@metamask-previews/passkey-controller 0.0.0-preview-4c0846313

package/dist/webauthn/types.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.cjs","sourceRoot":"","sources":["../../src/webauthn/types.ts"],"names":[],"mappings":"","sourcesContent":["import type {\n  AuthenticatorTransportFuture,\n  Base64URLString as Base64URL,\n} from '../types';\n\nexport type PublicKeyCredentialDescriptorJSON = {\n  id: Base64URL;\n  type: 'public-key';\n  transports?: AuthenticatorTransportFuture[];\n};\n\nexport type PublicKeyCredentialHint =\n  | 'hybrid'\n  | 'security-key'\n  | 'client-device';\n\nexport type PasskeyRegistrationOptions = {\n  rp: { name: string; id: string };\n  user: {\n    id: Base64URL;\n    name: string;\n    displayName: string;\n  };\n  challenge: Base64URL;\n  pubKeyCredParams: { alg: number; type: 'public-key' }[];\n  timeout?: number;\n  excludeCredentials?: PublicKeyCredentialDescriptorJSON[];\n  authenticatorSelection?: {\n    authenticatorAttachment?: 'cross-platform' | 'platform';\n    residentKey?: 'discouraged' | 'preferred' | 'required';\n    requireResidentKey?: boolean;\n    userVerification?: 'discouraged' | 'preferred' | 'required';\n  };\n  hints?: PublicKeyCredentialHint[];\n  attestation?: 'direct' | 'enterprise' | 'indirect' | 'none';\n  extensions?: Record<string, unknown>;\n};\n\nexport type PasskeyRegistrationResponse = {\n  id: Base64URL;\n  rawId: Base64URL;\n  type: 'public-key';\n  response: {\n    clientDataJSON: Base64URL;\n    attestationObject: Base64URL;\n    transports?: string[];\n    publicKeyAlgorithm?: number;\n    publicKey?: Base64URL;\n    authenticatorData?: Base64URL;\n  };\n  authenticatorAttachment?: 'cross-platform' | 'platform';\n  clientExtensionResults: Record<string, unknown>;\n};\n\nexport type PasskeyAuthenticationOptions = {\n  challenge: Base64URL;\n  timeout?: number;\n  rpId?: string;\n  allowCredentials?: PublicKeyCredentialDescriptorJSON[];\n  userVerification?: 'discouraged' | 'preferred' | 'required';\n  hints?: PublicKeyCredentialHint[];\n  extensions?: Record<string, unknown>;\n};\n\nexport type PasskeyAuthenticationResponse = {\n  id: Base64URL;\n  rawId: Base64URL;\n  type: 'public-key';\n  response: {\n    clientDataJSON: Base64URL;\n    authenticatorData: Base64URL;\n    signature: Base64URL;\n    userHandle?: Base64URL;\n  };\n  authenticatorAttachment?: 'cross-platform' | 'platform';\n  clientExtensionResults: Record<string, unknown>;\n};\n\nexport type ClientDataJSON = {\n  type: string;\n  challenge: string;\n  origin: string;\n  crossOrigin?: boolean;\n  tokenBinding?: {\n    id?: string;\n    status: 'present' | 'supported' | 'not-supported';\n  };\n};\n\nexport type AttestationFormat =\n  | 'fido-u2f'\n  | 'packed'\n  | 'android-safetynet'\n  | 'android-key'\n  | 'tpm'\n  | 'apple'\n  | 'none';\n\nexport type AttestationObject = {\n  get(key: 'fmt'): AttestationFormat;\n  get(key: 'attStmt'): AttestationStatement;\n  get(key: 'authData'): Uint8Array;\n};\n\nexport type AttestationStatement = {\n  get(key: 'sig'): Uint8Array | undefined;\n  get(key: 'x5c'): Uint8Array[] | undefined;\n  get(key: 'alg'): number | undefined;\n  readonly size: number;\n};\n\nexport type AuthenticatorDataFlags = {\n  up: boolean;\n  uv: boolean;\n  be: boolean;\n  bs: boolean;\n  at: boolean;\n  ed: boolean;\n  flagsByte: number;\n};\n\nexport type ParsedAuthenticatorData = {\n  rpIdHash: Uint8Array;\n  flags: AuthenticatorDataFlags;\n  counter: number;\n  aaguid?: Uint8Array;\n  credentialID?: Uint8Array;\n  credentialPublicKey?: Uint8Array;\n  extensionsData?: Map<string, unknown>;\n  extensionsDataBuffer?: Uint8Array;\n};\n"]}

