bitwarden · iinuwa · Sep 24, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
@@ -0,0 +1,33 @@
+import Foundation
+
+extension Data {
+    public func base64UrlEncodedString(trimPadding: Bool? = true) -> String {
+        let shouldTrim = if trimPadding != nil { trimPadding! } else { true }
+        let encoded = base64EncodedString().replacingOccurrences(of: "+", with: "-").replacingOccurrences(of: "/", with: "_")
+        if shouldTrim {
+            return encoded.trimmingCharacters(in: CharacterSet(["="]))
+        } else {
+            return encoded
+        }
+    }
+
+    public init?(base64UrlEncoded str: String) {
+        self.init(base64Encoded: normalizeBase64Url(str))
+    }
+}
+
+private func normalizeBase64Url(_ str: String) -> String {
+    let hasPadding = str.last == "="
+    let padding = if !hasPadding {
+        switch str.count % 4 {
+        case 2: "=="
+        case 3: "="
+        default: ""
+        }
+    } else { "" }
+    return str
+        .replacingOccurrences(of: "-", with: "+")
+        .replacingOccurrences(of: "_", with: "/")
+    + padding
+}
+
@@ -0,0 +1,31 @@
+import Foundation
+import Networking
+
+struct SecretVerificationRequestModel: JSONRequestBody, Equatable {
+    static let encoder = JSONEncoder()
+
+    // MARK: Properties
+
+    let authRequestAccessCode: String?
+    let masterPasswordHash: String?
+    let otp: String?
+
+
+    init(passwordHash: String) {
+        authRequestAccessCode = nil
+        masterPasswordHash = passwordHash
+        otp = nil
+    }
+
+    init(otp: String) {
+        masterPasswordHash = nil
+        self.otp = otp
+        authRequestAccessCode = nil
+    }
+
+    init(accessCode: String) {
+        authRequestAccessCode = accessCode
+        masterPasswordHash = nil
+        otp = nil
+    }
+}
@@ -0,0 +1,48 @@
+import Foundation
+import Networking
+
+// MARK: - SaveCredentialRequestModel
+
+/// The request body for an answer login request request.
+///
+struct WebAuthnLoginSaveCredentialRequestModel: JSONRequestBody, Equatable {
+    static let encoder = JSONEncoder()
+
+    // MARK: Properties
+    // The response received from the authenticator.
+    // This contains all information needed for future authentication flows.
+    let deviceResponse: WebAuthnLoginAttestationResponseRequest
+
+    // Nickname chosen by the user to identify this credential
+    let name: String
+
+    // Token required by the server to complete the creation.
+    // It contains encrypted information that the server needs to verify the credential.
+    let token: String
+
+    // True if the credential was created with PRF support.
+    let supportsPrf: Bool
+
+    // Used for vault encryption. See {@link RotateableKeySet.encryptedUserKey }
+    let encryptedUserKey: String?
+
+    // Used for vault encryption. See {@link RotateableKeySet.encryptedPublicKey }
+    let encryptedPublicKey: String?
+
+    // Used for vault encryption. See {@link RotateableKeySet.encryptedPrivateKey }
+    let encryptedPrivateKey: String?
+}
+
+struct WebAuthnLoginAttestationResponseRequest: Encodable, Equatable {
+    let id: String
+    let rawId: String
+    let type: String
+    // let extensions: [String: Any]
+    let response: WebAuthnLoginAttestationResponseRequestInner
+}
+
+struct WebAuthnLoginAttestationResponseRequestInner: Encodable, Equatable {
+    let attestationObject: String
+    let clientDataJson: String
+
+}
@@ -0,0 +1,19 @@
+import Foundation
+import Networking
+
+struct WebAuthnLoginCredentialAssertionOptionsResponse: JSONResponse, Equatable, Sendable {
+    /// Options to be provided to the webauthn authenticator.
+    let options: PublicKeyCredentialAssertionOptions;
+
+    /// Contains an encrypted version of the {@link options}.
+    /// Used by the server to validate the attestation response of newly created credentials.
+    let token: String;
+}
+
+struct PublicKeyCredentialAssertionOptions: Codable, Equatable, Hashable {
+    let allowCredentials: [BwPublicKeyCredentialDescriptor]?
+    let challenge: String
+    let extensions: AuthenticationExtensionsClientInputs?
+    let rpId: String
+    let timeout: Int?
+}
@@ -0,0 +1,59 @@
+import Foundation
+import Networking
+
+struct WebAuthnLoginCredentialCreationOptionsResponse: JSONResponse, Equatable, Sendable {
+    /// Options to be provided to the webauthn authenticator.
+    let options: PublicKeyCredentialCreationOptions;
+
+    /// Contains an encrypted version of the {@link options}.
+    /// Used by the server to validate the attestation response of newly created credentials.
+    let token: String;
+}
+
+struct PublicKeyCredentialCreationOptions: Codable, Equatable, Hashable {
+    // attestation?: AttestationConveyancePreference
+    // let authenticatorSelection: AuthenticatorSelectionCriteria?
+    let challenge: String
+    let excludeCredentials: [BwPublicKeyCredentialDescriptor]?
+    let extensions: AuthenticationExtensionsClientInputs?
+    let pubKeyCredParams: [BwPublicKeyCredentialParameters]
+    let rp: BwPublicKeyCredentialRpEntity
+    let timeout: Int?
+    let user: BwPublicKeyCredentialUserEntity
+}
+
+
+struct AuthenticationExtensionsClientInputs: Codable, Equatable, Hashable {
+    let prf: AuthenticationExtensionsPRFInputs?
+}
+
+struct AuthenticationExtensionsPRFInputs: Codable, Equatable, Hashable {
+    let eval: AuthenticationExtensionsPRFValues?
+    let evalByCredential: [String: AuthenticationExtensionsPRFValues]?
+}
+
+struct AuthenticationExtensionsPRFValues: Codable, Equatable, Hashable {
+    let first: String
+    let second: String?
+}
+
+struct BwPublicKeyCredentialDescriptor: Codable, Equatable, Hashable {
+    let type: String
+    let id: String
+    // let transports: [String]?
+}
+
+struct BwPublicKeyCredentialParameters: Codable, Equatable, Hashable {
+    let type: String
+    let alg: Int
+}
+
+struct BwPublicKeyCredentialRpEntity: Codable, Equatable, Hashable {
+    let id: String
+    let name: String
+}
+
+struct BwPublicKeyCredentialUserEntity: Codable, Equatable, Hashable {
+    let id: String
+    let name: String
+}
@@ -20,6 +20,16 @@ protocol AuthAPIService {
     /// - Returns: The pending login request.
     ///
     func checkPendingLoginRequest(withId id: String, accessCode: String) async throws -> LoginRequest
+
+    /// Retrieves the parameters for creating a new WebAuthn credential.
+    ///  - Parameters:
+    ///    - request: The data needed to send the request.
+    func getCredentialCreationOptions(_ request: SecretVerificationRequestModel) async throws -> WebAuthnLoginCredentialCreationOptionsResponse
+
+    /// Retrieves the parameters for authenticating with a WebAuthn credential.
+    ///  - Parameters:
+    ///    - request: The data needed to send the request.
+    func getCredentialAssertionOptions(_ request: SecretVerificationRequestModel) async throws -> WebAuthnLoginCredentialAssertionOptionsResponse
 
