@better-auth/passkey 1.7.0-beta.4 → 1.7.0-beta.6

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { a as PasskeyExtensionsResolver, c as PasskeyRegistrationUser, i as PasskeyAuthenticationOptions, l as WebAuthnChallengeValue, n as PASSKEY_ERROR_CODES, o as PasskeyOptions, r as Passkey, s as PasskeyRegistrationOptions, t as passkey } from "./index-BoC1i3hA.mjs";
+import { a as Passkey, c as PasskeyOptions, d as WebAuthnChallengeValue, l as PasskeyRegistrationOptions, n as PASSKEY_ERROR_CODES, o as PasskeyAuthenticationOptions, s as PasskeyExtensionsResolver, t as passkey, u as PasskeyRegistrationUser } from "./index-z0BvlclO.mjs";
 import { AuthenticationExtensionsClientInputs, AuthenticationExtensionsClientOutputs, AuthenticationResponseJSON, RegistrationResponseJSON } from "@simplewebauthn/server";
 import * as better_auth_client0 from "better-auth/client";
 import * as nanostores from "nanostores";

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { n as PASSKEY_ERROR_CODES, t as PACKAGE_VERSION } from "./version-D_0sS5d6.mjs";
+import { n as PASSKEY_ERROR_CODES, t as PACKAGE_VERSION } from "./version-DvfQNSl9.mjs";
 import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
 import { useAuthQuery } from "better-auth/client";
 import { atom } from "nanostores";

package/dist/{index-BoC1i3hA.d.mts → index-z0BvlclO.d.mts}

@@ -100,7 +100,13 @@ interface PasskeyRegistrationOptions {
   }) => Awaitable<PasskeyRegistrationUser>) | undefined;
   /**
    * Callback after a successful registration verification.
-   * Useful for user linking or auditing.
+   * Useful for user linking, auditing, or labeling the passkey.
+   *
+   * Return `userId` to attribute the passkey to a different user. Return `name`
+   * to set the stored label when the client did not provide one; the AAGUID is
+   * available via `verification.registrationInfo?.aaguid`. A non-empty
+   * client-supplied name always takes precedence over the returned `name`;
+   * whitespace-only input is treated as absent.
    */
   afterVerification?: ((args: {
     ctx: GenericEndpointContext;
@@ -110,6 +116,7 @@ interface PasskeyRegistrationOptions {
     context?: string | null | undefined;
   }) => Awaitable<{
     userId?: string;
+    name?: string;
   } | void>) | undefined;
   /**
    * Optional WebAuthn extensions to include in registration options.
@@ -196,6 +203,30 @@ type Passkey = {
   aaguid?: string | undefined;
 };
 //#endregion
+//#region src/authenticator-metadata.d.ts
+/**
+ * Best-effort map of common authenticator AAGUIDs to a human-readable provider
+ * name, for labeling passkeys in management UIs.
+ *
+ * An AAGUID identifies an authenticator *model* (not a device or a user) and is
+ * present only in the registration response. Better Auth stores it on every
+ * passkey row and returns it from `listPasskeys`, so a display label can be
+ * resolved wherever passkeys are rendered.
+ *
+ * This list is intentionally small and not authoritative. Many authenticators
+ * are missing, and privacy-preserving platforms report an all-zero AAGUID
+ * (`00000000-0000-0000-0000-000000000000`) that matches nothing here. Notably,
+ * Apple devices zero the AAGUID under the default `attestation: "none"` flow, so
+ * the Apple entries below only appear in attested or managed contexts. For full
+ * coverage, resolve against the community-maintained source instead:
+ *
+ * - https://github.com/passkeydeveloper/passkey-authenticator-aaguids
+ *
+ * Names mirror that source verbatim.
