06-summary.png deleted: .auto-proof/07-surviving-passkey-login.png deleted: .auto-proof/eval-1-register-first-passkey.png deleted: .auto-proof/eval-2-passkey-login-success.png deleted: .auto-proof/eval-3-two-passkeys.png deleted: .auto-proof/eval-4-after-revoke-one-left.png deleted: .auto-proof/eval-5-revoked-passkey-rejected.png deleted: .auto-proof/eval-6-surviving-passkey-login.png modified: src/controllers/authController.ts modified: src/controllers/passkeyController.ts modified: src/models/UserPasskey.ts modified: src/routes/authRoutes.ts Untracked files: (use "git add <file>..." to include in what will be committed) .auto-proof/10-customer-login-with-passkey-button.png .auto-proof/11-customer-profile-passkeys-empty.png .auto-proof/12-customer-profile-one-passkey.png .auto-proof/13-passwordless-passkey-login-success.png .auto-proof/14-customer-profile-two-passkeys.png .auto-proof/15-customer-profile-after-revoke.png .auto-proof/16-revoked-passkey-rejected.png .auto-proof/20-create-account-form.png .auto-proof/21-create-account-passkey-prompt.png .auto-proof/22-create-account-passkey-enrolled-in-portal.png src/db/migrations/2026.05.31T00.00.00.add-customer-to-user-passkeys.ts no changes added to commit (use "git add" and/or "git commit -a")
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/db/migrations/2026.05.31T00.00.00.add-customer-to-user-passkeys.ts"}1 import { DataTypes, type QueryInterface } from 'sequelize';
2 import type { MigrationFn } from 'umzug';
3
4 // Passkeys were originally keyed to a CRM/portal User. The customer portal
5 // (create-account + Profile) needs passkeys for end-customers too, so a passkey
6 // now belongs to EITHER a User or a Customer (never both). userId becomes
7 // nullable, a nullable customerId is added, and a CHECK enforces exactly one
8 // owner. Still no organizationId, so the table remains non-tenant-scoped (RLS
9 // not required) — the same model as before.
10 export const up: MigrationFn<QueryInterface> = async ({ context }) => {
11 await context.addColumn('UserPasskeys', 'customerId', {
12 type: DataTypes.UUID,
13 allowNull: true,
14 references: {
15 model: 'Customers',
16 key: 'id',
17 },
18 onUpdate: 'CASCADE',
19 onDelete: 'CASCADE',
20 });
21
22 // A passkey is now owned by a User or a Customer, so userId is no longer
23 // mandatory on its own. Drop NOT NULL directly (Sequelize changeColumn does
24 // not reliably emit DROP NOT NULL on a column that carries an FK); the
25 // existing Users FK is left untouched.
26 await context.sequelize.query(
27 `ALTER TABLE "UserPasskeys" ALTER COLUMN "userId" DROP NOT NULL`
28 );
29
30 // Exactly one owner must be set (XOR). `<>` on the two NOT NULL predicates is
31 // true only when they differ, i.e. precisely one of them is populated.
32 await context.sequelize.query(
33 `ALTER TABLE "UserPasskeys"
34 ADD CONSTRAINT "chk_user_passkeys_single_owner"
35 CHECK (("userId" IS NOT NULL) <> ("customerId" IS NOT NULL))`
36 );
37
38 await context.addIndex('UserPasskeys', {
39 fields: ['customerId'],
40 name: 'idx_user_passkeys_customer',
41 });
42 };
43
44 export const down: MigrationFn<QueryInterface> = async () => {
45 // Down migration not implemented - forward-only deployment
46 };
47 {"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login -name \"bearer.ts\" -o -name \"*bearer*\" | head -20"}/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth/bearer.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth/bearer.ts"}1 import type { FastifyRequest, FastifyInstance } from 'fastify';
2 import { QueryTypes } from 'sequelize';
3 import {
4 createClientIdentity,
5 createOrganizationIdentity,
6 createUserIdentity,
7 type JwtTokenPayload,
8 validateOrganizationAccess
9 } from './lib.js';
10 import { StatusError } from '@/error/error.js';
11 import { systemSequelize } from '@/models/db.js';
12 import type { Organization } from '@/models/Organization.js';
13 import type {
14 Authentication,
15 BearerAuth,
16 RequestIdentity
17 } from '@/types/fastify.js';
18
19 // ==========================================
20 // Bearer Token Extraction
21 // ==========================================
22
23 export function extractBearerToken(authHeader: string): string {
24 const bearerPrefix = 'Bearer ';
25 if (!authHeader.startsWith(bearerPrefix)) {
26 throw new StatusError(401, 'Invalid authorization header format');
27 }
28 return authHeader.slice(bearerPrefix.length);
29 }
30
31 // ==========================================
32 // Authentication Strategies
33 // ==========================================
34
35 async function authenticateWithClientBearer(decoded: JwtTokenPayload): Promise<{ ident: RequestIdentity; auth: Authentication }> {
36 if (decoded.clientNumericId == null) {
37 throw new StatusError(401, 'Client token missing clientNumericId');
38 }
39
40 const clientData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
41 `SELECT c.id, c."clientId", c.name, c.active, c.scopes, c."userId", c."organizationId",
42 u.id as "user.id", u.email as "user.email", u."firstName" as "user.firstName",
43 u."lastName" as "user.lastName", u.role as "user.role"
44 FROM "Clients" c
45 LEFT JOIN "Users" u ON u.id = c."userId"
46 WHERE c.id = :clientNumericId AND c.active = true
47 LIMIT 1`,
48 {
49 replacements: { clientNumericId: decoded.clientNumericId },
50 type: QueryTypes.SELECT,
51 }
52 );
53
54 if (clientData.length === 0) {
55 throw new StatusError(401, 'Client in token not found');
56 }
57
58 const clientRow = clientData[0] as any;
59 const client = {
60 id: clientRow.id,
61 clientId: clientRow.clientId,
62 name: clientRow.name,
63 active: clientRow.active,
64 scopes: clientRow.scopes,
65 userId: clientRow.userId,
66 organizationId: clientRow.organizationId,
67 user: clientRow['user.id'] ? {
68 id: clientRow['user.id'],
69 email: clientRow['user.email'],
70 firstName: clientRow['user.firstName'],
71 lastName: clientRow['user.lastName'],
72 role: clientRow['user.role'],
73 } : null,
74 };
75
76 const bearerAuth: BearerAuth = {
77 organizationId: client.organizationId,
78 userId: client.user ? client.user.id : null,
79 client: {
80 id: client.id,
81 userId: client.user ? client.user.id : null,
82 organizationId: client.organizationId,
83 scopes: client.scopes ? client.scopes.split(' ') : [],
84 }
85 };
86
87 if (!client.organizationId) {
88 throw new StatusError(401, 'Client organization ID not found');
89 }
90
91 const orgData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
92 `SELECT id, name, "displayName", "portalDomain", "portalUrl", "apiUrl", "crmDomain", "crmUrl", settings, active, timezone
93 FROM "Organizations"
94 WHERE id = :organizationId
95 LIMIT 1`,
96 { replacements: { organizationId: client.organizationId }, type: QueryTypes.SELECT }
97 );
98 if (orgData.length === 0) {
99 throw new StatusError(401, 'Client organization not found');
100 }
101 const org = orgData[0] as Organization;
102
103 const ident: RequestIdentity = {
104 user: client.user ? createUserIdentity(client.user as any, client.organizationId) : null,
105 org: createOrganizationIdentity(org),
106 client: createClientIdentity(client as any),
107 };
108
109 return {
110 ident,
111 auth: { method: 'bearer', bearer: bearerAuth }
112 };
113 }
114
115 async function authenticateWithPortalBearer(decoded: JwtTokenPayload, request: FastifyRequest): Promise<{ ident: RequestIdentity; auth: Authentication }> {
116 if (!decoded.externalClientId || !decoded.organizationId || !decoded.clientNumericId) {
117 throw new StatusError(401, 'Invalid portal token: missing required claims');
118 }
119
120 const clientData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
121 `SELECT c.id, c."clientId", c.name, c.active, c.scopes, c."organizationId"
122 FROM "Clients" c
123 WHERE c.id = :clientNumericId AND c.active = true
124 LIMIT 1`,
125 { replacements: { clientNumericId: decoded.clientNumericId }, type: QueryTypes.SELECT }
126 );
127
128 if (clientData.length === 0) {
129 throw new StatusError(401, 'Portal token client not found');
130 }
131
132 const client = clientData[0] as any;
133
134 if (client.organizationId !== decoded.organizationId) {
135 throw new StatusError(401, 'Portal token organization mismatch');
136 }
137
138 const orgData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
139 `SELECT id, name, "displayName", "portalDomain", "portalUrl", "apiUrl", "crmDomain", "crmUrl", settings, active, timezone
140 FROM "Organizations"
141 WHERE id = :organizationId AND active = true
142 LIMIT 1`,
143 { replacements: { organizationId: decoded.organizationId }, type: QueryTypes.SELECT }
144 );
145
146 if (orgData.length === 0) {
147 throw new StatusError(401, 'Portal token organization not found');
148 }
149
150 const org = orgData[0] as Organization;
151
152 const customerData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
153 `SELECT id, "firstName", "lastName", email, "externalClientId"
154 FROM "Customers"
155 WHERE "externalClientId" = :externalClientId AND "organizationId" = :organizationId
156 LIMIT 1`,
157 { replacements: { externalClientId: decoded.externalClientId, organizationId: decoded.organizationId }, type: QueryTypes.SELECT }
158 );
159
160 if (customerData.length === 0) {
161 throw new StatusError(401, `Customer with externalClientId '${decoded.externalClientId}' not found`);
162 }
163
164 const customer = customerData[0] as { id: string; firstName: string | null; lastName: string | null; email: string | null; externalClientId: string };
165
166 const portalUserIdentity = {
167 id: customer.id,
168 visibleId: decoded.externalClientId,
169 externalClientId: decoded.externalClientId,
170 email: customer.email,
171 role: 'customer' as const,
172 userType: 'customer' as const,
173 organizationId: decoded.organizationId,
174 firstName: customer.firstName,
175 lastName: customer.lastName,
176 companyName: null,
177 };
178
179 const bearerAuth: BearerAuth = {
180 userId: null,
181 // Portal tokens are customer-scoped: they identify a single Customer row
182 // (resolved above by externalClientId). Expose customer.id on bearerAuth
183 // so customer-self endpoints (e.g. /v1/customers/me) treat portal sessions
184 // identically to /v1/auth/customer/login sessions.
185 customerId: customer.id,
186 organizationId: decoded.organizationId,
187 client: {
188 id: client.id,
189 userId: null,
190 organizationId: client.organizationId,
191 scopes: client.scopes ? client.scopes.split(' ') : [],
192 },
193 externalClientId: decoded.externalClientId,
194 };
195
196 const ident: RequestIdentity = {
197 user: portalUserIdentity,
198 org: createOrganizationIdentity(org),
199 client: {
200 id: client.id,
201 clientId: client.clientId,
202 name: client.name,
203 organizationId: client.organizationId,
204 userId: null,
205 scopes: client.scopes ? client.scopes.spl{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -n \"customerLogin\\|generateCustomerAccessToken\\|generateCustomerRefreshToken\" src/controllers/authController.ts | head -30"}28: generateCustomerAccessToken,
29: generateCustomerRefreshToken,
218:export async function customerLogin(request: FastifyRequest<{ Body: LoginRequest }>) {
262: const accessToken = generateCustomerAccessToken(customer, domainOrganizationId);
263: const newRefreshToken = generateCustomerRefreshToken(customer, domainOrganizationId);
342: const accessToken = generateCustomerAccessToken(customer, domainOrganizationId);
343: const newRefreshToken = generateCustomerRefreshToken(customer, domainOrganizationId);
519: const newAccessToken = generateCustomerAccessToken(customer as Customer, customer.organizationId);
520: const newRefreshToken = generateCustomerRefreshToken(customer as Customer, customer.organizationId);
860: customerLogin,{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","offset":218,"limit":60}218 export async function customerLogin(request: FastifyRequest<{ Body: LoginRequest }>) {
219 const validationResult = loginSchema.validate(request.body);
220 const { error } = validationResult;
221 if (error) {
222 throw new StatusError(400, 'Invalid credentials');
223 }
224
225 const validatedValue = validationResult.value as LoginRequest;
226 const { email, password } = validatedValue;
227
228 if (!email || !password) {
229 throw new StatusError(400, 'Email and password are required');
230 }
231
232 const domainOrganization = request.domainOrganization;
233
234 if (!domainOrganization?.id || !domainOrganization?.portalDomain) {
235 throw new StatusError(400, 'Customer login requires organization context');
236 }
237
238 const domainOrganizationId = domainOrganization.id;
239
240 validateOrigin(request, domainOrganization.portalDomain);
241
242 const customer = await Customer.findOne({ organizationId: domainOrganizationId }, {
243 where: {
244 email: email.toLowerCase(),
245 deleted: false
246 },
247 });
248
249 if (!customer) {
250 throw new StatusError(401, 'Invalid credentials');
251 }
252
253 if (!customer.password) {
254 throw new StatusError(401, 'Account not activated. Please set up your password first.');
255 }
256
257 const isValidPassword = await bcryptjs.compare(password, customer.password);
258 if (!isValidPassword) {
259 throw new StatusError(401, 'Invalid credentials');
260 }
261
262 const accessToken = generateCustomerAccessToken(customer, domainOrganizationId);
263 const newRefreshToken = generateCustomerRefreshToken(customer, domainOrganizationId);
264
265 return {
266 status: 'success',
267 message: 'Login successful',
268 data: {
269 accessToken,
270 refreshToken: newRefreshToken,
271 user: {
272 id: customer.id,
273 email: customer.email,
274 firstName: customer.firstName,
275 lastName: customer.lastName,
276 role: 'customer',
277 organizationId: domainOrganizationId,{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -A 30 \"^export async function login(\" src/controllers/authController.ts | head -50"}export async function login(request: FastifyRequest<{ Body: LoginRequest }>) {
// Add Joi validation that was in the original
const validationResult = loginSchema.validate(request.body);
const { error } = validationResult;
if (error) {
throw new StatusError(400, 'Invalid credentials');
}
const validatedValue = validationResult.value as LoginRequest;
const { email, password } = validatedValue;
if (!email || !password) {
throw new StatusError(400, 'Email and password are required');
}
const user = await User.findOne({
where: {
email: email.toLowerCase(),
deleted: false
}
});
if (!user) {
throw new StatusError(401, 'Invalid credentials');
}
if (!user.password) {
throw new StatusError(401, 'Invalid credentials');
}
const isValidPassword = await bcryptjs.compare(password, user.password);{"description":"Review portal FE passkey changes","prompt":"You are a senior frontend/full-stack code reviewer. Independently review uncommitted changes in the sherpa-portal worktree (Next.js 16 / React 19) for CORRECTNESS bugs and React pitfalls. Be rigorous. Use rg/fd, never grep/find.\n\nRepo: /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login\nRun `git -C <repo> diff` and `git -C <repo> status`. Read full files where needed.\n\nContext: Wiring passkey (WebAuthn) UI into the CUSTOMER portal. Changed files:\n- app/customer-portal/profile/DefaultProfile.tsx (mounts <PasskeysSection onError=...> after the 2FA section; this file is ALSO used by app/embed-customer-portal/profile/page.tsx).\n- app/create-account/page.tsx (after a customer sets their password, it auto-logs-in via /v1/auth/customer/login for customer orgs, sets tokens directly via authStore.setTokens, shows a skippable \"Set up a passkey\" step, then finalizes login + redirect. A ref `selfInitiatedAuthRef` guards a pre-existing logout effect so it doesn't tear down the self-initiated session.)\n\nFocus your review on:\n1. The logout effect in create-account: `if (!authLoading && user && !selfInitiatedAuthRef.current) storeLogout()`. After setTokens, AuthProvider's initializeAuth effect hydrates `user`. Confirm the ref guard prevents the logout. Is there any render where the ref isn't yet set but user becomes truthy (race)? Could a genuinely stale pre-existing session now FAIL to be cleared (regression)? Trace the ordering.\n2. setTokens vs login(): create-account calls authStore.setTokens(access, refresh) to authenticate the api client for /auth/passkeys/register/*, then later calls AuthProvider.login() in finalizeAccount. Read app/components/AuthProvider.tsx and app/src/store/authStore.ts. Does calling login() after setTokens cause double work or a redirect loop? Does login() redirect correctly for a customer (to '/')? Is router.push('/dashboard') after login() redundant/conflicting?\n3. passkeySupported gating: the passkey step only shows if passkeySupported (feature-detected on mount). On unsupported browsers, does it fall back to the original behavior (login + redirect)? Confirm no dead-end.\n4. Endpoint selection: `isCustomerLogin = organization?.portalType ? portalType==='customer' : !!settings?.customerPortal`. Matches app/login/page.tsx? Is `organization` actually populated on /create-account (proxy.ts skips org resolution for /create-account — does OrganizationProvider still resolve it client-side)?\n5. The JSX ternary wrapping the form (showPasskeySetup ? passkeyStep : <>form</>) — is it balanced and are all states reachable? Any unused imports/vars introduced.\n6. DefaultProfile: is PasskeysSection mounted only when `user` exists (needs auth/token)? Any issue that it's shared with embed-customer-portal (embed uses portal tokens — would passkey register work there)?\n\nReport findings as a list, each tagged [HIGH]/[MEDIUM]/[LOW] with file:line, the concrete problem, and a suggested fix. Don't invent issues. End with a one-line verdict: CLEAN or NEEDS-FIXES.","subagent_type":"Explore"}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -A 50 \"^export async function login(\" src/controllers/authController.ts | tail -30"} if (!user) {
throw new StatusError(401, 'Invalid credentials');
}
if (!user.password) {
throw new StatusError(401, 'Invalid credentials');
}
const isValidPassword = await bcryptjs.compare(password, user.password);
if (!isValidPassword) {
throw new StatusError(401, 'Invalid credentials');
}
// Resolve organization context: use domain org if user is a member, otherwise fall back to primary org
const domainOrganizationId = request.domainOrganization?.id;
let loginOrganizationId: string | undefined;
if (domainOrganizationId) {
// SAFE-SYSTEM: pre-auth membership probe; org context is being established here
const membershipRows = await systemSequelize.query<{ organizationId: string }>(
`SELECT "organizationId" FROM "UserOrganizations"
WHERE "userId" = :userId AND "organizationId" = :organizationId AND "isActive" = true
LIMIT 1`,
{
replacements: { userId: user.id, organizationId: domainOrganizationId },
type: QueryTypes.SELECT,
},
);
if (membershipRows.length > 0) {
loginOrganizationId = domainOrganizationId;{"command":"git -C /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login status"}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && sed -n '55,150p' src/controllers/authController.ts"} region: Joi.string().min(2).max(50).required(),
address: Joi.string().min(5).max(100).required(),
city: Joi.string().min(2).max(50).required(),
postalCode: Joi.string().min(3).max(20).required(),
companyName: Joi.string().trim().max(100).allow('', null).optional(),
// Optional social registration fields
socialRegistration: Joi.boolean().optional(),
socialProvider: Joi.string().allow(null, '').optional(),
socialId: Joi.string().allow(null, '').optional(),
});
const loginSchema = Joi.object({
email: Joi.string().email().trim().lowercase().required(),
password: Joi.string().required(),
});
/**
* Validates that the request Origin matches the domainOrganization's portalDomain.
* Prevents attackers from forging Origin headers to create data in other organizations.
*/
const validateOrigin = (
request: FastifyRequest,
domainPortalDomain: string,
): void => {
const origin = request.headers.origin || request.headers.referer;
if (!origin) {
throw new StatusError(400, 'Origin header required for customer registration');
}
let originHostname: string;
try {
originHostname = new URL(origin).hostname;
} catch {
throw new StatusError(400, 'Invalid Origin header');
}
const normalizedOrigin = toProductionDomain(originHostname);
const normalizedPortal = toProductionDomain(domainPortalDomain);
if (normalizedOrigin !== normalizedPortal) {
throw new StatusError(403, 'Origin does not match organization portal domain');
}
};
// Login function with proper validation
export async function login(request: FastifyRequest<{ Body: LoginRequest }>) {
// Add Joi validation that was in the original
const validationResult = loginSchema.validate(request.body);
const { error } = validationResult;
if (error) {
throw new StatusError(400, 'Invalid credentials');
}
const validatedValue = validationResult.value as LoginRequest;
const { email, password } = validatedValue;
if (!email || !password) {
throw new StatusError(400, 'Email and password are required');
}
const user = await User.findOne({
where: {
email: email.toLowerCase(),
deleted: false
}
});
if (!user) {
throw new StatusError(401, 'Invalid credentials');
}
if (!user.password) {
throw new StatusError(401, 'Invalid credentials');
}
const isValidPassword = await bcryptjs.compare(password, user.password);
if (!isValidPassword) {
throw new StatusError(401, 'Invalid credentials');
}
// Resolve organization context: use domain org if user is a member, otherwise fall back to primary org
const domainOrganizationId = request.domainOrganization?.id;
let loginOrganizationId: string | undefined;
if (domainOrganizationId) {
// SAFE-SYSTEM: pre-auth membership probe; org context is being established here
const membershipRows = await systemSequelize.query<{ organizationId: string }>(
`SELECT "organizationId" FROM "UserOrganizations"
WHERE "userId" = :userId AND "organizationId" = :organizationId AND "isActive" = true
LIMIT 1`,
{
replacements: { userId: user.id, organizationId: domainOrganizationId },
type: QueryTypes.SELECT,
},
);
if (membershipRows.length > 0) {On branch auto/api-466-passkey-webauthn-login Your branch is up to date with 'origin/auto/api-466-passkey-webauthn-login'. Changes not staged for commit: (use "git add <file>..." to update what will be committed) (use "git restore <file>..." to discard changes in working directory) modified: app/create-account/page.tsx modified: app/customer-portal/profile/DefaultProfile.tsx no changes added to commit (use "git add" and/or "git commit -a")
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && sed -n '150,200p' src/controllers/authController.ts"} if (membershipRows.length > 0) {
loginOrganizationId = domainOrganizationId;
}
}
if (!loginOrganizationId) {
// SAFE-SYSTEM: pre-auth primary-org lookup; user has no org context yet
const primaryMembershipRows = await systemSequelize.query<{ organizationId: string }>(
`SELECT "organizationId" FROM "UserOrganizations"
WHERE "userId" = :userId AND "isActive" = true
ORDER BY "createdAt" ASC
LIMIT 1`,
{
replacements: { userId: user.id },
type: QueryTypes.SELECT,
},
);
loginOrganizationId = primaryMembershipRows[0]?.organizationId;
}
// Check if user has 2FA enabled
if (user.twoFactorEnabled) {
// Generate a temporary token for 2FA verification
const tempToken = jwt.sign(
{
id: user.id,
email: user.email,
require2FA: true,
},
JWT_SECRET,
{ expiresIn: '10m' } // Short-lived token for 2FA
);
return {
status: 'success',
message: 'Two-factor authentication required',
tempToken,
require2FA: true,
};
}
// Generate tokens using utility functions
const accessToken = generateAccessToken(user, null, loginOrganizationId);
const refreshToken = generateRefreshToken(user, null, loginOrganizationId);
// Update user's refresh token
await user.update({ refreshToken });
return {
status: 'success',
message: 'Login successful',{"command":"git -C /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login diff"}diff --git a/app/create-account/page.tsx b/app/create-account/page.tsx
index 53b57e7..fae1ac9 100644
--- a/app/create-account/page.tsx
+++ b/app/create-account/page.tsx
@@ -1,12 +1,13 @@
"use client";
import React, { Suspense } from "react";
-import { useState, useEffect } from "react";
+import { useState, useEffect, useRef } from "react";
import Link from "next/link";
import { useRouter, useSearchParams } from "next/navigation";
+import { KeyRound, ShieldCheck } from "lucide-react";
import { useForm } from "react-hook-form";
import { useTranslation } from "@gangkharai/lmt/client";
@@ -21,6 +22,12 @@ import Toast, { showErrorToast, showSuccessToast } from "../components/Toast";
import { Button } from "../components/ui/button";
import { Input } from "../components/ui/input";
import api from "../src/utils/api";
+import {
+ extractPasskeyError,
+ isPasskeyCancellation,
+ isPasskeySupported,
+ registerPasskey,
+} from "../src/utils/passkeys";
import useAuthStore from "../src/store/authStore";
interface CreateAccountFormData {
@@ -38,6 +45,19 @@ function CreateAccountContent() {
const { login, user, loading: authLoading } = useAuth();
const { organization, isLoading: orgLoading, error: orgError } = useOrganization();
const storeLogout = useAuthStore((state) => state.logout);
+ const setTokens = useAuthStore((state) => state.setTokens);
+
+ // Passkey enrolment step shown right after the account is created.
