bitwarden · iinuwa · Sep 24, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
@@ -0,0 +1,33 @@
+import Foundation
+
+extension Data {
+    public func base64UrlEncodedString(trimPadding: Bool? = true) -> String {
+        let shouldTrim = if trimPadding != nil { trimPadding! } else { true }
+        let encoded = base64EncodedString().replacingOccurrences(of: "+", with: "-").replacingOccurrences(of: "/", with: "_")
+        if shouldTrim {
+            return encoded.trimmingCharacters(in: CharacterSet(["="]))
+        } else {
+            return encoded
+        }
+    }
+
+    public init?(base64UrlEncoded str: String) {
+        self.init(base64Encoded: normalizeBase64Url(str))
+    }
+}
+
+private func normalizeBase64Url(_ str: String) -> String {
+    let hasPadding = str.last == "="
+    let padding = if !hasPadding {
+        switch str.count % 4 {
+        case 2: "=="
+        case 3: "="
+        default: ""
+        }
+    } else { "" }
+    return str
+        .replacingOccurrences(of: "-", with: "+")
+        .replacingOccurrences(of: "_", with: "/")
+    + padding
+}
+
@@ -0,0 +1,31 @@
+import Foundation
+import Networking
+
+struct SecretVerificationRequestModel: JSONRequestBody, Equatable {
+    static let encoder = JSONEncoder()
+
+    // MARK: Properties
+
+    let authRequestAccessCode: String?
+    let masterPasswordHash: String?
+    let otp: String?
+
+
+    init(passwordHash: String) {
+        authRequestAccessCode = nil
+        masterPasswordHash = passwordHash
+        otp = nil
+    }
+
+    init(otp: String) {
+        masterPasswordHash = nil
+        self.otp = otp
+        authRequestAccessCode = nil
+    }
+
+    init(accessCode: String) {
+        authRequestAccessCode = accessCode
+        masterPasswordHash = nil
+        otp = nil
+    }
+}
@@ -0,0 +1,48 @@
+import Foundation
+import Networking
+
+// MARK: - SaveCredentialRequestModel
+
+/// The request body for an answer login request request.
+///
+struct WebAuthnLoginSaveCredentialRequestModel: JSONRequestBody, Equatable {
+    static let encoder = JSONEncoder()
+
+    // MARK: Properties
+    // The response received from the authenticator.
+    // This contains all information needed for future authentication flows.
+    let deviceResponse: WebAuthnLoginAttestationResponseRequest
+
+    // Nickname chosen by the user to identify this credential
+    let name: String
+
+    // Token required by the server to complete the creation.
+    // It contains encrypted information that the server needs to verify the credential.
+    let token: String
+
+    // True if the credential was created with PRF support.
+    let supportsPrf: Bool
+
+    // Used for vault encryption. See {@link RotateableKeySet.encryptedUserKey }
+    let encryptedUserKey: String?
+
+    // Used for vault encryption. See {@link RotateableKeySet.encryptedPublicKey }
+    let encryptedPublicKey: String?
+
+    // Used for vault encryption. See {@link RotateableKeySet.encryptedPrivateKey }
+    let encryptedPrivateKey: String?
+}
+
+struct WebAuthnLoginAttestationResponseRequest: Encodable, Equatable {
+    let id: String
+    let rawId: String
+    let type: String
+    // let extensions: [String: Any]
+    let response: WebAuthnLoginAttestationResponseRequestInner
+}
+
+struct WebAuthnLoginAttestationResponseRequestInner: Encodable, Equatable {
+    let attestationObject: String
+    let clientDataJson: String
+
+}
@@ -0,0 +1,19 @@
+import Foundation
+import Networking
+
+struct WebAuthnLoginCredentialAssertionOptionsResponse: JSONResponse, Equatable, Sendable {
+    /// Options to be provided to the webauthn authenticator.
+    let options: PublicKeyCredentialAssertionOptions;
+
+    /// Contains an encrypted version of the {@link options}.
+    /// Used by the server to validate the attestation response of newly created credentials.
+    let token: String;
+}
+
+struct PublicKeyCredentialAssertionOptions: Codable, Equatable, Hashable {
+    let allowCredentials: [BwPublicKeyCredentialDescriptor]?
+    let challenge: String
+    let extensions: AuthenticationExtensionsClientInputs?
+    let rpId: String
+    let timeout: Int?
+}
@@ -0,0 +1,59 @@
+import Foundation
+import Networking
+
+struct WebAuthnLoginCredentialCreationOptionsResponse: JSONResponse, Equatable, Sendable {
+    /// Options to be provided to the webauthn authenticator.
+    let options: PublicKeyCredentialCreationOptions;
+
+    /// Contains an encrypted version of the {@link options}.
+    /// Used by the server to validate the attestation response of newly created credentials.
+    let token: String;
+}
+
+struct PublicKeyCredentialCreationOptions: Codable, Equatable, Hashable {
+    // attestation?: AttestationConveyancePreference
+    // let authenticatorSelection: AuthenticatorSelectionCriteria?
+    let challenge: String
+    let excludeCredentials: [BwPublicKeyCredentialDescriptor]?
+    let extensions: AuthenticationExtensionsClientInputs?
+    let pubKeyCredParams: [BwPublicKeyCredentialParameters]
+    let rp: BwPublicKeyCredentialRpEntity
+    let timeout: Int?
+    let user: BwPublicKeyCredentialUserEntity
+}
+
+
+struct AuthenticationExtensionsClientInputs: Codable, Equatable, Hashable {
+    let prf: AuthenticationExtensionsPRFInputs?
+}
+
+struct AuthenticationExtensionsPRFInputs: Codable, Equatable, Hashable {
+    let eval: AuthenticationExtensionsPRFValues?
+    let evalByCredential: [String: AuthenticationExtensionsPRFValues]?
+}
+
+struct AuthenticationExtensionsPRFValues: Codable, Equatable, Hashable {
+    let first: String
+    let second: String?
+}
+
+struct BwPublicKeyCredentialDescriptor: Codable, Equatable, Hashable {
+    let type: String
+    let id: String
+    // let transports: [String]?
+}
+
+struct BwPublicKeyCredentialParameters: Codable, Equatable, Hashable {
+    let type: String
+    let alg: Int
+}
+
+struct BwPublicKeyCredentialRpEntity: Codable, Equatable, Hashable {
+    let id: String
+    let name: String
+}
+
+struct BwPublicKeyCredentialUserEntity: Codable, Equatable, Hashable {
+    let id: String
+    let name: String
+}
@@ -20,6 +20,16 @@ protocol AuthAPIService {
     /// - Returns: The pending login request.
     ///
     func checkPendingLoginRequest(withId id: String, accessCode: String) async throws -> LoginRequest
+
+    /// Retrieves the parameters for creating a new WebAuthn credential.
+    ///  - Parameters:
+    ///    - request: The data needed to send the request.
+    func getCredentialCreationOptions(_ request: SecretVerificationRequestModel) async throws -> WebAuthnLoginCredentialCreationOptionsResponse
+
+    /// Retrieves the parameters for authenticating with a WebAuthn credential.
+    ///  - Parameters:
+    ///    - request: The data needed to send the request.
+    func getCredentialAssertionOptions(_ request: SecretVerificationRequestModel) async throws -> WebAuthnLoginCredentialAssertionOptionsResponse
 
