fix: passkey login (#1067)

## Description

Fixed issue where passkeys do not work on https deployments.

apps/web/src/app/(dashboard)/admin/documents/[id]/page.tsx

@@ -14,6 +14,7 @@ import { LocaleDate } from '~/components/formatter/locale-date';
 
 import { AdminActions } from './admin-actions';
 import { RecipientItem } from './recipient-item';
+import { SuperDeleteDocumentDialog } from './super-delete-document-dialog';
 
 type AdminDocumentDetailsPageProps = {
   params: {
@@ -81,6 +82,10 @@ export default async function AdminDocumentDetailsPage({ params }: AdminDocument
           ))}
         </Accordion>
       </div>
+
+      <hr className="my-4" />
+
+      {document && <SuperDeleteDocumentDialog document={document} />}
     </div>
   );
 }

apps/web/src/app/(dashboard)/admin/documents/[id]/super-delete-document-dialog.tsx

@@ -0,0 +1,130 @@
+'use client';
+
+import { useState } from 'react';
+
+import { useRouter } from 'next/navigation';
+
+import type { Document } from '@documenso/prisma/client';
+import { TRPCClientError } from '@documenso/trpc/client';
+import { trpc } from '@documenso/trpc/react';
+import { Alert, AlertDescription, AlertTitle } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+} from '@documenso/ui/primitives/dialog';
+import { Input } from '@documenso/ui/primitives/input';
+import { useToast } from '@documenso/ui/primitives/use-toast';
+
+export type SuperDeleteDocumentDialogProps = {
+  document: Document;
+};
+
+export const SuperDeleteDocumentDialog = ({ document }: SuperDeleteDocumentDialogProps) => {
+  const { toast } = useToast();
+  const router = useRouter();
+
+  const [reason, setReason] = useState('');
+
+  const { mutateAsync: deleteDocument, isLoading: isDeletingDocument } =
+    trpc.admin.deleteDocument.useMutation();
+
+  const handleDeleteDocument = async () => {
+    try {
+      if (!reason) {
+        return;
+      }
+
+      await deleteDocument({ id: document.id, reason });
+
+      toast({
+        title: 'Document deleted',
+        description: 'The Document has been deleted successfully.',
+        duration: 5000,
+      });
+
+      router.push('/admin/documents');
+    } catch (err) {
+      if (err instanceof TRPCClientError && err.data?.code === 'BAD_REQUEST') {
+        toast({
+          title: 'An error occurred',
+          description: err.message,
+          variant: 'destructive',
+        });
+      } else {
+        toast({
+          title: 'An unknown error occurred',
+          variant: 'destructive',
+          description:
+            err.message ??
+            'We encountered an unknown error while attempting to delete your document. Please try again later.',
+        });
+      }
+    }
+  };
+
+  return (
+    <div>
+      <div>
+        <Alert
+          className="flex flex-col items-center justify-between gap-4 p-6 md:flex-row "
+          variant="neutral"
+        >
+          <div>
+            <AlertTitle>Delete Document</AlertTitle>
+            <AlertDescription className="mr-2">
+              Delete the document. This action is irreversible so proceed with caution.
+            </AlertDescription>
+          </div>
+
+          <div className="flex-shrink-0">
+            <Dialog>
+              <DialogTrigger asChild>
+                <Button variant="destructive">Delete Document</Button>
+              </DialogTrigger>
+
+              <DialogContent>
+                <DialogHeader className="space-y-4">
+                  <DialogTitle>Delete Document</DialogTitle>
+
+                  <Alert variant="destructive">
+                    <AlertDescription className="selection:bg-red-100">
+                      This action is not reversible. Please be certain.
+                    </AlertDescription>
+                  </Alert>
+                </DialogHeader>
+
+                <div>
+                  <DialogDescription>To confirm, please enter the reason</DialogDescription>
+
+                  <Input
+                    className="mt-2"
+                    type="text"
+                    value={reason}
+                    onChange={(e) => setReason(e.target.value)}
+                  />
+                </div>
+
+                <DialogFooter>
+                  <Button
+                    onClick={handleDeleteDocument}
+                    loading={isDeletingDocument}
+                    variant="destructive"
+                    disabled={!reason}
+                  >
+                    {isDeletingDocument ? 'Deleting document...' : 'Delete Document'}
+                  </Button>
+                </DialogFooter>
+              </DialogContent>
+            </Dialog>
+          </div>
+        </Alert>
+      </div>
+    </div>
+  );
+};

apps/web/src/app/(dashboard)/settings/security/passkeys/create-passkey-dialog.tsx

@@ -38,7 +38,6 @@ import { useToast } from '@documenso/ui/primitives/use-toast';
 
 export type CreatePasskeyDialogProps = {
   trigger?: React.ReactNode;
-  onSuccess?: () => void;
 } & Omit<DialogPrimitive.DialogProps, 'children'>;
 
 const ZCreatePasskeyFormSchema = z.object({
@@ -49,7 +48,7 @@ type TCreatePasskeyFormSchema = z.infer<typeof ZCreatePasskeyFormSchema>;
 
 const parser = new UAParser();
 
-export const CreatePasskeyDialog = ({ trigger, onSuccess, ...props }: CreatePasskeyDialogProps) => {
+export const CreatePasskeyDialog = ({ trigger, ...props }: CreatePasskeyDialogProps) => {
   const [open, setOpen] = useState(false);
   const [formError, setFormError] = useState<string | null>(null);
 
@@ -85,7 +84,6 @@ export const CreatePasskeyDialog = ({ trigger, onSuccess, ...props }: CreatePass
         duration: 5000,
       });
 
-      onSuccess?.();
       setOpen(false);
     } catch (err) {
       if (err.name === 'NotAllowedError') {

apps/web/src/app/(signing)/sign/[token]/document-action-auth-2fa.tsx

@@ -1,172 +0,0 @@
-import { useEffect, useState } from 'react';
-
-import { zodResolver } from '@hookform/resolvers/zod';
-import { useForm } from 'react-hook-form';
-import { z } from 'zod';
-
-import { AppError } from '@documenso/lib/errors/app-error';
-import { DocumentAuth, type TRecipientActionAuth } from '@documenso/lib/types/document-auth';
-import { RecipientRole } from '@documenso/prisma/client';
-import { Alert, AlertDescription, AlertTitle } from '@documenso/ui/primitives/alert';
-import { Button } from '@documenso/ui/primitives/button';
-import { DialogFooter } from '@documenso/ui/primitives/dialog';
-import {
-  Form,
-  FormControl,
-  FormField,
-  FormItem,
-  FormLabel,
-  FormMessage,
-} from '@documenso/ui/primitives/form/form';
-import { Input } from '@documenso/ui/primitives/input';
-
-import { EnableAuthenticatorAppDialog } from '~/components/forms/2fa/enable-authenticator-app-dialog';
-
-import { useRequiredDocumentAuthContext } from './document-auth-provider';
-
-export type DocumentActionAuth2FAProps = {
-  actionTarget?: 'FIELD' | 'DOCUMENT';
-  actionVerb?: string;
-  open: boolean;
-  onOpenChange: (value: boolean) => void;
-  onReauthFormSubmit: (values?: TRecipientActionAuth) => Promise<void> | void;
-};
-
-const Z2FAAuthFormSchema = z.object({
-  token: z
-    .string()
-    .min(4, { message: 'Token must at least 4 characters long' })
-    .max(10, { message: 'Token must be at most 10 characters long' }),
-});
-
-type T2FAAuthFormSchema = z.infer<typeof Z2FAAuthFormSchema>;
-
-export const DocumentActionAuth2FA = ({
-  actionTarget = 'FIELD',
-  actionVerb = 'sign',
-  onReauthFormSubmit,
-  open,
-  onOpenChange,
-}: DocumentActionAuth2FAProps) => {
-  const { recipient, user, isCurrentlyAuthenticating, setIsCurrentlyAuthenticating } =
-    useRequiredDocumentAuthContext();
-
-  const form = useForm<T2FAAuthFormSchema>({
-    resolver: zodResolver(Z2FAAuthFormSchema),
-    defaultValues: {
-      token: '',
-    },
-  });
-
-  const [is2FASetupSuccessful, setIs2FASetupSuccessful] = useState(false);
-  const [formErrorCode, setFormErrorCode] = useState<string | null>(null);
-
-  const onFormSubmit = async ({ token }: T2FAAuthFormSchema) => {
-    try {
-      setIsCurrentlyAuthenticating(true);
-
-      await onReauthFormSubmit({
-        type: DocumentAuth.TWO_FACTOR_AUTH,
-        token,
-      });
-
-      setIsCurrentlyAuthenticating(false);
-
-      onOpenChange(false);
-    } catch (err) {
-      setIsCurrentlyAuthenticating(false);
-
-      const error = AppError.parseError(err);
-      setFormErrorCode(error.code);
-
-      // Todo: Alert.
-    }
-  };
-
-  useEffect(() => {
-    form.reset({
-      token: '',
-    });
-
-    setIs2FASetupSuccessful(false);
-    setFormErrorCode(null);
-
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [open]);
-
-  if (!user?.twoFactorEnabled && !is2FASetupSuccessful) {
-    return (
-      <div className="space-y-4">
-        <Alert variant="warning">
-          <AlertDescription>
-            <p>
-              {recipient.role === RecipientRole.VIEWER && actionTarget === 'DOCUMENT'
-                ? 'You need to setup 2FA to mark this document as viewed.'
-                : `You need to setup 2FA to ${actionVerb.toLowerCase()} this ${actionTarget.toLowerCase()}.`}
-            </p>
-
-            {user?.identityProvider === 'DOCUMENSO' && (
-              <p className="mt-2">
-                By enabling 2FA, you will be required to enter a code from your authenticator app
-                every time you sign in.
-              </p>
-            )}
-          </AlertDescription>
-        </Alert>
-
-        <DialogFooter>
-          <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-            Close
-          </Button>
-
-          <EnableAuthenticatorAppDialog onSuccess={() => setIs2FASetupSuccessful(true)} />
-        </DialogFooter>
-      </div>
-    );
-  }
-
-  return (
-    <Form {...form}>
-      <form onSubmit={form.handleSubmit(onFormSubmit)}>
-        <fieldset disabled={isCurrentlyAuthenticating}>
-          <div className="space-y-4">
-            <FormField
-              control={form.control}
-              name="token"
-              render={({ field }) => (
-                <FormItem>
-                  <FormLabel required>2FA token</FormLabel>
-
-                  <FormControl>
-                    <Input {...field} placeholder="Token" />
-                  </FormControl>
-
-                  <FormMessage />
-                </FormItem>
-              )}
-            />
-
-            {formErrorCode && (
-              <Alert variant="destructive">
-                <AlertTitle>Unauthorized</AlertTitle>
-                <AlertDescription>
-                  We were unable to verify your details. Please try again or contact support
-                </AlertDescription>
-              </Alert>
-            )}
-
-            <DialogFooter>
-              <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-                Cancel
-              </Button>
-
-              <Button type="submit" loading={isCurrentlyAuthenticating}>
-                Sign
-              </Button>
-            </DialogFooter>
-          </div>
-        </fieldset>
-      </form>
-    </Form>
-  );
-};