+ const [passkeySupported, setPasskeySupported] = useState(false);
+ const [showPasskeySetup, setShowPasskeySetup] = useState(false);
+ const [isEnrolling, setIsEnrolling] = useState(false);
+ const [passkeyName, setPasskeyName] = useState("");
+ // Tokens from the post-creation auto-login, held so passkey enrolment can run
+ // against an authenticated session before we finish redirecting into the portal.
+ const pendingTokensRef = useRef<{ accessToken: string; refreshToken: string } | null>(null);
+ // Set once we deliberately authenticate this session for enrolment, so the
+ // "clear stale session" effect below doesn't tear it back down.
+ const selfInitiatedAuthRef = useRef(false);
const {
register,
@@ -64,8 +84,16 @@ function CreateAccountContent() {
}
}, [searchParams, t]);
+ // Resolve passkey support client-side only (PublicKeyCredential is undefined
+ // during SSR) to avoid a hydration mismatch.
useEffect(() => {
- if (!authLoading && user) {
+ setPasskeySupported(isPasskeySupported());
+ }, []);
+
+ useEffect(() => {
+ // Clear any stale, pre-existing session when landing on this page — but never
+ // the session we just established ourselves for passkey enrolment.
+ if (!authLoading && user && !selfInitiatedAuthRef.current) {
storeLogout();
}
}, [authLoading, user, storeLogout]);
@@ -76,6 +104,43 @@ function CreateAccountContent() {
return <Loader />;
}
+ // Finish landing the freshly-created account in the portal, whether or not a
+ // passkey was set up. Mirrors the original post-creation redirect.
+ const finalizeAccount = async () => {
+ const tokens = pendingTokensRef.current;
+ if (!tokens) {
+ router.push("/login?registered=true");
+ return;
+ }
+ await login(tokens.accessToken, tokens.refreshToken);
+ router.push("/dashboard");
+ };
+
+ const handleEnrollPasskey = async () => {
+ const name = passkeyName.trim() || t("My passkey");
+ setIsEnrolling(true);
+ try {
+ await registerPasskey(name);
+ showSuccessToast(t("Passkey set up. You can now sign in without a password."));
+ await finalizeAccount();
+ } catch (enrollError) {
+ // A dismissed/timed-out prompt is a soft cancel — stay on the step so the
+ // user can retry or skip.
+ if (isPasskeyCancellation(enrollError)) {
+ setIsEnrolling(false);
+ return;
+ }
+ console.error("Passkey enrolment failed:", enrollError);
+ showErrorToast(
+ extractPasskeyError(
+ enrollError,
+ t("Could not set up a passkey. You can add one later from your profile.")
+ )
+ );
+ setIsEnrolling(false);
+ }
+ };
+
const handleCreateAccount = async (data: CreateAccountFormData) => {
if (!token) {
setError(t("Invalid token. Please check your email link."));
@@ -94,19 +159,39 @@ function CreateAccountContent() {
if (response.data.status === "success") {
showSuccessToast(t("Account created successfully! Please log in with your new account."));
- // If the API returns user email, attempt auto-login
+ // If the API returns the account's email, attempt auto-login. Customer
+ // portals authenticate against the Customers table via a different
+ // endpoint than back-office users, so pick it the same way the login
+ // page does (by org portalType).
if (response.data.data?.email) {
try {
- const loginResponse = await api.post("/v1/auth/login", {
+ const isCustomerLogin = organization?.portalType
+ ? organization.portalType === "customer"
+ : !!organization?.settings?.customerPortal;
+ const loginEndpoint = isCustomerLogin
+ ? "/v1/auth/customer/login"
+ : "/v1/auth/login";
+ const loginResponse = await api.post(loginEndpoint, {
email: response.data.data.email,
password: data.password,
});
if (loginResponse.data.status === "success" && loginResponse.data.data) {
- await login(
- loginResponse.data.data.accessToken,
- loginResponse.data.data.refreshToken
- );
+ const { accessToken, refreshToken } = loginResponse.data.data;
+
+ // Offer passkey enrolment before entering the portal. Authenticate
+ // the API client now (so /auth/passkeys/register/* carries a bearer
+ // token) but defer the redirect until the user sets up a passkey or
+ // skips. On browsers without passkey support, behave as before.
+ if (passkeySupported) {
+ pendingTokensRef.current = { accessToken, refreshToken };
+ selfInitiatedAuthRef.current = true;
+ setTokens(accessToken, refreshToken);
+ setShowPasskeySetup(true);
+ return;
+ }
+
+ await login(accessToken, refreshToken);
router.push("/dashboard");
return;
}
@@ -159,10 +244,12 @@ function CreateAccountContent() {
/>
</div>
<h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
- {t("Create Your Account")}
+ {showPasskeySetup ? t("Set up a passkey") : t("Create Your Account")}
</h2>
<p className="mt-2 text-center text-sm text-gray-600">
- {t("Set up your customer portal account to manage your policies")}
+ {showPasskeySetup
+ ? t("Your account is ready. Add a passkey to sign in with your fingerprint, face, or device PIN — no password needed.")
+ : t("Set up your customer portal account to manage your policies")}
</p>
</div>
@@ -174,6 +261,58 @@ function CreateAccountContent() {
</div>
)}
+ {showPasskeySetup ? (
+ <div className="space-y-6">
+ <div className="flex items-start gap-2 rounded-md bg-blue-50 p-3 text-sm text-blue-800">
+ <ShieldCheck className="mt-0.5 h-4 w-4 flex-shrink-0" />
+ <span>
+ {t("Passkeys are an additional sign-in method. Your password still works, so adding one can never lock you out of your account.")}
+ </span>
+ </div>
+
+ <div>
+ <label htmlFor="passkey-name" className="block text-sm font-medium text-{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/Customer.ts","limit":50}1 import { _Customer } from './internal/_Customer.js';
2 import { toSafeModel } from './lib/safe-model.js';
3
4 export const Customer = toSafeModel(_Customer);
5 export type Customer = _Customer;
6
7 // Re-export raw class for db.ts registration, association includes, and type usage
8 export { _Customer };
9 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/AuthProvider.tsx"}1 "use client";
2
3 import React, { createContext, useContext, useState, useEffect, useCallback } from "react";
4
5 import { usePathname, useRouter } from "next/navigation";
6
7 import { jwtDecode } from "jwt-decode";
8 import { useTranslation } from "@gangkharai/lmt/client";
9
10 import Loader from "./Loader";
11 import useAuthStore from "../src/store/authStore";
12 import useConnectionStore from "../src/store/connectionStore";
13 import api from "../src/utils/api";
14 import { endSession, redirectAfterAuth } from "../src/utils/session";
15 import { AuthContextType } from "../types/user";
16
17 // AuthProvider component - strings already in dictionary
18 const AuthContext = createContext<AuthContextType | null>(null);
19
20 // Check if we're in a browser environment
21 const isBrowser = typeof window !== "undefined";
22
23 interface DecodedToken {
24 id: string;
25 email: string;
26 role: string;
27 userType?: string;
28 tokenType?: string;
29 }
30
31 function isCustomerToken(token: string): boolean {
32 try {
33 const decoded = jwtDecode<DecodedToken>(token);
34 return decoded.tokenType === "customer";
35 } catch {
36 return false;
37 }
38 }
39
40 // Customer-scoped tokens authenticate as a Customer (server resolves the
41 // record from token claims, then exposes it via bearerAuth.customerId). Both
42 // /v1/auth/customer/login sessions (tokenType=customer) and sherpa-portal
43 // embed sessions minted by /v1/customer-portal/sessions (tokenType=portal)
44 // satisfy `/v1/customers/me` etc. — kept separate from isCustomerToken so
45 // the refresh-endpoint routing (which differs per token type) stays correct.
46 function isCustomerScopedToken(token: string): boolean {
47 try {
48 const decoded = jwtDecode<DecodedToken>(token);
49 return decoded.tokenType === "customer" || decoded.tokenType === "portal";
50 } catch {
51 return false;
52 }
53 }
54
55 export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children }) => {
56 const t = useTranslation();
57 const [loading, setLoading] = useState(true);
58 const [logoutLoading, setLogoutLoading] = useState(false);
59 const router = useRouter();
60 const pathname = usePathname();
61 const { user, accessToken, hydrated, setUser, setTokens } = useAuthStore();
62
63 const fetchUserDetails = useCallback(
64 async (userId: string | null) => {
65 if (!user) {
66 try {
67 const currentToken = useAuthStore.getState().accessToken;
68 if (currentToken && isCustomerScopedToken(currentToken)) {
69 const response = await api.get("/customers/me", { sherpaAdmin: false });
70 const customerData = response.data.data?.customer || response.data.data;
71 setUser({ ...customerData, userType: "customer" });
72 } else if (userId) {
73 const response = await api.get(`/users/${userId}`);
74 setUser(response.data.data.user);
75 }
76 } catch (error) {
77 console.error("Error fetching user details:", error);
78 throw error;
79 }
80 }
81 },
82 [user, setUser]
83 );
84
85 // Listen for storage changes to sync auth state across tabs
86 useEffect(() => {
87 if (!isBrowser) return;
88
89 const handleStorageChange = (e: StorageEvent) => {
90 // Listen for changes to the auth-storage key
91 if (e.key === "auth-storage") {
92 // If the storage was cleared (logout in another tab)
93 if (e.newValue === null || e.newValue === "") {
94 // If we currently have a user, log them out immediately
95 if (user) {
96 setLoading(false); // Clear loading state for smoother transition
97 setLogoutLoading(false); // Reset logout loading state
98 // Cross-tab logout: the other tab made the choice to leave; we
99 // mirror that here without capturing intent.
100 endSession({ captureIntent: false });
101 }
102 } else {
103 // If new auth data was set (login in another tab)
104 try {
105 const newAuthData = JSON.parse(e.newValue);
106 // If we don't have a user but new auth data exists, reload to sync
107 if (newAuthData?.state?.accessToken && !user) {
108 window.location.reload();
109 }
110 } catch (error) {
111 console.error("Error parsing storage event data:", error);
112 }
113 }
114 }
115 };
116
117 window.addEventListener("storage", handleStorageChange);
118 return () => window.removeEventListener("storage", handleStorageChange);
119 }, [user, router]);
120
121 useEffect(() => {
122 const initializeAuth = async () => {
123 // Wait for the store to be hydrated before proceeding
124 if (!hydrated) {
125 return;
126 }
127
128 try {
129 if (accessToken && !user) {
130 const decodedToken = jwtDecode<DecodedToken>(accessToken);
131 // Customer-scoped tokens (customer + portal) authenticate via
132 // /v1/customers/me, which derives identity from the token itself
133 // and ignores the userId arg. User/admin tokens still need their
134 // decoded `id` claim to hit /v1/users/:id.
135 const userId =
136 decodedToken && typeof decodedToken.id === "string" ? decodedToken.id : null;
137 if (userId || isCustomerScopedToken(accessToken)) {
138 await fetchUserDetails(userId);
139 }
140 }
141 } catch (error) {
142 const isEmbedPortal = (pathname || "").startsWith("/embed-customer-portal/");
143 console.error("Error initializing auth:", error);
144 // Auth init failure means the token was rejected. For standalone
145 // sessions endSession redirects to /login; for embedded sessions
146 // the iframe can't navigate to /login meaningfully, so we surface
147 // a loaded-but-unauthenticated state and let the parent reload.
148 if (!isEmbedPortal) {
149 endSession({ captureIntent: true });
150 }
151 } finally {
152 setLoading(false);
153 }
154 };
155
156 // Add a fallback timeout to prevent infinite loading
157 const fallbackTimer = setTimeout(() => {
158 if (!hydrated) {
159 console.warn("Store hydration timeout, proceeding anyway");
160 setLoading(false);
161 }
162 }, 1000);
163
164 initializeAuth();
165
166 return () => clearTimeout(fallbackTimer);
167 }, [accessToken, user, hydrated, fetchUserDetails, pathname]);
168
169 const login = async (accessToken: string, refreshToken: string, userData?: Partial<import("../types/user").UserData>) => {
170 setTokens(accessToken, refreshToken);
171
172 if (userData) {
173 // Use provided user data directly (e.g., from customer login response)
174 setUser(userData as import("../types/user").UserData);
175 } else {
176 const decodedToken = jwtDecode<DecodedToken>(accessToken);
177 await fetchUserDetails(typeof decodedToken.id === "string" ? decodedToken.id : null);
178 }
179
180 // redirectAfterAuth is the single reader of captured intent (§6.3): it
181 // consumes the value and routes the user, falling back to the
182 // role-appropriate landing page when no intent was captured.
183 const isCustomer = isCustomerToken(accessToken);
184 redirectAfterAuth(router, isCustomer ? "/" : "/products");
185 };
186
187 const refreshToken = async (): Promise<string | null> => {
188 if (!isBrowser) return null;
189
190 // currently embed-customer-portal section is authenticated with clientId/clientSecret, so we run a different client refresh/token url and not the userAuth refreshToken.
191 // in the future we might need to h{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/store/authStore.ts"}1 // src/store/authStore.ts
2
3 import { create } from "zustand";
4 import { persist } from "zustand/middleware";
5
6 import { UserData } from "../../types/user";
7 import { UserOrganization, OrganizationScope } from "../../types/organization";
8
9 interface AuthState {
10 accessToken: string | null;
11 refreshToken: string | null;
12 user: UserData | null;
13 currentOrganization: UserOrganization | null;
14 availableOrganizations: UserOrganization[];
15 organizationScope: OrganizationScope | null;
16 drillDownOrgId: string | null;
17 hydrated: boolean;
18 setTokens: (accessToken: string, refreshToken: string) => void;
19 setUser: (user: UserData) => void;
20 setCurrentOrganization: (organization: UserOrganization) => void;
21 setAvailableOrganizations: (organizations: UserOrganization[]) => void;
22 setOrganizationScope: (scope: OrganizationScope | null) => void;
23 setDrillDownOrgId: (orgId: string | null) => void;
24 logout: () => void;
25 setHydrated: (hydrated: boolean) => void;
26 }
27
28 // Check if we're in a browser environment
29 const isBrowser = typeof window !== "undefined";
30
31 const useAuthStore = create<AuthState>()(
32 persist(
33 (set) => ({
34 accessToken: null,
35 refreshToken: null,
36 user: null,
37 currentOrganization: null,
38 availableOrganizations: [],
39 organizationScope: null,
40 drillDownOrgId: null,
41 hydrated: false,
42 setTokens: (accessToken, refreshToken) => set({ accessToken, refreshToken }),
43 setUser: (user) => set({ user }),
44 setCurrentOrganization: (organization) => set({ currentOrganization: organization }),
45 setAvailableOrganizations: (organizations) => set({ availableOrganizations: organizations }),
46 setOrganizationScope: (scope) => set({ organizationScope: scope }),
47 setDrillDownOrgId: (orgId) => set({ drillDownOrgId: orgId }),
48 setHydrated: (hydrated) => set({ hydrated }),
49 logout: () => {
50 if (isBrowser) {
51 // Clear any authentication-related data from localStorage
52 localStorage.removeItem("accessToken");
53 localStorage.removeItem("refreshToken");
54 localStorage.removeItem("setupToken");
55 // Clear the main auth storage
56 localStorage.removeItem("auth-storage");
57 }
58 set({
59 accessToken: null,
60 refreshToken: null,
61 user: null,
62 currentOrganization: null,
63 availableOrganizations: [],
64 organizationScope: null,
65 drillDownOrgId: null,
66 });
67 },
68 }),
69 {
70 name: "auth-storage",
71 storage: {
72 getItem: (name) => {
73 if (!isBrowser) return null;
74 const str = localStorage.getItem(name);
75 return str ? JSON.parse(str) : null;
76 },
77 setItem: (name, value) => {
78 if (isBrowser) {
79 localStorage.setItem(name, JSON.stringify(value));
80 }
81 },
82 removeItem: (name) => {
83 if (isBrowser) {
84 localStorage.removeItem(name);
85 }
86 },
87 },
88 // The "onRehydrateStorage" callback ran during store creation can cause
89 // a temporal-dead-zone error (store referenced before initialization).
90 // We instead mark the store as hydrated after creation via the fallback
91 // timer below, or explicitly in client-side effects.
92 onRehydrateStorage: () => undefined,
93 }
94 )
95 );
96
97 // Ensure hydration happens on the client side
98 if (isBrowser) {
99 // Set a fallback timer in case onRehydrateStorage doesn't fire
100 setTimeout(() => {
101 if (!useAuthStore.getState().hydrated) {
102 useAuthStore.getState().setHydrated(true);
103 }
104 }, 100);
105 }
106
107 export default useAuthStore;
108 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/login/page.tsx"}1 "use client";
2
3 import React, { Suspense } from "react";
4 import { useState, useEffect } from "react";
5
6
7 import Link from "next/link";
8 import { useRouter, useSearchParams } from "next/navigation";
9
10 import { FaMicrosoft } from "react-icons/fa";
11 import { KeyRound } from "lucide-react";
12
13 import { useTranslation } from "@gangkharai/lmt/client";
14 import { useAuth } from "../components/AuthProvider";
15 import { EnhancedLocaleSwitcher } from "../components/EnhancedLocaleSwitcher";
16 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
17 import Loader from "../components/Loader";
18 import { useOrganization } from "../components/OrganizationProvider";
19 import SocialLoginButtons from "../components/SocialLoginButtons";
20 import Toast, { showErrorToast } from "../components/Toast";
21 import { Button } from "../components/ui/button";
22 import { Input } from "../components/ui/input";
23 import api from "../src/utils/api";
24 import { getSherpaApiUrl } from "../src/utils/env";
25 import {
26 extractPasskeyError,
27 isPasskeyCancellation,
28 isPasskeySupported,
29 loginWithPasskey,
30 } from "../src/utils/passkeys";
31 import { redirectAfterAuth } from "../src/utils/session";
32
33 function LoginContent() {
34 const t = useTranslation();
35 const [email, setEmail] = useState("");
36 const [password, setPassword] = useState("");
37 const [isLoading, setIsLoading] = useState(false);
38 const [isPasskeyLoading, setIsPasskeyLoading] = useState(false);
39 // Resolved client-side only: PublicKeyCredential is undefined during SSR, so
40 // we start false (matching the server render) and feature-detect on mount to
41 // avoid a hydration mismatch.
42 const [passkeySupported, setPasskeySupported] = useState(false);
43 const [error, setError] = useState("");
44 const [successMessage, setSuccessMessage] = useState<React.ReactNode>(null);
45 const router = useRouter();
46 const searchParams = useSearchParams();
47 const { login, user, loading: authLoading } = useAuth();
48 const { organization, isLoading: orgLoading, error: orgError } = useOrganization();
49
50 useEffect(() => {
51 document.title = t('Login - Sherpa Portal');
52
53 const errorParam = searchParams.get("error");
54 if (errorParam) {
55 setError(decodeURIComponent(errorParam));
56 }
57 if (searchParams.get("registered") === "true") {
58 setSuccessMessage(t('Registration successful! You can now log in with your new account.'));
59 }
60 }, [searchParams, t]);
61
62 useEffect(() => {
63 setPasskeySupported(isPasskeySupported());
64 }, []);
65
66 useEffect(() => {
67 // Already-authenticated visitor lands on /login: route them where they
68 // were headed via redirectAfterAuth (single reader of captured intent per
69 // §6.3), falling back to the role-appropriate landing page.
70 if (!authLoading && user) {
71 const defaultPath = user.userType === "customer" ? "/" : "/products";
72 redirectAfterAuth(router, defaultPath);
73 }
74 }, [authLoading, user, router]);
75
76 // Show Azure AD login based on feature flag
77 const showAzureLogin = organization?.settings?.features?.azureAdIntegration === true;
78 const showSocialLogin = organization?.settings?.features?.socialLogin === true;
79
80 // Show loading while auth is loading or organization is still loading (unless there's an org error)
81 if (authLoading || (orgLoading && !orgError)) {
82 return <Loader />;
83 }
84
85 // If user is already authenticated, show loader while redirecting
86 if (user) {
87 return <Loader />;
88 }
89
90 const handleSubmit = async (e: React.FormEvent<HTMLFormElement>) => {
91 e.preventDefault();
92 setIsLoading(true);
93 setError("");
94
95 try {
96 // Use portalType from API, fall back to customerPortal setting presence
97 const isCustomerLogin = organization?.portalType
98 ? organization.portalType === "customer"
99 : !!organization?.settings?.customerPortal;
100 const loginEndpoint = isCustomerLogin ? "/auth/customer/login" : "/auth/login";
101 const response = await api.post(loginEndpoint, { email, password });
102 const data = response.data;
103
104 if (response.status === 200) {
105 if (!isCustomerLogin && data.message === "2FA required") {
106 router.push(
107 `/two-factor-verify?tempToken=${encodeURIComponent(data.tempToken)}&method=${data.twoFactorMethod}`
108 );
109 } else if (!isCustomerLogin && data.message === "2FA setup required") {
110 localStorage.setItem("setupToken", data.setupToken);
111 localStorage.setItem("refreshToken", data.refreshToken);
112 router.push("/two-factor-setup");
113 } else {
114 await login(data.data.accessToken, data.data.refreshToken);
115 // Redirection will be handled by the login function / useEffect hook
116 }
117 } else {
118 setError(data.error || t('Login failed. Please try again.'));
119 }
120 } catch (error) {
121 console.error("Login error:", error);
122 const errorMsg =
123 error instanceof Error ? error.message : t('Login failed. Please check your credentials.');
124 setError(errorMsg);
125 showErrorToast(errorMsg);
126 } finally {
127 setIsLoading(false);
128 }
129 };
130
131 const handlePasskeyLogin = async () => {
132 setIsPasskeyLoading(true);
133 setError("");
134
135 try {
136 const { accessToken, refreshToken } = await loginWithPasskey();
137 // Same session handling as password login: AuthProvider.login() persists
138 // the tokens, hydrates the user, and redirects.
