@glydi/passkey-server 0.1.0

package/README.md

@@ -0,0 +1,207 @@
+# @glydi/passkey-server
+
+Lightweight, framework-agnostic WebAuthn challenge + verification handlers for Glide. Built on @simplewebauthn/server.
+
+## Install
+
+Glide is not yet published to npm. Install from a packed tarball or via `pnpm link`.
+
+**Tarball (recommended):**
+
+```json
+{
+  "dependencies": {
+    "@glydi/passkey-server": "file:../glide/dist-packs/glydi-passkey-server-0.1.0.tgz",
+    "@glydi/passkey-core":   "file:../glide/dist-packs/glydi-passkey-core-0.1.0.tgz"
+  },
+  "pnpm": {
+    "overrides": {
+      "@glydi/passkey-core": "file:../glide/dist-packs/glydi-passkey-core-0.1.0.tgz"
+    }
+  }
+}
+```
+
+The `pnpm.overrides` entry for `@glydi/passkey-core` prevents pnpm from trying to fetch
+the transitive peer from the npm registry. See [docs/DISTRIBUTION.md](../../docs/DISTRIBUTION.md)
+for full tarball and `pnpm link` instructions.
+
+> **Forthcoming:** `npm install @glydi/passkey-server` will be the public form once the
+> package is published. It is not yet available on npm.
+
+## Minimal Usage
+
+The correct pattern for Next.js App Router is **lazy initialization** — wrapping
+`createGlideServer` and `createPasskeyRouteHandler` inside functions that construct
+on first call rather than at module scope. This is required because `createInMemoryStore()`
+throws under `NODE_ENV=production`, and `next build` evaluates module-level code with
+`NODE_ENV=production` — so eager construction breaks the build.
+
+**`lib/glide.ts` — lazy server initializer:**
+
+```ts
+import { createGlideServer, createInMemoryStore } from "@glydi/passkey-server";
+
+const RP_ID = process.env.GLIDE_RP_ID ?? "localhost";
+const ORIGIN = process.env.GLIDE_ORIGIN ?? "http://localhost:3000";
+
+let _glide: ReturnType<typeof createGlideServer> | null = null;
+
+export function getGlide(): ReturnType<typeof createGlideServer> {
+  if (_glide === null) {
+    _glide = createGlideServer({
+      rpName: "My App",
+      rpID: RP_ID,
+      origin: ORIGIN,
+      store: createInMemoryStore(),
+    });
+  }
+  return _glide;
+}
+```
+
+**`app/api/passkey/[action]/route.ts` — lazy route handler:**
+
+```ts
+import { createPasskeyRouteHandler } from "@glydi/passkey-server";
+import { getGlide } from "../../../../lib/glide";
+import {
+  getOrCreateSessionId,
+  getSessionUserId,
+  startUserSession,
+} from "../../../../lib/session";
+
+let handler: ((request: Request) => Promise<Response>) | null = null;
+
+export function POST(request: Request): Promise<Response> {
+  if (handler === null) {
+    handler = createPasskeyRouteHandler({
+      server: getGlide(),
+      getSessionId: () => getOrCreateSessionId(),
+      getUserId: () => getSessionUserId(),
+      onAuthSuccess: (user) => startUserSession(user.id),
+    });
+  }
+  return handler(request);
+}
+```
+
+The handler is a Web-standard `(request: Request) => Promise<Response>` — it mounts
+directly as a Next.js App Router `POST` export. It dispatches to the correct ceremony
+handler by reading the last URL segment: `register-begin`, `register-finish`,
+`authenticate-begin`, `authenticate-finish`.
+
+See the [Quickstart](../../docs/QUICKSTART.md) for the full Next.js wiring including
+session helpers and the client button.
+
+## API
+
+### `createGlideServer(config)`
+
+Creates the four WebAuthn ceremony handlers. Returns an object with:
+
+- `registerBegin(ctx: BeginContext): Promise<PublicKeyCredentialCreationOptionsJSON>`
+- `registerFinish(ctx: FinishContext): Promise<GlideAuthResult>`
+- `authenticateBegin(ctx: BeginContext): Promise<PublicKeyCredentialRequestOptionsJSON>`
+- `authenticateFinish(ctx: FinishContext): Promise<GlideAuthResult>`
+
+**`GlideServerConfig` fields:**
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `rpName` | `string` | yes | Human-readable Relying Party name shown in some UIs. |
+| `rpID` | `string` | yes | Registrable domain, e.g. `"localhost"` or `"example.com"`. |
+| `origin` | `string \| string[]` | yes | Exact expected origin(s), e.g. `"http://localhost:3000"`. |
+| `store` | `GlideStore` | yes | Storage implementation (challenges, credentials, users). |
+| `challengeTtlMs` | `number` | no | Challenge TTL in ms. Default `120000` (2 min). |
+| `userVerification` | `"required" \| "preferred" \| "discouraged"` | no | WebAuthn user verification. Default `"preferred"`. |
+
+### `createPasskeyRouteHandler(config)`
+
+Creates a single Web-standard request handler that dispatches all four passkey routes.
+Returns `(request: Request) => Promise<Response>`.
+
+**`PasskeyRouteHandlerConfig` fields:**
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `server` | `ReturnType<typeof createGlideServer>` | yes | The Glide server instance. |
+| `getSessionId` | `(request: Request) => Promise<string>` | yes | Returns the pre-auth session id (from an HttpOnly cookie). |
+| `getUserId` | `(request: Request) => Promise<string \| undefined>` | no | Returns the authenticated user id for add-a-device flows. Must only return the currently authenticated user. |
+| `onAuthSuccess` | `(user: GlideAuthResult["user"], request: Request) => Promise<void>` | no | Called after successful authentication to mint your session. |
+
+**Response codes:** `405` (non-POST), `404` (unknown action), `400` (`GlideServerError`), `500` (unexpected).
+
+### `createInMemoryStore()`
+
+Creates an in-memory `GlideStore` for development and testing. Returns a `GlideStore`
+implementing `challenges`, `credentials`, and `users` sub-stores.
+
+> **Dev only:** `createInMemoryStore()` loses all data on process restart.
+>
+> **Production guard:** Under `NODE_ENV=production`, `createInMemoryStore()` throws unless
+> `GLIDE_ALLOW_INMEMORY="1"` is set. This prevents accidentally running with an ephemeral
+> store in production.
+>
+> For production, implement a persistent store against the `GlideStore` interface — see
+> [STORE.md](./STORE.md) for the contract and invariants, and `apps/demo/lib/sqlite-store.ts`
+> for a SQLite reference implementation.
+
+### `assertSecureSecret(envVar, value)`
+
+```ts
+function assertSecureSecret(envVar: string, value: string | undefined): asserts value is string
+```
+
+Validates that a secret environment variable is safe to use. Call this lazily inside
+your `getSecret()` function (at request time, not at module scope) so it does not fire
+during `next build`.
+
+- **Throws** if `value` is `undefined`, an empty string, or equals the dev placeholder
+  `"dev-only-insecure-secret-change-me"`.
+- **Warns** (does not throw) if `value.length < 32`.
+
+### Exported types
+
+`GlideServerConfig`, `BeginContext`, `FinishContext`, `GlideAuthResult`, `GlideServerError`,
+`GlideStore`, `ChallengeStore`, `CredentialStore`, `UserStore`, `StoredCredential`,
+`GlideUserRecord`, `AuthenticatorTransportFuture`, `PasskeyRouteHandlerConfig`
+
+## Security
+
+### HARD-01: `GLIDE_SESSION_SECRET` (required)
+
+The session module must sign user session cookies with a strong secret. Set this in your
+`.env.local` before starting the server:
+
+```bash
+GLIDE_SESSION_SECRET=$(openssl rand -base64 32)
+```
+
+`assertSecureSecret("GLIDE_SESSION_SECRET", raw)` is called at request time when the
+session is first signed or verified. If the value is unset, empty, or equals the dev
+placeholder, it throws immediately — the first passkey attempt will fail with an internal
+server error. Secrets shorter than 32 characters produce a warning.
+
+See [SECURITY.md](../../SECURITY.md) for the full token-storage and session rules.
+
+### HARD-02: In-memory store is dev only
+
+`createInMemoryStore()` is blocked under `NODE_ENV=production` (unless
+`GLIDE_ALLOW_INMEMORY="1"` is explicitly set). For production, replace it with a
+persistent `GlideStore` implementation. See [STORE.md](./STORE.md) for the interface
+contract and the store skeleton.
+
+### `getUserId` callback security
+
+The optional `getUserId(request)` callback is the add-a-device seam. It **must** only
+return the id of the currently authenticated user — derived from a tamper-evident session
+(HttpOnly cookie or signed token), never from an unsigned query parameter. Returning any
+other user's id allows an attacker to attach their passkey to a victim's account.
+
+## Links
+
+- [Root README](../../README.md) — architecture overview
+- [Quickstart](../../docs/QUICKSTART.md) — full Next.js App Router integration walkthrough
+- [Distribution guide](../../docs/DISTRIBUTION.md) — tarball and pnpm link install details
+- [STORE.md](./STORE.md) — GlideStore contract and BYO-store guidance

package/dist/index.d.ts

@@ -0,0 +1,244 @@
+import * as _simplewebauthn_server from '@simplewebauthn/server';
+
+/**
+ * Storage interfaces the Glide server needs, plus a dev-only in-memory impl.
