feat(snjs): add authenticator use cases (#2145)

* feat(snjs): add authenticator use case

* feat(snjs): add use cases for listing, deleting and verifying authenticators

* fix(snjs): spec for deleting authenticator

packages/services/src/Domain/Authenticator/AuthenticatorClientInterface.ts

@@ -1,12 +1,14 @@
+import { Username, Uuid } from '@standardnotes/domain-core'
+
 export interface AuthenticatorClientInterface {
   list(): Promise<Array<{ id: string; name: string }>>
-  delete(authenticatorId: string): Promise<boolean>
+  delete(authenticatorId: Uuid): Promise<boolean>
-  generateRegistrationOptions(userUuid: string, username: string): Promise<Record<string, unknown> | null>
+  generateRegistrationOptions(userUuid: Uuid, username: Username): Promise<Record<string, unknown> | null>
   verifyRegistrationResponse(
-    userUuid: string,
+    userUuid: Uuid,
     name: string,
     registrationCredential: Record<string, unknown>,
   ): Promise<boolean>
   generateAuthenticationOptions(): Promise<Record<string, unknown> | null>
-  verifyAuthenticationResponse(userUuid: string, authenticationCredential: Record<string, unknown>): Promise<boolean>
+  verifyAuthenticationResponse(userUuid: Uuid, authenticationCredential: Record<string, unknown>): Promise<boolean>
 }

packages/services/src/Domain/Authenticator/AuthenticatorManager.ts

@@ -1,6 +1,7 @@
 /* istanbul ignore file */
 
 import { AuthenticatorApiServiceInterface } from '@standardnotes/api'
+import { Username, Uuid } from '@standardnotes/domain-core'
 
 import { InternalEventBusInterface } from '../Internal/InternalEventBusInterface'
 import { AbstractService } from '../Service/AbstractService'
@@ -28,9 +29,9 @@ export class AuthenticatorManager extends AbstractService implements Authenticat
     }
   }
 
-  async delete(authenticatorId: string): Promise<boolean> {
+  async delete(authenticatorId: Uuid): Promise<boolean> {
     try {
-      const result = await this.authenticatorApiService.delete(authenticatorId)
+      const result = await this.authenticatorApiService.delete(authenticatorId.value)
 
       if (result.data.error) {
         return false
@@ -42,9 +43,9 @@ export class AuthenticatorManager extends AbstractService implements Authenticat
     }
   }
 
-  async generateRegistrationOptions(userUuid: string, username: string): Promise<Record<string, unknown> | null> {
+  async generateRegistrationOptions(userUuid: Uuid, username: Username): Promise<Record<string, unknown> | null> {
     try {
-      const result = await this.authenticatorApiService.generateRegistrationOptions(userUuid, username)
+      const result = await this.authenticatorApiService.generateRegistrationOptions(userUuid.value, username.value)
 
       if (result.data.error) {
         return null
@@ -57,13 +58,13 @@ export class AuthenticatorManager extends AbstractService implements Authenticat
   }
 
   async verifyRegistrationResponse(
-    userUuid: string,
+    userUuid: Uuid,
     name: string,
     registrationCredential: Record<string, unknown>,
   ): Promise<boolean> {
     try {
       const result = await this.authenticatorApiService.verifyRegistrationResponse(
-        userUuid,
+        userUuid.value,
         name,
         registrationCredential,
       )
@@ -93,11 +94,14 @@ export class AuthenticatorManager extends AbstractService implements Authenticat
   }
 
   async verifyAuthenticationResponse(
-    userUuid: string,
+    userUuid: Uuid,
     authenticationCredential: Record<string, unknown>,
   ): Promise<boolean> {
     try {
-      const result = await this.authenticatorApiService.verifyAuthenticationResponse(userUuid, authenticationCredential)
+      const result = await this.authenticatorApiService.verifyAuthenticationResponse(
+        userUuid.value,
+        authenticationCredential,
+      )
 