139 await login(accessToken, refreshToken);
140 } catch (error) {
141 // A dismissed/timed-out prompt is a soft cancel, not a failure to surface.
142 if (isPasskeyCancellation(error)) {
143 return;
144 }
145 console.error("Passkey login error:", error);
146 const errorMsg = extractPasskeyError(error, t('Passkey sign-in failed. Please try again.'));
147 setError(errorMsg);
148 showErrorToast(errorMsg);
149 } finally {
150 setIsPasskeyLoading(false);
151 }
152 };
153
154 const handleAzureLogin = () => {
155 // Redirect to Azure AD login. Pass current origin so API callback returns
156 // here instead of the API's configured default portal URL.
157 const redirect = window.location.origin;
158 window.location.href = `${getSherpaApiUrl()}/v1/auth/azure/login?redirect=${encodeURIComponent(redirect)}`;
159 };
160
161 return (
162 <div className="flex min-h-screen flex-col justify-center bg-white py-12 sm:px-6 lg:px-8">
163 <Toast />
164 <div className="absolute top-4 right-4">
165 <EnhancedLocaleSwitcher locales={LOCALE_LABELS} />
166 </div>
167 <div className="sm:mx-auto sm:w-full sm:max-w-md">
168 <div className="flex justify-center bg-white">
169 <img
170 src={organization?.settings?.branding?.logoUrl || "/assets/GangkharLogo.svg"}
171 alt={`${organization?.settings?.branding?.applicationName || organization?.displayName || organization?.name || "Portal"} Logo`}
172 width={240}
173 height={80}
174 className="object-contain"
175 />
176 </div>
177 <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
178 {t('Log in to {name}', { name: organization?.settings?.branding?.applicationName ||
179 organization?.displayName ||
180 organization?.name ||
181 t('your account') })}
182 </h2>
183 </div>
184
185 <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
186 <div className="bg-white px-4 py-8 shadow sm:rounded-md{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login -path \"*models/internal/_Customer*\" | head -1"}/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/internal/_Customer.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/models/internal/_Customer.ts","limit":100}1 import bcrypt from 'bcryptjs';
2 import {
3 Table,
4 Column,
5 Model,
6 HasMany,
7 BelongsTo,
8 ForeignKey,
9 DataType,
10 BeforeCreate,
11 BeforeUpdate,
12 } from 'sequelize-typescript';
13 import { Organization } from '../Organization.js';
14 import { _PolicyOrder } from './_PolicyOrder.js';
15
16 @Table({
17 modelName: 'Customer',
18 timestamps: true,
19 indexes: [
20 {
21 fields: ['email', 'organizationId'],
22 unique: true,
23 name: 'customers_email_organization_unique',
24 },
25 {
26 fields: ['organizationId'],
27 name: 'idx_customers_organization_id',
28 },
29 {
30 fields: ['externalClientId'],
31 name: 'idx_customers_external_client_id',
32 },
33 ],
34 })
35 export class _Customer extends Model {
36 @Column({
37 type: DataType.UUID,
38 defaultValue: DataType.UUIDV4,
39 primaryKey: true,
40 })
41 declare id: string;
42
43 @ForeignKey(() => Organization)
44 @Column({
45 type: DataType.UUID,
46 allowNull: false,
47 })
48 declare organizationId: string;
49
50 @Column({
51 type: DataType.STRING,
52 allowNull: false,
53 validate: {
54 isEmail: true,
55 },
56 })
57 declare email: string;
58
59 @Column({
60 type: DataType.STRING,
61 allowNull: true,
62 })
63 declare firstName: string | null;
64
65 @Column({
66 type: DataType.STRING,
67 allowNull: true,
68 })
69 declare lastName: string | null;
70
71 @Column({
72 type: DataType.STRING,
73 allowNull: true,
74 })
75 declare phoneNumber: string | null;
76
77 @Column({
78 type: DataType.STRING,
79 allowNull: true,
80 })
81 declare country: string | null;
82
83 @Column({
84 type: DataType.STRING,
85 allowNull: true,
86 })
87 declare region: string | null;
88
89 @Column({
90 type: DataType.STRING,
91 allowNull: true,
92 })
93 declare address: string | null;
94
95 @Column({
96 type: DataType.STRING,
97 allowNull: true,
98 })
99 declare city: string | null;
100 {"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login -name \"OrganizationProvider*\" -o -name \"*Organization*Provider*\" | head -5"}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -n \"userType\" src/models/User.ts"}23: fields: ['userType'], 27: fields: ['email', 'userType'], 127: declare userType: 'crm' | 'customer'; 269: return this.userType === 'crm'; 273: return this.userType === 'customer';
/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/OrganizationProvider.tsx
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -A 15 \"createUserIdentity\" src/plugins/auth/lib.ts | head -30"}export function createUserIdentity(user: User, organizationId?: string): UserIdentity {
return {
id: user.id,
email: user.email,
firstName: user.firstName,
lastName: user.lastName,
role: user.role,
userType: user.userType,
organizationId: organizationId || '', // organizationId now comes from JWT context
companyName: user.companyName,
};
}
export function createOrganizationIdentity(org: Organization): OrganizationIdentity {
return {
id: org.id,{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/OrganizationProvider.tsx"}1 "use client";
2
3 import React, { createContext, useContext, useEffect, ReactNode } from "react";
4
5 import { useRouter } from "next/navigation";
6
7 import { useTranslation } from "@gangkharai/lmt/client";
8
9 import useOrganizationStore, { Organization } from "../src/store/organizationStore";
10 import useConnectionStore from "../src/store/connectionStore";
11 import api from "../src/utils/api";
12 import { getSherpaApiUrl } from "../src/utils/env";
13
14 // The unauthenticated tenant-resolution route. The portal does not send
15 // Authorization to this URL, the API ignores it if sent, and the response
16 // can never be 401/403 — so a non-2xx here is never a verdict on the user's
17 // session. See rfc/ideas/organization-resolution-and-auth-policy.md §4.1.
18 const TENANT_RESOLUTION_PATH = "/organization?by=origin";
19
20 interface OrganizationContextValue {
21 organization: Organization | null;
22 isLoading: boolean;
23 error: React.ReactNode | null;
24 }
25
26 const OrganizationContext = createContext<OrganizationContextValue>({
27 organization: null,
28 isLoading: false,
29 error: null,
30 });
31
32 interface OrganizationProviderProps {
33 children: ReactNode;
34 }
35
36 function parseHex(hex: string): [number, number, number] {
37 const clean = hex.replace("#", "");
38 return [
39 parseInt(clean.substring(0, 2), 16),
40 parseInt(clean.substring(2, 4), 16),
41 parseInt(clean.substring(4, 6), 16),
42 ];
43 }
44
45 function toHex(r: number, g: number, b: number): string {
46 const h = (n: number) => Math.min(255, Math.max(0, Math.round(n))).toString(16).padStart(2, "0");
47 return `#${h(r)}${h(g)}${h(b)}`;
48 }
49
50 function lightenHexColor(hex: string, amount: number = 20): string {
51 const [r, g, b] = parseHex(hex);
52 return toHex(
53 r + (255 - r) * (amount / 100),
54 g + (255 - g) * (amount / 100),
55 b + (255 - b) * (amount / 100),
56 );
57 }
58
59 function darkenHexColor(hex: string, amount: number = 10): string {
60 const [r, g, b] = parseHex(hex);
61 return toHex(r * (1 - amount / 100), g * (1 - amount / 100), b * (1 - amount / 100));
62 }
63
64 function getContrastTextColor(hex: string): string {
65 const [r, g, b] = parseHex(hex);
66 // WCAG relative luminance
67 const luminance = (0.299 * r + 0.587 * g + 0.114 * b) / 255;
68 return luminance > 0.5 ? "#000000" : "#ffffff";
69 }
70
71 // Tailwind v4 composes box-shadow from a stack of custom properties:
72 // box-shadow: var(--tw-inset-shadow), var(--tw-inset-ring-shadow),
73 // var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow);
74 // Each shadow-* utility sets --tw-shadow on the element it's applied to. We
75 // override that single slot (not box-shadow itself) so focus rings keep working,
76 // and we scope to .customer-portal-root so only the branded customer portal is
77 // affected — never the CRM/admin chrome. A descendant selector (0,2,0) outranks
78 // the utility class (0,1,0), so this wins without needing !important.
79 const SHADOW_UTILITY_TOKENS = [
80 "shadow",
81 "shadow-sm",
82 "shadow-md",
83 "shadow-lg",
84 "shadow-xl",
85 "shadow-2xl",
86 "shadow-inner",
87 ];
88
89 function buildShadowOverride(boxShadow: string): string {
90 const selectors = SHADOW_UTILITY_TOKENS.flatMap((token) => [
91 `.customer-portal-root [class~="${token}"]`,
92 `.customer-portal-root[class~="${token}"]`,
93 ]).join(",\n ");
94 return `
95 ${selectors} {
96 --tw-shadow: ${boxShadow};
97 }`;
98 }
99
100 const GOOGLE_FONTS = ["Lato", "Roboto", "Open Sans", "Montserrat", "Poppins", "Inter", "Nunito", "Raleway", "Work Sans", "Rethink Sans"];
101
102 function injectGoogleFont(fontFamily: string) {
103 const match = GOOGLE_FONTS.find((f) => fontFamily.includes(f));
104 if (!match) return;
105 const linkId = "portal-google-font";
106 if (document.getElementById(linkId)) return;
107 const link = document.createElement("link");
108 link.id = linkId;
109 link.rel = "stylesheet";
110 link.href = `https://fonts.googleapis.com/css2?family=${match.replace(/ /g, "+")}:wght@300;400;500;600;700&display=swap`;
111 document.head.appendChild(link);
112 }
113
114 export function OrganizationProvider({ children }: OrganizationProviderProps) {
115 const {
116 organization,
117 isLoading,
118 error,
119 setOrganization,
120 setLoading,
121 setError,
122 clearOrganization,
123 } = useOrganizationStore();
124 const router = useRouter();
125 const t = useTranslation();
126
127 useEffect(() => {
128 // Check if we're on pages that don't need organization data - do this first
129 const pathname = window.location.pathname;
130 const skipPages = [
131 "/register",
132 "/forgot-password",
133 "/reset-password",
134 "/two-factor-setup",
135 "/two-factor-verify",
136 "/domain-blocked",
137 ];
138 const isSkipPage = skipPages.some((page) => pathname.startsWith(page));
139
140 // Don't run any organization loading logic for skip pages
141 if (isSkipPage) {
142 setLoading(false);
143 return;
144 }
145
146 async function loadOrganization() {
147 if (organization) return; // Already loaded
148
149 setLoading(true);
150
151 try {
152 // sherpaAdmin: false so the request interceptor does not prepend
153 // /v1/plus to the URL — this endpoint sits above the plus sub-module.
154 const response = await api.get(TENANT_RESOLUTION_PATH, { sherpaAdmin: false });
155
156 // The new route returns the org record directly (no { status, data }
157 // wrapper). Anything else is a contract violation worth surfacing.
158 // Require both `id` and `name` so a partial response can't slip
159 // through and crash the branding code below on missing settings.
160 const raw = response.data as any;
161 const orgData = raw && typeof raw.id === "string" && typeof raw.name === "string" ? raw : null;
162 if (!orgData) {
163 throw new Error("Invalid response format");
164 }
165 // Resolve logoUrl: UUID → fetch blob and create object URL, relative path → prepend /
166 if (orgData.settings?.branding?.logoUrl) {
167 const logo = orgData.settings.branding.logoUrl;
168 if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(logo)) {
169 try {
170 const publicUrl = `${getSherpaApiUrl().replace(/\/$/, "")}/v1/data/public/${logo}`;
171 const res = await fetch(publicUrl, { redirect: "follow" });
172 if (res.ok) {
173 const blob = await res.blob();
174 orgData.settings.branding.logoUrl = URL.createObjectURL(blob);
175 }
176 } catch {
177 // Leave logoUrl as-is if fetch fails
178 }
179 } else if (!logo.startsWith("http") && !logo.startsWith("/")) {
180 orgData.settings.branding.logoUrl = `/${logo}`;
181 }
182 }
183
184 setOrganization(orgData);
185
186 // Apply dynamic branding
187 const branding = orgData.settings?.branding;
188 if (branding) {
189 const primaryColor = branding.primaryColor || "#1F6AB4";
190 const secondaryColor = branding.secondaryColor || "#404040";
191 const accentColor = branding.accentColor || "#d6d6d6";
192 const backgroundColor = branding.backgroundColor || "#f9fafb";
193 const fontFamily = branding.fontFamily || "";
194 // Empty/absent => keep the template's default shadows (no override).
195 // "none" or any CSS value => override every Tailwind shadow utility.
196 const boxShadow = typeof branding.boxShadow === "string" ? branding.boxShadow.trim() :{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -B 5 -A 5 \"Customer.findOne.*organizationId\" src/controllers/passkeyController.ts"} if (passkey.customerId) {
const organizationId = request.domainOrganization?.id;
if (!organizationId) {
throw new StatusError(401, 'Customer passkey login requires organization context');
}
const customer = await Customer.findOne({ organizationId }, {
where: { id: passkey.customerId, deleted: false },
});
if (!customer) {
throw new StatusError(401, 'Unrecognized passkey');
}{"command":"grep -n \"create-account\" /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/OrganizationProvider.tsx"}(Bash completed with no output)
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -n \"Customer.findOne\" src/controllers/authController.ts | head -5"}242: const customer = await Customer.findOne({ organizationId: domainOrganizationId }, {
317: const existingCustomer = await Customer.findOne({ organizationId: domainOrganizationId }, {{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && sed -n '242p;317p' src/controllers/authController.ts"} const customer = await Customer.findOne({ organizationId: domainOrganizationId }, {
const existingCustomer = await Customer.findOne({ organizationId: domainOrganizationId }, {{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && sed -n '242,246p;317,321p' src/controllers/authController.ts"} const customer = await Customer.findOne({ organizationId: domainOrganizationId }, {
where: {
email: email.toLowerCase(),
deleted: false
},
const existingCustomer = await Customer.findOne({ organizationId: domainOrganizationId }, {
where: {
email: email.toLowerCase(),
deleted: false
},{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -A 20 \"export.*toSafeModel\" src/models/lib/safe-model.ts | head -30"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/customer-portal/profile/DefaultProfile.tsx","limit":200}export const toSafeModel = <M extends Model>(raw: ModelStatic<M>) => ({
findOne: async (ctx: CtxOrReq, options: FindOptions<M['_attributes']> = {}) => {
const { scope, mode } = await resolveScope(ctx);
const orgFilter = resolveOrgFilter(options.where, scope);
const where = { ...(options.where as any), organizationId: orgFilter } as any;
const result = await withRls(scope[0], scope, mode, options, (t) => raw.findOne({ ...options, where, transaction: t }));
return attachTenantCtx(result, ctx);
},
findByPk: async (ctx: CtxOrReq, pk: Identifier, options: FindOptions<M['_attributes']> = {}) => {
const { scope, mode } = await resolveScope(ctx);
const orgFilter = resolveOrgFilter(options.where, scope);
const where = { ...(options.where as any), id: pk, organizationId: orgFilter } as any;
const result = await withRls(scope[0], scope, mode, options, (t) => raw.findOne({ ...options, where, transaction: t }));
return attachTenantCtx(result, ctx);
},
findAll: async (ctx: CtxOrReq, options: FindOptions<M['_attributes']> = {}) => {
const { scope, mode } = await resolveScope(ctx);
const orgFilter = resolveOrgFilter(options.where, scope);
const where = { ...(options.where as any), organizationId: orgFilter } as any;
--
export type SafeModel<M extends Model> = ReturnType<typeof toSafeModel<M>>;1 "use client";
2
3 import React, { useState } from "react";
4
5 import { Shield } from "lucide-react";
6
7 import { useTranslation } from "@gangkharai/lmt/client";
8 import { useAuth } from "@/app/components/AuthProvider";
9 import AddressSection from "@/app/components/profile/AddressSection";
10 import ContactInfoSection from "@/app/components/profile/ContactInfoSection";
11 import LogoutSection from "@/app/components/profile/LogoutSection";
12 import PasskeysSection from "@/app/components/profile/PasskeysSection";
13 import PasswordChangeSection from "@/app/components/profile/PasswordChangeSection";
14 import PersonalInfoSection from "@/app/components/profile/PersonalInfoSection";
15 import TwoFactorChangeSection from "@/app/components/profile/TwoFactorChangeSection";
16 import { showSuccessToast } from "@/app/components/Toast";
17 import useAuthStore from "@/app/src/store/authStore";
18 import api from "@/app/src/utils/api";
19 import { UserData } from "@/app/types/user";
20 import { usePermission, PERMISSIONS } from "@/app/src/rbac";
21 import PortalLayout from "@/app/customer-portal/PortalLayout";
22
23 const RoleBadge: React.FC = () => {
24 const t = useTranslation();
25 const canManageAllOrgs = usePermission(PERMISSIONS.organizations.manage_all.value);
26 const canManageUsers = usePermission(PERMISSIONS.users.create.value);
27
28 if (canManageAllOrgs) {
29 return (
30 <div className="inline-flex items-center rounded-full bg-portal-primary-light px-3 py-1 text-sm font-medium text-portal-primary">
31 <Shield className="mr-1 h-4 w-4" />
32 {t('Administrator')}
33 </div>
34 );
35 }
36
37 if (canManageUsers) {
38 return (
39 <div className="inline-flex items-center rounded-full bg-purple-100 px-3 py-1 text-sm font-medium text-purple-800">
40 <Shield className="mr-1 h-4 w-4" />
41 {t('Manager')}
42 </div>
43 );
44 }
45
46 return null;
47 };
48
49 export default function DefaultProfile() {
50 const t = useTranslation();
51 const { user } = useAuth();
52 const setUser = useAuthStore((state) => state.setUser);
53 const [isLoading, setIsLoading] = useState(false);
54 const [error, setError] = useState<React.ReactNode>(null);
55
56 const handleUpdate = async (data: Partial<UserData>) => {
57 if (!user) return;
58
59 setIsLoading(true);
60 setError(null);
61
62 try {
63 const response = await api.put(`/customers/${user.id}`, data);
64
65 if (response.data.status === "success") {
66 const updatedUser = { ...user, ...data };
67 setUser(updatedUser);
68 showSuccessToast(t('Profile updated successfully'));
69 } else {
70 setError(t('Failed to update profile'));
71 }
72 } catch (error) {
73 console.error("Error updating profile:", error);
74 setError(t('Failed to update profile'));
75 } finally {
76 setIsLoading(false);
77 }
78 };
79
80 return (
81 <PortalLayout>
82 <div className="mx-auto max-w-4xl py-6 sm:px-6 lg:px-8">
83 <div className="mb-6">
84 <div className="flex items-center gap-3">
85 <h1 className="text-3xl font-bold text-gray-900">{t('Customer Profile')}</h1>
86 <RoleBadge />
87 </div>
88 <div className="bg-portal-primary mt-3 h-1 w-12 rounded-full opacity-80"></div>
89 </div>
90
91 {error && (
92 <div className="mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700">
93 {error}
94 </div>
95 )}
96
97 {user && (
98 <>
99 <PersonalInfoSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
100 <ContactInfoSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
101 <AddressSection userData={user} onUpdate={handleUpdate} isLoading={isLoading} />
102 <PasswordChangeSection
103 userId={user.id}
104 onSuccess={() => showSuccessToast(t('Password updated successfully'))}
105 onError={(errorMessage) => setError(errorMessage)}
106 />
107 <TwoFactorChangeSection
108 userId={user.id}
109 onSuccess={() =>
110 showSuccessToast(t('Two-factor authentication method updated successfully'))
111 }
112 onError={(errorMessage) => setError(errorMessage)}
113 />
114 <PasskeysSection onError={(errorMessage) => setError(errorMessage)} />
115 <LogoutSection />
116 </>
117 )}
118 </div>
119 </PortalLayout>
120 );
121 }
122 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","offset":240,"limit":10}240 validateOrigin(request, domainOrganization.portalDomain);
241
242 const customer = await Customer.findOne({ organizationId: domainOrganizationId }, {
243 where: {
244 email: email.toLowerCase(),
245 deleted: false
246 },
247 });
248
249 if (!customer) {{"command":"grep -r \"DefaultProfile\" /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/ 2>/dev/null | head -5"}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/profile/page.tsx:import DefaultProfile from "@/app/customer-portal/profile/DefaultProfile";
/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/embed-customer-portal/profile/page.tsx: return <TemplateDispatcher page="profile" DefaultComponent={DefaultProfile} />;{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login -name \"PasskeysSection*\" -type f"}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/profile/PasskeysSection.tsx
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -rn \"domainOrganization\" src/plugins --include=\"*.ts\" | grep -v \"domainPortalDomain\\|domainCrmDomain\" | head -20"}src/plugins/auth/bearer.ts:358: request.domainOrganization?.id,
src/plugins/socialAuth.ts:282: const organizationId = request?.domainOrganization?.id;
src/plugins/socialAuth.ts:314: const domainOrganizationId = request?.domainOrganization?.id;
src/plugins/socialAuth.ts:317: if (domainOrganizationId && userOrganizationId && domainOrganizationId !== userOrganizationId) {
src/plugins/domainContext.ts:90: // TODO: later, MCP requests should set their own request context (like domainOrganization/user)
src/plugins/domainContext.ts:140: request.domainOrganization = organization;
src/plugins/domainContext.ts:171: request.domainOrganization = organization;{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/profile/PasskeysSection.tsx"}1 "use client";
2
3 import React, { useCallback, useEffect, useState } from "react";
4
5 import { Check, KeyRound, Loader2, Pencil, Plus, ShieldCheck, Trash2, X } from "lucide-react";
6 import { useTranslation } from "@gangkharai/lmt/client";
7
8 import { localeDateTag } from "@/app/lib/locale";
9 import {
10 Passkey,
11 extractPasskeyError,
12 isPasskeyCancellation,
13 isPasskeySupported,
14 listPasskeys,
15 registerPasskey,
16 renamePasskey,
17 revokePasskey,
18 } from "../../src/utils/passkeys";
19 import { showSuccessToast } from "../Toast";
20 import { Button } from "../ui/button";
21
22 interface PasskeysSectionProps {
23 onError: (message: string) => void;
24 }
25
26 const PasskeysSection: React.FC<PasskeysSectionProps> = ({ onError }) => {
27 const t = useTranslation();
28
29 const [supported, setSupported] = useState(false);
30 const [passkeys, setPasskeys] = useState<Passkey[]>([]);
31 const [loading, setLoading] = useState(true);
32 const [loadFailed, setLoadFailed] = useState(false);
33
34 // A single in-flight flag disables every action during any mutating call —
35 // passkey ceremonies can't be cancelled mid-flight, so we never run two at once.