+ *
+ * In production, back these with your own DB/Redis. The point of the interface
+ * is that Glide never owns your user data — "bring your own backend".
+ */
+interface StoredCredential {
+    /** Owning user's stable id. */
+    userId: string;
+    /** base64url credential id (PublicKeyCredential.id). */
+    credentialId: string;
+    /** COSE public key bytes. */
+    publicKey: Uint8Array;
+    /** Signature counter; updated on every successful authentication. */
+    counter: number;
+    transports?: AuthenticatorTransportFuture[] | undefined;
+    /** "singleDevice" | "multiDevice" — multiDevice = synced passkey. */
+    deviceType?: string | undefined;
+    backedUp?: boolean | undefined;
+    /** User-facing label, e.g. "MacBook Touch ID". Optional. */
+    name?: string | undefined;
+    /** Unix ms when the credential was registered. */
+    createdAt?: number | undefined;
+}
+/** Minimal transport list mirror to avoid importing DOM lib on the server. */
+type AuthenticatorTransportFuture = "ble" | "cable" | "hybrid" | "internal" | "nfc" | "smart-card" | "usb";
+interface GlideUserRecord {
+    /** Opaque, stable, app-owned user id (NOT the email). */
+    id: string;
+    name?: string;
+    email?: string;
+}
+/**
+ * Per-session challenge store. The challenge MUST be:
+ *  - random (handled by @simplewebauthn), single-use, short-lived,
+ *  - bound to THIS session id (never accept another session's challenge).
+ * Back this with your server-side session (Redis) or a sealed HttpOnly cookie.
+ */
+interface ChallengeStore {
+    get(sessionId: string): Promise<string | undefined>;
+    set(sessionId: string, challenge: string, ttlMs: number): Promise<void>;
+    /** Clear on success AND failure to enforce single-use. */
+    clear(sessionId: string): Promise<void>;
+}
+interface CredentialStore {
+    findById(credentialId: string): Promise<StoredCredential | undefined>;
+    listByUser(userId: string): Promise<StoredCredential[]>;
+    save(userId: string, cred: Omit<StoredCredential, "userId">): Promise<void>;
+    updateCounter(credentialId: string, counter: number): Promise<void>;
+    /** Remove a credential (account management — "remove this passkey"). */
+    delete(credentialId: string): Promise<void>;
+    /** Set a user-facing label. */
+    rename(credentialId: string, name: string): Promise<void>;
+}
+interface UserStore {
+    findByUsername(username: string): Promise<GlideUserRecord | undefined>;
+    findById(userId: string): Promise<GlideUserRecord | undefined>;
+    /** Create-or-get; returns the stable user record. */
+    upsert(username: string | undefined): Promise<GlideUserRecord>;
+}
+interface GlideStore {
+    challenges: ChallengeStore;
+    credentials: CredentialStore;
+    users: UserStore;
+}
+/**
+ * In-memory store for local development and tests ONLY. Not for production:
+ * it's per-process, unbounded, and lost on restart.
+ */
+declare function createInMemoryStore(): GlideStore;
+
+interface GlideServerConfig {
+    /** Human-readable RP name shown in some authenticator UIs. */
+    rpName: string;
+    /** Registrable domain, e.g. "example.com" (a suffix of every origin). */
+    rpID: string;
+    /** Exact expected origin(s), e.g. "https://app.example.com". */
+    origin: string | string[];
+    store: GlideStore;
+    /** Challenge lifetime; should match the client `timeout`. Default 120s. */
+    challengeTtlMs?: number;
+    /** "required" forces biometric/PIN; "preferred" is the smooth default. */
+    userVerification?: "required" | "preferred" | "discouraged";
+}
+interface BeginContext {
+    /** Stable id for the current (pre-auth) browser session. */
+    sessionId: string;
+    /** Optional username hint from the client (used for known-user flows). */
+    username?: string;
+    /**
+     * Register a new credential for an EXISTING user (add-a-device). When set,
+     * the ceremony attaches to this user id instead of upserting by username —
+     * the correct path for "add another passkey" while already signed in.
+     * (registerBegin only.)
+     */
+    userId?: string;
+}
+interface FinishContext {
+    sessionId: string;
+    /** The raw JSON the browser produced (registration or assertion response). */
+    body: any;
+}
+interface GlideAuthResult {
+    user: {
+        id: string;
+        name?: string;
+        email?: string;
+    };
+    /**
+     * The SDK does NOT mint tokens for you — issue your own session here
+     * (set an HttpOnly cookie in your transport layer). Returned for convenience
+     * if you choose to hand a short-lived access token to the client (memory only).
+     */
+    accessToken?: string;
+}
+declare function createGlideServer(config: GlideServerConfig): {
+    /** POST /register/begin — returns PublicKeyCredentialCreationOptionsJSON. */
+    registerBegin(ctx: BeginContext): Promise<_simplewebauthn_server.PublicKeyCredentialCreationOptionsJSON>;
+    /** POST /register/finish — verifies attestation, persists the credential. */
+    registerFinish(ctx: FinishContext): Promise<GlideAuthResult>;
+    /** POST /authenticate/begin — returns PublicKeyCredentialRequestOptionsJSON. */
+    authenticateBegin(ctx: BeginContext): Promise<_simplewebauthn_server.PublicKeyCredentialRequestOptionsJSON>;
+    /** POST /authenticate/finish — verifies the assertion, bumps the counter. */
+    authenticateFinish(ctx: FinishContext): Promise<GlideAuthResult>;
+};
+declare class GlideServerError extends Error {
+    code: string;
+    constructor(code: string, message: string);
+}
+
+/**
+ * Assert that a named secret env var is set, non-empty, and not the known
+ * dev placeholder. Declared with `asserts value is string` so TypeScript
+ * narrows the type at the call site — no non-null assertion needed.
+ *
+ * Call before the secret is first used to sign/verify so misconfigured
+ * deployments fail fast rather than silently signing sessions with an insecure
+ * key. In Next.js App Router, call it lazily (e.g. inside the function that
+ * reads the secret), NOT at module top-level — a module-load throw fires during
+ * `next build` page-data collection and breaks the build.
+ *
+ * Warns (does not throw) when the secret is shorter than 32 chars.
+ *
+ * @example
+ * const SECRET = process.env.GLIDE_SESSION_SECRET;
+ * assertSecureSecret("GLIDE_SESSION_SECRET", SECRET);
+ * // TypeScript now narrows SECRET to `string`
+ *
+ * @param envVar - The name of the environment variable (used in error/warn messages).
+ * @param value  - The raw value to assert against.
+ */
+declare function assertSecureSecret(envVar: string, value: string | undefined): asserts value is string;
+
+/**
+ * Framework-neutral route-handler factory for the four Glide WebAuthn ceremonies.
+ *
+ * Returns a single `(request: Request) => Promise<Response>` handler that
+ * integrators can mount directly as a Next.js App Router POST route, or adapt
+ * to any framework that accepts Web-standard Request/Response objects.
+ *
+ * The factory imports nothing from `next/server` — it uses only the Web Fetch
+ * API (`Request`, `Response`) so it stays framework-neutral.
+ *
+ * @example Next.js App Router (apps/demo/app/api/passkey/[action]/route.ts):
+ * ```ts
+ * import { createPasskeyRouteHandler } from "@glydi/passkey-server";
+ * import { glide } from "../../../../lib/glide";
+ * import { getOrCreateSessionId, getSessionUserId, startUserSession } from "../../../../lib/session";
+ *
+ * export const POST = createPasskeyRouteHandler({
+ *   server: glide,
+ *   getSessionId: () => getOrCreateSessionId(),
+ *   getUserId: () => getSessionUserId(),
+ *   onAuthSuccess: (user) => startUserSession(user.id),
+ * });
+ * ```
+ */
+
+interface PasskeyRouteHandlerConfig {
+    /**
+     * The GlideServer instance returned by createGlideServer().
+     * Create it once at module load and pass it in — do NOT call createGlideServer
+     * inside this config.
+     */
+    server: ReturnType<typeof createGlideServer>;
+    /**
+     * Resolve (or create) the pre-auth session id for this request.
+     *
+     * In Next.js App Router: return `getOrCreateSessionId()` which reads/writes
+     * via `cookies()` from `next/headers`. The `request` parameter is provided
+     * for framework-neutral cookie reading (Express: `request.headers.get("cookie")`);
+     * Next.js apps can safely ignore it.
+     */
+    getSessionId: (request: Request) => Promise<string>;
+    /**
+     * Optional: return the currently signed-in user id for add-a-device flows.
+     *
+     * When provided and non-undefined, `register-begin` attaches the new credential
+     * to this existing user instead of creating a fresh sign-up.
+     *
+     * SECURITY: This callback MUST only return the authenticated user's id — verified
+     * from a tamper-evident session cookie (e.g., HMAC-signed as the demo does with
+     * `getSessionUserId`). Returning any arbitrary user id would allow credential
+     * hijacking.
+     */
+    getUserId?: (request: Request) => Promise<string | undefined>;
+    /**
+     * Optional: called after `register-finish` and `authenticate-finish` with the
+     * authenticated user. Use this to mint your own login session (set an HttpOnly
+     * cookie). The factory does not issue tokens — this is your moment to do so.