apps/web/src/app/(signing)/sign/[token]/document-action-auth-account.tsx

@@ -1,79 +0,0 @@
-import { useState } from 'react';
-
-import { DateTime } from 'luxon';
-import { signOut } from 'next-auth/react';
-
-import { RecipientRole } from '@documenso/prisma/client';
-import { trpc } from '@documenso/trpc/react';
-import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
-import { Button } from '@documenso/ui/primitives/button';
-import { DialogFooter } from '@documenso/ui/primitives/dialog';
-
-import { useRequiredDocumentAuthContext } from './document-auth-provider';
-
-export type DocumentActionAuthAccountProps = {
-  actionTarget?: 'FIELD' | 'DOCUMENT';
-  actionVerb?: string;
-  onOpenChange: (value: boolean) => void;
-};
-
-export const DocumentActionAuthAccount = ({
-  actionTarget = 'FIELD',
-  actionVerb = 'sign',
-  onOpenChange,
-}: DocumentActionAuthAccountProps) => {
-  const { recipient } = useRequiredDocumentAuthContext();
-
-  const [isSigningOut, setIsSigningOut] = useState(false);
-
-  const { mutateAsync: encryptSecondaryData } = trpc.crypto.encryptSecondaryData.useMutation();
-
-  const handleChangeAccount = async (email: string) => {
-    try {
-      setIsSigningOut(true);
-
-      const encryptedEmail = await encryptSecondaryData({
-        data: email,
-        expiresAt: DateTime.now().plus({ days: 1 }).toMillis(),
-      });
-
-      await signOut({
-        callbackUrl: `/signin?email=${encodeURIComponent(encryptedEmail)}`,
-      });
-    } catch {
-      setIsSigningOut(false);
-
-      // Todo: Alert.
-    }
-  };
-
-  return (
-    <fieldset disabled={isSigningOut} className="space-y-4">
-      <Alert variant="warning">
-        <AlertDescription>
-          {actionTarget === 'DOCUMENT' && recipient.role === RecipientRole.VIEWER ? (
-            <span>
-              To mark this document as viewed, you need to be logged in as{' '}
-              <strong>{recipient.email}</strong>
-            </span>
-          ) : (
-            <span>
-              To {actionVerb.toLowerCase()} this {actionTarget.toLowerCase()}, you need to be logged
-              in as <strong>{recipient.email}</strong>
-            </span>
-          )}
-        </AlertDescription>
-      </Alert>
-
-      <DialogFooter>
-        <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-          Cancel
-        </Button>
-
-        <Button onClick={async () => handleChangeAccount(recipient.email)} loading={isSigningOut}>
-          Login
-        </Button>
-      </DialogFooter>
-    </fieldset>
-  );
-};

apps/web/src/app/(signing)/sign/[token]/document-action-auth-dialog.tsx

@@ -1,4 +1,13 @@
-import { P, match } from 'ts-pattern';
+/**
+ * Note: This file has some commented out stuff for password auth which is no longer possible.
+ *
+ * Leaving it here until after we add passkeys and 2FA since it can be reused.
+ */
+import { useState } from 'react';
+
+import { DateTime } from 'luxon';
+import { signOut } from 'next-auth/react';
+import { match } from 'ts-pattern';
 
 import {
   DocumentAuth,
@@ -6,17 +15,18 @@ import {
   type TRecipientActionAuthTypes,
 } from '@documenso/lib/types/document-auth';
 import type { FieldType } from '@documenso/prisma/client';
+import { trpc } from '@documenso/trpc/react';
+import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
+import { Button } from '@documenso/ui/primitives/button';
 import {
   Dialog,
   DialogContent,
   DialogDescription,
+  DialogFooter,
   DialogHeader,
   DialogTitle,
 } from '@documenso/ui/primitives/dialog';
 
-import { DocumentActionAuth2FA } from './document-action-auth-2fa';
-import { DocumentActionAuthAccount } from './document-action-auth-account';
-import { DocumentActionAuthPasskey } from './document-action-auth-passkey';
 import { useRequiredDocumentAuthContext } from './document-auth-provider';
 
 export type DocumentActionAuthDialogProps = {
@@ -24,6 +34,7 @@ export type DocumentActionAuthDialogProps = {
   documentAuthType: TRecipientActionAuthTypes;
   description?: string;
   actionTarget: FieldType | 'DOCUMENT';
+  isSubmitting?: boolean;
   open: boolean;
   onOpenChange: (value: boolean) => void;
 
@@ -33,24 +44,96 @@ export type DocumentActionAuthDialogProps = {
   onReauthFormSubmit: (values?: TRecipientActionAuth) => Promise<void> | void;
 };
 
+// const ZReauthFormSchema = z.object({
+//   password: ZCurrentPasswordSchema,
+// });
+// type TReauthFormSchema = z.infer<typeof ZReauthFormSchema>;
+
 export const DocumentActionAuthDialog = ({
   title,
   description,
   documentAuthType,
+  // onReauthFormSubmit,
+  isSubmitting,
   open,
   onOpenChange,
-  onReauthFormSubmit,
 }: DocumentActionAuthDialogProps) => {
-  const { recipient, user, isCurrentlyAuthenticating } = useRequiredDocumentAuthContext();
+  const { recipient } = useRequiredDocumentAuthContext();
+
+  // const form = useForm({
+  //   resolver: zodResolver(ZReauthFormSchema),
+  //   defaultValues: {
+  //     password: '',
+  //   },
+  // });
+
+  const [isSigningOut, setIsSigningOut] = useState(false);
+
+  const isLoading = isSigningOut || isSubmitting; // || form.formState.isSubmitting;
+
+  const { mutateAsync: encryptSecondaryData } = trpc.crypto.encryptSecondaryData.useMutation();
+
+  // const [formErrorCode, setFormErrorCode] = useState<string | null>(null);
+  // const onFormSubmit = async (_values: TReauthFormSchema) => {
+  //   const documentAuthValue: TRecipientActionAuth = match(documentAuthType)
+  //     // Todo: Add passkey.
+  //     // .with(DocumentAuthType.PASSKEY, (type) => ({
+  //     //   type,
+  //     //   value,
+  //     // }))
+  //     .otherwise((type) => ({
+  //       type,
+  //     }));
+
+  //   try {
+  //     await onReauthFormSubmit(documentAuthValue);
+
+  //     onOpenChange(false);
+  //   } catch (e) {
+  //     const error = AppError.parseError(e);
+  //     setFormErrorCode(error.code);
+
+  //     // Suppress unauthorized errors since it's handled in this component.
+  //     if (error.code === AppErrorCode.UNAUTHORIZED) {
+  //       return;
+  //     }
+
+  //     throw error;
+  //   }
+  // };
+
+  const handleChangeAccount = async (email: string) => {
+    try {
+      setIsSigningOut(true);
+
+      const encryptedEmail = await encryptSecondaryData({
+        data: email,
+        expiresAt: DateTime.now().plus({ days: 1 }).toMillis(),
+      });
+
+      await signOut({
+        callbackUrl: `/signin?email=${encodeURIComponent(encryptedEmail)}`,
+      });
+    } catch {
+      setIsSigningOut(false);
+
+      // Todo: Alert.
+    }
+  };
 
   const handleOnOpenChange = (value: boolean) => {
-    if (isCurrentlyAuthenticating) {
+    if (isLoading) {
       return;
     }
 
     onOpenChange(value);
   };
 
+  // useEffect(() => {
+  //   form.reset();
+  //   setFormErrorCode(null);
+  // }, [open, form]);
+
   return (
     <Dialog open={open} onOpenChange={handleOnOpenChange}>
       <DialogContent>
@@ -58,32 +141,100 @@ export const DocumentActionAuthDialog = ({
           <DialogTitle>{title || 'Sign field'}</DialogTitle>
 
           <DialogDescription>
-            {description || 'Reauthentication is required to sign this field'}
+            {description || `Reauthentication is required to sign the field`}
           </DialogDescription>
         </DialogHeader>
 
