@better-auth/passkey 1.5.7-beta.1 → 1.6.0

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { i as PasskeyOptions, n as PASSKEY_ERROR_CODES, r as Passkey, t as passkey } from "./index-BfRDyiNp.mjs";
+import { n as PASSKEY_ERROR_CODES, o as PasskeyOptions, r as Passkey, t as passkey } from "./index-DD5Lute1.mjs";
 export { PASSKEY_ERROR_CODES, Passkey, PasskeyOptions, passkey };

package/dist/index.mjs

@@ -1,10 +1,10 @@
-import { t as PASSKEY_ERROR_CODES } from "./error-codes-BwAsYefH.mjs";
+import { n as PASSKEY_ERROR_CODES, t as PACKAGE_VERSION } from "./version-DSSbBvqx.mjs";
 import { mergeSchema } from "better-auth/db";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import { APIError } from "@better-auth/core/error";
 import { base64 } from "@better-auth/utils/base64";
 import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse } from "@simplewebauthn/server";
-import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { freshSessionMiddleware, getSessionFromCtx, requireResourceOwnership, sessionMiddleware } from "better-auth/api";
 import { setSessionCookie } from "better-auth/cookies";
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
@@ -14,136 +14,183 @@ function getRpID(options, baseURL) {
 }
 //#endregion
 //#region src/routes.ts
+const resolveExtensions = async (extensions, ctx) => {
+	if (!extensions) return;
+	if (typeof extensions === "function") return await extensions({ ctx });
+	return extensions;
+};
+const resolveRegistrationUser = async (opts, ctx) => {
+	if (opts.registration?.requireSession ?? true) {
+		const session = ctx.context?.session;
+		if (!session?.user?.id) throw APIError.from("UNAUTHORIZED", PASSKEY_ERROR_CODES.SESSION_REQUIRED);
+		const sessionName = session.user.email || session.user.id;
+		return {
+			id: session.user.id,
+			name: sessionName,
+			displayName: sessionName
+		};
+	}
+	const session = await getSessionFromCtx(ctx);
+	if (session?.user?.id) {
+		const sessionName = session.user.email || session.user.id;
+		return {
+			id: session.user.id,
+			name: sessionName,
+			displayName: sessionName
+		};
+	}
+	if (!opts.registration?.resolveUser) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.RESOLVE_USER_REQUIRED);
+	const resolvedUser = await opts.registration.resolveUser({
+		ctx,
+		context: ctx.query?.context ?? null
+	});
+	if (!resolvedUser?.id || !resolvedUser?.name) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.RESOLVED_USER_INVALID);
+	return resolvedUser;
+};
 const generatePasskeyQuerySchema = z.object({
 	authenticatorAttachment: z.enum(["platform", "cross-platform"]).optional(),
-	name: z.string().optional()
+	name: z.string().optional(),
+	context: z.string().optional()
 }).optional();
-const generatePasskeyRegistrationOptions = (opts, { maxAgeInSeconds }) => createAuthEndpoint("/passkey/generate-register-options", {
-	method: "GET",
-	use: [freshSessionMiddleware],
-	query: generatePasskeyQuerySchema,
-	metadata: { openapi: {
-		operationId: "generatePasskeyRegistrationOptions",
-		description: "Generate registration options for a new passkey",
-		responses: { 200: {
-			description: "Success",
-			parameters: { query: {
-				authenticatorAttachment: {
-					description: `Type of authenticator to use for registration.
+const generatePasskeyRegistrationOptions = (opts, { maxAgeInSeconds }) => {
+	return createAuthEndpoint("/passkey/generate-register-options", {
+		method: "GET",
+		use: opts.registration?.requireSession ?? true ? [freshSessionMiddleware] : void 0,
+		query: generatePasskeyQuerySchema,
+		metadata: { openapi: {
+			operationId: "generatePasskeyRegistrationOptions",
+			description: "Generate registration options for a new passkey",
+			responses: { 200: {
+				description: "Success",
+				parameters: { query: {
+					authenticatorAttachment: {
+						description: `Type of authenticator to use for registration.
                           "platform" for device-specific authenticators,
                           "cross-platform" for authenticators that can be used across devices.`,
-					required: false
-				},
-				name: {
-					description: `Optional custom name for the passkey.
-                          This can help identify the passkey when managing multiple credentials.`,
-					required: false
-				}
-			} },
-			content: { "application/json": { schema: {
-				type: "object",
-				properties: {
-					challenge: { type: "string" },
-					rp: {
-						type: "object",
-						properties: {
-							name: { type: "string" },
-							id: { type: "string" }
-						}
+						required: false
 					},
-					user: {
-						type: "object",
-						properties: {
-							id: { type: "string" },
-							name: { type: "string" },
-							displayName: { type: "string" }
-						}
+					name: {
+						description: `Optional custom name for the passkey.