+     *
+     * Return value: anything you return is shallow-merged into the JSON response
+     * body (on top of the ceremony's `{ user, ... }` result). This is how an auth
+     * bridge hands the client a token it must exchange — e.g. the Glide↔Firebase
+     * bridge returns `{ accessToken: firebaseCustomToken }`, which surfaces to the
+     * client's `onSuccess(result)` as `result.accessToken`. Returning `void` (the
+     * common case, when you only set a cookie) leaves the body untouched.
+     *
+     * Errors thrown here are treated as 500 internal errors (the callback runs inside
+     * the try/catch, so a session-minting failure is a request failure).
+     */
+    onAuthSuccess?: (user: GlideAuthResult["user"], request: Request) => Promise<void | ({
+        accessToken?: string;
+    } & Record<string, unknown>)>;
+}
+/**
+ * Creates a Web-standard `(request: Request) => Promise<Response>` handler
+ * that dispatches to all four Glide WebAuthn ceremonies based on the last path
+ * segment of the request URL:
+ *   - `register-begin`
+ *   - `register-finish`
+ *   - `authenticate-begin`
+ *   - `authenticate-finish`
+ *
+ * Non-POST requests → 405
+ * Unknown actions → 404 `{ error: "unknown_action" }`
+ * GlideServerError → 400 `{ error: code, message }`
+ * Unexpected errors → 500 `{ error: "internal" }` (logged server-side)
+ */
+declare function createPasskeyRouteHandler(config: PasskeyRouteHandlerConfig): (request: Request) => Promise<Response>;
+
+export { type AuthenticatorTransportFuture, type BeginContext, type ChallengeStore, type CredentialStore, type FinishContext, type GlideAuthResult, type GlideServerConfig, GlideServerError, type GlideStore, type GlideUserRecord, type PasskeyRouteHandlerConfig, type StoredCredential, type UserStore, assertSecureSecret, createGlideServer, createInMemoryStore, createPasskeyRouteHandler };

package/dist/index.js

@@ -0,0 +1,331 @@
+import { verifyAuthenticationResponse, generateAuthenticationOptions, verifyRegistrationResponse, generateRegistrationOptions } from '@simplewebauthn/server';
+
+// src/glide-server.ts
+var enc = new TextEncoder();
+function createGlideServer(config) {
+  const ttl = config.challengeTtlMs ?? 12e4;
+  const uv = config.userVerification ?? "preferred";
+  const expectedOrigin = config.origin;
+  return {
+    /** POST /register/begin — returns PublicKeyCredentialCreationOptionsJSON. */
+    async registerBegin(ctx) {
+      const user = ctx.userId ? await config.store.users.findById(ctx.userId) : await config.store.users.upsert(ctx.username);
+      if (!user) {
+        throw new GlideServerError("unknown_user", "No such user to register for.");
+      }
+      const existing = await config.store.credentials.listByUser(user.id);
+      const options = await generateRegistrationOptions({
+        rpName: config.rpName,
+        rpID: config.rpID,
+        userName: user.name ?? user.id,
+        userDisplayName: user.name ?? "New user",
+        // Tie the credential to OUR stable user id (opaque handle, not email).
+        userID: enc.encode(user.id),
+        attestationType: "none",
+        authenticatorSelection: {
+          residentKey: "required",
+          // make it a true discoverable passkey
+          userVerification: uv
+        },
+        // Prevent re-registering an authenticator the user already has.
+        excludeCredentials: existing.map((c) => ({
+          id: c.credentialId,
+          ...c.transports ? { transports: c.transports } : {}
+        })),
+        supportedAlgorithmIDs: [-7, -257]
+        // ES256, RS256
+      });
+      await config.store.challenges.set(ctx.sessionId, options.challenge, ttl);
+      await config.store.challenges.set(
+        userKey(ctx.sessionId),
+        user.id,
+        ttl
+      );
+      return options;
+    },
+    /** POST /register/finish — verifies attestation, persists the credential. */
+    async registerFinish(ctx) {
+      const expectedChallenge = await config.store.challenges.get(ctx.sessionId);
+      const userId = await config.store.challenges.get(userKey(ctx.sessionId));
+      await config.store.challenges.clear(ctx.sessionId);
+      await config.store.challenges.clear(userKey(ctx.sessionId));
+      if (!expectedChallenge || !userId) {
+        throw new GlideServerError("no_challenge", "No active challenge.");
+      }
+      const verification = await verifyRegistrationResponse({
+        response: ctx.body,
+        expectedChallenge,
+        expectedOrigin,
+        expectedRPID: config.rpID,
+        requireUserVerification: uv === "required"
+      });
+      if (!verification.verified || !verification.registrationInfo) {
+        throw new GlideServerError("not_verified", "Registration failed verification.");
+      }
+      const { credential, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
+      await config.store.credentials.save(userId, {
+        credentialId: credential.id,
+        publicKey: credential.publicKey,
+        counter: credential.counter,
+        transports: credential.transports,
+        deviceType: credentialDeviceType,
+        backedUp: credentialBackedUp,
+        createdAt: Date.now()
+      });
+      const user = await config.store.users.findById(userId);
+      return { user: user ?? { id: userId } };
+    },
+    /** POST /authenticate/begin — returns PublicKeyCredentialRequestOptionsJSON. */
+    async authenticateBegin(ctx) {
+      let allowCredentials;
+      if (ctx.username) {
+        const user = await config.store.users.findByUsername(ctx.username);
+        if (user) {
+          const creds = await config.store.credentials.listByUser(user.id);
+          allowCredentials = creds.map((c) => ({
+            id: c.credentialId,
+            ...c.transports ? { transports: c.transports } : {}
+          }));
+        }
+      }
+      const options = await generateAuthenticationOptions({
+        rpID: config.rpID,
+        userVerification: uv,
+        ...allowCredentials ? { allowCredentials } : {}
+      });
+      await config.store.challenges.set(ctx.sessionId, options.challenge, ttl);
+      return options;
+    },
+    /** POST /authenticate/finish — verifies the assertion, bumps the counter. */
+    async authenticateFinish(ctx) {
+      const expectedChallenge = await config.store.challenges.get(ctx.sessionId);
+      await config.store.challenges.clear(ctx.sessionId);
+      if (!expectedChallenge) {
+        throw new GlideServerError("no_challenge", "No active challenge.");
+      }
+      const dbCred = await config.store.credentials.findById(ctx.body?.id);
+      if (!dbCred) {
+        throw new GlideServerError("unknown_credential", "Unrecognized passkey.");
+      }
+      const verification = await verifyAuthenticationResponse({
+        response: ctx.body,
+        expectedChallenge,
+        expectedOrigin,
+        expectedRPID: config.rpID,
+        requireUserVerification: uv === "required",
+        credential: {
+          id: dbCred.credentialId,
+          publicKey: dbCred.publicKey,
+          counter: dbCred.counter,
+          ...dbCred.transports ? { transports: dbCred.transports } : {}
+        }
+      });
+      if (!verification.verified) {
+        throw new GlideServerError("not_verified", "Authentication failed.");
+      }
+      await config.store.credentials.updateCounter(
+        dbCred.credentialId,
+        verification.authenticationInfo.newCounter
+      );
+      const owner = await config.store.users.findById(dbCred.userId);
+      return { user: owner ?? { id: dbCred.userId } };
+    }
+  };
+}
+var GlideServerError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.name = "GlideServerError";
+    this.code = code;
+  }
+};
+function userKey(sessionId) {
+  return `${sessionId}::reg-user`;
+}
+
+// src/store.ts
+function createInMemoryStore() {
+  if (process.env.NODE_ENV === "production" && process.env.GLIDE_ALLOW_INMEMORY !== "1") {
+    throw new Error(
+      "[Glide] createInMemoryStore() is not allowed in production. Use a persistent store (e.g. createSqliteStore()), or set GLIDE_ALLOW_INMEMORY=1 to explicitly opt in (e.g. Vercel demo)."
