@better-auth/passkey 1.7.0-beta.3 → 1.7.0-beta.5

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { a as PasskeyExtensionsResolver, c as PasskeyRegistrationUser, i as PasskeyAuthenticationOptions, l as WebAuthnChallengeValue, n as PASSKEY_ERROR_CODES, o as PasskeyOptions, r as Passkey, s as PasskeyRegistrationOptions, t as passkey } from "./index-BoC1i3hA.mjs";
+import { a as Passkey, c as PasskeyOptions, d as WebAuthnChallengeValue, l as PasskeyRegistrationOptions, n as PASSKEY_ERROR_CODES, o as PasskeyAuthenticationOptions, s as PasskeyExtensionsResolver, t as passkey, u as PasskeyRegistrationUser } from "./index-Ci52vhOT.mjs";
 import { AuthenticationExtensionsClientInputs, AuthenticationExtensionsClientOutputs, AuthenticationResponseJSON, RegistrationResponseJSON } from "@simplewebauthn/server";
 import * as better_auth_client0 from "better-auth/client";
 import * as nanostores from "nanostores";

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { n as PASSKEY_ERROR_CODES, t as PACKAGE_VERSION } from "./version-kd5ipnRY.mjs";
+import { n as PASSKEY_ERROR_CODES, t as PACKAGE_VERSION } from "./version-tMqL0F6x.mjs";
 import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
 import { useAuthQuery } from "better-auth/client";
 import { atom } from "nanostores";

package/dist/{index-BoC1i3hA.d.mts → index-Ci52vhOT.d.mts}

@@ -100,7 +100,13 @@ interface PasskeyRegistrationOptions {
   }) => Awaitable<PasskeyRegistrationUser>) | undefined;
   /**
    * Callback after a successful registration verification.
-   * Useful for user linking or auditing.
+   * Useful for user linking, auditing, or labeling the passkey.
+   *
+   * Return `userId` to attribute the passkey to a different user. Return `name`
+   * to set the stored label when the client did not provide one; the AAGUID is
+   * available via `verification.registrationInfo?.aaguid`. A non-empty
+   * client-supplied name always takes precedence over the returned `name`;
+   * whitespace-only input is treated as absent.
    */
   afterVerification?: ((args: {
     ctx: GenericEndpointContext;
@@ -110,6 +116,7 @@ interface PasskeyRegistrationOptions {
     context?: string | null | undefined;
   }) => Awaitable<{
     userId?: string;
+    name?: string;
   } | void>) | undefined;
   /**
    * Optional WebAuthn extensions to include in registration options.
@@ -196,6 +203,30 @@ type Passkey = {
   aaguid?: string | undefined;
 };
 //#endregion
+//#region src/authenticator-metadata.d.ts
+/**
+ * Best-effort map of common authenticator AAGUIDs to a human-readable provider
+ * name, for labeling passkeys in management UIs.
+ *
+ * An AAGUID identifies an authenticator *model* (not a device or a user) and is
+ * present only in the registration response. Better Auth stores it on every
+ * passkey row and returns it from `listPasskeys`, so a display label can be
+ * resolved wherever passkeys are rendered.
+ *
+ * This list is intentionally small and not authoritative. Many authenticators
+ * are missing, and privacy-preserving platforms report an all-zero AAGUID
+ * (`00000000-0000-0000-0000-000000000000`) that matches nothing here. Notably,
+ * Apple devices zero the AAGUID under the default `attestation: "none"` flow, so
+ * the Apple entries below only appear in attested or managed contexts. For full
+ * coverage, resolve against the community-maintained source instead:
+ *
+ * - https://github.com/passkeydeveloper/passkey-authenticator-aaguids
+ *
+ * Names mirror that source verbatim.
