npm - @glydi/passkey-firebase - Versions diffs - 0.1.0 - Mend

@glydi/passkey-firebase 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +84 -0
package/dist/chunk-JP6DMV6X.js +21 -0
package/dist/chunk-JP6DMV6X.js.map +1 -0
package/dist/client.d.ts +40 -0
package/dist/client.js +15 -0
package/dist/client.js.map +1 -0
package/dist/express.d.ts +122 -0
package/dist/express.js +163 -0
package/dist/express.js.map +1 -0
package/dist/server.d.ts +66 -0
package/dist/server.js +3 -0
package/dist/server.js.map +1 -0
package/package.json +60 -0

package/README.md ADDED Viewed

@@ -0,0 +1,84 @@
+# @glydi/passkey-firebase
+Drop **Glide passkeys** onto an app that already uses **Firebase Auth** — without
+replacing anything. A passkey login becomes *another door into the same Firebase
+session*: your existing `verifyIdToken` middleware, custom-claim roles, and user
+records keep working untouched.
+```
+passkey verified  →  mint Firebase custom token  →  signInWithCustomToken  →  normal Firebase session
+   (Glide)              (this package, server)         (this package, client)        (your app, unchanged)
+```
+Three tree-shakeable entry points:
+| Import | Side | Purpose |
+|---|---|---|
+| `@glydi/passkey-firebase/server` | backend | `createFirebaseBridge({ auth })` → an `onAuthSuccess` that mints a custom token and returns it in the response |
+| `@glydi/passkey-firebase/express` | backend | `toExpressHandler(handler)` — adapts Glide's Web-standard handler to Express `(req, res)` |
+| `@glydi/passkey-firebase/client` | browser | `completePasskeySignIn(auth, result)` — exchanges the minted token via `signInWithCustomToken` |
+Peers (install what you use): `firebase-admin` (server), `firebase` (client),
+`express` (express adapter), `@glydi/passkey-server`.
+## Server (Express)
+```ts
+import { getAuth } from "firebase-admin/auth";
+import { Router } from "express";
+import { createGlideServer, createPasskeyRouteHandler } from "@glydi/passkey-server";
+import { createFirebaseBridge } from "@glydi/passkey-firebase/server";
+import { toExpressHandler } from "@glydi/passkey-firebase/express";
+const glide = createGlideServer({ rpName, rpID, origin, store }); // store: your GlideStore
+const glideHandler = toExpressHandler(
+  createPasskeyRouteHandler({
+    server: glide,
+    getSessionId,                                   // read/set the glide_sid cookie
+    getUserId: async (req) => req.user?.uid,        // verified Firebase UID (register-*)
+    onAuthSuccess: createFirebaseBridge({ auth: getAuth() }),
+  }),
+);
+const router = Router();
+// Login: public — the passkey IS the proof.
+router.post("/authenticate-begin", glideHandler);
+router.post("/authenticate-finish", glideHandler);
+// Register (add-a-passkey): behind your existing auth — links to the signed-in UID.
+router.post("/register-begin", requireAuth, glideHandler);
+router.post("/register-finish", requireAuth, glideHandler);
+```
+> **Identity rule:** your `GlideStore` must set `user.id` to the **Firebase UID**.
+> `createFirebaseBridge` mints the token for exactly that id.
+## Client
+```tsx
+import { getAuth } from "firebase/auth";
+import { PasskeyButton } from "@glydi/passkey-react";
+import { completePasskeySignIn } from "@glydi/passkey-firebase/client";
+<PasskeyButton
+  mode="signin"
+  endpoints={{
+    authenticateBegin: `${API}/api/v1/passkey/authenticate-begin`,
+    authenticateFinish: `${API}/api/v1/passkey/authenticate-finish`,
+    registerBegin: `${API}/api/v1/passkey/register-begin`,
+    registerFinish: `${API}/api/v1/passkey/register-finish`,
+  }}
+  fetchOptions={{ credentials: "include" }}            // carries the glide_sid cookie
+  onSuccess={(result) => completePasskeySignIn(getAuth(), result)}
+/>
+```
+After `completePasskeySignIn`, Firebase's `onIdTokenChanged` fires and your app
+proceeds exactly as if the user signed in any other way.
+## Cross-origin note
+If your web app and API are on different domains, the `glide_sid` cookie must be
+`SameSite=None; Secure`, the client must send `credentials: "include"` (set above),
+and the API's CORS must allow credentials and echo the web origin. `rpID` is the
+**browser** domain (where the button renders), independent of where the API runs.

package/dist/chunk-JP6DMV6X.js ADDED Viewed

@@ -0,0 +1,21 @@
+// src/server.ts
+function createFirebaseBridge(options) {
+  const field = options.tokenField ?? "accessToken";
+  return async function onAuthSuccess(user) {
+    if (!user?.id) {
+      throw new Error(
+        "[glide-firebase] Cannot mint a custom token: the verified user has no id. Ensure your GlideStore sets user.id to the Firebase UID."
+      );
+    }
+    const claims = options.developerClaims ? await options.developerClaims(user) : void 0;
+    const token = await options.auth.createCustomToken(
+      user.id,
+      claims
+    );
+    return { [field]: token };
+  };
+}
+export { createFirebaseBridge };
+//# sourceMappingURL=out.js.map
+//# sourceMappingURL=chunk-JP6DMV6X.js.map