-        {match({ documentAuthType, user })
-          .with(
-            { documentAuthType: DocumentAuth.ACCOUNT },
-            { user: P.when((user) => !user || user.email !== recipient.email) }, // Assume all current auth methods requires them to be logged in.
-            () => <DocumentActionAuthAccount onOpenChange={onOpenChange} />,
-          )
-          .with({ documentAuthType: DocumentAuth.PASSKEY }, () => (
-            <DocumentActionAuthPasskey
-              open={open}
-              onOpenChange={onOpenChange}
-              onReauthFormSubmit={onReauthFormSubmit}
-            />
+        {match(documentAuthType)
+          .with(DocumentAuth.ACCOUNT, () => (
+            <fieldset disabled={isSigningOut} className="space-y-4">
+              <Alert>
+                <AlertDescription>
+                  To sign this field, you need to be logged in as <strong>{recipient.email}</strong>
+                </AlertDescription>
+              </Alert>
+
+              <DialogFooter>
+                <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+                  Cancel
+                </Button>
+
+                <Button
+                  type="submit"
+                  onClick={async () => handleChangeAccount(recipient.email)}
+                  loading={isSigningOut}
+                >
+                  Login
+                </Button>
+              </DialogFooter>
+            </fieldset>
           ))
-          .with({ documentAuthType: DocumentAuth.TWO_FACTOR_AUTH }, () => (
-            <DocumentActionAuth2FA
-              open={open}
-              onOpenChange={onOpenChange}
-              onReauthFormSubmit={onReauthFormSubmit}
-            />
-          ))
-          .with({ documentAuthType: DocumentAuth.EXPLICIT_NONE }, () => null)
+          .with(DocumentAuth.EXPLICIT_NONE, () => null)
           .exhaustive()}
+
+        {/* <Form {...form}>
+            <form onSubmit={form.handleSubmit(onFormSubmit)}>
+              <fieldset className="flex h-full flex-col space-y-4" disabled={isLoading}>
+                <FormItem>
+                  <FormLabel required>Email</FormLabel>
+
+                  <FormControl>
+                    <Input className="bg-background" value={recipient.email} disabled />
+                  </FormControl>
+                </FormItem>
+
+                <FormField
+                  control={form.control}
+                  name="password"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel required>Password</FormLabel>
+
+                      <FormControl>
+                        <PasswordInput className="bg-background" {...field} />
+                      </FormControl>
+
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+
+                {formErrorCode && (
+                  <Alert variant="destructive">
+                    {match(formErrorCode)
+                      .with(AppErrorCode.UNAUTHORIZED, () => (
+                        <>
+                          <AlertTitle>Unauthorized</AlertTitle>
+                          <AlertDescription>
+                            We were unable to verify your details. Please ensure the details are
+                            correct
+                          </AlertDescription>
+                        </>
+                      ))
+                      .otherwise(() => (
+                        <>
+                          <AlertTitle>Something went wrong</AlertTitle>
+                          <AlertDescription>
+                            We were unable to sign this field at this time. Please try again or
+                            contact support.
+                          </AlertDescription>
+                        </>
+                      ))}
+                  </Alert>
+                )}
+
+                <DialogFooter>
+                  <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+                    Cancel
+                  </Button>
+
+                  <Button type="submit" loading={isLoading}>
+                    Sign field
+                  </Button>
+                </DialogFooter>
+              </fieldset>
+            </form>
+          </Form> */}
       </DialogContent>
     </Dialog>
   );

apps/web/src/app/(signing)/sign/[token]/document-action-auth-passkey.tsx

@@ -1,252 +0,0 @@
-import { useEffect, useState } from 'react';
-
-import { zodResolver } from '@hookform/resolvers/zod';
-import { browserSupportsWebAuthn, startAuthentication } from '@simplewebauthn/browser';
-import { Loader } from 'lucide-react';
-import { useForm } from 'react-hook-form';
-import { z } from 'zod';
-
-import { AppError } from '@documenso/lib/errors/app-error';
-import { DocumentAuth, type TRecipientActionAuth } from '@documenso/lib/types/document-auth';
-import { RecipientRole } from '@documenso/prisma/client';
-import { trpc } from '@documenso/trpc/react';
-import { Alert, AlertDescription, AlertTitle } from '@documenso/ui/primitives/alert';
-import { Button } from '@documenso/ui/primitives/button';
-import { DialogFooter } from '@documenso/ui/primitives/dialog';
-import {
-  Form,
-  FormControl,
-  FormField,
-  FormItem,
-  FormLabel,
-  FormMessage,
-} from '@documenso/ui/primitives/form/form';
-import {
-  Select,
-  SelectContent,
-  SelectItem,
-  SelectTrigger,
-  SelectValue,
-} from '@documenso/ui/primitives/select';
-
-import { CreatePasskeyDialog } from '~/app/(dashboard)/settings/security/passkeys/create-passkey-dialog';
-
-import { useRequiredDocumentAuthContext } from './document-auth-provider';
-
-export type DocumentActionAuthPasskeyProps = {
-  actionTarget?: 'FIELD' | 'DOCUMENT';
-  actionVerb?: string;
-  open: boolean;
-  onOpenChange: (value: boolean) => void;
-  onReauthFormSubmit: (values?: TRecipientActionAuth) => Promise<void> | void;
-};
-
-const ZPasskeyAuthFormSchema = z.object({
-  passkeyId: z.string(),
-});
-
-type TPasskeyAuthFormSchema = z.infer<typeof ZPasskeyAuthFormSchema>;
-
-export const DocumentActionAuthPasskey = ({
-  actionTarget = 'FIELD',
-  actionVerb = 'sign',
-  onReauthFormSubmit,
-  open,
-  onOpenChange,
-}: DocumentActionAuthPasskeyProps) => {
-  const {
-    recipient,
-    passkeyData,
-    preferredPasskeyId,
-    setPreferredPasskeyId,
-    isCurrentlyAuthenticating,
-    setIsCurrentlyAuthenticating,
-    refetchPasskeys,
-  } = useRequiredDocumentAuthContext();
-
-  const form = useForm<TPasskeyAuthFormSchema>({
-    resolver: zodResolver(ZPasskeyAuthFormSchema),
-    defaultValues: {
-      passkeyId: preferredPasskeyId || '',
-    },
-  });
-
-  const { mutateAsync: createPasskeyAuthenticationOptions } =
-    trpc.auth.createPasskeyAuthenticationOptions.useMutation();
-
-  const [formErrorCode, setFormErrorCode] = useState<string | null>(null);
-
-  const onFormSubmit = async ({ passkeyId }: TPasskeyAuthFormSchema) => {
-    try {
-      setPreferredPasskeyId(passkeyId);
-      setIsCurrentlyAuthenticating(true);
-
-      const { options, tokenReference } = await createPasskeyAuthenticationOptions({
-        preferredPasskeyId: passkeyId,
-      });
-
-      const authenticationResponse = await startAuthentication(options);
-
-      await onReauthFormSubmit({
-        type: DocumentAuth.PASSKEY,
-        authenticationResponse,
-        tokenReference,
-      });
-
-      setIsCurrentlyAuthenticating(false);
-
-      onOpenChange(false);
-    } catch (err) {
-      setIsCurrentlyAuthenticating(false);
-
-      if (err.name === 'NotAllowedError') {
-        return;
-      }
-
-      const error = AppError.parseError(err);
-      setFormErrorCode(error.code);
-
-      // Todo: Alert.
-    }
-  };
-
-  useEffect(() => {
-    form.reset({
-      passkeyId: preferredPasskeyId || '',
-    });
-
-    setFormErrorCode(null);
-  }, [open, form, preferredPasskeyId]);
-
-  if (!browserSupportsWebAuthn()) {
-    return (
-      <div className="space-y-4">
-        <Alert variant="warning">
-          <AlertDescription>
-            Your browser does not support passkeys, which is required to {actionVerb.toLowerCase()}{' '}
-            this {actionTarget.toLowerCase()}.
-          </AlertDescription>
-        </Alert>
-
-        <DialogFooter>
-          <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-            Close
-          </Button>
-        </DialogFooter>
-      </div>
-    );
-  }
-
-  if (passkeyData.isInitialLoading || (passkeyData.isError && passkeyData.passkeys.length === 0)) {
-    return (
-      <div className="flex h-28 items-center justify-center">
-        <Loader className="text-muted-foreground h-6 w-6 animate-spin" />
-      </div>
-    );
-  }
-
-  if (passkeyData.isError) {
-    return (
-      <div className="h-28 space-y-4">
-        <Alert variant="destructive">
-          <AlertDescription>Something went wrong while loading your passkeys.</AlertDescription>
-        </Alert>
-
-        <DialogFooter>
-          <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-            Cancel
-          </Button>
-
-          <Button type="button" onClick={() => void refetchPasskeys()}>
-            Retry
-          </Button>
-        </DialogFooter>
-      </div>
-    );
-  }
-
-  if (passkeyData.passkeys.length === 0) {
-    return (
-      <div className="space-y-4">
-        <Alert variant="warning">
-          <AlertDescription>
-            {recipient.role === RecipientRole.VIEWER && actionTarget === 'DOCUMENT'
-              ? 'You need to setup a passkey to mark this document as viewed.'
-              : `You need to setup a passkey to ${actionVerb.toLowerCase()} this ${actionTarget.toLowerCase()}.`}
-          </AlertDescription>
-        </Alert>
-
-        <DialogFooter>
-          <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-            Cancel
-          </Button>
-
-          <CreatePasskeyDialog
-            onSuccess={async () => refetchPasskeys()}
-            trigger={<Button>Setup</Button>}
-          />
-        </DialogFooter>
-      </div>
-    );
-  }
-
-  return (
-    <Form {...form}>
-      <form onSubmit={form.handleSubmit(onFormSubmit)}>
-        <fieldset disabled={isCurrentlyAuthenticating}>
-          <div className="space-y-4">
-            <FormField
-              control={form.control}
-              name="passkeyId"
-              render={({ field }) => (
-                <FormItem>
-                  <FormLabel required>Passkey</FormLabel>
-
-                  <FormControl>
-                    <Select {...field} onValueChange={field.onChange}>
-                      <SelectTrigger className="bg-background text-muted-foreground">
-                        <SelectValue
-                          data-testid="documentAccessSelectValue"
-                          placeholder="Select passkey"
-                        />
-                      </SelectTrigger>
-
-                      <SelectContent position="popper">
-                        {passkeyData.passkeys.map((passkey) => (
-                          <SelectItem key={passkey.id} value={passkey.id}>
-                            {passkey.name}
-                          </SelectItem>
-                        ))}
-                      </SelectContent>
-                    </Select>
-                  </FormControl>
-
-                  <FormMessage />
-                </FormItem>
-              )}
-            />
-
-            {formErrorCode && (
-              <Alert variant="destructive">
-                <AlertTitle>Unauthorized</AlertTitle>
-                <AlertDescription>
-                  We were unable to verify your details. Please try again or contact support
-                </AlertDescription>
-              </Alert>
-            )}
-
-            <DialogFooter>
-              <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-                Cancel
-              </Button>
-
-              <Button type="submit" loading={isCurrentlyAuthenticating}>
-                Sign
-              </Button>
-            </DialogFooter>
-          </div>
-        </fieldset>
-      </form>
-    </Form>
-  );
-};

apps/web/src/app/(signing)/sign/[token]/document-auth-provider.tsx

@@ -1,10 +1,10 @@
 'use client';
 
-import { createContext, useContext, useEffect, useMemo, useState } from 'react';
+import { createContext, useContext, useMemo, useState } from 'react';
 
 import { match } from 'ts-pattern';
 