       if (result.data.error) {
         return false

packages/snjs/lib/Application/Application.ts

@@ -1,9 +1,7 @@
 import {
   AuthApiService,
   AuthenticatorApiService,
-  AuthenticatorApiServiceInterface,
   AuthenticatorServer,
-  AuthenticatorServerInterface,
   AuthServer,
   HttpService,
   HttpServiceInterface,
@@ -98,6 +96,10 @@ import { LegacySessionStorageMapper } from '@Lib/Services/Mapping/LegacySessionS
 import { SignInWithRecoveryCodes } from '@Lib/Domain/UseCase/SignInWithRecoveryCodes/SignInWithRecoveryCodes'
 import { UseCaseContainerInterface } from '@Lib/Domain/UseCase/UseCaseContainerInterface'
 import { GetRecoveryCodes } from '@Lib/Domain/UseCase/GetRecoveryCodes/GetRecoveryCodes'
+import { AddAuthenticator } from '@Lib/Domain/UseCase/AddAuthenticator/AddAuthenticator'
+import { ListAuthenticators } from '@Lib/Domain/UseCase/ListAuthenticators/ListAuthenticators'
+import { DeleteAuthenticator } from '@Lib/Domain/UseCase/DeleteAuthenticator/DeleteAuthenticator'
+import { VerifyAuthenticator } from '@Lib/Domain/UseCase/VerifyAuthenticator/VerifyAuthenticator'
 
 /** How often to automatically sync, in milliseconds */
 const DEFAULT_AUTO_SYNC_INTERVAL = 30_000
@@ -172,13 +174,15 @@ export class SNApplication implements ApplicationInterface, AppGroupManagedAppli
   private filesBackupService?: FilesBackupService
   private declare sessionStorageMapper: MapperInterface<Session, Record<string, unknown>>
   private declare legacySessionStorageMapper: MapperInterface<LegacySession, Record<string, unknown>>
-  private declare authenticatorApiService: AuthenticatorApiServiceInterface
-  private declare authenticatorServer: AuthenticatorServerInterface
   private declare authenticatorManager: AuthenticatorClientInterface
   private declare authManager: AuthClientInterface
 
   private declare _signInWithRecoveryCodes: SignInWithRecoveryCodes
   private declare _getRecoveryCodes: GetRecoveryCodes
+  private declare _addAuthenticator: AddAuthenticator
+  private declare _listAuthenticators: ListAuthenticators
+  private declare _deleteAuthenticator: DeleteAuthenticator
+  private declare _verifyAuthenticator: VerifyAuthenticator
 
   private internalEventBus!: ExternalServices.InternalEventBusInterface
 
@@ -269,6 +273,22 @@ export class SNApplication implements ApplicationInterface, AppGroupManagedAppli
     return this._getRecoveryCodes
   }
 
+  get addAuthenticator(): UseCaseInterface<void> {
+    return this._addAuthenticator
+  }
+
+  get listAuthenticators(): UseCaseInterface<Array<{ id: string; name: string }>> {
+    return this._listAuthenticators
+  }
+
+  get deleteAuthenticator(): UseCaseInterface<void> {
+    return this._deleteAuthenticator
+  }
+
+  get verifyAuthenticator(): UseCaseInterface<void> {
+    return this._verifyAuthenticator
+  }
+
   public get files(): FilesClientInterface {
     return this.fileService
   }
@@ -1166,8 +1186,6 @@ export class SNApplication implements ApplicationInterface, AppGroupManagedAppli
     this.createMutatorService()
     this.createListedService()
     this.createActionsManager()
-    this.createAuthenticatorServer()
-    this.createAuthenticatorApiService()
     this.createAuthenticatorManager()
     this.createAuthManager()
 
