@cedarjs/auth-dbauth-web 0.0.4

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Cedar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,148 @@
+# Authentication
+
+## Contributing
+
+If you want to contribute a new auth provider integration we recommend you
+start by implementing it as a custom auth provider in a Redwood App first. When
+that works you can package it up as an npm package and publish it on your own.
+You can then create a PR on this repo with support for your new auth provider
+in our `yarn rw setup auth` cli command. The easiest option is probably to just
+look at one of the existing auth providers in
+`packages/cli/src/commands/setup/auth/providers` and the corresponding
+templates in `../templates`.
+
+If you need help setting up a custom auth provider you can read the auth docs
+on the web.
+
+### Contributing to the base auth implementation
+
+If you want to contribute to our auth implementation, the interface towards
+both auth service providers and RW apps we recommend you start looking in
+`authFactory.ts` and then continue to `AuthProvider.tsx`. `AuthProvider.tsx`
+has most of our implementation together with all the custom hooks it uses.
+Another file to be accustomed with is `AuthContext.ts`. The interface in there
+has pretty good code comments, and is what will be exposed to RW apps.
+
+## getCurrentUser
+
+`getCurrentUser` returns the user information together with
+an optional collection of roles used by requireAuth() to check if the user is authenticated or has role-based access.
+
+Use in conjunction with `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param decoded - The decoded access token containing user info and JWT claims like `sub`
+@param { token, SupportedAuthTypes type } - The access token itself as well as the auth provider type
+@param { APIGatewayEvent event, Context context } - An object which contains information from the invoker
+such as headers and cookies, and the context information about the invocation such as IP Address
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+This example is the standard use of `getCurrentUser`.
+
+```js
+export const getCurrentUser = async (
+  decoded,
+  { _token, _type },
+  { _event, _context },
+) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User details fetched via database query
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return await db.user.findUnique({ where: { decoded.email } })
+}
+```
+
+#### User info is decoded from the access token
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded }
+}
+```
+
+#### User info is contained in the decoded token and roles extracted
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User record query by email with namespaced app_metadata roles as Auth0 requires custom JWT claims to be namespaced
+
+```js
+export const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { email: decoded.email },
+  })
+
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded, namespace: NAMESPACE }).roles,
+  }
+}
+```
+
+#### User record query by an identity with app_metadata roles
+
+```js
+const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { userIdentity: decoded.sub },
+  })
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded }).roles,
+  }
+}
+```
+
+#### Cookies and other request information are available in the req parameter, just in case
+
+```js
+const getCurrentUser = async (_decoded, _raw, { event, _context }) => {
+  const cookies = cookie(event.headers.cookies)
+  const session = cookies['my.cookie.name']
+  const currentUser = await db.sessions.findUnique({ where: { id: session } })
+  return currentUser
+}
+```
+
+## requireAuth
+
+Use `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param {string=} roles - An optional role or list of roles
+@param {string[]=} roles - An optional list of roles
+
+@returns {boolean} - If the currentUser is authenticated (and assigned one of the given roles)
+
+@throws {AuthenticationError} - If the currentUser is not authenticated
+@throws {ForbiddenError} If the currentUser is not allowed due to role permissions
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+```js
+requireAuth()
+```
+
+#### Checks if currentUser is authenticated and assigned one of the given roles
+
+```js
+requireAuth({ role: 'admin' })
+requireAuth({ role: ['editor', 'author'] })
+requireAuth({ role: ['publisher'] })
+```