+ */
+declare const commonAuthenticatorNames: Record<string, string>;
+declare const getAuthenticatorName: (aaguid: string | null | undefined) => string | undefined;
+//#endregion
 //#region src/error-codes.d.ts
 declare const PASSKEY_ERROR_CODES: {
   CHALLENGE_NOT_FOUND: better_auth0.RawError<"CHALLENGE_NOT_FOUND">;
@@ -817,4 +848,4 @@ declare const passkey: (options?: PasskeyOptions | undefined) => {
   options: PasskeyOptions | undefined;
 };
 //#endregion
-export { PasskeyExtensionsResolver as a, PasskeyRegistrationUser as c, PasskeyAuthenticationOptions as i, WebAuthnChallengeValue as l, PASSKEY_ERROR_CODES as n, PasskeyOptions as o, Passkey as r, PasskeyRegistrationOptions as s, passkey as t };
+export { Passkey as a, PasskeyOptions as c, WebAuthnChallengeValue as d, getAuthenticatorName as i, PasskeyRegistrationOptions as l, PASSKEY_ERROR_CODES as n, PasskeyAuthenticationOptions as o, commonAuthenticatorNames as r, PasskeyExtensionsResolver as s, passkey as t, PasskeyRegistrationUser as u };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { n as PASSKEY_ERROR_CODES, o as PasskeyOptions, r as Passkey, t as passkey } from "./index-BoC1i3hA.mjs";
-export { PASSKEY_ERROR_CODES, Passkey, PasskeyOptions, passkey };
+import { a as Passkey, c as PasskeyOptions, i as getAuthenticatorName, n as PASSKEY_ERROR_CODES, r as commonAuthenticatorNames, t as passkey } from "./index-Ci52vhOT.mjs";
+export { PASSKEY_ERROR_CODES, Passkey, PasskeyOptions, commonAuthenticatorNames, getAuthenticatorName, passkey };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { n as PASSKEY_ERROR_CODES, t as PACKAGE_VERSION } from "./version-kd5ipnRY.mjs";
+import { n as PASSKEY_ERROR_CODES, t as PACKAGE_VERSION } from "./version-tMqL0F6x.mjs";
 import { mergeSchema } from "better-auth/db";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import { APIError } from "@better-auth/core/error";
@@ -287,7 +287,7 @@ const generatePasskeyAuthenticationOptions = (opts, { maxAgeInSeconds }) => crea
 });
 const verifyPasskeyRegistrationBodySchema = z.object({
 	response: z.any(),
-	name: z.string().meta({ description: "Name of the passkey" }).optional()
+	name: z.string().trim().meta({ description: "Name of the passkey" }).optional()
 });
 const verifyPasskeyRegistration = (options) => {
 	const requireSession = options.registration?.requireSession ?? true;
@@ -313,7 +313,7 @@ const verifyPasskeyRegistration = (options) => {
 		const webAuthnCookie = ctx.context.createAuthCookie(options.advanced.webAuthnChallengeCookie);
 		const verificationToken = await ctx.getSignedCookie(webAuthnCookie.name, ctx.context.secret);
 		if (!verificationToken) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
-		const data = await ctx.context.internalAdapter.findVerificationValue(verificationToken);
+		const data = await ctx.context.internalAdapter.consumeVerificationValue(verificationToken);
 		if (!data) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
 		const { expectedChallenge, userData, context } = JSON.parse(data.value);
 		const session = requireSession ? ctx.context.session : await getSessionFromCtx(ctx);
@@ -335,6 +335,7 @@ const verifyPasskeyRegistration = (options) => {
 				displayName: userData.displayName
 			};
 			let targetUserId = resolvedUser.id;
+			let resolvedName = ctx.body.name || void 0;
 			if (options.registration?.afterVerification) {
 				const result = await options.registration.afterVerification({
 					ctx,
@@ -348,16 +349,17 @@ const verifyPasskeyRegistration = (options) => {
 					if (session?.user?.id && result.userId !== session.user.id) throw APIError.from("UNAUTHORIZED", PASSKEY_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY);
 					targetUserId = result.userId;
 				}
+				if (!resolvedName) resolvedName = result?.name?.trim() || void 0;
 			}
 			const pubKey = base64.encode(credential.publicKey);
