@axium/core 0.16.0 → 0.17.1

package/dist/api.js

@@ -1 +1,106 @@
-export {};
+import * as z from 'zod';
+import { AccessControl, AccessMap } from './access.js';
+import { App } from './apps.js';
+import { AuditEvent, AuditFilter, Severity } from './audit.js';
+import { NewSessionResponse, Session, Verification, VerificationInternal } from './auth.js';
+import { PackageVersionInfo } from './packages.js';
+import { Passkey, PasskeyAuthOptions, PasskeyAuthResponse, PasskeyChangeable, PasskeyCreationOptions, PasskeyRegistration, } from './passkeys.js';
+import { PluginInternal } from './plugins.js';
+import { LogoutSessions, User, UserAuthOptions, UserChangeable, UserPublic, UserRegistration, UserRegistrationInit } from './user.js';
+export const AdminSummary = z.object({
+    users: z.number(),
+    passkeys: z.number(),
+    sessions: z.number(),
+    auditEvents: z.tuple(Array(Severity.Debug + 1).fill(z.number())),
+    configFiles: z.number(),
+    plugins: z.number(),
+    versions: z.record(z.literal(['core', 'server', 'client']), PackageVersionInfo),
+});
+/**
+ * Schemas for all API endpoints
+ * @internal
+ */
+const _API = {
+    metadata: {
+        GET: z.object({
+            versions: PackageVersionInfo.array(),
+            routes: z.record(z.string(), z.object({ params: z.record(z.string(), z.string().nullable()), methods: z.string().array() })),
+        }),
+    },
+    apps: {
+        GET: App.array(),
+    },
+    session: {
+        GET: z.object({ ...Session.shape, user: User }),
+        DELETE: Session,
+    },
+    register: {
+        OPTIONS: [UserRegistrationInit, z.object({ userId: z.uuid(), options: PasskeyCreationOptions })],
+        POST: [UserRegistration, NewSessionResponse],
+    },
+    'users/:id': {
+        GET: UserPublic,
+        PATCH: [UserChangeable, User],
+        DELETE: User,
+    },
+    'users/:id/full': {
+        GET: z.object({ ...User.shape, sessions: Session.array() }),
+    },
+    'users/:id/auth': {
+        OPTIONS: [UserAuthOptions, PasskeyAuthOptions],
+        POST: [PasskeyAuthResponse, NewSessionResponse],
+    },
+    'users/:id/sessions': {
+        GET: Session.array(),
+        DELETE: [LogoutSessions, Session.array()],
+    },
+    'users/:id/passkeys': {
+        OPTIONS: PasskeyCreationOptions,
+        GET: Passkey.array(),
+        PUT: [PasskeyRegistration, Passkey],
+    },
+    'users/:id/verify/email': {
+        OPTIONS: z.object({ enabled: z.boolean() }),
+        GET: Verification,
+        POST: [z.object({ token: z.string() }), z.object({})],
+    },
+    'users/:id/verify/login': {
+        POST: [z.object({ token: z.string() }), NewSessionResponse],
+    },
+    'passkeys/:id': {
+        GET: Passkey,
+        PATCH: [PasskeyChangeable, Passkey],
+        DELETE: Passkey,
+    },
+    user_id: {
+        POST: [z.object({ using: z.literal(['email', 'handle']), value: z.string() }), z.object({ id: z.uuid() })],
+    },
+    'acl/:itemType/:itemId': {
+        GET: AccessControl.array(),
+        POST: [AccessMap, AccessControl.array()],
+    },
+    'admin/summary': {
+        GET: AdminSummary,
+    },
+    'admin/users': {
+        GET: User.array(),
+        PUT: [z.object({ name: z.string(), email: z.email() }), z.object({ user: User, verification: VerificationInternal })],
+    },
+    'admin/config': {
+        GET: z.object({
+            files: z.record(z.string(), z.any()),
+            config: z.record(z.string(), z.unknown()),
+        }),
+    },
+    'admin/plugins': {
+        GET: z.object({ ...PluginInternal.omit({ _hooks: true, _client: true }).shape, ...PackageVersionInfo.shape }).array(),
+    },
+    'admin/audit/events': {
+        OPTIONS: z.object({ name: z.string().array(), source: z.string().array(), tags: z.string().array() }).or(z.literal(false)),
+        GET: [AuditFilter, AuditEvent.array()],
+    },
+    'admin/audit/:eventId': {
+        GET: AuditEvent,
+    },
+};
+export const $API = _API;