+    );
+  }
+  const challenges = /* @__PURE__ */ new Map();
+  const credentials = /* @__PURE__ */ new Map();
+  const credsByUser = /* @__PURE__ */ new Map();
+  const users = /* @__PURE__ */ new Map();
+  const usersByName = /* @__PURE__ */ new Map();
+  let seq = 0;
+  return {
+    challenges: {
+      async get(sessionId) {
+        const entry = challenges.get(sessionId);
+        if (!entry)
+          return void 0;
+        if (entry.expires < dateNow()) {
+          challenges.delete(sessionId);
+          return void 0;
+        }
+        return entry.value;
+      },
+      async set(sessionId, value, ttlMs) {
+        challenges.set(sessionId, { value, expires: dateNow() + ttlMs });
+      },
+      async clear(sessionId) {
+        challenges.delete(sessionId);
+      }
+    },
+    credentials: {
+      async findById(id) {
+        return credentials.get(id);
+      },
+      async listByUser(userId) {
+        const ids = credsByUser.get(userId) ?? /* @__PURE__ */ new Set();
+        return [...ids].map((id) => credentials.get(id)).filter(Boolean);
+      },
+      async save(userId, cred) {
+        credentials.set(cred.credentialId, { ...cred, userId });
+        const set = credsByUser.get(userId) ?? /* @__PURE__ */ new Set();
+        set.add(cred.credentialId);
+        credsByUser.set(userId, set);
+      },
+      async updateCounter(id, counter) {
+        const c = credentials.get(id);
+        if (c)
+          c.counter = counter;
+      },
+      async delete(id) {
+        const c = credentials.get(id);
+        if (!c)
+          return;
+        credentials.delete(id);
+        credsByUser.get(c.userId)?.delete(id);
+      },
+      async rename(id, name) {
+        const c = credentials.get(id);
+        if (c)
+          c.name = name;
+      }
+    },
+    users: {
+      async findByUsername(username) {
+        const id = usersByName.get(username);
+        return id ? users.get(id) : void 0;
+      },
+      async findById(id) {
+        return users.get(id);
+      },
+      async upsert(username) {
+        if (username) {
+          const existingId = usersByName.get(username);
+          if (existingId)
+            return users.get(existingId);
+        }
+        const id = `usr_${(++seq).toString(36)}_${randomSuffix()}`;
+        const record = username ? { id, name: username, email: username } : { id };
+        users.set(id, record);
+        if (username)
+          usersByName.set(username, id);
+        return record;
+      }
+    }
+  };
+}
+function dateNow() {
+  return Date.now();
+}
+function randomSuffix() {
+  return Math.random().toString(36).slice(2, 8);
+}
+
+// src/env-assert.ts
+var DEV_PLACEHOLDER = "dev-only-insecure-secret-change-me";
+function assertSecureSecret(envVar, value) {
+  if (!value || value === DEV_PLACEHOLDER) {
+    throw new Error(
+      `[Glide] ${envVar} is not set or equals the dev placeholder. Generate a real secret: openssl rand -base64 32`
+    );
+  }
+  if (value.length < 32) {
+    console.warn(
+      `[Glide] ${envVar} is shorter than 32 characters. Consider generating a longer secret for production.`
+    );
+  }
+}
+
+// src/route-handler.ts
+function jsonResponse(body, status) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+async function safeJson(request) {
+  try {
+    return await request.json();
+  } catch {
+    return {};
+  }
+}
+function lastSegment(url) {
+  const { pathname } = new URL(url);
+  const parts = pathname.split("/").filter(Boolean);
+  return parts[parts.length - 1] ?? "";
+}
+function createPasskeyRouteHandler(config) {
+  return async (request) => {
+    if (request.method !== "POST") {
+      return jsonResponse({ error: "method_not_allowed" }, 405);
+    }
+    const action = lastSegment(request.url);
+    const sessionId = await config.getSessionId(request);
+    const body = await safeJson(request);
+    try {
+      switch (action) {
+        case "register-begin": {
+          const userId = await config.getUserId?.(request);
+          const username = typeof body.username === "string" ? body.username : void 0;
+          const result = await config.server.registerBegin({
+            sessionId,
+            ...username !== void 0 ? { username } : {},
+            ...userId ? { userId } : {}
+          });
+          return jsonResponse(result, 200);
+        }
+        case "register-finish": {
+          const result = await config.server.registerFinish({ sessionId, body });
+          const extra = await config.onAuthSuccess?.(result.user, request);
+          return jsonResponse({ ...result, ...extra ?? {} }, 200);
+        }
+        case "authenticate-begin": {
+          const username = typeof body.username === "string" ? body.username : void 0;
+          const result = await config.server.authenticateBegin({
+            sessionId,
+            ...username !== void 0 ? { username } : {}
+          });
+          return jsonResponse(result, 200);
+        }
+        case "authenticate-finish": {
+          const result = await config.server.authenticateFinish({
+            sessionId,
+            body
+          });
+          const extra = await config.onAuthSuccess?.(result.user, request);
+          return jsonResponse({ ...result, ...extra ?? {} }, 200);
+        }
+        default:
+          return jsonResponse({ error: "unknown_action" }, 404);
+      }
+    } catch (err) {
+      if (err instanceof GlideServerError) {
+        return jsonResponse({ error: err.code, message: err.message }, 400);
+      }
+      console.error("[glide] unexpected error", err);
+      return jsonResponse({ error: "internal" }, 500);
+    }
+  };
+}
+
+export { GlideServerError, assertSecureSecret, createGlideServer, createInMemoryStore, createPasskeyRouteHandler };
+//# sourceMappingURL=out.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/glide-server.ts","../src/store.ts","../src/env-assert.ts","../src/route-handler.ts"],"names":[],"mappings":";AASA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AA+CP,IAAM,MAAM,IAAI,YAAY;AAErB,SAAS,kBAAkB,QAA2B;AAC3D,QAAM,MAAM,OAAO,kBAAkB;AACrC,QAAM,KAAK,OAAO,oBAAoB;AACtC,QAAM,iBAAiB,OAAO;AAE9B,SAAO;AAAA;AAAA,IAEL,MAAM,cAAc,KAAmB;AAGrC,YAAM,OAAO,IAAI,SACb,MAAM,OAAO,MAAM,MAAM,SAAS,IAAI,MAAM,IAC5C,MAAM,OAAO,MAAM,MAAM,OAAO,IAAI,QAAQ;AAChD,UAAI,CAAC,MAAM;AACT,cAAM,IAAI,iBAAiB,gBAAgB,+BAA+B;AAAA,MAC5E;AACA,YAAM,WAAW,MAAM,OAAO,MAAM,YAAY,WAAW,KAAK,EAAE;AAElE,YAAM,UAAU,MAAM,4BAA4B;AAAA,QAChD,QAAQ,OAAO;AAAA,QACf,MAAM,OAAO;AAAA,QACb,UAAU,KAAK,QAAQ,KAAK;AAAA,QAC5B,iBAAiB,KAAK,QAAQ;AAAA;AAAA,QAE9B,QAAQ,IAAI,OAAO,KAAK,EAAE;AAAA,QAC1B,iBAAiB;AAAA,QACjB,wBAAwB;AAAA,UACtB,aAAa;AAAA;AAAA,UACb,kBAAkB;AAAA,QACpB;AAAA;AAAA,QAEA,oBAAoB,SAAS,IAAI,CAAC,OAAO;AAAA,UACvC,IAAI,EAAE;AAAA,UACN,GAAI,EAAE,aAAa,EAAE,YAAY,EAAE,WAAW,IAAI,CAAC;AAAA,QACrD,EAAE;AAAA,QACF,uBAAuB,CAAC,IAAI,IAAI;AAAA;AAAA,MAClC,CAAC;AAED,YAAM,OAAO,MAAM,WAAW,IAAI,IAAI,WAAW,QAAQ,WAAW,GAAG;AAEvE,YAAM,OAAO,MAAM,WAAW;AAAA,QAC5B,QAAQ,IAAI,SAAS;AAAA,QACrB,KAAK;AAAA,QACL;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA;AAAA,IAGA,MAAM,eAAe,KAA8C;AACjE,YAAM,oBAAoB,MAAM,OAAO,MAAM,WAAW,IAAI,IAAI,SAAS;AACzE,YAAM,SAAS,MAAM,OAAO,MAAM,WAAW,IAAI,QAAQ,IAAI,SAAS,CAAC;AAEvE,YAAM,OAAO,MAAM,WAAW,MAAM,IAAI,SAAS;AACjD,YAAM,OAAO,MAAM,WAAW,MAAM,QAAQ,IAAI,SAAS,CAAC;AAC1D,UAAI,CAAC,qBAAqB,CAAC,QAAQ;AACjC,cAAM,IAAI,iBAAiB,gBAAgB,sBAAsB;AAAA,MACnE;AAEA,YAAM,eAAe,MAAM,2BAA2B;AAAA,QACpD,UAAU,IAAI;AAAA,QACd;AAAA,QACA;AAAA,QACA,cAAc,OAAO;AAAA,QACrB,yBAAyB,OAAO;AAAA,MAClC,CAAC;AACD,UAAI,CAAC,aAAa,YAAY,CAAC,aAAa,kBAAkB;AAC5D,cAAM,IAAI,iBAAiB,gBAAgB,mCAAmC;AAAA,MAChF;AAEA,YAAM,EAAE,YAAY,sBAAsB,mBAAmB,IAC3D,aAAa;AACf,YAAM,OAAO,MAAM,YAAY,KAAK,QAAQ;AAAA,QAC1C,cAAc,WAAW;AAAA,QACzB,WAAW,WAAW;AAAA,QACtB,SAAS,WAAW;AAAA,QACpB,YAAY,WAAW;AAAA,QACvB,YAAY;AAAA,QACZ,UAAU;AAAA,QACV,WAAW,KAAK,IAAI;AAAA,MACtB,CAAC;AAED,YAAM,OAAO,MAAM,OAAO,MAAM,MAAM,SAAS,MAAM;AACrD,aAAO,EAAE,MAAM,QAAQ,EAAE,IAAI,OAAO,EAAE;AAAA,IACxC;AAAA;AAAA,IAGA,MAAM,kBAAkB,KAAmB;AAEzC,UAAI;AACJ,UAAI,IAAI,UAAU;AAChB,cAAM,OAAO,MAAM,OAAO,MAAM,MAAM,eAAe,IAAI,QAAQ;AACjE,YAAI,MAAM;AACR,gBAAM,QAAQ,MAAM,OAAO,MAAM,YAAY,WAAW,KAAK,EAAE;AAC/D,6BAAmB,MAAM,IAAI,CAAC,OAAO;AAAA,YACnC,IAAI,EAAE;AAAA,YACN,GAAI,EAAE,aAAa,EAAE,YAAY,EAAE,WAAW,IAAI,CAAC;AAAA,UACrD,EAAE;AAAA,QACJ;AAAA,MACF;AAEA,YAAM,UAAU,MAAM,8BAA8B;AAAA,QAClD,MAAM,OAAO;AAAA,QACb,kBAAkB;AAAA,QAClB,GAAI,mBAAmB,EAAE,iBAAiB,IAAI,CAAC;AAAA,MACjD,CAAC;AAED,YAAM,OAAO,MAAM,WAAW,IAAI,IAAI,WAAW,QAAQ,WAAW,GAAG;AACvE,aAAO;AAAA,IACT;AAAA;AAAA,IAGA,MAAM,mBAAmB,KAA8C;AACrE,YAAM,oBAAoB,MAAM,OAAO,MAAM,WAAW,IAAI,IAAI,SAAS;AACzE,YAAM,OAAO,MAAM,WAAW,MAAM,IAAI,SAAS;AACjD,UAAI,CAAC,mBAAmB;AACtB,cAAM,IAAI,iBAAiB,gBAAgB,sBAAsB;AAAA,MACnE;AAEA,YAAM,SAAS,MAAM,OAAO,MAAM,YAAY,SAAS,IAAI,MAAM,EAAE;AACnE,UAAI,CAAC,QAAQ;AACX,cAAM,IAAI,iBAAiB,sBAAsB,uBAAuB;AAAA,MAC1E;AAEA,YAAM,eAAe,MAAM,6BAA6B;AAAA,QACtD,UAAU,IAAI;AAAA,QACd;AAAA,QACA;AAAA,QACA,cAAc,OAAO;AAAA,QACrB,yBAAyB,OAAO;AAAA,QAChC,YAAY;AAAA,UACV,IAAI,OAAO;AAAA,UACX,WAAW,OAAO;AAAA,UAClB,SAAS,OAAO;AAAA,UAChB,GAAI,OAAO,aAAa,EAAE,YAAY,OAAO,WAAW,IAAI,CAAC;AAAA,QAC/D;AAAA,MACF,CAAC;AACD,UAAI,CAAC,aAAa,UAAU;AAC1B,cAAM,IAAI,iBAAiB,gBAAgB,wBAAwB;AAAA,MACrE;AAGA,YAAM,OAAO,MAAM,YAAY;AAAA,QAC7B,OAAO;AAAA,QACP,aAAa,mBAAmB;AAAA,MAClC;AAEA,YAAM,QAAQ,MAAM,OAAO,MAAM,MAAM,SAAS,OAAO,MAAM;AAC7D,aAAO,EAAE,MAAM,SAAS,EAAE,IAAI,OAAO,OAAO,EAAE;AAAA,IAChD;AAAA,EACF;AACF;AAEO,IAAM,mBAAN,cAA+B,MAAM;AAAA,EAE1C,YAAY,MAAc,SAAiB;AACzC,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,OAAO;AAAA,EACd;AACF;AAEA,SAAS,QAAQ,WAA2B;AAC1C,SAAO,GAAG,SAAS;AACrB;;;AC7IO,SAAS,sBAAkC;AAChD,MACE,QAAQ,IAAI,aAAa,gBACzB,QAAQ,IAAI,yBAAyB,KACrC;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AACA,QAAM,aAAa,oBAAI,IAAgD;AACvE,QAAM,cAAc,oBAAI,IAA8B;AACtD,QAAM,cAAc,oBAAI,IAAyB;AACjD,QAAM,QAAQ,oBAAI,IAA6B;AAC/C,QAAM,cAAc,oBAAI,IAAoB;AAC5C,MAAI,MAAM;AAEV,SAAO;AAAA,IACL,YAAY;AAAA,MACV,MAAM,IAAI,WAAW;AACnB,cAAM,QAAQ,WAAW,IAAI,SAAS;AACtC,YAAI,CAAC;AAAO,iBAAO;AACnB,YAAI,MAAM,UAAU,QAAQ,GAAG;AAC7B,qBAAW,OAAO,SAAS;AAC3B,iBAAO;AAAA,QACT;AACA,eAAO,MAAM;AAAA,MACf;AAAA,MACA,MAAM,IAAI,WAAW,OAAO,OAAO;AACjC,mBAAW,IAAI,WAAW,EAAE,OAAO,SAAS,QAAQ,IAAI,MAAM,CAAC;AAAA,MACjE;AAAA,MACA,MAAM,MAAM,WAAW;AACrB,mBAAW,OAAO,SAAS;AAAA,MAC7B;AAAA,IACF;AAAA,IACA,aAAa;AAAA,MACX,MAAM,SAAS,IAAI;AACjB,eAAO,YAAY,IAAI,EAAE;AAAA,MAC3B;AAAA,MACA,MAAM,WAAW,QAAQ;AACvB,cAAM,MAAM,YAAY,IAAI,MAAM,KAAK,oBAAI,IAAI;AAC/C,eAAO,CAAC,GAAG,GAAG,EAAE,IAAI,CAAC,OAAO,YAAY,IAAI,EAAE,CAAE,EAAE,OAAO,OAAO;AAAA,MAClE;AAAA,MACA,MAAM,KAAK,QAAQ,MAAM;AACvB,oBAAY,IAAI,KAAK,cAAc,EAAE,GAAG,MAAM,OAAO,CAAC;AACtD,cAAM,MAAM,YAAY,IAAI,MAAM,KAAK,oBAAI,IAAY;AACvD,YAAI,IAAI,KAAK,YAAY;AACzB,oBAAY,IAAI,QAAQ,GAAG;AAAA,MAC7B;AAAA,MACA,MAAM,cAAc,IAAI,SAAS;AAC/B,cAAM,IAAI,YAAY,IAAI,EAAE;AAC5B,YAAI;AAAG,YAAE,UAAU;AAAA,MACrB;AAAA,MACA,MAAM,OAAO,IAAI;AACf,cAAM,IAAI,YAAY,IAAI,EAAE;AAC5B,YAAI,CAAC;AAAG;AACR,oBAAY,OAAO,EAAE;AACrB,oBAAY,IAAI,EAAE,MAAM,GAAG,OAAO,EAAE;AAAA,MACtC;AAAA,MACA,MAAM,OAAO,IAAI,MAAM;AACrB,cAAM,IAAI,YAAY,IAAI,EAAE;AAC5B,YAAI;AAAG,YAAE,OAAO;AAAA,MAClB;AAAA,IACF;AAAA,IACA,OAAO;AAAA,MACL,MAAM,eAAe,UAAU;AAC7B,cAAM,KAAK,YAAY,IAAI,QAAQ;AACnC,eAAO,KAAK,MAAM,IAAI,EAAE,IAAI;AAAA,MAC9B;AAAA,MACA,MAAM,SAAS,IAAI;AACjB,eAAO,MAAM,IAAI,EAAE;AAAA,MACrB;AAAA,MACA,MAAM,OAAO,UAAU;AACrB,YAAI,UAAU;AACZ,gBAAM,aAAa,YAAY,IAAI,QAAQ;AAC3C,cAAI;AAAY,mBAAO,MAAM,IAAI,UAAU;AAAA,QAC7C;AACA,cAAM,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,CAAC,IAAI,aAAa,CAAC;AACxD,cAAM,SAA0B,WAC5B,EAAE,IAAI,MAAM,UAAU,OAAO,SAAS,IACtC,EAAE,GAAG;AACT,cAAM,IAAI,IAAI,MAAM;AACpB,YAAI;AAAU,sBAAY,IAAI,UAAU,EAAE;AAC1C,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;AAGA,SAAS,UAAkB;AACzB,SAAO,KAAK,IAAI;AAClB;AACA,SAAS,eAAuB;AAC9B,SAAO,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,CAAC;AAC9C;;;ACtLA,IAAM,kBAAkB;AAuBjB,SAAS,mBACd,QACA,OACyB;AACzB,MAAI,CAAC,SAAS,UAAU,iBAAiB;AACvC,UAAM,IAAI;AAAA,MACR,WAAW,MAAM;AAAA,IAEnB;AAAA,EACF;AACA,MAAI,MAAM,SAAS,IAAI;AACrB,YAAQ;AAAA,MACN,WAAW,MAAM;AAAA,IAEnB;AAAA,EACF;AACF;;;ACkDA,SAAS,aAAa,MAAe,QAA0B;AAC7D,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,GAAG;AAAA,IACxC;AAAA,IACA,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,EAChD,CAAC;AACH;AAEA,eAAe,SAAS,SAAoD;AAC1E,MAAI;AACF,WAAQ,MAAM,QAAQ,KAAK;AAAA,EAC7B,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAUA,SAAS,YAAY,KAAqB;AACxC,QAAM,EAAE,SAAS,IAAI,IAAI,IAAI,GAAG;AAChC,QAAM,QAAQ,SAAS,MAAM,GAAG,EAAE,OAAO,OAAO;AAChD,SAAO,MAAM,MAAM,SAAS,CAAC,KAAK;AACpC;AAoBO,SAAS,0BACd,QACyC;AACzC,SAAO,OAAO,YAAY;AAExB,QAAI,QAAQ,WAAW,QAAQ;AAC7B,aAAO,aAAa,EAAE,OAAO,qBAAqB,GAAG,GAAG;AAAA,IAC1D;AAEA,UAAM,SAAS,YAAY,QAAQ,GAAG;AACtC,UAAM,YAAY,MAAM,OAAO,aAAa,OAAO;AACnD,UAAM,OAAO,MAAM,SAAS,OAAO;AAEnC,QAAI;AACF,cAAQ,QAAQ;AAAA,QACd,KAAK,kBAAkB;AAErB,gBAAM,SAAS,MAAM,OAAO,YAAY,OAAO;AAG/C,gBAAM,WACJ,OAAO,KAAK,aAAa,WAAW,KAAK,WAAW;AACtD,gBAAM,SAAS,MAAM,OAAO,OAAO,cAAc;AAAA,YAC/C;AAAA,YACA,GAAI,aAAa,SAAY,EAAE,SAAS,IAAI,CAAC;AAAA,YAC7C,GAAI,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,UAC7B,CAAC;AACD,iBAAO,aAAa,QAAQ,GAAG;AAAA,QACjC;AAAA,QAEA,KAAK,mBAAmB;AACtB,gBAAM,SAAS,MAAM,OAAO,OAAO,eAAe,EAAE,WAAW,KAAK,CAAC;AAGrE,gBAAM,QAAQ,MAAM,OAAO,gBAAgB,OAAO,MAAM,OAAO;AAC/D,iBAAO,aAAa,EAAE,GAAG,QAAQ,GAAI,SAAS,CAAC,EAAG,GAAG,GAAG;AAAA,QAC1D;AAAA,QAEA,KAAK,sBAAsB;AAGzB,gBAAM,WACJ,OAAO,KAAK,aAAa,WAAW,KAAK,WAAW;AACtD,gBAAM,SAAS,MAAM,OAAO,OAAO,kBAAkB;AAAA,YACnD;AAAA,YACA,GAAI,aAAa,SAAY,EAAE,SAAS,IAAI,CAAC;AAAA,UAC/C,CAAC;AACD,iBAAO,aAAa,QAAQ,GAAG;AAAA,QACjC;AAAA,QAEA,KAAK,uBAAuB;AAC1B,gBAAM,SAAS,MAAM,OAAO,OAAO,mBAAmB;AAAA,YACpD;AAAA,YACA;AAAA,UACF,CAAC;AACD,gBAAM,QAAQ,MAAM,OAAO,gBAAgB,OAAO,MAAM,OAAO;AAC/D,iBAAO,aAAa,EAAE,GAAG,QAAQ,GAAI,SAAS,CAAC,EAAG,GAAG,GAAG;AAAA,QAC1D;AAAA,QAEA;AACE,iBAAO,aAAa,EAAE,OAAO,iBAAiB,GAAG,GAAG;AAAA,MACxD;AAAA,IACF,SAAS,KAAK;AACZ,UAAI,eAAe,kBAAkB;AACnC,eAAO,aAAa,EAAE,OAAO,IAAI,MAAM,SAAS,IAAI,QAAQ,GAAG,GAAG;AAAA,MACpE;AACA,cAAQ,MAAM,4BAA4B,GAAG;AAC7C,aAAO,aAAa,EAAE,OAAO,WAAW,GAAG,GAAG;AAAA,IAChD;AAAA,EACF;AACF","sourcesContent":["/**\n * Framework-agnostic WebAuthn handlers. Transport-neutral: each handler takes a\n * plain context (the caller's session id + parsed JSON body) and returns a plain\n * object to serialize. Wire them into Next route handlers, Express, Hono, etc.\n *\n * All cryptographic verification is delegated to @simplewebauthn/server (v13) —\n * we never hand-roll CBOR/COSE/attestation parsing.\n */\n\nimport {\n  generateRegistrationOptions,\n  verifyRegistrationResponse,\n  generateAuthenticationOptions,\n  verifyAuthenticationResponse,\n} from \"@simplewebauthn/server\";\nimport type { GlideStore } from \"./store.js\";\n\nexport interface GlideServerConfig {\n  /** Human-readable RP name shown in some authenticator UIs. */\n  rpName: string;\n  /** Registrable domain, e.g. \"example.com\" (a suffix of every origin). */\n  rpID: string;\n  /** Exact expected origin(s), e.g. \"https://app.example.com\". */\n  origin: string | string[];\n  store: GlideStore;\n  /** Challenge lifetime; should match the client `timeout`. Default 120s. */\n  challengeTtlMs?: number;\n  /** \"required\" forces biometric/PIN; \"preferred\" is the smooth default. */\n  userVerification?: \"required\" | \"preferred\" | \"discouraged\";\n}\n\nexport interface BeginContext {\n  /** Stable id for the current (pre-auth) browser session. */\n  sessionId: string;\n  /** Optional username hint from the client (used for known-user flows). */\n  username?: string;\n  /**\n   * Register a new credential for an EXISTING user (add-a-device). When set,\n   * the ceremony attaches to this user id instead of upserting by username —\n   * the correct path for \"add another passkey\" while already signed in.\n   * (registerBegin only.)\n   */\n  userId?: string;\n}\n\nexport interface FinishContext {\n  sessionId: string;\n  /** The raw JSON the browser produced (registration or assertion response). */\n  body: any;\n}\n\nexport interface GlideAuthResult {\n  user: { id: string; name?: string; email?: string };\n  /**\n   * The SDK does NOT mint tokens for you — issue your own session here\n   * (set an HttpOnly cookie in your transport layer). Returned for convenience\n   * if you choose to hand a short-lived access token to the client (memory only).