drop/server/api/v1/user/mfa/webauthn/start.post.ts

import aclManager from "~/server/internal/acls";
import prisma from "~/server/internal/db/database";
import sessionHandler from "~/server/internal/session";
import { generateRegistrationOptions } from "@simplewebauthn/server";
import { getRpId } from "~/server/internal/auth/webauthn";
import { type } from "arktype";
import { readDropValidatedBody, throwingArktype } from "~/server/arktype";

const CreatePasskey = type({
  name: "string",
}).configure(throwingArktype);

export default defineEventHandler(async (h3) => {
  const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
  if (!userId)
    throw createError({
      statusCode: 403,
      message: "Not signed in or superlevelled.",
    });

  const body = await readDropValidatedBody(h3, CreatePasskey);

  const user = await prisma.user.findUnique({
    where: { id: userId },
    select: { displayName: true, username: true },
  });
  if (!user)
    throw createError({
      statusCode: 500,
      message: "Session refers to non-existed user.",
    });

  const rpID = await getRpId();

  const registrationOptions = await generateRegistrationOptions({
    rpID,
    rpName: "Drop",
    userName: user.username,
    attestationType: "none",
    authenticatorSelection: {
      requireResidentKey: true,
      residentKey: "required",
      userVerification: "preferred",
    },
  });

  await sessionHandler.setSessionDataKey(
    h3,
    "webauthn/options",
    JSON.stringify(registrationOptions),
  );

  await sessionHandler.setSessionDataKey(h3, "webauthn/passkeyname", body.name);

  return registrationOptions;
});