package/dist/audit.d.ts

@@ -1,5 +1,4 @@
 import * as z from 'zod';
-import type { User } from './user.js';
 export declare enum Severity {
     Emergency = 0,
     Alert = 1,
@@ -11,23 +10,32 @@ export declare enum Severity {
     Debug = 7
 }
 export declare const severityNames: Lowercase<keyof typeof Severity>[];
-export interface AuditEvent<T extends Record<string, unknown> = Record<string, unknown>> {
-    /** UUID of the event */
-    id: string;
-    /** UUID of the user that triggered the event. `null` for events triggered via the server CLI */
-    userId: string | null;
-    user?: (Pick<User, 'id' | 'name'> & Partial<User>) | null;
-    /** When the event happened */
-    timestamp: Date;
-    /** How severe the event is */
-    severity: Severity;
-    /** Snake case name for the event */
-    name: string;
-    /** The source of the event. This should be a package name */
-    source: string;
-    /** Tags for the event. For example, `auth` for authentication events */
-    tags: string[];
-    /** Additional event specific data. */
+export declare const AuditEvent: z.ZodObject<{
+    id: z.ZodUUID;
+    userId: z.ZodNullable<z.ZodUUID>;
+    user: z.ZodOptional<z.ZodNullable<z.ZodObject<{
+        id: z.ZodNonOptional<z.ZodOptional<z.ZodUUID>>;
+        name: z.ZodNonOptional<z.ZodOptional<z.ZodString>>;
+        email: z.ZodOptional<z.ZodEmail>;
+        emailVerified: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodCoercedDate<unknown>>>>;
+        image: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodURL>>>;
+        preferences: z.ZodOptional<z.ZodLazy<z.ZodObject<{
+            debug: z.ZodDefault<z.ZodBoolean>;
+        }, z.core.$strip>>>;
+        roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        registeredAt: z.ZodOptional<z.ZodCoercedDate<unknown>>;
+        isAdmin: z.ZodOptional<z.ZodBoolean>;
+        isSuspended: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>>;
+    timestamp: z.ZodCoercedDate<unknown>;
+    severity: z.ZodEnum<typeof Severity>;
+    name: z.ZodString;
+    source: z.ZodString;
+    tags: z.ZodArray<z.ZodString>;
+    extra: z.ZodRecord<z.ZodAny, z.ZodUnknown>;
+}, z.core.$strip>;
+export interface AuditEvent<T extends Record<string, unknown> = Record<string, unknown>> extends z.infer<typeof AuditEvent> {
     extra: T;
 }
 export declare const AuditFilter: z.ZodObject<{

package/dist/audit.js

@@ -1,5 +1,6 @@
 import { capitalize, uncapitalize } from 'utilium/string.js';
 import * as z from 'zod';
+import { User } from './user.js';
 export var Severity;
 (function (Severity) {
     Severity[Severity["Emergency"] = 0] = "Emergency";
@@ -14,6 +15,25 @@ export var Severity;
 export const severityNames = Object.keys(Severity)
     .filter(k => isNaN(Number(k)))
     .map(uncapitalize);
+export const AuditEvent = z.object({
+    /** UUID of the event */
+    id: z.uuid(),
+    /** UUID of the user that triggered the event. `null` for events triggered via the server CLI */
+    userId: z.uuid().nullable(),
+    user: User.partial().required({ id: true, name: true }).nullish(),
+    /** When the event happened */
+    timestamp: z.coerce.date(),
+    /** How severe the event is */
+    severity: z.enum(Severity),
+    /** Snake case name for the event */
+    name: z.string(),
+    /** The source of the event. This should be a package name */
+    source: z.string(),
+    /** Tags for the event. For example, `auth` for authentication events */
+    tags: z.string().array(),
+    /** Additional event specific data. */
+    extra: z.record(z.any(), z.unknown()),
+});
 export const AuditFilter = z.object({
     since: z.coerce.date().optional(),
     until: z.coerce.date().optional(),

