@abraca/dabra 1.1.2 → 1.2.0

package/src/CryptoIdentityKeystore.ts

@@ -1,14 +1,18 @@
 /**
  * CryptoIdentityKeystore
  *
- * Per-device Ed25519 keypair, private key protected by WebAuthn PRF + AES-256-GCM.
- * Stored in IndexedDB under "abracadabra:identity" / "identity" / key "current".
+ * Per-user Ed25519 keypair derived deterministically from a synced WebAuthn
+ * passkey's PRF extension output. The same passkey on any device produces the
+ * same identity — no private key storage needed.
  *
- * No private key is ever shared between devices. Each device generates its own
- * keypair, encrypts the private key with the PRF output from its own WebAuthn
- * credential, and stores the ciphertext in IndexedDB.
+ * Derivation chain:
+ *   Synced Passkey → PRF(constant salt) → HKDF-SHA256 → Ed25519 seed → keypair
  *
- * Dependencies: @noble/ed25519, @noble/hashes (for HKDF)
+ * IndexedDB is used only as a lightweight cache for the public key and
+ * credential ID. Loss of IndexedDB is non-catastrophic — a passkey assertion
+ * re-derives everything.
+ *
+ * Dependencies: @noble/ed25519, @noble/hashes (for HKDF), @noble/curves (for X25519)
  */
 
 import * as ed from "@noble/ed25519";
@@ -16,25 +20,31 @@ import { hkdf } from "@noble/hashes/hkdf";
 import { sha256 } from "@noble/hashes/sha256";
 import { ed25519 as nobleEd25519Curves } from "@noble/curves/ed25519.js";
 
+// ── Constants ───────────────────────────────────────────────────────────────
+
+/**
+ * Fixed PRF eval salt. Must be constant across all devices so the same synced
+ * passkey produces the same PRF output everywhere.
+ *
+ * Value: SHA-256("abracadabra-prf-salt-v1"), precomputed.
+ */
+const PRF_SALT = new Uint8Array([
+	0xb7, 0x79, 0x41, 0xa2, 0xe7, 0x85, 0x1d, 0xfa,
+	0x5e, 0xc1, 0xab, 0xb6, 0x50, 0x1a, 0x5c, 0x85,
+	0x75, 0xfd, 0x3e, 0x3f, 0x92, 0xc9, 0xe1, 0xa7,
+	0x4e, 0xba, 0x71, 0xfc, 0xf2, 0xb1, 0x12, 0xcf,
+]);
+
+const HKDF_INFO = new TextEncoder().encode("abracadabra-identity-v1");
+
 // ── Types ────────────────────────────────────────────────────────────────────
 
+/** Lightweight cache record — no private key material. */
 interface StoredIdentity {
-	/**
-	 * Internal label stored locally. NOT sent to the server during the
-	 * challenge-response handshake — the public key is the sole auth identifier.
-	 * This may be used as a hint when calling POST /auth/register (first device)
-	 * or displayed to the user before they set a real display name.
-	 */
 	username: string;
-	/** base64url-encoded Ed25519 public key (32 bytes). Primary auth identifier. */
+	/** base64url-encoded Ed25519 public key (32 bytes). */
 	publicKey: string;
-	/** AES-GCM ciphertext of the 32-byte private key */
-	encryptedPrivateKey: ArrayBuffer;
-	/** 12-byte AES-GCM nonce */
-	iv: Uint8Array;
-	/** 32-byte constant PRF input salt (per-enrollment) */
-	salt: Uint8Array;
-	/** WebAuthn credential ID */
+	/** WebAuthn credential ID for allowCredentials hint. */
 	credentialId: ArrayBuffer;
 }
 
@@ -56,44 +66,74 @@ function fromBase64url(b64: string): Uint8Array {
 
 const DB_NAME = "abracadabra:identity";
 const STORE_NAME = "identity";
-const RECORD_KEY = "current";
-const HKDF_INFO = new TextEncoder().encode("abracadabra-identity-v1");
 