package/dist/chunk-JP6DMV6X.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/server.ts"],"names":[],"mappings":";AAqEO,SAAS,qBACd,SAC+E;AAC/E,QAAM,QAAQ,QAAQ,cAAc;AAEpC,SAAO,eAAe,cAAc,MAAM;AACxC,QAAI,CAAC,MAAM,IAAI;AACb,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AAEA,UAAM,SAAS,QAAQ,kBACnB,MAAM,QAAQ,gBAAgB,IAAI,IAClC;AAEJ,UAAM,QAAQ,MAAM,QAAQ,KAAK;AAAA,MAC/B,KAAK;AAAA,MACL;AAAA,IACF;AAEA,WAAO,EAAE,CAAC,KAAK,GAAG,MAAM;AAAA,EAC1B;AACF","sourcesContent":["/**\n * Server bridge: Glide passkey → Firebase custom token.\n *\n * Glide's WebAuthn ceremony verifies the user and hands you `{ user }` (where\n * `user.id` is whatever id your store assigned — set it to the Firebase UID).\n * This bridge turns that verified user into a *Firebase custom token* by calling\n * `admin.auth().createCustomToken(uid)`, and returns it shaped so Glide's route\n * handler merges it into the JSON response (`{ accessToken }`). The browser then\n * exchanges it via `signInWithCustomToken` (see `@glydi/passkey-firebase/client`).\n *\n * The net effect: a passkey login becomes *another door into the same Firebase\n * session* — your existing `verifyIdToken` middleware, custom-claim roles, and\n * user records keep working untouched.\n *\n * @example\n * ```ts\n * import { getAuth } from \"firebase-admin/auth\";\n * import { createPasskeyRouteHandler } from \"@glydi/passkey-server\";\n * import { createFirebaseBridge } from \"@glydi/passkey-firebase/server\";\n *\n * const handler = createPasskeyRouteHandler({\n * server: glide,\n * getSessionId,\n * getUserId, // verified Firebase UID (register-*)\n * onAuthSuccess: createFirebaseBridge({ auth: getAuth() }),\n * });\n * ```\n */\n\nimport type { Auth } from \"firebase-admin/auth\";\n\n/** The authenticated-user shape Glide hands to `onAuthSuccess`. */\nexport interface GlideBridgeUser {\n /** Stable user id from your store — MUST be the Firebase UID for the bridge. */\n id: string;\n name?: string;\n email?: string;\n}\n\nexport interface FirebaseBridgeOptions {\n /**\n * A firebase-admin `Auth` instance, e.g. `getAuth()` from \"firebase-admin/auth\".\n * Injected (not imported) so this package never bundles firebase-admin and you\n * keep a single initialized Admin app.\n */\n auth: Auth;\n\n /**\n * Optional: extra Firebase custom claims to embed in *this* minted token.\n * Receives the Glide user (`user.id` === Firebase UID). Useful for one-shot\n * claims; for durable role claims prefer `auth.setCustomUserClaims(uid, ...)`\n * in your own onboarding flow.\n */\n developerClaims?: (\n user: GlideBridgeUser,\n ) => Record<string, unknown> | Promise<Record<string, unknown>>;\n\n /**\n * Response field that carries the minted token to the client.\n * Defaults to `\"accessToken\"` (already typed on Glide's `AuthResult`, so the\n * client helper and React `onSuccess` see it with no extra wiring).\n */\n tokenField?: string;\n}\n\n/**\n * Build an `onAuthSuccess` callback for `createPasskeyRouteHandler` that mints a\n * Firebase custom token for the verified user and returns it in the response body.\n */\nexport function createFirebaseBridge(\n options: FirebaseBridgeOptions,\n): (user: GlideBridgeUser, request?: unknown) => Promise<Record<string, string>> {\n const field = options.tokenField ?? \"accessToken\";\n\n return async function onAuthSuccess(user) {\n if (!user?.id) {\n throw new Error(\n \"[glide-firebase] Cannot mint a custom token: the verified user has no id. \" +\n \"Ensure your GlideStore sets user.id to the Firebase UID.\",\n );\n }\n\n const claims = options.developerClaims\n ? await options.developerClaims(user)\n : undefined;\n\n const token = await options.auth.createCustomToken(\n user.id,\n claims as object | undefined,\n );\n\n return { [field]: token };\n };\n}\n"]}

package/dist/client.d.ts ADDED Viewed

@@ -0,0 +1,40 @@
+import { Auth, UserCredential } from 'firebase/auth';
+/**
+ * Client helper: exchange a Glide passkey result for a Firebase session.
+ *
+ * After a passkey ceremony succeeds, Glide's `onSuccess(result)` carries the
+ * minted Firebase custom token on `result.accessToken` (because the server
+ * bridge returned it). Hand that to Firebase and you get a normal signed-in
+ * session — `onIdTokenChanged` fires and the rest of your app proceeds exactly
+ * as if the user had signed in any other way.
+ *
+ * @example
+ * ```ts
+ * import { getAuth } from "firebase/auth";
+ * import { completePasskeySignIn } from "@glydi/passkey-firebase/client";
+ *
+ * <PasskeyButton
+ *   mode="signin"
+ *   endpoints={{ ... }}
+ *   fetchOptions={{ credentials: "include" }}
+ *   onSuccess={(result) => completePasskeySignIn(getAuth(), result)}
+ * />
+ * ```
+ */
+/** Minimal shape of Glide's `AuthResult` this helper needs. */
+interface PasskeyResultLike {
+    /** Firebase custom token minted by the server bridge (`createFirebaseBridge`). */
+    accessToken?: string;
+}
+/**
+ * Complete a Glide passkey sign-in by exchanging the minted custom token for a
+ * Firebase session via `signInWithCustomToken`.
+ *
+ * @throws if `result.accessToken` is missing — almost always means the server
+ *   side isn't wired to `createFirebaseBridge` (so no token was returned).
+ */
+declare function completePasskeySignIn(auth: Auth, result: PasskeyResultLike): Promise<UserCredential>;
+export { type PasskeyResultLike, completePasskeySignIn };

package/dist/client.js ADDED Viewed

@@ -0,0 +1,15 @@
+import { signInWithCustomToken } from 'firebase/auth';
+// src/client.ts
+async function completePasskeySignIn(auth, result) {
+  if (!result?.accessToken) {
+    throw new Error(
+      "[glide-firebase] Passkey result has no accessToken to exchange. Wire your server's onAuthSuccess to createFirebaseBridge() so it mints and returns a Firebase custom token."
+    );
+  }
+  return signInWithCustomToken(auth, result.accessToken);
+}
+export { completePasskeySignIn };
+//# sourceMappingURL=out.js.map
+//# sourceMappingURL=client.js.map