package/dist/webauthn/types.d.cts

@@ -0,0 +1,113 @@
+import type { AuthenticatorTransportFuture, Base64URLString as Base64URL } from "../types.cjs";
+export type PublicKeyCredentialDescriptorJSON = {
+    id: Base64URL;
+    type: 'public-key';
+    transports?: AuthenticatorTransportFuture[];
+};
+export type PublicKeyCredentialHint = 'hybrid' | 'security-key' | 'client-device';
+export type PasskeyRegistrationOptions = {
+    rp: {
+        name: string;
+        id: string;
+    };
+    user: {
+        id: Base64URL;
+        name: string;
+        displayName: string;
+    };
+    challenge: Base64URL;
+    pubKeyCredParams: {
+        alg: number;
+        type: 'public-key';
+    }[];
+    timeout?: number;
+    excludeCredentials?: PublicKeyCredentialDescriptorJSON[];
+    authenticatorSelection?: {
+        authenticatorAttachment?: 'cross-platform' | 'platform';
+        residentKey?: 'discouraged' | 'preferred' | 'required';
+        requireResidentKey?: boolean;
+        userVerification?: 'discouraged' | 'preferred' | 'required';
+    };
+    hints?: PublicKeyCredentialHint[];
+    attestation?: 'direct' | 'enterprise' | 'indirect' | 'none';
+    extensions?: Record<string, unknown>;
+};
+export type PasskeyRegistrationResponse = {
+    id: Base64URL;
+    rawId: Base64URL;
+    type: 'public-key';
+    response: {
+        clientDataJSON: Base64URL;
+        attestationObject: Base64URL;
+        transports?: string[];
+        publicKeyAlgorithm?: number;
+        publicKey?: Base64URL;
+        authenticatorData?: Base64URL;
+    };
+    authenticatorAttachment?: 'cross-platform' | 'platform';
+    clientExtensionResults: Record<string, unknown>;
+};
+export type PasskeyAuthenticationOptions = {
+    challenge: Base64URL;
+    timeout?: number;
+    rpId?: string;
+    allowCredentials?: PublicKeyCredentialDescriptorJSON[];
+    userVerification?: 'discouraged' | 'preferred' | 'required';
+    hints?: PublicKeyCredentialHint[];
+    extensions?: Record<string, unknown>;
+};
+export type PasskeyAuthenticationResponse = {
+    id: Base64URL;
+    rawId: Base64URL;
+    type: 'public-key';
+    response: {
+        clientDataJSON: Base64URL;
+        authenticatorData: Base64URL;
+        signature: Base64URL;
+        userHandle?: Base64URL;
+    };
+    authenticatorAttachment?: 'cross-platform' | 'platform';
+    clientExtensionResults: Record<string, unknown>;
+};
+export type ClientDataJSON = {
+    type: string;
+    challenge: string;
+    origin: string;
+    crossOrigin?: boolean;
+    tokenBinding?: {
+        id?: string;
+        status: 'present' | 'supported' | 'not-supported';
+    };
+};
+export type AttestationFormat = 'fido-u2f' | 'packed' | 'android-safetynet' | 'android-key' | 'tpm' | 'apple' | 'none';
+export type AttestationObject = {
+    get(key: 'fmt'): AttestationFormat;
+    get(key: 'attStmt'): AttestationStatement;
+    get(key: 'authData'): Uint8Array;
+};
+export type AttestationStatement = {
+    get(key: 'sig'): Uint8Array | undefined;
+    get(key: 'x5c'): Uint8Array[] | undefined;
+    get(key: 'alg'): number | undefined;
+    readonly size: number;
+};
+export type AuthenticatorDataFlags = {
+    up: boolean;
+    uv: boolean;
+    be: boolean;
+    bs: boolean;
+    at: boolean;
+    ed: boolean;
+    flagsByte: number;
+};
+export type ParsedAuthenticatorData = {
+    rpIdHash: Uint8Array;
+    flags: AuthenticatorDataFlags;
+    counter: number;
+    aaguid?: Uint8Array;
+    credentialID?: Uint8Array;
+    credentialPublicKey?: Uint8Array;
+    extensionsData?: Map<string, unknown>;
+    extensionsDataBuffer?: Uint8Array;
+};
+//# sourceMappingURL=types.d.cts.map