 // ── IndexedDB helpers ─────────────────────────────────────────────────────────
 
 function openDb(): Promise<IDBDatabase> {
 	return new Promise((resolve, reject) => {
-		const req = indexedDB.open(DB_NAME, 1);
+		const req = indexedDB.open(DB_NAME, 2);
 		req.onupgradeneeded = () => {
-			req.result.createObjectStore(STORE_NAME);
+			const db = req.result;
+			// v1 had a plain object store; v2 uses credentialId-keyed records
+			if (!db.objectStoreNames.contains(STORE_NAME)) {
+				db.createObjectStore(STORE_NAME);
+			}
 		};
 		req.onsuccess = () => resolve(req.result);
 		req.onerror = () => reject(req.error);
 	});
 }
 
-async function dbGet(db: IDBDatabase): Promise<StoredIdentity | undefined> {
+async function dbGetAll(db: IDBDatabase): Promise<{ key: IDBValidKey; value: StoredIdentity }[]> {
 	return new Promise((resolve, reject) => {
 		const tx = db.transaction(STORE_NAME, "readonly");
-		const req = tx.objectStore(STORE_NAME).get(RECORD_KEY);
+		const store = tx.objectStore(STORE_NAME);
+		const results: { key: IDBValidKey; value: StoredIdentity }[] = [];
+		const req = store.openCursor();
+		req.onsuccess = () => {
+			const cursor = req.result;
+			if (cursor) {
+				results.push({ key: cursor.key, value: cursor.value as StoredIdentity });
+				cursor.continue();
+			} else {
+				resolve(results);
+			}
+		};
+		req.onerror = () => reject(req.error);
+	});
+}
+
+async function dbGet(db: IDBDatabase, key: string): Promise<StoredIdentity | undefined> {
+	return new Promise((resolve, reject) => {
+		const tx = db.transaction(STORE_NAME, "readonly");
+		const req = tx.objectStore(STORE_NAME).get(key);
 		req.onsuccess = () => resolve(req.result as StoredIdentity | undefined);
 		req.onerror = () => reject(req.error);
 	});
 }
 
-async function dbPut(db: IDBDatabase, value: StoredIdentity): Promise<void> {
+async function dbPut(db: IDBDatabase, key: string, value: StoredIdentity): Promise<void> {
 	return new Promise((resolve, reject) => {
 		const tx = db.transaction(STORE_NAME, "readwrite");
-		const req = tx.objectStore(STORE_NAME).put(value, RECORD_KEY);
+		const req = tx.objectStore(STORE_NAME).put(value, key);
 		req.onsuccess = () => resolve();
 		req.onerror = () => reject(req.error);
 	});
 }
 
-async function dbDelete(db: IDBDatabase): Promise<void> {
+async function dbDelete(db: IDBDatabase, key: string): Promise<void> {
 	return new Promise((resolve, reject) => {
 		const tx = db.transaction(STORE_NAME, "readwrite");
-		const req = tx.objectStore(STORE_NAME).delete(RECORD_KEY);
+		const req = tx.objectStore(STORE_NAME).delete(key);
+		req.onsuccess = () => resolve();
+		req.onerror = () => reject(req.error);
+	});
+}
+
+async function dbClear(db: IDBDatabase): Promise<void> {
+	return new Promise((resolve, reject) => {
+		const tx = db.transaction(STORE_NAME, "readwrite");
+		const req = tx.objectStore(STORE_NAME).clear();
 		req.onsuccess = () => resolve();
 		req.onerror = () => reject(req.error);
 	});
@@ -101,40 +141,68 @@ async function dbDelete(db: IDBDatabase): Promise<void> {
 
 // ── Key derivation ────────────────────────────────────────────────────────────
 
