feat(webauthn): add event to validateUser to track authenticated users #287

Merged
merged 1 commit into from
Nov 15, 2024


@atinux atinux commented Nov 15, 2024

resolves #272

By giving the event as 2nd argument to validateUser(userBody, event), we can now check if the user is authenticated to check if the user.userName is part of the userSession.

Example:

import { z } from 'zod'

export default defineWebAuthnRegisterEventHandler({
  // optional
  async validateUser(userBody, event) {
    // bonus: check if the user is already authenticated to link a credential to his account
    // We first check if the user is already authenticated by getting the session
    // And verify that the email is the same as the one in session
    const session = await getUserSession(event)
    if (session.user?.email && session.user.email !== userBody.userName) {
      throw createError({ statusCode: 400, message: 'Email not matching current session' })
    }

    // If he registers a new account with credentials
    return z.object({
      // we want the userName to be a valid email
      userName: z.string().email() 
    }).parse(userBody)
  },
  // ...
})

On the frontend, we can give the email as part of the userName:

<script setup lang="ts">

const { user } = useUserSession()
const { register } = useWebAuthn()

async function registerPasskeyForUser() {
  register({ userName: user.value.email })
}
</script>
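
The session check described in this PR, modelled without Nuxt as an added example (it is not part of the PR or of nuxt-auth-utils). `resolveRegistration`, `storeCredential`, `ValidationError`, the email regex and the in-memory store are hypothetical stand-ins; the block also covers the anonymous case where the submitted userName already has an account.

```typescript
// Added example, not nuxt-auth-utils code. Every name below is hypothetical.
type SessionUser = { email?: string }
type Decision = { action: 'link' | 'register'; account: string }

class ValidationError extends Error {
  statusCode: number
  constructor(statusCode: number, message: string) {
    super(message)
    this.statusCode = statusCode
  }
}

// Assumption: a simple shape check standing in for the PR's z.string().email().
const EMAIL_SHAPE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/

// Decide which account a new passkey belongs to. sessionUser plays the role of
// session.user from getUserSession(event); userBody is the untrusted request body.
function resolveRegistration(
  sessionUser: SessionUser | undefined,
  userBody: { userName?: unknown },
): Decision {
  const userName = userBody.userName
  if (typeof userName !== 'string' || !EMAIL_SHAPE.test(userName)) {
    throw new ValidationError(400, 'userName must be a valid email')
  }
  const sessionEmail = sessionUser?.email
  if (sessionEmail && sessionEmail !== userName) {
    // Authenticated caller naming another account: refuse to link.
    throw new ValidationError(400, 'Email not matching current session')
  }
  // With a session, the account identity comes from the session, not the body.
  return sessionEmail
    ? { action: 'link', account: sessionEmail }
    : { action: 'register', account: userName }
}

// Constructed in-memory store: account email -> credential ids.
function storeCredential(store: Map<string, string[]>, decision: Decision, credentialId: string): void {
  if (decision.action === 'register' && store.has(decision.account)) {
    // Without a session, registration only creates accounts; it never extends one.
    throw new ValidationError(409, 'Account exists, sign in before adding a passkey')
  }
  store.set(decision.account, [...(store.get(decision.account) ?? []), credentialId])
}
```
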

pkg-pr-new bot commented Nov 15, 2024

pnpm add https://pkg.pr.new/atinux/nuxt-auth-utils@287

commit: 8eacfb3

@atinux atinux merged commit 5392da9 into main Nov 15, 2024
4 checks passed
Successfully merging this pull request may close these issues.

How do we link a passkey to an existing user? Since there's only register and authenticate methods