package/dist/client.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/client.ts"],"names":[],"mappings":";AAuBA,SAAS,6BAA6B;AAgBtC,eAAsB,sBACpB,MACA,QACyB;AACzB,MAAI,CAAC,QAAQ,aAAa;AACxB,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AACA,SAAO,sBAAsB,MAAM,OAAO,WAAW;AACvD","sourcesContent":["/**\n * Client helper: exchange a Glide passkey result for a Firebase session.\n *\n * After a passkey ceremony succeeds, Glide's `onSuccess(result)` carries the\n * minted Firebase custom token on `result.accessToken` (because the server\n * bridge returned it). Hand that to Firebase and you get a normal signed-in\n * session — `onIdTokenChanged` fires and the rest of your app proceeds exactly\n * as if the user had signed in any other way.\n *\n * @example\n * ```ts\n * import { getAuth } from \"firebase/auth\";\n * import { completePasskeySignIn } from \"@glydi/passkey-firebase/client\";\n *\n * <PasskeyButton\n * mode=\"signin\"\n * endpoints={{ ... }}\n * fetchOptions={{ credentials: \"include\" }}\n * onSuccess={(result) => completePasskeySignIn(getAuth(), result)}\n * />\n * ```\n */\n\nimport { signInWithCustomToken } from \"firebase/auth\";\nimport type { Auth, UserCredential } from \"firebase/auth\";\n\n/** Minimal shape of Glide's `AuthResult` this helper needs. */\nexport interface PasskeyResultLike {\n /** Firebase custom token minted by the server bridge (`createFirebaseBridge`). */\n accessToken?: string;\n}\n\n/**\n * Complete a Glide passkey sign-in by exchanging the minted custom token for a\n * Firebase session via `signInWithCustomToken`.\n *\n * @throws if `result.accessToken` is missing — almost always means the server\n * side isn't wired to `createFirebaseBridge` (so no token was returned).\n */\nexport async function completePasskeySignIn(\n auth: Auth,\n result: PasskeyResultLike,\n): Promise<UserCredential> {\n if (!result?.accessToken) {\n throw new Error(\n \"[glide-firebase] Passkey result has no accessToken to exchange. Wire your \" +\n \"server's onAuthSuccess to createFirebaseBridge() so it mints and returns \" +\n \"a Firebase custom token.\",\n );\n }\n return signInWithCustomToken(auth, result.accessToken);\n}\n"]}

package/dist/express.d.ts ADDED Viewed

@@ -0,0 +1,122 @@
+import { RequestHandler, Request as Request$1, Response as Response$1, Router } from 'express';
+import { createGlideServer } from '@glydi/passkey-server';
+import { Auth } from 'firebase-admin/auth';
+import { GlideBridgeUser } from './server.js';
+/**
+ * Express adapter for Glide's Web-standard route handler.
+ *
+ * `@glydi/passkey-server` ships a single framework-neutral
+ * `(request: Request) => Promise<Response>` handler. Express 5 speaks Node
+ * `req`/`res`, not Web `Request`/`Response`, so this shim bridges the two:
+ *   Express req → Web Request → [Glide handler] → Web Response → Express res
+ *
+ * It preserves status, headers, and — crucially — multiple `Set-Cookie` headers
+ * (the `glide_sid` pre-auth cookie rides here).
+ *
+ * Body: the adapter expects a JSON body parser (e.g. `express.json()`) to have
+ * populated `req.body`, which is the norm — the Glide client always POSTs
+ * `content-type: application/json`. The parsed body is re-serialized into the
+ * Web Request so the handler's `request.json()` works.
+ *
+ * @example
+ * ```ts
+ * import { Router } from "express";
+ * import { createPasskeyRouteHandler } from "@glydi/passkey-server";
+ * import { toExpressHandler } from "@glydi/passkey-firebase/express";
+ *
+ * const glideHandler = toExpressHandler(createPasskeyRouteHandler({ ... }));
+ * const router = Router();
+ * router.post("/authenticate-begin", glideHandler);
+ * router.post("/authenticate-finish", glideHandler);
+ * router.post("/register-begin", requireAuth, glideHandler);
+ * router.post("/register-finish", requireAuth, glideHandler);
+ * ```
+ */
+/** The Web-standard handler returned by `createPasskeyRouteHandler`. */
+type GlideRequestHandler = (request: Request) => Promise<Response>;
+interface ExpressAdapterOptions {
+    /**
+     * Absolute base origin used to construct the Web Request URL (the `Request`
+     * constructor requires an absolute URL). Glide only reads the *last* path
+     * segment, so the host is cosmetic — but it must parse. Defaults to inferring
+     * `${req.protocol}://${req.get("host")}` per request. Override when behind a
+     * proxy that rewrites the path.
+     */
+    origin?: string;
+}
+/**
+ * Wrap Glide's Web-standard handler as an Express `(req, res)` handler.
+ */
+declare function toExpressHandler(handler: GlideRequestHandler, options?: ExpressAdapterOptions): (req: Request$1, res: Response$1) => Promise<void>;
+/** Cookie settings for the `glide_sid` pre-auth (challenge-binding) cookie. */
+interface GlideSidCookieOptions {
+    /** Cookie name. Default `"glide_sid"`. */
+    name?: string;
+    /** `Secure` flag. Default `true` (required when `sameSite: "none"`). */
+    secure?: boolean;
+    /**
+     * `SameSite`. Default `"none"` (prod cross-site). Use `"lax"` for same-site
+     * local dev over http (where a `Secure` `None` cookie won't be set).
+     */
+    sameSite?: "lax" | "none" | "strict";
+    /** Optional `Domain` (e.g. `.example.com` to share across subdomains). */
+    domain?: string;
+    /** `Path`. Default `"/"`. */
+    path?: string;
+    /** Lifetime in ms. Default 10 minutes — only needs to outlive one ceremony. */
+    maxAgeMs?: number;
+}
+interface ExpressPasskeyRouterOptions {
+    /** The GlideServer from `createGlideServer()`. */
+    server: ReturnType<typeof createGlideServer>;
+    /** firebase-admin `Auth` (e.g. `getAuth()`) used to mint the custom token. */
+    auth: Auth;
+    /**
+     * Your existing auth middleware. Gates the `register-*` (add-a-passkey)
+     * routes so a passkey can only be attached by an already-signed-in user.
+     */
+    requireAuth: RequestHandler;
+    /**
+     * Pull the verified Firebase UID out of the request *after* `requireAuth`
+     * ran — e.g. `(_, res) => res.locals.user?.uid`. The new credential is bound
+     * to this UID, so your GlideStore's `user.id` must equal the Firebase UID.
+     */
+    getUserId: (req: Request$1, res: Response$1) => string | undefined | Promise<string | undefined>;
+    /** `glide_sid` cookie options (see {@link GlideSidCookieOptions}). */
+    cookie?: GlideSidCookieOptions;
+    /** Extra Firebase custom claims to embed in the minted login token. */
+    developerClaims?: (user: GlideBridgeUser) => Record<string, unknown> | Promise<Record<string, unknown>>;
+    /** Response field carrying the minted token. Default `"accessToken"`. */
+    tokenField?: string;
+}
+/**
+ * Build an Express `Router` exposing the four passkey ceremonies for a Firebase
+ * app. Mount it under your passkey path (e.g. `/api/v1/passkey`):
+ *
+ * - `POST /register-begin`  · `POST /register-finish`  — gated by `requireAuth`;
+ *   attaches a new passkey to the signed-in Firebase UID.
+ * - `POST /authenticate-begin` · `POST /authenticate-finish` — public; on success
+ *   mints a Firebase custom token and returns it as `accessToken` for the client
+ *   to exchange via `signInWithCustomToken`.
+ *
+ * @example
+ * ```ts
+ * import { getAuth } from "firebase-admin/auth";
+ * import { createGlideServer } from "@glydi/passkey-server";
+ * import { createExpressPasskeyRouter } from "@glydi/passkey-firebase/express";
+ *
+ * const glide = createGlideServer({ rpName, rpID, origin, store });
+ * app.use("/api/v1/passkey", createExpressPasskeyRouter({
+ *   server: glide,
+ *   auth: getAuth(),
+ *   requireAuth,
+ *   getUserId: (_req, res) => res.locals.user?.uid,
+ *   cookie: { secure: isProd, sameSite: isProd ? "none" : "lax" },
+ * }));
+ * ```
+ */
+declare function createExpressPasskeyRouter(options: ExpressPasskeyRouterOptions): Router;
+export { type ExpressAdapterOptions, type ExpressPasskeyRouterOptions, type GlideRequestHandler, type GlideSidCookieOptions, createExpressPasskeyRouter, toExpressHandler };