+ */
+declare const commonAuthenticatorNames: Record<string, string>;
+declare const getAuthenticatorName: (aaguid: string | null | undefined) => string | undefined;
+//#endregion
 //#region src/error-codes.d.ts
 declare const PASSKEY_ERROR_CODES: {
   CHALLENGE_NOT_FOUND: better_auth0.RawError<"CHALLENGE_NOT_FOUND">;
@@ -263,25 +294,10 @@ declare const passkey: (options?: PasskeyOptions | undefined) => {
         openapi: {
           operationId: string;
           description: string;
+          parameters: better_call0.OpenAPIParameter[];
           responses: {
             200: {
               description: string;
-              parameters: {
-                query: {
-                  authenticatorAttachment: {
-                    description: string;
-                    required: boolean;
-                  };
-                  name: {
-                    description: string;
-                    required: boolean;
-                  };
-                  context: {
-                    description: string;
-                    required: boolean;
-                  };
-                };
-              };
               content: {
                 "application/json": {
                   schema: {
@@ -817,4 +833,4 @@ declare const passkey: (options?: PasskeyOptions | undefined) => {
   options: PasskeyOptions | undefined;
 };
 //#endregion
-export { PasskeyExtensionsResolver as a, PasskeyRegistrationUser as c, PasskeyAuthenticationOptions as i, WebAuthnChallengeValue as l, PASSKEY_ERROR_CODES as n, PasskeyOptions as o, Passkey as r, PasskeyRegistrationOptions as s, passkey as t };
+export { Passkey as a, PasskeyOptions as c, WebAuthnChallengeValue as d, getAuthenticatorName as i, PasskeyRegistrationOptions as l, PASSKEY_ERROR_CODES as n, PasskeyAuthenticationOptions as o, commonAuthenticatorNames as r, PasskeyExtensionsResolver as s, passkey as t, PasskeyRegistrationUser as u };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { n as PASSKEY_ERROR_CODES, o as PasskeyOptions, r as Passkey, t as passkey } from "./index-BoC1i3hA.mjs";
-export { PASSKEY_ERROR_CODES, Passkey, PasskeyOptions, passkey };
+import { a as Passkey, c as PasskeyOptions, i as getAuthenticatorName, n as PASSKEY_ERROR_CODES, r as commonAuthenticatorNames, t as passkey } from "./index-z0BvlclO.mjs";
+export { PASSKEY_ERROR_CODES, Passkey, PasskeyOptions, commonAuthenticatorNames, getAuthenticatorName, passkey };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { n as PASSKEY_ERROR_CODES, t as PACKAGE_VERSION } from "./version-D_0sS5d6.mjs";
+import { n as PASSKEY_ERROR_CODES, t as PACKAGE_VERSION } from "./version-DvfQNSl9.mjs";
 import { mergeSchema } from "better-auth/db";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import { APIError } from "@better-auth/core/error";
@@ -52,6 +52,35 @@ const generatePasskeyQuerySchema = z.object({
 	name: z.string().optional(),
 	context: z.string().optional()
 }).optional();
+const generatePasskeyRegistrationOptionsOpenAPIParameters = [
+	{
+		name: "authenticatorAttachment",
+		in: "query",
+		required: false,
+		description: `Type of authenticator to use for registration.
+                          "platform" for device-specific authenticators,
+                          "cross-platform" for authenticators that can be used across devices.`,
+		schema: {
+			type: "string",
+			enum: ["platform", "cross-platform"]
+		}
+	},
+	{
+		name: "name",
+		in: "query",
+		required: false,
+		description: `Optional custom name for the passkey.
+                          This can help identify the passkey when managing multiple credentials.`,
+		schema: { type: "string" }
+	},
+	{
+		name: "context",
+		in: "query",
+		required: false,
+		description: "Optional context for passkey-first registration flows.",
+		schema: { type: "string" }
+	}
+];
 const generatePasskeyRegistrationOptions = (opts, { maxAgeInSeconds }) => {
 	return createAuthEndpoint("/passkey/generate-register-options", {
 		method: "GET",
@@ -60,25 +89,9 @@ const generatePasskeyRegistrationOptions = (opts, { maxAgeInSeconds }) => {
 		metadata: { openapi: {
 			operationId: "generatePasskeyRegistrationOptions",
 			description: "Generate registration options for a new passkey",
+			parameters: generatePasskeyRegistrationOptionsOpenAPIParameters,
 			responses: { 200: {
 				description: "Success",
-				parameters: { query: {
-					authenticatorAttachment: {
-						description: `Type of authenticator to use for registration.
-                          "platform" for device-specific authenticators,
-                          "cross-platform" for authenticators that can be used across devices.`,
-						required: false
-					},
-					name: {
-						description: `Optional custom name for the passkey.