 			const newPasskey = {
-				name: ctx.body.name,
+				name: resolvedName,
 				userId: targetUserId,
 				credentialID: credential.id,
 				publicKey: pubKey,
 				counter: credential.counter,
 				deviceType: credentialDeviceType,
-				transports: resp.response.transports.join(","),
+				transports: resp.response.transports?.join(",") ?? "",
 				backedUp: credentialBackedUp,
 				createdAt: /* @__PURE__ */ new Date(),
 				aaguid
@@ -366,9 +368,9 @@ const verifyPasskeyRegistration = (options) => {
 				model: "passkey",
 				data: newPasskey
 			});
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(verificationToken);
 			return ctx.json(newPasskeyRes, { status: 200 });
 		} catch (e) {
+			if (e instanceof APIError) throw e;
 			ctx.context.logger.error("Failed to verify registration", e);
 			throw APIError.from("INTERNAL_SERVER_ERROR", PASSKEY_ERROR_CODES.FAILED_TO_VERIFY_REGISTRATION);
 		}
@@ -402,7 +404,7 @@ const verifyPasskeyAuthentication = (options) => createAuthEndpoint("/passkey/ve
 	const webAuthnCookie = ctx.context.createAuthCookie(options.advanced.webAuthnChallengeCookie);
 	const verificationToken = await ctx.getSignedCookie(webAuthnCookie.name, ctx.context.secret);
 	if (!verificationToken) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
-	const data = await ctx.context.internalAdapter.findVerificationValue(verificationToken);
+	const data = await ctx.context.internalAdapter.consumeVerificationValue(verificationToken);
 	if (!data) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
 	const { expectedChallenge } = JSON.parse(data.value);
 	const passkey = await ctx.context.adapter.findOne({
@@ -450,12 +452,12 @@ const verifyPasskeyAuthentication = (options) => createAuthEndpoint("/passkey/ve
 			session: s,
 			user
 		});
-		await ctx.context.internalAdapter.deleteVerificationByIdentifier(verificationToken);
 		return ctx.json({
 			session: s,
 			user
 		}, { status: 200 });
 	} catch (e) {
+		if (e instanceof APIError) throw e;
 		ctx.context.logger.error("Failed to verify authentication", e);
 		throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.AUTHENTICATION_FAILED);
 	}
@@ -576,7 +578,7 @@ const updatePasskey = createAuthEndpoint("/passkey/update-passkey", {
 	method: "POST",
 	body: z.object({
 		id: z.string().meta({ description: `The ID of the passkey which will be updated. Eg: \"passkey-id\"` }),
-		name: z.string().meta({ description: `The new name which the passkey will be updated to. Eg: \"my-new-passkey-name\"` })
+		name: z.string().trim().min(1).meta({ description: `The new name which the passkey will be updated to. Eg: \"my-new-passkey-name\"` })
 	}),
 	use: [sessionMiddleware, requireResourceOwnership({
 		model: "passkey",
@@ -660,6 +662,63 @@ const schema = { passkey: { fields: {
 	}
 } } };
 //#endregion
+//#region src/authenticator-metadata.ts
+/**
+* Best-effort map of common authenticator AAGUIDs to a human-readable provider
+* name, for labeling passkeys in management UIs.
+*
+* An AAGUID identifies an authenticator *model* (not a device or a user) and is
+* present only in the registration response. Better Auth stores it on every
+* passkey row and returns it from `listPasskeys`, so a display label can be
+* resolved wherever passkeys are rendered.
+*
+* This list is intentionally small and not authoritative. Many authenticators
+* are missing, and privacy-preserving platforms report an all-zero AAGUID
+* (`00000000-0000-0000-0000-000000000000`) that matches nothing here. Notably,
+* Apple devices zero the AAGUID under the default `attestation: "none"` flow, so
+* the Apple entries below only appear in attested or managed contexts. For full
+* coverage, resolve against the community-maintained source instead:
+*
+* - https://github.com/passkeydeveloper/passkey-authenticator-aaguids
+*
+* Names mirror that source verbatim.