package/dist/auth.d.ts

@@ -8,11 +8,25 @@ export declare const Session: z.ZodObject<{
 }, z.core.$strip>;
 export interface Session extends z.infer<typeof Session> {
 }
-export interface Verification {
-    userId: string;
-    expires: Date;
+export declare const Verification: z.ZodObject<{
+    userId: z.ZodUUID;
+    expires: z.ZodCoercedDate<unknown>;
+}, z.core.$strip>;
+export interface Verification extends z.infer<typeof Verification> {
 }
-export interface NewSessionResponse {
-    userId: string;
-    token: string;
+export declare const VerificationRole: z.ZodLiteral<"email" | "login">;
+export type VerificationRole = z.infer<typeof VerificationRole>;
+export declare const VerificationInternal: z.ZodObject<{
+    userId: z.ZodUUID;
+    expires: z.ZodCoercedDate<unknown>;
+    token: z.ZodString;
+    role: z.ZodLiteral<"email" | "login">;
+}, z.core.$strip>;
+export interface VerificationInternal extends z.infer<typeof VerificationInternal> {
+}
+export declare const NewSessionResponse: z.ZodObject<{
+    userId: z.ZodUUID;
+    token: z.ZodString;
+}, z.core.$strip>;
+export interface NewSessionResponse extends z.infer<typeof NewSessionResponse> {
 }

package/dist/auth.js

@@ -6,3 +6,16 @@ export const Session = z.object({
     created: z.coerce.date(),
     elevated: z.boolean(),
 });
+export const Verification = z.object({
+    userId: z.uuid(),
+    expires: z.coerce.date(),
+});
+export const VerificationRole = z.literal(['email', 'login']);
+export const VerificationInternal = Verification.extend({
+    token: z.string(),
+    role: VerificationRole,
+});
+export const NewSessionResponse = z.object({
+    userId: z.uuid(),
+    token: z.string(),
+});

package/dist/format.js

@@ -1,7 +1,7 @@
 export function formatDateRange(date) {
     const rawDays = (date.getTime() - Date.now()) / (24 * 3600_000);
     const daysCount = Math.abs(rawDays);
-    const daysText = Number.isInteger(daysCount) ? daysCount : daysCount.toFixed(1);
+    const daysText = Math.round(daysCount);
     const plural = daysCount == 1 ? '' : 's';
     return `${date.toLocaleString()} (${rawDays >= 0 ? `in ${daysText} day${plural}` : `${daysText} day${plural} ago`})`;
 }

package/dist/node/packages.d.ts

@@ -0,0 +1,8 @@
+import type { PackageVersionInfo } from '../packages.js';
+export declare function locatePackage(specifier: string, loadedBy: string): string;
+export declare function setPackageCacheTTL(seconds: number): void;
+/**
+ * @param name Package name
+ * @param version The current/installed version
+ */
+export declare function getVersionInfo(specifier: string, from?: string): Promise<PackageVersionInfo>;