-import { MAXIMUM_PASSKEYS } from '@documenso/lib/constants/auth';
+import { DOCUMENT_AUTH_TYPES } from '@documenso/lib/constants/document-auth';
 import type {
   TDocumentAuthOptions,
   TRecipientAccessAuthTypes,
@@ -13,25 +13,11 @@ import type {
 } from '@documenso/lib/types/document-auth';
 import { DocumentAuth } from '@documenso/lib/types/document-auth';
 import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
-import {
-  type Document,
-  FieldType,
-  type Passkey,
-  type Recipient,
-  type User,
-} from '@documenso/prisma/client';
-import { trpc } from '@documenso/trpc/react';
+import { type Document, FieldType, type Recipient, type User } from '@documenso/prisma/client';
 
 import type { DocumentActionAuthDialogProps } from './document-action-auth-dialog';
 import { DocumentActionAuthDialog } from './document-action-auth-dialog';
 
-type PasskeyData = {
-  passkeys: Omit<Passkey, 'credentialId' | 'credentialPublicKey'>[];
-  isInitialLoading: boolean;
-  isRefetching: boolean;
-  isError: boolean;
-};
-
 export type DocumentAuthContextValue = {
   executeActionAuthProcedure: (_value: ExecuteActionAuthProcedureOptions) => Promise<void>;
   document: Document;
@@ -43,13 +29,7 @@ export type DocumentAuthContextValue = {
   derivedRecipientAccessAuth: TRecipientAccessAuthTypes | null;
   derivedRecipientActionAuth: TRecipientActionAuthTypes | null;
   isAuthRedirectRequired: boolean;
-  isCurrentlyAuthenticating: boolean;
-  setIsCurrentlyAuthenticating: (_value: boolean) => void;
-  passkeyData: PasskeyData;
-  preferredPasskeyId: string | null;
-  setPreferredPasskeyId: (_value: string | null) => void;
   user?: User | null;
-  refetchPasskeys: () => Promise<void>;
 };
 
 const DocumentAuthContext = createContext<DocumentAuthContextValue | null>(null);
@@ -84,9 +64,6 @@ export const DocumentAuthProvider = ({
   const [document, setDocument] = useState(initialDocument);
   const [recipient, setRecipient] = useState(initialRecipient);
 
-  const [isCurrentlyAuthenticating, setIsCurrentlyAuthenticating] = useState(false);
-  const [preferredPasskeyId, setPreferredPasskeyId] = useState<string | null>(null);
-
   const {
     documentAuthOption,
     recipientAuthOption,
@@ -101,23 +78,6 @@ export const DocumentAuthProvider = ({
     [document, recipient],
   );
 
-  const passkeyQuery = trpc.auth.findPasskeys.useQuery(
-    {
-      perPage: MAXIMUM_PASSKEYS,
-    },
-    {
-      keepPreviousData: true,
-      enabled: derivedRecipientActionAuth === DocumentAuth.PASSKEY,
-    },
-  );
-
-  const passkeyData: PasskeyData = {
-    passkeys: passkeyQuery.data?.data || [],
-    isInitialLoading: passkeyQuery.isInitialLoading,
-    isRefetching: passkeyQuery.isRefetching,
-    isError: passkeyQuery.isError,
-  };
-
   const [documentAuthDialogPayload, setDocumentAuthDialogPayload] =
     useState<ExecuteActionAuthProcedureOptions | null>(null);
 
@@ -141,7 +101,7 @@ export const DocumentAuthProvider = ({
     .with(DocumentAuth.EXPLICIT_NONE, () => ({
       type: DocumentAuth.EXPLICIT_NONE,
     }))
-    .with(DocumentAuth.PASSKEY, DocumentAuth.TWO_FACTOR_AUTH, null, () => null)
+    .with(null, () => null)
     .exhaustive();
 
   const executeActionAuthProcedure = async (options: ExecuteActionAuthProcedureOptions) => {
@@ -164,27 +124,11 @@ export const DocumentAuthProvider = ({
     });
   };
 
-  useEffect(() => {
-    const { passkeys } = passkeyData;
-
-    if (!preferredPasskeyId && passkeys.length > 0) {
-      setPreferredPasskeyId(passkeys[0].id);
-    }
-
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [passkeyData.passkeys]);
-
-  // Assume that a user must be logged in for any auth requirements.
   const isAuthRedirectRequired = Boolean(
-    derivedRecipientActionAuth &&
-      derivedRecipientActionAuth !== DocumentAuth.EXPLICIT_NONE &&
-      user?.email !== recipient.email,
+    DOCUMENT_AUTH_TYPES[derivedRecipientActionAuth || '']?.isAuthRedirectRequired &&
+      !preCalculatedActionAuthOptions,
   );
 
-  const refetchPasskeys = async () => {
-    await passkeyQuery.refetch();
-  };
-
   return (
     <DocumentAuthContext.Provider
       value={{
@@ -199,12 +143,6 @@ export const DocumentAuthProvider = ({
         derivedRecipientAccessAuth,
         derivedRecipientActionAuth,
         isAuthRedirectRequired,
-        isCurrentlyAuthenticating,
-        setIsCurrentlyAuthenticating,
-        passkeyData,
-        preferredPasskeyId,
-        setPreferredPasskeyId,
-        refetchPasskeys,
       }}
     >
       {children}

apps/web/src/app/(signing)/sign/[token]/form.tsx

@@ -42,10 +42,10 @@ export const SigningForm = ({ document, recipient, fields, redirectUrl }: Signin
   const { mutateAsync: completeDocumentWithToken } =
     trpc.recipient.completeDocumentWithToken.useMutation();
 
-  const { handleSubmit, formState } = useForm();
-
-  // Keep the loading state going if successful since the redirect may take some time.
-  const isSubmitting = formState.isSubmitting || formState.isSubmitSuccessful;
+  const {
+    handleSubmit,
+    formState: { isSubmitting },
+  } = useForm();
 
   const uninsertedFields = useMemo(() => {
     return sortFieldsByPosition(fields.filter((field) => !field.inserted));

apps/web/src/components/forms/2fa/enable-authenticator-app-dialog.tsx

@@ -41,13 +41,8 @@ export const ZEnable2FAForm = z.object({
 
 export type TEnable2FAForm = z.infer<typeof ZEnable2FAForm>;
 
-export type EnableAuthenticatorAppDialogProps = {
-  onSuccess?: () => void;
-};
-
-export const EnableAuthenticatorAppDialog = ({ onSuccess }: EnableAuthenticatorAppDialogProps) => {
+export const EnableAuthenticatorAppDialog = () => {
   const { toast } = useToast();
-
   const router = useRouter();
 
   const [isOpen, setIsOpen] = useState(false);
@@ -84,7 +79,6 @@ export const EnableAuthenticatorAppDialog = ({ onSuccess }: EnableAuthenticatorA
       const data = await enable2FA({ code: token });
 
       setRecoveryCodes(data.recoveryCodes);
-      onSuccess?.();
 
       toast({
         title: 'Two-factor authentication enabled',
@@ -95,7 +89,7 @@ export const EnableAuthenticatorAppDialog = ({ onSuccess }: EnableAuthenticatorA
       toast({
         title: 'Unable to setup two-factor authentication',
         description:
-          'We were unable to setup two-factor authentication for your account. Please ensure that you have entered your code correctly and try again.',
+          'We were unable to setup two-factor authentication for your account. Please ensure that you have entered your password correctly and try again.',
         variant: 'destructive',
       });
     }

apps/web/src/components/forms/signin.tsx

@@ -124,7 +124,7 @@ export const SignInForm = ({ className, initialEmail, isGoogleSSOEnabled }: Sign
   };
 
   const onSignInWithPasskey = async () => {
-    if (!browserSupportsWebAuthn()) {
+    if (!browserSupportsWebAuthn) {
       toast({
         title: 'Not supported',
         description: 'Passkeys are not supported on this browser',

apps/web/src/components/ui/user-profile-skeleton.tsx

@@ -24,7 +24,7 @@ export const UserProfileSkeleton = ({ className, user, rows = 2 }: UserProfileSk
         className,
       )}
     >
-      <div className="border-border bg-background text-muted-foreground inline-block max-w-full truncate rounded-md border px-2.5 py-1.5 text-sm">
+      <div className="border-border bg-background text-muted-foreground inline-block max-w-full truncate rounded-md border px-2.5 py-1.5 text-sm lowercase">
         {baseUrl.host}/u/{user.url}
       </div>
 

packages/app-tests/e2e/document-auth/action-auth.spec.ts

@@ -191,7 +191,7 @@ test('[DOCUMENT_AUTH]: should deny signing fields when required for global auth'
 
       await page.locator(`#field-${field.id}`).getByRole('button').click();
       await expect(page.getByRole('paragraph')).toContainText(
-        'Reauthentication is required to sign this field',
+        'Reauthentication is required to sign the field',
       );
       await page.getByRole('button', { name: 'Cancel' }).click();
     }
@@ -260,7 +260,7 @@ test('[DOCUMENT_AUTH]: should allow field signing when required for recipient au
 
         await page.locator(`#field-${field.id}`).getByRole('button').click();
         await expect(page.getByRole('paragraph')).toContainText(
-          'Reauthentication is required to sign this field',
+          'Reauthentication is required to sign the field',
         );
         await page.getByRole('button', { name: 'Cancel' }).click();
       }
@@ -371,7 +371,7 @@ test('[DOCUMENT_AUTH]: should allow field signing when required for recipient an
 
         await page.locator(`#field-${field.id}`).getByRole('button').click();
         await expect(page.getByRole('paragraph')).toContainText(
-          'Reauthentication is required to sign this field',
+          'Reauthentication is required to sign the field',
         );
         await page.getByRole('button', { name: 'Cancel' }).click();
       }

