npm - @chipi-stack/chipi-passkey - Versions diffs - 0.1.0 - Mend

@chipi-stack/chipi-passkey 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,246 @@
+'use strict';
+var browser = require('@simplewebauthn/browser');
+// src/passkey.ts
+var WALLET_PRF_SALT_STRING = "chipi-wallet-encryption-key-v1";
+var WALLET_CREDENTIAL_KEY = "chipi_wallet_passkey_credential";
+function generateRandomBase64URL(length = 32) {
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return btoa(String.fromCharCode(...array)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function stringToBase64URL(str) {
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function arrayBufferToHex(buffer) {
+  const bytes = new Uint8Array(buffer);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function base64URLToArrayBuffer(base64url) {
+  const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+  const paddedBase64 = base64.padEnd(
+    base64.length + (4 - base64.length % 4) % 4,
+    "="
+  );
+  const binary = atob(paddedBase64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes.buffer;
+}
+function getPRFSaltBase64URL() {
+  return stringToBase64URL(WALLET_PRF_SALT_STRING);
+}
+function isWebAuthnSupported() {
+  if (typeof window === "undefined") return false;
+  return browser.browserSupportsWebAuthn();
+}
+function getStoredCredential() {
+  if (typeof window === "undefined") return null;
+  const stored = localStorage.getItem(WALLET_CREDENTIAL_KEY);
+  if (!stored) return null;
+  try {
+    return JSON.parse(stored);
+  } catch {
+    return null;
+  }
+}
+function storeCredential(metadata) {
+  localStorage.setItem(WALLET_CREDENTIAL_KEY, JSON.stringify(metadata));
+}
+function removeStoredCredential() {
+  localStorage.removeItem(WALLET_CREDENTIAL_KEY);
+}
+function hasWalletPasskey() {
+  return getStoredCredential() !== null;
+}
+async function createWalletPasskey(userId, userName) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const challenge = generateRandomBase64URL(32);
+  const userIdBase64 = stringToBase64URL(userId);
+  const prfSalt = getPRFSaltBase64URL();
+  const registrationOptions = {
+    challenge,
+    rp: {
+      name: "Chipi Wallet",
+      id: window.location.hostname
+    },
+    user: {
+      id: userIdBase64,
+      name: userName,
+      displayName: `${userName} - Wallet Key`
+    },
+    pubKeyCredParams: [
+      { alg: -7, type: "public-key" },
+      // ES256
+      { alg: -257, type: "public-key" }
+      // RS256
+    ],
+    authenticatorSelection: {
+      authenticatorAttachment: "platform",
+      residentKey: "required",
+      userVerification: "required"
+    },
+    timeout: 6e4,
+    attestation: "none",
+    extensions: {
+      // @ts-expect-error - PRF extension not in types yet
+      prf: {
+        eval: {
+          first: base64URLToArrayBuffer(prfSalt)
+        }
+      }
+    }
+  };
+  let registration;
+  try {
+    registration = await browser.startRegistration(registrationOptions);
+  } catch (error) {
+    if (error instanceof Error) {
+      if (error.name === "NotAllowedError") {
+        throw new Error("Passkey creation was cancelled");
+      }
+      if (error.name === "InvalidStateError") {
+        throw new Error("A passkey already exists for this account");
+      }
+    }
+    throw error;
+  }
+  const credentialId = registration.id;
+  const prfResults = registration.clientExtensionResults?.prf;
+  let encryptKey;
+  let prfSupported = false;
+  if (prfResults?.results?.first) {
+    const prfOutput = prfResults.results.first;
+    if (typeof prfOutput === "string") {
+      encryptKey = arrayBufferToHex(base64URLToArrayBuffer(prfOutput));
+    } else {
+      encryptKey = arrayBufferToHex(prfOutput);
+    }
+    prfSupported = true;
+  } else if (prfResults?.enabled) {
+    const prfOutput = await getWalletEncryptKey(credentialId);
+    if (!prfOutput) {
+      throw new Error("Failed to derive encryption key from passkey");
+    }
+    encryptKey = prfOutput;
+    prfSupported = true;
+  } else {
+    console.warn("PRF extension not supported, using fallback key derivation");
+    encryptKey = await deriveKeyFromCredential(credentialId, userId);
+    prfSupported = false;
+  }
+  const transports = registration.response.transports;
+  storeCredential({
+    credentialId,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    userId,
+    transports
+  });
+  return {
+    encryptKey,
+    credentialId,
+    prfSupported
+  };
+}
+async function getWalletEncryptKey(credentialId) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const storedCredential = getStoredCredential();
+  const targetCredentialId = credentialId || storedCredential?.credentialId;
+  if (!targetCredentialId) {
+    throw new Error("No wallet passkey found");
+  }
+  const challenge = generateRandomBase64URL(32);
+  const prfSalt = getPRFSaltBase64URL();
+  const authenticationOptions = {
+    challenge,
+    rpId: window.location.hostname,
+    allowCredentials: [
+      {
+        id: targetCredentialId,
+        type: "public-key",
+        transports: storedCredential?.transports
+      }
+    ],
+    userVerification: "required",
+    timeout: 6e4,
+    extensions: {
+      // @ts-expect-error - PRF extension not in types
+      prf: {
+        eval: {
+          first: base64URLToArrayBuffer(prfSalt)
+        }
+      }
+    }
+  };
+  let authentication;
+  try {
+    authentication = await browser.startAuthentication(authenticationOptions);
+  } catch (error) {
+    if (error instanceof Error && error.name === "NotAllowedError") {
+      return null;
+    }
+    throw error;
+  }
+  const prfResults = authentication.clientExtensionResults?.prf;
+  if (prfResults?.results?.first) {
+    const prfOutput = prfResults.results.first;
+    if (typeof prfOutput === "string") {
+      return arrayBufferToHex(base64URLToArrayBuffer(prfOutput));
+    }
+    return arrayBufferToHex(prfOutput);
+  }
+  console.warn("PRF not available, using fallback key derivation");
+  if (storedCredential) {
+    return deriveKeyFromCredential(targetCredentialId, storedCredential.userId);