package/dist/express.js ADDED Viewed

@@ -0,0 +1,163 @@
+import { createFirebaseBridge } from './chunk-JP6DMV6X.js';
+import { Router } from 'express';
+import { randomUUID } from 'node:crypto';
+import { GlideServerError } from '@glydi/passkey-server';
+function toWebRequest(req, origin) {
+  const base = origin ?? `${req.protocol}://${req.get("host") ?? "localhost"}`;
+  const url = new URL(req.originalUrl, base).toString();
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (value === void 0)
+      continue;
+    if (Array.isArray(value)) {
+      for (const v of value)
+        headers.append(key, v);
+    } else {
+      headers.set(key, value);
+    }
+  }
+  let body;
+  if (req.body !== void 0 && req.body !== null) {
+    body = typeof req.body === "string" ? req.body : JSON.stringify(req.body);
+    if (!headers.has("content-type")) {
+      headers.set("content-type", "application/json");
+    }
+  }
+  const init = { method: req.method, headers };
+  if (body !== void 0 && req.method !== "GET" && req.method !== "HEAD") {
+    init.body = body;
+  }
+  return new Request(url, init);
+}
+async function writeWebResponse(webResponse, res) {
+  res.status(webResponse.status);
+  const setCookies = typeof webResponse.headers.getSetCookie === "function" ? webResponse.headers.getSetCookie() : [];
+  webResponse.headers.forEach((value, key) => {
+    if (key.toLowerCase() === "set-cookie")
+      return;
+    res.setHeader(key, value);
+  });
+  for (const cookie of setCookies) {
+    res.appendHeader("set-cookie", cookie);
+  }
+  const buf = Buffer.from(await webResponse.arrayBuffer());
+  res.end(buf);
+}
+function toExpressHandler(handler, options = {}) {
+  return async (req, res) => {
+    const webRequest = toWebRequest(req, options.origin);
+    const webResponse = await handler(webRequest);
+    await writeWebResponse(webResponse, res);
+  };
+}
+function parseCookie(header, name) {
+  if (!header)
+    return void 0;
+  for (const part of header.split(";")) {
+    const eq = part.indexOf("=");
+    if (eq === -1)
+      continue;
+    if (part.slice(0, eq).trim() === name) {
+      return decodeURIComponent(part.slice(eq + 1).trim());
+    }
+  }
+  return void 0;
+}
+function readOrSetSid(req, res, opts) {
+  const name = opts.name ?? "glide_sid";
+  const existing = parseCookie(req.headers.cookie, name);
+  if (existing)
+    return existing;
+  const sid = randomUUID();
+  res.cookie(name, sid, {
+    httpOnly: true,
+    secure: opts.secure ?? true,
+    sameSite: opts.sameSite ?? "none",
+    ...opts.domain ? { domain: opts.domain } : {},
+    path: opts.path ?? "/",
+    maxAge: opts.maxAgeMs ?? 10 * 60 * 1e3
+  });
+  return sid;
+}
+function readSid(req, opts) {
+  return parseCookie(req.headers.cookie, opts.name ?? "glide_sid");
+}
+function guarded(fn) {
+  return async (req, res) => {
+    try {
+      await fn(req, res);
+    } catch (err) {
+      if (err instanceof GlideServerError) {
+        res.status(400).json({ error: err.code, message: err.message });
+      } else {
+        console.error("[glide-firebase] unexpected error", err);
+        res.status(500).json({ error: "internal" });
+      }
+    }
+  };
+}
+function createExpressPasskeyRouter(options) {
+  const router = Router();
+  const cookieOpts = options.cookie ?? {};
+  const mint = createFirebaseBridge({
+    auth: options.auth,
+    ...options.developerClaims ? { developerClaims: options.developerClaims } : {},
+    ...options.tokenField ? { tokenField: options.tokenField } : {}
+  });
+  router.post(
+    "/register-begin",
+    options.requireAuth,
+    guarded(async (req, res) => {
+      const sessionId = readOrSetSid(req, res, cookieOpts);
+      const userId = await options.getUserId(req, res);
+      if (!userId) {
+        res.status(401).json({ error: "unauthenticated" });
+        return;
+      }
+      res.json(await options.server.registerBegin({ sessionId, userId }));
+    })
+  );
+  router.post(
+    "/register-finish",
+    options.requireAuth,
+    guarded(async (req, res) => {
+      const sessionId = readSid(req, cookieOpts);
+      if (!sessionId)
+        throw new GlideServerError("no_challenge", "No active challenge.");
+      res.json(await options.server.registerFinish({ sessionId, body: req.body }));
+    })
+  );
+  router.post(
+    "/authenticate-begin",
+    guarded(async (req, res) => {
+      const sessionId = readOrSetSid(req, res, cookieOpts);
+      const username = typeof req.body?.username === "string" ? req.body.username : void 0;
+      res.json(
+        await options.server.authenticateBegin({
+          sessionId,
+          ...username ? { username } : {}
+        })
+      );
+    })
+  );
+  router.post(
+    "/authenticate-finish",
+    guarded(async (req, res) => {
+      const sessionId = readSid(req, cookieOpts);
+      if (!sessionId)
+        throw new GlideServerError("no_challenge", "No active challenge.");
+      const result = await options.server.authenticateFinish({
+        sessionId,
+        body: req.body
+      });
+      const extra = await mint(result.user);
+      res.json({ ...result, ...extra });
+    })
+  );
+  return router;
+}
+export { createExpressPasskeyRouter, toExpressHandler };
+//# sourceMappingURL=out.js.map
+//# sourceMappingURL=express.js.map