+                          This can help identify the passkey when managing multiple credentials.`,
+						required: false
 					},
-					pubKeyCredParams: {
-						type: "array",
-						items: {
+					context: {
+						description: "Optional context for passkey-first registration flows.",
+						required: false
+					}
+				} },
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						challenge: { type: "string" },
+						rp: {
 							type: "object",
 							properties: {
-								type: { type: "string" },
-								alg: { type: "number" }
+								name: { type: "string" },
+								id: { type: "string" }
 							}
-						}
-					},
-					timeout: { type: "number" },
-					excludeCredentials: {
-						type: "array",
-						items: {
+						},
+						user: {
 							type: "object",
 							properties: {
 								id: { type: "string" },
-								type: { type: "string" },
-								transports: {
-									type: "array",
-									items: { type: "string" }
+								name: { type: "string" },
+								displayName: { type: "string" }
+							}
+						},
+						pubKeyCredParams: {
+							type: "array",
+							items: {
+								type: "object",
+								properties: {
+									type: { type: "string" },
+									alg: { type: "number" }
 								}
 							}
-						}
-					},
-					authenticatorSelection: {
-						type: "object",
-						properties: {
-							authenticatorAttachment: { type: "string" },
-							requireResidentKey: { type: "boolean" },
-							userVerification: { type: "string" }
-						}
-					},
-					attestation: { type: "string" },
-					extensions: { type: "object" }
-				}
-			} } }
+						},
+						timeout: { type: "number" },
+						excludeCredentials: {
+							type: "array",
+							items: {
+								type: "object",
+								properties: {
+									id: { type: "string" },
+									type: { type: "string" },
+									transports: {
+										type: "array",
+										items: { type: "string" }
+									}
+								}
+							}
+						},
+						authenticatorSelection: {
+							type: "object",
+							properties: {
+								authenticatorAttachment: { type: "string" },
+								requireResidentKey: { type: "boolean" },
+								userVerification: { type: "string" }
+							}
+						},
+						attestation: { type: "string" },
+						extensions: { type: "object" }
+					}
+				} } }
+			} }
 		} }
-	} }
-}, async (ctx) => {
-	const { session } = ctx.context;
-	const userPasskeys = await ctx.context.adapter.findMany({
-		model: "passkey",
-		where: [{
-			field: "userId",
-			value: session.user.id
-		}]
-	});
-	const userID = new TextEncoder().encode(generateRandomString(32, "a-z", "0-9"));
-	const baseURLString = typeof ctx.context.options.baseURL === "string" ? ctx.context.options.baseURL : void 0;
-	const options = await generateRegistrationOptions({
-		rpName: opts.rpName || ctx.context.appName,
-		rpID: getRpID(opts, baseURLString),
-		userID,
-		userName: ctx.query?.name || session.user.email || session.user.id,
-		userDisplayName: session.user.email || session.user.id,
-		attestationType: "none",
-		excludeCredentials: userPasskeys.map((passkey) => ({
-			id: passkey.credentialID,
-			transports: passkey.transports?.split(",")
-		})),
-		authenticatorSelection: {
-			residentKey: "preferred",
-			userVerification: "preferred",
-			...opts.authenticatorSelection || {},
-			...ctx.query?.authenticatorAttachment ? { authenticatorAttachment: ctx.query.authenticatorAttachment } : {}
-		}
-	});
-	const verificationToken = generateRandomString(32);
-	const webAuthnCookie = ctx.context.createAuthCookie(opts.advanced.webAuthnChallengeCookie);
-	await ctx.setSignedCookie(webAuthnCookie.name, verificationToken, ctx.context.secret, {
-		...webAuthnCookie.attributes,
-		maxAge: maxAgeInSeconds
-	});
-	const expirationTime = new Date(Date.now() + maxAgeInSeconds * 1e3);
-	await ctx.context.internalAdapter.createVerificationValue({
-		identifier: verificationToken,
-		value: JSON.stringify({
-			expectedChallenge: options.challenge,
-			userData: { id: session.user.id }
-		}),
-		expiresAt: expirationTime
+	}, async (ctx) => {
+		const user = await resolveRegistrationUser(opts, ctx);
+		const userPasskeys = await ctx.context.adapter.findMany({