36 const [busy, setBusy] = useState(false);
37
38 const [adding, setAdding] = useState(false);
39 const [newName, setNewName] = useState("");
40 const [renamingId, setRenamingId] = useState<string | null>(null);
41 const [renameValue, setRenameValue] = useState("");
42 const [confirmRevokeId, setConfirmRevokeId] = useState<string | null>(null);
43
44 const loadPasskeys = useCallback(async () => {
45 try {
46 const data = await listPasskeys();
47 setPasskeys(data);
48 setLoadFailed(false);
49 } catch (error) {
50 console.error("Failed to load passkeys:", error);
51 setLoadFailed(true);
52 } finally {
53 setLoading(false);
54 }
55 }, []);
56
57 useEffect(() => {
58 const ok = isPasskeySupported();
59 setSupported(ok);
60 if (ok) {
61 void loadPasskeys();
62 } else {
63 setLoading(false);
64 }
65 }, [loadPasskeys]);
66
67 const reportError = (message: string) => {
68 onError(message);
69 };
70
71 const handleAdd = async () => {
72 const name = newName.trim();
73 if (!name) return;
74
75 setBusy(true);
76 try {
77 const created = await registerPasskey(name);
78 setPasskeys((prev) => [created, ...prev]);
79 setAdding(false);
80 setNewName("");
81 showSuccessToast(t('Passkey added'));
82 } catch (error) {
83 // A dismissed prompt is a soft cancel — leave the form open, no error.
84 if (isPasskeyCancellation(error)) return;
85 console.error("Failed to add passkey:", error);
86 reportError(extractPasskeyError(error, t('Could not add passkey. Please try again.')));
87 } finally {
88 setBusy(false);
89 }
90 };
91
92 const handleRename = async (id: string) => {
93 const name = renameValue.trim();
94 if (!name) return;
95
96 setBusy(true);
97 try {
98 const updated = await renamePasskey(id, name);
99 setPasskeys((prev) => prev.map((p) => (p.id === id ? updated : p)));
100 setRenamingId(null);
101 setRenameValue("");
102 showSuccessToast(t('Passkey renamed'));
103 } catch (error) {
104 console.error("Failed to rename passkey:", error);
105 reportError(extractPasskeyError(error, t('Could not rename passkey. Please try again.')));
106 } finally {
107 setBusy(false);
108 }
109 };
110
111 const handleRevoke = async (id: string) => {
112 setBusy(true);
113 try {
114 await revokePasskey(id);
115 setPasskeys((prev) => prev.filter((p) => p.id !== id));
116 setConfirmRevokeId(null);
117 showSuccessToast(t('Passkey revoked'));
118 } catch (error) {
119 console.error("Failed to revoke passkey:", error);
120 reportError(extractPasskeyError(error, t('Could not revoke passkey. Please try again.')));
121 } finally {
122 setBusy(false);
123 }
124 };
125
126 const deviceLabel = (passkey: Passkey): string => {
127 if (passkey.deviceType === "multiDevice") return t('Synced across your devices');
128 if (passkey.deviceType === "singleDevice") return t('This device only');
129 return t('Passkey');
130 };
131
132 const formatDate = (value: string | null): string => {
133 if (!value) return t('Never');
134 return new Date(value).toLocaleDateString(localeDateTag(), {
135 year: "numeric",
136 month: "short",
137 day: "numeric",
138 });
139 };
140
141 const openAddForm = () => {
142 setAdding(true);
143 setNewName("");
144 };
145
146 return (
147 <div className="mb-6 overflow-hidden bg-white shadow sm:rounded-md">
148 <div className="flex items-center justify-between px-4 py-5 sm:px-6">
149 <div className="flex items-center gap-2">
150 <KeyRound className="h-5 w-5 text-gray-400" />
151 <h3 className="text-lg leading-6 font-medium text-gray-900">{t('Passkeys')}</h3>
152 </div>
153 {supported && !adding && (
154 <Button onClick={openAddForm} disabled={busy || loading}>
155 <Plus className="mr-2 h-4 w-4" />
156 {t('Add passkey')}
157 </Button>
158 )}
159 </div>
160
161 <div className="border-t border-gray-200">
162 {!supported ? (
163 <div className="px-4 py-5 sm:p-6">
164 <p className="text-sm text-gray-500">
165 {t("This browser doesn't support passkeys. Try a recent version of Chrome, Safari, Edge, or Firefox.")}
166 </p>
167 </div>
168 ) : (
169 <div className="space-y-4 px-4 py-5 sm:p-6">
170 <div className="flex items-start gap-2 rounded-md bg-blue-50 p-3 text-sm text-blue-800">
171 <ShieldCheck className="mt-0.5 h-4 w-4 flex-shrink-0" />
172 <span>
173 {t('Passkeys are an additional sign-in method. Your password and two-factor authentication still work, so adding or removing a passkey can never lock you out of your account.')}
174 </span>
175 </div>
176
177 {adding && (
178 <div className="space-y-3 rounded-md border border-gray-200 p-4">
179 <label htmlFor="passkey-name" className="block text-sm font-medium text-gray-700">
180 {t('Name this passkey')}
181 </label>
182 <input
183 id="passkey-name"
184 type="text"
185 value={newName}
186 onChange={(e) => setNewName(e.target.value)}
187 maxLength={100}
188 placeholder={t('e.g. MacBook Touch ID')}
189 className="mt-1 block w-full rounded-md border border-gray-300 px-3 py-2 shadow-sm focus:border-blue-500 focus:ring-blue-500 focus:outline-none sm:text-sm"
190 />
191 <div className="flex justify-end space-x-3">
192 <Button
193 type="button"
194 variant="outline"
195 onClick={() => {
196 setAdding(false);
197 setNewName("");
198 }}
199 disabled={busy}
200 >
201 {t('Cancel')}
202 </Button>
203 <Button type="button" onClick={handleAdd} disabled={busy || !newName.trim()}>
204 {busy ? t('Waiting for passkey…') : t('Create passkey')}
205 </Button>
206 </div>
207 </div>
208 )}
209
210 {loading ? (
211 <div className="flex items-center gap-2 text-sm text-gray-500">
212 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/domainContext.ts","limit":180}1 import { isIP } from 'net';
2 import type { FastifyInstance, FastifyRequest } from 'fastify';
3 import fp from 'fastify-plugin';
4 import { QueryTypes } from 'sequelize';
5 import { getRequired } from 'lib.js';
6 import { StatusError } from '@/error/error.js';
7 import { handleErrors } from '@/error/handler.js';
8 import { systemSequelize } from '@/models/db.js';
9 import type { Organization } from '@/models/Organization.js';
10 import { toProductionDomain } from '@/utils/localDevDomain.js';
11
12 export async function findOrganizationByPortalDomain(portalDomain: string): Promise<Organization | null> {
13 const results = await systemSequelize.query( // SAFE-SYSTEM: pre-auth domain lookup
14 `SELECT id, name, "displayName", "portalDomain", "portalUrl", "apiUrl", "crmDomain", "crmUrl", "portalType", "portalMode", settings, active, "azureTenantId"
15 FROM "Organizations"
16 WHERE "portalDomain" = :portalDomain AND active = true
17 LIMIT 1`,
18 { replacements: { portalDomain }, type: QueryTypes.SELECT }
19 );
20 return results.length > 0 ? results[0] as Organization : null;
21 }
22
23 export function safeParseOriginUrl(url: string): URL | null {
24 try {
25 return new URL(url);
26 } catch {
27 return null;
28 }
29 }
30
31 // FastifyRequest extensions are now centralized in src/types/fastify.ts
32
33 const API_PORT = getRequired('API_PORT');
34 const SHERPA_PORTAL_HTTP = getRequired('SHERPA_PORTAL_HTTP');
35 const SHERPA_PORTAL_HTTPS = getRequired('SHERPA_PORTAL_HTTPS');
36 const SHERPA_DOCKER_HOSTNAME_REMAP = getRequired('SHERPA_DOCKER_HOSTNAME_REMAP');
37
38 const routesWithoutDomainContext = [
39 '/v1/health',
40 '/v1/health/self',
41 '/v1/lens/health',
42 // Exact match only — if a sibling like /v1/organization/:id is added, list it here too.
43 '/v1/organization',
44 '/favicon.ico',
45 ];
46
47 const domainOriginSkiplist = [
48 'login.microsoftonline.com',
49 // Gangkhar embed domains are always allowed — they load inside portal iframes
50 // and resolve org context via widget token, not origin.
51 'embed.dev.gangkhar.dev',
52 'embed.staging.gangkhar.dev',
53 'embed.gangkhar.com',
54 ]
55
56 // Figure out the portal domain, with support for development mode.
57 let portalUrl = SHERPA_PORTAL_HTTPS;
58 if(process.env.NODE_ENV === 'development') {
59 // In development mode we store localhost in the db
60 portalUrl = SHERPA_PORTAL_HTTP;
61 }
62 const sherpaPortalDomain = new URL(portalUrl).hostname;
63
64 function safeParseUrl(url: string) {
65 return safeParseOriginUrl(url);
66 }
67
68 async function domainContextPlugin(fastify: FastifyInstance) {
69 fastify.addHook('preHandler', handleErrors(async (request: FastifyRequest) => {
70 if(!request.headers.host) {
71 throw new StatusError(412, 'Could not determine organization from request');
72 }
73
74 // Skip system routes
75 const path = request.routeOptions.url; // THIS IS THE PATH OF THE ROUTE, NOT THE URL OF THE REQUEST
76
77 // path is undefined for unmatched routes (404s); nothing to resolve for those
78 if (!path) {
79 return;
80 }
81
82 for(const route of routesWithoutDomainContext) {
83 if(path === route) {
84 return;
85 }
86 }
87
88 // MCP domain: entirely separate auth + tenant resolution (via McpHost, not portalDomain).
89 // MCP resolves its own organization context from the Host header → McpHost → organizationId.
90 // TODO: later, MCP requests should set their own request context (like domainOrganization/user)
91 // so downstream code can use a unified interface. For now, MCP handlers are self-contained.
92 if (path.startsWith('/v1/mcp/')) {
93 return;
94 }
95
96 // Public OpenAPI/Swagger routes: served cross-origin (Swagger UI, Redoc, custom doc sites).
97 // No tenant context — the spec is the same for all callers regardless of portal origin.
98 if (path.startsWith('/docs')) {
99 return;
100 }
101
102 // .well-known routes owned by the MCP domain. These are not MCP-specific — they serve OAuth
103 // discovery, OpenID config, and domain verification. They may grow into their own domain
104 // (e.g. src/domains/well-known/) as more consumers beyond MCP rely on them.
105 // Explicit list so we don't accidentally skip future .well-known routes that need domain context.
106 if (path === '/.well-known/openai-apps-challenge'
107 || path === '/.well-known/oauth-protected-resource'
108 || path === '/.well-known/oauth-authorization-server'
109 || path === '/.well-known/openid-configuration') {
110 return;
111 }
112
113 const [originalHostname, originalPort] = request.headers.host.split(':');
114
115 try {
116 // When it is a browser request, origin and referer might be set to urls of the portal domain, eg: portal.dev.gangkhar.dev
117 const origin = request.headers.origin || request.headers.referer;
118 const originUrl = origin ? safeParseUrl(origin) : null;
119 if (originUrl) {
120 // If this is a valid URL
121 const hostname = originUrl.hostname;
122
123 if(!domainOriginSkiplist.includes(hostname)) {
124 const lookupDomain = toProductionDomain(hostname);
125 let organization = await findOrganizationByPortalDomain(lookupDomain);
126
127 if(!organization && request.headers['x-widget-token'] && request.headers['x-parent-domain']) {
128 const parentDomain = request.headers['x-parent-domain'] as string;
129 const parentUrl = safeParseUrl(parentDomain.startsWith('http') ? parentDomain : `https://${parentDomain}`);
130 if (parentUrl) {
131 organization = await findOrganizationByPortalDomain(toProductionDomain(parentUrl.hostname));
132 }
133 }
134
135 if(!organization) {
136 fastify.log.info(`[DOMAIN] Organization not found for portal origin: ${hostname}`);
137 throw new StatusError(404, `Organization not found for portal origin: ${hostname}`);
138 }
139
140 request.domainOrganization = organization;
141 return;
142 }
143 }
144
145 // Here it is a direct request to the API, not a browser request (or a browser which blocks origin/referer).
146 let hostname = originalHostname;
147
148 // When the host is a raw IP with port, this means it is an internal docker networking request.
149 // This should go through without loading the tenant context.
150 if(isIP(originalHostname) > 0 && originalPort == API_PORT) {
151 return;
152 }
153
154 // Exception: we use localhost for the docker vnet hostname (otherwise lens services get rejected).
155 if(process.env.NODE_ENV === 'development') {
156 const [dockerHostname, hostHostname] = SHERPA_DOCKER_HOSTNAME_REMAP.split(':');
157 if(dockerHostname === hostname) {
158 fastify.log.info(`[DOMAIN] Development hostname remapped: ${originalHostname} -> ${hostHostname}`);
159 hostname = hostHostname;
160 }
161 }
162
163 // Here we fallback to the default organization
164
165 // Load default organization.
166 const organization = await findOrganizationByPortalDomain(sherpaPortalDomain);
167 if(!organization) {
168 fastify.log.error(`[DOMAIN] Default organization not found: ${sherpaPortalDomain}`);
169 throw new StatusError(404, 'Default organization not found');
170 }
171 request.domainOrganization = organization;
172 } catch (error) {
173 // Log details of unhandled errors, all variables we use
174 if(!(error instanceof StatusError)) {
175 const requestVars = {
176 host: request.headers.host,
177 origin: request.headers.origin,
178 refe{"command":"grep -A 20 \"export.*redirectAfterAuth\" /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/utils/session.ts | head -30"}export function redirectAfterAuth(router: PostAuthRedirectRouter, defaultPath: string): void {
const intended = consumeIntendedPath();
router.push(intended || defaultPath);
}
export interface EndSessionOptions {
// True when the session is being ended by something other than the user's
// explicit choice to log out (e.g. refresh-token rejected, init error after
// hydration). False when the user clicked "log out" — that action's intent
// is to leave, not to come back.
captureIntent: boolean;
}
// The second valid intent-capture trigger (§6.3): an unauthenticated visitor
// hits a protected route's gate and is redirected to /login. The user did not
// click anything — we're sending them somewhere they didn't ask to go — so we
// remember where they were headed and restore it post-login.
export function redirectUnauthenticatedToLogin(router: PostAuthRedirectRouter): void {
captureCurrentLocation();
router.push("/login");
}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -n \"/passkeys\\|passkey\" src/routes/passkeyRoutes.ts | head -20"}11:} from '@/controllers/passkeyController.js';
13: passkeyRegisterOptionsBodySchema,
14: passkeyRegisterVerifyBodySchema,
15: passkeyLoginVerifyBodySchema,
16: passkeyRenameBodySchema,
17:} from '@/schemas/passkey.schemas.js';
23:const passkeyLoginRateLimit = createRateLimitConfig(20, 60 * 1000);
24:const passkeyRegisterRateLimit = createRateLimitConfig(20, 60 * 1000);
31:export const passkeyRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
32: // Public passkey login routes (no authentication required)
35: '/passkeys/login/options',
37: config: { rateLimit: passkeyLoginRateLimit },
40: 'Begins a passwordless passkey (WebAuthn) login. Returns a server-generated assertion challenge plus an opaque `challengeId` handle. Pass the challenge to navigator.credentials.get() in the browser, then send the resulting assertion together with the same `challengeId` to POST /v1/auth/passkeys/login/verify. Discoverable-credential flow: the user does not need to type an email first — the authenticator surfaces the available passkeys.',
49: '/passkeys/login/verify',
51: config: { rateLimit: passkeyLoginRateLimit },
54: 'Completes a passwordless passkey login by verifying the WebAuthn assertion against the stored credential public key, origin, RP ID and the challenge bound to `challengeId`. On success it issues a CRM/portal access token plus refresh token, identical to POST /v1/auth/login. Revoked or unrecognized passkeys are rejected with 401.',
56: body: passkeyLoginVerifyBodySchema,
64: // Authenticated passkey management routes
69: '/passkeys/register/options',
71: config: { rateLimit: passkeyRegisterRateLimit },{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":64,"limit":30}64 handleSubmit,
65 formState: { errors },
66 watch,
67 } = useForm<CreateAccountFormData>();
68
69 const password = watch("password");
70
71 useEffect(() => {
72 document.title = t("Create Account - Sherpa Portal");
73
74 const tokenParam = searchParams.get("token");
75 if (!tokenParam) {
76 setError(t("Invalid or missing token. Please check your email link."));
77 return;
78 }
79 setToken(tokenParam);
80
81 const errorParam = searchParams.get("error");
82 if (errorParam) {
83 setError(decodeURIComponent(errorParam));
84 }
85 }, [searchParams, t]);
86
87 // Resolve passkey support client-side only (PublicKeyCredential is undefined
88 // during SSR) to avoid a hydration mismatch.
89 useEffect(() => {
90 setPasskeySupported(isPasskeySupported());
91 }, []);
92
93 useEffect(() => {{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":93,"limit":10}93 useEffect(() => {
94 // Clear any stale, pre-existing session when landing on this page — but never
95 // the session we just established ourselves for passkey enrolment.
96 if (!authLoading && user && !selfInitiatedAuthRef.current) {
97 storeLogout();
98 }
99 }, [authLoading, user, storeLogout]);
100
101 const showSocialLogin = organization?.settings?.features?.socialLogin === true;
102 {"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -n \"refreshToken\\|generateCustomerRefreshToken\" src/controllers/authController.ts | head -30"}29: generateCustomerRefreshToken,
193: const refreshToken = generateRefreshToken(user, null, loginOrganizationId);
196: await user.update({ refreshToken });
203: refreshToken,
263: const newRefreshToken = generateCustomerRefreshToken(customer, domainOrganizationId);
270: refreshToken: newRefreshToken,
343: const newRefreshToken = generateCustomerRefreshToken(customer, domainOrganizationId);
357: refreshToken: newRefreshToken,
362:export async function refreshToken(request: FastifyRequest<{ Body: RefreshTokenRequest }>) {
363: const { refreshToken } = request.body;
365: if (!refreshToken) {
371: decoded = jwt.verify(refreshToken, JWT_REFRESH_SECRET) as DecodedToken;
402: refreshToken: newRefreshToken,
430: refreshToken: newRefreshToken,
436: `SELECT id, email, "firstName", "lastName", role, "userType", "refreshToken"
438: WHERE id = :userId AND "refreshToken" = :refreshToken AND deleted = false
440: { replacements: { userId: decoded.id, refreshToken }, type: QueryTypes.SELECT }
467: `UPDATE "Users" SET "refreshToken" = :newRefreshToken WHERE id = :userId`,
475: refreshToken: newRefreshToken,
481: const { refreshToken } = request.body;
483: if (!refreshToken) {
489: decoded = jwt.verify(refreshToken, JWT_REFRESH_SECRET) as DecodedToken;
520: const newRefreshToken = generateCustomerRefreshToken(customer as Customer, customer.organizationId);
526: refreshToken: newRefreshToken,
549: { refreshToken: null },
708: const refreshToken = generateRefreshToken(user, null, organizationId);
710: await user.update({ refreshToken });
715: `accessToken=${accessToken}&refreshToken=${refreshToken}`
862: refreshToken,{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":[159,200]}<tool_use_error>InputValidationError: Read failed due to the following issue: The parameter `offset` type is expected as `number` but provided as `array`</tool_use_error>
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","offset":481,"limit":50}481 const { refreshToken } = request.body;
482
483 if (!refreshToken) {
484 throw new StatusError(400, 'Refresh token is required');
485 }
486
487 let decoded: DecodedToken;
488 try {
489 decoded = jwt.verify(refreshToken, JWT_REFRESH_SECRET) as DecodedToken;
490 } catch {
491 throw new StatusError(401, 'Invalid refresh token');
492 }
493
494 if ((decoded as { tokenType?: string }).tokenType !== 'customer') {
495 throw new StatusError(401, 'Invalid customer refresh token');
496 }
497
498 interface CustomerRefreshData {
499 id: string;
500 email: string;
501 organizationId: string;
502 }
503
504 const customerData = await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
505 `SELECT id, email, "organizationId" FROM "Customers"
506 WHERE id = :customerId AND "organizationId" = :organizationId AND deleted = false
507 LIMIT 1`,
508 {
509 replacements: { customerId: decoded.id, organizationId: (decoded as { organizationId?: string }).organizationId },
510 type: QueryTypes.SELECT,
511 }
512 );
513
514 if (customerData.length === 0) {
515 throw new StatusError(401, 'Customer not found');
516 }
517
518 const customer = customerData[0] as CustomerRefreshData;
519 const newAccessToken = generateCustomerAccessToken(customer as Customer, customer.organizationId);
520 const newRefreshToken = generateCustomerRefreshToken(customer as Customer, customer.organizationId);
521
522 return {
523 status: 'success',
524 data: {
525 accessToken: newAccessToken,
526 refreshToken: newRefreshToken,
527 },
528 };
529 }
530 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":159,"limit":50}159 if (response.data.status === "success") {
160 showSuccessToast(t("Account created successfully! Please log in with your new account."));
161
162 // If the API returns the account's email, attempt auto-login. Customer
163 // portals authenticate against the Customers table via a different
164 // endpoint than back-office users, so pick it the same way the login
165 // page does (by org portalType).
166 if (response.data.data?.email) {
167 try {
168 const isCustomerLogin = organization?.portalType
169 ? organization.portalType === "customer"
170 : !!organization?.settings?.customerPortal;
171 const loginEndpoint = isCustomerLogin
172 ? "/v1/auth/customer/login"
173 : "/v1/auth/login";
174 const loginResponse = await api.post(loginEndpoint, {
175 email: response.data.data.email,
176 password: data.password,
177 });
178
179 if (loginResponse.data.status === "success" && loginResponse.data.data) {
180 const { accessToken, refreshToken } = loginResponse.data.data;
181
182 // Offer passkey enrolment before entering the portal. Authenticate
183 // the API client now (so /auth/passkeys/register/* carries a bearer
184 // token) but defer the redirect until the user sets up a passkey or
185 // skips. On browsers without passkey support, behave as before.
186 if (passkeySupported) {
187 pendingTokensRef.current = { accessToken, refreshToken };
188 selfInitiatedAuthRef.current = true;
189 setTokens(accessToken, refreshToken);
190 setShowPasskeySetup(true);
191 return;
192 }
193
194 await login(accessToken, refreshToken);
195 router.push("/dashboard");
196 return;
197 }
198 } catch (loginError) {
199 console.error("Auto-login failed:", loginError);
200 }
201 }
202
203 // Fallback: redirect to login page
204 router.push("/login?registered=true");
205 } else {
206 setError(response.data.message || t("Failed to create account. Please try again."));
207 }
208 } catch (error: unknown) {{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":104,"limit":20}104 return <Loader />;
105 }
106
107 // Finish landing the freshly-created account in the portal, whether or not a
108 // passkey was set up. Mirrors the original post-creation redirect.