package/dist/express.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/express.ts"],"names":[],"mappings":";;;;;AA+BA,SAAS,cAAc;AAMvB,SAAS,kBAAkB;AAC3B,SAAS,wBAAwB;AAmBjC,SAAS,aAAa,KAAqB,QAA0B;AACnE,QAAM,OACJ,UAAU,GAAG,IAAI,QAAQ,MAAM,IAAI,IAAI,MAAM,KAAK,WAAW;AAG/D,QAAM,MAAM,IAAI,IAAI,IAAI,aAAa,IAAI,EAAE,SAAS;AAEpD,QAAM,UAAU,IAAI,QAAQ;AAC5B,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,IAAI,OAAO,GAAG;AACtD,QAAI,UAAU;AAAW;AACzB,QAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,iBAAW,KAAK;AAAO,gBAAQ,OAAO,KAAK,CAAC;AAAA,IAC9C,OAAO;AACL,cAAQ,IAAI,KAAK,KAAK;AAAA,IACxB;AAAA,EACF;AAIA,MAAI;AACJ,MAAI,IAAI,SAAS,UAAa,IAAI,SAAS,MAAM;AAC/C,WAAO,OAAO,IAAI,SAAS,WAAW,IAAI,OAAO,KAAK,UAAU,IAAI,IAAI;AACxE,QAAI,CAAC,QAAQ,IAAI,cAAc,GAAG;AAChC,cAAQ,IAAI,gBAAgB,kBAAkB;AAAA,IAChD;AAAA,EACF;AAEA,QAAM,OAAoB,EAAE,QAAQ,IAAI,QAAQ,QAAQ;AAExD,MAAI,SAAS,UAAa,IAAI,WAAW,SAAS,IAAI,WAAW,QAAQ;AACvE,SAAK,OAAO;AAAA,EACd;AAEA,SAAO,IAAI,QAAQ,KAAK,IAAI;AAC9B;AAEA,eAAe,iBACb,aACA,KACe;AACf,MAAI,OAAO,YAAY,MAAM;AAK7B,QAAM,aACJ,OAAO,YAAY,QAAQ,iBAAiB,aACxC,YAAY,QAAQ,aAAa,IACjC,CAAC;AAEP,cAAY,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC1C,QAAI,IAAI,YAAY,MAAM;AAAc;AACxC,QAAI,UAAU,KAAK,KAAK;AAAA,EAC1B,CAAC;AACD,aAAW,UAAU,YAAY;AAC/B,QAAI,aAAa,cAAc,MAAM;AAAA,EACvC;AAEA,QAAM,MAAM,OAAO,KAAK,MAAM,YAAY,YAAY,CAAC;AACvD,MAAI,IAAI,GAAG;AACb;AAKO,SAAS,iBACd,SACA,UAAiC,CAAC,GAC4B;AAC9D,SAAO,OAAO,KAAK,QAAQ;AACzB,UAAM,aAAa,aAAa,KAAK,QAAQ,MAAM;AACnD,UAAM,cAAc,MAAM,QAAQ,UAAU;AAC5C,UAAM,iBAAiB,aAAa,GAAG;AAAA,EACzC;AACF;AA6DA,SAAS,YAAY,QAA4B,MAAkC;AACjF,MAAI,CAAC;AAAQ,WAAO;AACpB,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,KAAK,KAAK,QAAQ,GAAG;AAC3B,QAAI,OAAO;AAAI;AACf,QAAI,KAAK,MAAM,GAAG,EAAE,EAAE,KAAK,MAAM,MAAM;AACrC,aAAO,mBAAmB,KAAK,MAAM,KAAK,CAAC,EAAE,KAAK,CAAC;AAAA,IACrD;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,aACP,KACA,KACA,MACQ;AACR,QAAM,OAAO,KAAK,QAAQ;AAC1B,QAAM,WAAW,YAAY,IAAI,QAAQ,QAAQ,IAAI;AACrD,MAAI;AAAU,WAAO;AACrB,QAAM,MAAM,WAAW;AACvB,MAAI,OAAO,MAAM,KAAK;AAAA,IACpB,UAAU;AAAA,IACV,QAAQ,KAAK,UAAU;AAAA,IACvB,UAAU,KAAK,YAAY;AAAA,IAC3B,GAAI,KAAK,SAAS,EAAE,QAAQ,KAAK,OAAO,IAAI,CAAC;AAAA,IAC7C,MAAM,KAAK,QAAQ;AAAA,IACnB,QAAQ,KAAK,YAAY,KAAK,KAAK;AAAA,EACrC,CAAC;AACD,SAAO;AACT;AAEA,SAAS,QAAQ,KAAqB,MAAiD;AACrF,SAAO,YAAY,IAAI,QAAQ,QAAQ,KAAK,QAAQ,WAAW;AACjE;AAGA,SAAS,QACP,IAC8D;AAC9D,SAAO,OAAO,KAAK,QAAQ;AACzB,QAAI;AACF,YAAM,GAAG,KAAK,GAAG;AAAA,IACnB,SAAS,KAAK;AACZ,UAAI,eAAe,kBAAkB;AACnC,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,IAAI,MAAM,SAAS,IAAI,QAAQ,CAAC;AAAA,MAChE,OAAO;AACL,gBAAQ,MAAM,qCAAqC,GAAG;AACtD,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,WAAW,CAAC;AAAA,MAC5C;AAAA,IACF;AAAA,EACF;AACF;AA4BO,SAAS,2BACd,SACQ;AACR,QAAM,SAAS,OAAO;AACtB,QAAM,aAAa,QAAQ,UAAU,CAAC;AACtC,QAAM,OAAO,qBAAqB;AAAA,IAChC,MAAM,QAAQ;AAAA,IACd,GAAI,QAAQ,kBAAkB,EAAE,iBAAiB,QAAQ,gBAAgB,IAAI,CAAC;AAAA,IAC9E,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,EACjE,CAAC;AAGD,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ,OAAO,KAAK,QAAQ;AAC1B,YAAM,YAAY,aAAa,KAAK,KAAK,UAAU;AACnD,YAAM,SAAS,MAAM,QAAQ,UAAU,KAAK,GAAG;AAC/C,UAAI,CAAC,QAAQ;AACX,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAC;AACjD;AAAA,MACF;AACA,UAAI,KAAK,MAAM,QAAQ,OAAO,cAAc,EAAE,WAAW,OAAO,CAAC,CAAC;AAAA,IACpE,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ,OAAO,KAAK,QAAQ;AAC1B,YAAM,YAAY,QAAQ,KAAK,UAAU;AACzC,UAAI,CAAC;AAAW,cAAM,IAAI,iBAAiB,gBAAgB,sBAAsB;AAEjF,UAAI,KAAK,MAAM,QAAQ,OAAO,eAAe,EAAE,WAAW,MAAM,IAAI,KAAK,CAAC,CAAC;AAAA,IAC7E,CAAC;AAAA,EACH;AAGA,SAAO;AAAA,IACL;AAAA,IACA,QAAQ,OAAO,KAAK,QAAQ;AAC1B,YAAM,YAAY,aAAa,KAAK,KAAK,UAAU;AACnD,YAAM,WACJ,OAAO,IAAI,MAAM,aAAa,WAAW,IAAI,KAAK,WAAW;AAC/D,UAAI;AAAA,QACF,MAAM,QAAQ,OAAO,kBAAkB;AAAA,UACrC;AAAA,UACA,GAAI,WAAW,EAAE,SAAS,IAAI,CAAC;AAAA,QACjC,CAAC;AAAA,MACH;AAAA,IACF,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL;AAAA,IACA,QAAQ,OAAO,KAAK,QAAQ;AAC1B,YAAM,YAAY,QAAQ,KAAK,UAAU;AACzC,UAAI,CAAC;AAAW,cAAM,IAAI,iBAAiB,gBAAgB,sBAAsB;AACjF,YAAM,SAAS,MAAM,QAAQ,OAAO,mBAAmB;AAAA,QACrD;AAAA,QACA,MAAM,IAAI;AAAA,MACZ,CAAC;AACD,YAAM,QAAQ,MAAM,KAAK,OAAO,IAAI;AACpC,UAAI,KAAK,EAAE,GAAG,QAAQ,GAAG,MAAM,CAAC;AAAA,IAClC,CAAC;AAAA,EACH;AAEA,SAAO;AACT","sourcesContent":["/**\n * Express adapter for Glide's Web-standard route handler.\n *\n * `@glydi/passkey-server` ships a single framework-neutral\n * `(request: Request) => Promise<Response>` handler. Express 5 speaks Node\n * `req`/`res`, not Web `Request`/`Response`, so this shim bridges the two:\n * Express req → Web Request → [Glide handler] → Web Response → Express res\n *\n * It preserves status, headers, and — crucially — multiple `Set-Cookie` headers\n * (the `glide_sid` pre-auth cookie rides here).\n *\n * Body: the adapter expects a JSON body parser (e.g. `express.json()`) to have\n * populated `req.body`, which is the norm — the Glide client always POSTs\n * `content-type: application/json`. The parsed body is re-serialized into the\n * Web Request so the handler's `request.json()` works.