package/dist/node/packages.js

@@ -0,0 +1,51 @@
+import * as fs from 'node:fs';
+import { dirname, join, resolve } from 'node:path/posix';
+import { fileURLToPath } from 'node:url';
+import { lt as ltVersion } from 'semver';
+import { warn } from '../io.js';
+function isRelative(specifier) {
+    return specifier[0] == '/' || ['.', '..'].includes(specifier.split('/')[0]);
+}
+export function locatePackage(specifier, loadedBy) {
+    if (isRelative(specifier)) {
+        const path = resolve(dirname(loadedBy), specifier);
+        const stats = fs.statSync(path);
+        if (stats.isFile())
+            return path;
+        if (!stats.isDirectory())
+            throw new Error('Can not resolve package path: ' + path);
+        return join(path, 'package.json');
+    }
+    let packageDir = dirname(fileURLToPath(import.meta.resolve(specifier)));
+    for (; !fs.existsSync(join(packageDir, 'package.json')); packageDir = dirname(packageDir))
+        ;
+    return join(packageDir, 'package.json');
+}
+let cacheTTL = 1000 * 60 * 60;
+export function setPackageCacheTTL(seconds) {
+    cacheTTL = seconds * 1000;
+}
+const cache = new Map();
+/**
+ * @param name Package name
+ * @param version The current/installed version
+ */
+export async function getVersionInfo(specifier, from = import.meta.filename) {
+    const path = locatePackage(specifier, from);
+    const { version, name } = JSON.parse(fs.readFileSync(path, 'utf8'));
+    const info = { name, version, latest: null };
+    if (isRelative(specifier))
+        return info;
+    const cached = cache.get(specifier);
+    const useCache = cached && Date.now() - cached.timestamp < cacheTTL;
+    try {
+        const pkg = useCache ? cached.data : await fetch('https://registry.npmjs.org/' + specifier).then(res => res.json());
+        if (!useCache)
+            cache.set(specifier, { timestamp: Date.now(), data: pkg });
+        info.latest = pkg['dist-tags']?.latest || Object.keys(pkg.versions).sort((a, b) => (ltVersion(a, b) ? 1 : -1))[0];
+    }
+    catch (e) {
+        warn(`Failed to fetch version info for package ${name}: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    return info;
+}

package/dist/node/plugins.js

@@ -5,7 +5,7 @@ import { dirname, resolve } from 'node:path/posix';
 import { styleText } from 'node:util';
 import { _throw } from 'utilium';
 import { apps } from '../apps.js';
-import { locatePackage } from '../packages.js';
+import { locatePackage } from './packages.js';
 export function* pluginText(plugin) {
     yield styleText('whiteBright', plugin.name);
     yield `Version: ${plugin.version}`;

package/dist/packages.d.ts

@@ -1,12 +1,8 @@
-export declare function locatePackage(specifier: string, loadedBy: string): string;
-export interface PackageVersionInfo {
-    name: string;
-    version: string;
-    latest: string | null;
+import * as z from 'zod';
+export declare const PackageVersionInfo: z.ZodObject<{
+    name: z.ZodString;
+    version: z.ZodString;
+    latest: z.ZodNullable<z.ZodString>;
+}, z.core.$strip>;
+export interface PackageVersionInfo extends z.infer<typeof PackageVersionInfo> {
 }
-export declare function setPackageCacheTTL(seconds: number): void;
-/**
- * @param name Package name
- * @param version The current/installed version
- */
-export declare function getVersionInfo(specifier: string, from?: string): Promise<PackageVersionInfo>;