-async function deriveAesKey(prfOutput: ArrayBuffer, salt: Uint8Array): Promise<CryptoKey> {
-	const ikm = new Uint8Array(prfOutput);
-	const keyBytes = hkdf(sha256, ikm, salt, HKDF_INFO, 32);
-	return crypto.subtle.importKey("raw", keyBytes, { name: "AES-GCM" }, false, [
-		"encrypt",
-		"decrypt",
-	]);
+/** Derive a 32-byte Ed25519 seed from raw PRF output. */
+function deriveEd25519Seed(prfOutput: ArrayBuffer): Uint8Array {
+	return hkdf(sha256, new Uint8Array(prfOutput), PRF_SALT, HKDF_INFO, 32);
+}
+
+// ── PRF extraction helper ────────────────────────────────────────────────────
+
+function extractPrfOutput(
+	credential: PublicKeyCredential,
+): ArrayBuffer {
+	const extResults = credential.getClientExtensionResults() as {
+		prf?: { results?: { first?: ArrayBuffer } };
+	};
+	const prfOutput = extResults?.prf?.results?.first;
+	if (!prfOutput) {
+		throw new Error(
+			"WebAuthn PRF extension not available on this authenticator. " +
+			"A PRF-capable platform authenticator (e.g. iCloud Keychain) is required.",
+		);
+	}
+	return prfOutput;
 }
 
 // ── Main class ───────────────────────────────────────────────────────────────
 
 export class CryptoIdentityKeystore {
+
 	/**
-	 * One-time setup for a device: generates an Ed25519 keypair, creates a
-	 * WebAuthn credential with PRF extension, encrypts the private key, and
-	 * stores everything in IndexedDB.
-	 *
-	 * Returns the base64url-encoded public key. The caller must register this
-	 * key with the server via POST /auth/register (first device) or
-	 * POST /auth/keys (additional device).
-	 *
-	 * @param username  - The user's account name.
-	 * @param rpId      - WebAuthn relying party ID (e.g. "example.com").
-	 * @param rpName    - Human-readable relying party name.
+	 * Check whether the platform supports WebAuthn with PRF extension.
+	 * Call this before offering the "Secure with Passkey" option.
 	 */
-	async register(username: string, rpId: string, rpName: string): Promise<{publicKey: string; x25519PublicKey: string}> {
-		// 1. Generate Ed25519 keypair
-		const privateKey = ed.utils.randomPrivateKey();
-		const publicKey = await ed.getPublicKeyAsync(privateKey);
-
-		// 2. Generate per-enrollment salt
-		const salt = crypto.getRandomValues(new Uint8Array(32));
+	static async isPrfAvailable(): Promise<boolean> {
+		if (typeof window === "undefined" || !window.PublicKeyCredential) return false;
+		try {
+			// Check for platform authenticator
+			const available = await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+			if (!available) return false;
+
+			// PRF is indicated by the presence of the extension in the client;
+			// there's no direct feature-detection API. We check for the
+			// AuthenticationExtensionsClientInputs type support as a proxy.
+			// The definitive test happens at registration time.
+			return true;
+		} catch {
+			return false;
+		}
+	}
 
-		// 3. Create WebAuthn credential with PRF extension
+	/**
+	 * Create a synced discoverable passkey and derive the Ed25519 identity from
+	 * its PRF output. The passkey is stored in the platform credential manager
+	 * (e.g. iCloud Keychain) and syncs across devices automatically.
+	 *
+	 * Returns the base64url-encoded public key, X25519 public key, and credential ID.
+	 * The caller must register the public key with the server.
+	 */
+	async register(
+		username: string,
+		rpId: string,
+		rpName: string,
+	): Promise<{ publicKey: string; x25519PublicKey: string; credentialId: string }> {
+		// 1. Create a discoverable WebAuthn credential with PRF
 		const credential = await navigator.credentials.create({
 			publicKey: {
 				challenge: crypto.getRandomValues(new Uint8Array(32)),
@@ -145,225 +213,266 @@ export class CryptoIdentityKeystore {
 					displayName: username,
 				},
 				pubKeyCredParams: [
-					{ alg: -7, type: "public-key" },  // ES256
-					{ alg: -257, type: "public-key" }, // RS256
+					{ alg: -7, type: "public-key" },   // ES256
+					{ alg: -257, type: "public-key" },  // RS256
 				],
 				authenticatorSelection: {
+					residentKey: "required",
+					requireResidentKey: true,
 					userVerification: "required",
 				},
 				extensions: {
-					prf: { eval: { first: salt.buffer } },
+					prf: { eval: { first: PRF_SALT.buffer } },
 				} as AuthenticationExtensionsClientInputs,
 			},
 		}) as PublicKeyCredential | null;
 