+			model: "passkey",
+			where: [{
+				field: "userId",
+				value: user.id
+			}]
+		});
+		const registrationExtensions = await resolveExtensions(opts.registration?.extensions, ctx);
+		const userID = new TextEncoder().encode(generateRandomString(32, "a-z", "0-9"));
+		const baseURLString = typeof ctx.context.options.baseURL === "string" ? ctx.context.options.baseURL : void 0;
+		const options = await generateRegistrationOptions({
+			rpName: opts.rpName || ctx.context.appName,
+			rpID: getRpID(opts, baseURLString),
+			userID,
+			userName: ctx.query?.name || user.name || user.id,
+			userDisplayName: user.displayName || user.name || user.id,
+			attestationType: "none",
+			excludeCredentials: userPasskeys.map((passkey) => ({
+				id: passkey.credentialID,
+				transports: passkey.transports?.split(",")
+			})),
+			authenticatorSelection: {
+				residentKey: "preferred",
+				userVerification: "preferred",
+				...opts.authenticatorSelection || {},
+				...ctx.query?.authenticatorAttachment ? { authenticatorAttachment: ctx.query.authenticatorAttachment } : {}
+			},
+			extensions: registrationExtensions
+		});
+		const verificationToken = generateRandomString(32);
+		const webAuthnCookie = ctx.context.createAuthCookie(opts.advanced.webAuthnChallengeCookie);
+		await ctx.setSignedCookie(webAuthnCookie.name, verificationToken, ctx.context.secret, {
+			...webAuthnCookie.attributes,
+			maxAge: maxAgeInSeconds
+		});
+		const expirationTime = new Date(Date.now() + maxAgeInSeconds * 1e3);
+		await ctx.context.internalAdapter.createVerificationValue({
+			identifier: verificationToken,
+			value: JSON.stringify({
+				expectedChallenge: options.challenge,
+				userData: {
+					id: user.id,
+					name: user.name,
+					displayName: user.displayName
+				},
+				context: ctx.query?.context ?? null
+			}),
+			expiresAt: expirationTime
+		});
+		return ctx.json(options, { status: 200 });
 	});
-	return ctx.json(options, { status: 200 });
-});
+};
 const generatePasskeyAuthenticationOptions = (opts, { maxAgeInSeconds }) => createAuthEndpoint("/passkey/generate-authenticate-options", {
 	method: "GET",
 	metadata: { openapi: {
@@ -209,9 +256,12 @@ const generatePasskeyAuthenticationOptions = (opts, { maxAgeInSeconds }) => crea
 			value: session.user.id
 		}]
 	});
+	const baseURLString = typeof ctx.context.options.baseURL === "string" ? ctx.context.options.baseURL : void 0;
+	const authenticationExtensions = await resolveExtensions(opts.authentication?.extensions, ctx);
 	const options = await generateAuthenticationOptions({
-		rpID: getRpID(opts, typeof ctx.context.options.baseURL === "string" ? ctx.context.options.baseURL : void 0),
+		rpID: getRpID(opts, baseURLString),
 		userVerification: "preferred",
+		extensions: authenticationExtensions,
 		...userPasskeys.length ? { allowCredentials: userPasskeys.map((passkey) => ({
 			id: passkey.credentialID,
 			transports: passkey.transports?.split(",")
@@ -239,66 +289,91 @@ const verifyPasskeyRegistrationBodySchema = z.object({
 	response: z.any(),
 	name: z.string().meta({ description: "Name of the passkey" }).optional()
 });
-const verifyPasskeyRegistration = (options) => createAuthEndpoint("/passkey/verify-registration", {
-	method: "POST",
-	body: verifyPasskeyRegistrationBodySchema,
-	use: [freshSessionMiddleware],
-	metadata: { openapi: {
-		operationId: "passkeyVerifyRegistration",
-		description: "Verify registration of a new passkey",
-		responses: {
-			200: {
-				description: "Success",
-				content: { "application/json": { schema: { $ref: "#/components/schemas/Passkey" } } }
-			},
-			400: { description: "Bad request" }
+const verifyPasskeyRegistration = (options) => {
+	const requireSession = options.registration?.requireSession ?? true;
+	return createAuthEndpoint("/passkey/verify-registration", {
+		method: "POST",
+		body: verifyPasskeyRegistrationBodySchema,
+		use: requireSession ? [freshSessionMiddleware] : void 0,
+		metadata: { openapi: {
+			operationId: "passkeyVerifyRegistration",
+			description: "Verify registration of a new passkey",
+			responses: {
+				200: {
+					description: "Success",
+					content: { "application/json": { schema: { $ref: "#/components/schemas/Passkey" } } }