     /// Performs the identity token request and returns the response.
     ///
@@ -83,6 +93,8 @@ protocol AuthAPIService {
     ///   - model: The data needed to send the request.
     ///
     func updateTrustedDeviceKeys(deviceIdentifier: String, model: TrustedDeviceKeysRequestModel) async throws
+
+    func saveCredential(_ model: WebAuthnLoginSaveCredentialRequestModel) async throws
 }
 
 extension APIService: AuthAPIService {
@@ -93,6 +105,14 @@ extension APIService: AuthAPIService {
     func checkPendingLoginRequest(withId id: String, accessCode: String) async throws -> LoginRequest {
         try await apiUnauthenticatedService.send(CheckLoginRequestRequest(accessCode: accessCode, id: id))
     }
+
+    func getCredentialCreationOptions(_ request: SecretVerificationRequestModel) async throws -> WebAuthnLoginCredentialCreationOptionsResponse {
+        try await apiService.send(WebAuthnLoginGetCredentialCreationOptionsRequest(requestModel: request))
+    }
+
+    func getCredentialAssertionOptions(_ request: SecretVerificationRequestModel) async throws -> WebAuthnLoginCredentialAssertionOptionsResponse {
+        try await apiService.send(WebAuthnLoginGetCredentialAssertionOptionsRequest(requestModel: request))
+    }
 
     func getIdentityToken(_ request: IdentityTokenRequestModel) async throws -> IdentityTokenResponseModel {
         try await identityService.send(IdentityTokenRequest(requestModel: request))
@@ -133,6 +153,10 @@ extension APIService: AuthAPIService {
         _ = try await apiUnauthenticatedService.send(ResendNewDeviceOtpRequest(model: model))
     }
 
+    func saveCredential(_ model: WebAuthnLoginSaveCredentialRequestModel) async throws {
+        _ = try await apiService.send(WebAuthnLoginSaveCredentialRequest(requestModel: model))
+    }
+
     func updateTrustedDeviceKeys(deviceIdentifier: String, model: TrustedDeviceKeysRequestModel) async throws {
         _ = try await apiService.send(TrustedDeviceKeysRequest(deviceIdentifier: deviceIdentifier, requestModel: model))
     }