 		if (!credential) {
-			throw new Error("WebAuthn credential creation failed");
+			throw new Error("WebAuthn credential creation cancelled");
 		}
 
-		const extResults = credential.getClientExtensionResults() as {
-			prf?: { results?: { first?: ArrayBuffer } };
-		};
-		const prfOutput = extResults?.prf?.results?.first;
-		if (!prfOutput) {
-			throw new Error(
-				"WebAuthn PRF extension not available on this authenticator. " +
-					"A PRF-capable authenticator (e.g. platform authenticator with PRF support) is required.",
-			);
-		}
+		// 2. Extract PRF output and derive Ed25519 keypair
+		const prfOutput = extractPrfOutput(credential);
+		const seed = deriveEd25519Seed(prfOutput);
+		const publicKey = await ed.getPublicKeyAsync(seed);
+		const publicKeyB64 = toBase64url(publicKey);
 
-		// 4. Derive AES key from PRF output via HKDF
-		const aesKey = await deriveAesKey(prfOutput, salt);
+		// 3. Derive X25519 public key
+		const x25519Pub = nobleEd25519Curves.utils.toMontgomery(publicKey);
+		const x25519PubB64 = toBase64url(x25519Pub);
 
-		// 5. Encrypt private key
-		const iv = crypto.getRandomValues(new Uint8Array(12));
-		const encryptedPrivateKey = await crypto.subtle.encrypt(
-			{ name: "AES-GCM", iv },
-			aesKey,
-			privateKey,
-		);
+		// 4. Credential ID for future allowCredentials hints
+		const credentialIdB64 = toBase64url(new Uint8Array(credential.rawId));
 
-		// 6. Store in IndexedDB
+		// 5. Cache in IndexedDB (lightweight — no private key material)
 		const db = await openDb();
-		await dbPut(db, {
+		await dbPut(db, credentialIdB64, {
 			username,
-			publicKey: toBase64url(publicKey),
-			encryptedPrivateKey,
-			iv,
-			salt,
+			publicKey: publicKeyB64,
 			credentialId: credential.rawId,
 		});
 		db.close();
 
-		const x25519Pub = nobleEd25519Curves.utils.toMontgomery(publicKey);
-		return { publicKey: toBase64url(publicKey), x25519PublicKey: toBase64url(x25519Pub) };
+		// 6. Wipe seed from memory
+		seed.fill(0);
+
+		return {
+			publicKey: publicKeyB64,
+			x25519PublicKey: x25519PubB64,
+			credentialId: credentialIdB64,
+		};
 	}
 