package/dist/dbAuth.d.ts

@@ -0,0 +1,42 @@
+import type { CurrentUser } from '@cedarjs/auth';
+import type { WebAuthnClientType } from './webAuthn';
+export interface LoginAttributes {
+    username: string;
+    password: string;
+}
+export interface ResetPasswordAttributes {
+    resetToken: string;
+    password: string;
+}
+export type SignupAttributes = Record<string, unknown> & LoginAttributes;
+export declare function createAuth(dbAuthClient: ReturnType<typeof createDbAuthClient>, customProviderHooks?: {
+    useCurrentUser?: () => Promise<CurrentUser>;
+    useHasRole?: (currentUser: CurrentUser | null) => (rolesToCheck: string | string[]) => boolean;
+}): {
+    AuthContext: import("react").Context<import("@cedarjs/auth").AuthContextInterface<string | (() => void), LoginAttributes, any, unknown, boolean, SignupAttributes, any, any, ResetPasswordAttributes, any, any, import("./webAuthn").default> | undefined>;
+    AuthProvider: ({ children }: import("@cedarjs/auth").AuthProviderProps) => import("react").JSX.Element;
+    useAuth: () => import("@cedarjs/auth").AuthContextInterface<string | (() => void), LoginAttributes, any, unknown, boolean, SignupAttributes, any, any, ResetPasswordAttributes, any, any, import("./webAuthn").default>;
+};
+export interface DbAuthClientArgs {
+    webAuthn?: InstanceType<WebAuthnClientType>;
+    dbAuthUrl?: string;
+    fetchConfig?: {
+        credentials?: 'include' | 'same-origin';
+    };
+    middleware?: boolean;
+}
+export declare function createDbAuthClient({ webAuthn, dbAuthUrl, fetchConfig, middleware, }?: DbAuthClientArgs): {
+    type: string;
+    client: import("./webAuthn").default | undefined;
+    login: ({ username, password }: LoginAttributes) => Promise<any>;
+    logout: () => Promise<boolean>;
+    signup: (attributes: SignupAttributes) => Promise<any>;
+    getToken: () => Promise<string | null>;
+    getUserMetadata: () => Promise<string | (() => void) | null>;
+    forgotPassword: (username: string) => Promise<any>;
+    resetPassword: (attributes: ResetPasswordAttributes) => Promise<any>;
+    validateResetToken: (resetToken: string | null) => Promise<any>;
+    getAuthUrl: () => string;
+    middlewareAuthEnabled: boolean;
+};
+//# sourceMappingURL=dbAuth.d.ts.map

package/dist/dbAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dbAuth.d.ts","sourceRoot":"","sources":["../src/dbAuth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAuB,MAAM,eAAe,CAAA;AAMrE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAA;AAEpD,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,eAAe,CAAA;AAkBxE,wBAAgB,UAAU,CACxB,YAAY,EAAE,UAAU,CAAC,OAAO,kBAAkB,CAAC,EACnD,mBAAmB,CAAC,EAAE;IACpB,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,WAAW,CAAC,CAAA;IAC3C,UAAU,CAAC,EAAE,CACX,WAAW,EAAE,WAAW,GAAG,IAAI,KAC5B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,KAAK,OAAO,CAAA;CAClD;;wCAEG,eAAgC,+BACb,OAAO;;EAI/B;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,EAAE,YAAY,CAAC,kBAAkB,CAAC,CAAA;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,WAAW,CAAC,EAAE;QACZ,WAAW,CAAC,EAAE,SAAS,GAAG,aAAa,CAAA;KACxC,CAAA;IACD,UAAU,CAAC,EAAE,OAAO,CAAA;CACrB;AAED,wBAAgB,kBAAkB,CAAC,EACjC,QAAQ,EACR,SAAS,EACT,WAAW,EACX,UAA4C,GAC7C,GAAE,gBAAqB;;;oCA6EuB,eAAe;;yBAgC1B,gBAAgB;;;+BA9EV,MAAM;gCAmEL,uBAAuB;qCAsBlB,MAAM,GAAG,IAAI;;;EAoC5D"}