\n   */\n  accessToken?: string;\n}\n\nconst enc = new TextEncoder();\n\nexport function createGlideServer(config: GlideServerConfig) {\n  const ttl = config.challengeTtlMs ?? 120_000;\n  const uv = config.userVerification ?? \"preferred\";\n  const expectedOrigin = config.origin;\n\n  return {\n    /** POST /register/begin — returns PublicKeyCredentialCreationOptionsJSON. */\n    async registerBegin(ctx: BeginContext) {\n      // Add-a-device: attach to the existing signed-in user when a userId is\n      // given; otherwise upsert by username (new sign-up).\n      const user = ctx.userId\n        ? await config.store.users.findById(ctx.userId)\n        : await config.store.users.upsert(ctx.username);\n      if (!user) {\n        throw new GlideServerError(\"unknown_user\", \"No such user to register for.\");\n      }\n      const existing = await config.store.credentials.listByUser(user.id);\n\n      const options = await generateRegistrationOptions({\n        rpName: config.rpName,\n        rpID: config.rpID,\n        userName: user.name ?? user.id,\n        userDisplayName: user.name ?? \"New user\",\n        // Tie the credential to OUR stable user id (opaque handle, not email).\n        userID: enc.encode(user.id),\n        attestationType: \"none\",\n        authenticatorSelection: {\n          residentKey: \"required\", // make it a true discoverable passkey\n          userVerification: uv,\n        },\n        // Prevent re-registering an authenticator the user already has.\n        excludeCredentials: existing.map((c) => ({\n          id: c.credentialId,\n          ...(c.transports ? { transports: c.transports } : {}),\n        })),\n        supportedAlgorithmIDs: [-7, -257], // ES256, RS256\n      });\n\n      await config.store.challenges.set(ctx.sessionId, options.challenge, ttl);\n      // Stash the user id alongside the session so finish() knows who registered.\n      await config.store.challenges.set(\n        userKey(ctx.sessionId),\n        user.id,\n        ttl,\n      );\n      return options;\n    },\n\n    /** POST /register/finish — verifies attestation, persists the credential. */\n    async registerFinish(ctx: FinishContext): Promise<GlideAuthResult> {\n      const expectedChallenge = await config.store.challenges.get(ctx.sessionId);\n      const userId = await config.store.challenges.get(userKey(ctx.sessionId));\n      // Single-use: clear immediately, regardless of outcome below.\n      await config.store.challenges.clear(ctx.sessionId);\n      await config.store.challenges.clear(userKey(ctx.sessionId));\n      if (!expectedChallenge || !userId) {\n        throw new GlideServerError(\"no_challenge\", \"No active challenge.\");\n      }\n\n      const verification = await verifyRegistrationResponse({\n        response: ctx.body,\n        expectedChallenge,\n        expectedOrigin,\n        expectedRPID: config.rpID,\n        requireUserVerification: uv === \"required\",\n      });\n      if (!verification.verified || !verification.registrationInfo) {\n        throw new GlideServerError(\"not_verified\", \"Registration failed verification.\");\n      }\n\n      const { credential, credentialDeviceType, credentialBackedUp } =\n        verification.registrationInfo;\n      await config.store.credentials.save(userId, {\n        credentialId: credential.id,\n        publicKey: credential.publicKey,\n        counter: credential.counter,\n        transports: credential.transports,\n        deviceType: credentialDeviceType,\n        backedUp: credentialBackedUp,\n        createdAt: Date.now(),\n      });\n\n      const user = await config.store.users.findById(userId);\n      return { user: user ?? { id: userId } };\n    },\n\n    /** POST /authenticate/begin — returns PublicKeyCredentialRequestOptionsJSON. */\n    async authenticateBegin(ctx: BeginContext) {\n      // Usernameless/discoverable by default: empty allowCredentials.\n      let allowCredentials: { id: string; transports?: any[] }[] | undefined;\n      if (ctx.username) {\n        const user = await config.store.users.findByUsername(ctx.username);\n        if (user) {\n          const creds = await config.store.credentials.listByUser(user.id);\n          allowCredentials = creds.map((c) => ({\n            id: c.credentialId,\n            ...(c.transports ? { transports: c.transports } : {}),\n          }));\n        }\n      }\n\n      const options = await generateAuthenticationOptions({\n        rpID: config.rpID,\n        userVerification: uv,\n        ...(allowCredentials ? { allowCredentials } : {}),\n      });\n\n      await config.store.challenges.set(ctx.sessionId, options.challenge, ttl);\n      return options;\n    },\n\n    /** POST /authenticate/finish — verifies the assertion, bumps the counter. */\n    async authenticateFinish(ctx: FinishContext): Promise<GlideAuthResult> {\n      const expectedChallenge = await config.store.challenges.get(ctx.sessionId);\n      await config.store.challenges.clear(ctx.sessionId); // single-use\n      if (!expectedChallenge) {\n        throw new GlideServerError(\"no_challenge\", \"No active challenge.\");\n      }\n\n      const dbCred = await config.store.credentials.findById(ctx.body?.id);\n      if (!dbCred) {\n        throw new GlideServerError(\"unknown_credential\", \"Unrecognized passkey.\");\n      }\n\n      const verification = await verifyAuthenticationResponse({\n        response: ctx.body,\n        expectedChallenge,\n        expectedOrigin,\n        expectedRPID: config.rpID,\n        requireUserVerification: uv === \"required\",\n        credential: {\n          id: dbCred.credentialId,\n          publicKey: dbCred.publicKey,\n          counter: dbCred.counter,\n          ...(dbCred.transports ? { transports: dbCred.transports } : {}),\n        },\n      });\n      if (!verification.verified) {\n        throw new GlideServerError(\"not_verified\", \"Authentication failed.\");\n      }\n\n      // Replay protection: persist the new signature counter.\n      await config.store.credentials.updateCounter(\n        dbCred.credentialId,\n        verification.authenticationInfo.newCounter,\n      );\n\n      const owner = await config.store.users.findById(dbCred.userId);\n      return { user: owner ?? { id: dbCred.userId } };\n    },\n  };\n}\n\nexport class GlideServerError extends Error {\n  code: string;\n  constructor(code: string, message: string) {\n    super(message);\n    this.name = \"GlideServerError\";\n    this.code = code;\n  }\n}\n\nfunction userKey(sessionId: string): string {\n  return `${sessionId}::reg-user`;\n}\n","/**\n * Storage interfaces the Glide server needs, plus a dev-only in-memory impl.\n *\n * In production, back these with your own DB/Redis. The point of the interface\n * is that Glide never owns your user data — \"bring your own backend\".\n */\n\nexport interface StoredCredential {\n  /** Owning user's stable id. */\n  userId: string;\n  /** base64url credential id (PublicKeyCredential.id). */\n  credentialId: string;\n  /** COSE public key bytes. */\n  publicKey: Uint8Array;\n  /** Signature counter; updated on every successful authentication. */\n  counter: number;\n  transports?: AuthenticatorTransportFuture[] | undefined;\n  /** \"singleDevice\" | \"multiDevice\" — multiDevice = synced passkey. */\n  deviceType?: string | undefined;\n  backedUp?: boolean | undefined;\n  /** User-facing label, e.g. \"MacBook Touch ID\". Optional. */\n  name?: string | undefined;\n  /** Unix ms when the credential was registered. */\n  createdAt?: number | undefined;\n}\n\n/** Minimal transport list mirror to avoid importing DOM lib on the server. */\nexport type AuthenticatorTransportFuture =\n  | \"ble\"\n  | \"cable\"\n  | \"hybrid\"\n  | \"internal\"\n  | \"nfc\"\n  | \"smart-card\"\n  | \"usb\";\n\nexport interface GlideUserRecord {\n  /** Opaque, stable, app-owned user id (NOT the email). */\n  id: string;\n  name?: string;\n  email?: string;\n}\n\n/**\n * Per-session challenge store. The challenge MUST be:\n *  - random (handled by @simplewebauthn), single-use, short-lived,\n *  - bound to THIS session id (never accept another session's challenge).