\n *\n * @example\n * ```ts\n * import { Router } from \"express\";\n * import { createPasskeyRouteHandler } from \"@glydi/passkey-server\";\n * import { toExpressHandler } from \"@glydi/passkey-firebase/express\";\n *\n * const glideHandler = toExpressHandler(createPasskeyRouteHandler({ ... }));\n * const router = Router();\n * router.post(\"/authenticate-begin\", glideHandler);\n * router.post(\"/authenticate-finish\", glideHandler);\n * router.post(\"/register-begin\", requireAuth, glideHandler);\n * router.post(\"/register-finish\", requireAuth, glideHandler);\n * ```\n */\n\nimport { Router } from \"express\";\nimport type {\n Request as ExpressRequest,\n Response as ExpressResponse,\n RequestHandler,\n} from \"express\";\nimport { randomUUID } from \"node:crypto\";\nimport { GlideServerError } from \"@glydi/passkey-server\";\nimport type { createGlideServer } from \"@glydi/passkey-server\";\nimport type { Auth } from \"firebase-admin/auth\";\nimport { createFirebaseBridge, type GlideBridgeUser } from \"./server.js\";\n\n/** The Web-standard handler returned by `createPasskeyRouteHandler`. */\nexport type GlideRequestHandler = (request: Request) => Promise<Response>;\n\nexport interface ExpressAdapterOptions {\n /**\n * Absolute base origin used to construct the Web Request URL (the `Request`\n * constructor requires an absolute URL). Glide only reads the *last* path\n * segment, so the host is cosmetic — but it must parse. Defaults to inferring\n * `${req.protocol}://${req.get(\"host\")}` per request. Override when behind a\n * proxy that rewrites the path.\n */\n origin?: string;\n}\n\nfunction toWebRequest(req: ExpressRequest, origin?: string): Request {\n const base =\n origin ?? `${req.protocol}://${req.get(\"host\") ?? \"localhost\"}`;\n // originalUrl keeps the full mounted path (e.g. /api/v1/passkey/register-begin)\n // so the handler's last-segment dispatch resolves the ceremony correctly.\n const url = new URL(req.originalUrl, base).toString();\n\n const headers = new Headers();\n for (const [key, value] of Object.entries(req.headers)) {\n if (value === undefined) continue;\n if (Array.isArray(value)) {\n for (const v of value) headers.append(key, v);\n } else {\n headers.set(key, value);\n }\n }\n\n // Re-serialize the parsed JSON body. `req.body` is `{}` for empty POSTs under\n // express.json(); Glide's safeJson tolerates `{}`.\n let body: string | undefined;\n if (req.body !== undefined && req.body !== null) {\n body = typeof req.body === \"string\" ? req.body : JSON.stringify(req.body);\n if (!headers.has(\"content-type\")) {\n headers.set(\"content-type\", \"application/json\");\n }\n }\n\n const init: RequestInit = { method: req.method, headers };\n // GET/HEAD must not carry a body; Glide routes are POST-only anyway.\n if (body !== undefined && req.method !== \"GET\" && req.method !== \"HEAD\") {\n init.body = body;\n }\n\n return new Request(url, init);\n}\n\nasync function writeWebResponse(\n webResponse: Response,\n res: ExpressResponse,\n): Promise<void> {\n res.status(webResponse.status);\n\n // Multiple Set-Cookie headers must be emitted individually. The Web Headers\n // object collapses them on iteration, so pull them via getSetCookie() and skip\n // set-cookie in the generic copy below.\n const setCookies =\n typeof webResponse.headers.getSetCookie === \"function\"\n ? webResponse.headers.getSetCookie()\n : [];\n\n webResponse.headers.forEach((value, key) => {\n if (key.toLowerCase() === \"set-cookie\") return;\n res.setHeader(key, value);\n });\n for (const cookie of setCookies) {\n res.appendHeader(\"set-cookie\", cookie);\n }\n\n const buf = Buffer.from(await webResponse.arrayBuffer());\n res.end(buf);\n}\n\n/**\n * Wrap Glide's Web-standard handler as an Express `(req, res)` handler.\n */\nexport function toExpressHandler(\n handler: GlideRequestHandler,\n options: ExpressAdapterOptions = {},\n): (req: ExpressRequest, res: ExpressResponse) => Promise<void> {\n return async (req, res) => {\n const webRequest = toWebRequest(req, options.origin);\n const webResponse = await handler(webRequest);\n await writeWebResponse(webResponse, res);\n };\n}\n\n// ===========================================================================\n// High-level: Express-native passkey router for Firebase apps\n// ===========================================================================\n//\n// `toExpressHandler` adapts Glide's Web route handler, but Express integrators\n// hit two papercuts it can't solve from the Web layer: (1) the verified user\n// lives on `res.locals`, invisible to a Web Request; (2) the pre-auth session\n// cookie must be *set* on the Express response. `createExpressPasskeyRouter`\n// owns both — plus per-action auth and the Firebase token mint — so wiring a\n// Firebase app is a handful of lines.\n\n/** Cookie settings for the `glide_sid` pre-auth (challenge-binding) cookie. */\nexport interface GlideSidCookieOptions {\n /** Cookie name. Default `\"glide_sid\"`. */\n name?: string;\n /** `Secure` flag. Default `true` (required when `sameSite: \"none\"`). */\n secure?: boolean;\n /**\n * `SameSite`. Default `\"none\"` (prod cross-site). Use `\"lax\"` for same-site\n * local dev over http (where a `Secure` `None` cookie won't be set).\n */\n sameSite?: \"lax\" | \"none\" | \"strict\";\n /** Optional `Domain` (e.g. `.example.com` to share across subdomains). */\n domain?: string;\n /** `Path`. Default `\"/\"`. */\n path?: string;\n /** Lifetime in ms. Default 10 minutes — only needs to outlive one ceremony. */\n maxAgeMs?: number;\n}\n\nexport interface ExpressPasskeyRouterOptions {\n /** The GlideServer from `createGlideServer()`. */\n server: ReturnType<typeof createGlideServer>;\n /** firebase-admin `Auth` (e.g. `getAuth()`) used to mint the custom token. */\n auth: Auth;\n /**\n * Your existing auth middleware. Gates the `register-*` (add-a-passkey)\n * routes so a passkey can only be attached by an already-signed-in user.