@@ -1219,12 +1237,14 @@ export class SNApplication implements ApplicationInterface, AppGroupManagedAppli
     ;(this.statusService as unknown) = undefined
     ;(this.sessionStorageMapper as unknown) = undefined
     ;(this.legacySessionStorageMapper as unknown) = undefined
-    ;(this.authenticatorApiService as unknown) = undefined
-    ;(this.authenticatorServer as unknown) = undefined
     ;(this.authenticatorManager as unknown) = undefined
     ;(this.authManager as unknown) = undefined
     ;(this._signInWithRecoveryCodes as unknown) = undefined
     ;(this._getRecoveryCodes as unknown) = undefined
+    ;(this._addAuthenticator as unknown) = undefined
+    ;(this._listAuthenticators as unknown) = undefined
+    ;(this._deleteAuthenticator as unknown) = undefined
+    ;(this._verifyAuthenticator as unknown) = undefined
 
     this.services = []
   }
@@ -1754,16 +1774,12 @@ export class SNApplication implements ApplicationInterface, AppGroupManagedAppli
     this.services.push(this.statusService)
   }
 
-  private createAuthenticatorServer() {
-    this.authenticatorServer = new AuthenticatorServer(this.httpService)
-  }
-
-  private createAuthenticatorApiService() {
-    this.authenticatorApiService = new AuthenticatorApiService(this.authenticatorServer)
-  }
-
   private createAuthenticatorManager() {
-    this.authenticatorManager = new AuthenticatorManager(this.authenticatorApiService, this.internalEventBus)
+    const authenticatorServer = new AuthenticatorServer(this.httpService)
+
+    const authenticatorApiService = new AuthenticatorApiService(authenticatorServer)
+
+    this.authenticatorManager = new AuthenticatorManager(authenticatorApiService, this.internalEventBus)
   }
 
   private createAuthManager() {
@@ -1785,5 +1801,19 @@ export class SNApplication implements ApplicationInterface, AppGroupManagedAppli
     )
 
     this._getRecoveryCodes = new GetRecoveryCodes(this.authManager, this.settingsService)
+
+    this._addAuthenticator = new AddAuthenticator(
+      this.authenticatorManager,
+      this.options.u2fAuthenticatorRegistrationPromptFunction,
+    )
+
+    this._listAuthenticators = new ListAuthenticators(this.authenticatorManager)
+
+    this._deleteAuthenticator = new DeleteAuthenticator(this.authenticatorManager)
+
+    this._verifyAuthenticator = new VerifyAuthenticator(
+      this.authenticatorManager,
+      this.options.u2fAuthenticatorVerificationPromptFunction,
+    )
   }
 }

packages/snjs/lib/Application/Options/OptionalOptions.ts

@@ -17,4 +17,24 @@ export interface ApplicationOptionalConfiguratioOptions {
    * URL for WebSocket providing permissions and roles information.
    */
   webSocketUrl?: string
+
+  /**
+   * 3rd party library function for prompting U2F authenticator device registration
+   *
+   * @param registrationOptions - Registration options generated by the server
+   * @returns authenticator device response
+   */
+  u2fAuthenticatorRegistrationPromptFunction?: (
+    registrationOptions: Record<string, unknown>,
+  ) => Promise<Record<string, unknown>>
+
+  /**
+   * 3rd party library function for prompting U2F authenticator device authentication
+   *
+   * @param registrationOptions - Registration options generated by the server
+   * @returns authenticator device response
+   */
+  u2fAuthenticatorVerificationPromptFunction?: (
+    authenticationOptions: Record<string, unknown>,
+  ) => Promise<Record<string, unknown>>
 }