-                          This can help identify the passkey when managing multiple credentials.`,
-						required: false
-					},
-					context: {
-						description: "Optional context for passkey-first registration flows.",
-						required: false
-					}
-				} },
 				content: { "application/json": { schema: {
 					type: "object",
 					properties: {
@@ -178,6 +191,7 @@ const generatePasskeyRegistrationOptions = (opts, { maxAgeInSeconds }) => {
 		await ctx.context.internalAdapter.createVerificationValue({
 			identifier: verificationToken,
 			value: JSON.stringify({
+				type: "registration",
 				expectedChallenge: options.challenge,
 				userData: {
 					id: user.id,
@@ -268,6 +282,7 @@ const generatePasskeyAuthenticationOptions = (opts, { maxAgeInSeconds }) => crea
 		})) } : {}
 	});
 	const data = {
+		type: "authentication",
 		expectedChallenge: options.challenge,
 		userData: { id: session?.user.id || "" }
 	};
@@ -287,7 +302,7 @@ const generatePasskeyAuthenticationOptions = (opts, { maxAgeInSeconds }) => crea
 });
 const verifyPasskeyRegistrationBodySchema = z.object({
 	response: z.any(),
-	name: z.string().meta({ description: "Name of the passkey" }).optional()
+	name: z.string().trim().meta({ description: "Name of the passkey" }).optional()
 });
 const verifyPasskeyRegistration = (options) => {
 	const requireSession = options.registration?.requireSession ?? true;
@@ -315,7 +330,8 @@ const verifyPasskeyRegistration = (options) => {
 		if (!verificationToken) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
 		const data = await ctx.context.internalAdapter.consumeVerificationValue(verificationToken);
 		if (!data) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
-		const { expectedChallenge, userData, context } = JSON.parse(data.value);
+		const { type: ceremony, expectedChallenge, userData, context } = JSON.parse(data.value);
+		if (ceremony !== "registration") throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
 		const session = requireSession ? ctx.context.session : await getSessionFromCtx(ctx);
 		if (session?.user?.id && userData.id !== session.user.id) throw APIError.from("UNAUTHORIZED", PASSKEY_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY);
 		try {
@@ -335,6 +351,7 @@ const verifyPasskeyRegistration = (options) => {
 				displayName: userData.displayName
 			};
 			let targetUserId = resolvedUser.id;
+			let resolvedName = ctx.body.name || void 0;
 			if (options.registration?.afterVerification) {
 				const result = await options.registration.afterVerification({
 					ctx,
@@ -348,10 +365,12 @@ const verifyPasskeyRegistration = (options) => {
 					if (session?.user?.id && result.userId !== session.user.id) throw APIError.from("UNAUTHORIZED", PASSKEY_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY);
 					targetUserId = result.userId;
 				}
+				if (!resolvedName) resolvedName = result?.name?.trim() || void 0;
 			}
+			if (!targetUserId) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.RESOLVED_USER_INVALID);
 			const pubKey = base64.encode(credential.publicKey);
 			const newPasskey = {
-				name: ctx.body.name,
+				name: resolvedName,
 				userId: targetUserId,
 				credentialID: credential.id,
 				publicKey: pubKey,
@@ -404,7 +423,8 @@ const verifyPasskeyAuthentication = (options) => createAuthEndpoint("/passkey/ve
 	if (!verificationToken) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
 	const data = await ctx.context.internalAdapter.consumeVerificationValue(verificationToken);
 	if (!data) throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
-	const { expectedChallenge } = JSON.parse(data.value);
+	const { type: ceremony, expectedChallenge } = JSON.parse(data.value);
+	if (ceremony !== "authentication") throw APIError.from("BAD_REQUEST", PASSKEY_ERROR_CODES.CHALLENGE_NOT_FOUND);
 	const passkey = await ctx.context.adapter.findOne({
 		model: "passkey",
 		where: [{
@@ -576,7 +596,7 @@ const updatePasskey = createAuthEndpoint("/passkey/update-passkey", {
 	method: "POST",
 	body: z.object({
 		id: z.string().meta({ description: `The ID of the passkey which will be updated. Eg: \"passkey-id\"` }),
-		name: z.string().meta({ description: `The new name which the passkey will be updated to. Eg: \"my-new-passkey-name\"` })
+		name: z.string().trim().min(1).meta({ description: `The new name which the passkey will be updated to. Eg: \"my-new-passkey-name\"` })
 	}),
 	use: [sessionMiddleware, requireResourceOwnership({
 		model: "passkey",
@@ -660,6 +680,63 @@ const schema = { passkey: { fields: {
 	}
 } } };
 //#endregion
+//#region src/authenticator-metadata.ts
+/**
+* Best-effort map of common authenticator AAGUIDs to a human-readable provider
+* name, for labeling passkeys in management UIs.
+*
+* An AAGUID identifies an authenticator *model* (not a device or a user) and is
+* present only in the registration response. Better Auth stores it on every
+* passkey row and returns it from `listPasskeys`, so a display label can be
+* resolved wherever passkeys are rendered.
