feat(reception): add passport device authentication flows and alert delivery management

2026-04-20 10:26:22 +00:00
parent 3cd7499f3f
commit 6044928c70
26 changed files with 2943 additions and 4 deletions
@@ -3,6 +3,9 @@ export type TActivityAction =
  | 'logout'
  | 'session_created'
  | 'session_revoked'
+  | 'passport_device_enrolled'
+  | 'passport_device_revoked'
+  | 'passport_challenge_approved'
  | 'org_created'
  | 'org_joined'
  | 'org_left'
@@ -0,0 +1,35 @@
+export type TAlertSeverity = 'low' | 'medium' | 'high' | 'critical';
+
+export type TAlertStatus = 'pending' | 'seen' | 'dismissed';
+
+export type TAlertCategory = 'security' | 'admin' | 'system';
+
+export type TAlertNotificationStatus = 'pending' | 'sent' | 'failed' | 'seen';
+
+export interface IAlert {
+  id: string;
+  data: {
+    recipientUserId: string;
+    organizationId?: string;
+    category: TAlertCategory;
+    eventType: string;
+    severity: TAlertSeverity;
+    title: string;
+    body: string;
+    actorUserId?: string;
+    relatedEntityId?: string;
+    relatedEntityType?: string;
+    notification: {
+      hintId: string;
+      status: TAlertNotificationStatus;
+      attemptCount: number;
+      createdAt: number;
+      deliveredAt?: number | null;
+      seenAt?: number | null;
+      lastError?: string | null;
+    };
+    createdAt: number;
+    seenAt?: number | null;
+    dismissedAt?: number | null;
+  };
+}
@@ -0,0 +1,22 @@
+import type { TAlertSeverity } from './alert.js';
+
+export type TAlertRuleScope = 'global' | 'organization';
+
+export type TAlertRuleRecipientMode = 'global_admins' | 'org_admins' | 'specific_users';
+
+export interface IAlertRule {
+  id: string;
+  data: {
+    scope: TAlertRuleScope;
+    organizationId?: string;
+    eventType: string;
+    minimumSeverity: TAlertSeverity;
+    recipientMode: TAlertRuleRecipientMode;
+    recipientUserIds?: string[];
+    push: boolean;
+    enabled: boolean;
+    createdByUserId: string;
+    createdAt: number;
+    updatedAt: number;
+  };
+}
@@ -1,5 +1,7 @@
 export * from './abusewindow.js';
 export * from './activity.js';
+export * from './alert.js';
+export * from './alertrule.js';
 export * from './app.js';
 export * from './emailactiontoken.js';
 export * from './oidc.js';
@@ -10,6 +12,9 @@ export * from './jwt.js';
 export * from './loginsession.js';
 export * from './organization.js';
 export * from './paddlecheckoutdata.js';
+export * from './passportchallenge.js';
+export * from './passportdevice.js';
+export * from './passportnonce.js';
 export * from './registrationsession.js';
 export * from './role.js';
 export * from './user.js';
@@ -0,0 +1,63 @@
+import type { IPassportCapabilities } from './passportdevice.js';
+
+export type TPassportChallengeType =
+  | 'device_enrollment'
+  | 'authentication'
+  | 'step_up'
+  | 'physical_access';
+
+export type TPassportChallengeStatus = 'pending' | 'approved' | 'expired' | 'rejected';
+
+export type TPassportChallengeDeliveryStatus = 'pending' | 'sent' | 'failed' | 'seen';
+
+export type TPassportSignatureFormat = 'raw' | 'der';
+
+export interface IPassportLocationEvidence {
+  latitude: number;
+  longitude: number;
+  accuracyMeters: number;
+  capturedAt: number;
+}
+
+export interface IPassportNfcEvidence {
+  tagId?: string;
+  readerId?: string;
+}
+
+export interface IPassportChallenge {
+  id: string;
+  data: {
+    userId: string;
+    deviceId?: string | null;
+    type: TPassportChallengeType;
+    status: TPassportChallengeStatus;
+    tokenHash?: string | null;
+    challenge: string;
+    metadata: {
+      originHost?: string;
+      audience?: string;
+      notificationTitle?: string;
+      deviceLabel?: string;
+      requireLocation: boolean;
+      requireNfc: boolean;
+      requestedCapabilities?: Partial<IPassportCapabilities>;
+    };
+    evidence?: {
+      signatureFormat?: TPassportSignatureFormat;
+      location?: IPassportLocationEvidence;
+      nfc?: IPassportNfcEvidence;
+    };
+    notification?: {
+      hintId: string;
+      status: TPassportChallengeDeliveryStatus;
+      attemptCount: number;
+      createdAt: number;
+      deliveredAt?: number | null;
+      seenAt?: number | null;
+      lastError?: string | null;
+    };
+    createdAt: number;
+    expiresAt: number;
+    completedAt?: number | null;
+  };
+}
@@ -0,0 +1,46 @@
+export type TPassportDevicePlatform =
+  | 'ios'
+  | 'ipados'
+  | 'macos'
+  | 'watchos'
+  | 'android'
+  | 'web'
+  | 'unknown';
+
+export type TPassportDeviceStatus = 'active' | 'revoked';
+
+export type TPassportPushProvider = 'apns';
+
+export type TPassportPushEnvironment = 'development' | 'production';
+
+export interface IPassportCapabilities {
+  gps: boolean;
+  nfc: boolean;
+  push: boolean;
+}
+
+export interface IPassportDevice {
+  id: string;
+  data: {
+    userId: string;
+    label: string;
+    platform: TPassportDevicePlatform;
+    status: TPassportDeviceStatus;
+    publicKeyAlgorithm: 'p256';
+    publicKeyX963Base64: string;
+    capabilities: IPassportCapabilities;
+    pushRegistration?: {
+      provider: TPassportPushProvider;
+      token: string;
+      topic: string;
+      environment: TPassportPushEnvironment;
+      registeredAt: number;
+      lastDeliveredAt?: number;
+      lastError?: string;
+    };
+    appVersion?: string;
+    createdAt: number;
+    lastSeenAt?: number;
+    lastChallengeAt?: number;
+  };
+}
@@ -0,0 +1,9 @@
+export interface IPassportNonce {
+  id: string;
+  data: {
+    deviceId: string;
+    nonceHash: string;
+    createdAt: number;
+    expiresAt: number;
+  };
+}