package/dist/dbAuth.js

@@ -0,0 +1,193 @@
+"use strict";
+
+var _Object$defineProperty = require("@babel/runtime-corejs3/core-js/object/define-property");
+var _interopRequireDefault = require("@babel/runtime-corejs3/helpers/interopRequireDefault").default;
+_Object$defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.createAuth = createAuth;
+exports.createDbAuthClient = createDbAuthClient;
+var _stringify = _interopRequireDefault(require("@babel/runtime-corejs3/core-js/json/stringify"));
+var _auth = require("@cedarjs/auth");
+const TOKEN_CACHE_TIME = 5000;
+
+// This is the middleware-edition auth function
+// Overrides the default getCurrentUser to fetch it from middleware instead
+function createMiddlewareAuth(dbAuthClient, customProviderHooks) {
+  return (0, _auth.createAuthentication)(dbAuthClient, {
+    ...customProviderHooks,
+    useCurrentUser: customProviderHooks?.useCurrentUser ?? (() => (0, _auth.getCurrentUserFromMiddleware)(dbAuthClient.getAuthUrl()))
+  });
+}
+function createAuth(dbAuthClient, customProviderHooks) {
+  if (dbAuthClient.middlewareAuthEnabled) {
+    return createMiddlewareAuth(dbAuthClient, customProviderHooks);
+  }
+  return (0, _auth.createAuthentication)(dbAuthClient, customProviderHooks);
+}
+function createDbAuthClient({
+  webAuthn,
+  dbAuthUrl,
+  fetchConfig,
+  middleware = RWJS_ENV.RWJS_EXP_STREAMING_SSR
+} = {}) {
+  const credentials = fetchConfig?.credentials || 'same-origin';
+  webAuthn?.setAuthApiUrl(dbAuthUrl);
+  let getTokenPromise;
+  let lastTokenCheckAt = new Date('1970-01-01T00:00:00');
+  let cachedToken;
+  const getDbAuthUrl = () => {
+    if (dbAuthUrl) {
+      return dbAuthUrl;
+    }
+    return middleware ? `/middleware/dbauth` : `${RWJS_API_URL}/auth`;
+  };
+  const resetAndFetch = async (...params) => {
+    resetTokenCache();
+    return fetch(...params);
+  };
+  const isTokenCacheExpired = () => {
+    const now = new Date();
+    return now.getTime() - lastTokenCheckAt.getTime() > TOKEN_CACHE_TIME;
+  };
+  const resetTokenCache = () => {
+    lastTokenCheckAt = new Date('1970-01-01T00:00:00');
+    cachedToken = null;
+  };
+  const forgotPassword = async username => {
+    const response = await resetAndFetch(getDbAuthUrl(), {
+      credentials,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: (0, _stringify.default)({
+        username,
+        method: 'forgotPassword'
+      })
+    });
+    return response.json();
+  };
+  const getToken = async () => {
+    // Middleware auth providers doesn't need a token
+    if (middleware) {
+      return null;
+    }
+
+    // Return the existing fetch promise, so that parallel calls
+    // to getToken only cause a single fetch
+    if (getTokenPromise) {
+      return getTokenPromise;
+    }
+    if (isTokenCacheExpired()) {
+      getTokenPromise = fetch(`${getDbAuthUrl()}?method=getToken`, {
+        credentials
+      }).then(response => response.text()).then(tokenText => {
+        lastTokenCheckAt = new Date();
+        cachedToken = tokenText.length === 0 ? null : tokenText;
+        return cachedToken;
+      }).catch(() => {
+        return null;
+      }).finally(() => {
+        getTokenPromise = null;
+      });
+      return getTokenPromise;
+    }
+    return cachedToken;
+  };
+  const login = async ({
+    username,
+    password
+  }) => {
+    const response = await resetAndFetch(getDbAuthUrl(), {
+      credentials,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: (0, _stringify.default)({
+        username,
+        password,
+        method: 'login'
+      })
+    });
+    return response.json();
+  };
+  const logout = async () => {
+    await resetAndFetch(getDbAuthUrl(), {
+      credentials,
+      method: 'POST',
+      body: (0, _stringify.default)({
+        method: 'logout'
+      })
+    });
+    return true;
+  };
+  const resetPassword = async attributes => {
+    const response = await resetAndFetch(getDbAuthUrl(), {
+      credentials,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: (0, _stringify.default)({
+        ...attributes,
+        method: 'resetPassword'
+      })
+    });
+    return response.json();
+  };
+  const signup = async attributes => {
+    const response = await resetAndFetch(getDbAuthUrl(), {
+      credentials,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: (0, _stringify.default)({
+        ...attributes,
+        method: 'signup'
+      })
+    });
+    return response.json();
+  };
+  const validateResetToken = async resetToken => {
+    const response = await resetAndFetch(getDbAuthUrl(), {
+      credentials,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: (0, _stringify.default)({
+        resetToken,
+        method: 'validateResetToken'
+      })
+    });
+    return response.json();
+  };
+
+  /**
+   * dbAuth doesn't implement the concept of userMetadata. We used to return the
+   * token (i.e. userId) as the userMetadata.
+   */
+  const getUserMetadata = async () => {
+    return middleware ? () => {} : getToken();
+  };
+  return {
+    type: 'dbAuth',
+    client: webAuthn,
+    login,
+    logout,
+    signup,
+    getToken,
+    getUserMetadata,
+    forgotPassword,
+    resetPassword,
+    validateResetToken,
+    // New methods for middleware auth:
+    // This is so we can get the dbAuthUrl in getCurrentUserFromMiddleware
+    getAuthUrl: getDbAuthUrl,
+    // This is so that we can skip fetching getCurrentUser in reauthenticate
+    middlewareAuthEnabled: middleware
+  };
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export * from './dbAuth';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAA"}