packages/email/template-components/template-document-super-delete.tsx

@@ -0,0 +1,45 @@
+import { Section, Text } from '../components';
+import { TemplateDocumentImage } from './template-document-image';
+
+export interface TemplateDocumentDeleteProps {
+  reason: string;
+  documentName: string;
+  assetBaseUrl: string;
+}
+
+export const TemplateDocumentDelete = ({
+  reason,
+  documentName,
+  assetBaseUrl,
+}: TemplateDocumentDeleteProps) => {
+  return (
+    <>
+      <TemplateDocumentImage className="mt-6" assetBaseUrl={assetBaseUrl} />
+
+      <Section>
+        <Text className="text-primary mb-0 mt-6 text-left text-lg font-semibold">
+          Your document has been deleted by an admin!
+        </Text>
+
+        <Text className="mx-auto mb-6 mt-1 text-left text-base text-slate-400">
+          "{documentName}" has been deleted by an admin.
+        </Text>
+
+        <Text className="mx-auto mb-6 mt-1 text-left text-base text-slate-400">
+          This document can not be recovered, if you would like to dispute the reason for future
+          documents please contact support.
+        </Text>
+
+        <Text className="mx-auto mt-1 text-left text-base text-slate-400">
+          The reason provided for deletion is the following:
+        </Text>
+
+        <Text className="mx-auto mb-6 mt-1 text-left text-base italic text-slate-400">
+          {reason}
+        </Text>
+      </Section>
+    </>
+  );
+};
+
+export default TemplateDocumentDelete;

packages/email/templates/document-super-delete.tsx

@@ -0,0 +1,66 @@
+import config from '@documenso/tailwind-config';
+
+import { Body, Container, Head, Hr, Html, Img, Preview, Section, Tailwind } from '../components';
+import {
+  TemplateDocumentDelete,
+  type TemplateDocumentDeleteProps,
+} from '../template-components/template-document-super-delete';
+import { TemplateFooter } from '../template-components/template-footer';
+
+export type DocumentDeleteEmailTemplateProps = Partial<TemplateDocumentDeleteProps>;
+
+export const DocumentSuperDeleteEmailTemplate = ({
+  documentName = 'Open Source Pledge.pdf',
+  assetBaseUrl = 'http://localhost:3002',
+  reason = 'Unknown',
+}: DocumentDeleteEmailTemplateProps) => {
+  const previewText = `An admin has deleted your document "${documentName}".`;
+
+  const getAssetUrl = (path: string) => {
+    return new URL(path, assetBaseUrl).toString();
+  };
+
+  return (
+    <Html>
+      <Head />
+      <Preview>{previewText}</Preview>
+      <Tailwind
+        config={{
+          theme: {
+            extend: {
+              colors: config.theme.extend.colors,
+            },
+          },
+        }}
+      >
+        <Body className="mx-auto my-auto bg-white font-sans">
+          <Section>
+            <Container className="mx-auto mb-2 mt-8 max-w-xl rounded-lg border border-solid border-slate-200 p-4 backdrop-blur-sm">
+              <Section>
+                <Img
+                  src={getAssetUrl('/static/logo.png')}
+                  alt="Documenso Logo"
+                  className="mb-4 h-6"
+                />
+
+                <TemplateDocumentDelete
+                  reason={reason}
+                  documentName={documentName}
+                  assetBaseUrl={assetBaseUrl}
+                />
+              </Section>
+            </Container>
+
+            <Hr className="mx-auto mt-12 max-w-xl" />
+
+            <Container className="mx-auto max-w-xl">
+              <TemplateFooter />
+            </Container>
+          </Section>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default DocumentSuperDeleteEmailTemplate;

packages/lib/constants/document-auth.ts

@@ -4,21 +4,26 @@ import { DocumentAuth } from '../types/document-auth';
 type DocumentAuthTypeData = {
   key: TDocumentAuth;
   value: string;
+
+  /**
+   * Whether this authentication event will require the user to halt and
+   * redirect.
+   *
+   * Defaults to false.
+   */
+  isAuthRedirectRequired?: boolean;
 };
 
 export const DOCUMENT_AUTH_TYPES: Record<string, DocumentAuthTypeData> = {
   [DocumentAuth.ACCOUNT]: {
     key: DocumentAuth.ACCOUNT,
     value: 'Require account',
+    isAuthRedirectRequired: true,
   },
-  [DocumentAuth.PASSKEY]: {
-    key: DocumentAuth.PASSKEY,
-    value: 'Require passkey',
-  },
-  [DocumentAuth.TWO_FACTOR_AUTH]: {
-    key: DocumentAuth.TWO_FACTOR_AUTH,
-    value: 'Require 2FA',
-  },
+  // [DocumentAuthType.PASSKEY]: {
+  //   key: DocumentAuthType.PASSKEY,
+  //   value: 'Require passkey',
+  // },
   [DocumentAuth.EXPLICIT_NONE]: {
     key: DocumentAuth.EXPLICIT_NONE,
     value: 'None (Overrides global settings)',

packages/lib/next-auth/auth-options.ts

@@ -22,7 +22,7 @@ import { sendConfirmationToken } from '../server-only/user/send-confirmation-tok
 import type { TAuthenticationResponseJSONSchema } from '../types/webauthn';
 import { ZAuthenticationResponseJSONSchema } from '../types/webauthn';
 import { extractNextAuthRequestMetadata } from '../universal/extract-request-metadata';
-import { getAuthenticatorOptions } from '../utils/authenticator';
+import { getAuthenticatorRegistrationOptions } from '../utils/authenticator';
 import { ErrorCode } from './error-codes';
 
 export const NEXT_AUTH_OPTIONS: AuthOptions = {
@@ -196,7 +196,7 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
 
         const user = passkey.User;
 
-        const { rpId, origin } = getAuthenticatorOptions();
+        const { rpId, origin } = getAuthenticatorRegistrationOptions();
 
         const verification = await verifyAuthenticationResponse({
           response: requestBodyCrediential,

packages/lib/server-only/auth/create-passkey-authentication-options.ts

@@ -1,76 +0,0 @@
-import { generateAuthenticationOptions } from '@simplewebauthn/server';
-import type { AuthenticatorTransportFuture } from '@simplewebauthn/types';
-import { DateTime } from 'luxon';
-
-import { prisma } from '@documenso/prisma';
-import type { Passkey } from '@documenso/prisma/client';
-
-import { AppError, AppErrorCode } from '../../errors/app-error';
-import { getAuthenticatorOptions } from '../../utils/authenticator';
-
-type CreatePasskeyAuthenticationOptions = {
-  userId: number;
-
-  /**
-   * The ID of the passkey to request authentication for.
-   *
-   * If not set, we allow the browser client to handle choosing.
-   */
-  preferredPasskeyId?: string;
-};
-
-export const createPasskeyAuthenticationOptions = async ({
-  userId,
-  preferredPasskeyId,
-}: CreatePasskeyAuthenticationOptions) => {
-  const { rpId, timeout } = getAuthenticatorOptions();
-
-  let preferredPasskey: Pick<Passkey, 'credentialId' | 'transports'> | null = null;
-
-  if (preferredPasskeyId) {
-    preferredPasskey = await prisma.passkey.findFirst({
-      where: {
-        userId,
-        id: preferredPasskeyId,
-      },
-      select: {
-        credentialId: true,
-        transports: true,
-      },
-    });
-
-    if (!preferredPasskey) {
-      throw new AppError(AppErrorCode.NOT_FOUND, 'Requested passkey not found');
-    }
-  }
-
-  const options = await generateAuthenticationOptions({
-    rpID: rpId,
-    userVerification: 'preferred',
-    timeout,
-    allowCredentials: preferredPasskey
-      ? [
-          {
-            id: preferredPasskey.credentialId,
-            type: 'public-key',
-            // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-            transports: preferredPasskey.transports as AuthenticatorTransportFuture[],
-          },
-        ]
-      : undefined,
-  });
-
-  const { secondaryId } = await prisma.verificationToken.create({
-    data: {
-      userId,
-      token: options.challenge,
-      expires: DateTime.now().plus({ minutes: 2 }).toJSDate(),
-      identifier: 'PASSKEY_CHALLENGE',
-    },
-  });
-
-  return {
-    tokenReference: secondaryId,
-    options,
-  };
-};

packages/lib/server-only/auth/create-passkey-registration-options.ts

@@ -5,7 +5,7 @@ import { DateTime } from 'luxon';
 import { prisma } from '@documenso/prisma';
 
 import { PASSKEY_TIMEOUT } from '../../constants/auth';
-import { getAuthenticatorOptions } from '../../utils/authenticator';
+import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
 
 type CreatePasskeyRegistrationOptions = {
   userId: number;
@@ -27,7 +27,7 @@ export const createPasskeyRegistrationOptions = async ({
 
   const { passkeys } = user;
 
-  const { rpName, rpId: rpID } = getAuthenticatorOptions();
+  const { rpName, rpId: rpID } = getAuthenticatorRegistrationOptions();
 
   const options = await generateRegistrationOptions({
     rpName,

packages/lib/server-only/auth/create-passkey-signin-options.ts

@@ -3,14 +3,14 @@ import { DateTime } from 'luxon';
 
 import { prisma } from '@documenso/prisma';
 
-import { getAuthenticatorOptions } from '../../utils/authenticator';
+import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
 
 type CreatePasskeySigninOptions = {
   sessionId: string;
 };
 
 export const createPasskeySigninOptions = async ({ sessionId }: CreatePasskeySigninOptions) => {
-  const { rpId, timeout } = getAuthenticatorOptions();
+  const { rpId, timeout } = getAuthenticatorRegistrationOptions();
 
   const options = await generateAuthenticationOptions({
     rpID: rpId,

packages/lib/server-only/auth/create-passkey.ts

@@ -7,7 +7,7 @@ import { UserSecurityAuditLogType } from '@documenso/prisma/client';
 import { MAXIMUM_PASSKEYS } from '../../constants/auth';
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
-import { getAuthenticatorOptions } from '../../utils/authenticator';
+import { getAuthenticatorRegistrationOptions } from '../../utils/authenticator';
 
 type CreatePasskeyOptions = {
   userId: number;
@@ -64,7 +64,7 @@ export const createPasskey = async ({
     throw new AppError(AppErrorCode.EXPIRED_CODE, 'Challenge token expired');
   }
 
-  const { rpId: expectedRPID, origin: expectedOrigin } = getAuthenticatorOptions();
+  const { rpId: expectedRPID, origin: expectedOrigin } = getAuthenticatorRegistrationOptions();
 
   const verification = await verifyRegistrationResponse({
     response: verificationResponse,

packages/lib/server-only/auth/find-passkeys.ts

@@ -11,7 +11,6 @@ export interface FindPasskeysOptions {
   orderBy?: {
     column: keyof Passkey;
     direction: 'asc' | 'desc';
-    nulls?: Prisma.NullsOrder;
   };
 }
 