package/dist/webauthn/types.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.cts","sourceRoot":"","sources":["../../src/webauthn/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,4BAA4B,EAC5B,eAAe,IAAI,SAAS,EAC7B,qBAAiB;AAElB,MAAM,MAAM,iCAAiC,GAAG;IAC9C,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,YAAY,CAAC;IACnB,UAAU,CAAC,EAAE,4BAA4B,EAAE,CAAC;CAC7C,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAC/B,QAAQ,GACR,cAAc,GACd,eAAe,CAAC;AAEpB,MAAM,MAAM,0BAA0B,GAAG;IACvC,EAAE,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACjC,IAAI,EAAE;QACJ,EAAE,EAAE,SAAS,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,SAAS,EAAE,SAAS,CAAC;IACrB,gBAAgB,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,YAAY,CAAA;KAAE,EAAE,CAAC;IACxD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,iCAAiC,EAAE,CAAC;IACzD,sBAAsB,CAAC,EAAE;QACvB,uBAAuB,CAAC,EAAE,gBAAgB,GAAG,UAAU,CAAC;QACxD,WAAW,CAAC,EAAE,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;QACvD,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,gBAAgB,CAAC,EAAE,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;KAC7D,CAAC;IACF,KAAK,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClC,WAAW,CAAC,EAAE,QAAQ,GAAG,YAAY,GAAG,UAAU,GAAG,MAAM,CAAC;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,SAAS,CAAC;IACjB,IAAI,EAAE,YAAY,CAAC;IACnB,QAAQ,EAAE;QACR,cAAc,EAAE,SAAS,CAAC;QAC1B,iBAAiB,EAAE,SAAS,CAAC;QAC7B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;QACtB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,SAAS,CAAC,EAAE,SAAS,CAAC;QACtB,iBAAiB,CAAC,EAAE,SAAS,CAAC;KAC/B,CAAC;IACF,uBAAuB,CAAC,EAAE,gBAAgB,GAAG,UAAU,CAAC;IACxD,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjD,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC,SAAS,EAAE,SAAS,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gBAAgB,CAAC,EAAE,iCAAiC,EAAE,CAAC;IACvD,gBAAgB,CAAC,EAAE,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;IAC5D,KAAK,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC,CAAC;AAEF,MAAM,MAAM,6BAA6B,GAAG;IAC1C,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,SAAS,CAAC;IACjB,IAAI,EAAE,YAAY,CAAC;IACnB,QAAQ,EAAE;QACR,cAAc,EAAE,SAAS,CAAC;QAC1B,iBAAiB,EAAE,SAAS,CAAC;QAC7B,SAAS,EAAE,SAAS,CAAC;QACrB,UAAU,CAAC,EAAE,SAAS,CAAC;KACxB,CAAC;IACF,uBAAuB,CAAC,EAAE,gBAAgB,GAAG,UAAU,CAAC;IACxD,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjD,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,YAAY,CAAC,EAAE;QACb,EAAE,CAAC,EAAE,MAAM,CAAC;QACZ,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,eAAe,CAAC;KACnD,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,iBAAiB,GACzB,UAAU,GACV,QAAQ,GACR,mBAAmB,GACnB,aAAa,GACb,KAAK,GACL,OAAO,GACP,MAAM,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG;IAC9B,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,iBAAiB,CAAC;IACnC,GAAG,CAAC,GAAG,EAAE,SAAS,GAAG,oBAAoB,CAAC;IAC1C,GAAG,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,UAAU,GAAG,SAAS,CAAC;IACxC,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,UAAU,EAAE,GAAG,SAAS,CAAC;IAC1C,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,MAAM,GAAG,SAAS,CAAC;IACpC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,EAAE,UAAU,CAAC;IACrB,KAAK,EAAE,sBAAsB,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,YAAY,CAAC,EAAE,UAAU,CAAC;IAC1B,mBAAmB,CAAC,EAAE,UAAU,CAAC;IACjC,cAAc,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,oBAAoB,CAAC,EAAE,UAAU,CAAC;CACnC,CAAC"}