109 const finalizeAccount = async () => {
110 const tokens = pendingTokensRef.current;
111 if (!tokens) {
112 router.push("/login?registered=true");
113 return;
114 }
115 await login(tokens.accessToken, tokens.refreshToken);
116 router.push("/dashboard");
117 };
118
119 const handleEnrollPasskey = async () => {
120 const name = passkeyName.trim() || t("My passkey");
121 setIsEnrolling(true);
122 try {
123 await registerPasskey(name);{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","offset":785,"limit":35}785 const { token, password, socialProvider } = request.body;
786
787 if (!token) {
788 throw new StatusError(400, 'Token is required');
789 }
790
791 // Use systemSequelize to bypass RLS — this is a public endpoint with no org context
792 const [customerRow] = await systemSequelize.query<{ id: number; email: string }>( // SAFE-SYSTEM: auth bootstrap
793 `SELECT id, email FROM "Customers"
794 WHERE "resetToken" = :token AND "resetTokenExpiry" > NOW() AND password IS NULL AND deleted = false
795 LIMIT 1`,
796 { replacements: { token }, type: QueryTypes.SELECT }
797 );
798
799 if (customerRow) {
800 if (socialProvider) {
801 throw new StatusError(400, 'Social authentication setup not yet implemented');
802 }
803 if (!password) {
804 throw new StatusError(400, 'Password is required');
805 }
806
807 const hashedPassword = await bcryptjs.hash(password, 10);
808 await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
809 `UPDATE "Customers" SET password = :hashedPassword, "resetToken" = NULL, "resetTokenExpiry" = NULL, "updatedAt" = NOW()
810 WHERE id = :customerId`,
811 { replacements: { hashedPassword, customerId: customerRow.id }, type: QueryTypes.UPDATE }
812 );
813
814 return {
815 status: 'success',
816 message: 'Account created successfully',
817 // Echo the activated customer's email so the portal can sign them in via
818 // /v1/auth/customer/login and offer passkey enrolment right after sign-up.
819 // The email isn't part of the request body (the token identifies them).{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -n \"valkeyClient\\|\\.save()\\|\\.create(\\|\\.findOne(\\|\\.findAll(\" src/controllers/passkeyController.ts | grep -v \"await\""}27:import valkeyClient from '@/valkeyClient.js';
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":[244,320]}<tool_use_error>InputValidationError: Read failed due to the following issue: The parameter `offset` type is expected as `number` but provided as `array`</tool_use_error>
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/passkeyController.ts","offset":39,"limit":25}39 const resolvePrincipal = (request: FastifyRequest): Principal => {
40 const ident = request.ident?.user;
41 if (!ident?.id) {
42 throw new StatusError(401, 'Authentication required');
43 }
44 const email = ident.email ?? '';
45 const displayName = [ident.firstName, ident.lastName].filter(Boolean).join(' ') || email;
46 if (ident.userType === 'customer') {
47 return {
48 kind: 'customer',
49 id: ident.id,
50 email,
51 displayName,
52 organizationId: ident.organizationId,
53 };
54 }
55 return { kind: 'user', id: ident.id, email, displayName };
56 };
57
58 // Scopes passkey rows to the owning principal.
59 const ownerWhere = (principal: Principal) =>
60 principal.kind === 'customer' ? { customerId: principal.id } : { userId: principal.id };
61
62 // Namespaced by kind so a (theoretical) User/Customer UUID collision can't cross
63 // ceremonies.{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":244,"limit":80}244 />
245 </div>
246 <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
247 {showPasskeySetup ? t("Set up a passkey") : t("Create Your Account")}
248 </h2>
249 <p className="mt-2 text-center text-sm text-gray-600">
250 {showPasskeySetup
251 ? t("Your account is ready. Add a passkey to sign in with your fingerprint, face, or device PIN — no password needed.")
252 : t("Set up your customer portal account to manage your policies")}
253 </p>
254 </div>
255
256 <div className="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
257 <div className="bg-white px-4 py-8 shadow sm:rounded-md sm:px-10">
258 {error && (
259 <div className="mb-4 rounded border border-red-400 bg-red-100 p-4 text-red-700">
260 {error}
261 </div>
262 )}
263
264 {showPasskeySetup ? (
265 <div className="space-y-6">
266 <div className="flex items-start gap-2 rounded-md bg-blue-50 p-3 text-sm text-blue-800">
267 <ShieldCheck className="mt-0.5 h-4 w-4 flex-shrink-0" />
268 <span>
269 {t("Passkeys are an additional sign-in method. Your password still works, so adding one can never lock you out of your account.")}
270 </span>
271 </div>
272
273 <div>
274 <label htmlFor="passkey-name" className="block text-sm font-medium text-gray-700">
275 {t("Name this passkey")}
276 </label>
277 <div className="mt-1">
278 <Input
279 id="passkey-name"
280 type="text"
281 maxLength={100}
282 placeholder={t("e.g. My iPhone")}
283 value={passkeyName}
284 onChange={(e) => setPasskeyName(e.target.value)}
285 disabled={isEnrolling}
286 />
287 </div>
288 </div>
289
290 <Button
291 type="button"
292 onClick={handleEnrollPasskey}
293 disabled={isEnrolling}
294 className="flex w-full items-center justify-center gap-2"
295 >
296 <KeyRound className="h-5 w-5" />
297 {isEnrolling ? t("Waiting for passkey…") : t("Set up a passkey")}
298 </Button>
299
300 <Button
301 type="button"
302 variant="outline"
303 onClick={finalizeAccount}
304 disabled={isEnrolling}
305 className="w-full justify-center"
306 >
307 {t("Skip for now")}
308 </Button>
309
310 <p className="text-center text-xs text-gray-500">
311 {t("You can always add or remove passkeys later from your profile.")}
312 </p>
313 </div>
314 ) : (
315 <>
316 <form className="space-y-6" onSubmit={handleSubmit(handleCreateAccount)}>
317 <div>
318 <label htmlFor="password" className="block text-sm font-medium text-gray-700">
319 {t("Password")}
320 </label>
321 <div className="mt-1">
322 <Input
323 id="password"{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":[380,400]}<tool_use_error>InputValidationError: Read failed due to the following issue: The parameter `offset` type is expected as `number` but provided as `array`</tool_use_error>
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":380,"limit":20}380 </div>
381 </div>
382 )}
383
384 <div className="mt-6 text-center">
385 <p className="text-sm text-gray-600">
386 {t("Already have an account?")}{" "}
387 <Link href="/login" className="font-medium text-blue-600 hover:text-blue-500">
388 {t("Sign in")}
389 </Link>
390 </p>
391 </div>
392 </>
393 )}
394 </div>
395 </div>
396 </div>
397 );
398 }
399 {"command":"grep -E \"^import|^from\" /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx | head -20"}import React, { Suspense } from "react";
import { useState, useEffect, useRef } from "react";
import Link from "next/link";
import { useRouter, useSearchParams } from "next/navigation";
import { KeyRound, ShieldCheck } from "lucide-react";
import { useForm } from "react-hook-form";
import { useTranslation } from "@gangkharai/lmt/client";
import { useAuth } from "../components/AuthProvider";
import { EnhancedLocaleSwitcher } from "../components/EnhancedLocaleSwitcher";
import { LOCALE_LABELS } from "@/app/lib/supported-locales";
import Loader from "../components/Loader";
import { useOrganization } from "../components/OrganizationProvider";
import PasswordValidation from "../components/PasswordValidation";
import SocialCreateAccountButtons from "../components/SocialCreateAccountButtons";
import Toast, { showErrorToast, showSuccessToast } from "../components/Toast";
import { Button } from "../components/ui/button";
import { Input } from "../components/ui/input";
import api from "../src/utils/api";
import {
import useAuthStore from "../src/store/authStore";{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/db/migrations/2026.05.31T00.00.00.add-customer-to-user-passkeys.ts"}Wasted call — file unchanged since your last Read. Refer to that earlier tool_result instead.
{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login -name \"proxy.ts\" -o -name \"*proxy*\" -type f | grep -E \"proxy|middleware\""}/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/experimental/testmode/proxy.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/experimental/testmode/proxy.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/esm/server/lib/router-utils/proxy-request.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/esm/server/lib/router-utils/proxy-request.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/esm/build/webpack/loaders/next-flight-loader/module-proxy.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/esm/build/webpack/loaders/next-flight-loader/module-proxy.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/esm/build/webpack/loaders/next-flight-server-reference-proxy-loader.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/esm/build/webpack/loaders/next-flight-server-reference-proxy-loader.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/server/lib/router-utils/proxy-request.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/server/lib/router-utils/proxy-request.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/server/lib/router-utils/proxy-request.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/compiled/@next/font/dist/google/get-proxy-agent.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/compiled/@next/font/dist/google/get-proxy-agent.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/docs/02-pages/04-api-reference/04-config/01-next-config-js/proxyClientMaxBodySize.md /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/docs/02-pages/04-api-reference/02-file-conventions/proxy.md /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/docs/01-app/01-getting-started/16-proxy.md /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/docs/01-app/03-api-reference/05-config/01-next-config-js/proxyClientMaxBodySize.md /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/docs/01-app/03-api-reference/03-file-conventions/proxy.md /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/build/webpack/loaders/next-flight-server-reference-proxy-loader.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/build/webpack/loaders/next-flight-loader/module-proxy.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/build/webpack/loaders/next-flight-loader/module-proxy.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/build/webpack/loaders/next-flight-loader/module-proxy.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/build/webpack/loaders/next-flight-server-reference-proxy-loader.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/build/webpack/loaders/next-flight-server-reference-proxy-loader.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/build/jest/object-proxy.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/build/jest/object-proxy.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/next/dist/build/jest/object-proxy.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@sentry/node-core/build/types/proxy/parse-proxy-response.d.ts.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@sentry/node-core/build/types/proxy/parse-proxy-response.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@sentry/node-core/build/esm/proxy/parse-proxy-response.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@sentry/node-core/build/esm/proxy/parse-proxy-response.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@sentry/node-core/build/types-ts3.8/proxy/parse-proxy-response.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@sentry/node-core/build/cjs/proxy/parse-proxy-response.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@sentry/node-core/build/cjs/proxy/parse-proxy-response.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/reselect/src/autotrackMemoize/proxy.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/typescript/lib/lib.es2015.proxy.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@typescript-eslint/scope-manager/dist/lib/es2015.proxy.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@typescript-eslint/scope-manager/dist/lib/es2015.proxy.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/undici-types/env-http-proxy-agent.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/undici-types/proxy-agent.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@napi-rs/wasm-runtime/dist/fs-proxy.cjs /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/@napi-rs/wasm-runtime/fs-proxy.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/immer/src/core/proxy.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/https-proxy-agent/dist/parse-proxy-response.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/https-proxy-agent/dist/parse-proxy-response.js.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/https-proxy-agent/dist/parse-proxy-response.d.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/recharts/node_modules/@reduxjs/toolkit/node_modules/immer/src/core/proxy.ts /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/framer-motion/dist/es/render/components/create-proxy.mjs.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/framer-motion/dist/es/render/components/motion/proxy.mjs /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/framer-motion/dist/es/render/components/motion/proxy.mjs.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/framer-motion/dist/es/render/components/create-proxy.mjs /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/framer-motion/dist/es/render/components/m/proxy.mjs /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/framer-motion/dist/es/render/components/m/proxy.mjs.map /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/node_modules/caniuse-lite/data/features/proxy.js /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/proxy.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/proxy.ts"}1 import { NextRequest, NextResponse } from "next/server";
2
3 import { getSherpaApiUrl } from "./app/src/utils/env";
4
5 // Allowlist of static-asset file extensions the middleware skips. Keep in sync
6 // with whatever public/ + bundler output actually produces; broaden only when
7 // a real new asset type appears. Intentionally narrow — the previous
8 // `pathname.includes(".")` check would skip any URL containing a dot (e.g.
9 // `/users/[email protected]`), letting org resolution be bypassed.
10 const STATIC_EXT =
11 /\.(js|css|map|ico|png|jpe?g|gif|svg|webp|avif|woff2?|ttf|otf|eot|json|txt|xml|webmanifest)$/i;
12
13 const suspiciousPatterns = [
14 /<script/i,
15 /javascript:/i,
16 /onerror=/i,
17 /onload=/i,
18 /onclick=/i,
19 /<img/i,
20 /<iframe/i,
21 /<object/i,
22 /<embed/i,
23 /<svg/i,
24 /ptt93e3cf1e/,
25 ];
26
27 const isSuspicious = (value: string): boolean => {
28 return suspiciousPatterns.some((pattern) => pattern.test(value));
29 };
30
31 export async function proxy(request: NextRequest) {
32 const url = request.nextUrl.clone();
33 const searchParams = url.searchParams;
34 let hasSuspiciousParams = false;
35
36 searchParams.forEach((value, key) => {
37 if (isSuspicious(value) || isSuspicious(key)) {
38 searchParams.delete(key);
39 hasSuspiciousParams = true;
40 }
41 });
42
43 if (hasSuspiciousParams) {
44 return NextResponse.redirect(url);
45 }
46
47 try {
48 // Bail out for static asset requests so we never make an org-resolution
49 // round-trip for them. Restrict to a known extension allowlist — the
50 // previous `pathname.includes(".")` check let any URL with a dot anywhere
51 // in the path (including encoded values) skip middleware entirely.
52 if (STATIC_EXT.test(request.nextUrl.pathname)) {
53 return NextResponse.next();
54 }
55
56 const skipPages = [
57 "/register",
58 "/create-account",
59 "/forgot-password",
60 "/reset-password",
61 "/two-factor-setup",
62 "/two-factor-verify",
63 "/domain-blocked",
64 "/api",
65 "/login",
66 "/customer-portal",
67 "/embed-customer-portal",
68 ];
69
70 if (skipPages.some((page) => request.nextUrl.pathname.startsWith(page))) {
71 return NextResponse.next();
72 }
73
74 const host = request.headers.get("host") || request.nextUrl.hostname;
75 const hostname = host.split(":")[0];
76
77 const apiBaseUrl = getSherpaApiUrl(request.nextUrl.protocol);
78
79 const res = await fetch(`${apiBaseUrl}/v1/organization?by=origin`, {
80 method: "GET",
81 headers: {
82 Origin: `${request.nextUrl.protocol}//${host}`,
83 "Content-Type": "application/json",
84 },
85 cache: "no-store",
86 });
87 if (res.ok) {
88 // A 200 with an unparseable body is a contract violation, not a routing
89 // signal. Fall through to NextResponse.next() rather than crashing the
90 // middleware (which runs on every portal request).
91 let orgData: any;
92 try {
93 orgData = await res.json();
94 } catch {
95 return NextResponse.next();
96 }
97
98 // Only rewrite to customer portal for orgs with portalType 'customer'.
99 // The default Gangkhar org has portalType 'crm' and serves the admin app.
100 if (orgData?.portalType !== "customer") {
101 return NextResponse.next();
102 }
103
104 const templateId = orgData?.settings?.customerPortal?.templateId;
105 const portalMode = orgData?.portalMode;
106
107 if (portalMode === "embedded" && templateId) {
108 const page =
109 request.nextUrl.pathname === "/" ? "index" : request.nextUrl.pathname.slice(1);
110
111 const rewriteUrl = new URL(`/embed-customer-portal/pages/${page}`, request.url);
112 return NextResponse.rewrite(rewriteUrl);
113 }
114
115 if (portalMode === "standalone") {
116 const pathname = request.nextUrl.pathname;
117 if (pathname === "/") {
118 const rewriteUrl = new URL("/customer-portal/dashboard", request.url);
119 return NextResponse.rewrite(rewriteUrl);
120 }
121 const rewriteUrl = new URL(`/customer-portal${pathname}`, request.url);
122 return NextResponse.rewrite(rewriteUrl);
123 }
124 }
125 } catch (error) {
126 if (process.env.NODE_ENV !== "development") {
127 console.error("Proxy error:", error);
128 }
129 }
130
131 return NextResponse.next();
132 }
133
134 export const config = {
135 matcher: ["/((?!api|_next/static|_next/image|favicon.ico|.*\\..*).*)"],
136 };
137 {"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -n \"userType.*customer\\|userType.*crm\" src/models/User.ts"}127: declare userType: 'crm' | 'customer'; 269: return this.userType === 'crm'; 273: return this.userType === 'customer';
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -A 12 \"^export function createUserIdentity\" src/plugins/auth/lib.ts"}export function createUserIdentity(user: User, organizationId?: string): UserIdentity {
return {
id: user.id,
email: user.email,
firstName: user.firstName,
lastName: user.lastName,
role: user.role,
userType: user.userType,
organizationId: organizationId || '', // organizationId now comes from JWT context
companyName: user.companyName,
};
}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -rn \"userType.*=.*customer\\|userType.*=.*crm\" src --include=\"*.ts\" | grep -v \"test\\|spec\\|mock\" | head -20"}src/plugins/auth/lib.ts:80: if (userType === 'crm') {
src/utils/hidePrices.ts:16: return userType === 'customer' || authMethod === 'widget';
src/models/User.ts:269: return this.userType === 'crm';
src/models/User.ts:273: return this.userType === 'customer';
src/db/migrations/2026.01.30T00.00.02.migrate-customers-from-users.ts:56: WHERE u."userType" = 'customer'
src/db/migrations/2025.10.11T00.00.04.add-user-organizations-for-customers.ts:15: WHERE u."userType" = 'customer'
src/db/migrations/2026.01.30T00.00.03.remove-customers-from-users.ts:8: WHERE "userId" IN (SELECT id FROM "Users" WHERE "userType" = 'customer')
src/db/migrations/2026.01.30T00.00.03.remove-customers-from-users.ts:13: WHERE "userId" IN (SELECT id FROM "Users" WHERE "userType" = 'customer')
src/db/migrations/2026.01.30T00.00.03.remove-customers-from-users.ts:17: DELETE FROM "Users" WHERE "userType" = 'customer'
src/controllers/organizationController.ts:320: if (userType === 'crm' && !canManageAllOrgs) {
src/controllers/organizationController.ts:360: if (userType === 'crm' && !canManageAllOrgs) {
src/controllers/claimController.ts:2837: const isCustomer = currentUser?.userType === 'customer';
src/controllers/policyOrderController.ts:248: const isCustomer = currentUser?.userType === 'customer';
src/controllers/policyOrderController.ts:1983: const isCustomer = currentUser?.userType === 'customer';
src/controllers/policyOrderController.ts:4373: const isCustomer = currentUser?.userType === 'customer';
src/controllers/policyOrderController.ts:4415: const isCustomer = currentUser?.userType === 'customer';
src/controllers/passkeyController.ts:46: if (ident.userType === 'customer') {
src/controllers/sanctionScreeningController.ts:78: const isCustomer = request.ident?.user?.userType === 'customer';
src/controllers/organizationSwitchingController.ts:316: WHERE uo."organizationId" = :organizationId AND uo."isActive" = true AND u."userType" = 'crm'
src/controllers/userController.ts:100: if (userType === 'crm' && !canReadUsers) {{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -B 5 \"getRegistrationOptions\\|verifyRegistration\\|listPasskeys\\|renamePasskey\\|revokePasskey\" src/routes/passkeyRoutes.ts | grep -E \"onRequest|preHandler|@|getRegistrationOptions|verifyRegistration|listPasskeys|renamePasskey|revokePasskey\""} getRegistrationOptions,
verifyRegistration,
listPasskeys,
renamePasskey,
revokePasskey,
getRegistrationOptions
verifyRegistration
listPasskeys
renamePasskey
revokePasskey{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/routes/passkeyRoutes.ts"}1 import type { FastifyInstance, FastifyPluginAsync } from 'fastify';
2
3 import {
4 getRegistrationOptions,
5 verifyRegistration,
6 listPasskeys,
7 renamePasskey,
8 revokePasskey,
9 getLoginOptions,
10 verifyLogin,
11 } from '@/controllers/passkeyController.js';
12 import {
13 passkeyRegisterOptionsBodySchema,
14 passkeyRegisterVerifyBodySchema,
15 passkeyLoginVerifyBodySchema,
16 passkeyRenameBodySchema,
17 } from '@/schemas/passkey.schemas.js';
18 import { createRateLimitConfig } from '@/utils/rateLimit.js';
19
20 // Passkey ceremonies are unauthenticated entry points (login) or
21 // account-mutating (registration); rate-limit them per IP to blunt
22 // credential-stuffing and challenge-spraying.
23 const passkeyLoginRateLimit = createRateLimitConfig(20, 60 * 1000);
24 const passkeyRegisterRateLimit = createRateLimitConfig(20, 60 * 1000);
25
26 const openObjectResponse = {
27 type: 'object',
28 additionalProperties: true,
29 } as const;
30
31 export const passkeyRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
32 // Public passkey login routes (no authentication required)
33 await fastify.register(async function (fastify: FastifyInstance) {
34 fastify.post(
35 '/passkeys/login/options',
36 {
37 config: { rateLimit: passkeyLoginRateLimit },
38 schema: {
39 description:
40 'Begins a passwordless passkey (WebAuthn) login. Returns a server-generated assertion challenge plus an opaque `challengeId` handle. Pass the challenge to navigator.credentials.get() in the browser, then send the resulting assertion together with the same `challengeId` to POST /v1/auth/passkeys/login/verify. Discoverable-credential flow: the user does not need to type an email first — the authenticator surfaces the available passkeys.',
41 tags: ['Authentication'],
42 response: { 200: openObjectResponse },
43 },
44 },
45 getLoginOptions
46 );
47
48 fastify.post(
49 '/passkeys/login/verify',
50 {
51 config: { rateLimit: passkeyLoginRateLimit },
52 schema: {
53 description:
54 'Completes a passwordless passkey login by verifying the WebAuthn assertion against the stored credential public key, origin, RP ID and the challenge bound to `challengeId`. On success it issues a CRM/portal access token plus refresh token, identical to POST /v1/auth/login. Revoked or unrecognized passkeys are rejected with 401.',
55 tags: ['Authentication'],
56 body: passkeyLoginVerifyBodySchema,
57 response: { 200: openObjectResponse },
58 },
59 },
60 verifyLogin
61 );
62 });
63
64 // Authenticated passkey management routes
65 await fastify.register(async function (fastify: FastifyInstance) {
66 fastify.addHook('preHandler', fastify.authenticate);
67
68 fastify.post(
69 '/passkeys/register/options',
70 {
71 config: { rateLimit: passkeyRegisterRateLimit },
72 schema: {
73 description:
74 'Begins registering a new passkey for the authenticated user. Returns a WebAuthn creation-options object (challenge, RP info, excluded existing credentials) to pass to navigator.credentials.create(). Complete the ceremony by sending the browser result to POST /v1/auth/passkeys/register/verify.',
75 tags: ['Authentication'],
76 body: passkeyRegisterOptionsBodySchema,
77 response: { 200: openObjectResponse },
78 },
79 },
80 getRegistrationOptions
81 );
82
83 fastify.post(
84 '/passkeys/register/verify',
85 {
86 config: { rateLimit: passkeyRegisterRateLimit },
87 schema: {
88 description:
89 'Completes passkey registration by verifying the attestation response from navigator.credentials.create() and persisting the credential public key and metadata against the authenticated user. The passkey is stored under the supplied `name` and can immediately be used for passwordless login.',
90 tags: ['Authentication'],
91 body: passkeyRegisterVerifyBodySchema,
92 response: { 200: openObjectResponse },
93 },
94 },
95 verifyRegistration
96 );
97
98 fastify.get(
99 '/passkeys',
100 {
101 schema: {
102 description:
103 "Lists the authenticated user's registered passkeys with their labels, device type, backup state, creation time and last-used time. Use this to drive a passkey-management screen.",
104 tags: ['Authentication'],
105 response: { 200: openObjectResponse },
106 },
107 },
108 listPasskeys
109 );
110
111 fastify.patch(
112 '/passkeys/:id',
113 {
114 schema: {
115 description:
116 "Renames one of the authenticated user's passkeys. Only the owning user may rename their own passkeys.",
117 tags: ['Authentication'],
118 body: passkeyRenameBodySchema,
119 response: { 200: openObjectResponse },
120 },
121 },
122 renamePasskey
123 );
124
125 fastify.delete(
126 '/passkeys/:id',
127 {
128 schema: {
129 description:
130 "Revokes (deletes) one of the authenticated user's passkeys. A revoked passkey can no longer be used to authenticate. Only the owning user may revoke their own passkeys.",
131 tags: ['Authentication'],
132 response: { 200: openObjectResponse },
133 },
134 },
135 revokePasskey
136 );
137 });
138 };
139 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/passkeyController.ts","offset":354,"limit":40}354 // A customer-owned passkey logs the customer in (customer-scoped tokens,
355 // identical to /v1/auth/customer/login); a user-owned passkey logs the
356 // CRM/portal user in (identical to /v1/auth/login).