@@ -22,9 +21,8 @@ export const findPasskeys = async ({
   perPage = 10,
   orderBy,
 }: FindPasskeysOptions) => {
-  const orderByColumn = orderBy?.column ?? 'lastUsedAt';
+  const orderByColumn = orderBy?.column ?? 'name';
   const orderByDirection = orderBy?.direction ?? 'desc';
-  const orderByNulls: Prisma.NullsOrder | undefined = orderBy?.nulls ?? 'last';
 
   const whereClause: Prisma.PasskeyWhereInput = {
     userId,
@@ -43,10 +41,7 @@ export const findPasskeys = async ({
       skip: Math.max(page - 1, 0) * perPage,
       take: perPage,
       orderBy: {
-        [orderByColumn]: {
-          sort: orderByDirection,
-          nulls: orderByNulls,
-        },
+        [orderByColumn]: orderByDirection,
       },
       select: {
         id: true,

packages/lib/server-only/document/is-recipient-authorized.ts

@@ -1,15 +1,10 @@
-import { verifyAuthenticationResponse } from '@simplewebauthn/server';
 import { match } from 'ts-pattern';
 
 import { prisma } from '@documenso/prisma';
 import type { Document, Recipient } from '@documenso/prisma/client';
 
-import { verifyTwoFactorAuthenticationToken } from '../2fa/verify-2fa-token';
-import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { TDocumentAuth, TDocumentAuthMethods } from '../../types/document-auth';
 import { DocumentAuth } from '../../types/document-auth';
-import type { TAuthenticationResponseJSONSchema } from '../../types/webauthn';
-import { getAuthenticatorOptions } from '../../utils/authenticator';
 import { extractDocumentAuthMethods } from '../../utils/document-auth';
 
 type IsRecipientAuthorizedOptions = {
@@ -68,20 +63,17 @@ export const isRecipientAuthorized = async ({
     return true;
   }
 
-  // Create auth options when none are passed for account.
-  if (!authOptions && authMethod === DocumentAuth.ACCOUNT) {
-    authOptions = {
-      type: DocumentAuth.ACCOUNT,
-    };
-  }
-
   // Authentication required does not match provided method.
-  if (!authOptions || authOptions.type !== authMethod || !userId) {
+  if (authOptions && authOptions.type !== authMethod) {
+    return false;
+  }
+
+  return await match(authMethod)
+    .with(DocumentAuth.ACCOUNT, async () => {
+      if (userId === undefined) {
         return false;
       }
 
-  return await match(authOptions)
-    .with({ type: DocumentAuth.ACCOUNT }, async () => {
       const recipientUser = await getUserByEmail(recipient.email);
 
       if (!recipientUser) {
@@ -90,124 +82,5 @@ export const isRecipientAuthorized = async ({
 
       return recipientUser.id === userId;
     })
-    .with({ type: DocumentAuth.PASSKEY }, async ({ authenticationResponse, tokenReference }) => {
-      return await isPasskeyAuthValid({
-        userId,
-        authenticationResponse,
-        tokenReference,
-      });
-    })
-    .with({ type: DocumentAuth.TWO_FACTOR_AUTH }, async ({ token }) => {
-      const user = await prisma.user.findFirst({
-        where: {
-          id: userId,
-        },
-      });
-
-      // Should not be possible.
-      if (!user) {
-        throw new AppError(AppErrorCode.NOT_FOUND, 'User not found');
-      }
-
-      return await verifyTwoFactorAuthenticationToken({
-        user,
-        totpCode: token,
-      });
-    })
     .exhaustive();
 };
-
-type VerifyPasskeyOptions = {
-  /**
-   * The ID of the user who initiated the request.
-   */
-  userId: number;
-
-  /**
-   * The secondary ID of the verification token.
-   */
-  tokenReference: string;
-
-  /**
-   * The response from the passkey authenticator.
-   */
-  authenticationResponse: TAuthenticationResponseJSONSchema;
-};
-
-/**
- * Whether the provided passkey authenticator response is valid and the user is
- * authenticated.
- */
-const isPasskeyAuthValid = async (options: VerifyPasskeyOptions): Promise<boolean> => {
-  return verifyPasskey(options)
-    .then(() => true)
-    .catch(() => false);
-};
-
-/**
- * Verifies whether the provided passkey authenticator is valid and the user is
- * authenticated.
- *
- * Will throw an error if the user should not be authenticated.
- */
-const verifyPasskey = async ({
-  userId,
-  tokenReference,
-  authenticationResponse,
-}: VerifyPasskeyOptions): Promise<void> => {
-  const passkey = await prisma.passkey.findFirst({
-    where: {
-      credentialId: Buffer.from(authenticationResponse.id, 'base64'),
-      userId,
-    },
-  });
-
-  if (!passkey) {
-    throw new AppError(AppErrorCode.NOT_FOUND, 'Passkey not found');
-  }
-
-  const verificationToken = await prisma.verificationToken
-    .delete({
-      where: {
-        userId,
-        secondaryId: tokenReference,
-      },
-    })
-    .catch(() => null);
-
-  if (!verificationToken) {
-    throw new AppError(AppErrorCode.NOT_FOUND, 'Token not found');
-  }
-
-  if (verificationToken.expires < new Date()) {
-    throw new AppError(AppErrorCode.EXPIRED_CODE, 'Token expired');
-  }
-
-  const { rpId, origin } = getAuthenticatorOptions();
-
-  const verification = await verifyAuthenticationResponse({
-    response: authenticationResponse,
-    expectedChallenge: verificationToken.token,
-    expectedOrigin: origin,
-    expectedRPID: rpId,
-    authenticator: {
-      credentialID: new Uint8Array(Array.from(passkey.credentialId)),
-      credentialPublicKey: new Uint8Array(passkey.credentialPublicKey),
-      counter: Number(passkey.counter),
-    },
-  }).catch(() => null); // May want to log this for insights.
-
-  if (verification?.verified !== true) {
-    throw new AppError(AppErrorCode.UNAUTHORIZED, 'User is not authorized');
-  }
-
-  await prisma.passkey.update({
-    where: {
-      id: passkey.id,
-    },
-    data: {
-      lastUsedAt: new Date(),
-      counter: verification.authenticationInfo.newCounter,
-    },
-  });
-};

packages/lib/server-only/document/seal-document.ts

@@ -2,7 +2,7 @@
 
 import { nanoid } from 'nanoid';
 import path from 'node:path';
-import { PDFDocument, PDFSignature, rectangle } from 'pdf-lib';
+import { PDFDocument } from 'pdf-lib';
 
 import PostHogServerClient from '@documenso/lib/server-only/feature-flags/get-post-hog-server-client';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
@@ -15,7 +15,9 @@ import { signPdf } from '@documenso/signing';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { getFile } from '../../universal/upload/get-file';
 import { putFile } from '../../universal/upload/put-file';
+import { flattenAnnotations } from '../pdf/flatten-annotations';
 import { insertFieldInPDF } from '../pdf/insert-field-in-pdf';
+import { normalizeSignatureAppearances } from '../pdf/normalize-signature-appearances';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
 import { sendCompletedEmail } from './send-completed-email';
 
@@ -91,31 +93,10 @@ export const sealDocument = async ({
 
   const doc = await PDFDocument.load(pdfData);
 
-  const form = doc.getForm();
-
-  // Remove old signatures
-  for (const field of form.getFields()) {
-    if (field instanceof PDFSignature) {
-      field.acroField.getWidgets().forEach((widget) => {
-        widget.ensureAP();
-
-        try {
-          widget.getNormalAppearance();
-        } catch (e) {
-          const { context } = widget.dict;
-
-          const xobj = context.formXObject([rectangle(0, 0, 0, 0)]);
-
-          const streamRef = context.register(xobj);
-
-          widget.setNormalAppearance(streamRef);
-        }
-      });
-    }
-  }
-
-  // Flatten the form to stop annotation layers from appearing above documenso fields
-  form.flatten();
+  // Normalize and flatten layers that could cause issues with the signature
+  normalizeSignatureAppearances(doc);
+  doc.getForm().flatten();
+  flattenAnnotations(doc);
 
   for (const field of fields) {
     await insertFieldInPDF(doc, field);

packages/lib/server-only/document/send-delete-email.ts

@@ -0,0 +1,52 @@
+import { createElement } from 'react';
+
+import { mailer } from '@documenso/email/mailer';
+import { render } from '@documenso/email/render';
+import { DocumentSuperDeleteEmailTemplate } from '@documenso/email/templates/document-super-delete';
+import { prisma } from '@documenso/prisma';
+
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+
+export interface SendDeleteEmailOptions {
+  documentId: number;
+  reason: string;
+}
+
+export const sendDeleteEmail = async ({ documentId, reason }: SendDeleteEmailOptions) => {
+  const document = await prisma.document.findFirst({
+    where: {
+      id: documentId,
+    },
+    include: {
+      User: true,
+    },
+  });
+
+  if (!document) {
+    throw new Error('Document not found');
+  }
+
+  const { email, name } = document.User;
+
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+
+  const template = createElement(DocumentSuperDeleteEmailTemplate, {
+    documentName: document.title,
+    reason,
+    assetBaseUrl,
+  });
+
+  await mailer.sendMail({
+    to: {
+      address: email,
+      name: name || '',
+    },
+    from: {
+      name: process.env.NEXT_PRIVATE_SMTP_FROM_NAME || 'Documenso',
+      address: process.env.NEXT_PRIVATE_SMTP_FROM_ADDRESS || 'noreply@documenso.com',
+    },
+    subject: 'Document Deleted!',
+    html: render(template),
+    text: render(template, { plainText: true }),
+  });
+};