package/dist/webauthn/types.d.mts

@@ -0,0 +1,113 @@
+import type { AuthenticatorTransportFuture, Base64URLString as Base64URL } from "../types.mjs";
+export type PublicKeyCredentialDescriptorJSON = {
+    id: Base64URL;
+    type: 'public-key';
+    transports?: AuthenticatorTransportFuture[];
+};
+export type PublicKeyCredentialHint = 'hybrid' | 'security-key' | 'client-device';
+export type PasskeyRegistrationOptions = {
+    rp: {
+        name: string;
+        id: string;
+    };
+    user: {
+        id: Base64URL;
+        name: string;
+        displayName: string;
+    };
+    challenge: Base64URL;
+    pubKeyCredParams: {
+        alg: number;
+        type: 'public-key';
+    }[];
+    timeout?: number;
+    excludeCredentials?: PublicKeyCredentialDescriptorJSON[];
+    authenticatorSelection?: {
+        authenticatorAttachment?: 'cross-platform' | 'platform';
+        residentKey?: 'discouraged' | 'preferred' | 'required';
+        requireResidentKey?: boolean;
+        userVerification?: 'discouraged' | 'preferred' | 'required';
+    };
+    hints?: PublicKeyCredentialHint[];
+    attestation?: 'direct' | 'enterprise' | 'indirect' | 'none';
+    extensions?: Record<string, unknown>;
+};
+export type PasskeyRegistrationResponse = {
+    id: Base64URL;
+    rawId: Base64URL;
+    type: 'public-key';
+    response: {
+        clientDataJSON: Base64URL;
+        attestationObject: Base64URL;
+        transports?: string[];
+        publicKeyAlgorithm?: number;
+        publicKey?: Base64URL;
+        authenticatorData?: Base64URL;
+    };
+    authenticatorAttachment?: 'cross-platform' | 'platform';
+    clientExtensionResults: Record<string, unknown>;
+};
+export type PasskeyAuthenticationOptions = {
+    challenge: Base64URL;
+    timeout?: number;
+    rpId?: string;
+    allowCredentials?: PublicKeyCredentialDescriptorJSON[];
+    userVerification?: 'discouraged' | 'preferred' | 'required';
+    hints?: PublicKeyCredentialHint[];
+    extensions?: Record<string, unknown>;
+};
+export type PasskeyAuthenticationResponse = {
+    id: Base64URL;
+    rawId: Base64URL;
+    type: 'public-key';
+    response: {
+        clientDataJSON: Base64URL;
+        authenticatorData: Base64URL;
+        signature: Base64URL;
+        userHandle?: Base64URL;
+    };
+    authenticatorAttachment?: 'cross-platform' | 'platform';
+    clientExtensionResults: Record<string, unknown>;
+};
+export type ClientDataJSON = {
+    type: string;
+    challenge: string;
+    origin: string;
+    crossOrigin?: boolean;
+    tokenBinding?: {
+        id?: string;
+        status: 'present' | 'supported' | 'not-supported';
+    };
+};
+export type AttestationFormat = 'fido-u2f' | 'packed' | 'android-safetynet' | 'android-key' | 'tpm' | 'apple' | 'none';
+export type AttestationObject = {
+    get(key: 'fmt'): AttestationFormat;
+    get(key: 'attStmt'): AttestationStatement;
+    get(key: 'authData'): Uint8Array;
+};
+export type AttestationStatement = {
+    get(key: 'sig'): Uint8Array | undefined;
+    get(key: 'x5c'): Uint8Array[] | undefined;
+    get(key: 'alg'): number | undefined;
+    readonly size: number;
+};
+export type AuthenticatorDataFlags = {
+    up: boolean;
+    uv: boolean;
+    be: boolean;
+    bs: boolean;
+    at: boolean;
+    ed: boolean;
+    flagsByte: number;
+};
+export type ParsedAuthenticatorData = {
+    rpIdHash: Uint8Array;
+    flags: AuthenticatorDataFlags;
+    counter: number;
+    aaguid?: Uint8Array;
+    credentialID?: Uint8Array;
+    credentialPublicKey?: Uint8Array;
+    extensionsData?: Map<string, unknown>;
+    extensionsDataBuffer?: Uint8Array;
+};
+//# sourceMappingURL=types.d.mts.map