     /// Performs the identity token request and returns the response.
     ///
@@ -83,6 +93,8 @@ protocol AuthAPIService {
     ///   - model: The data needed to send the request.
     ///
     func updateTrustedDeviceKeys(deviceIdentifier: String, model: TrustedDeviceKeysRequestModel) async throws
+
+    func saveCredential(_ model: WebAuthnLoginSaveCredentialRequestModel) async throws
 }
 
 extension APIService: AuthAPIService {
@@ -93,6 +105,14 @@ extension APIService: AuthAPIService {
     func checkPendingLoginRequest(withId id: String, accessCode: String) async throws -> LoginRequest {
         try await apiUnauthenticatedService.send(CheckLoginRequestRequest(accessCode: accessCode, id: id))
     }
+
+    func getCredentialCreationOptions(_ request: SecretVerificationRequestModel) async throws -> WebAuthnLoginCredentialCreationOptionsResponse {
+        try await apiService.send(WebAuthnLoginGetCredentialCreationOptionsRequest(requestModel: request))
+    }
+
+    func getCredentialAssertionOptions(_ request: SecretVerificationRequestModel) async throws -> WebAuthnLoginCredentialAssertionOptionsResponse {
+        try await apiService.send(WebAuthnLoginGetCredentialAssertionOptionsRequest(requestModel: request))
+    }
 
     func getIdentityToken(_ request: IdentityTokenRequestModel) async throws -> IdentityTokenResponseModel {
         try await identityService.send(IdentityTokenRequest(requestModel: request))
@@ -133,6 +153,10 @@ extension APIService: AuthAPIService {
         _ = try await apiUnauthenticatedService.send(ResendNewDeviceOtpRequest(model: model))
     }
 
+    func saveCredential(_ model: WebAuthnLoginSaveCredentialRequestModel) async throws {
+        _ = try await apiService.send(WebAuthnLoginSaveCredentialRequest(requestModel: model))
+    }
+
     func updateTrustedDeviceKeys(deviceIdentifier: String, model: TrustedDeviceKeysRequestModel) async throws {
         _ = try await apiService.send(TrustedDeviceKeysRequest(deviceIdentifier: deviceIdentifier, requestModel: model))
     }

@@ -0,0 +1,13 @@
+import Networking
+
+struct WebAuthnLoginGetCredentialAssertionOptionsRequest : Request {
+    typealias Response = WebAuthnLoginCredentialAssertionOptionsResponse
+
+    var body: SecretVerificationRequestModel? { requestModel }
+
+    var path: String { "/webauthn/assertion-options" }
+
+    var method: HTTPMethod { .post }
+
+    let requestModel: SecretVerificationRequestModel
+}
@@ -0,0 +1,13 @@
+import Networking
+
+struct WebAuthnLoginGetCredentialCreationOptionsRequest : Request {
+    typealias Response = WebAuthnLoginCredentialCreationOptionsResponse
+
+    var body: SecretVerificationRequestModel? { requestModel }
+
+    var path: String { "/webauthn/attestation-options" }
+
+    var method: HTTPMethod { .post }
+
+    let requestModel: SecretVerificationRequestModel
+}
@@ -0,0 +1,13 @@
+import Networking
+
+struct WebAuthnLoginSaveCredentialRequest : Request {
+    typealias Response = EmptyResponse
+
+    var body: WebAuthnLoginSaveCredentialRequestModel? { requestModel }
+
+    var path: String { "/webauthn" }
+
+    var method: HTTPMethod { .post }
+
+    let requestModel: WebAuthnLoginSaveCredentialRequestModel
+}