packages/lib/server-only/document/super-delete-document.ts

@@ -0,0 +1,85 @@
+'use server';
+
+import { createElement } from 'react';
+
+import { mailer } from '@documenso/email/mailer';
+import { render } from '@documenso/email/render';
+import DocumentCancelTemplate from '@documenso/email/templates/document-cancel';
+import { prisma } from '@documenso/prisma';
+import { DocumentStatus } from '@documenso/prisma/client';
+
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
+import { FROM_ADDRESS, FROM_NAME } from '../../constants/email';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
+import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
+
+export type SuperDeleteDocumentOptions = {
+  id: number;
+  requestMetadata?: RequestMetadata;
+};
+
+export const superDeleteDocument = async ({ id, requestMetadata }: SuperDeleteDocumentOptions) => {
+  const document = await prisma.document.findUnique({
+    where: {
+      id,
+    },
+    include: {
+      Recipient: true,
+      documentMeta: true,
+      User: true,
+    },
+  });
+
+  if (!document) {
+    throw new Error('Document not found');
+  }
+
+  const { status, User: user } = document;
+
+  // if the document is pending, send cancellation emails to all recipients
+  if (status === DocumentStatus.PENDING && document.Recipient.length > 0) {
+    await Promise.all(
+      document.Recipient.map(async (recipient) => {
+        const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+        const template = createElement(DocumentCancelTemplate, {
+          documentName: document.title,
+          inviterName: user.name || undefined,
+          inviterEmail: user.email,
+          assetBaseUrl,
+        });
+
+        await mailer.sendMail({
+          to: {
+            address: recipient.email,
+            name: recipient.name,
+          },
+          from: {
+            name: FROM_NAME,
+            address: FROM_ADDRESS,
+          },
+          subject: 'Document Cancelled',
+          html: render(template),
+          text: render(template, { plainText: true }),
+        });
+      }),
+    );
+  }
+
+  // always hard delete if deleted from admin
+  return await prisma.$transaction(async (tx) => {
+    await tx.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        documentId: id,
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_DELETED,
+        user,
+        requestMetadata,
+        data: {
+          type: 'HARD',
+        },
+      }),
+    });
+
+    return await tx.document.delete({ where: { id } });
+  });
+};

packages/lib/server-only/pdf/flatten-annotations.ts

@@ -0,0 +1,63 @@
+import { PDFAnnotation, PDFRef } from 'pdf-lib';
+import {
+  PDFDict,
+  type PDFDocument,
+  PDFName,
+  drawObject,
+  popGraphicsState,
+  pushGraphicsState,
+  rotateInPlace,
+  translate,
+} from 'pdf-lib';
+
+export const flattenAnnotations = (document: PDFDocument) => {
+  const pages = document.getPages();
+
+  for (const page of pages) {
+    const annotations = page.node.Annots()?.asArray() ?? [];
+
+    annotations.forEach((annotation) => {
+      if (!(annotation instanceof PDFRef)) {
+        return;
+      }
+
+      const actualAnnotation = page.node.context.lookup(annotation);
+
+      if (!(actualAnnotation instanceof PDFDict)) {
+        return;
+      }
+
+      const pdfAnnot = PDFAnnotation.fromDict(actualAnnotation);
+
+      const appearance = pdfAnnot.ensureAP();
+
+      // Skip annotations without a normal appearance
+      if (!appearance.has(PDFName.of('N'))) {
+        return;
+      }
+
+      const normalAppearance = pdfAnnot.getNormalAppearance();
+      const rectangle = pdfAnnot.getRectangle();
+
+      if (!(normalAppearance instanceof PDFRef)) {
+        // Not sure how to get the reference to the normal appearance yet
+        // so we should skip this annotation for now
+        return;
+      }
+
+      const xobj = page.node.newXObject('FlatAnnot', normalAppearance);
+
+      const operators = [
+        pushGraphicsState(),
+        translate(rectangle.x, rectangle.y),
+        ...rotateInPlace({ ...rectangle, rotation: 0 }),
+        drawObject(xobj),
+        popGraphicsState(),
+      ].filter((op) => !!op);
+
+      page.pushOperators(...operators);
+
+      page.node.removeAnnot(annotation);
+    });
+  }
+};

packages/lib/server-only/pdf/normalize-signature-appearances.ts

@@ -0,0 +1,26 @@
+import type { PDFDocument } from 'pdf-lib';
+import { PDFSignature, rectangle } from 'pdf-lib';
+
+export const normalizeSignatureAppearances = (document: PDFDocument) => {
+  const form = document.getForm();
+
+  for (const field of form.getFields()) {
+    if (field instanceof PDFSignature) {
+      field.acroField.getWidgets().forEach((widget) => {
+        widget.ensureAP();
+
+        try {
+          widget.getNormalAppearance();
+        } catch {
+          const { context } = widget.dict;
+
+          const xobj = context.formXObject([rectangle(0, 0, 0, 0)]);
+
+          const streamRef = context.register(xobj);
+
+          widget.setNormalAppearance(streamRef);
+        }
+      });
+    }
+  }
+};

packages/lib/types/document-auth.ts

@@ -1,16 +1,9 @@
 import { z } from 'zod';
 
-import { ZAuthenticationResponseJSONSchema } from './webauthn';
-
 /**
  * All the available types of document authentication options for both access and action.
  */
-export const ZDocumentAuthTypesSchema = z.enum([
-  'ACCOUNT',
-  'PASSKEY',
-  'TWO_FACTOR_AUTH',
-  'EXPLICIT_NONE',
-]);
+export const ZDocumentAuthTypesSchema = z.enum(['ACCOUNT', 'EXPLICIT_NONE']);
 export const DocumentAuth = ZDocumentAuthTypesSchema.Enum;
 
 const ZDocumentAuthAccountSchema = z.object({
@@ -21,25 +14,12 @@ const ZDocumentAuthExplicitNoneSchema = z.object({
   type: z.literal(DocumentAuth.EXPLICIT_NONE),
 });
 
-const ZDocumentAuthPasskeySchema = z.object({
-  type: z.literal(DocumentAuth.PASSKEY),
-  authenticationResponse: ZAuthenticationResponseJSONSchema,
-  tokenReference: z.string().min(1),
-});
-
-const ZDocumentAuth2FASchema = z.object({
-  type: z.literal(DocumentAuth.TWO_FACTOR_AUTH),
-  token: z.string().min(4).max(10),
-});
-
 /**
  * All the document auth methods for both accessing and actioning.
  */
 export const ZDocumentAuthMethodsSchema = z.discriminatedUnion('type', [
   ZDocumentAuthAccountSchema,
   ZDocumentAuthExplicitNoneSchema,
-  ZDocumentAuthPasskeySchema,
-  ZDocumentAuth2FASchema,
 ]);
 
 /**
@@ -55,16 +35,8 @@ export const ZDocumentAccessAuthTypesSchema = z.enum([DocumentAuth.ACCOUNT]);
  *
  * Must keep these two in sync.
  */
-export const ZDocumentActionAuthSchema = z.discriminatedUnion('type', [
-  ZDocumentAuthAccountSchema,
-  ZDocumentAuthPasskeySchema,
-  ZDocumentAuth2FASchema,
-]);
-export const ZDocumentActionAuthTypesSchema = z.enum([
-  DocumentAuth.ACCOUNT,
-  DocumentAuth.PASSKEY,
-  DocumentAuth.TWO_FACTOR_AUTH,
-]);
+export const ZDocumentActionAuthSchema = z.discriminatedUnion('type', [ZDocumentAuthAccountSchema]); // Todo: Add passkeys here.
+export const ZDocumentActionAuthTypesSchema = z.enum([DocumentAuth.ACCOUNT]);
 
 /**
  * The recipient access auth methods.
@@ -82,15 +54,11 @@ export const ZRecipientAccessAuthTypesSchema = z.enum([DocumentAuth.ACCOUNT]);
  * Must keep these two in sync.
  */
 export const ZRecipientActionAuthSchema = z.discriminatedUnion('type', [
-  ZDocumentAuthAccountSchema,
-  ZDocumentAuthPasskeySchema,
-  ZDocumentAuth2FASchema,
+  ZDocumentAuthAccountSchema, // Todo: Add passkeys here.
   ZDocumentAuthExplicitNoneSchema,
 ]);
 export const ZRecipientActionAuthTypesSchema = z.enum([
   DocumentAuth.ACCOUNT,
-  DocumentAuth.PASSKEY,
-  DocumentAuth.TWO_FACTOR_AUTH,
   DocumentAuth.EXPLICIT_NONE,
 ]);
 

packages/lib/utils/authenticator.ts

@@ -4,7 +4,7 @@ import { PASSKEY_TIMEOUT } from '../constants/auth';
 /**
  * Extracts common fields to identify the RP (relying party)
  */
-export const getAuthenticatorOptions = () => {
+export const getAuthenticatorRegistrationOptions = () => {
   const webAppBaseUrl = new URL(WEBAPP_BASE_URL);
   const rpId = webAppBaseUrl.hostname;
 

packages/prisma/migrations/20240327074701_add_secondary_verification_id/migration.sql

@@ -1,12 +0,0 @@
-/*
-  Warnings:
-
-  - A unique constraint covering the columns `[secondaryId]` on the table `VerificationToken` will be added. If there are existing duplicate values, this will fail.
-  - The required column `secondaryId` was added to the `VerificationToken` table with a prisma-level default value. This is not possible if the table is not empty. Please add this column as optional, then populate it before making it required.
-
-*/
--- AlterTable
-ALTER TABLE "VerificationToken" ADD COLUMN     "secondaryId" TEXT NOT NULL;
-
--- CreateIndex
-CREATE UNIQUE INDEX "VerificationToken_secondaryId_key" ON "VerificationToken"("secondaryId");

packages/prisma/schema.prisma

@@ -127,7 +127,6 @@ model AnonymousVerificationToken {
 
 model VerificationToken {
   id         Int      @id @default(autoincrement())
-  secondaryId String   @unique @default(cuid())
   identifier String
   token      String   @unique
   expires    DateTime

packages/signing/helpers/add-signing-placeholder.ts

@@ -1,5 +1,6 @@
 import {
   PDFArray,
+  PDFDict,
   PDFDocument,
   PDFHexString,
   PDFName,
@@ -16,7 +17,7 @@ export type AddSigningPlaceholderOptions = {
 
 export const addSigningPlaceholder = async ({ pdf }: AddSigningPlaceholderOptions) => {
   const doc = await PDFDocument.load(pdf);
-  const pages = doc.getPages();
+  const [firstPage] = doc.getPages();
 
   const byteRange = PDFArray.withContext(doc.context);
 
@@ -25,7 +26,8 @@ export const addSigningPlaceholder = async ({ pdf }: AddSigningPlaceholderOption
   byteRange.push(PDFName.of(BYTE_RANGE_PLACEHOLDER));
   byteRange.push(PDFName.of(BYTE_RANGE_PLACEHOLDER));
 