packages/snjs/lib/Domain/UseCase/AddAuthenticator/AddAuthenticator.spec.ts

@@ -0,0 +1,146 @@
+import { AuthenticatorClientInterface } from '@standardnotes/services'
+import { AddAuthenticator } from './AddAuthenticator'
+
+describe('AddAuthenticator', () => {
+  let authenticatorClient: AuthenticatorClientInterface
+  let authenticatorRegistrationPromptFunction: (
+    registrationOptions: Record<string, unknown>,
+  ) => Promise<Record<string, unknown>>
+
+
+  const createUseCase = () => new AddAuthenticator(authenticatorClient, authenticatorRegistrationPromptFunction)
+
+  beforeEach(() => {
+    authenticatorClient = {} as jest.Mocked<AuthenticatorClientInterface>
+    authenticatorClient.generateRegistrationOptions = jest.fn().mockReturnValue({ foo: 'bar' })
+    authenticatorClient.verifyRegistrationResponse = jest.fn().mockReturnValue(true)
+
+    authenticatorRegistrationPromptFunction = jest.fn()
+  })
+
+  it('should return error if userUuid is invalid', async () => {
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: 'invalid',
+      username: 'username',
+      authenticatorName: 'authenticatorName',
+    })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not generate authenticator registration options: Given value is not a valid uuid: invalid')
+  })
+
+  it('should return error if username is invalid', async () => {
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      username: '',
+      authenticatorName: 'authenticatorName',
+    })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not generate authenticator registration options: Username cannot be empty')
+  })
+
+  it('should return error if authenticatorName is invalid', async () => {
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      username: 'username',
+      authenticatorName: '',
+    })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not generate authenticator registration options: Given value is empty: ')
+  })
+
+  it('should return error if registration options are null', async () => {
+    authenticatorClient.generateRegistrationOptions = jest.fn().mockReturnValue(null)
+
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      username: 'username',
+      authenticatorName: 'authenticator',
+    })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not generate authenticator registration options')
+  })
+
+  it('should return error if authenticatorRegistrationPromptFunction throws', async () => {
+    authenticatorRegistrationPromptFunction = jest.fn().mockRejectedValue(new Error('error'))
+
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      username: 'username',
+      authenticatorName: 'authenticator',
+    })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not generate authenticator registration options: error')
+  })
+
+  it('should return error if authenticatorRegistrationPromptFunction throws InvalidStateError', async () => {
+    const error = new Error('error')
+    error.name = 'InvalidStateError'
+    authenticatorRegistrationPromptFunction = jest.fn().mockRejectedValue(error)
+
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      username: 'username',
+      authenticatorName: 'authenticator',
+    })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Authenticator was probably already registered by user')
+  })
+
+  it('should return error if registration response verification returns false', async () => {
+    authenticatorClient.verifyRegistrationResponse = jest.fn().mockReturnValue(false)
+
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      username: 'username',
+      authenticatorName: 'authenticator',
+    })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not verify authenticator registration response')
+  })
+
+  it('should register an authenticator', async () => {
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      username: 'username',
+      authenticatorName: 'authenticator',
+    })
+
+    expect(result.isFailed()).toBe(false)
+  })
+
+  it('should return error if authenticator registration prompt function is not passed', async () => {
+    const useCase = new AddAuthenticator(authenticatorClient)
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      username: 'username',
+      authenticatorName: 'authenticator',
+    })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not generate authenticator registration options: No authenticator registration prompt function provided')
+  })
+})