+				},
+				400: { description: "Bad request" }
+			}
+		} }
+	}, async (ctx) => {
+		const origin = options?.origin || ctx.headers?.get("origin") || "";
+		if (!origin) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.FAILED_TO_VERIFY_REGISTRATION);
+		const resp = ctx.body.response;
+		const webAuthnCookie = ctx.context.createAuthCookie(options.advanced.webAuthnChallengeCookie);
+		const verificationToken = await ctx.getSignedCookie(webAuthnCookie.name, ctx.context.secret);
+		if (!verificationToken) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
+		const data = await ctx.context.internalAdapter.findVerificationValue(verificationToken);
+		if (!data) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
+		const { expectedChallenge, userData, context } = JSON.parse(data.value);
+		const session = requireSession ? ctx.context.session : await getSessionFromCtx(ctx);
+		if (session?.user?.id && userData.id !== session.user.id) throw APIError.from("UNAUTHORIZED", PASSKEY_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY);
+		try {
+			const verification = await verifyRegistrationResponse({
+				response: resp,
+				expectedChallenge,
+				expectedOrigin: origin,
+				expectedRPID: getRpID(options, typeof ctx.context.options.baseURL === "string" ? ctx.context.options.baseURL : void 0),
+				requireUserVerification: false
+			});
+			const { verified, registrationInfo } = verification;
+			if (!verified || !registrationInfo) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.FAILED_TO_VERIFY_REGISTRATION);
+			const { aaguid, credentialDeviceType, credentialBackedUp, credential } = registrationInfo;
+			const resolvedUser = {
+				id: userData.id,
+				name: userData.name || userData.id,
+				displayName: userData.displayName
+			};
+			let targetUserId = resolvedUser.id;
+			if (options.registration?.afterVerification) {
+				const result = await options.registration.afterVerification({
+					ctx,
+					verification,
+					user: resolvedUser,
+					clientData: resp,
+					context
+				});
+				if (result?.userId) {
+					if (typeof result.userId !== "string" || !result.userId) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.RESOLVED_USER_INVALID);
+					if (session?.user?.id && result.userId !== session.user.id) throw APIError.from("UNAUTHORIZED", PASSKEY_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY);
+					targetUserId = result.userId;
+				}
+			}
+			const pubKey = base64.encode(credential.publicKey);
+			const newPasskey = {
+				name: ctx.body.name,
+				userId: targetUserId,
+				credentialID: credential.id,
+				publicKey: pubKey,
+				counter: credential.counter,
+				deviceType: credentialDeviceType,
+				transports: resp.response.transports.join(","),
+				backedUp: credentialBackedUp,
+				createdAt: /* @__PURE__ */ new Date(),
+				aaguid
+			};
+			const newPasskeyRes = await ctx.context.adapter.create({
+				model: "passkey",
+				data: newPasskey
+			});
+			await ctx.context.internalAdapter.deleteVerificationByIdentifier(verificationToken);
+			return ctx.json(newPasskeyRes, { status: 200 });
+		} catch (e) {
+			ctx.context.logger.error("Failed to verify registration", e);
+			throw APIError.from("INTERNAL_SERVER_ERROR", PASSKEY_ERROR_CODES.FAILED_TO_VERIFY_REGISTRATION);
 		}
-	} }
-}, async (ctx) => {
-	const origin = options?.origin || ctx.headers?.get("origin") || "";
-	if (!origin) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.FAILED_TO_VERIFY_REGISTRATION);
-	const resp = ctx.body.response;
-	const webAuthnCookie = ctx.context.createAuthCookie(options.advanced.webAuthnChallengeCookie);
-	const verificationToken = await ctx.getSignedCookie(webAuthnCookie.name, ctx.context.secret);
-	if (!verificationToken) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
-	const data = await ctx.context.internalAdapter.findVerificationValue(verificationToken);
-	if (!data) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
-	const { expectedChallenge, userData } = JSON.parse(data.value);
-	if (userData.id !== ctx.context.session.user.id) throw APIError.from("UNAUTHORIZED", PASSKEY_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY);
-	try {