-  const signature = doc.context.obj({
+  const signature = doc.context.register(
+    doc.context.obj({
       Type: 'Sig',
       Filter: 'Adobe.PPKLite',
       SubFilter: 'adbe.pkcs7.detached',
@@ -33,56 +35,62 @@ export const addSigningPlaceholder = async ({ pdf }: AddSigningPlaceholderOption
       Contents: PDFHexString.fromText(' '.repeat(8192)),
       Reason: PDFString.of('Signed by Documenso'),
       M: PDFString.fromDate(new Date()),
-  });
+    }),
+  );
 
-  const signatureRef = doc.context.register(signature);
-
-  const widget = doc.context.obj({
+  const widget = doc.context.register(
+    doc.context.obj({
       Type: 'Annot',
       Subtype: 'Widget',
       FT: 'Sig',
       Rect: [0, 0, 0, 0],
-    V: signatureRef,
+      V: signature,
       T: PDFString.of('Signature1'),
       F: 4,
-    P: pages[0].ref,
-  });
-
-  const xobj = widget.context.formXObject([rectangle(0, 0, 0, 0)]);
-
-  const streamRef = widget.context.register(xobj);
-
-  widget.set(PDFName.of('AP'), widget.context.obj({ N: streamRef }));
-
-  const widgetRef = doc.context.register(widget);
-
-  let widgets = pages[0].node.get(PDFName.of('Annots'));
-
-  if (widgets instanceof PDFArray) {
-    widgets.push(widgetRef);
-  } else {
-    const newWidgets = PDFArray.withContext(doc.context);
-
-    newWidgets.push(widgetRef);
-
-    pages[0].node.set(PDFName.of('Annots'), newWidgets);
-
-    widgets = pages[0].node.get(PDFName.of('Annots'));
-  }
-
-  if (!widgets) {
-    throw new Error('No widgets');
-  }
-
-  pages[0].node.set(PDFName.of('Annots'), widgets);
-
-  doc.catalog.set(
-    PDFName.of('AcroForm'),
-    doc.context.obj({
-      SigFlags: 3,
-      Fields: [widgetRef],
+      P: firstPage.ref,
+      AP: doc.context.obj({
+        N: doc.context.register(doc.context.formXObject([rectangle(0, 0, 0, 0)])),
+      }),
     }),
   );
 
+  let widgets: PDFArray;
+
+  try {
+    widgets = firstPage.node.lookup(PDFName.of('Annots'), PDFArray);
+  } catch {
+    widgets = PDFArray.withContext(doc.context);
+
+    firstPage.node.set(PDFName.of('Annots'), widgets);
+  }
+
+  widgets.push(widget);
+
+  let arcoForm: PDFDict;
+
+  try {
+    arcoForm = doc.catalog.lookup(PDFName.of('AcroForm'), PDFDict);
+  } catch {
+    arcoForm = doc.context.obj({
+      Fields: PDFArray.withContext(doc.context),
+    });
+
+    doc.catalog.set(PDFName.of('AcroForm'), arcoForm);
+  }
+
+  let fields: PDFArray;
+
+  try {
+    fields = arcoForm.lookup(PDFName.of('Fields'), PDFArray);
+  } catch {
+    fields = PDFArray.withContext(doc.context);
+
+    arcoForm.set(PDFName.of('Fields'), fields);
+  }
+
+  fields.push(widget);
+
+  arcoForm.set(PDFName.of('SigFlags'), PDFNumber.of(3));
+
   return Buffer.from(await doc.save({ useObjectStreams: false }));
 };

packages/trpc/server/admin-router/router.ts

@@ -4,12 +4,16 @@ import { findDocuments } from '@documenso/lib/server-only/admin/get-all-document
 import { updateRecipient } from '@documenso/lib/server-only/admin/update-recipient';
 import { updateUser } from '@documenso/lib/server-only/admin/update-user';
 import { sealDocument } from '@documenso/lib/server-only/document/seal-document';
+import { sendDeleteEmail } from '@documenso/lib/server-only/document/send-delete-email';
+import { superDeleteDocument } from '@documenso/lib/server-only/document/super-delete-document';
 import { upsertSiteSetting } from '@documenso/lib/server-only/site-settings/upsert-site-setting';
 import { deleteUser } from '@documenso/lib/server-only/user/delete-user';
 import { getUserById } from '@documenso/lib/server-only/user/get-user-by-id';
+import { extractNextApiRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 
 import { adminProcedure, router } from '../trpc';
 import {
+  ZAdminDeleteDocumentMutationSchema,
   ZAdminDeleteUserMutationSchema,
   ZAdminFindDocumentsQuerySchema,
   ZAdminResealDocumentMutationSchema,
@@ -118,4 +122,25 @@ export const adminRouter = router({
       });
     }
   }),
+
+  deleteDocument: adminProcedure
+    .input(ZAdminDeleteDocumentMutationSchema)
+    .mutation(async ({ ctx, input }) => {
+      const { id, reason } = input;
+      try {
+        await sendDeleteEmail({ documentId: id, reason });
+
+        return await superDeleteDocument({
+          id,
+          requestMetadata: extractNextApiRequestMetadata(ctx.req),
+        });
+      } catch (err) {
+        console.log(err);
+
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: 'We were unable to delete the specified document. Please try again.',
+        });
+      }
+    }),
 });

packages/trpc/server/admin-router/schema.ts

@@ -48,3 +48,10 @@ export const ZAdminDeleteUserMutationSchema = z.object({
 });
 
 export type TAdminDeleteUserMutationSchema = z.infer<typeof ZAdminDeleteUserMutationSchema>;
+
+export const ZAdminDeleteDocumentMutationSchema = z.object({
+  id: z.number().min(1),
+  reason: z.string(),
+});
+
+export type TAdminDeleteDocomentMutationSchema = z.infer<typeof ZAdminDeleteDocumentMutationSchema>;

packages/trpc/server/auth-router/router.ts

@@ -7,7 +7,6 @@ import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { ErrorCode } from '@documenso/lib/next-auth/error-codes';
 import { createPasskey } from '@documenso/lib/server-only/auth/create-passkey';
-import { createPasskeyAuthenticationOptions } from '@documenso/lib/server-only/auth/create-passkey-authentication-options';
 import { createPasskeyRegistrationOptions } from '@documenso/lib/server-only/auth/create-passkey-registration-options';
 import { createPasskeySigninOptions } from '@documenso/lib/server-only/auth/create-passkey-signin-options';
 import { deletePasskey } from '@documenso/lib/server-only/auth/delete-passkey';
@@ -20,7 +19,6 @@ import { extractNextApiRequestMetadata } from '@documenso/lib/universal/extract-
 
 import { authenticatedProcedure, procedure, router } from '../trpc';
 import {
-  ZCreatePasskeyAuthenticationOptionsMutationSchema,
   ZCreatePasskeyMutationSchema,
   ZDeletePasskeyMutationSchema,
   ZFindPasskeysQuerySchema,
@@ -117,25 +115,6 @@ export const authRouter = router({
       }
     }),
 
-  createPasskeyAuthenticationOptions: authenticatedProcedure
-    .input(ZCreatePasskeyAuthenticationOptionsMutationSchema)
-    .mutation(async ({ ctx, input }) => {
-      try {
-        return await createPasskeyAuthenticationOptions({
-          userId: ctx.user.id,
-          preferredPasskeyId: input?.preferredPasskeyId,
-        });
-      } catch (err) {
-        console.error(err);
-
-        throw new TRPCError({
-          code: 'BAD_REQUEST',
-          message:
-            'We were unable to create the authentication options for the passkey. Please try again later.',
-        });
-      }
-    }),
-
   createPasskeyRegistrationOptions: authenticatedProcedure.mutation(async ({ ctx }) => {
     try {
       return await createPasskeyRegistrationOptions({
@@ -153,7 +132,10 @@ export const authRouter = router({
   }),
 
   createPasskeySigninOptions: procedure.mutation(async ({ ctx }) => {
-    const sessionIdToken = parse(ctx.req.headers.cookie ?? '')['next-auth.csrf-token'];
+    const cookies = parse(ctx.req.headers.cookie ?? '');
+
+    const sessionIdToken =
+      cookies['__Host-next-auth.csrf-token'] || cookies['next-auth.csrf-token'];
 
     if (!sessionIdToken) {
       throw new Error('Missing CSRF token');

packages/trpc/server/auth-router/schema.ts

@@ -40,12 +40,6 @@ export const ZCreatePasskeyMutationSchema = z.object({
   verificationResponse: ZRegistrationResponseJSONSchema,
 });
 
-export const ZCreatePasskeyAuthenticationOptionsMutationSchema = z
-  .object({
-    preferredPasskeyId: z.string().optional(),
-  })
-  .optional();
-
 export const ZDeletePasskeyMutationSchema = z.object({
   passkeyId: z.string().trim().min(1),
 });

packages/ui/primitives/document-flow/add-settings.tsx

@@ -219,10 +219,6 @@ export const AddSettingsFormPartial = ({
                             <li>
                               <strong>Require account</strong> - The recipient must be signed in
                             </li>
-                            <li>
-                              <strong>Require passkey</strong> - The recipient must have an account
-                              and passkey configured via their settings
-                            </li>
                             <li>
                               <strong>None</strong> - No authentication required
                             </li>

packages/ui/primitives/document-flow/add-signers.tsx

@@ -287,10 +287,6 @@ export const AddSignersFormPartial = ({
                                         <strong>Require account</strong> - The recipient must be
                                         signed in
                                       </li>
-                                      <li>
-                                        <strong>Require passkey</strong> - The recipient must have
-                                        an account and passkey configured via their settings
-                                      </li>
                                       <li>
                                         <strong>None</strong> - No authentication required
                                       </li>

packages/ui/styles/theme.css

@@ -91,11 +91,6 @@
     @apply border-border;
   }
 
-  html,
-  body {
-    scrollbar-gutter: stable;
-  }
-
   body {
     @apply bg-background text-foreground;
     font-feature-settings: 'rlig' 1, 'calt' 1;
@@ -130,7 +125,7 @@
   background: rgb(100 116 139 / 0.5);
 }
 
- /* Custom Swagger Dark Theme */
+/* Custom Swagger Dark Theme */
 .swagger-dark-theme .swagger-ui {
   filter: invert(88%) hue-rotate(180deg);
 }