packages/snjs/lib/Domain/UseCase/AddAuthenticator/AddAuthenticator.ts

@@ -0,0 +1,67 @@
+import { AuthenticatorClientInterface } from '@standardnotes/services'
+import { Result, UseCaseInterface, Username, Uuid, Validator } from '@standardnotes/domain-core'
+
+import { AddAuthenticatorDTO } from './AddAuthenticatorDTO'
+
+export class AddAuthenticator implements UseCaseInterface<void> {
+  constructor(
+    private authenticatorClient: AuthenticatorClientInterface,
+    private authenticatorRegistrationPromptFunction?: (
+      registrationOptions: Record<string, unknown>,
+    ) => Promise<Record<string, unknown>>,
+  ) {}
+
+  async execute(dto: AddAuthenticatorDTO): Promise<Result<void>> {
+    if (!this.authenticatorRegistrationPromptFunction) {
+      return Result.fail(
+        'Could not generate authenticator registration options: No authenticator registration prompt function provided',
+      )
+    }
+
+    const userUuidOrError = Uuid.create(dto.userUuid)
+    if (userUuidOrError.isFailed()) {
+      return Result.fail(`Could not generate authenticator registration options: ${userUuidOrError.getError()}`)
+    }
+    const userUuid = userUuidOrError.getValue()
+
+    const usernameOrError = Username.create(dto.username)
+    if (usernameOrError.isFailed()) {
+      return Result.fail(`Could not generate authenticator registration options: ${usernameOrError.getError()}`)
+    }
+    const username = usernameOrError.getValue()
+
+    const authenticatorNameValidatorResult = Validator.isNotEmpty(dto.authenticatorName)
+    if (authenticatorNameValidatorResult.isFailed()) {
+      return Result.fail(
+        `Could not generate authenticator registration options: ${authenticatorNameValidatorResult.getError()}`,
+      )
+    }
+
+    const registrationOptions = await this.authenticatorClient.generateRegistrationOptions(userUuid, username)
+    if (registrationOptions === null) {
+      return Result.fail('Could not generate authenticator registration options')
+    }
+
+    let authenticatorResponse
+    try {
+      authenticatorResponse = await this.authenticatorRegistrationPromptFunction(registrationOptions)
+    } catch (error) {
+      if ((error as Error).name === 'InvalidStateError') {
+        return Result.fail('Authenticator was probably already registered by user')
+      } else {
+        return Result.fail(`Could not generate authenticator registration options: ${(error as Error).message}`)
+      }
+    }
+
+    const verificationResponse = await this.authenticatorClient.verifyRegistrationResponse(
+      userUuid,
+      dto.authenticatorName,
+      authenticatorResponse,
+    )
+    if (!verificationResponse) {
+      return Result.fail('Could not verify authenticator registration response')
+    }
+
+    return Result.ok()
+  }
+}

packages/snjs/lib/Domain/UseCase/AddAuthenticator/AddAuthenticatorDTO.ts

@@ -0,0 +1,5 @@
+export interface AddAuthenticatorDTO {
+  userUuid: string
+  username: string
+  authenticatorName: string
+}

packages/snjs/lib/Domain/UseCase/DeleteAuthenticator/DeleteAuthenticator.spec.ts

@@ -0,0 +1,41 @@
+import { AuthenticatorClientInterface } from '@standardnotes/services'
+
+import { DeleteAuthenticator } from './DeleteAuthenticator'
+
+describe('DeleteAuthenticator', () => {
+  let authenticatorClient: AuthenticatorClientInterface
+
+  const createUseCase = () => new DeleteAuthenticator(authenticatorClient)
+
+  beforeEach(() => {
+    authenticatorClient = {} as jest.Mocked<AuthenticatorClientInterface>
+    authenticatorClient.delete = jest.fn().mockReturnValue(true)
+  })
+
+  it('should delete authenticator', async () => {
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({ authenticatorId: '00000000-0000-0000-0000-000000000000' })
+
+    expect(result.isFailed()).toBe(false)
+  })
+
+  it('should fail if authenticator id is invalid', async () => {
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({ authenticatorId: 'invalid' })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not delete authenticator: Given value is not a valid uuid: invalid')
+  })
+
+  it('should fail if authenticator client fails to delete authenticator', async () => {
+    authenticatorClient.delete = jest.fn().mockReturnValue(false)
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({ authenticatorId: '00000000-0000-0000-0000-000000000000' })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not delete authenticator')
+  })
+})

packages/snjs/lib/Domain/UseCase/DeleteAuthenticator/DeleteAuthenticator.ts

@@ -0,0 +1,23 @@
+import { AuthenticatorClientInterface } from '@standardnotes/services'
+import { Result, UseCaseInterface, Uuid } from '@standardnotes/domain-core'
+
+import { DeleteAuthenticatorDTO } from './DeleteAuthenticatorDTO'
+
+export class DeleteAuthenticator implements UseCaseInterface<void> {
+  constructor(private authenticatorClient: AuthenticatorClientInterface) {}
+
+  async execute(dto: DeleteAuthenticatorDTO): Promise<Result<void>> {
+    const authenticatorIdOrError = Uuid.create(dto.authenticatorId)
+    if (authenticatorIdOrError.isFailed()) {
+      return Result.fail(`Could not delete authenticator: ${authenticatorIdOrError.getError()}`)
+    }
+    const authenticatorId = authenticatorIdOrError.getValue()
+
+    const result = await this.authenticatorClient.delete(authenticatorId)
+    if (!result) {
+      return Result.fail('Could not delete authenticator')
+    }
+
+    return Result.ok()
+  }
+}