+  }
+  throw new Error("Unable to derive encryption key");
+}
+async function deriveKeyFromCredential(credentialId, userId) {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(credentialId),
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const salt = encoder.encode(`chipi-wallet-${userId}`);
+  const derivedBits = await crypto.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: 1e5,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    256
+  );
+  return arrayBufferToHex(derivedBits);
+}
+async function verifyWalletPasskey() {
+  try {
+    const encryptKey = await getWalletEncryptKey();
+    return encryptKey !== null;
+  } catch {
+    return false;
+  }
+}
+var isWebAuthnPRFSupported = isWebAuthnSupported;
+exports.createWalletPasskey = createWalletPasskey;
+exports.getStoredCredential = getStoredCredential;
+exports.getWalletEncryptKey = getWalletEncryptKey;
+exports.hasWalletPasskey = hasWalletPasskey;
+exports.isWebAuthnPRFSupported = isWebAuthnPRFSupported;
+exports.isWebAuthnSupported = isWebAuthnSupported;
+exports.removeStoredCredential = removeStoredCredential;
+exports.verifyWalletPasskey = verifyWalletPasskey;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/passkey.ts"],"names":["browserSupportsWebAuthn","startRegistration","startAuthentication"],"mappings":";;;;;AAuBA,IAAM,sBAAA,GAAyB,gCAAA;AAG/B,IAAM,qBAAA,GAAwB,iCAAA;AAY9B,SAAS,uBAAA,CAAwB,SAAiB,EAAA,EAAY;AAC5D,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,MAAA,CAAO,gBAAgB,KAAK,CAAA;AAC5B,EAAA,OAAO,KAAK,MAAA,CAAO,YAAA,CAAa,GAAG,KAAK,CAAC,CAAA,CACtC,OAAA,CAAQ,KAAA,EAAO,GAAG,EAClB,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAClB,OAAA,CAAQ,MAAM,EAAE,CAAA;AACrB;AAKA,SAAS,kBAAkB,GAAA,EAAqB;AAC9C,EAAA,OAAO,IAAA,CAAK,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,EAAE,CAAA;AAC3E;AAKA,SAAS,iBAAiB,MAAA,EAA6B;AACrD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,OAAO,MAAM,IAAA,CAAK,KAAK,CAAA,CACpB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAC1C,KAAK,EAAE,CAAA;AACZ;AAKA,SAAS,uBAAuB,SAAA,EAAgC;AAC9D,EAAA,MAAM,MAAA,GAAS,UAAU,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAC7D,EAAA,MAAM,eAAe,MAAA,CAAO,MAAA;AAAA,IAC1B,MAAA,CAAO,MAAA,GAAA,CAAW,CAAA,GAAK,MAAA,CAAO,SAAS,CAAA,IAAM,CAAA;AAAA,IAC7C;AAAA,GACF;AACA,EAAA,MAAM,MAAA,GAAS,KAAK,YAAY,CAAA;AAChC,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAM,CAAA;AAC1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,KAAA,CAAM,MAAA;AACf;AAKA,SAAS,mBAAA,GAA8B;AACrC,EAAA,OAAO,kBAAkB,sBAAsB,CAAA;AACjD;AAKO,SAAS,mBAAA,GAA+B;AAC7C,EAAA,IAAI,OAAO,MAAA,KAAW,WAAA,EAAa,OAAO,KAAA;AAC1C,EAAA,OAAOA,+BAAA,EAAwB;AACjC;AAKO,SAAS,mBAAA,GAAuD;AACrE,EAAA,IAAI,OAAO,MAAA,KAAW,WAAA,EAAa,OAAO,IAAA;AAE1C,EAAA,MAAM,MAAA,GAAS,YAAA,CAAa,OAAA,CAAQ,qBAAqB,CAAA;AACzD,EAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AAEpB,EAAA,IAAI;AACF,IAAA,OAAO,IAAA,CAAK,MAAM,MAAM,CAAA;AAAA,EAC1B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAKA,SAAS,gBAAgB,QAAA,EAA0C;AACjE,EAAA,YAAA,CAAa,OAAA,CAAQ,qBAAA,EAAuB,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC,CAAA;AACtE;AAKO,SAAS,sBAAA,GAA+B;AAC7C,EAAA,YAAA,CAAa,WAAW,qBAAqB,CAAA;AAC/C;AAKO,SAAS,gBAAA,GAA4B;AAC1C,EAAA,OAAO,qBAAoB,KAAM,IAAA;AACnC;AAWA,eAAsB,mBAAA,CACpB,QACA,QAAA,EACoC;AACpC,EAAA,IAAI,CAAC,qBAAoB,EAAG;AAC1B,IAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,EAC7D;AAEA,EAAA,MAAM,SAAA,GAAY,wBAAwB,EAAE,CAAA;AAC5C,EAAA,MAAM,YAAA,GAAe,kBAAkB,MAAM,CAAA;AAC7C,EAAA,MAAM,UAAU,mBAAA,EAAoB;AAGpC,EAAA,MAAM,mBAAA,GAA8D;AAAA,IAClE,SAAA;AAAA,IACA,EAAA,EAAI;AAAA,MACF,IAAA,EAAM,cAAA;AAAA,MACN,EAAA,EAAI,OAAO,QAAA,CAAS;AAAA,KACtB;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,EAAA,EAAI,YAAA;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,WAAA,EAAa,GAAG,QAAQ,CAAA,aAAA;AAAA,KAC1B;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB,EAAE,GAAA,EAAK,EAAA,EAAI,IAAA,EAAM,YAAA,EAAa;AAAA;AAAA,MAC9B,EAAE,GAAA,EAAK,IAAA,EAAM,IAAA,EAAM,YAAA;AAAa;AAAA,KAClC;AAAA,IACA,sBAAA,EAAwB;AAAA,MACtB,uBAAA,EAAyB,UAAA;AAAA,MACzB,WAAA,EAAa,UAAA;AAAA,MACb,gBAAA,EAAkB;AAAA,KACpB;AAAA,IACA,OAAA,EAAS,GAAA;AAAA,IACT,WAAA,EAAa,MAAA;AAAA,IACb,UAAA,EAAY;AAAA;AAAA,MAEV,GAAA,EAAK;AAAA,QACH,IAAA,EAAM;AAAA,UACJ,KAAA,EAAO,uBAAuB,OAAO;AAAA;AACvC;AACF;AACF,GACF;AAEA,EAAA,IAAI,YAAA;AACJ,EAAA,IAAI;AACF,IAAA,YAAA,GAAe,MAAMC,0BAAkB,mBAAmB,CAAA;AAAA,EAC5D,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,iBAAiB,KAAA,EAAO;AAC1B,MAAA,IAAI,KAAA,CAAM,SAAS,iBAAA,EAAmB;AACpC,QAAA,MAAM,IAAI,MAAM,gCAAgC,CAAA;AAAA,MAClD;AACA,MAAA,IAAI,KAAA,CAAM,SAAS,mBAAA,EAAqB;AACtC,QAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,MAC7D;AAAA,IACF;AACA,IAAA,MAAM,KAAA;AAAA,EACR;AAEA,EAAA,MAAM,eAAe,YAAA,CAAa,EAAA;AAIlC,EAAA,MAAM,UAAA,GAAa,aAAa,sBAAA,EAAwB,GAAA;AAExD,EAAA,IAAI,UAAA;AACJ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,IAAI,UAAA,EAAY,SAAS,KAAA,EAAO;AAE9B,IAAA,MAAM,SAAA,GAAY,WAAW,OAAA,CAAQ,KAAA;AACrC,IAAA,IAAI,OAAO,cAAc,QAAA,EAAU;AACjC,MAAA,UAAA,GAAa,gBAAA,CAAiB,sBAAA,CAAuB,SAAS,CAAC,CAAA;AAAA,IACjE,CAAA,MAAO;AACL,MAAA,UAAA,GAAa,iBAAiB,SAAS,CAAA;AAAA,IACzC;AACA,IAAA,YAAA,GAAe,IAAA;AAAA,EACjB,CAAA,MAAA,IAAW,YAAY,OAAA,EAAS;AAE9B,IAAA,MAAM,SAAA,GAAY,MAAM,mBAAA,CAAoB,YAAY,CAAA;AACxD,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,MAAM,IAAI,MAAM,8CAA8C,CAAA;AAAA,IAChE;AACA,IAAA,UAAA,GAAa,SAAA;AACb,IAAA,YAAA,GAAe,IAAA;AAAA,EACjB,CAAA,MAAO;AAEL,IAAA,OAAA,CAAQ,KAAK,4DAA4D,CAAA;AACzE,IAAA,UAAA,GAAa,MAAM,uBAAA,CAAwB,YAAA,EAAc,MAAM,CAAA;AAC/D,IAAA,YAAA,GAAe,KAAA;AAAA,EACjB;AAGA,EAAA,MAAM,UAAA,GAAa,aAAa,QAAA,CAAS,UAAA;AAKzC,EAAA,eAAA,CAAgB;AAAA,IACd,YAAA;AAAA,IACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IAClC,MAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,OAAO;AAAA,IACL,UAAA;AAAA,IACA,YAAA;AAAA,IACA;AAAA,GACF;AACF;AAKA,eAAsB,oBACpB,YAAA,EACwB;AACxB,EAAA,IAAI,CAAC,qBAAoB,EAAG;AAC1B,IAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,EAC7D;AAEA,EAAA,MAAM,mBAAmB,mBAAA,EAAoB;AAC7C,EAAA,MAAM,kBAAA,GAAqB,gBAAgB,gBAAA,EAAkB,YAAA;AAE7D,EAAA,IAAI,CAAC,kBAAA,EAAoB;AACvB,IAAA,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAAA,EAC3C;AAEA,EAAA,MAAM,SAAA,GAAY,wBAAwB,EAAE,CAAA;AAC5C,EAAA,MAAM,UAAU,mBAAA,EAAoB;AAGpC,EAAA,MAAM,qBAAA,GAA+D;AAAA,IACnE,SAAA;AAAA,IACA,IAAA,EAAM,OAAO,QAAA,CAAS,QAAA;AAAA,IACtB,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,EAAA,EAAI,kBAAA;AAAA,QACJ,IAAA,EAAM,YAAA;AAAA,QACN,YAAY,gBAAA,EAAkB;AAAA;AAChC,KACF;AAAA,IACA,gBAAA,EAAkB,UAAA;AAAA,IAClB,OAAA,EAAS,GAAA;AAAA,IACT,UAAA,EAAY;AAAA;AAAA,MAEV,GAAA,EAAK;AAAA,QACH,IAAA,EAAM;AAAA,UACJ,KAAA,EAAO,uBAAuB,OAAO;AAAA;AACvC;AACF;AACF,GACF;AAEA,EAAA,IAAI,cAAA;AACJ,EAAA,IAAI;AACF,IAAA,cAAA,GAAiB,MAAMC,4BAAoB,qBAAqB,CAAA;AAAA,EAClE,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,KAAA,YAAiB,KAAA,IAAS,KAAA,CAAM,IAAA,KAAS,iBAAA,EAAmB;AAE9D,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,MAAM,KAAA;AAAA,EACR;AAIA,EAAA,MAAM,UAAA,GAAa,eAAe,sBAAA,EAAwB,GAAA;AAE1D,EAAA,IAAI,UAAA,EAAY,SAAS,KAAA,EAAO;AAC9B,IAAA,MAAM,SAAA,GAAY,WAAW,OAAA,CAAQ,KAAA;AACrC,IAAA,IAAI,OAAO,cAAc,QAAA,EAAU;AACjC,MAAA,OAAO,gBAAA,CAAiB,sBAAA,CAAuB,SAAS,CAAC,CAAA;AAAA,IAC3D;AACA,IAAA,OAAO,iBAAiB,SAAS,CAAA;AAAA,EACnC;AAGA,EAAA,OAAA,CAAQ,KAAK,kDAAkD,CAAA;AAC/D,EAAA,IAAI,gBAAA,EAAkB;AACpB,IAAA,OAAO,uBAAA,CAAwB,kBAAA,EAAoB,gBAAA,CAAiB,MAAM,CAAA;AAAA,EAC5E;AAEA,EAAA,MAAM,IAAI,MAAM,iCAAiC,CAAA;AACnD;AAKA,eAAe,uBAAA,CACb,cACA,MAAA,EACiB;AACjB,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,WAAA,GAAc,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IACtC,KAAA;AAAA,IACA,OAAA,CAAQ,OAAO,YAAY,CAAA;AAAA,IAC3B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACf;AAEA,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,MAAA,CAAO,CAAA,aAAA,EAAgB,MAAM,CAAA,CAAE,CAAA;AAEpD,EAAA,MAAM,WAAA,GAAc,MAAM,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IACtC;AAAA,MACE,IAAA,EAAM,QAAA;AAAA,MACN,IAAA;AAAA,MACA,UAAA,EAAY,GAAA;AAAA,MACZ,IAAA,EAAM;AAAA,KACR;AAAA,IACA,WAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,OAAO,iBAAiB,WAAW,CAAA;AACrC;AAKA,eAAsB,mBAAA,GAAwC;AAC5D,EAAA,IAAI;AACF,IAAA,MAAM,UAAA,GAAa,MAAM,mBAAA,EAAoB;AAC7C,IAAA,OAAO,UAAA,KAAe,IAAA;AAAA,EACxB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAGO,IAAM,sBAAA,GAAyB","file":"index.js","sourcesContent":["/* eslint-disable no-undef */\n/**\n * Wallet Passkey Utilities\n *\n * This module provides WebAuthn passkey functionality with PRF (Pseudo-Random Function)\n * extension support for securely deriving encryption keys for wallet creation.\n *\n * Uses @simplewebauthn/browser for robust browser compatibility.\n */\n\nimport {\n startRegistration,\n startAuthentication,\n browserSupportsWebAuthn,\n} from \"@simplewebauthn/browser\";\nimport type {\n PublicKeyCredentialCreationOptionsJSON,\n PublicKeyCredentialRequestOptionsJSON,\n AuthenticationResponseJSON,\n RegistrationResponseJSON,\n} from \"@simplewebauthn/types\";\n\n// Salt used for PRF - this should be constant for your app\nconst WALLET_PRF_SALT_STRING = \"chipi-wallet-encryption-key-v1\";\n\n// Storage key for credential metadata\nconst WALLET_CREDENTIAL_KEY = \"chipi_wallet_passkey_credential\";\n\nexport interface WalletCredentialMetadata {\n credentialId: string;\n createdAt: string;\n userId: string;\n transports?: AuthenticatorTransport[];\n}\n\n/**\n * Generate a random base64url string for challenges\n */\nfunction generateRandomBase64URL(length: number = 32): string {\n const array = new Uint8Array(length);\n crypto.getRandomValues(array);\n return btoa(String.fromCharCode(...array))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=/g, \"\");\n}\n\n/**\n * Convert string to base64url\n */\nfunction stringToBase64URL(str: string): string {\n return btoa(str).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=/g, \"\");\n}\n\n/**\n * Convert ArrayBuffer to hex string\n */\nfunction arrayBufferToHex(buffer: ArrayBuffer): string {\n const bytes = new Uint8Array(buffer);\n return Array.from(bytes)\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/**\n * Convert base64url to ArrayBuffer\n */\nfunction base64URLToArrayBuffer(base64url: string): ArrayBuffer {\n const base64 = base64url.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const paddedBase64 = base64.padEnd(\n base64.length + ((4 - (base64.length % 4)) % 4),\n \"=\"\n );\n const binary = atob(paddedBase64);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes.buffer;\n}\n\n/**\n * Get PRF salt as base64url for SimpleWebAuthn\n */\nfunction getPRFSaltBase64URL(): string {\n return stringToBase64URL(WALLET_PRF_SALT_STRING);\n}\n\n/**\n * Check if WebAuthn is supported in this browser\n */\nexport function isWebAuthnSupported(): boolean {\n if (typeof window === \"undefined\") return false;\n return browserSupportsWebAuthn();\n}\n\n/**\n * Get stored credential metadata\n */\nexport function getStoredCredential(): WalletCredentialMetadata | null {\n if (typeof window === \"undefined\") return null;\n\n const stored = localStorage.getItem(WALLET_CREDENTIAL_KEY);\n if (!stored) return null;\n\n try {\n return JSON.parse(stored) as WalletCredentialMetadata;\n } catch {\n return null;\n }\n}\n\n/**\n * Store credential metadata\n */\nfunction storeCredential(metadata: WalletCredentialMetadata): void {\n localStorage.setItem(WALLET_CREDENTIAL_KEY, JSON.stringify(metadata));\n}\n\n/**\n * Remove stored credential\n */\nexport function removeStoredCredential(): void {\n localStorage.removeItem(WALLET_CREDENTIAL_KEY);\n}\n\n/**\n * Check if a wallet passkey already exists\n */\nexport function hasWalletPasskey(): boolean {\n return getStoredCredential() !