 	/**
-	 * Sign a base64url-encoded challenge using the stored Ed25519 private key.
-	 *
-	 * This triggers a WebAuthn assertion (biometric / PIN prompt) to unlock the
-	 * private key via PRF → HKDF → AES-GCM decryption. The private key is
-	 * wiped from memory after signing.
+	 * Sign a base64url-encoded challenge using the Ed25519 key derived from
+	 * a passkey assertion. Triggers a WebAuthn prompt (biometric / PIN).
 	 *
 	 * @param challengeB64 - base64url-encoded challenge bytes from the server.
+	 * @param credentialIdHint - optional credential ID to select a specific passkey.
 	 * @returns base64url-encoded Ed25519 signature (64 bytes).
 	 */
-	async sign(challengeB64: string): Promise<string> {
-		const db = await openDb();
-		const stored = await dbGet(db);
-		db.close();
-
-		if (!stored) {
-			throw new Error("No identity stored. Call register() first.");
-		}
-
-		// WebAuthn assertion with PRF
-		const assertion = await navigator.credentials.get({
-			publicKey: {
-				challenge: crypto.getRandomValues(new Uint8Array(32)),
-				allowCredentials: [
-					{
-						id: stored.credentialId,
-						type: "public-key",
-					},
-				],
-				userVerification: "required",
-				extensions: {
-					prf: { eval: { first: stored.salt.buffer } },
-				} as AuthenticationExtensionsClientInputs,
-			},
-		}) as PublicKeyCredential | null;
-
-		if (!assertion) {
-			throw new Error("WebAuthn assertion failed");
+	async sign(challengeB64: string, credentialIdHint?: string): Promise<string> {
+		const { seed } = await this._assertAndDerive(credentialIdHint);
+
+		try {
+			const challengeBytes = fromBase64url(challengeB64);
+			const signature = await ed.signAsync(challengeBytes, seed);
+			return toBase64url(signature);
+		} finally {
+			seed.fill(0);
 		}
-
-		const extResults = assertion.getClientExtensionResults() as {
-			prf?: { results?: { first?: ArrayBuffer } };
-		};
-		const prfOutput = extResults?.prf?.results?.first;
-		if (!prfOutput) {
-			throw new Error("PRF output not available from authenticator");
-		}
-
-		// Derive the same AES key
-		const aesKey = await deriveAesKey(prfOutput, stored.salt);
-
-		// Decrypt private key
-		const privateKeyBytes = await crypto.subtle.decrypt(
-			{ name: "AES-GCM", iv: stored.iv },
-			aesKey,
-			stored.encryptedPrivateKey,
-		);
-
-		const privateKey = new Uint8Array(privateKeyBytes);
-
-		// Sign the challenge
-		const challengeBytes = fromBase64url(challengeB64);
-		const signature = await ed.signAsync(challengeBytes, privateKey);
-
-		// Wipe private key from memory
-		privateKey.fill(0);
-
-		return toBase64url(signature);
 	}
 
-	/** Returns the stored base64url public key, or null if no identity exists. */
-	async getPublicKey(): Promise<string | null> {
+	/**
+	 * Returns the cached base64url public key, or null if no identity is cached.
+	 *
+	 * Does NOT trigger a WebAuthn prompt. If the cache is empty (e.g. IndexedDB
+	 * cleared), returns null — the identity can be recovered via sign() or
+	 * a fresh register() with the same synced passkey.
+	 */
+	async getPublicKey(credentialIdHint?: string): Promise<string | null> {
 		const db = await openDb();
-		const stored = await dbGet(db);
-		db.close();
-		return stored?.publicKey ?? null;
+		try {
+			if (credentialIdHint) {
+				const stored = await dbGet(db, credentialIdHint);
+				return stored?.publicKey ?? null;
+			}
+			// Return the first cached identity
+			const all = await dbGetAll(db);
+			return all.length > 0 ? all[0].value.publicKey : null;
+		} finally {
+			db.close();
+		}
 	}
 
 	/**
-	 * Returns the locally-stored internal username label, or null if no identity exists.
-	 *
-	 * This is NOT the auth identifier (the public key is). It can be used as a
-	 * hint when calling POST /auth/register, or displayed before the user sets
-	 * a real display name via PATCH /users/me.
+	 * Returns the locally-cached username label, or null if no identity is cached.
 	 */
-	async getUsername(): Promise<string | null> {
+	async getUsername(credentialIdHint?: string): Promise<string | null> {
 		const db = await openDb();
-		const stored = await dbGet(db);
-		db.close();
-		return stored?.username ?? null;
+		try {
+			if (credentialIdHint) {
+				const stored = await dbGet(db, credentialIdHint);
+				return stored?.username ?? null;
+			}
+			const all = await dbGetAll(db);
+			return all.length > 0 ? all[0].value.username : null;
+		} finally {
+			db.close();
+		}
 	}
 