\n * Back this with your server-side session (Redis) or a sealed HttpOnly cookie.\n */\nexport interface ChallengeStore {\n  get(sessionId: string): Promise<string | undefined>;\n  set(sessionId: string, challenge: string, ttlMs: number): Promise<void>;\n  /** Clear on success AND failure to enforce single-use. */\n  clear(sessionId: string): Promise<void>;\n}\n\nexport interface CredentialStore {\n  findById(credentialId: string): Promise<StoredCredential | undefined>;\n  listByUser(userId: string): Promise<StoredCredential[]>;\n  save(userId: string, cred: Omit<StoredCredential, \"userId\">): Promise<void>;\n  updateCounter(credentialId: string, counter: number): Promise<void>;\n  /** Remove a credential (account management — \"remove this passkey\"). */\n  delete(credentialId: string): Promise<void>;\n  /** Set a user-facing label. */\n  rename(credentialId: string, name: string): Promise<void>;\n}\n\nexport interface UserStore {\n  findByUsername(username: string): Promise<GlideUserRecord | undefined>;\n  findById(userId: string): Promise<GlideUserRecord | undefined>;\n  /** Create-or-get; returns the stable user record. */\n  upsert(username: string | undefined): Promise<GlideUserRecord>;\n}\n\nexport interface GlideStore {\n  challenges: ChallengeStore;\n  credentials: CredentialStore;\n  users: UserStore;\n}\n\n/* ------------------------------------------------------------------ dev impl */\n\n/**\n * In-memory store for local development and tests ONLY. Not for production:\n * it's per-process, unbounded, and lost on restart.\n */\nexport function createInMemoryStore(): GlideStore {\n  if (\n    process.env.NODE_ENV === \"production\" &&\n    process.env.GLIDE_ALLOW_INMEMORY !== \"1\"\n  ) {\n    throw new Error(\n      \"[Glide] createInMemoryStore() is not allowed in production. \" +\n        \"Use a persistent store (e.g. createSqliteStore()), or set \" +\n        \"GLIDE_ALLOW_INMEMORY=1 to explicitly opt in (e.g. Vercel demo).\",\n    );\n  }\n  const challenges = new Map<string, { value: string; expires: number }>();\n  const credentials = new Map<string, StoredCredential>();\n  const credsByUser = new Map<string, Set<string>>();\n  const users = new Map<string, GlideUserRecord>();\n  const usersByName = new Map<string, string>();\n  let seq = 0;\n\n  return {\n    challenges: {\n      async get(sessionId) {\n        const entry = challenges.get(sessionId);\n        if (!entry) return undefined;\n        if (entry.expires < dateNow()) {\n          challenges.delete(sessionId);\n          return undefined;\n        }\n        return entry.value;\n      },\n      async set(sessionId, value, ttlMs) {\n        challenges.set(sessionId, { value, expires: dateNow() + ttlMs });\n      },\n      async clear(sessionId) {\n        challenges.delete(sessionId);\n      },\n    },\n    credentials: {\n      async findById(id) {\n        return credentials.get(id);\n      },\n      async listByUser(userId) {\n        const ids = credsByUser.get(userId) ?? new Set();\n        return [...ids].map((id) => credentials.get(id)!).filter(Boolean);\n      },\n      async save(userId, cred) {\n        credentials.set(cred.credentialId, { ...cred, userId });\n        const set = credsByUser.get(userId) ?? new Set<string>();\n        set.add(cred.credentialId);\n        credsByUser.set(userId, set);\n      },\n      async updateCounter(id, counter) {\n        const c = credentials.get(id);\n        if (c) c.counter = counter;\n      },\n      async delete(id) {\n        const c = credentials.get(id);\n        if (!c) return;\n        credentials.delete(id);\n        credsByUser.get(c.userId)?.delete(id);\n      },\n      async rename(id, name) {\n        const c = credentials.get(id);\n        if (c) c.name = name;\n      },\n    },\n    users: {\n      async findByUsername(username) {\n        const id = usersByName.get(username);\n        return id ? users.get(id) : undefined;\n      },\n      async findById(id) {\n        return users.get(id);\n      },\n      async upsert(username) {\n        if (username) {\n          const existingId = usersByName.get(username);\n          if (existingId) return users.get(existingId)!;\n        }\n        const id = `usr_${(++seq).toString(36)}_${randomSuffix()}`;\n        const record: GlideUserRecord = username\n          ? { id, name: username, email: username }\n          : { id };\n        users.set(id, record);\n        if (username) usersByName.set(username, id);\n        return record;\n      },\n    },\n  };\n}\n\n// Indirections so the in-memory store is easy to make deterministic in tests.\nfunction dateNow(): number {\n  return Date.now();\n}\nfunction randomSuffix(): string {\n  return Math.random().toString(36).slice(2, 8);\n}\n","const DEV_PLACEHOLDER = \"dev-only-insecure-secret-change-me\";\n\n/**\n * Assert that a named secret env var is set, non-empty, and not the known\n * dev placeholder. Declared with `asserts value is string` so TypeScript\n * narrows the type at the call site — no non-null assertion needed.\n *\n * Call before the secret is first used to sign/verify so misconfigured\n * deployments fail fast rather than silently signing sessions with an insecure\n * key. In Next.js App Router, call it lazily (e.g. inside the function that\n * reads the secret), NOT at module top-level — a module-load throw fires during\n * `next build` page-data collection and breaks the build.\n *\n * Warns (does not throw) when the secret is shorter than 32 chars.\n *\n * @example\n * const SECRET = process.env.GLIDE_SESSION_SECRET;\n * assertSecureSecret(\"GLIDE_SESSION_SECRET\", SECRET);\n * // TypeScript now narrows SECRET to `string`\n *\n * @param envVar - The name of the environment variable (used in error/warn messages).\n * @param value  - The raw value to assert against.\n */\nexport function assertSecureSecret(\n  envVar: string,\n  value: string | undefined,\n): asserts value is string {\n  if (!value || value === DEV_PLACEHOLDER) {\n    throw new Error(\n      `[Glide] ${envVar} is not set or equals the dev placeholder. ` +\n        `Generate a real secret: openssl rand -base64 32`,\n    );\n  }\n  if (value.length < 32) {\n    console.warn(\n      `[Glide] ${envVar} is shorter than 32 characters. ` +\n        `Consider generating a longer secret for production.`,\n    );\n  }\n}\n","/**\n * Framework-neutral route-handler factory for the four Glide WebAuthn ceremonies.\n *\n * Returns a single `(request: Request) => Promise<Response>` handler that\n * integrators can mount directly as a Next.js App Router POST route, or adapt\n * to any framework that accepts Web-standard Request/Response objects.\n *\n * The factory imports nothing from `next/server` — it uses only the Web Fetch\n * API (`Request`, `Response`) so it stays framework-neutral.\n *\n * @example Next.js App Router (apps/demo/app/api/passkey/[action]/route.ts):\n * ```ts\n * import { createPasskeyRouteHandler } from \"@glydi/passkey-server\";\n * import { glide } from \"../../../../lib/glide\";\n * import { getOrCreateSessionId, getSessionUserId, startUserSession } from \"../../../../lib/session\";\n *\n * export const POST = createPasskeyRouteHandler({\n *   server: glide,\n *   getSessionId: () => getOrCreateSessionId(),\n *   getUserId: () => getSessionUserId(),\n *   onAuthSuccess: (user) => startUserSession(user.id),\n * });\n * ```\n */\n\nimport type { GlideAuthResult } from \"./glide-server.js\";\nimport { GlideServerError } from \"./glide-server.js\";\nimport type { createGlideServer } from \"./glide-server.js\";\n\n// ---------------------------------------------------------------------------\n// Config interface\n// ---------------------------------------------------------------------------\n\nexport interface PasskeyRouteHandlerConfig {\n  /**\n   * The GlideServer instance returned by createGlideServer().