\n */\n requireAuth: RequestHandler;\n /**\n * Pull the verified Firebase UID out of the request *after* `requireAuth`\n * ran — e.g. `(_, res) => res.locals.user?.uid`. The new credential is bound\n * to this UID, so your GlideStore's `user.id` must equal the Firebase UID.\n */\n getUserId: (\n req: ExpressRequest,\n res: ExpressResponse,\n ) => string | undefined | Promise<string | undefined>;\n /** `glide_sid` cookie options (see {@link GlideSidCookieOptions}). */\n cookie?: GlideSidCookieOptions;\n /** Extra Firebase custom claims to embed in the minted login token. */\n developerClaims?: (\n user: GlideBridgeUser,\n ) => Record<string, unknown> | Promise<Record<string, unknown>>;\n /** Response field carrying the minted token. Default `\"accessToken\"`. */\n tokenField?: string;\n}\n\nfunction parseCookie(header: string | undefined, name: string): string | undefined {\n if (!header) return undefined;\n for (const part of header.split(\";\")) {\n const eq = part.indexOf(\"=\");\n if (eq === -1) continue;\n if (part.slice(0, eq).trim() === name) {\n return decodeURIComponent(part.slice(eq + 1).trim());\n }\n }\n return undefined;\n}\n\nfunction readOrSetSid(\n req: ExpressRequest,\n res: ExpressResponse,\n opts: GlideSidCookieOptions,\n): string {\n const name = opts.name ?? \"glide_sid\";\n const existing = parseCookie(req.headers.cookie, name);\n if (existing) return existing;\n const sid = randomUUID();\n res.cookie(name, sid, {\n httpOnly: true,\n secure: opts.secure ?? true,\n sameSite: opts.sameSite ?? \"none\",\n ...(opts.domain ? { domain: opts.domain } : {}),\n path: opts.path ?? \"/\",\n maxAge: opts.maxAgeMs ?? 10 * 60 * 1000,\n });\n return sid;\n}\n\nfunction readSid(req: ExpressRequest, opts: GlideSidCookieOptions): string | undefined {\n return parseCookie(req.headers.cookie, opts.name ?? \"glide_sid\");\n}\n\n/** Wrap an async route, mapping GlideServerError → 400 and anything else → 500. */\nfunction guarded(\n fn: (req: ExpressRequest, res: ExpressResponse) => Promise<void>,\n): (req: ExpressRequest, res: ExpressResponse) => Promise<void> {\n return async (req, res) => {\n try {\n await fn(req, res);\n } catch (err) {\n if (err instanceof GlideServerError) {\n res.status(400).json({ error: err.code, message: err.message });\n } else {\n console.error(\"[glide-firebase] unexpected error\", err);\n res.status(500).json({ error: \"internal\" });\n }\n }\n };\n}\n\n/**\n * Build an Express `Router` exposing the four passkey ceremonies for a Firebase\n * app. Mount it under your passkey path (e.g. `/api/v1/passkey`):\n *\n * - `POST /register-begin` · `POST /register-finish` — gated by `requireAuth`;\n * attaches a new passkey to the signed-in Firebase UID.\n * - `POST /authenticate-begin` · `POST /authenticate-finish` — public; on success\n * mints a Firebase custom token and returns it as `accessToken` for the client\n * to exchange via `signInWithCustomToken`.\n *\n * @example\n * ```ts\n * import { getAuth } from \"firebase-admin/auth\";\n * import { createGlideServer } from \"@glydi/passkey-server\";\n * import { createExpressPasskeyRouter } from \"@glydi/passkey-firebase/express\";\n *\n * const glide = createGlideServer({ rpName, rpID, origin, store });\n * app.use(\"/api/v1/passkey\", createExpressPasskeyRouter({\n * server: glide,\n * auth: getAuth(),\n * requireAuth,\n * getUserId: (_req, res) => res.locals.user?.uid,\n * cookie: { secure: isProd, sameSite: isProd ? \"none\" : \"lax\" },\n * }));\n * ```\n */\nexport function createExpressPasskeyRouter(\n options: ExpressPasskeyRouterOptions,\n): Router {\n const router = Router();\n const cookieOpts = options.cookie ?? {};\n const mint = createFirebaseBridge({\n auth: options.auth,\n ...(options.developerClaims ? { developerClaims: options.developerClaims } : {}),\n ...(options.tokenField ? { tokenField: options.tokenField } : {}),\n });\n\n // ── Register (add-a-passkey): behind the host's auth; links to signed-in UID ──\n router.post(\n \"/register-begin\",\n options.requireAuth,\n guarded(async (req, res) => {\n const sessionId = readOrSetSid(req, res, cookieOpts);\n const userId = await options.getUserId(req, res);\n if (!userId) {\n res.status(401).json({ error: \"unauthenticated\" });\n return;\n }\n res.json(await options.server.registerBegin({ sessionId, userId }));\n }),\n );\n\n router.post(\n \"/register-finish\",\n options.requireAuth,\n guarded(async (req, res) => {\n const sessionId = readSid(req, cookieOpts);\n if (!sessionId) throw new GlideServerError(\"no_challenge\", \"No active challenge.\");\n // User already holds a Firebase session here — no token to mint.\n res.json(await options.server.registerFinish({ sessionId, body: req.body }));\n }),\n );\n\n // ── Authenticate (login): public — the passkey IS the proof. Mints a token. ──\n router.post(\n \"/authenticate-begin\",\n guarded(async (req, res) => {\n const sessionId = readOrSetSid(req, res, cookieOpts);\n const username =\n typeof req.body?.username === \"string\" ? req.body.username : undefined;\n res.json(\n await options.server.authenticateBegin({\n sessionId,\n ...(username ? { username } : {}),\n }),\n );\n }),\n );\n\n router.post(\n \"/authenticate-finish\",\n guarded(async (req, res) => {\n const sessionId = readSid(req, cookieOpts);\n if (!sessionId) throw new GlideServerError(\"no_challenge\", \"No active challenge.\");\n const result = await options.server.authenticateFinish({\n sessionId,\n body: req.body,\n });\n const extra = await mint(result.user);\n res.json({ ...result, ...extra });\n }),\n );\n\n return router;\n}\n"]}