packages/snjs/lib/Domain/UseCase/DeleteAuthenticator/DeleteAuthenticatorDTO.ts

@@ -0,0 +1,3 @@
+export interface DeleteAuthenticatorDTO {
+  authenticatorId: string
+}

packages/snjs/lib/Domain/UseCase/ListAuthenticators/ListAuthenticators.spec.ts

@@ -0,0 +1,23 @@
+import { AuthenticatorClientInterface } from '@standardnotes/services'
+
+import { ListAuthenticators } from './ListAuthenticators'
+
+describe('ListAuthenticators', () => {
+  let authenticatorClient: AuthenticatorClientInterface
+
+  const createUseCase = () => new ListAuthenticators(authenticatorClient)
+
+  beforeEach(() => {
+    authenticatorClient = {} as jest.Mocked<AuthenticatorClientInterface>
+    authenticatorClient.list = jest.fn().mockReturnValue([{ id: '1-2-3', name: 'My First Key' }])
+  })
+
+  it('should list authenticators', async () => {
+    const useCase = createUseCase()
+
+    const result = await useCase.execute()
+
+    expect(result.isFailed()).toBe(false)
+    expect(result.getValue()).toEqual([{ id: '1-2-3', name: 'My First Key' }])
+  })
+})

packages/snjs/lib/Domain/UseCase/ListAuthenticators/ListAuthenticators.ts

@@ -0,0 +1,12 @@
+import { AuthenticatorClientInterface } from '@standardnotes/services'
+import { Result, UseCaseInterface } from '@standardnotes/domain-core'
+
+export class ListAuthenticators implements UseCaseInterface<Array<{ id: string; name: string }>> {
+  constructor(private authenticatorClient: AuthenticatorClientInterface) {}
+
+  async execute(): Promise<Result<Array<{ id: string; name: string }>>> {
+    const authenticators = await this.authenticatorClient.list()
+
+    return Result.ok(authenticators)
+  }
+}

packages/snjs/lib/Domain/UseCase/UseCaseContainerInterface.ts

@@ -3,4 +3,8 @@ import { UseCaseInterface } from '@standardnotes/domain-core'
 export interface UseCaseContainerInterface {
   get signInWithRecoveryCodes(): UseCaseInterface<void>
   get getRecoveryCodes(): UseCaseInterface<string>
+  get addAuthenticator(): UseCaseInterface<void>
+  get listAuthenticators(): UseCaseInterface<Array<{ id: string; name: string }>>
+  get deleteAuthenticator(): UseCaseInterface<void>
+  get verifyAuthenticator(): UseCaseInterface<void>
 }