-		const { verified, registrationInfo } = await verifyRegistrationResponse({
-			response: resp,
-			expectedChallenge,
-			expectedOrigin: origin,
-			expectedRPID: getRpID(options, typeof ctx.context.options.baseURL === "string" ? ctx.context.options.baseURL : void 0),
-			requireUserVerification: false
-		});
-		if (!verified || !registrationInfo) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.FAILED_TO_VERIFY_REGISTRATION);
-		const { aaguid, credentialDeviceType, credentialBackedUp, credential } = registrationInfo;
-		const pubKey = base64.encode(credential.publicKey);
-		const newPasskey = {
-			name: ctx.body.name,
-			userId: userData.id,
-			credentialID: credential.id,
-			publicKey: pubKey,
-			counter: credential.counter,
-			deviceType: credentialDeviceType,
-			transports: resp.response.transports.join(","),
-			backedUp: credentialBackedUp,
-			createdAt: /* @__PURE__ */ new Date(),
-			aaguid
-		};
-		const newPasskeyRes = await ctx.context.adapter.create({
-			model: "passkey",
-			data: newPasskey
-		});
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(verificationToken);
-		return ctx.json(newPasskeyRes, { status: 200 });
-	} catch (e) {
-		ctx.context.logger.error("Failed to verify registration", e);
-		throw APIError.from("INTERNAL_SERVER_ERROR", PASSKEY_ERROR_CODES.FAILED_TO_VERIFY_REGISTRATION);
-	}
-});
+	});
+};
 const verifyPasskeyAuthenticationBodySchema = z.object({ response: z.record(z.any(), z.any()) });
 const verifyPasskeyAuthentication = (options) => createAuthEndpoint("/passkey/verify-authentication", {
 	method: "POST",
@@ -354,6 +429,11 @@ const verifyPasskeyAuthentication = (options) => createAuthEndpoint("/passkey/ve
 		});
 		const { verified } = verification;
 		if (!verified) throw APIError.from("UNAUTHORIZED", PASSKEY_ERROR_CODES.AUTHENTICATION_FAILED);
+		if (options.authentication?.afterVerification) await options.authentication.afterVerification({
+			ctx,
+			verification,
+			clientData: resp
+		});
 		await ctx.context.adapter.update({
 			model: "passkey",
 			where: [{
@@ -443,7 +523,13 @@ const listPasskeys = createAuthEndpoint("/passkey/list-user-passkeys", {
 const deletePasskey = createAuthEndpoint("/passkey/delete-passkey", {
 	method: "POST",
 	body: z.object({ id: z.string().meta({ description: "The ID of the passkey to delete. Eg: \"some-passkey-id\"" }) }),
-	use: [sessionMiddleware],
+	use: [sessionMiddleware, requireResourceOwnership({
+		model: "passkey",
+		idParam: "id",
+		idSource: "body",
+		notFoundError: PASSKEY_ERROR_CODES.PASSKEY_NOT_FOUND,
+		forbiddenStatus: "UNAUTHORIZED"
+	})],
 	metadata: { openapi: {
 		description: "Delete a specific passkey",
 		responses: { "200": {
@@ -459,20 +545,11 @@ const deletePasskey = createAuthEndpoint("/passkey/delete-passkey", {
 		} }
 	} }
 }, async (ctx) => {
-	const passkey = await ctx.context.adapter.findOne({
-		model: "passkey",
-		where: [{
-			field: "id",
-			value: ctx.body.id
-		}]
-	});
-	if (!passkey) throw APIError.from("NOT_FOUND", PASSKEY_ERROR_CODES.PASSKEY_NOT_FOUND);
-	if (passkey.userId !== ctx.context.session.user.id) throw new APIError("UNAUTHORIZED");
 	await ctx.context.adapter.delete({
 		model: "passkey",
 		where: [{
 			field: "id",
-			value: passkey.id
+			value: ctx.body.id
 		}]
 	});
 	return ctx.json({ status: true });
@@ -498,7 +575,14 @@ const updatePasskey = createAuthEndpoint("/passkey/update-passkey", {
 		id: z.string().meta({ description: `The ID of the passkey which will be updated. Eg: \"passkey-id\"` }),
 		name: z.string().meta({ description: `The new name which the passkey will be updated to. Eg: \"my-new-passkey-name\"` })
 	}),
-	use: [sessionMiddleware],
+	use: [sessionMiddleware, requireResourceOwnership({
+		model: "passkey",
+		idParam: "id",
+		idSource: "body",
+		notFoundError: PASSKEY_ERROR_CODES.PASSKEY_NOT_FOUND,
+		forbiddenError: PASSKEY_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY,
+		forbiddenStatus: "UNAUTHORIZED"
+	})],
 	metadata: { openapi: {
 		description: "Update a specific passkey's name",
 		responses: { "200": {
@@ -511,15 +595,6 @@ const updatePasskey = createAuthEndpoint("/passkey/update-passkey", {
 		} }
 	} }
 }, async (ctx) => {
-	const passkey = await ctx.context.adapter.findOne({