\n   * Create it once at module load and pass it in — do NOT call createGlideServer\n   * inside this config.\n   */\n  server: ReturnType<typeof createGlideServer>;\n\n  /**\n   * Resolve (or create) the pre-auth session id for this request.\n   *\n   * In Next.js App Router: return `getOrCreateSessionId()` which reads/writes\n   * via `cookies()` from `next/headers`. The `request` parameter is provided\n   * for framework-neutral cookie reading (Express: `request.headers.get(\"cookie\")`);\n   * Next.js apps can safely ignore it.\n   */\n  getSessionId: (request: Request) => Promise<string>;\n\n  /**\n   * Optional: return the currently signed-in user id for add-a-device flows.\n   *\n   * When provided and non-undefined, `register-begin` attaches the new credential\n   * to this existing user instead of creating a fresh sign-up.\n   *\n   * SECURITY: This callback MUST only return the authenticated user's id — verified\n   * from a tamper-evident session cookie (e.g., HMAC-signed as the demo does with\n   * `getSessionUserId`). Returning any arbitrary user id would allow credential\n   * hijacking.\n   */\n  getUserId?: (request: Request) => Promise<string | undefined>;\n\n  /**\n   * Optional: called after `register-finish` and `authenticate-finish` with the\n   * authenticated user. Use this to mint your own login session (set an HttpOnly\n   * cookie). The factory does not issue tokens — this is your moment to do so.\n   *\n   * Return value: anything you return is shallow-merged into the JSON response\n   * body (on top of the ceremony's `{ user, ... }` result). This is how an auth\n   * bridge hands the client a token it must exchange — e.g. the Glide↔Firebase\n   * bridge returns `{ accessToken: firebaseCustomToken }`, which surfaces to the\n   * client's `onSuccess(result)` as `result.accessToken`. Returning `void` (the\n   * common case, when you only set a cookie) leaves the body untouched.\n   *\n   * Errors thrown here are treated as 500 internal errors (the callback runs inside\n   * the try/catch, so a session-minting failure is a request failure).\n   */\n  onAuthSuccess?: (\n    user: GlideAuthResult[\"user\"],\n    request: Request,\n  ) => Promise<void | ({ accessToken?: string } & Record<string, unknown>)>;\n}\n\n// ---------------------------------------------------------------------------\n// Module-local helpers (no top-level side effects — tree-shaking compatible)\n// ---------------------------------------------------------------------------\n\nfunction jsonResponse(body: unknown, status: number): Response {\n  return new Response(JSON.stringify(body), {\n    status,\n    headers: { \"Content-Type\": \"application/json\" },\n  });\n}\n\nasync function safeJson(request: Request): Promise<Record<string, unknown>> {\n  try {\n    return (await request.json()) as Record<string, unknown>;\n  } catch {\n    return {};\n  }\n}\n\n/**\n * Extracts the last non-empty path segment from an absolute URL.\n * `request.url` in Next.js App Router is always absolute — no base arg needed.\n *\n * Examples:\n *   \"http://localhost/api/passkey/register-begin\" → \"register-begin\"\n *   \"http://localhost/api/passkey/register-begin/\" → \"register-begin\"\n */\nfunction lastSegment(url: string): string {\n  const { pathname } = new URL(url);\n  const parts = pathname.split(\"/\").filter(Boolean);\n  return parts[parts.length - 1] ?? \"\";\n}\n\n// ---------------------------------------------------------------------------\n// Factory\n// ---------------------------------------------------------------------------\n\n/**\n * Creates a Web-standard `(request: Request) => Promise<Response>` handler\n * that dispatches to all four Glide WebAuthn ceremonies based on the last path\n * segment of the request URL:\n *   - `register-begin`\n *   - `register-finish`\n *   - `authenticate-begin`\n *   - `authenticate-finish`\n *\n * Non-POST requests → 405\n * Unknown actions → 404 `{ error: \"unknown_action\" }`\n * GlideServerError → 400 `{ error: code, message }`\n * Unexpected errors → 500 `{ error: \"internal\" }` (logged server-side)\n */\nexport function createPasskeyRouteHandler(\n  config: PasskeyRouteHandlerConfig,\n): (request: Request) => Promise<Response> {\n  return async (request) => {\n    // Method guard — the factory is POST-only; framework routing is not assumed.\n    if (request.method !== \"POST\") {\n      return jsonResponse({ error: \"method_not_allowed\" }, 405);\n    }\n\n    const action = lastSegment(request.url);\n    const sessionId = await config.getSessionId(request);\n    const body = await safeJson(request);\n\n    try {\n      switch (action) {\n        case \"register-begin\": {\n          // Add-a-device: forward userId when the visitor is already signed in.\n          const userId = await config.getUserId?.(request);\n          // Runtime guard: reject non-string values (e.g. numeric username from\n          // a malformed client) rather than forwarding them to the store layer.\n          const username =\n            typeof body.username === \"string\" ? body.username : undefined;\n          const result = await config.server.registerBegin({\n            sessionId,\n            ...(username !== undefined ? { username } : {}),\n            ...(userId ? { userId } : {}),\n          });\n          return jsonResponse(result, 200);\n        }\n\n        case \"register-finish\": {\n          const result = await config.server.registerFinish({ sessionId, body });\n          // onAuthSuccess is inside the try block: a session-minting failure is a\n          // request failure and must surface as 500, not be swallowed silently.\n          const extra = await config.onAuthSuccess?.(result.user, request);\n          return jsonResponse({ ...result, ...(extra ?? {}) }, 200);\n        }\n\n        case \"authenticate-begin\": {\n          // Runtime guard: reject non-string values (e.g. numeric username from\n          // a malformed client) rather than forwarding them to the store layer.\n          const username =\n            typeof body.username === \"string\" ? body.username : undefined;\n          const result = await config.server.authenticateBegin({\n            sessionId,\n            ...(username !== undefined ? { username } : {}),\n          });\n          return jsonResponse(result, 200);\n        }\n\n        case \"authenticate-finish\": {\n          const result = await config.server.authenticateFinish({\n            sessionId,\n            body,\n          });\n          const extra = await config.onAuthSuccess?.(result.user, request);\n          return jsonResponse({ ...result, ...(extra ?? {}) }, 200);\n        }\n\n        default:\n          return jsonResponse({ error: \"unknown_action\" }, 404);\n      }\n    } catch (err) {\n      if (err instanceof GlideServerError) {\n        return jsonResponse({ error: err.code, message: err.message }, 400);\n      }\n      console.error(\"[glide] unexpected error\", err);\n      return jsonResponse({ error: \"internal\" }, 500);\n    }\n  };\n}\n"]}

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@glydi/passkey-server",
+  "version": "0.1.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "description": "Lightweight, framework-agnostic WebAuthn challenge + verification handlers for Glide. Built on @simplewebauthn/server.",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@simplewebauthn/server": "^13.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0"
+  },
+  "license": "MIT",
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist .turbo"
+  }
+}