== null;\n}\n\nexport interface CreateWalletPasskeyResult {\n encryptKey: string;\n credentialId: string;\n prfSupported: boolean;\n}\n\n/**\n * Create a new wallet passkey with PRF extension\n */\nexport async function createWalletPasskey(\n userId: string,\n userName: string\n): Promise<CreateWalletPasskeyResult> {\n if (!isWebAuthnSupported()) {\n throw new Error(\"WebAuthn is not supported in this browser\");\n }\n\n const challenge = generateRandomBase64URL(32);\n const userIdBase64 = stringToBase64URL(userId);\n const prfSalt = getPRFSaltBase64URL();\n\n // Build registration options for SimpleWebAuthn\n const registrationOptions: PublicKeyCredentialCreationOptionsJSON = {\n challenge,\n rp: {\n name: \"Chipi Wallet\",\n id: window.location.hostname,\n },\n user: {\n id: userIdBase64,\n name: userName,\n displayName: `${userName} - Wallet Key`,\n },\n pubKeyCredParams: [\n { alg: -7, type: \"public-key\" }, // ES256\n { alg: -257, type: \"public-key\" }, // RS256\n ],\n authenticatorSelection: {\n authenticatorAttachment: \"platform\",\n residentKey: \"required\",\n userVerification: \"required\",\n },\n timeout: 60000,\n attestation: \"none\",\n extensions: {\n // @ts-expect-error - PRF extension not in types yet\n prf: {\n eval: {\n first: base64URLToArrayBuffer(prfSalt),\n },\n },\n },\n };\n\n let registration: RegistrationResponseJSON;\n try {\n registration = await startRegistration(registrationOptions);\n } catch (error) {\n if (error instanceof Error) {\n if (error.name === \"NotAllowedError\") {\n throw new Error(\"Passkey creation was cancelled\");\n }\n if (error.name === \"InvalidStateError\") {\n throw new Error(\"A passkey already exists for this account\");\n }\n }\n throw error;\n }\n\n const credentialId = registration.id;\n\n // Check PRF results\n // @ts-expect-error - PRF extension not in types\n const prfResults = registration.clientExtensionResults?.prf;\n\n let encryptKey: string;\n let prfSupported = false;\n\n if (prfResults?.results?.first) {\n // PRF was evaluated during creation\n const prfOutput = prfResults.results.first;\n if (typeof prfOutput === \"string\") {\n encryptKey = arrayBufferToHex(base64URLToArrayBuffer(prfOutput));\n } else {\n encryptKey = arrayBufferToHex(prfOutput);\n }\n prfSupported = true;\n } else if (prfResults?.enabled) {\n // PRF is supported but needs assertion to get output\n const prfOutput = await getWalletEncryptKey(credentialId);\n if (!prfOutput) {\n throw new Error(\"Failed to derive encryption key from passkey\");\n }\n encryptKey = prfOutput;\n prfSupported = true;\n } else {\n // PRF not supported - use fallback derivation\n console.warn(\"PRF extension not supported, using fallback key derivation\");\n encryptKey = await deriveKeyFromCredential(credentialId, userId);\n prfSupported = false;\n }\n\n // Get transports if available\n const transports = registration.response.transports as\n | AuthenticatorTransport[]\n | undefined;\n\n // Store credential metadata\n storeCredential({\n credentialId,\n createdAt: new Date().toISOString(),\n userId,\n transports,\n });\n\n return {\n encryptKey,\n credentialId,\n prfSupported,\n };\n}\n\n/**\n * Get the encryption key by authenticating with the wallet passkey\n */\nexport async function getWalletEncryptKey(\n credentialId?: string\n): Promise<string | null> {\n if (!isWebAuthnSupported()) {\n throw new Error(\"WebAuthn is not supported in this browser\");\n }\n\n const storedCredential = getStoredCredential();\n const targetCredentialId = credentialId || storedCredential?.credentialId;\n\n if (!targetCredentialId) {\n throw new Error(\"No wallet passkey found\");\n }\n\n const challenge = generateRandomBase64URL(32);\n const prfSalt = getPRFSaltBase64URL();\n\n // Build authentication options\n const authenticationOptions: PublicKeyCredentialRequestOptionsJSON = {\n challenge,\n rpId: window.location.hostname,\n allowCredentials: [\n {\n id: targetCredentialId,\n type: \"public-key\",\n transports: storedCredential?.transports,\n },\n ],\n userVerification: \"required\",\n timeout: 60000,\n extensions: {\n // @ts-expect-error - PRF extension not in types\n prf: {\n eval: {\n first: base64URLToArrayBuffer(prfSalt),\n },\n },\n },\n };\n\n let authentication: AuthenticationResponseJSON;\n try {\n authentication = await startAuthentication(authenticationOptions);\n } catch (error) {\n if (error instanceof Error && error.name === \"NotAllowedError\") {\n // User cancelled\n return null;\n }\n throw error;\n }\n\n // Check PRF results\n // @ts-expect-error - PRF extension not in types\n const prfResults = authentication.clientExtensionResults?.prf;\n\n if (prfResults?.results?.first) {\n const prfOutput = prfResults.results.first;\n if (typeof prfOutput === \"string\") {\n return arrayBufferToHex(base64URLToArrayBuffer(prfOutput));\n }\n return arrayBufferToHex(prfOutput);\n }\n\n // PRF not available, use fallback\n console.warn(\"PRF not available, using fallback key derivation\");\n if (storedCredential) {\n return deriveKeyFromCredential(targetCredentialId, storedCredential.userId);\n }\n\n throw new Error(\"Unable to derive encryption key\");\n}\n\n/**\n * Fallback key derivation when PRF is not supported\n */\nasync function deriveKeyFromCredential(\n credentialId: string,\n userId: string\n): Promise<string> {\n const encoder = new TextEncoder();\n const keyMaterial = await crypto.subtle.importKey(\n \"raw\",\n encoder.encode(credentialId),\n \"PBKDF2\",\n false,\n [\"deriveBits\"]\n );\n\n const salt = encoder.encode(`chipi-wallet-${userId}`);\n\n const derivedBits = await crypto.subtle.deriveBits(\n {\n name: \"PBKDF2\",\n salt,\n iterations: 100000,\n hash: \"SHA-256\",\n },\n keyMaterial,\n 256\n );\n\n return arrayBufferToHex(derivedBits);\n}\n\n/**\n * Verify that the stored passkey is still valid\n */\nexport async function verifyWalletPasskey(): Promise<boolean> {\n try {\n const encryptKey = await getWalletEncryptKey();\n return encryptKey !== null;\n } catch {\n return false;\n }\n}\n\n// Re-export for backwards compatibility\nexport const isWebAuthnPRFSupported = isWebAuthnSupported;\n"]}

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,237 @@
+import { browserSupportsWebAuthn, startRegistration, startAuthentication } from '@simplewebauthn/browser';
+// src/passkey.ts
+var WALLET_PRF_SALT_STRING = "chipi-wallet-encryption-key-v1";
+var WALLET_CREDENTIAL_KEY = "chipi_wallet_passkey_credential";
+function generateRandomBase64URL(length = 32) {
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return btoa(String.fromCharCode(...array)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function stringToBase64URL(str) {
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function arrayBufferToHex(buffer) {