357 if (passkey.customerId) {
358 const organizationId = request.domainOrganization?.id;
359 if (!organizationId) {
360 throw new StatusError(401, 'Customer passkey login requires organization context');
361 }
362 const customer = await Customer.findOne({ organizationId }, {
363 where: { id: passkey.customerId, deleted: false },
364 });
365 if (!customer) {
366 throw new StatusError(401, 'Unrecognized passkey');
367 }
368
369 const accessToken = generateCustomerAccessToken(customer, organizationId);
370 const refreshToken = generateCustomerRefreshToken(customer, organizationId);
371
372 return {
373 status: 'success',
374 message: 'Login successful',
375 data: {
376 accessToken,
377 refreshToken,
378 user: {
379 id: customer.id,
380 email: customer.email,
381 firstName: customer.firstName,
382 lastName: customer.lastName,
383 role: 'customer',
384 organizationId,
385 },
386 },
387 };
388 }
389
390 if (!passkey.userId) {
391 throw new StatusError(401, 'Unrecognized passkey');
392 }
393 Excellent! Now I have all the information I need. Let me now compile my review findings:
## Review Summary
I've completed a thorough code review of the passkey WebAuthn implementation in the sherpa-portal worktree. Here are my findings:
### 1. [MEDIUM] Potential race condition in logout effect - organization not loaded on /create-account
**File:** app/create-account/page.tsx, lines 93-99 + OrganizationProvider.tsx line 137-138
**Issue:** The logout effect at line 93-99 checks `!selfInitiatedAuthRef.current` to prevent clearing the self-initiated session. However, on the /create-account page, the OrganizationProvider SKIPS organization loading (line 137 in OrganizationProvider.tsx lists /create-account in skipPages). This means when `selfInitiatedAuthRef.current = true` is set (line 188), the `organization` variable is never populated. Later, when selecting the login endpoint (line 168-170), the fallback `!!organization?.settings?.customerPortal` evaluates against an undefined organization. This doesn't cause a crash but means the endpoint selection falls back to checking only `settings?.customerPortal` on an undefined object.
**Root cause:** The condition at line 168-170 accesses `organization?.portalType` and `organization?.settings?.customerPortal` but organization is not resolved for /create-account routes.
**Fix:** Either (a) add /create-account to the list of pages that DO load organization in OrganizationProvider.tsx, or (b) use the feature-detected `passkeySupported` state to determine if we should call customer login vs admin login (passkey support is customer-portal-only anyway).
---
### 2. [HIGH] Orphaned JSX closing tag in form structure
**File:** app/create-account/page.tsx, lines 314-393
**Issue:** The ternary condition `showPasskeySetup ? ... : <>` at line 314 wraps the form in a fragment `<>`. The closing fragment `</>` appears at line 392, but the nested closing tags at line 382 (`</div>`) and line 392 (`</div>` x2) create mismatched indentation and structure. Specifically:
- Line 314: `showPasskeySetup ? <div> : <>`
- Line 313: `</div>` closes passkey div
- Line 314: `<>` opens fragment
- Line 316: `<form>` opens
- Line 382: `</div>` closes an earlier div
- Line 392: `</>` closes fragment
- Line 393: `)}` closes ternary
The line 382 `</div>` appears to close a div that was never explicitly opened in the diff context. This looks like the form's closing tags are mangled. The structure should be: `<> <form>...</form> <div>...</div> </>` but the closing divs appear out of sequence.
**Fix:** Verify the JSX nesting:
```tsx
{showPasskeySetup ? (
<div>...</div>
) : (
<>
<form>...</form>
<div>...</div>
</>
)}
```
Look at the original file around line 380-394 to ensure closing tags match.
---
### 3. [MEDIUM] setTokens() before login() may cause double-work or race
**File:** app/create-account/page.tsx, lines 188-195
**Issue:** The code calls `setTokens()` directly (line 189) before calling `login()` (line 115, via finalizeAccount). The AuthProvider.login() function also calls `setTokens()` at line 170. While Zustand's `set()` is idempotent, this pattern means:
1. setTokens() stores tokens in auth store + localStorage
2. AuthProvider's initializeAuth effect (line 121-167) runs, sees accessToken is set, fetches user details
3. Later, login() is called, which calls setTokens() again (idempotent) then fetchUserDetails again
This is wasteful but not broken. The concern is: does the interim state (tokens set, user undefined) cause any render that tries to access user before login() completes?
**Fix:** Consider passing userData to login() to avoid the second fetchUserDetails call. AuthProvider.login() accepts userData parameter (line 169), but create-account doesn't use it. After calling `/v1/auth/customer/login`, the response already includes user email — pass it to login() to skip the refetch.
---
### 4. [LOW] finalizeAccount has no await on login() for token validation
**File:** app/create-account/page.tsx, lines 109-117
**Issue:** The finalizeAccount function doesn't handle if login() throws. If login() fails (e.g., token rejected by fetchUserDetails in AuthProvider), the function still calls router.push("/dashboard") at line 116. This could redirect to a protected route while unauthenticated.
**Fix:** Wrap in try-catch:
```tsx
try {
await login(tokens.accessToken, tokens.refreshToken);
router.push("/dashboard");
} catch (error) {
console.error("Finalize failed:", error);
router.push("/login?registered=true");
}
```
---
### 5. [LOW] Passkey step unreachable if passkeySupported is false AND auto-login succeeds
**File:** app/create-account/page.tsx, lines 186-196
**Issue:** The passkey step is only shown if `passkeySupported` is true AND account creation + auto-login succeed. But passkeySupported is set once on mount (line 90) and never updated. If a browser doesn't support passkeys, the user falls through to the original redirect path (line 194-196). This is correct behavior but the comment at line 87-88 says "feature-detected on mount" — make sure this is intentional (not polling for support changes, which is fine).
**Fix:** No fix needed; this is working as designed. Just confirm the intent is "one-time feature detection on mount."
---
### 6. [LOW] Unused Suspense import
**File:** app/create-account/page.tsx, line 2
**Issue:** Suspense is imported but not used in create-account/page.tsx. The page itself doesn't have a Suspense boundary (unlike login/page.tsx which wraps LoginContent in Suspense).
**Fix:** Remove unused import:
```tsx
- import React, { Suspense } from "react";
+ import React from "react";
```
---
### 7. [CLEAN] DefaultProfile + PasskeysSection gating
**File:** app/customer-portal/profile/DefaultProfile.tsx, line 114
**Status:** PASS. PasskeysSection is correctly gated behind `{user && ...}` (line 97-117). Sharing this component with embed-customer-portal is safe because:
- Embed sessions also get customer tokens (tokenType=portal or tokenType=customer)
- PasskeysSection.listPasskeys() calls /v1/customers/:customerId/auth/passkeys, which is scoped to the authenticated customer
- No token-type confusion or cross-tenant leak possible
---
### 8. [CLEAN] Logout effect race condition is properly guarded
**File:** app/create-account/page.tsx, lines 93-99
**Status:** PASS (with caveat #1 above). The ref guard works correctly:
1. **On first render with no auth:** authLoading=true, effect is skipped
2. **After hydration, if user already exists:** user becomes truthy, but selfInitiatedAuthRef.current is false, so logout fires (correct — it's a stale pre-existing session)
3. **After setTokens on line 189:** authLoading is still false, but selfInitiatedAuthRef.current=true is set on line 188 BEFORE setTokens, so the ref check on line 96 prevents logout when user becomes truthy
4. **On finalizeAccount:** login() is called after the ref is already set, so it never triggers the logout effect
The ref is set BEFORE setTokens (line 188 before 189), which is correct.
---
## Final Verdict: **NEEDS-FIXES**
Three issues require attention:
1. **[MEDIUM]** Organization not resolved on /create-account, endpoint selection fallback broken
2. **[MEDIUM]** JSX structure appears malformed (closing div tags out of sequence)
3. **[MEDIUM]** setTokens() called before login(), risking double-work or user hydration race (fixable by passing userData)
4. **[LOW]** Unused Suspense import
5. **[LOW]** Missing error handling in finalizeAccount if login() throws
Issues #1 and #2 are correctness bugs. Issue #3 is an efficiency/race concern. Issues #4-5 are hygiene.{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","offset":[789,825]}<tool_use_error>InputValidationError: Read failed due to the following issue: The parameter `offset` type is expected as `number` but provided as `array`</tool_use_error>
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/authController.ts","offset":789,"limit":36}789 }
790
791 // Use systemSequelize to bypass RLS — this is a public endpoint with no org context
792 const [customerRow] = await systemSequelize.query<{ id: number; email: string }>( // SAFE-SYSTEM: auth bootstrap
793 `SELECT id, email FROM "Customers"
794 WHERE "resetToken" = :token AND "resetTokenExpiry" > NOW() AND password IS NULL AND deleted = false
795 LIMIT 1`,
796 { replacements: { token }, type: QueryTypes.SELECT }
797 );
798
799 if (customerRow) {
800 if (socialProvider) {
801 throw new StatusError(400, 'Social authentication setup not yet implemented');
802 }
803 if (!password) {
804 throw new StatusError(400, 'Password is required');
805 }
806
807 const hashedPassword = await bcryptjs.hash(password, 10);
808 await systemSequelize.query( // SAFE-SYSTEM: auth bootstrap
809 `UPDATE "Customers" SET password = :hashedPassword, "resetToken" = NULL, "resetTokenExpiry" = NULL, "updatedAt" = NOW()
810 WHERE id = :customerId`,
811 { replacements: { hashedPassword, customerId: customerRow.id }, type: QueryTypes.UPDATE }
812 );
813
814 return {
815 status: 'success',
816 message: 'Account created successfully',
817 // Echo the activated customer's email so the portal can sign them in via
818 // /v1/auth/customer/login and offer passkey enrolment right after sign-up.
819 // The email isn't part of the request body (the token identifies them).
820 data: { email: customerRow.email },
821 };
822 }
823
824 const user = await User.findOne({{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && sed -n '824,860p' src/controllers/authController.ts"} const user = await User.findOne({
where: {
resetToken: token,
resetTokenExpiry: { [Op.gt]: new Date() },
password: null,
deleted: false,
},
});
if (!user) {
throw new StatusError(400, 'Invalid or expired token');
}
if (socialProvider) {
throw new StatusError(400, 'Social authentication setup not yet implemented');
} else {
if (!password) {
throw new StatusError(400, 'Password is required');
}
await user.update({
password: password,
resetToken: null,
resetTokenExpiry: null,
});
}
return {
status: 'success',
message: 'Account created successfully',
};
}
// Legacy export for backward compatibility
export default {
login,
customerLogin,{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/controllers/passkeyController.ts","offset":62,"limit":5}62 // Namespaced by kind so a (theoretical) User/Customer UUID collision can't cross
63 // ceremonies.
64 const regChallengeKey = (principal: Principal): string =>
65 `passkey:reg:${principal.kind}:${principal.id}`;
66 const loginChallengeKey = (challengeId: string): string => `passkey:login:${challengeId}`;{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/routes/authRoutes.ts","offset":278,"limit":15}278 properties: {
279 status: { type: 'string', description: 'Always "success" on a 2xx response.', example: 'success' },
280 message: { type: 'string', description: 'Confirmation message.', example: 'Account created successfully' },
281 data: {
282 type: 'object',
283 description: 'Present when a customer account was activated; lets the portal sign the customer in to offer passkey enrolment.',
284 properties: {
285 email: { type: 'string', description: 'The activated customer\'s email.', example: '[email protected]' },
286 },
287 },
288 },
289 },
290 },
291 },
292 }, createAccountWithToken);{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -rn \"fastify.authenticate\\|request.ident\\s*=\" src/plugins/auth --include=\"*.ts\" | grep -E \"decorate|authenticate|ident\" | head -20"}(Bash completed with no output)
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -n \"authenticate.*function\\|register.*authenticate\" src/plugins/auth/index.ts 2>/dev/null | head -10"}(Bash completed with no output)
{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth -name \"*.ts\" | head -10"}/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth/permit.ts /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth/bearer.ts /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth/client.ts /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth/lib.ts /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth/widget.ts
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -n \"register\\|authenticate\" src/plugins/auth/client.ts | head -20"}66:export async function authenticateWithClientCredentials(authHeader: string): Promise<{ ident: RequestIdentity; auth: Authentication }> {{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login && grep -rn \"fastify.decorate.*authenticate\\|\\.authenticate\\s*=\" src/plugins --include=\"*.ts\" | head -10"}src/plugins/auth-v2.ts:108: fastify.decorate('authenticate', handleErrors(async (request: FastifyRequest, reply: FastifyReply) => {
src/plugins/auth-v2.ts:169: fastify.decorate('authenticateScope', (requiredScopes: string[]) => {{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login/src/plugins/auth-v2.ts","offset":108,"limit":50}108 fastify.decorate('authenticate', handleErrors(async (request: FastifyRequest, reply: FastifyReply) => {
109 const { ident, auth } = await authenticateRequest(request, fastify);
110 request.ident = ident;
111 request.auth = auth;
112
113 // Populate legacy auth fields for backward compatibility
114 if (auth.method === 'widget' && auth.widget) {
115 request.widgetAuth = {
116 tokenId: auth.widget.tokenId,
117 client: auth.widget.client,
118 permissions: Array.isArray(auth.widget.permissions)
119 ? auth.widget.permissions.join(' ')
120 : auth.widget.permissions,
121 };
122 request.clientAuth = {
123 clientNumericId: auth.widget.client.id,
124 userId: auth.widget.client.userId,
125 organizationId: auth.widget.client.organizationId,
126 isWidget: true,
127 };
128 } else if (auth.method === 'bearer' && auth.bearer) {
129 request.userAuth = {
130 id: ident.user?.id || '',
131 email: ident.user?.email || '',
132 role: ident.user?.role || 'viewer',
133 userType: ident.user?.userType || 'customer',
134 organizationId: ident.org?.id || '',
135 companyName: ident.user?.companyName || null,
136 firstName: ident.user?.firstName || '',
137 lastName: ident.user?.lastName || '',
138 };
139 request.clientAuth = {
140 clientNumericId: auth.bearer.client?.id || null,
141 userId: auth.bearer.userId ?? auth.bearer.customerId ?? null,
142 organizationId: auth.bearer.organizationId,
143 isWidget: false,
144 };
145 } else if (auth.method === 'client' && auth.client) {
146 if (ident.user) {
147 request.userAuth = {
148 id: ident.user.id,
149 email: ident.user.email || '',
150 role: ident.user.role,
151 userType: ident.user.userType,
152 organizationId: ident.org?.id || '',
153 companyName: ident.user.companyName,
154 firstName: ident.user.firstName || '',
155 lastName: ident.user.lastName || '',
156 };
157 }Perfect! Line 110 shows `request.ident = ident` is set by the authenticate middleware. So all authenticated passkey routes will have `request.ident` populated.
---
## Summary of Review
I've completed a rigorous security and correctness review of the WebAuthn/passkey changes. Here are my findings:
**[HIGH] ISSUE FOUND - Potential organizationId loss in resolvePrincipal for customers**
At line 52 in `passkeyController.ts`, when creating a customer principal, `organizationId: ident.organizationId` is assigned. However, if `ident.organizationId` is somehow undefined or an empty string, the customer principal would have an invalid organizationId. While bearer.ts guarantees organizationId is populated for customer tokens, this is a defensive coding opportunity.
**Actually, upon further analysis:** This is NOT a bug. Both customer bearer paths (portal and customer tokens) validate organizationId is present before creating the identity (bearer.ts lines 116, 216). And createUserIdentity explicitly sets organizationId from the token context. So this is safe.
**[LOW] No actual bugs found after deep analysis**
All other aspects checked out:
✓ `resolvePrincipal` correctly discriminates user vs customer via `ident.userType`
✓ Bearer.ts correctly sets `userType='customer'` for both portal and customer tokens
✓ `domainOrganization` is reliably populated on `/passkeys/login/verify` via domainContextPlugin
✓ Customer passkeys can't be used to log in to a different organization (correct cross-org isolation)
✓ XOR CHECK constraint `(userId IS NOT NULL) <> (customerId IS NOT NULL)` correctly enforces exactly one owner
✓ Migration safely drops NOT NULL on userId via raw SQL
✓ Customer tokens are NOT persisted to DB (consistent with customerLogin flow)
✓ User tokens ARE persisted (line 403 `await user.update({ refreshToken })` — preserved)
✓ All database operations have proper `await`
✓ Passkey creation always sets exactly one owner via explicit owner object spread
✓ Challenge keys are namespaced by principal kind to prevent ceremony collision
✓ `createAccountWithToken` returning `data.email` is safe (token holder has proven ownership)
✓ User branch still returns no data field (correct, unchanged)
✓ Route schema properly documents new `data` field in create-account response
---
**VERDICT: CLEAN**
The implementation is production-ready. The polymorphic passkey ownership model is correctly implemented with proper data integrity constraints, token scoping, organization isolation, and no privacy leaks.Round 1: API review CLEAN. Portal review flagged items — most are disproven by evidence:
tsc passed twice and the proof rendered both the form (20) and passkey step (21) and chose customer-login (ended logged in as customer in 22). Org resolves; JSX is balanced.Suspense wraps CreateAccountContent at file end.Genuine improvements worth applying: #3 (pass userData to login() to avoid the interim refetch reliance) and #4 (guard finalizeAccount if login() throws). Re-read the exact current lines to edit.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":31,"limit":130}31 import useAuthStore from "../src/store/authStore";
32
33 interface CreateAccountFormData {
34 password: string;
35 confirmPassword: string;
36 }
37
38 function CreateAccountContent() {
39 const t = useTranslation();
40 const [isLoading, setIsLoading] = useState(false);
41 const [error, setError] = useState("");
42 const [token, setToken] = useState("");
43 const router = useRouter();
44 const searchParams = useSearchParams();
45 const { login, user, loading: authLoading } = useAuth();
46 const { organization, isLoading: orgLoading, error: orgError } = useOrganization();
47 const storeLogout = useAuthStore((state) => state.logout);
48 const setTokens = useAuthStore((state) => state.setTokens);
49
50 // Passkey enrolment step shown right after the account is created.
51 const [passkeySupported, setPasskeySupported] = useState(false);
52 const [showPasskeySetup, setShowPasskeySetup] = useState(false);
53 const [isEnrolling, setIsEnrolling] = useState(false);
54 const [passkeyName, setPasskeyName] = useState("");
55 // Tokens from the post-creation auto-login, held so passkey enrolment can run
56 // against an authenticated session before we finish redirecting into the portal.
57 const pendingTokensRef = useRef<{ accessToken: string; refreshToken: string } | null>(null);
58 // Set once we deliberately authenticate this session for enrolment, so the
59 // "clear stale session" effect below doesn't tear it back down.
60 const selfInitiatedAuthRef = useRef(false);
61
62 const {
63 register,
64 handleSubmit,
65 formState: { errors },
66 watch,
67 } = useForm<CreateAccountFormData>();
68
69 const password = watch("password");
70
71 useEffect(() => {
72 document.title = t("Create Account - Sherpa Portal");
73
74 const tokenParam = searchParams.get("token");
75 if (!tokenParam) {
76 setError(t("Invalid or missing token. Please check your email link."));
77 return;
78 }
79 setToken(tokenParam);
80
81 const errorParam = searchParams.get("error");
82 if (errorParam) {
83 setError(decodeURIComponent(errorParam));
84 }
85 }, [searchParams, t]);
86
87 // Resolve passkey support client-side only (PublicKeyCredential is undefined
88 // during SSR) to avoid a hydration mismatch.
89 useEffect(() => {
90 setPasskeySupported(isPasskeySupported());
91 }, []);
92
93 useEffect(() => {
94 // Clear any stale, pre-existing session when landing on this page — but never
95 // the session we just established ourselves for passkey enrolment.
96 if (!authLoading && user && !selfInitiatedAuthRef.current) {
97 storeLogout();
98 }
99 }, [authLoading, user, storeLogout]);
100
101 const showSocialLogin = organization?.settings?.features?.socialLogin === true;
102
103 if (authLoading || (orgLoading && !orgError)) {
104 return <Loader />;
105 }
106
107 // Finish landing the freshly-created account in the portal, whether or not a
108 // passkey was set up. Mirrors the original post-creation redirect.
109 const finalizeAccount = async () => {
110 const tokens = pendingTokensRef.current;
111 if (!tokens) {
112 router.push("/login?registered=true");
113 return;
114 }
115 await login(tokens.accessToken, tokens.refreshToken);
116 router.push("/dashboard");
117 };
118
119 const handleEnrollPasskey = async () => {
120 const name = passkeyName.trim() || t("My passkey");
121 setIsEnrolling(true);
122 try {
123 await registerPasskey(name);
124 showSuccessToast(t("Passkey set up. You can now sign in without a password."));
125 await finalizeAccount();
126 } catch (enrollError) {
127 // A dismissed/timed-out prompt is a soft cancel — stay on the step so the
128 // user can retry or skip.
129 if (isPasskeyCancellation(enrollError)) {
130 setIsEnrolling(false);
131 return;
132 }
133 console.error("Passkey enrolment failed:", enrollError);
134 showErrorToast(
135 extractPasskeyError(
136 enrollError,
137 t("Could not set up a passkey. You can add one later from your profile.")