-		model: "passkey",
-		where: [{
-			field: "id",
-			value: ctx.body.id
-		}]
-	});
-	if (!passkey) throw APIError.from("NOT_FOUND", PASSKEY_ERROR_CODES.PASSKEY_NOT_FOUND);
-	if (passkey.userId !== ctx.context.session.user.id) throw APIError.from("UNAUTHORIZED", PASSKEY_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY);
 	const updatedPasskey = await ctx.context.adapter.update({
 		model: "passkey",
 		where: [{
@@ -595,6 +670,7 @@ const passkey = (options) => {
 	};
 	return {
 		id: "passkey",
+		version: PACKAGE_VERSION,
 		endpoints: {
 			generatePasskeyRegistrationOptions: generatePasskeyRegistrationOptions(opts, { maxAgeInSeconds: MAX_AGE_IN_SECONDS }),
 			generatePasskeyAuthenticationOptions: generatePasskeyAuthenticationOptions(opts, { maxAgeInSeconds: MAX_AGE_IN_SECONDS }),
@@ -611,5 +687,3 @@ const passkey = (options) => {
 };
 //#endregion
 export { PASSKEY_ERROR_CODES, passkey };
-
-//# sourceMappingURL=index.mjs.map

package/dist/{error-codes-BwAsYefH.mjs → version-DSSbBvqx.mjs}

@@ -11,9 +11,13 @@ const PASSKEY_ERROR_CODES = defineErrorCodes({
 	PREVIOUSLY_REGISTERED: "Previously registered",
 	REGISTRATION_CANCELLED: "Registration cancelled",
 	AUTH_CANCELLED: "Auth cancelled",
-	UNKNOWN_ERROR: "Unknown error"
+	UNKNOWN_ERROR: "Unknown error",
+	SESSION_REQUIRED: "Passkey registration requires an authenticated session",
+	RESOLVE_USER_REQUIRED: "Passkey registration requires either an authenticated session or a resolveUser callback when requireSession is false",
+	RESOLVED_USER_INVALID: "Resolved user is invalid"
 });
 //#endregion
-export { PASSKEY_ERROR_CODES as t };
-
-//# sourceMappingURL=error-codes-BwAsYefH.mjs.map
+//#region src/version.ts
+const PACKAGE_VERSION = "1.6.0";
+//#endregion
+export { PASSKEY_ERROR_CODES as n, PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/passkey",
-  "version": "1.5.7-beta.1",
+  "version": "1.6.0",
   "description": "Passkey plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -19,6 +19,7 @@
   "publishConfig": {
     "access": "public"
   },
+  "sideEffects": false,
   "files": [
     "dist"
   ],
@@ -54,21 +55,21 @@
   },
   "devDependencies": {
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.5.7-beta.1",
-    "better-auth": "1.5.7-beta.1"
+    "@better-auth/core": "1.6.0",
+    "better-auth": "1.6.0"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.3.1",
+    "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
-    "better-call": "2.0.2",
+    "better-call": "1.3.5",
     "nanostores": "^1.0.1",
-    "@better-auth/core": "1.5.7-beta.1",
-    "better-auth": "1.5.7-beta.1"
+    "@better-auth/core": "^1.6.0",
+    "better-auth": "^1.6.0"
   },
   "scripts": {
     "build": "tsdown",
     "dev": "tsdown --watch",
-    "lint:package": "publint run --strict",
+    "lint:package": "publint run --strict --pack false",
     "lint:types": "attw --profile esm-only --pack .",
     "typecheck": "tsc --project tsconfig.json",
     "test": "vitest",

package/dist/client.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"client.mjs","names":[],"sources":["../src/client.ts"],"sourcesContent":["import type {\n\tBetterAuthClientPlugin,\n\tClientFetchOption,\n\tClientStore,\n} from \"@better-auth/core\";\nimport type { BetterFetch } from \"@better-fetch/fetch\";\nimport type {\n\tPublicKeyCredentialCreationOptionsJSON,\n\tPublicKeyCredentialRequestOptionsJSON,\n} from \"@simplewebauthn/browser\";\nimport {\n\tstartAuthentication,\n\tstartRegistration,\n\tWebAuthnError,\n} from \"@simplewebauthn/browser\";\nimport { useAuthQuery } from \"better-auth/client\";\nimport type { Session, User } from \"better-auth/types\";\nimport { atom } from \"nanostores\";\nimport type { passkey } from \".