Merge pull request #5 from helioauth/feature/app-id-authentication

Support authentication for signup flow

Author: vstanchev

docs/openapi/components/schemas/SignInStartResponse.yaml

@@ -10,6 +10,5 @@ properties:
   options:
     type: string
     description: >
-      JSON string representing the options argument that should be passed to `navigator.credentials.get(options)` if 
+      JSON object representing the options argument that should be passed to `navigator.credentials.get(options)` if 
       `accountExists` is `true` or to `navigator.credentials.create(options)` if `accountExists` is `false`.
-    x-field-extra-annotation: '@com.fasterxml.jackson.annotation.JsonRawValue'

docs/openapi/components/schemas/SignUpStartResponse.yaml

@@ -8,5 +8,4 @@ properties:
     description: Unique identifier for the sign-up request.
   options:
     type: string
-    description: Options to pass to `navigator.credentials.create()`
-    x-field-extra-annotation: '@com.fasterxml.jackson.annotation.JsonRawValue'
+    description: Options to pass to `navigator.credentials.create()` serialized in a JSON string

docs/openapi/openapi.yaml

@@ -77,3 +77,11 @@ components:
       type: apiKey
       name: X-Api-Key
       in: header
+    app-id:
+      type: apiKey
+      name: X-App-Id
+      in: header
+    app-api-key:
+      type: apiKey
+      name: X-Api-Key
+      in: header

docs/openapi/paths/v1_signin_finish.yaml

@@ -17,3 +17,5 @@ post:
         application/json:
           schema:
             $ref: ../components/schemas/SignInFinishResponse.yaml
+  security:
+    - app-api-key: []

docs/openapi/paths/v1_signin_start.yaml

@@ -21,3 +21,5 @@ post:
         application/json:
           schema:
             $ref: ../components/schemas/SignInStartResponse.yaml
+  security:
+    - app-id: []

docs/openapi/paths/v1_signup_finish.yaml

@@ -19,3 +19,5 @@ post:
         application/json:
           schema:
             $ref: ../components/schemas/SignUpFinishResponse.yaml
+  security:
+    - app-api-key: []

docs/openapi/paths/v1_signup_start.yaml

@@ -21,3 +21,5 @@ post:
         application/json:
           schema:
             $ref: ../components/schemas/SignUpStartResponse.yaml
+  security:
+    - app-id: []

…RequestHeaderAuthenticationProvider.java …auth/AdminApiAuthenticationProvider.javasrc/main/java/com/helioauth/passkeys/api/auth/RequestHeaderAuthenticationProvider.java renamed to src/main/java/com/helioauth/passkeys/api/auth/AdminApiAuthenticationProvider.java src/main/java/com/helioauth/passkeys/api/auth/RequestHeaderAuthenticationProvider.java renamed to src/main/java/com/helioauth/passkeys/api/auth/AdminApiAuthenticationProvider.java

@@ -33,7 +33,7 @@
  */
 @Service
 @RequiredArgsConstructor
-public class RequestHeaderAuthenticationProvider implements AuthenticationProvider {
+public class AdminApiAuthenticationProvider implements AuthenticationProvider {
 
     private final AdminConfigProperties adminConfigProperties;
 

src/main/java/com/helioauth/passkeys/api/auth/ApplicationApiKeyAuthenticationProvider.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.helioauth.passkeys.api.auth;
+
+import com.helioauth.passkeys.api.domain.ClientApplication;
+import com.helioauth.passkeys.api.domain.ClientApplicationRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.stereotype.Service;
+
+import java.util.List;
+
+@Service
+@RequiredArgsConstructor
+public class ApplicationApiKeyAuthenticationProvider implements AuthenticationProvider {
+
+    private final ClientApplicationRepository clientApplicationRepository;
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        String apiKeyHeader = (String) authentication.getPrincipal();
+        
+        if (apiKeyHeader == null || apiKeyHeader.isBlank()) {
+            throw new BadCredentialsException("Application API key header is missing or empty");
+        }
+        
+        ClientApplication clientApp = clientApplicationRepository.findByApiKey(apiKeyHeader)
+            .orElseThrow(() -> new BadCredentialsException("Invalid api key"));
+
+        PreAuthenticatedAuthenticationToken authenticatedToken = new PreAuthenticatedAuthenticationToken(
+            clientApp.getId(),
+            clientApp,
+            List.of(new SimpleGrantedAuthority("ROLE_APPLICATION"))
+        );
+        authenticatedToken.setDetails(clientApp);
+
+        return authenticatedToken;
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
+    }
+}

src/main/java/com/helioauth/passkeys/api/auth/ApplicationIdAuthenticationProvider.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.helioauth.passkeys.api.auth;
+
+import com.helioauth.passkeys.api.domain.ClientApplication;
+import com.helioauth.passkeys.api.domain.ClientApplicationRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.stereotype.Service;
+
+import java.util.List;
+import java.util.UUID;
+
+@Service
+@RequiredArgsConstructor
+public class ApplicationIdAuthenticationProvider implements AuthenticationProvider {
+
+    private final ClientApplicationRepository clientApplicationRepository;
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        String appIdHeader = (String) authentication.getPrincipal();
+        
+        if (appIdHeader == null || appIdHeader.isBlank()) {
+            throw new BadCredentialsException("Application ID header is missing or empty");
+        }
+        
+        try {
+            UUID appId = UUID.fromString(appIdHeader);
+            ClientApplication clientApp = clientApplicationRepository.findById(appId)
+                .orElseThrow(() -> new BadCredentialsException("Invalid application ID"));
+            
+            PreAuthenticatedAuthenticationToken authenticatedToken = new PreAuthenticatedAuthenticationToken(
+                clientApp.getId(),
+                clientApp,
+                List.of(new SimpleGrantedAuthority("ROLE_FRONTEND_APPLICATION"))
+            );
+            authenticatedToken.setDetails(clientApp);
+            
+            return authenticatedToken;
+        } catch (IllegalArgumentException e) {
+            throw new BadCredentialsException("Invalid application ID format");
+        }
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
+    }
+}