package/dist/packages.js

@@ -1,51 +1,6 @@
-import * as fs from 'node:fs';
-import { dirname, join, resolve } from 'node:path/posix';
-import { fileURLToPath } from 'node:url';
-import { lt as ltVersion } from 'semver';
-import { warn } from './io.js';
-function isRelative(specifier) {
-    return specifier[0] == '/' || ['.', '..'].includes(specifier.split('/')[0]);
-}
-export function locatePackage(specifier, loadedBy) {
-    if (isRelative(specifier)) {
-        const path = resolve(dirname(loadedBy), specifier);
-        const stats = fs.statSync(path);
-        if (stats.isFile())
-            return path;
-        if (!stats.isDirectory())
-            throw new Error('Can not resolve package path: ' + path);
-        return join(path, 'package.json');
-    }
-    let packageDir = dirname(fileURLToPath(import.meta.resolve(specifier)));
-    for (; !fs.existsSync(join(packageDir, 'package.json')); packageDir = dirname(packageDir))
-        ;
-    return join(packageDir, 'package.json');
-}
-let cacheTTL = 1000 * 60 * 60;
-export function setPackageCacheTTL(seconds) {
-    cacheTTL = seconds * 1000;
-}
-const cache = new Map();
-/**
- * @param name Package name
- * @param version The current/installed version
- */
-export async function getVersionInfo(specifier, from = import.meta.filename) {
-    const path = locatePackage(specifier, from);
-    const { version, name } = JSON.parse(fs.readFileSync(path, 'utf8'));
-    const info = { name, version, latest: null };
-    if (isRelative(specifier))
-        return info;
-    const cached = cache.get(specifier);
-    const useCache = cached && Date.now() - cached.timestamp < cacheTTL;
-    try {
-        const pkg = useCache ? cached.data : await fetch('https://registry.npmjs.org/' + specifier).then(res => res.json());
-        if (!useCache)
-            cache.set(specifier, { timestamp: Date.now(), data: pkg });
-        info.latest = pkg['dist-tags']?.latest || Object.keys(pkg.versions).sort((a, b) => (ltVersion(a, b) ? 1 : -1))[0];
-    }
-    catch (e) {
-        warn(`Failed to fetch version info for package ${name}: ${e instanceof Error ? e.message : String(e)}`);
-    }
-    return info;
-}
+import * as z from 'zod';
+export const PackageVersionInfo = z.object({
+    name: z.string(),
+    version: z.string(),
+    latest: z.string().nullable(),
+});