package/dist/webauthn/types.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.mts","sourceRoot":"","sources":["../../src/webauthn/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,4BAA4B,EAC5B,eAAe,IAAI,SAAS,EAC7B,qBAAiB;AAElB,MAAM,MAAM,iCAAiC,GAAG;IAC9C,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,YAAY,CAAC;IACnB,UAAU,CAAC,EAAE,4BAA4B,EAAE,CAAC;CAC7C,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAC/B,QAAQ,GACR,cAAc,GACd,eAAe,CAAC;AAEpB,MAAM,MAAM,0BAA0B,GAAG;IACvC,EAAE,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACjC,IAAI,EAAE;QACJ,EAAE,EAAE,SAAS,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,SAAS,EAAE,SAAS,CAAC;IACrB,gBAAgB,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,YAAY,CAAA;KAAE,EAAE,CAAC;IACxD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,iCAAiC,EAAE,CAAC;IACzD,sBAAsB,CAAC,EAAE;QACvB,uBAAuB,CAAC,EAAE,gBAAgB,GAAG,UAAU,CAAC;QACxD,WAAW,CAAC,EAAE,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;QACvD,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,gBAAgB,CAAC,EAAE,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;KAC7D,CAAC;IACF,KAAK,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClC,WAAW,CAAC,EAAE,QAAQ,GAAG,YAAY,GAAG,UAAU,GAAG,MAAM,CAAC;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,SAAS,CAAC;IACjB,IAAI,EAAE,YAAY,CAAC;IACnB,QAAQ,EAAE;QACR,cAAc,EAAE,SAAS,CAAC;QAC1B,iBAAiB,EAAE,SAAS,CAAC;QAC7B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;QACtB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,SAAS,CAAC,EAAE,SAAS,CAAC;QACtB,iBAAiB,CAAC,EAAE,SAAS,CAAC;KAC/B,CAAC;IACF,uBAAuB,CAAC,EAAE,gBAAgB,GAAG,UAAU,CAAC;IACxD,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjD,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC,SAAS,EAAE,SAAS,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gBAAgB,CAAC,EAAE,iCAAiC,EAAE,CAAC;IACvD,gBAAgB,CAAC,EAAE,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;IAC5D,KAAK,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC,CAAC;AAEF,MAAM,MAAM,6BAA6B,GAAG;IAC1C,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,SAAS,CAAC;IACjB,IAAI,EAAE,YAAY,CAAC;IACnB,QAAQ,EAAE;QACR,cAAc,EAAE,SAAS,CAAC;QAC1B,iBAAiB,EAAE,SAAS,CAAC;QAC7B,SAAS,EAAE,SAAS,CAAC;QACrB,UAAU,CAAC,EAAE,SAAS,CAAC;KACxB,CAAC;IACF,uBAAuB,CAAC,EAAE,gBAAgB,GAAG,UAAU,CAAC;IACxD,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjD,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,YAAY,CAAC,EAAE;QACb,EAAE,CAAC,EAAE,MAAM,CAAC;QACZ,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,eAAe,CAAC;KACnD,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,iBAAiB,GACzB,UAAU,GACV,QAAQ,GACR,mBAAmB,GACnB,aAAa,GACb,KAAK,GACL,OAAO,GACP,MAAM,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG;IAC9B,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,iBAAiB,CAAC;IACnC,GAAG,CAAC,GAAG,EAAE,SAAS,GAAG,oBAAoB,CAAC;IAC1C,GAAG,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,UAAU,GAAG,SAAS,CAAC;IACxC,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,UAAU,EAAE,GAAG,SAAS,CAAC;IAC1C,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,MAAM,GAAG,SAAS,CAAC;IACpC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,OAAO,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,EAAE,UAAU,CAAC;IACrB,KAAK,EAAE,sBAAsB,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,YAAY,CAAC,EAAE,UAAU,CAAC;IAC1B,mBAAmB,CAAC,EAAE,UAAU,CAAC;IACjC,cAAc,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,oBAAoB,CAAC,EAAE,UAAU,CAAC;CACnC,CAAC"}