-	/** Returns true if an identity is stored in IndexedDB. */
+	/** Returns true if an identity is cached in IndexedDB. */
 	async hasIdentity(): Promise<boolean> {
 		const db = await openDb();
-		const stored = await dbGet(db);
-		db.close();
-		return stored !== undefined;
+		try {
+			const all = await dbGetAll(db);
+			return all.length > 0;
+		} finally {
+			db.close();
+		}
 	}
 
-	/** Remove the stored identity from IndexedDB. */
+	/** Remove cached identity record(s) from IndexedDB. The passkey itself
+	 *  remains in the platform credential store. */
 	async clear(): Promise<void> {
 		const db = await openDb();
-		await dbDelete(db);
+		await dbClear(db);
 		db.close();
 	}
 
 	/**
-	 * Returns the X25519 public key derived from the stored Ed25519 private key.
-	 * Does NOT require WebAuthn — computed from the stored encrypted key... actually
-	 * we derive from the Ed25519 public key directly (Montgomery form), no decryption needed
-	 * since nobleEd25519Curves.utils.toMontgomery only needs the public key.
-	 * Returns null if no identity is stored.
+	 * Returns the X25519 public key derived from the cached Ed25519 public key.
+	 * Does NOT require WebAuthn — computed from the cached public key only.
+	 * Returns null if no identity is cached.
 	 */
 	async getX25519PublicKey(): Promise<Uint8Array | null> {
 		const db = await openDb();
-		const stored = await dbGet(db);
-		db.close();
-		if (!stored) return null;
-		const edPub = fromBase64url(stored.publicKey);
-		return nobleEd25519Curves.utils.toMontgomery(edPub);
+		try {
+			const all = await dbGetAll(db);
+			if (all.length === 0) return null;
+			const edPub = fromBase64url(all[0].value.publicKey);
+			return nobleEd25519Curves.utils.toMontgomery(edPub);
+		} finally {
+			db.close();
+		}
 	}
 
 	/**
-	 * Returns the X25519 private key derived from the stored Ed25519 private key.
-	 * Requires WebAuthn assertion to decrypt the private key.
+	 * Returns the X25519 private key derived from the Ed25519 seed.
+	 * Requires a WebAuthn assertion to get the PRF output.
 	 * The caller MUST wipe the returned Uint8Array after use.
 	 */
-	async getX25519PrivateKey(): Promise<Uint8Array> {
+	async getX25519PrivateKey(credentialIdHint?: string): Promise<Uint8Array> {
+		const { seed } = await this._assertAndDerive(credentialIdHint);
+		try {
+			return nobleEd25519Curves.utils.toMontgomerySecret(seed);
+		} finally {
+			seed.fill(0);
+		}
+	}
+
+	/**
+	 * Trigger a WebAuthn assertion to derive (or re-derive) the identity and
+	 * update the IndexedDB cache. Returns the public key and credential ID.
+	 *
+	 * Use this when the cache is empty but you need the public key before
+	 * signing (e.g. to send it to the server for the challenge request).
+	 */
+	async deriveIdentity(credentialIdHint?: string): Promise<{ publicKey: string; credentialId: string }> {
+		const { seed, publicKeyB64, credentialIdB64 } = await this._assertAndDerive(credentialIdHint);
+		seed.fill(0);
+		return { publicKey: publicKeyB64, credentialId: credentialIdB64 };
+	}
+
+	/**
+	 * List all cached credential IDs. Useful for account switching UI.
+	 */
+	async listCachedIdentities(): Promise<{ credentialId: string; publicKey: string; username: string }[]> {
 		const db = await openDb();
-		const stored = await dbGet(db);
-		db.close();
+		try {
+			const all = await dbGetAll(db);
+			return all.map(({ key, value }) => ({
+				credentialId: key as string,
+				publicKey: value.publicKey,
+				username: value.username,
+			}));
+		} finally {
+			db.close();
+		}
+	}
+
+	// ── Internal ─────────────────────────────────────────────────────────────
 