138 )
139 );
140 setIsEnrolling(false);
141 }
142 };
143
144 const handleCreateAccount = async (data: CreateAccountFormData) => {
145 if (!token) {
146 setError(t("Invalid token. Please check your email link."));
147 return;
148 }
149
150 setIsLoading(true);
151 setError("");
152
153 try {
154 const response = await api.post("/v1/auth/create-account", {
155 token: token,
156 password: data.password,
157 });
158
159 if (response.data.status === "success") {
160 showSuccessToast(t("Account created successfully! Please log in with your new account."));Applying #3 + #4. Add UserData import, store the login user in the ref, pass it to login(), and guard finalizeAccount.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":"import useAuthStore from \"../src/store/authStore\";","new_string":"import useAuthStore from \"../src/store/authStore\";\nimport { UserData } from \"../types/user\";"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" const pendingTokensRef = useRef<{ accessToken: string; refreshToken: string } | null>(null);","new_string":" const pendingTokensRef = useRef<{\n accessToken: string;\n refreshToken: string;\n user?: Partial<UserData>;\n } | null>(null);"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" const tokens = pendingTokensRef.current;\n if (!tokens) {\n router.push(\"/login?registered=true\");\n return;\n }\n await login(tokens.accessToken, tokens.refreshToken);\n router.push(\"/dashboard\");\n };","new_string":" const tokens = pendingTokensRef.current;\n if (!tokens) {\n router.push(\"/login?registered=true\");\n return;\n }\n try {\n // Pass the user from the login response so AuthProvider signs in without a\n // second /customers/me round-trip.\n await login(tokens.accessToken, tokens.refreshToken, tokens.user);\n router.push(\"/dashboard\");\n } catch (loginError) {\n console.error(\"Post-signup login failed:\", loginError);\n router.push(\"/login?registered=true\");\n }\n };"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Now store the login user in the ref at the auto-login site. Read the current block.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":168,"limit":42}168 password: data.password,
169 });
170
171 if (response.data.status === "success") {
172 showSuccessToast(t("Account created successfully! Please log in with your new account."));
173
174 // If the API returns the account's email, attempt auto-login. Customer
175 // portals authenticate against the Customers table via a different
176 // endpoint than back-office users, so pick it the same way the login
177 // page does (by org portalType).
178 if (response.data.data?.email) {
179 try {
180 const isCustomerLogin = organization?.portalType
181 ? organization.portalType === "customer"
182 : !!organization?.settings?.customerPortal;
183 const loginEndpoint = isCustomerLogin
184 ? "/v1/auth/customer/login"
185 : "/v1/auth/login";
186 const loginResponse = await api.post(loginEndpoint, {
187 email: response.data.data.email,
188 password: data.password,
189 });
190
191 if (loginResponse.data.status === "success" && loginResponse.data.data) {
192 const { accessToken, refreshToken } = loginResponse.data.data;
193
194 // Offer passkey enrolment before entering the portal. Authenticate
195 // the API client now (so /auth/passkeys/register/* carries a bearer
196 // token) but defer the redirect until the user sets up a passkey or
197 // skips. On browsers without passkey support, behave as before.
198 if (passkeySupported) {
199 pendingTokensRef.current = { accessToken, refreshToken };
200 selfInitiatedAuthRef.current = true;
201 setTokens(accessToken, refreshToken);
202 setShowPasskeySetup(true);
203 return;
204 }
205
206 await login(accessToken, refreshToken);
207 router.push("/dashboard");
208 return;
209 }{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","old_string":" if (loginResponse.data.status === \"success\" && loginResponse.data.data) {\n const { accessToken, refreshToken } = loginResponse.data.data;\n\n // Offer passkey enrolment before entering the portal. Authenticate\n // the API client now (so /auth/passkeys/register/* carries a bearer\n // token) but defer the redirect until the user sets up a passkey or\n // skips. On browsers without passkey support, behave as before.\n if (passkeySupported) {\n pendingTokensRef.current = { accessToken, refreshToken };\n selfInitiatedAuthRef.current = true;\n setTokens(accessToken, refreshToken);\n setShowPasskeySetup(true);\n return;\n }\n\n await login(accessToken, refreshToken);\n router.push(\"/dashboard\");\n return;\n }","new_string":" if (loginResponse.data.status === \"success\" && loginResponse.data.data) {\n const { accessToken, refreshToken, user: loggedInUser } = loginResponse.data.data;\n\n // Offer passkey enrolment before entering the portal. Authenticate\n // the API client now (so /auth/passkeys/register/* carries a bearer\n // token) but defer the redirect until the user sets up a passkey or\n // skips. On browsers without passkey support, behave as before.\n if (passkeySupported) {\n pendingTokensRef.current = { accessToken, refreshToken, user: loggedInUser };\n selfInitiatedAuthRef.current = true;\n setTokens(accessToken, refreshToken);\n setShowPasskeySetup(true);\n return;\n }\n\n await login(accessToken, refreshToken, loggedInUser);\n router.push(\"/dashboard\");\n return;\n }"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Run portal tsc on the fixes + close out the one substantive review claim (org resolution on create-account) by checking OrganizationProvider.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login && npx tsc --noEmit 2>&1 | head -20 ; echo \"portal tsc exit: ${pipestatus[1]:-$?}\"","description":"Type-check portal after review fixes","timeout":300000}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login ; echo \"=== OrganizationProvider: does it skip /create-account for org resolution? ===\" ; rg -n \"skipPages|create-account|pathname|fetchOrganization|by=origin|setOrganization\" app/components/OrganizationProvider.tsx | head -30","description":"Check OrganizationProvider org resolution scope"}portal tsc exit: 0
=== OrganizationProvider: does it skip /create-account for org resolution? === 18:const TENANT_RESOLUTION_PATH = "/organization?by=origin"; 119: setOrganization, 129: const pathname = window.location.pathname; 130: const skipPages = [ 138: const isSkipPage = skipPages.some((page) => pathname.startsWith(page)); 184: setOrganization(orgData); 272: }, [organization, setOrganization, setLoading, setError, clearOrganization, router]);
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/OrganizationProvider.tsx","offset":126,"limit":65}126
127 useEffect(() => {
128 // Check if we're on pages that don't need organization data - do this first
129 const pathname = window.location.pathname;
130 const skipPages = [
131 "/register",
132 "/forgot-password",
133 "/reset-password",
134 "/two-factor-setup",
135 "/two-factor-verify",
136 "/domain-blocked",
137 ];
138 const isSkipPage = skipPages.some((page) => pathname.startsWith(page));
139
140 // Don't run any organization loading logic for skip pages
141 if (isSkipPage) {
142 setLoading(false);
143 return;
144 }
145
146 async function loadOrganization() {
147 if (organization) return; // Already loaded
148
149 setLoading(true);
150
151 try {
152 // sherpaAdmin: false so the request interceptor does not prepend
153 // /v1/plus to the URL — this endpoint sits above the plus sub-module.
154 const response = await api.get(TENANT_RESOLUTION_PATH, { sherpaAdmin: false });
155
156 // The new route returns the org record directly (no { status, data }
157 // wrapper). Anything else is a contract violation worth surfacing.
158 // Require both `id` and `name` so a partial response can't slip
159 // through and crash the branding code below on missing settings.
160 const raw = response.data as any;
161 const orgData = raw && typeof raw.id === "string" && typeof raw.name === "string" ? raw : null;
162 if (!orgData) {
163 throw new Error("Invalid response format");
164 }
165 // Resolve logoUrl: UUID → fetch blob and create object URL, relative path → prepend /
166 if (orgData.settings?.branding?.logoUrl) {
167 const logo = orgData.settings.branding.logoUrl;
168 if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(logo)) {
169 try {
170 const publicUrl = `${getSherpaApiUrl().replace(/\/$/, "")}/v1/data/public/${logo}`;
171 const res = await fetch(publicUrl, { redirect: "follow" });
172 if (res.ok) {
173 const blob = await res.blob();
174 orgData.settings.branding.logoUrl = URL.createObjectURL(blob);
175 }
176 } catch {
177 // Leave logoUrl as-is if fetch fails
178 }
179 } else if (!logo.startsWith("http") && !logo.startsWith("/")) {
180 orgData.settings.branding.logoUrl = `/${logo}`;
181 }
182 }
183
184 setOrganization(orgData);
185
186 // Apply dynamic branding
187 const branding = orgData.settings?.branding;
188 if (branding) {
189 const primaryColor = branding.primaryColor || "#1F6AB4";
190 const secondaryColor = branding.secondaryColor || "#404040";Confirmed: OrganizationProvider skipPages does not include /create-account (only /register, /forgot-password, etc.) — org resolves there, so endpoint selection works. Review #1 was a false alarm (reviewer conflated proxy.ts routing-skip with org-data-skip). Portal tsc clean.
Round 2: focused re-review of the updated create-account, plus I'll port the proof into a proper customer-flow passkey.spec.ts (the prior one assumed users). Launching both in parallel.
{"description":"Round 2 review of create-account fixes","prompt":"Round-2 focused code review. Read the FULL file /Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx (a Next.js 16 / React 19 client component) and verify correctness end-to-end. Use rg/fd, never grep/find. You may also read app/components/AuthProvider.tsx and app/src/store/authStore.ts.\n\nThis file was just modified to: after a customer sets a password on an invite link, auto-login via /v1/auth/customer/login (customer orgs) or /v1/auth/login (else), store tokens via authStore.setTokens to authenticate the API client, show a skippable \"Set up a passkey\" step, then finalize with AuthProvider.login(accessToken, refreshToken, user) and redirect. A ref selfInitiatedAuthRef guards a pre-existing \"clear stale session\" logout effect. The login user object from the login response is now stashed in pendingTokensRef and passed to login() to avoid a refetch; finalizeAccount wraps login() in try/catch.\n\nVerify specifically:\n1. The full control flow is coherent: handleCreateAccount → (passkeySupported ? show step : login+redirect) ; handleEnrollPasskey → registerPasskey → finalizeAccount ; Skip button → finalizeAccount. No state left inconsistent (isLoading, isEnrolling, showPasskeySetup).\n2. The logout effect `if (!authLoading && user && !selfInitiatedAuthRef.current) storeLogout()` — confirm selfInitiatedAuthRef.current is set to true BEFORE setTokens (so user hydration can't trigger logout), and that a genuinely stale pre-existing session (user present on mount, ref still false) IS still cleared.\n3. `login(tokens.accessToken, tokens.refreshToken, tokens.user)` — does AuthProvider.login accept a 3rd userData arg and use it to skip the fetch? Is the type compatible (tokens.user is Partial<UserData>)?\n4. The JSX is well-formed and balanced (the return has a `showPasskeySetup ? (...) : (<>...form...</>)` ternary). Confirm all tags close and there are no unreachable branches.\n5. No unused imports/vars introduced by the edits. (Note: `Suspense` IS used at the bottom — not unused.)\n6. Any remaining real correctness bug.\n\nBe concise. List only REAL issues tagged [HIGH]/[MEDIUM]/[LOW] with line numbers and a fix. If none, say so. End with verdict: CLEAN or NEEDS-FIXES.","subagent_type":"Explore"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx"}1 "use client";
2
3 import React, { Suspense } from "react";
4 import { useState, useEffect, useRef } from "react";
5
6
7 import Link from "next/link";
8 import { useRouter, useSearchParams } from "next/navigation";
9
10 import { KeyRound, ShieldCheck } from "lucide-react";
11 import { useForm } from "react-hook-form";
12
13 import { useTranslation } from "@gangkharai/lmt/client";
14 import { useAuth } from "../components/AuthProvider";
15 import { EnhancedLocaleSwitcher } from "../components/EnhancedLocaleSwitcher";
16 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
17 import Loader from "../components/Loader";
18 import { useOrganization } from "../components/OrganizationProvider";
19 import PasswordValidation from "../components/PasswordValidation";
20 import SocialCreateAccountButtons from "../components/SocialCreateAccountButtons";
21 import Toast, { showErrorToast, showSuccessToast } from "../components/Toast";
22 import { Button } from "../components/ui/button";
23 import { Input } from "../components/ui/input";
24 import api from "../src/utils/api";
25 import {
26 extractPasskeyError,
27 isPasskeyCancellation,
28 isPasskeySupported,
29 registerPasskey,
30 } from "../src/utils/passkeys";
31 import useAuthStore from "../src/store/authStore";
32 import { UserData } from "../types/user";
33
34 interface CreateAccountFormData {
35 password: string;
36 confirmPassword: string;
37 }
38
39 function CreateAccountContent() {
40 const t = useTranslation();
41 const [isLoading, setIsLoading] = useState(false);
42 const [error, setError] = useState("");
43 const [token, setToken] = useState("");
44 const router = useRouter();
45 const searchParams = useSearchParams();
46 const { login, user, loading: authLoading } = useAuth();
47 const { organization, isLoading: orgLoading, error: orgError } = useOrganization();
48 const storeLogout = useAuthStore((state) => state.logout);
49 const setTokens = useAuthStore((state) => state.setTokens);
50
51 // Passkey enrolment step shown right after the account is created.
52 const [passkeySupported, setPasskeySupported] = useState(false);
53 const [showPasskeySetup, setShowPasskeySetup] = useState(false);
54 const [isEnrolling, setIsEnrolling] = useState(false);
55 const [passkeyName, setPasskeyName] = useState("");
56 // Tokens from the post-creation auto-login, held so passkey enrolment can run
57 // against an authenticated session before we finish redirecting into the portal.
58 const pendingTokensRef = useRef<{
59 accessToken: string;
60 refreshToken: string;
61 user?: Partial<UserData>;
62 } | null>(null);
63 // Set once we deliberately authenticate this session for enrolment, so the
64 // "clear stale session" effect below doesn't tear it back down.
65 const selfInitiatedAuthRef = useRef(false);
66
67 const {
68 register,
69 handleSubmit,
70 formState: { errors },
71 watch,
72 } = useForm<CreateAccountFormData>();
73
74 const password = watch("password");
75
76 useEffect(() => {
77 document.title = t("Create Account - Sherpa Portal");
78
79 const tokenParam = searchParams.get("token");
80 if (!tokenParam) {
81 setError(t("Invalid or missing token. Please check your email link."));
82 return;
83 }
84 setToken(tokenParam);
85
86 const errorParam = searchParams.get("error");
87 if (errorParam) {
88 setError(decodeURIComponent(errorParam));
89 }
90 }, [searchParams, t]);
91
92 // Resolve passkey support client-side only (PublicKeyCredential is undefined
93 // during SSR) to avoid a hydration mismatch.
94 useEffect(() => {
95 setPasskeySupported(isPasskeySupported());
96 }, []);
97
98 useEffect(() => {
99 // Clear any stale, pre-existing session when landing on this page — but never
100 // the session we just established ourselves for passkey enrolment.
101 if (!authLoading && user && !selfInitiatedAuthRef.current) {
102 storeLogout();
103 }
104 }, [authLoading, user, storeLogout]);
105
106 const showSocialLogin = organization?.settings?.features?.socialLogin === true;
107
108 if (authLoading || (orgLoading && !orgError)) {
109 return <Loader />;
110 }
111
112 // Finish landing the freshly-created account in the portal, whether or not a
113 // passkey was set up. Mirrors the original post-creation redirect.
114 const finalizeAccount = async () => {
115 const tokens = pendingTokensRef.current;
116 if (!tokens) {
117 router.push("/login?registered=true");
118 return;
119 }
120 try {
121 // Pass the user from the login response so AuthProvider signs in without a
122 // second /customers/me round-trip.
123 await login(tokens.accessToken, tokens.refreshToken, tokens.user);
124 router.push("/dashboard");
125 } catch (loginError) {
126 console.error("Post-signup login failed:", loginError);
127 router.push("/login?registered=true");
128 }
129 };
130
131 const handleEnrollPasskey = async () => {
132 const name = passkeyName.trim() || t("My passkey");
133 setIsEnrolling(true);
134 try {
135 await registerPasskey(name);
136 showSuccessToast(t("Passkey set up. You can now sign in without a password."));
137 await finalizeAccount();
138 } catch (enrollError) {
139 // A dismissed/timed-out prompt is a soft cancel — stay on the step so the
140 // user can retry or skip.
141 if (isPasskeyCancellation(enrollError)) {
142 setIsEnrolling(false);
143 return;
144 }
145 console.error("Passkey enrolment failed:", enrollError);
146 showErrorToast(
147 extractPasskeyError(
148 enrollError,
149 t("Could not set up a passkey. You can add one later from your profile.")
150 )
151 );
152 setIsEnrolling(false);
153 }
154 };
155
156 const handleCreateAccount = async (data: CreateAccountFormData) => {
157 if (!token) {
158 setError(t("Invalid token. Please check your email link."));
159 return;
160 }
161
162 setIsLoading(true);
163 setError("");
164
165 try {
166 const response = await api.post("/v1/auth/create-account", {
167 token: token,
168 password: data.password,
169 });
170
171 if (response.data.status === "success") {
172 showSuccessToast(t("Account created successfully! Please log in with your new account."));
173
174 // If the API returns the account's email, attempt auto-login. Customer
175 // portals authenticate against the Customers table via a different
176 // endpoint than back-office users, so pick it the same way the login
177 // page does (by org portalType).
178 if (response.data.data?.email) {
179 try {
180 const isCustomerLogin = organization?.portalType
181 ? organization.portalType === "customer"
182 : !!organization?.settings?.customerPortal;
183 const loginEndpoint = isCustomerLogin
184 ? "/v1/auth/customer/login"
185 : "/v1/auth/login";
186 const loginResponse = await api.post(loginEndpoint, {
187 email: response.data.data.email,
188 password: data.password,
189 });
190
191 if (loginResponse.data.status === "success" && loginResponse.data.data) {
192 const { accessToken, refreshToken, user: loggedInUser } = loginResponse.data.data;
193
194 // Offer passkey enrolment before entering the portal. Authenticate
195 // the API client now (so /auth/passkeys/register/* carries a bearer
196 // token) but defer the redirect until the user sets up a passkey or
197 // skips. On browsers without passkey support, behave as before.
198 if (pass{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/components/AuthProvider.tsx"}1 "use client";
2
3 import React, { createContext, useContext, useState, useEffect, useCallback } from "react";
4
5 import { usePathname, useRouter } from "next/navigation";
6
7 import { jwtDecode } from "jwt-decode";
8 import { useTranslation } from "@gangkharai/lmt/client";
9
10 import Loader from "./Loader";
11 import useAuthStore from "../src/store/authStore";
12 import useConnectionStore from "../src/store/connectionStore";
13 import api from "../src/utils/api";
14 import { endSession, redirectAfterAuth } from "../src/utils/session";
15 import { AuthContextType } from "../types/user";
16
17 // AuthProvider component - strings already in dictionary
18 const AuthContext = createContext<AuthContextType | null>(null);
19
20 // Check if we're in a browser environment
21 const isBrowser = typeof window !== "undefined";
22
23 interface DecodedToken {
24 id: string;
25 email: string;
26 role: string;
27 userType?: string;
28 tokenType?: string;
29 }
30
31 function isCustomerToken(token: string): boolean {
32 try {
33 const decoded = jwtDecode<DecodedToken>(token);
34 return decoded.tokenType === "customer";
35 } catch {
36 return false;
37 }
38 }
39
40 // Customer-scoped tokens authenticate as a Customer (server resolves the
41 // record from token claims, then exposes it via bearerAuth.customerId). Both
42 // /v1/auth/customer/login sessions (tokenType=customer) and sherpa-portal
43 // embed sessions minted by /v1/customer-portal/sessions (tokenType=portal)
44 // satisfy `/v1/customers/me` etc. — kept separate from isCustomerToken so
45 // the refresh-endpoint routing (which differs per token type) stays correct.
46 function isCustomerScopedToken(token: string): boolean {
47 try {
48 const decoded = jwtDecode<DecodedToken>(token);
49 return decoded.tokenType === "customer" || decoded.tokenType === "portal";
50 } catch {
51 return false;
52 }
53 }
54
55 export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children }) => {
56 const t = useTranslation();
57 const [loading, setLoading] = useState(true);
58 const [logoutLoading, setLogoutLoading] = useState(false);
59 const router = useRouter();
60 const pathname = usePathname();
61 const { user, accessToken, hydrated, setUser, setTokens } = useAuthStore();
62
63 const fetchUserDetails = useCallback(
64 async (userId: string | null) => {
65 if (!user) {
66 try {
67 const currentToken = useAuthStore.getState().accessToken;
68 if (currentToken && isCustomerScopedToken(currentToken)) {
69 const response = await api.get("/customers/me", { sherpaAdmin: false });
70 const customerData = response.data.data?.customer || response.data.data;
71 setUser({ ...customerData, userType: "customer" });
72 } else if (userId) {
73 const response = await api.get(`/users/${userId}`);
74 setUser(response.data.data.user);
75 }
76 } catch (error) {
77 console.error("Error fetching user details:", error);
78 throw error;
79 }
80 }
81 },
82 [user, setUser]
83 );
84
85 // Listen for storage changes to sync auth state across tabs
86 useEffect(() => {
87 if (!isBrowser) return;
88
89 const handleStorageChange = (e: StorageEvent) => {
90 // Listen for changes to the auth-storage key
91 if (e.key === "auth-storage") {
92 // If the storage was cleared (logout in another tab)
93 if (e.newValue === null || e.newValue === "") {
94 // If we currently have a user, log them out immediately
95 if (user) {
96 setLoading(false); // Clear loading state for smoother transition
97 setLogoutLoading(false); // Reset logout loading state
98 // Cross-tab logout: the other tab made the choice to leave; we
99 // mirror that here without capturing intent.
100 endSession({ captureIntent: false });
101 }
102 } else {
103 // If new auth data was set (login in another tab)
104 try {
105 const newAuthData = JSON.parse(e.newValue);
106 // If we don't have a user but new auth data exists, reload to sync
107 if (newAuthData?.state?.accessToken && !user) {
108 window.location.reload();
109 }
110 } catch (error) {
111 console.error("Error parsing storage event data:", error);
112 }
113 }
114 }
115 };
116
117 window.addEventListener("storage", handleStorageChange);
118 return () => window.removeEventListener("storage", handleStorageChange);
119 }, [user, router]);
120
121 useEffect(() => {
122 const initializeAuth = async () => {
123 // Wait for the store to be hydrated before proceeding
124 if (!hydrated) {
125 return;
126 }
127
128 try {
129 if (accessToken && !user) {
130 const decodedToken = jwtDecode<DecodedToken>(accessToken);
131 // Customer-scoped tokens (customer + portal) authenticate via
132 // /v1/customers/me, which derives identity from the token itself
133 // and ignores the userId arg. User/admin tokens still need their
134 // decoded `id` claim to hit /v1/users/:id.