+*
+* This list is intentionally small and not authoritative. Many authenticators
+* are missing, and privacy-preserving platforms report an all-zero AAGUID
+* (`00000000-0000-0000-0000-000000000000`) that matches nothing here. Notably,
+* Apple devices zero the AAGUID under the default `attestation: "none"` flow, so
+* the Apple entries below only appear in attested or managed contexts. For full
+* coverage, resolve against the community-maintained source instead:
+*
+* - https://github.com/passkeydeveloper/passkey-authenticator-aaguids
+*
+* Names mirror that source verbatim.
+*/
+const commonAuthenticatorNames = {
+	"ea9b8d66-4d01-1d21-3ce4-b6b48cb575d4": "Google Password Manager",
+	"fbfc3007-154e-4ecc-8c0b-6e020557d7bd": "Apple Passwords",
+	"dd4ec289-e01d-41c9-bb89-70fa845d4bf2": "iCloud Keychain (Managed)",
+	"08987058-cadc-4b81-b6e1-30de50dcbe96": "Windows Hello",
+	"9ddd1817-af5a-4672-a2b9-3e3dd95000a9": "Windows Hello",
+	"6028b017-b1d4-4c02-b4b3-afcdafc96bb2": "Windows Hello",
+	"bada5566-a7aa-401f-bd96-45619a55120d": "1Password",
+	"d548826e-79b4-db40-a3d8-11116f7e8349": "Bitwarden",
+	"531126d6-e717-415c-9320-3d9aa6981239": "Dashlane",
+	"b78a0a55-6ef8-d246-a042-ba0f6d55050c": "LastPass",
+	"b84e4048-15dc-4dd0-8640-f4f60813c8af": "NordPass",
+	"50726f74-6f6e-5061-7373-50726f746f6e": "Proton Pass",
+	"0ea242b4-43c4-4a1b-8b17-dd6d0b6baec6": "Keeper",
+	"53414d53-554e-4700-0000-000000000000": "Samsung Pass"
+};
+/**
+* Resolve a best-effort provider name for an authenticator AAGUID.
+*
+* Returns `undefined` when the AAGUID is unknown, empty, or the all-zero value
+* reported by privacy-preserving platforms. Casing and surrounding whitespace
+* are normalized before lookup.
+*
+* @example
+* ```ts
+* const label = passkey.name || getAuthenticatorName(passkey.aaguid) || "Passkey";
+* ```
+*/
+const ANONYMOUS_AAGUID = "00000000-0000-0000-0000-000000000000";
+const getAuthenticatorName = (aaguid) => {
+	const normalized = aaguid?.trim().toLowerCase();
+	if (!normalized || normalized === ANONYMOUS_AAGUID) return void 0;
+	const name = commonAuthenticatorNames[normalized];
+	return typeof name === "string" ? name : void 0;
+};
+//#endregion
 //#region src/index.ts
 const MAX_AGE_IN_SECONDS = 300;
 const passkey = (options) => {
@@ -689,4 +766,4 @@ const passkey = (options) => {
 	};
 };
 //#endregion
-export { PASSKEY_ERROR_CODES, passkey };
+export { PASSKEY_ERROR_CODES, commonAuthenticatorNames, getAuthenticatorName, passkey };

package/dist/{version-D_0sS5d6.mjs → version-DvfQNSl9.mjs}

@@ -18,6 +18,6 @@ const PASSKEY_ERROR_CODES = defineErrorCodes({
 });
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.4";
+const PACKAGE_VERSION = "1.7.0-beta.6";
 //#endregion
 export { PASSKEY_ERROR_CODES as n, PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/passkey",
-  "version": "1.7.0-beta.4",
+  "version": "1.7.0-beta.6",
   "description": "Passkey plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -55,16 +55,16 @@
   },
   "devDependencies": {
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.4",
-    "better-auth": "1.7.0-beta.4"
+    "@better-auth/core": "1.7.0-beta.6",
+    "better-auth": "1.7.0-beta.6"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
+    "@better-auth/utils": "0.4.2",
+    "@better-fetch/fetch": "1.3.1",
+    "better-call": "1.3.6",
     "nanostores": "^1.0.1",
-    "@better-auth/core": "^1.7.0-beta.4",
-    "better-auth": "^1.7.0-beta.4"
+    "@better-auth/core": "^1.7.0-beta.6",
+    "better-auth": "^1.7.0-beta.6"
   },
   "scripts": {
     "build": "tsdown",