+  const bytes = new Uint8Array(buffer);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function base64URLToArrayBuffer(base64url) {
+  const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+  const paddedBase64 = base64.padEnd(
+    base64.length + (4 - base64.length % 4) % 4,
+    "="
+  );
+  const binary = atob(paddedBase64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes.buffer;
+}
+function getPRFSaltBase64URL() {
+  return stringToBase64URL(WALLET_PRF_SALT_STRING);
+}
+function isWebAuthnSupported() {
+  if (typeof window === "undefined") return false;
+  return browserSupportsWebAuthn();
+}
+function getStoredCredential() {
+  if (typeof window === "undefined") return null;
+  const stored = localStorage.getItem(WALLET_CREDENTIAL_KEY);
+  if (!stored) return null;
+  try {
+    return JSON.parse(stored);
+  } catch {
+    return null;
+  }
+}
+function storeCredential(metadata) {
+  localStorage.setItem(WALLET_CREDENTIAL_KEY, JSON.stringify(metadata));
+}
+function removeStoredCredential() {
+  localStorage.removeItem(WALLET_CREDENTIAL_KEY);
+}
+function hasWalletPasskey() {
+  return getStoredCredential() !== null;
+}
+async function createWalletPasskey(userId, userName) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const challenge = generateRandomBase64URL(32);
+  const userIdBase64 = stringToBase64URL(userId);
+  const prfSalt = getPRFSaltBase64URL();
+  const registrationOptions = {
+    challenge,
+    rp: {
+      name: "Chipi Wallet",
+      id: window.location.hostname
+    },
+    user: {
+      id: userIdBase64,
+      name: userName,
+      displayName: `${userName} - Wallet Key`
+    },
+    pubKeyCredParams: [
+      { alg: -7, type: "public-key" },
+      // ES256
+      { alg: -257, type: "public-key" }
+      // RS256
+    ],
+    authenticatorSelection: {
+      authenticatorAttachment: "platform",
+      residentKey: "required",
+      userVerification: "required"
+    },
+    timeout: 6e4,
+    attestation: "none",
+    extensions: {
+      // @ts-expect-error - PRF extension not in types yet
+      prf: {
+        eval: {
+          first: base64URLToArrayBuffer(prfSalt)
+        }
+      }
+    }
+  };
+  let registration;
+  try {
+    registration = await startRegistration(registrationOptions);
+  } catch (error) {
+    if (error instanceof Error) {
+      if (error.name === "NotAllowedError") {
+        throw new Error("Passkey creation was cancelled");
+      }
+      if (error.name === "InvalidStateError") {
+        throw new Error("A passkey already exists for this account");
+      }
+    }
+    throw error;
+  }
+  const credentialId = registration.id;
+  const prfResults = registration.clientExtensionResults?.prf;
+  let encryptKey;
+  let prfSupported = false;
+  if (prfResults?.results?.first) {
+    const prfOutput = prfResults.results.first;
+    if (typeof prfOutput === "string") {
+      encryptKey = arrayBufferToHex(base64URLToArrayBuffer(prfOutput));
+    } else {
+      encryptKey = arrayBufferToHex(prfOutput);
+    }
+    prfSupported = true;
+  } else if (prfResults?.enabled) {
+    const prfOutput = await getWalletEncryptKey(credentialId);
+    if (!prfOutput) {
+      throw new Error("Failed to derive encryption key from passkey");
+    }
+    encryptKey = prfOutput;
+    prfSupported = true;
+  } else {
+    console.warn("PRF extension not supported, using fallback key derivation");
+    encryptKey = await deriveKeyFromCredential(credentialId, userId);
+    prfSupported = false;
+  }
+  const transports = registration.response.transports;
+  storeCredential({
+    credentialId,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    userId,
+    transports
+  });
+  return {
+    encryptKey,
+    credentialId,
+    prfSupported
+  };
+}
+async function getWalletEncryptKey(credentialId) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const storedCredential = getStoredCredential();
+  const targetCredentialId = credentialId || storedCredential?.credentialId;
+  if (!targetCredentialId) {
+    throw new Error("No wallet passkey found");
+  }
+  const challenge = generateRandomBase64URL(32);
+  const prfSalt = getPRFSaltBase64URL();
+  const authenticationOptions = {
+    challenge,
+    rpId: window.location.hostname,
+    allowCredentials: [
+      {
+        id: targetCredentialId,
+        type: "public-key",
+        transports: storedCredential?.transports
+      }
+    ],
+    userVerification: "required",
+    timeout: 6e4,
+    extensions: {
+      // @ts-expect-error - PRF extension not in types
+      prf: {
+        eval: {
+          first: base64URLToArrayBuffer(prfSalt)
+        }
+      }
+    }
+  };
+  let authentication;
+  try {
+    authentication = await startAuthentication(authenticationOptions);
+  } catch (error) {
+    if (error instanceof Error && error.name === "NotAllowedError") {
+      return null;
+    }
+    throw error;
+  }
+  const prfResults = authentication.clientExtensionResults?.prf;
+  if (prfResults?.results?.first) {
+    const prfOutput = prfResults.results.first;
+    if (typeof prfOutput === "string") {
+      return arrayBufferToHex(base64URLToArrayBuffer(prfOutput));
+    }
+    return arrayBufferToHex(prfOutput);
+  }
+  console.warn("PRF not available, using fallback key derivation");
+  if (storedCredential) {
+    return deriveKeyFromCredential(targetCredentialId, storedCredential.userId);
+  }
+  throw new Error("Unable to derive encryption key");
+}
+async function deriveKeyFromCredential(credentialId, userId) {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(credentialId),
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const salt = encoder.encode(`chipi-wallet-${userId}`);
+  const derivedBits = await crypto.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: 1e5,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    256
+  );
+  return arrayBufferToHex(derivedBits);
+}
+async function verifyWalletPasskey() {
+  try {
+    const encryptKey = await getWalletEncryptKey();
+    return encryptKey !== null;
+  } catch {
+    return false;
+  }
+}
+var isWebAuthnPRFSupported = isWebAuthnSupported;