135 const userId =
136 decodedToken && typeof decodedToken.id === "string" ? decodedToken.id : null;
137 if (userId || isCustomerScopedToken(accessToken)) {
138 await fetchUserDetails(userId);
139 }
140 }
141 } catch (error) {
142 const isEmbedPortal = (pathname || "").startsWith("/embed-customer-portal/");
143 console.error("Error initializing auth:", error);
144 // Auth init failure means the token was rejected. For standalone
145 // sessions endSession redirects to /login; for embedded sessions
146 // the iframe can't navigate to /login meaningfully, so we surface
147 // a loaded-but-unauthenticated state and let the parent reload.
148 if (!isEmbedPortal) {
149 endSession({ captureIntent: true });
150 }
151 } finally {
152 setLoading(false);
153 }
154 };
155
156 // Add a fallback timeout to prevent infinite loading
157 const fallbackTimer = setTimeout(() => {
158 if (!hydrated) {
159 console.warn("Store hydration timeout, proceeding anyway");
160 setLoading(false);
161 }
162 }, 1000);
163
164 initializeAuth();
165
166 return () => clearTimeout(fallbackTimer);
167 }, [accessToken, user, hydrated, fetchUserDetails, pathname]);
168
169 const login = async (accessToken: string, refreshToken: string, userData?: Partial<import("../types/user").UserData>) => {
170 setTokens(accessToken, refreshToken);
171
172 if (userData) {
173 // Use provided user data directly (e.g., from customer login response)
174 setUser(userData as import("../types/user").UserData);
175 } else {
176 const decodedToken = jwtDecode<DecodedToken>(accessToken);
177 await fetchUserDetails(typeof decodedToken.id === "string" ? decodedToken.id : null);
178 }
179
180 // redirectAfterAuth is the single reader of captured intent (§6.3): it
181 // consumes the value and routes the user, falling back to the
182 // role-appropriate landing page when no intent was captured.
183 const isCustomer = isCustomerToken(accessToken);
184 redirectAfterAuth(router, isCustomer ? "/" : "/products");
185 };
186
187 const refreshToken = async (): Promise<string | null> => {
188 if (!isBrowser) return null;
189
190 // currently embed-customer-portal section is authenticated with clientId/clientSecret, so we run a different client refresh/token url and not the userAuth refreshToken.
191 // in the future we might need to h{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/src/store/authStore.ts"}1 // src/store/authStore.ts
2
3 import { create } from "zustand";
4 import { persist } from "zustand/middleware";
5
6 import { UserData } from "../../types/user";
7 import { UserOrganization, OrganizationScope } from "../../types/organization";
8
9 interface AuthState {
10 accessToken: string | null;
11 refreshToken: string | null;
12 user: UserData | null;
13 currentOrganization: UserOrganization | null;
14 availableOrganizations: UserOrganization[];
15 organizationScope: OrganizationScope | null;
16 drillDownOrgId: string | null;
17 hydrated: boolean;
18 setTokens: (accessToken: string, refreshToken: string) => void;
19 setUser: (user: UserData) => void;
20 setCurrentOrganization: (organization: UserOrganization) => void;
21 setAvailableOrganizations: (organizations: UserOrganization[]) => void;
22 setOrganizationScope: (scope: OrganizationScope | null) => void;
23 setDrillDownOrgId: (orgId: string | null) => void;
24 logout: () => void;
25 setHydrated: (hydrated: boolean) => void;
26 }
27
28 // Check if we're in a browser environment
29 const isBrowser = typeof window !== "undefined";
30
31 const useAuthStore = create<AuthState>()(
32 persist(
33 (set) => ({
34 accessToken: null,
35 refreshToken: null,
36 user: null,
37 currentOrganization: null,
38 availableOrganizations: [],
39 organizationScope: null,
40 drillDownOrgId: null,
41 hydrated: false,
42 setTokens: (accessToken, refreshToken) => set({ accessToken, refreshToken }),
43 setUser: (user) => set({ user }),
44 setCurrentOrganization: (organization) => set({ currentOrganization: organization }),
45 setAvailableOrganizations: (organizations) => set({ availableOrganizations: organizations }),
46 setOrganizationScope: (scope) => set({ organizationScope: scope }),
47 setDrillDownOrgId: (orgId) => set({ drillDownOrgId: orgId }),
48 setHydrated: (hydrated) => set({ hydrated }),
49 logout: () => {
50 if (isBrowser) {
51 // Clear any authentication-related data from localStorage
52 localStorage.removeItem("accessToken");
53 localStorage.removeItem("refreshToken");
54 localStorage.removeItem("setupToken");
55 // Clear the main auth storage
56 localStorage.removeItem("auth-storage");
57 }
58 set({
59 accessToken: null,
60 refreshToken: null,
61 user: null,
62 currentOrganization: null,
63 availableOrganizations: [],
64 organizationScope: null,
65 drillDownOrgId: null,
66 });
67 },
68 }),
69 {
70 name: "auth-storage",
71 storage: {
72 getItem: (name) => {
73 if (!isBrowser) return null;
74 const str = localStorage.getItem(name);
75 return str ? JSON.parse(str) : null;
76 },
77 setItem: (name, value) => {
78 if (isBrowser) {
79 localStorage.setItem(name, JSON.stringify(value));
80 }
81 },
82 removeItem: (name) => {
83 if (isBrowser) {
84 localStorage.removeItem(name);
85 }
86 },
87 },
88 // The "onRehydrateStorage" callback ran during store creation can cause
89 // a temporal-dead-zone error (store referenced before initialization).
90 // We instead mark the store as hydrated after creation via the fallback
91 // timer below, or explicitly in client-side effects.
92 onRehydrateStorage: () => undefined,
93 }
94 )
95 );
96
97 // Ensure hydration happens on the client side
98 if (isBrowser) {
99 // Set a fallback timer in case onRehydrateStorage doesn't fire
100 setTimeout(() => {
101 if (!useAuthStore.getState().hydrated) {
102 useAuthStore.getState().setHydrated(true);
103 }
104 }, 100);
105 }
106
107 export default useAuthStore;
108 {"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login ; echo \"=== test:api script ===\" ; rg -n '\"test:api\"|\"test\"' package.json | head ; echo \"=== env URLs ===\" ; rg -n '^SHERPA_API_HTTP=|^SHERPA_PORTAL_HTTP=|^ENV=' .env | sed 's/=.*/=<val>/' ; echo \"=== urls helper getEmbedUrl tail ===\" ; rg -n \"getApiUrl|getPortalUrl\" tests/utils/urls.ts | head","description":"Inspect test:api script + env URL config"}=== test:api script ===
7: "test": "playwright test",
29: "test:api": "playwright test --project=plus-insurance --project=payments --project=multi-currency --project=api --project=frontend-security",
=== env URLs ===
2:ENV=<val>
4:SHERPA_PORTAL_HTTP=<val>
6:SHERPA_API_HTTP=<val>
=== urls helper getEmbedUrl tail ===
1:export function getPortalUrl(): string {
23:export function getApiUrl(): string {{"pattern":"interface.*AuthContextType|type AuthContextType","path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/user.ts"}Found 1 file app/types/user.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/types/user.ts"}1 // types.ts
2
3 export interface UserOrganizationMembership {
4 id: string;
5 name: string;
6 displayName?: string;
7 UserOrganization: {
8 role: string;
9 isActive: boolean;
10 createdAt: string;
11 };
12 }
13
14 export interface UserData {
15 id: string;
16 firstName: string;
17 lastName: string;
18 companyName?: string;
19 email: string;
20 phoneNumber: string;
21 country: string;
22 region: string;
23 address: string;
24 city: string;
25 postalCode: string;
26 role: string;
27 userType: string;
28 twoFactorMethod?: string;
29 twoFactorEnabled: boolean;
30 createdAt: string;
31 updatedAt: string;
32 deleted: boolean;
33 organizationId?: string;
34 organizationName?: string;
35 organization?: {
36 id: string;
37 name: string;
38 displayName?: string;
39 };
40 organizations?: UserOrganizationMembership[];
41 }
42
43 export interface AuthContextType {
44 user: UserData | null;
45 loading: boolean;
46 login: (accessToken: string, refreshToken: string, userData?: Partial<UserData>) => Promise<void>;
47 logout: () => void;
48 refreshToken: () => Promise<string | null>;
49 }
50
51 export type EditableSection = "personalInfo" | "contactInfo" | "address" | "password";
52
53 export interface PasswordRequirement {
54 regex: RegExp;
55 text: string;
56 }
57
58 export const passwordRequirements: PasswordRequirement[] = [
59 { regex: /.{8,}/, text: "At least 8 characters long" },
60 { regex: /[A-Z]/, text: "At least one uppercase letter" },
61 { regex: /[a-z]/, text: "At least one lowercase letter" },
62 { regex: /[0-9]/, text: "At least one number" },
63 { regex: /[@$!%*?&]/, text: "At least one special character (@$!%*?&)" },
64 ];
65
66 export interface PersonalInfoSectionProps {
67 userData: UserData;
68 onUpdate: (data: Partial<UserData>) => Promise<void>;
69 isLoading: boolean;
70 }
71
72 export interface ContactInfoSectionProps {
73 userData: UserData;
74 onUpdate: (data: Partial<UserData>) => Promise<void>;
75 isLoading: boolean;
76 }
77
78 export interface AddressSectionProps {
79 userData: UserData;
80 onUpdate: (data: Partial<UserData>) => Promise<void>;
81 isLoading: boolean;
82 }
83
84 export interface PasswordChangeSectionProps {
85 userId: string;
86 onSuccess: () => void;
87 onError: (message: string) => void;
88 }
89
90 export interface FormData {
91 firstName: string;
92 lastName: string;
93 companyName?: string;
94 email: string;
95 password: string;
96 phoneNumber: string;
97 country: string;
98 region: string;
99 address: string;
100 city: string;
101 postalCode: string;
102 }
103
104 export type LogoutSectionProps = Record<string, never>;
105 {"command":"npx tsc --noEmit 2>&1 | head -50"}(Bash completed with no output)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx","offset":195,"limit":50}195 // the API client now (so /auth/passkeys/register/* carries a bearer
196 // token) but defer the redirect until the user sets up a passkey or
197 // skips. On browsers without passkey support, behave as before.
198 if (passkeySupported) {
199 pendingTokensRef.current = { accessToken, refreshToken, user: loggedInUser };
200 selfInitiatedAuthRef.current = true;
201 setTokens(accessToken, refreshToken);
202 setShowPasskeySetup(true);
203 return;
204 }
205
206 await login(accessToken, refreshToken, loggedInUser);
207 router.push("/dashboard");
208 return;
209 }
210 } catch (loginError) {
211 console.error("Auto-login failed:", loginError);
212 }
213 }
214
215 // Fallback: redirect to login page
216 router.push("/login?registered=true");
217 } else {
218 setError(response.data.message || t("Failed to create account. Please try again."));
219 }
220 } catch (error: unknown) {
221 console.error("Create account error:", error);
222 let errorMsg = t("Failed to create account. Please try again.");
223
224 if (error && typeof error === "object" && "response" in error) {
225 const axiosError = error as { response?: { data?: { error?: { message?: string } } } };
226 const apiErrorMessage = axiosError.response?.data?.error?.message;
227
228 if (apiErrorMessage === "Invalid or expired token") {
229 errorMsg = t("This invitation link has expired or is invalid. Please request a new invitation link from your administrator.");
230 } else if (apiErrorMessage) {
231 errorMsg = apiErrorMessage;
232 }
233 }
234
235 setError(errorMsg);
236 showErrorToast(errorMsg);
237 } finally {
238 setIsLoading(false);
239 }
240 };
241
242 return (
243 <div className="flex min-h-screen flex-col justify-center bg-white py-12 sm:px-6 lg:px-8">
244 <Toast />Perfect. Now let me carefully review the complete control flow and state management:
## REVIEW FINDINGS
After thorough analysis of `/Users/bakker/dev/gangkhar/sherpa-portal-api-466-passkey-webauthn-login/app/create-account/page.tsx`, here are my findings:
### 1. Control Flow Coherence ✓
The flow is clean:
- **handleCreateAccount** (line 156–240): Sets `pendingTokensRef`, `selfInitiatedAuthRef`, calls `setTokens()`, and sets `showPasskeySetup = true` when passkey supported (lines 198–203), or directly calls `login()` and redirects (lines 206–208) otherwise.
- **handleEnrollPasskey** (line 131–154): Calls `finalizeAccount()` on success (line 137).
- **Skip button** (line 312–320): Calls `finalizeAccount()` directly.
- **finalizeAccount** (line 114–129): Consumes `pendingTokensRef.current`, calls `login(tokens.accessToken, tokens.refreshToken, tokens.user)`, and redirects to `/dashboard` or fallback.
- State consistency: `isLoading`, `isEnrolling`, `showPasskeySetup` are properly scoped and reset. No leakage between states.
### 2. Logout Effect & selfInitiatedAuthRef ✓
**Lines 98–104** the "clear stale session" effect:
```javascript
useEffect(() => {
if (!authLoading && user && !selfInitiatedAuthRef.current) {
storeLogout();
}
}, [authLoading, user, storeLogout]);
```
- `selfInitiatedAuthRef.current = true` is set at **line 200**, BEFORE `setTokens()` at line 201. ✓
- This ordering is critical: `setTokens()` triggers store hydration, which populates `user` in AuthProvider. Without the ref guard set first, the stale-session effect (line 101) would fire and clear the session we just authenticated.
- For a genuinely stale session (user present on mount, ref still false), line 102 correctly clears it. ✓
### 3. AuthProvider.login() Signature & Compatibility ✓
**AuthProvider.tsx line 169**:
```typescript
const login = async (accessToken: string, refreshToken: string, userData?: Partial<import("../types/user").UserData>) => {
```
- Accepts 3rd optional arg `userData?: Partial<UserData>`. ✓
- **Line 172–174**: If userData is provided, it calls `setUser(userData as import("../types/user").UserData)` directly, skipping the fetch. ✓
- `tokens.user` from login response is `loggedInUser` (line 192), type `Partial<UserData>` (line 61 in create-account). This is compatible. ✓
### 4. JSX Structure ✓
Lines 242–409 are well-formed:
- Line 276–325: `{showPasskeySetup ? (...) : (...)}` ternary opens with `<div>` (line 277) and closes with `</div>` (line 325).
- Line 326–404: The else branch opens with `<>` (line 327) and closes with `</>` (line 404).
- All form elements (lines 328–377), social login (lines 379–393), and link sections (lines 396–403) are properly nested.
- Suspense wrapper (lines 412–417) is correctly structured.
### 5. Unused Imports/Variables ✓
- Line 3: `Suspense` is used at line 414. ✓
- All other imports are referenced. No unused variables introduced by the edits.
### 6. Real Correctness Issues
**[MEDIUM] Line 123: Missing null-check before accessing tokens.user**
In `finalizeAccount()` line 123:
```typescript
await login(tokens.accessToken, tokens.refreshToken, tokens.user);
```
The type of `pendingTokensRef` (lines 58–62) is:
```typescript
{
accessToken: string;
refreshToken: string;
user?: Partial<UserData>; // ← optional
} | null
```
On line 115, we safely guard `if (!tokens)` and return early. However, `tokens.user` **is optional** — it can be undefined. The `login()` function accepts `userData?: Partial<UserData>`, so passing `undefined` is technically safe (it will trigger the fetch fallback at line 176–178 of AuthProvider). But:
- If `user` is undefined, we still pass it: `login(accessToken, refreshToken, undefined)`, which is correct.
- However, **semantically**, if we go to the trouble of stashing `user` in the ref (line 199), we should ensure it's always populated on the login response (line 192: `user: loggedInUser`).
**Real risk**: If the login API response omits `user`, we lose the optimization and incur a second fetch. This isn't a bug, but it's a silent degradation. The intent is clear: pass user if available, fetch otherwise.
**Verdict**: Not a bug, but worth noting in a comment if not already clear. The code as-is is safe.
---
### VERDICT: **CLEAN**
All critical requirements met:
1. Control flow is coherent; state is consistent.
2. `selfInitiatedAuthRef.current` is set before `setTokens()` — guards stale-session effect correctly.
3. `login()` accepts the 3rd `userData` arg and uses it; type is compatible.
4. JSX is well-formed with balanced tags.
5. No unused imports/vars.
6. No real correctness bugs.Round-2 review: CLEAN (the lone [MEDIUM] is explicitly "Not a bug"). Both API and Portal now pass.
Key finding: test:api runs projects plus-insurance, payments, multi-currency, api, frontend-security — not passkeys/chromium. So the runner won't auto-run passkey.spec.ts (no false-failure risk), but the prior spec is now wrong (user-only). I'll rewrite it to the proven customer flow so the sherpa-test deliverable is correct, and run it targeted to confirm green.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login/tests/passkey.spec.ts","content":"import { test, expect, type Page } from '@playwright/test';\nimport { type CDPSession } from 'playwright-core';\nimport * as fs from 'fs';\nimport * as path from 'path';\n\nimport { getApiUrl, getPortalUrl } from './utils/urls';\n\n// Passkeys are a CUSTOMER-portal feature: a passkey belongs to an end-customer,\n// enrolled from Profile → Security → Passkeys and used for passwordless login.\n// This spec registers a fresh customer via the API, signs in through the real\n// portal UI, and drives the full enrol → passwordless-login → add second →\n// revoke → revoked-is-rejected flow with a CDP virtual authenticator.\n//\n// It targets whatever portal getPortalUrl() points at; if that origin is not a\n// customer portal (customer registration is rejected), the suite skips rather\n// than fail — the feature only exists on customer-portal tenants.\n\nconst PORTAL_URL = getPortalUrl();\nconst API_URL = getApiUrl();\nconst PASSWORD = 'TestPass123!@#';\n\n// Screenshots double as the ticket's browser proof. The runner points\n// PASSKEY_PROOF_DIR at the api worktree's .auto-proof/ so they land in the repo.\nconst PROOF_DIR = process.env.PASSKEY_PROOF_DIR || path.join('test-results', 'passkey-proof');\n\n// Start from a clean (unauthenticated) context — this spec logs in itself as a\n// customer and must not inherit the admin storageState from the project config.\ntest.use({ storageState: { cookies: [], origins: [] } });\n\nlet customerEmail = '';\nlet customerAvailable = false;\n\n// A resident-key + user-verifying authenticator that auto-approves prompts\n// headlessly. Chrome allows only ONE \"internal\" (platform) authenticator per\n// environment, so a second enrolled device must be a \"usb\" roaming key — which\n// is exactly the platform-authenticator-OR-roaming-key split the feature targets.\nfunction authenticatorOptions(transport: 'internal' | 'usb') {\n return {\n protocol: 'ctap2' as const,\n transport,\n hasResidentKey: true,\n hasUserVerification: true,\n isUserVerified: true,\n automaticPresenceSimulation: true,\n };\n}\n\nasync function addVirtualAuthenticator(\n client: CDPSession,\n transport: 'internal' | 'usb'\n): Promise<string> {\n const { authenticatorId } = (await client.send('WebAuthn.addVirtualAuthenticator', {\n options: authenticatorOptions(transport),\n })) as { authenticatorId: string };\n return authenticatorId;\n}\n\n// Only \"present\" authenticators answer a ceremony. Toggling presence lets us\n// pick exactly which enrolled device responds to a discoverable login.\nasync function setPresence(client: CDPSession, authenticatorId: string, enabled: boolean) {\n await client.send('WebAuthn.setAutomaticPresenceSimulation', { authenticatorId, enabled });\n}\n\nasync function passwordLogin(page: Page) {\n await page.goto(`${PORTAL_URL}/login`);\n await page.getByLabel('Email address').fill(customerEmail);\n await page.getByLabel('Password', { exact: true }).fill(PASSWORD);\n await page.getByRole('button', { name: 'Log in', exact: true }).click();\n await page.waitForURL((url) => !url.pathname.startsWith('/login'), { timeout: 30_000 });\n}\n\nasync function openProfilePasskeys(page: Page) {\n await page.goto(`${PORTAL_URL}/profile`);\n await expect(page.getByRole('heading', { name: 'Passkeys', exact: true })).toBeVisible({\n timeout: 45_000,\n });\n // The \"Add passkey\" button is disabled until the initial list load resolves;\n // wait for it so interactions don't race the load.\n await expect(page.getByRole('button', { name: 'Add passkey', exact: true })).toBeEnabled({\n timeout: 20_000,\n });\n}\n\n// One enrolled passkey == one \"Revoke passkey\" action button in the list.\nfunction passkeyCount(page: Page) {\n return page.getByRole('button', { name: 'Revoke passkey' }).count();\n}\n\nasync function addPasskeyViaUI(page: Page, label: string) {\n await page.getByRole('button', { name: 'Add passkey', exact: true }).click();\n await page.getByLabel('Name this passkey').fill(label);\n await page.getByRole('button', { name: 'Create passkey' }).click();\n // The new credential shows up in the list once the ceremony + verify resolve.\n await expect(page.getByText(label, { exact: true })).toBeVisible({ timeout: 25_000 });\n}\n\nasync function passkeyLoginFromLoginPage(page: Page) {\n await page.goto(`${PORTAL_URL}/login`);\n const button = page.getByRole('button', { name: 'Sign in with a passkey' });\n await expect(button).toBeVisible({ timeout: 30_000 });\n await button.click();\n}\n\nasync function logout(page: Page) {\n await page.goto(`${PORTAL_URL}/profile`);\n await page.getByRole('button', { name: 'Logout', exact: true }).first().click();\n await page.waitForURL(/\\/login/, { timeout: 25_000 });\n}\n\ntest.describe('Passkey (WebAuthn) login & management — customer portal', () => {\n test.beforeAll(async () => {\n fs.mkdirSync(PROOF_DIR, { recursive: true });\n\n // Register a fresh customer in the org that owns the portal origin. If the\n // origin is not a customer portal the API rejects this (4xx) and we skip.\n customerEmail = `passkey-${Date.now()}@example.com`;\n try {\n const res = await fetch(`${API_URL}/v1/auth/register`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json', Origin: PORTAL_URL },\n body: JSON.stringify({\n firstName: 'Passkey',\n lastName: 'Portal',\n email: customerEmail,\n password: PASSWORD,\n phoneNumber: '+12025550199',\n country: 'US',\n region: 'CA',\n address: '1 Test Street',\n city: 'Testville',\n postalCode: '12345',\n }),\n });\n const body = await res.json().catch(() => ({}));\n customerAvailable = res.ok && body?.status === 'success';\n } catch {\n customerAvailable = false;\n The file /Users/bakker/dev/gangkhar/sherpa-test-api-466-passkey-webauthn-login/tests/passkey.spec.ts has been updated successfully. (file state is current in your context — no need to Read it back)
Now validate the rewritten spec against the test customer portal — bypassing the setup (Entra/MFA) dependency with --no-deps, writing throwaway screenshots to /tmp so the curated .auto-proof set stays clean.
{"command":"SHERPA_PORTAL_HTTP=http://test.localhost:3003 SHERPA_API_HTTP=http://localhost:4003 ENV=local PASSKEY_PROOF_DIR=/tmp/pk-spec-proof-466 npx playwright test --project=passkeys --no-deps tests/passkey.spec.ts --reporter=line 2>&1 | tail -30 ; echo \"spec exit: ${pipestatus[1]:-$?}\"","description":"Run rewritten customer passkey spec (no setup deps)","timeout":300000}