+*/
+const commonAuthenticatorNames = {
+	"ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4": "Google Password Manager",
+	"fbfc3007-154e-4ecc-8c0b-6e020557d7bd": "Apple Passwords",
+	"dd4ec289-e01d-41c9-bb89-70fa845d4bf2": "iCloud Keychain (Managed)",
+	"08987058-cadc-4b81-b6e1-30de50dcbe96": "Windows Hello",
+	"9ddd1817-af5a-4672-a2b9-3e3dd95000a9": "Windows Hello",
+	"6028b017-b1d4-4c02-b4b3-afcdafc96bb2": "Windows Hello",
+	"bada5566-a7aa-401f-bd96-45619a55120d": "1Password",
+	"d548826e-79b4-db40-a3d8-11116f7e8349": "Bitwarden",
+	"531126d6-e717-415c-9320-3d9aa6981239": "Dashlane",
+	"b78a0a55-6ef8-d246-a042-ba0f6d55050c": "LastPass",
+	"b84e4048-15dc-4dd0-8640-f4f60813c8af": "NordPass",
+	"50726f74-6f6e-5061-7373-50726f746f6e": "Proton Pass",
+	"0ea242b4-43c4-4a1b-8b17-dd6d0b6baec6": "Keeper",
+	"53414d53-554e-4700-0000-000000000000": "Samsung Pass"
+};
+/**
+* Resolve a best-effort provider name for an authenticator AAGUID.
+*
+* Returns `undefined` when the AAGUID is unknown, empty, or the all-zero value
+* reported by privacy-preserving platforms. Casing and surrounding whitespace
+* are normalized before lookup.
+*
+* @example
+* ```ts
+* const label = passkey.name || getAuthenticatorName(passkey.aaguid) || "Passkey";
+* ```
+*/
+const ANONYMOUS_AAGUID = "00000000-0000-0000-0000-000000000000";
+const getAuthenticatorName = (aaguid) => {
+	const normalized = aaguid?.trim().toLowerCase();
+	if (!normalized || normalized === ANONYMOUS_AAGUID) return void 0;
+	const name = commonAuthenticatorNames[normalized];
+	return typeof name === "string" ? name : void 0;
+};
+//#endregion
 //#region src/index.ts
 const MAX_AGE_IN_SECONDS = 300;
 const passkey = (options) => {
@@ -689,4 +748,4 @@ const passkey = (options) => {
 	};
 };
 //#endregion
-export { PASSKEY_ERROR_CODES, passkey };
+export { PASSKEY_ERROR_CODES, commonAuthenticatorNames, getAuthenticatorName, passkey };

package/dist/{version-kd5ipnRY.mjs → version-tMqL0F6x.mjs}

@@ -18,6 +18,6 @@ const PASSKEY_ERROR_CODES = defineErrorCodes({
 });
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.3";
+const PACKAGE_VERSION = "1.7.0-beta.5";
 //#endregion
 export { PASSKEY_ERROR_CODES as n, PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/passkey",
-  "version": "1.7.0-beta.3",
+  "version": "1.7.0-beta.5",
   "description": "Passkey plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -55,16 +55,16 @@
   },
   "devDependencies": {
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.3",
-    "better-auth": "1.7.0-beta.3"
+    "@better-auth/core": "1.7.0-beta.5",
+    "better-auth": "1.7.0-beta.5"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.0",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
+    "@better-auth/utils": "0.4.1",
+    "@better-fetch/fetch": "1.2.2",
+    "better-call": "1.3.6",
     "nanostores": "^1.0.1",
-    "@better-auth/core": "^1.7.0-beta.3",
-    "better-auth": "^1.7.0-beta.3"
+    "@better-auth/core": "^1.7.0-beta.5",
+    "better-auth": "^1.7.0-beta.5"
   },
   "scripts": {
     "build": "tsdown",