+export { createWalletPasskey, getStoredCredential, getWalletEncryptKey, hasWalletPasskey, isWebAuthnPRFSupported, isWebAuthnSupported, removeStoredCredential, verifyWalletPasskey };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/passkey.ts"],"names":[],"mappings":";;;AAuBA,IAAM,sBAAA,GAAyB,gCAAA;AAG/B,IAAM,qBAAA,GAAwB,iCAAA;AAY9B,SAAS,uBAAA,CAAwB,SAAiB,EAAA,EAAY;AAC5D,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,MAAA,CAAO,gBAAgB,KAAK,CAAA;AAC5B,EAAA,OAAO,KAAK,MAAA,CAAO,YAAA,CAAa,GAAG,KAAK,CAAC,CAAA,CACtC,OAAA,CAAQ,KAAA,EAAO,GAAG,EAClB,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAClB,OAAA,CAAQ,MAAM,EAAE,CAAA;AACrB;AAKA,SAAS,kBAAkB,GAAA,EAAqB;AAC9C,EAAA,OAAO,IAAA,CAAK,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,EAAE,CAAA;AAC3E;AAKA,SAAS,iBAAiB,MAAA,EAA6B;AACrD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,OAAO,MAAM,IAAA,CAAK,KAAK,CAAA,CACpB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAC1C,KAAK,EAAE,CAAA;AACZ;AAKA,SAAS,uBAAuB,SAAA,EAAgC;AAC9D,EAAA,MAAM,MAAA,GAAS,UAAU,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAC7D,EAAA,MAAM,eAAe,MAAA,CAAO,MAAA;AAAA,IAC1B,MAAA,CAAO,MAAA,GAAA,CAAW,CAAA,GAAK,MAAA,CAAO,SAAS,CAAA,IAAM,CAAA;AAAA,IAC7C;AAAA,GACF;AACA,EAAA,MAAM,MAAA,GAAS,KAAK,YAAY,CAAA;AAChC,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAM,CAAA;AAC1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,KAAA,CAAM,MAAA;AACf;AAKA,SAAS,mBAAA,GAA8B;AACrC,EAAA,OAAO,kBAAkB,sBAAsB,CAAA;AACjD;AAKO,SAAS,mBAAA,GAA+B;AAC7C,EAAA,IAAI,OAAO,MAAA,KAAW,WAAA,EAAa,OAAO,KAAA;AAC1C,EAAA,OAAO,uBAAA,EAAwB;AACjC;AAKO,SAAS,mBAAA,GAAuD;AACrE,EAAA,IAAI,OAAO,MAAA,KAAW,WAAA,EAAa,OAAO,IAAA;AAE1C,EAAA,MAAM,MAAA,GAAS,YAAA,CAAa,OAAA,CAAQ,qBAAqB,CAAA;AACzD,EAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AAEpB,EAAA,IAAI;AACF,IAAA,OAAO,IAAA,CAAK,MAAM,MAAM,CAAA;AAAA,EAC1B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAKA,SAAS,gBAAgB,QAAA,EAA0C;AACjE,EAAA,YAAA,CAAa,OAAA,CAAQ,qBAAA,EAAuB,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC,CAAA;AACtE;AAKO,SAAS,sBAAA,GAA+B;AAC7C,EAAA,YAAA,CAAa,WAAW,qBAAqB,CAAA;AAC/C;AAKO,SAAS,gBAAA,GAA4B;AAC1C,EAAA,OAAO,qBAAoB,KAAM,IAAA;AACnC;AAWA,eAAsB,mBAAA,CACpB,QACA,QAAA,EACoC;AACpC,EAAA,IAAI,CAAC,qBAAoB,EAAG;AAC1B,IAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,EAC7D;AAEA,EAAA,MAAM,SAAA,GAAY,wBAAwB,EAAE,CAAA;AAC5C,EAAA,MAAM,YAAA,GAAe,kBAAkB,MAAM,CAAA;AAC7C,EAAA,MAAM,UAAU,mBAAA,EAAoB;AAGpC,EAAA,MAAM,mBAAA,GAA8D;AAAA,IAClE,SAAA;AAAA,IACA,EAAA,EAAI;AAAA,MACF,IAAA,EAAM,cAAA;AAAA,MACN,EAAA,EAAI,OAAO,QAAA,CAAS;AAAA,KACtB;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,EAAA,EAAI,YAAA;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,WAAA,EAAa,GAAG,QAAQ,CAAA,aAAA;AAAA,KAC1B;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB,EAAE,GAAA,EAAK,EAAA,EAAI,IAAA,EAAM,YAAA,EAAa;AAAA;AAAA,MAC9B,EAAE,GAAA,EAAK,IAAA,EAAM,IAAA,EAAM,YAAA;AAAa;AAAA,KAClC;AAAA,IACA,sBAAA,EAAwB;AAAA,MACtB,uBAAA,EAAyB,UAAA;AAAA,MACzB,WAAA,EAAa,UAAA;AAAA,MACb,gBAAA,EAAkB;AAAA,KACpB;AAAA,IACA,OAAA,EAAS,GAAA;AAAA,IACT,WAAA,EAAa,MAAA;AAAA,IACb,UAAA,EAAY;AAAA;AAAA,MAEV,GAAA,EAAK;AAAA,QACH,IAAA,EAAM;AAAA,UACJ,KAAA,EAAO,uBAAuB,OAAO;AAAA;AACvC;AACF;AACF,GACF;AAEA,EAAA,IAAI,YAAA;AACJ,EAAA,IAAI;AACF,IAAA,YAAA,GAAe,MAAM,kBAAkB,mBAAmB,CAAA;AAAA,EAC5D,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,iBAAiB,KAAA,EAAO;AAC1B,MAAA,IAAI,KAAA,CAAM,SAAS,iBAAA,EAAmB;AACpC,QAAA,MAAM,IAAI,MAAM,gCAAgC,CAAA;AAAA,MAClD;AACA,MAAA,IAAI,KAAA,CAAM,SAAS,mBAAA,EAAqB;AACtC,QAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,MAC7D;AAAA,IACF;AACA,IAAA,MAAM,KAAA;AAAA,EACR;AAEA,EAAA,MAAM,eAAe,YAAA,CAAa,EAAA;AAIlC,EAAA,MAAM,UAAA,GAAa,aAAa,sBAAA,EAAwB,GAAA;AAExD,EAAA,IAAI,UAAA;AACJ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,IAAI,UAAA,EAAY,SAAS,KAAA,EAAO;AAE9B,IAAA,MAAM,SAAA,GAAY,WAAW,OAAA,CAAQ,KAAA;AACrC,IAAA,IAAI,OAAO,cAAc,QAAA,EAAU;AACjC,MAAA,UAAA,GAAa,gBAAA,CAAiB,sBAAA,CAAuB,SAAS,CAAC,CAAA;AAAA,IACjE,CAAA,MAAO;AACL,MAAA,UAAA,GAAa,iBAAiB,SAAS,CAAA;AAAA,IACzC;AACA,IAAA,YAAA,GAAe,IAAA;AAAA,EACjB,CAAA,MAAA,IAAW,YAAY,OAAA,EAAS;AAE9B,IAAA,MAAM,SAAA,GAAY,MAAM,mBAAA,CAAoB,YAAY,CAAA;AACxD,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,MAAM,IAAI,MAAM,8CAA8C,CAAA;AAAA,IAChE;AACA,IAAA,UAAA,GAAa,SAAA;AACb,IAAA,YAAA,GAAe,IAAA;AAAA,EACjB,CAAA,MAAO;AAEL,IAAA,OAAA,CAAQ,KAAK,4DAA4D,CAAA;AACzE,IAAA,UAAA,GAAa,MAAM,uBAAA,CAAwB,YAAA,EAAc,MAAM,CAAA;AAC/D,IAAA,YAAA,GAAe,KAAA;AAAA,EACjB;AAGA,EAAA,MAAM,UAAA,GAAa,aAAa,QAAA,CAAS,UAAA;AAKzC,EAAA,eAAA,CAAgB;AAAA,IACd,YAAA;AAAA,IACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IAClC,MAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,OAAO;AAAA,IACL,UAAA;AAAA,IACA,YAAA;AAAA,IACA;AAAA,GACF;AACF;AAKA,eAAsB,oBACpB,YAAA,EACwB;AACxB,EAAA,IAAI,CAAC,qBAAoB,EAAG;AAC1B,IAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,EAC7D;AAEA,EAAA,MAAM,mBAAmB,mBAAA,EAAoB;AAC7C,EAAA,MAAM,kBAAA,GAAqB,gBAAgB,gBAAA,EAAkB,YAAA;AAE7D,EAAA,IAAI,CAAC,kBAAA,EAAoB;AACvB,IAAA,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAAA,EAC3C;AAEA,EAAA,MAAM,SAAA,GAAY,wBAAwB,EAAE,CAAA;AAC5C,EAAA,MAAM,UAAU,mBAAA,EAAoB;AAGpC,EAAA,MAAM,qBAAA,GAA+D;AAAA,IACnE,SAAA;AAAA,IACA,IAAA,EAAM,OAAO,QAAA,CAAS,QAAA;AAAA,IACtB,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,EAAA,EAAI,kBAAA;AAAA,QACJ,IAAA,EAAM,YAAA;AAAA,QACN,YAAY,gBAAA,EAAkB;AAAA;AAChC,KACF;AAAA,IACA,gBAAA,EAAkB,UAAA;AAAA,IAClB,OAAA,EAAS,GAAA;AAAA,IACT,UAAA,EAAY;AAAA;AAAA,MAEV,GAAA,EAAK;AAAA,QACH,IAAA,EAAM;AAAA,UACJ,KAAA,EAAO,uBAAuB,OAAO;AAAA;AACvC;AACF;AACF,GACF;AAEA,EAAA,IAAI,cAAA;AACJ,EAAA,IAAI;AACF,IAAA,cAAA,GAAiB,MAAM,oBAAoB,qBAAqB,CAAA;AAAA,EAClE,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,KAAA,YAAiB,KAAA,IAAS,KAAA,CAAM,IAAA,KAAS,iBAAA,EAAmB;AAE9D,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,MAAM,KAAA;AAAA,EACR;AAIA,EAAA,MAAM,UAAA,GAAa,eAAe,sBAAA,EAAwB,GAAA;AAE1D,EAAA,IAAI,UAAA,EAAY,SAAS,KAAA,EAAO;AAC9B,IAAA,MAAM,SAAA,GAAY,WAAW,OAAA,CAAQ,KAAA;AACrC,IAAA,IAAI,OAAO,cAAc,QAAA,EAAU;AACjC,MAAA,OAAO,gBAAA,CAAiB,sBAAA,CAAuB,SAAS,CAAC,CAAA;AAAA,IAC3D;AACA,IAAA,OAAO,iBAAiB,SAAS,CAAA;AAAA,EACnC;AAGA,EAAA,OAAA,CAAQ,KAAK,kDAAkD,CAAA;AAC/D,EAAA,IAAI,gBAAA,EAAkB;AACpB,IAAA,OAAO,uBAAA,CAAwB,kBAAA,EAAoB,gBAAA,CAAiB,MAAM,CAAA;AAAA,EAC5E;AAEA,EAAA,MAAM,IAAI,MAAM,iCAAiC,CAAA;AACnD;AAKA,eAAe,uBAAA,CACb,cACA,MAAA,EACiB;AACjB,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,WAAA,GAAc,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IACtC,KAAA;AAAA,IACA,OAAA,CAAQ,OAAO,YAAY,CAAA;AAAA,IAC3B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACf;AAEA,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,MAAA,CAAO,CAAA,aAAA,EAAgB,MAAM,CAAA,CAAE,CAAA;AAEpD,EAAA,MAAM,WAAA,GAAc,MAAM,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IACtC;AAAA,MACE,IAAA,EAAM,QAAA;AAAA,MACN,IAAA;AAAA,MACA,UAAA,EAAY,GAAA;AAAA,MACZ,IAAA,EAAM;AAAA,KACR;AAAA,IACA,WAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,OAAO,iBAAiB,WAAW,CAAA;AACrC;AAKA,eAAsB,mBAAA,GAAwC;AAC5D,EAAA,IAAI;AACF,IAAA,MAAM,UAAA,GAAa,MAAM,mBAAA,EAAoB;AAC7C,IAAA,OAAO,UAAA,KAAe,IAAA;AAAA,EACxB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAGO,IAAM,sBAAA,GAAyB","file":"index.mjs","sourcesContent":["/* eslint-disable no-undef */\n/**\n * Wallet Passkey Utilities\n *\n * This module provides WebAuthn passkey functionality with PRF (Pseudo-Random Function)\n * extension support for securely deriving encryption keys for wallet creation.\n *\n * Uses @simplewebauthn/browser for robust browser compatibility.\n */\n\nimport {\n startRegistration,\n startAuthentication,\n browserSupportsWebAuthn,\n} from \"@simplewebauthn/browser\";\nimport type {\n PublicKeyCredentialCreationOptionsJSON,\n PublicKeyCredentialRequestOptionsJSON,\n AuthenticationResponseJSON,\n RegistrationResponseJSON,\n} from \"@simplewebauthn/types\";\n\n// Salt used for PRF - this should be constant for your app\nconst WALLET_PRF_SALT_STRING = \"chipi-wallet-encryption-key-v1\";\n\n// Storage key for credential metadata\nconst WALLET_CREDENTIAL_KEY = \"chipi_wallet_passkey_credential\";\n\nexport interface WalletCredentialMetadata {\n credentialId: string;\n createdAt: string;\n userId: string;\n transports?: AuthenticatorTransport[];\n}\n\n/**\n * Generate a random base64url string for challenges\n */\nfunction generateRandomBase64URL(length: number = 32): string {\n const array = new Uint8Array(length);\n crypto.getRandomValues(array);\n return btoa(String.fromCharCode(...array))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=/g, \"\");\n}\n\n/**\n * Convert string to base64url\n */\nfunction stringToBase64URL(str: string): string {\n return btoa(str).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=/g, \"\");\n}\n\n/**\n * Convert ArrayBuffer to hex string\n */\nfunction arrayBufferToHex(buffer: ArrayBuffer): string {\n const bytes = new Uint8Array(buffer);\n return Array.from(bytes)\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/**\n * Convert base64url to ArrayBuffer\n */\nfunction base64URLToArrayBuffer(base64url: string): ArrayBuffer {\n const base64 = base64url.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const paddedBase64 = base64.padEnd(\n base64.length + ((4 - (base64.length % 4)) % 4),\n \"=\"\n );\n const binary = atob(paddedBase64);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes.buffer;\n}\n\n/**\n * Get PRF salt as base64url for SimpleWebAuthn\n */\nfunction getPRFSaltBase64URL(): string {\n return stringToBase64URL(WALLET_PRF_SALT_STRING);\n}\n\n/**\n * Check if WebAuthn is supported in this browser\n */\nexport function isWebAuthnSupported(): boolean {\n if (typeof window === \"undefined\") return false;\n return browserSupportsWebAuthn();\n}\n\n/**\n * Get stored credential metadata\n */\nexport function getStoredCredential(): WalletCredentialMetadata | null {\n if (typeof window === \"undefined\") return null;\n\n const stored = localStorage.getItem(WALLET_CREDENTIAL_KEY);\n if (!stored) return null;\n\n try {\n return JSON.parse(stored) as WalletCredentialMetadata;\n } catch {\n return null;\n }\n}\n\n/**\n * Store credential metadata\n */\nfunction storeCredential(metadata: WalletCredentialMetadata): void {\n localStorage.setItem(WALLET_CREDENTIAL_KEY, JSON.stringify(metadata));\n}\n\n/**\n * Remove stored credential\n */\nexport function removeStoredCredential(): void {\n localStorage.removeItem(WALLET_CREDENTIAL_KEY);\n}\n\n/**\n * Check if a wallet passkey already exists\n */\nexport function hasWalletPasskey(): boolean {\n return getStoredCredential() !== null;\n}\n\nexport interface CreateWalletPasskeyResult {\n encryptKey: string;\n credentialId: string;\n prfSupported: boolean;\n}\n\n/**\n * Create a new wallet passkey with PRF extension\n */\nexport async function createWalletPasskey(\n userId: string,\n userName: string\n): Promise<CreateWalletPasskeyResult> {\n if (!isWebAuthnSupported()) {\n throw new Error(\"WebAuthn is not supported in this browser\");\n }\n\n const challenge = generateRandomBase64URL(32);\n const userIdBase64 = stringToBase64URL(userId);\n const prfSalt = getPRFSaltBase64URL();\n\n // Build registration options for SimpleWebAuthn\n const registrationOptions: PublicKeyCredentialCreationOptionsJSON = {\n challenge,\n rp: {\n name: \"Chipi Wallet\",\n id: window.location.hostname,\n },\n user: {\n id: userIdBase64,\n name: userName,\n displayName: `${userName} - Wallet Key`,\n },\n pubKeyCredParams: [\n { alg: -7, type: \"public-key\" }, // ES256\n { alg: -257, type: \"public-key\" }, // RS256\n ],\n authenticatorSelection: {\n authenticatorAttachment: \"platform\",\n residentKey: \"required\",\n userVerification: \"required\",\n },\n timeout: 60000,\n attestation: \"none\",\n extensions: {\n // @ts-expect-error - PRF extension not in types yet\n prf: {\n eval: {\n first: base64URLToArrayBuffer(prfSalt),\n },\n },\n },\n };\n\n let registration: RegistrationResponseJSON;\n try {\n registration = await startRegistration(registrationOptions);\n } catch (error) {\n if (error instanceof Error) {\n if (error.name === \"NotAllowedError\") {\n throw new Error(\"Passkey creation was cancelled\");\n }\n if (error.name === \"InvalidStateError\") {\n throw new Error(\"A passkey already exists for this account\");\n }\n }\n throw error;\n }\n\n const credentialId = registration.id;\n\n // Check PRF