\";\nimport { PASSKEY_ERROR_CODES } from \"./error-codes\";\nimport type { Passkey } from \"./types\";\n\nexport const getPasskeyActions = (\n\t$fetch: BetterFetch,\n\t{\n\t\t$listPasskeys,\n\t\t$store,\n\t}: {\n\t\t$listPasskeys: ReturnType<typeof atom<any>>;\n\t\t$store: ClientStore;\n\t},\n) => {\n\tconst signInPasskey = async (\n\t\topts?:\n\t\t\t| {\n\t\t\t\t\tautoFill?: boolean;\n\t\t\t\t\tfetchOptions?: ClientFetchOption;\n\t\t\t  }\n\t\t\t| undefined,\n\t\toptions?: ClientFetchOption | undefined,\n\t) => {\n\t\tconst response = await $fetch<PublicKeyCredentialRequestOptionsJSON>(\n\t\t\t\"/passkey/generate-authenticate-options\",\n\t\t\t{\n\t\t\t\tmethod: \"GET\",\n\t\t\t\tthrow: false,\n\t\t\t},\n\t\t);\n\t\tif (!response.data) {\n\t\t\treturn response;\n\t\t}\n\t\ttry {\n\t\t\tconst res = await startAuthentication({\n\t\t\t\toptionsJSON: response.data,\n\t\t\t\tuseBrowserAutofill: opts?.autoFill,\n\t\t\t});\n\t\t\tconst verified = await $fetch<{\n\t\t\t\tsession: Session;\n\t\t\t\tuser: User;\n\t\t\t}>(\"/passkey/verify-authentication\", {\n\t\t\t\tbody: {\n\t\t\t\t\tresponse: res,\n\t\t\t\t},\n\t\t\t\t...opts?.fetchOptions,\n\t\t\t\t...options,\n\t\t\t\tmethod: \"POST\",\n\t\t\t\tthrow: false,\n\t\t\t});\n\t\t\t$listPasskeys.set(Math.random());\n\t\t\t$store.notify(\"$sessionSignal\");\n\n\t\t\treturn verified;\n\t\t} catch (err) {\n\t\t\t// Error logs ran on the front-end\n\t\t\tconsole.error(`[Better Auth] Error verifying passkey`, err);\n\t\t\treturn {\n\t\t\t\tdata: null,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"AUTH_CANCELLED\",\n\t\t\t\t\tmessage: PASSKEY_ERROR_CODES.AUTH_CANCELLED,\n\t\t\t\t\tstatus: 400,\n\t\t\t\t\tstatusText: \"BAD_REQUEST\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t};\n\n\tconst registerPasskey = async (\n\t\topts?:\n\t\t\t| {\n\t\t\t\t\tfetchOptions?: ClientFetchOption;\n\t\t\t\t\t/**\n\t\t\t\t\t * The name of the passkey. This is used to\n\t\t\t\t\t * identify the passkey in the UI.\n\t\t\t\t\t */\n\t\t\t\t\tname?: string;\n\n\t\t\t\t\t/**\n\t\t\t\t\t * The type of attachment for the passkey. Defaults to both\n\t\t\t\t\t * platform and cross-platform allowed, with platform preferred.\n\t\t\t\t\t */\n\t\t\t\t\tauthenticatorAttachment?: \"platform\" | \"cross-platform\";\n\n\t\t\t\t\t/**\n\t\t\t\t\t * Try to silently create a passkey with the password manager that the user just signed\n\t\t\t\t\t * in with.\n\t\t\t\t\t * @default false\n\t\t\t\t\t */\n\t\t\t\t\tuseAutoRegister?: boolean;\n\t\t\t  }\n\t\t\t| undefined,\n\t\tfetchOpts?: ClientFetchOption | undefined,\n\t) => {\n\t\tconst options = await $fetch<PublicKeyCredentialCreationOptionsJSON>(\n\t\t\t\"/passkey/generate-register-options\",\n\t\t\t{\n\t\t\t\tmethod: \"GET\",\n\t\t\t\tquery: {\n\t\t\t\t\t...(opts?.authenticatorAttachment && {\n\t\t\t\t\t\tauthenticatorAttachment: opts.authenticatorAttachment,\n\t\t\t\t\t}),\n\t\t\t\t\t...(opts?.name && {\n\t\t\t\t\t\tname: opts.name,\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t\tthrow: false,\n\t\t\t},\n\t\t);\n\n\t\tif (!options.data) {\n\t\t\treturn options;\n\t\t}\n\t\ttry {\n\t\t\tconst res = await startRegistration({\n\t\t\t\toptionsJSON: options.data,\n\t\t\t\tuseAutoRegister: opts?.useAutoRegister,\n\t\t\t});\n\t\t\tconst verified = await $fetch<Passkey>(\"/passkey/verify-registration\", {\n\t\t\t\t...opts?.fetchOptions,\n\t\t\t\t...fetchOpts,\n\t\t\t\tbody: {\n\t\t\t\t\tresponse: res,\n\t\t\t\t\tname: opts?.name,\n\t\t\t\t},\n\t\t\t\tmethod: \"POST\",\n\t\t\t\tthrow: false,\n\t\t\t});\n\n\t\t\tif (!verified.data) {\n\t\t\t\treturn verified;\n\t\t\t}\n\t\t\t$listPasskeys.set(Math.random());\n\t\t\treturn verified;\n\t\t} catch (e) {\n\t\t\tif (e instanceof WebAuthnError) {\n\t\t\t\tif (e.code === \"ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED\") {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tdata: null,\n\t\t\t\t\t\terror: {\n\t\t\t\t\t\t\tcode: e.code,\n\t\t\t\t\t\t\tmessage: PASSKEY_ERROR_CODES.PREVIOUSLY_REGISTERED,\n\t\t\t\t\t\t\tstatus: 400,\n\t\t\t\t\t\t\tstatusText: \"BAD_REQUEST\",\n\t\t\t\t\t\t},\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t\tif (e.code === \"ERROR_CEREMONY_ABORTED\") {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tdata: null,\n\t\t\t\t\t\terror: {\n\t\t\t\t\t\t\tcode: e.code,\n\t\t\t\t\t\t\tmessage: PASSKEY_ERROR_CODES.REGISTRATION_CANCELLED,\n\t\t\t\t\t\t\tstatus: 400,\n\t\t\t\t\t\t\tstatusText: \"BAD_REQUEST\",\n\t\t\t\t\t\t},\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t\treturn {\n\t\t\t\t\tdata: null,\n\t\t\t\t\terror: {\n\t\t\t\t\t\tcode: e.code,\n\t\t\t\t\t\tmessage: e.message,\n\t\t\t\t\t\tstatus: 400,\n\t\t\t\t\t\tstatusText: \"BAD_REQUEST\",\n\t\t\t\t\t},\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tdata: null,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"UNKNOWN_ERROR\",\n\t\t\t\t\tmessage:\n\t\t\t\t\t\te instanceof Error ? e.message : PASSKEY_ERROR_CODES.UNKNOWN_ERROR,\n\t\t\t\t\tstatus: 500,\n\t\t\t\t\tstatusText: \"INTERNAL_SERVER_ERROR\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t};\n\n\treturn {\n\t\tsignIn: {\n\t\t\t/**\n\t\t\t * Sign in with a registered passkey\n\t\t\t */\n\t\t\tpasskey: signInPasskey,\n\t\t},\n\t\tpasskey: {\n\t\t\t/**\n\t\t\t * Add a passkey to the user account\n\t\t\t */\n\t\t\taddPasskey: registerPasskey,\n\t\t},\n\t\t/**\n\t\t * Inferred Internal Types\n\t\t */\n\t\t$Infer: {} as {\n\t\t\tPasskey: Passkey;\n\t\t},\n\t};\n};\n\nexport const passkeyClient = () => {\n\tconst $listPasskeys = atom<any>();\n\treturn {\n\t\tid: \"passkey\",\n\t\t$InferServerPlugin: {} as ReturnType<typeof passkey>,\n\t\tgetActions: ($fetch, $store) =>\n\t\t\tgetPasskeyActions($fetch, {\n\t\t\t\t$listPasskeys,\n\t\t\t\t$store,\n\t\t\t}),\n\t\tgetAtoms($fetch) {\n\t\t\tconst listPasskeys = useAuthQuery<Passkey[]>(\n\t\t\t\t$listPasskeys,\n\t\t\t\t\"/passkey/list-user-passkeys\",\n\t\t\t\t$fetch,\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t},\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tlistPasskeys,\n\t\t\t\t$listPasskeys,\n\t\t\t};\n\t\t},\n\t\tpathMethods: {\n\t\t\t\"/passkey/register\": \"POST\",\n\t\t\t\"/passkey/authenticate\": \"POST\",\n\t\t},\n\t\tatomListeners: [\n\t\t\t{\n\t\t\t\tmatcher(path) {\n\t\t\t\t\treturn (\n\t\t\t\t\t\tpath === \"/passkey/verify-registration\" ||\n\t\t\t\t\t\tpath === \"/passkey/delete-passkey\" ||\n\t\t\t\t\t\tpath === \"/passkey/update-passkey\" ||\n\t\t\t\t\t\tpath === \"/sign-out\"\n\t\t\t\t\t);\n\t\t\t\t},\n\t\t\t\tsignal: \"$listPasskeys\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tmatcher: (path) => path === \"/passkey/verify-authentication\",\n\t\t\t\tsignal: \"$sessionSignal\",\n\t\t\t},\n\t\t],\n\t\t$ERROR_CODES: PASSKEY_ERROR_CODES,\n\t} satisfies BetterAuthClientPlugin;\n};\n\nexport type * from \"@simplewebauthn/server\";\nexport * from \"./error-codes\";\nexport type * from \"./types\";\n"],"mappings":";;;;;AAsBA,MAAa,qBACZ,QACA,EACC,eACA,aAKG;CACJ,MAAM,gBAAgB,OACrB,MAMA,YACI;EACJ,MAAM,WAAW,MAAM,OACtB,0CACA;GACC,QAAQ;GACR,OAAO;GACP,CACD;AACD,MAAI,CAAC,SAAS,KACb,QAAO;AAER,MAAI;GAKH,MAAM,WAAW,MAAM,OAGpB,kCAAkC;IACpC,MAAM,EACL,UATU,MAAM,oBAAoB;KACrC,aAAa,SAAS;KACtB,oBAAoB,MAAM;KAC1B,CAAC,EAOA;IACD,GAAG,MAAM;IACT,GAAG;IACH,QAAQ;IACR,OAAO;IACP,CAAC;AACF,iBAAc,IAAI,KAAK,QAAQ,CAAC;AAChC,UAAO,OAAO,iBAAiB;AAE/B,UAAO;WACC,KAAK;AAEb,WAAQ,MAAM,yCAAyC,IAAI;AAC3D,UAAO;IACN,MAAM;IACN,OAAO;KACN,MAAM;KACN,SAAS,oBAAoB;KAC7B,QAAQ;KACR,YAAY;KACZ;IACD;;;CAIH,MAAM,kBAAkB,OACvB,MAuBA,cACI;EACJ,MAAM,UAAU,MAAM,OACrB,sCACA;GACC,QAAQ;GACR,OAAO;IACN,GAAI,MAAM,2BAA2B,EACpC,yBAAyB,KAAK,yBAC9B;IACD,GAAI,MAAM,QAAQ,EACjB,MAAM,KAAK,MACX;IACD;GACD,OAAO;GACP,CACD;AAED,MAAI,CAAC,QAAQ,KACZ,QAAO;AAER,MAAI;GACH,MAAM,MAAM,MAAM,kBAAkB;IACnC,aAAa,QAAQ;IACrB,iBAAiB,MAAM;IACvB,CAAC;GACF,MAAM,WAAW,MAAM,OAAgB,gCAAgC;IACtE,GAAG,MAAM;IACT,GAAG;IACH,MAAM;KACL,UAAU;KACV,MAAM,MAAM;KACZ;IACD,QAAQ;IACR,OAAO;IACP,CAAC;AAEF,OAAI,CAAC,SAAS,KACb,QAAO;AAER,iBAAc,IAAI,KAAK,QAAQ,CAAC;AAChC,UAAO;WACC,GAAG;AACX,OAAI,aAAa,eAAe;AAC/B,QAAI,EAAE,SAAS,4CACd,QAAO;KACN,MAAM;KACN,OAAO;MACN,MAAM,EAAE;MACR,SAAS,oBAAoB;MAC7B,QAAQ;MACR,YAAY;MACZ;KACD;AAEF,QAAI,EAAE,SAAS,yBACd,QAAO;KACN,MAAM;KACN,OAAO;MACN,MAAM,EAAE;MACR,SAAS,oBAAoB;MAC7B,QAAQ;MACR,YAAY;MACZ;KACD;AAEF,WAAO;KACN,MAAM;KACN,OAAO;MACN,MAAM,EAAE;MACR,SAAS,EAAE;MACX,QAAQ;MACR,YAAY;MACZ;KACD;;AAEF,UAAO;IACN,MAAM;IACN,OAAO;KACN,MAAM;KACN,SACC,aAAa,QAAQ,EAAE,UAAU,oBAAoB;KACtD,QAAQ;KACR,YAAY;KACZ;IACD;;;AAIH,QAAO;EACN,QAAQ,EAIP,SAAS,eACT;EACD,SAAS,EAIR,YAAY,iBACZ;EAID,QAAQ,EAAE;EAGV;;AAGF,MAAa,sBAAsB;CAClC,MAAM,gBAAgB,MAAW;AACjC,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EACtB,aAAa,QAAQ,WACpB,kBAAkB,QAAQ;GACzB;GACA;GACA,CAAC;EACH,SAAS,QAAQ;AAShB,UAAO;IACN,cAToB,aACpB,eACA,+BACA,QACA,EACC,QAAQ,OACR,CACD;IAGA;IACA;;EAEF,aAAa;GACZ,qBAAqB;GACrB,yBAAyB;GACzB;EACD,eAAe,CACd;GACC,QAAQ,MAAM;AACb,WACC,SAAS,kCACT,SAAS,6BACT,SAAS,6BACT,SAAS;;GAGX,QAAQ;GACR,EACD;GACC,UAAU,SAAS,SAAS;GAC5B,QAAQ;GACR,CACD;EACD,cAAc;EACd"}