@@ -0,0 +1,13 @@
+import Networking
+
+struct WebAuthnLoginGetCredentialAssertionOptionsRequest : Request {
+    typealias Response = WebAuthnLoginCredentialAssertionOptionsResponse
+
+    var body: SecretVerificationRequestModel? { requestModel }
+
+    var path: String { "/webauthn/assertion-options" }
+
+    var method: HTTPMethod { .post }
+
+    let requestModel: SecretVerificationRequestModel
+}
@@ -0,0 +1,13 @@
+import Networking
+
+struct WebAuthnLoginGetCredentialCreationOptionsRequest : Request {
+    typealias Response = WebAuthnLoginCredentialCreationOptionsResponse
+
+    var body: SecretVerificationRequestModel? { requestModel }
+
+    var path: String { "/webauthn/attestation-options" }
+
+    var method: HTTPMethod { .post }
+
+    let requestModel: SecretVerificationRequestModel
+}
@@ -0,0 +1,13 @@
+import Networking
+
+struct WebAuthnLoginSaveCredentialRequest : Request {
+    typealias Response = EmptyResponse
+
+    var body: WebAuthnLoginSaveCredentialRequestModel? { requestModel }
+
+    var path: String { "/webauthn" }
+
+    var method: HTTPMethod { .post }
+
+    let requestModel: WebAuthnLoginSaveCredentialRequestModel
+}
@@ -53,6 +53,9 @@ enum AuthError: Error {
 
     /// There was a problem generating the request to resend the email with new device otp.
     case unableToResendNewDeviceOtp
+
+    /// There was a problem generating the device passkey or PRF encryption key.
+    case unableToCreateDevicePasskey
 }
 
 // MARK: - LoginUnlockMethod
@@ -89,6 +92,9 @@ protocol AuthService {
     /// Check the status of the pending login request for the unauthenticated user.
     ///
     func checkPendingLoginRequest(withId id: String) async throws -> LoginRequest
+
+    /// Create device passkey with PRF encryption key.
+    func createDevicePasskey(masterPasswordHash: String) async throws
 
     /// Deny all the pending login requests.
     ///
@@ -241,6 +247,18 @@ extension AuthService {
     }
 }
 
+struct DevicePasskeyRecord: Decodable, Encodable {
+    let credId: String
+    let privKey: String
+    let prfSeed: String
+    let rpId: String
+    let rpName: String?
+    let userId: String?
+    let userName: String?
+    let userDisplayName: String?
+    let creationDate: DateTime
+}
+
 // MARK: - DefaultAuthService
 
 /// The default implementation of `AuthService`.
@@ -272,6 +290,9 @@ class DefaultAuthService: AuthService { // swiftlint:disable:this type_body_leng
     /// The store which makes credential identities available to the system for AutoFill suggestions.
     private let credentialIdentityStore: CredentialIdentityStore
 
+    /// The service used to create and assert the device passkey for logging into remote clients.
+    private let devicePasskeyService: DevicePasskeyService
+
     /// The service used by the application to manage the environment settings.
     private let environmentService: EnvironmentService
 
@@ -326,6 +347,7 @@ class DefaultAuthService: AuthService { // swiftlint:disable:this type_body_leng
     ///   - configService: The service to get server-specified configuration.
     ///   - credentialIdentityStore: The store which makes credential identities available to the
     ///     system for AutoFill suggestions.
+    ///   - devicePasskeyService: The service used to create and assert the device passkey for logging into remote clients.
     ///   - environmentService: The service used by the application to manage the environment settings.
     ///   - errorReporter: The service used by the application to report non-fatal errors.
     ///   - keychainRepository: The repository used to manages keychain items.
@@ -341,6 +363,7 @@ class DefaultAuthService: AuthService { // swiftlint:disable:this type_body_leng
         clientService: ClientService,
         configService: ConfigService,
         credentialIdentityStore: CredentialIdentityStore = ASCredentialIdentityStore.shared,
+        devicePasskeyService: DevicePasskeyService,
         environmentService: EnvironmentService,
         errorReporter: ErrorReporter,
         keychainRepository: KeychainRepository,
@@ -355,6 +378,7 @@ class DefaultAuthService: AuthService { // swiftlint:disable:this type_body_leng
         self.clientService = clientService
         self.configService = configService
         self.credentialIdentityStore = credentialIdentityStore
+        self.devicePasskeyService = devicePasskeyService
         self.environmentService = environmentService
         self.errorReporter = errorReporter
         self.keychainRepository = keychainRepository
@@ -589,7 +613,7 @@ class DefaultAuthService: AuthService { // swiftlint:disable:this type_body_leng
             email: username,
             masterPassword: masterPassword
         )
-
+        
         // Save the master password hash.
         try await saveMasterPasswordHash(password: masterPassword)
 
@@ -680,6 +704,11 @@ class DefaultAuthService: AuthService { // swiftlint:disable:this type_body_leng
 
         return false
     }
+
+    /// Create device passkey with PRF encryption key.
+    func createDevicePasskey(masterPasswordHash: String) async throws {
+        try await devicePasskeyService.createDevicePasskey(masterPasswordHash: masterPasswordHash)
+    }
 
     func loginWithSingleSignOn(code: String, email: String) async throws -> LoginUnlockMethod {
         // Get the identity token to log in to Bitwarden.