results\n // @ts-expect-error - PRF extension not in types\n const prfResults = registration.clientExtensionResults?.prf;\n\n let encryptKey: string;\n let prfSupported = false;\n\n if (prfResults?.results?.first) {\n // PRF was evaluated during creation\n const prfOutput = prfResults.results.first;\n if (typeof prfOutput === \"string\") {\n encryptKey = arrayBufferToHex(base64URLToArrayBuffer(prfOutput));\n } else {\n encryptKey = arrayBufferToHex(prfOutput);\n }\n prfSupported = true;\n } else if (prfResults?.enabled) {\n // PRF is supported but needs assertion to get output\n const prfOutput = await getWalletEncryptKey(credentialId);\n if (!prfOutput) {\n throw new Error(\"Failed to derive encryption key from passkey\");\n }\n encryptKey = prfOutput;\n prfSupported = true;\n } else {\n // PRF not supported - use fallback derivation\n console.warn(\"PRF extension not supported, using fallback key derivation\");\n encryptKey = await deriveKeyFromCredential(credentialId, userId);\n prfSupported = false;\n }\n\n // Get transports if available\n const transports = registration.response.transports as\n | AuthenticatorTransport[]\n | undefined;\n\n // Store credential metadata\n storeCredential({\n credentialId,\n createdAt: new Date().toISOString(),\n userId,\n transports,\n });\n\n return {\n encryptKey,\n credentialId,\n prfSupported,\n };\n}\n\n/**\n * Get the encryption key by authenticating with the wallet passkey\n */\nexport async function getWalletEncryptKey(\n credentialId?: string\n): Promise<string | null> {\n if (!isWebAuthnSupported()) {\n throw new Error(\"WebAuthn is not supported in this browser\");\n }\n\n const storedCredential = getStoredCredential();\n const targetCredentialId = credentialId || storedCredential?.credentialId;\n\n if (!targetCredentialId) {\n throw new Error(\"No wallet passkey found\");\n }\n\n const challenge = generateRandomBase64URL(32);\n const prfSalt = getPRFSaltBase64URL();\n\n // Build authentication options\n const authenticationOptions: PublicKeyCredentialRequestOptionsJSON = {\n challenge,\n rpId: window.location.hostname,\n allowCredentials: [\n {\n id: targetCredentialId,\n type: \"public-key\",\n transports: storedCredential?.transports,\n },\n ],\n userVerification: \"required\",\n timeout: 60000,\n extensions: {\n // @ts-expect-error - PRF extension not in types\n prf: {\n eval: {\n first: base64URLToArrayBuffer(prfSalt),\n },\n },\n },\n };\n\n let authentication: AuthenticationResponseJSON;\n try {\n authentication = await startAuthentication(authenticationOptions);\n } catch (error) {\n if (error instanceof Error && error.name === \"NotAllowedError\") {\n // User cancelled\n return null;\n }\n throw error;\n }\n\n // Check PRF results\n // @ts-expect-error - PRF extension not in types\n const prfResults = authentication.clientExtensionResults?.prf;\n\n if (prfResults?.results?.first) {\n const prfOutput = prfResults.results.first;\n if (typeof prfOutput === \"string\") {\n return arrayBufferToHex(base64URLToArrayBuffer(prfOutput));\n }\n return arrayBufferToHex(prfOutput);\n }\n\n // PRF not available, use fallback\n console.warn(\"PRF not available, using fallback key derivation\");\n if (storedCredential) {\n return deriveKeyFromCredential(targetCredentialId, storedCredential.userId);\n }\n\n throw new Error(\"Unable to derive encryption key\");\n}\n\n/**\n * Fallback key derivation when PRF is not supported\n */\nasync function deriveKeyFromCredential(\n credentialId: string,\n userId: string\n): Promise<string> {\n const encoder = new TextEncoder();\n const keyMaterial = await crypto.subtle.importKey(\n \"raw\",\n encoder.encode(credentialId),\n \"PBKDF2\",\n false,\n [\"deriveBits\"]\n );\n\n const salt = encoder.encode(`chipi-wallet-${userId}`);\n\n const derivedBits = await crypto.subtle.deriveBits(\n {\n name: \"PBKDF2\",\n salt,\n iterations: 100000,\n hash: \"SHA-256\",\n },\n keyMaterial,\n 256\n );\n\n return arrayBufferToHex(derivedBits);\n}\n\n/**\n * Verify that the stored passkey is still valid\n */\nexport async function verifyWalletPasskey(): Promise<boolean> {\n try {\n const encryptKey = await getWalletEncryptKey();\n return encryptKey !== null;\n } catch {\n return false;\n }\n}\n\n// Re-export for backwards compatibility\nexport const isWebAuthnPRFSupported = isWebAuthnSupported;\n"]}

package/package.json ADDED Viewed

@@ -0,0 +1,79 @@
+{
+  "name": "@chipi-stack/chipi-passkey",
+  "version": "0.1.0",
+  "description": "Chipi Passkey SDK - WebAuthn passkey utilities for secure wallet encryption",
+  "homepage": "https://github.com/chipi-pay/chipi-sdk",
+  "bugs": {
+    "url": "https://github.com/chipi-pay/chipi-sdk/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/chipi-pay/chipi-sdk.git",
+    "directory": "sdks/chipi-passkey"
+  },
+  "license": "MIT",
+  "author": "Chipi Pay",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.mts",
+        "default": "./dist/index.mjs"
+      },
+      "require": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      }
+    },
+    "./hooks": {
+      "import": {
+        "types": "./dist/hooks.d.mts",
+        "default": "./dist/hooks.mjs"
+      },
+      "require": {
+        "types": "./dist/hooks.d.ts",
+        "default": "./dist/hooks.js"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "hooks"
+  ],
+  "dependencies": {
+    "@simplewebauthn/browser": "^10.0.0",
+    "@simplewebauthn/types": "^12.0.0",
+    "@chipi-stack/types": "^12.4.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.15.15",
+    "@types/react": "^18.3.0",
+    "eslint": "^9.33.0",
+    "prettier": "^3.0.0",
+    "react": "^18.3.0",
+    "rimraf": "^5.0.0",
+    "tsup": "^8.3.6",
+    "typescript": "^5.7.3"
+  },
+  "peerDependencies": {
+    "react": ">=18.0.0"
+  },
+  "engines": {
+    "node": ">=18.17.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsup",
+    "clean": "rimraf ./dist",
+    "dev": "tsup --watch",
+    "format": "prettier --write src/**/*.ts",
+    "format:check": "prettier --check src/**/*.ts",
+    "lint": "eslint src",
+    "typecheck": "tsc --noEmit"
+  }
+}