package/dist/index.js

@@ -0,0 +1,20 @@
+"use strict";
+
+var _context;
+var _Object$defineProperty = require("@babel/runtime-corejs3/core-js/object/define-property");
+var _forEachInstanceProperty = require("@babel/runtime-corejs3/core-js/instance/for-each");
+var _Object$keys = require("@babel/runtime-corejs3/core-js/object/keys");
+_Object$defineProperty(exports, "__esModule", {
+  value: true
+});
+var _dbAuth = require("./dbAuth");
+_forEachInstanceProperty(_context = _Object$keys(_dbAuth)).call(_context, function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _dbAuth[key]) return;
+  _Object$defineProperty(exports, key, {
+    enumerable: true,
+    get: function () {
+      return _dbAuth[key];
+    }
+  });
+});

package/dist/webAuthn.d.ts

@@ -0,0 +1,13 @@
+export default class WebAuthnClient {
+    authApiUrl: string;
+    private getAuthApiUrl;
+    setAuthApiUrl(authApiUrl?: string): void;
+    isSupported(): Promise<boolean>;
+    isEnabled(): boolean;
+    private authenticationOptions;
+    authenticate(): Promise<boolean>;
+    private registrationOptions;
+    register(): Promise<boolean>;
+}
+export type WebAuthnClientType = typeof WebAuthnClient;
+//# sourceMappingURL=webAuthn.d.ts.map

package/dist/webAuthn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webAuthn.d.ts","sourceRoot":"","sources":["../src/webAuthn.ts"],"names":[],"mappings":"AAqCA,MAAM,CAAC,OAAO,OAAO,cAAc;IACjC,UAAU,SAAK;IAEf,OAAO,CAAC,aAAa;IAIrB,aAAa,CAAC,UAAU,CAAC,EAAE,MAAM;IAM3B,WAAW;IAKjB,SAAS;YAQK,qBAAqB;IAmC7B,YAAY;IA0ClB,OAAO,CAAC,mBAAmB;IA+BrB,QAAQ;CAwCf;AAED,MAAM,MAAM,kBAAkB,GAAG,OAAO,cAAc,CAAA"}