package/dist/passkeys.d.ts

@@ -1,7 +1,57 @@
-import type { AuthenticatorTransportFuture } from '@simplewebauthn/server';
-import type { CredentialDeviceType } from '@simplewebauthn/types';
 import * as z from 'zod';
 export declare const authenticatorAttachment: z.ZodOptional<z.ZodLiteral<"cross-platform" | "platform">>;
+/**
+ * ak/a/ `PublicKeyCredentialRequestOptionsJSON`
+ */
+export declare const PasskeyAuthOptions: z.ZodObject<{
+    challenge: z.ZodBase64URL;
+    timeout: z.ZodOptional<z.ZodNumber>;
+    rpId: z.ZodOptional<z.ZodString>;
+    allowCredentials: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        id: z.ZodBase64URL;
+        type: z.ZodLiteral<"public-key">;
+        transports: z.ZodOptional<z.ZodArray<z.ZodLiteral<"ble" | "cable" | "hybrid" | "internal" | "nfc" | "smart-card" | "usb">>>;
+    }, z.core.$strip>>>;
+    userVerification: z.ZodOptional<z.ZodLiteral<"required" | "preferred" | "discouraged">>;
+    extensions: z.ZodOptional<z.ZodObject<{
+        appid: z.ZodOptional<z.ZodString>;
+        credProps: z.ZodOptional<z.ZodBoolean>;
+        hmacCreateSecret: z.ZodOptional<z.ZodBoolean>;
+        minPinLength: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+/**
+ * a/k/a `PublicKeyCredentialCreationOptionsJSON`
+ */
+export declare const PasskeyCreationOptions: z.ZodObject<{
+    rp: z.ZodObject<{
+        id: z.ZodOptional<z.ZodString>;
+        name: z.ZodString;
+    }, z.core.$strip>;
+    user: z.ZodObject<{
+        id: z.ZodString;
+        name: z.ZodString;
+        displayName: z.ZodString;
+    }, z.core.$strip>;
+    challenge: z.ZodBase64URL;
+    pubKeyCredParams: z.ZodArray<z.ZodObject<{
+        alg: z.ZodNumber;
+        type: z.ZodLiteral<"public-key">;
+    }, z.core.$strip>>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+    excludeCredentials: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        id: z.ZodBase64URL;
+        type: z.ZodLiteral<"public-key">;
+        transports: z.ZodOptional<z.ZodArray<z.ZodLiteral<"ble" | "cable" | "hybrid" | "internal" | "nfc" | "smart-card" | "usb">>>;
+    }, z.core.$strip>>>;
+    authenticatorSelection: z.ZodOptional<z.ZodObject<{
+        authenticatorAttachment: z.ZodOptional<z.ZodOptional<z.ZodLiteral<"cross-platform" | "platform">>>;
+        requireResidentKey: z.ZodOptional<z.ZodBoolean>;
+        residentKey: z.ZodOptional<z.ZodLiteral<"required" | "preferred" | "discouraged">>;
+        userVerification: z.ZodOptional<z.ZodLiteral<"required" | "preferred" | "discouraged">>;
+    }, z.core.$strip>>;
+    attestation: z.ZodOptional<z.ZodLiteral<"none" | "indirect" | "direct" | "enterprise">>;
+}, z.core.$strip>;
 export declare const PasskeyRegistration: z.ZodObject<{
     id: z.ZodString;
     rawId: z.ZodString;
@@ -9,15 +59,7 @@ export declare const PasskeyRegistration: z.ZodObject<{
         clientDataJSON: z.ZodString;
         attestationObject: z.ZodString;
         authenticatorData: z.ZodOptional<z.ZodString>;
-        transports: z.ZodOptional<z.ZodArray<z.ZodEnum<{
-            ble: "ble";
-            cable: "cable";
-            hybrid: "hybrid";
-            internal: "internal";
-            nfc: "nfc";
-            "smart-card": "smart-card";
-            usb: "usb";
-        }>>>;
+        transports: z.ZodOptional<z.ZodArray<z.ZodLiteral<"ble" | "cable" | "hybrid" | "internal" | "nfc" | "smart-card" | "usb">>>;
         publicKeyAlgorithm: z.ZodOptional<z.ZodNumber>;
         publicKey: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>;
@@ -28,7 +70,7 @@ export declare const PasskeyRegistration: z.ZodObject<{
 /**
  * POSTed to the `/users/:id/login` endpoint.
  */
-export declare const PasskeyAuthenticationResponse: z.ZodObject<{
+export declare const PasskeyAuthResponse: z.ZodObject<{
     id: z.ZodString;
     rawId: z.ZodString;
     response: z.ZodObject<{
@@ -44,12 +86,14 @@ export declare const PasskeyAuthenticationResponse: z.ZodObject<{
 export declare const PasskeyChangeable: z.ZodObject<{
     name: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
-export interface Passkey {
-    id: string;
-    name?: string | null;
-    createdAt: Date;
-    userId: string;
-    deviceType: CredentialDeviceType;
-    backedUp: boolean;
-    transports: AuthenticatorTransportFuture[];
+export declare const Passkey: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    createdAt: z.ZodCoercedDate<unknown>;
+    userId: z.ZodUUID;
+    deviceType: z.ZodLiteral<"singleDevice" | "multiDevice">;
+    backedUp: z.ZodBoolean;
+    transports: z.ZodArray<z.ZodLiteral<"ble" | "cable" | "hybrid" | "internal" | "nfc" | "smart-card" | "usb">>;
+}, z.core.$strip>;
+export interface Passkey extends z.infer<typeof Passkey> {
 }