packages/snjs/lib/Domain/UseCase/VerifyAuthenticator/VerifyAuthenticator.spec.ts

@@ -0,0 +1,70 @@
+import { AuthenticatorClientInterface } from '@standardnotes/services'
+
+import { VerifyAuthenticator } from './VerifyAuthenticator'
+
+describe('VerifyAuthenticator', () => {
+  let authenticatorClient: AuthenticatorClientInterface
+  let authenticatorVerificationPromptFunction: (
+    authenticationOptions: Record<string, unknown>,
+  ) => Promise<Record<string, unknown>>
+
+  const createUseCase = () => new VerifyAuthenticator(authenticatorClient, authenticatorVerificationPromptFunction)
+
+  beforeEach(() => {
+    authenticatorClient = {} as jest.Mocked<AuthenticatorClientInterface>
+    authenticatorClient.generateAuthenticationOptions = jest.fn().mockResolvedValue({ foo: 'bar' })
+    authenticatorClient.verifyAuthenticationResponse = jest.fn().mockResolvedValue(true)
+
+    authenticatorVerificationPromptFunction = jest.fn()
+  })
+
+  it('should return an error if authenticator client fails to generate authentication options', async () => {
+    authenticatorClient.generateAuthenticationOptions = jest.fn().mockResolvedValue(null)
+
+    const result = await createUseCase().execute({ userUuid: '00000000-0000-0000-0000-000000000000' })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not generate authenticator authentication options')
+  })
+
+  it('should return an error if authenticator verification prompt function fails', async () => {
+    authenticatorVerificationPromptFunction = jest.fn().mockRejectedValue(new Error('error'))
+
+    const result = await createUseCase().execute({ userUuid: '00000000-0000-0000-0000-000000000000' })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not generate authenticator authentication options: error')
+  })
+
+  it('should return an error if authenticator client fails to verify authentication response', async () => {
+    authenticatorClient.verifyAuthenticationResponse = jest.fn().mockResolvedValue(false)
+
+    const result = await createUseCase().execute({ userUuid: '00000000-0000-0000-0000-000000000000' })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe('Could not generate authenticator authentication options')
+  })
+
+  it('should return ok if authenticator client succeeds to verify authentication response', async () => {
+    const result = await createUseCase().execute({ userUuid: '00000000-0000-0000-0000-000000000000' })
+
+    expect(result.isFailed()).toBe(false)
+  })
+
+  it('should return an error if user uuid is invalid', async () => {
+    const result = await createUseCase().execute({ userUuid: 'invalid' })
+
+    expect(result.isFailed()).toBe(true)
+  })
+
+  it('should return error if authenticatorVerificationPromptFunction is not provided', async () => {
+    const result = await new VerifyAuthenticator(authenticatorClient).execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+    })
+
+    expect(result.isFailed()).toBe(true)
+    expect(result.getError()).toBe(
+      'Could not generate authenticator authentication options: No authenticator verification prompt function provided',
+    )
+  })
+})

packages/snjs/lib/Domain/UseCase/VerifyAuthenticator/VerifyAuthenticator.ts

@@ -0,0 +1,49 @@
+import { AuthenticatorClientInterface } from '@standardnotes/services'
+import { Result, UseCaseInterface, Uuid } from '@standardnotes/domain-core'
+
+import { VerifyAuthenticatorDTO } from './VerifyAuthenticatorDTO'
+
+export class VerifyAuthenticator implements UseCaseInterface<void> {
+  constructor(
+    private authenticatorClient: AuthenticatorClientInterface,
+    private authenticatorVerificationPromptFunction?: (
+      authenticationOptions: Record<string, unknown>,
+    ) => Promise<Record<string, unknown>>,
+  ) {}
+
+  async execute(dto: VerifyAuthenticatorDTO): Promise<Result<void>> {
+    if (!this.authenticatorVerificationPromptFunction) {
+      return Result.fail(
+        'Could not generate authenticator authentication options: No authenticator verification prompt function provided',
+      )
+    }
+
+    const userUuidOrError = Uuid.create(dto.userUuid)
+    if (userUuidOrError.isFailed()) {
+      return Result.fail(`Could not generate authenticator authentication options: ${userUuidOrError.getError()}`)
+    }
+    const userUuid = userUuidOrError.getValue()
+
+    const authenticationOptions = await this.authenticatorClient.generateAuthenticationOptions()
+    if (authenticationOptions === null) {
+      return Result.fail('Could not generate authenticator authentication options')
+    }
+
+    let authenticatorResponse
+    try {
+      authenticatorResponse = await this.authenticatorVerificationPromptFunction(authenticationOptions)
+    } catch (error) {
+      return Result.fail(`Could not generate authenticator authentication options: ${(error as Error).message}`)
+    }
+
+    const verificationResponse = await this.authenticatorClient.verifyAuthenticationResponse(
+      userUuid,
+      authenticatorResponse,
+    )
+    if (!verificationResponse) {
+      return Result.fail('Could not generate authenticator authentication options')
+    }
+
+    return Result.ok()
+  }
+}

packages/snjs/lib/Domain/UseCase/VerifyAuthenticator/VerifyAuthenticatorDTO.ts

@@ -0,0 +1,3 @@
+export interface VerifyAuthenticatorDTO {
+  userUuid: string
+}