package/dist/server.d.ts ADDED Viewed

@@ -0,0 +1,66 @@
+import { Auth } from 'firebase-admin/auth';
+/**
+ * Server bridge: Glide passkey → Firebase custom token.
+ *
+ * Glide's WebAuthn ceremony verifies the user and hands you `{ user }` (where
+ * `user.id` is whatever id your store assigned — set it to the Firebase UID).
+ * This bridge turns that verified user into a *Firebase custom token* by calling
+ * `admin.auth().createCustomToken(uid)`, and returns it shaped so Glide's route
+ * handler merges it into the JSON response (`{ accessToken }`). The browser then
+ * exchanges it via `signInWithCustomToken` (see `@glydi/passkey-firebase/client`).
+ *
+ * The net effect: a passkey login becomes *another door into the same Firebase
+ * session* — your existing `verifyIdToken` middleware, custom-claim roles, and
+ * user records keep working untouched.
+ *
+ * @example
+ * ```ts
+ * import { getAuth } from "firebase-admin/auth";
+ * import { createPasskeyRouteHandler } from "@glydi/passkey-server";
+ * import { createFirebaseBridge } from "@glydi/passkey-firebase/server";
+ *
+ * const handler = createPasskeyRouteHandler({
+ *   server: glide,
+ *   getSessionId,
+ *   getUserId,                                   // verified Firebase UID (register-*)
+ *   onAuthSuccess: createFirebaseBridge({ auth: getAuth() }),
+ * });
+ * ```
+ */
+/** The authenticated-user shape Glide hands to `onAuthSuccess`. */
+interface GlideBridgeUser {
+    /** Stable user id from your store — MUST be the Firebase UID for the bridge. */
+    id: string;
+    name?: string;
+    email?: string;
+}
+interface FirebaseBridgeOptions {
+    /**
+     * A firebase-admin `Auth` instance, e.g. `getAuth()` from "firebase-admin/auth".
+     * Injected (not imported) so this package never bundles firebase-admin and you
+     * keep a single initialized Admin app.
+     */
+    auth: Auth;
+    /**
+     * Optional: extra Firebase custom claims to embed in *this* minted token.
+     * Receives the Glide user (`user.id` === Firebase UID). Useful for one-shot
+     * claims; for durable role claims prefer `auth.setCustomUserClaims(uid, ...)`
+     * in your own onboarding flow.
+     */
+    developerClaims?: (user: GlideBridgeUser) => Record<string, unknown> | Promise<Record<string, unknown>>;
+    /**
+     * Response field that carries the minted token to the client.
+     * Defaults to `"accessToken"` (already typed on Glide's `AuthResult`, so the
+     * client helper and React `onSuccess` see it with no extra wiring).
+     */
+    tokenField?: string;
+}
+/**
+ * Build an `onAuthSuccess` callback for `createPasskeyRouteHandler` that mints a
+ * Firebase custom token for the verified user and returns it in the response body.
+ */
+declare function createFirebaseBridge(options: FirebaseBridgeOptions): (user: GlideBridgeUser, request?: unknown) => Promise<Record<string, string>>;
+export { type FirebaseBridgeOptions, type GlideBridgeUser, createFirebaseBridge };

package/dist/server.js ADDED Viewed

@@ -0,0 +1,3 @@
+export { createFirebaseBridge } from './chunk-JP6DMV6X.js';
+//# sourceMappingURL=out.js.map
+//# sourceMappingURL=server.js.map

package/dist/server.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"sources":[],"names":[],"mappings":""}

package/package.json ADDED Viewed

@@ -0,0 +1,60 @@
+{
+  "name": "@glydi/passkey-firebase",
+  "version": "0.1.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "description": "Drop Glide passkeys onto an app that already uses Firebase Auth. Mints a Firebase custom token from a verified passkey, plus an Express adapter and a client sign-in helper.",
+  "type": "module",
+  "exports": {
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js"
+    },
+    "./express": {
+      "types": "./dist/express.d.ts",
+      "import": "./dist/express.js"
+    },
+    "./client": {
+      "types": "./dist/client.d.ts",
+      "import": "./dist/client.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "peerDependencies": {
+    "express": ">=4",
+    "firebase": ">=10",
+    "firebase-admin": ">=12",
+    "@glydi/passkey-server": "0.1.0"
+  },
+  "peerDependenciesMeta": {
+    "express": {
+      "optional": true
+    },
+    "firebase": {
+      "optional": true
+    },
+    "firebase-admin": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.0",
+    "@types/node": "^20.0.0",
+    "express": "^5.0.0",
+    "firebase": "^11.0.0",
+    "firebase-admin": "^13.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0",
+    "@glydi/passkey-server": "0.1.0"
+  },
+  "license": "MIT",
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist .turbo"
+  }
+}