package/dist/passkeys.js

@@ -1,6 +1,79 @@
 import * as z from 'zod';
-const transports = ['ble', 'cable', 'hybrid', 'internal', 'nfc', 'smart-card', 'usb'];
+const PasskeyTransport = z.literal([
+    'ble',
+    'cable',
+    'hybrid',
+    'internal',
+    'nfc',
+    'smart-card',
+    'usb',
+]);
 export const authenticatorAttachment = z.literal(['platform', 'cross-platform']).optional();
+const PublicKeyCredentialType = z.literal(['public-key']);
+/**
+ * https://w3c.github.io/webauthn/#dictdef-publickeycredentialuserentityjson
+ */
+const PublicKeyCredentialUserEntity = z.object({
+    id: z.string(),
+    name: z.string(),
+    displayName: z.string(),
+});
+/**
+ * https://w3c.github.io/webauthn/#dictdef-publickeycredentialdescriptorjson
+ */
+const PublicKeyCredentialDescriptor = z.object({
+    id: z.base64url(),
+    type: PublicKeyCredentialType,
+    transports: PasskeyTransport.array().optional(),
+});
+const UserVerificationRequirement = z.literal(['required', 'preferred', 'discouraged']);
+const AuthenticationExtensionsClientInputs = z.object({
+    appid: z.string().optional(),
+    credProps: z.boolean().optional(),
+    hmacCreateSecret: z.boolean().optional(),
+    minPinLength: z.boolean().optional(),
+});
+/**
+ * ak/a/ `PublicKeyCredentialRequestOptionsJSON`
+ */
+export const PasskeyAuthOptions = z.object({
+    challenge: z.base64url(),
+    timeout: z.number().optional(),
+    rpId: z.string().optional(),
+    allowCredentials: PublicKeyCredentialDescriptor.array().optional(),
+    userVerification: UserVerificationRequirement.optional(),
+    extensions: AuthenticationExtensionsClientInputs.optional(),
+});
+const PublicKeyCredentialRpEntity = z.object({
+    id: z.string().optional(),
+    name: z.string(),
+});
+const COSEAlgorithmIdentifier = z.number();
+const PublicKeyCredentialParameters = z.object({
+    alg: COSEAlgorithmIdentifier,
+    type: PublicKeyCredentialType,
+});
+const ResidentKeyRequirement = z.literal(['required', 'preferred', 'discouraged']);
+const AuthenticatorSelectionCriteria = z.object({
+    authenticatorAttachment: authenticatorAttachment.optional(),
+    requireResidentKey: z.boolean().optional(),
+    residentKey: ResidentKeyRequirement.optional(),
+    userVerification: UserVerificationRequirement.optional(),
+});
+const AttestationConveyancePreference = z.literal(['none', 'indirect', 'direct', 'enterprise']);
+/**
+ * a/k/a `PublicKeyCredentialCreationOptionsJSON`
+ */
+export const PasskeyCreationOptions = z.object({
+    rp: PublicKeyCredentialRpEntity,
+    user: PublicKeyCredentialUserEntity,
+    challenge: z.base64url(),
+    pubKeyCredParams: PublicKeyCredentialParameters.array(),
+    timeout: z.number().optional(),
+    excludeCredentials: PublicKeyCredentialDescriptor.array().optional(),
+    authenticatorSelection: AuthenticatorSelectionCriteria.optional(),
+    attestation: AttestationConveyancePreference.optional(),
+});
 export const PasskeyRegistration = z.object({
     id: z.string(),
     rawId: z.string(),
@@ -8,7 +81,7 @@ export const PasskeyRegistration = z.object({
         clientDataJSON: z.string(),
         attestationObject: z.string(),
         authenticatorData: z.string().optional(),
-        transports: z.array(z.enum(transports)).optional(),
+        transports: PasskeyTransport.array().optional(),
         publicKeyAlgorithm: z.number().optional(),
         publicKey: z.string().optional(),
     }),
@@ -19,7 +92,7 @@ export const PasskeyRegistration = z.object({
 /**
  * POSTed to the `/users/:id/login` endpoint.
  */
-export const PasskeyAuthenticationResponse = z.object({
+export const PasskeyAuthResponse = z.object({
     id: z.string(),
     rawId: z.string(),
     response: z.object({
@@ -33,3 +106,12 @@ export const PasskeyAuthenticationResponse = z.object({
     type: z.literal('public-key'),
 });
 export const PasskeyChangeable = z.object({ name: z.string() }).partial();
+export const Passkey = z.object({
+    id: z.string(),
+    name: z.string().nullish(),
+    createdAt: z.coerce.date(),
+    userId: z.uuid(),
+    deviceType: z.literal(['singleDevice', 'multiDevice']),
+    backedUp: z.boolean(),
+    transports: z.literal(['ble', 'cable', 'hybrid', 'internal', 'nfc', 'smart-card', 'usb']).array(),
+});