package/dist/webAuthn.js

@@ -0,0 +1,167 @@
+"use strict";
+
+var _Object$defineProperty = require("@babel/runtime-corejs3/core-js/object/define-property");
+var _interopRequireDefault = require("@babel/runtime-corejs3/helpers/interopRequireDefault").default;
+_Object$defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.default = void 0;
+var _stringify = _interopRequireDefault(require("@babel/runtime-corejs3/core-js/json/stringify"));
+require("core-js/modules/esnext.json.parse.js");
+class WebAuthnRegistrationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = 'WebAuthnRegistrationError';
+  }
+}
+class WebAuthnAuthenticationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = 'WebAuthnAuthenticationError';
+  }
+}
+class WebAuthnAlreadyRegisteredError extends WebAuthnRegistrationError {
+  constructor() {
+    super('This device is already registered');
+    this.name = 'WebAuthnAlreadyRegisteredError';
+  }
+}
+class WebAuthnDeviceNotFoundError extends WebAuthnAuthenticationError {
+  constructor() {
+    super('WebAuthn device not found');
+    this.name = 'WebAuthnDeviceNotFoundError';
+  }
+}
+class WebAuthnNoAuthenticatorError extends WebAuthnAuthenticationError {
+  constructor() {
+    super("This device was not recognized. Use username/password login, or if you're using iOS you can try reloading this page");
+    this.name = 'WebAuthnNoAuthenticatorError';
+  }
+}
+class WebAuthnClient {
+  constructor() {
+    this.authApiUrl = '';
+  }
+  getAuthApiUrl() {
+    return this.authApiUrl || `${RWJS_API_URL}/auth`;
+  }
+  setAuthApiUrl(authApiUrl) {
+    if (authApiUrl) {
+      this.authApiUrl = authApiUrl;
+    }
+  }
+  async isSupported() {
+    const {
+      browserSupportsWebAuthn
+    } = await import('@simplewebauthn/browser');
+    return browserSupportsWebAuthn();
+  }
+  isEnabled() {
+    if (typeof window === 'undefined') {
+      return false;
+    }
+    return !!/\bwebAuthn\b/.test(document.cookie);
+  }
+  async authenticationOptions() {
+    let options;
+    try {
+      const xhr = new XMLHttpRequest();
+      xhr.withCredentials = true;
+      xhr.open('GET', `${this.getAuthApiUrl()}?method=webAuthnAuthOptions`, false);
+      xhr.setRequestHeader('content-type', 'application/json');
+      xhr.send(null);
+      options = JSON.parse(xhr.responseText);
+      if (xhr.status !== 200) {
+        if (options.error?.match(/username and password/)) {
+          throw new WebAuthnDeviceNotFoundError();
+        } else {
+          throw new WebAuthnAuthenticationError(`Could not start authentication: ${options.error}`);
+        }
+      }
+    } catch (e) {
+      console.error(e.message);
+      throw new WebAuthnAuthenticationError(`Could not start authentication: ${e.message}`);
+    }
+    return options;
+  }
+  async authenticate() {
+    const authOptions = await this.authenticationOptions();
+    const {
+      startAuthentication
+    } = await import('@simplewebauthn/browser');
+    try {
+      const browserResponse = await startAuthentication(authOptions);
+      const xhr = new XMLHttpRequest();
+      xhr.withCredentials = true;
+      xhr.open('POST', this.getAuthApiUrl(), false);
+      xhr.setRequestHeader('content-type', 'application/json');
+      xhr.send((0, _stringify.default)({
+        method: 'webAuthnAuthenticate',
+        ...browserResponse
+      }));
+      const options = JSON.parse(xhr.responseText);
+      if (xhr.status !== 200) {
+        throw new WebAuthnAuthenticationError(`Could not complete authentication: ${options.error}`);
+      }
+    } catch (e) {
+      if (e.message.match(/No available authenticator recognized any of the allowed credentials/)) {
+        throw new WebAuthnNoAuthenticatorError();
+      } else {
+        throw new WebAuthnAuthenticationError(`Error while authenticating: ${e.message}`);
+      }
+    }
+    return true;
+  }
+  registrationOptions() {
+    let options;
+    try {
+      const xhr = new XMLHttpRequest();
+      xhr.withCredentials = true;
+      xhr.open('GET', `${this.getAuthApiUrl()}?method=webAuthnRegOptions`, false);
+      xhr.setRequestHeader('content-type', 'application/json');
+      xhr.send(null);
+      options = JSON.parse(xhr.responseText);
+      if (xhr.status !== 200) {
+        throw new WebAuthnRegistrationError(`Could not start registration: ${options.error}`);
+      }
+    } catch (e) {
+      console.error(e);
+      throw new WebAuthnRegistrationError(`Could not start registration: ${e.message}`);
+    }
+    return options;
+  }
+  async register() {
+    const options = await this.registrationOptions();
+    let regResponse;
+    const {
+      startRegistration
+    } = await import('@simplewebauthn/browser');
+    try {
+      regResponse = await startRegistration(options);
+    } catch (e) {
+      if (e.name === 'InvalidStateError') {
+        throw new WebAuthnAlreadyRegisteredError();
+      } else {
+        throw new WebAuthnRegistrationError(`Error while registering: ${e.message}`);
+      }
+    }
+    try {
+      const xhr = new XMLHttpRequest();
+      xhr.withCredentials = true;
+      xhr.open('POST', this.getAuthApiUrl(), false);
+      xhr.setRequestHeader('content-type', 'application/json');
+      xhr.send((0, _stringify.default)({
+        method: 'webAuthnRegister',
+        ...regResponse
+      }));
+      const options = JSON.parse(xhr.responseText);
+      if (xhr.status !== 200) {
+        throw new WebAuthnRegistrationError(`Could not complete registration: ${options.error}`);
+      }
+    } catch (e) {
+      throw new WebAuthnRegistrationError(`Error while registering: ${e.message}`);
+    }
+    return true;
+  }
+}
+exports.default = WebAuthnClient;