-		if (!stored) {
-			throw new Error("No identity stored. Call register() first.");
+	/**
+	 * Perform a WebAuthn assertion with PRF, derive the Ed25519 seed, and
+	 * update the IndexedDB cache. Returns the seed (caller MUST wipe it).
+	 */
+	private async _assertAndDerive(credentialIdHint?: string): Promise<{
+		seed: Uint8Array;
+		publicKeyB64: string;
+		credentialIdB64: string;
+	}> {
+		// Build allowCredentials from hint or cached records
+		const allowCredentials: PublicKeyCredentialDescriptor[] = [];
+
+		if (credentialIdHint) {
+			allowCredentials.push({
+				id: fromBase64url(credentialIdHint),
+				type: "public-key",
+			});
+		} else {
+			// Try cached credential IDs for a targeted prompt
+			try {
+				const db = await openDb();
+				const all = await dbGetAll(db);
+				db.close();
+				for (const { value } of all) {
+					allowCredentials.push({
+						id: value.credentialId,
+						type: "public-key",
+					});
+				}
+			} catch {
+				// IndexedDB unavailable — proceed with discoverable credentials
+			}
 		}
 
 		const assertion = await navigator.credentials.get({
 			publicKey: {
 				challenge: crypto.getRandomValues(new Uint8Array(32)),
-				allowCredentials: [{ id: stored.credentialId, type: "public-key" }],
+				...(allowCredentials.length > 0 ? { allowCredentials } : {}),
 				userVerification: "required",
 				extensions: {
-					prf: { eval: { first: stored.salt.buffer } },
+					prf: { eval: { first: PRF_SALT.buffer } },
 				} as AuthenticationExtensionsClientInputs,
 			},
 		}) as PublicKeyCredential | null;
 
-		if (!assertion) throw new Error("WebAuthn assertion failed");
+		if (!assertion) {
+			throw new Error("WebAuthn assertion cancelled");
+		}
 
-		const extResults = assertion.getClientExtensionResults() as {
-			prf?: { results?: { first?: ArrayBuffer } };
-		};
-		const prfOutput = extResults?.prf?.results?.first;
-		if (!prfOutput) throw new Error("PRF output not available from authenticator");
-
-		const aesKey = await deriveAesKey(prfOutput, stored.salt);
-		const privateKeyBytes = await crypto.subtle.decrypt(
-			{ name: "AES-GCM", iv: stored.iv },
-			aesKey,
-			stored.encryptedPrivateKey,
-		);
-		const edPrivKey = new Uint8Array(privateKeyBytes);
-		const x25519Priv = nobleEd25519Curves.utils.toMontgomerySecret(edPrivKey);
-		edPrivKey.fill(0);
-		return x25519Priv;
+		const prfOutput = extractPrfOutput(assertion);
+		const seed = deriveEd25519Seed(prfOutput);
+		const publicKey = await ed.getPublicKeyAsync(seed);
+		const publicKeyB64 = toBase64url(publicKey);
+		const credentialIdB64 = toBase64url(new Uint8Array(assertion.rawId));
+
+		// Update cache
+		try {
+			const db = await openDb();
+			const existing = await dbGet(db, credentialIdB64);
+			await dbPut(db, credentialIdB64, {
+				username: existing?.username ?? "",
+				publicKey: publicKeyB64,
+				credentialId: assertion.rawId,
+			});
+			db.close();
+		} catch {
+			// Cache update failure is non-fatal
+		}
+
+		return { seed, publicKeyB64, credentialIdB64 };
 	}
 }