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@cedarjs/auth-dbauth-web",
+  "version": "0.0.4",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cedarjs/cedar.git",
+    "directory": "packages/auth-providers/dbAuth/web"
+  },
+  "license": "MIT",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "webAuthn"
+  ],
+  "scripts": {
+    "build": "yarn build:js && yarn build:types",
+    "build:js": "babel src -d dist --extensions \".js,.jsx,.ts,.tsx\" --copy-files --no-copy-ignored",
+    "build:pack": "yarn pack -o cedar-auth-dbauth-web.tgz",
+    "build:types": "tsc --build --verbose",
+    "build:watch": "nodemon --watch src --ext \"js,jsx,ts,tsx,template\" --ignore dist --exec \"yarn build\"",
+    "prepublishOnly": "NODE_ENV=production yarn build",
+    "test": "yarn vitest run src",
+    "test:watch": "yarn test --watch"
+  },
+  "dependencies": {
+    "@babel/runtime-corejs3": "7.26.10",
+    "@cedarjs/auth": "0.0.4",
+    "@simplewebauthn/browser": "7.4.0",
+    "core-js": "3.42.0"
+  },
+  "devDependencies": {
+    "@babel/cli": "7.26.4",
+    "@babel/core": "^7.26.10",
+    "@simplewebauthn/typescript-types": "7.4.0",
+    "@types/react": "^18.2.55",
+    "react": "18.3.1",
+    "typescript": "5.6.2",
+    "vitest": "2.1.9"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "gitHead": "5b4f77f985bd86ee31ee7338312627accf0cb85b"
+}

package/webAuthn/index.js

@@ -0,0 +1,2 @@
+/* eslint-env es6, commonjs */
+module.exports = require('../dist/webAuthn')

package/webAuthn/package.json

@@ -0,0 +1,4 @@
+{
+  "main": "./index.js",
+  "types": "../dist/webAuthn.d.ts"
+}