package/dist/webauthn/types.mjs

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.mjs.map

package/dist/webauthn/types.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.mjs","sourceRoot":"","sources":["../../src/webauthn/types.ts"],"names":[],"mappings":"","sourcesContent":["import type {\n  AuthenticatorTransportFuture,\n  Base64URLString as Base64URL,\n} from '../types';\n\nexport type PublicKeyCredentialDescriptorJSON = {\n  id: Base64URL;\n  type: 'public-key';\n  transports?: AuthenticatorTransportFuture[];\n};\n\nexport type PublicKeyCredentialHint =\n  | 'hybrid'\n  | 'security-key'\n  | 'client-device';\n\nexport type PasskeyRegistrationOptions = {\n  rp: { name: string; id: string };\n  user: {\n    id: Base64URL;\n    name: string;\n    displayName: string;\n  };\n  challenge: Base64URL;\n  pubKeyCredParams: { alg: number; type: 'public-key' }[];\n  timeout?: number;\n  excludeCredentials?: PublicKeyCredentialDescriptorJSON[];\n  authenticatorSelection?: {\n    authenticatorAttachment?: 'cross-platform' | 'platform';\n    residentKey?: 'discouraged' | 'preferred' | 'required';\n    requireResidentKey?: boolean;\n    userVerification?: 'discouraged' | 'preferred' | 'required';\n  };\n  hints?: PublicKeyCredentialHint[];\n  attestation?: 'direct' | 'enterprise' | 'indirect' | 'none';\n  extensions?: Record<string, unknown>;\n};\n\nexport type PasskeyRegistrationResponse = {\n  id: Base64URL;\n  rawId: Base64URL;\n  type: 'public-key';\n  response: {\n    clientDataJSON: Base64URL;\n    attestationObject: Base64URL;\n    transports?: string[];\n    publicKeyAlgorithm?: number;\n    publicKey?: Base64URL;\n    authenticatorData?: Base64URL;\n  };\n  authenticatorAttachment?: 'cross-platform' | 'platform';\n  clientExtensionResults: Record<string, unknown>;\n};\n\nexport type PasskeyAuthenticationOptions = {\n  challenge: Base64URL;\n  timeout?: number;\n  rpId?: string;\n  allowCredentials?: PublicKeyCredentialDescriptorJSON[];\n  userVerification?: 'discouraged' | 'preferred' | 'required';\n  hints?: PublicKeyCredentialHint[];\n  extensions?: Record<string, unknown>;\n};\n\nexport type PasskeyAuthenticationResponse = {\n  id: Base64URL;\n  rawId: Base64URL;\n  type: 'public-key';\n  response: {\n    clientDataJSON: Base64URL;\n    authenticatorData: Base64URL;\n    signature: Base64URL;\n    userHandle?: Base64URL;\n  };\n  authenticatorAttachment?: 'cross-platform' | 'platform';\n  clientExtensionResults: Record<string, unknown>;\n};\n\nexport type ClientDataJSON = {\n  type: string;\n  challenge: string;\n  origin: string;\n  crossOrigin?: boolean;\n  tokenBinding?: {\n    id?: string;\n    status: 'present' | 'supported' | 'not-supported';\n  };\n};\n\nexport type AttestationFormat =\n  | 'fido-u2f'\n  | 'packed'\n  | 'android-safetynet'\n  | 'android-key'\n  | 'tpm'\n  | 'apple'\n  | 'none';\n\nexport type AttestationObject = {\n  get(key: 'fmt'): AttestationFormat;\n  get(key: 'attStmt'): AttestationStatement;\n  get(key: 'authData'): Uint8Array;\n};\n\nexport type AttestationStatement = {\n  get(key: 'sig'): Uint8Array | undefined;\n  get(key: 'x5c'): Uint8Array[] | undefined;\n  get(key: 'alg'): number | undefined;\n  readonly size: number;\n};\n\nexport type AuthenticatorDataFlags = {\n  up: boolean;\n  uv: boolean;\n  be: boolean;\n  bs: boolean;\n  at: boolean;\n  ed: boolean;\n  flagsByte: number;\n};\n\nexport type ParsedAuthenticatorData = {\n  rpIdHash: Uint8Array;\n  flags: AuthenticatorDataFlags;\n  counter: number;\n  aaguid?: Uint8Array;\n  credentialID?: Uint8Array;\n  credentialPublicKey?: Uint8Array;\n  extensionsData?: Map<string, unknown>;\n  extensionsDataBuffer?: Uint8Array;\n};\n"]}

package/dist/webauthn/verify-authentication-response.cjs

@@ -0,0 +1,134 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyAuthenticationResponse = void 0;
+const tiny_cbor_1 = require("@levischuck/tiny-cbor");
+const utils_1 = require("@metamask/utils");
+const sha2_1 = require("@noble/hashes/sha2");
+const encoding_1 = require("../utils/encoding.cjs");
+const decode_client_data_json_1 = require("./decode-client-data-json.cjs");
+const match_expected_rp_id_1 = require("./match-expected-rp-id.cjs");
+const parse_authenticator_data_1 = require("./parse-authenticator-data.cjs");
+const verify_signature_1 = require("./verify-signature.cjs");
+/**
+ * Verifies a WebAuthn authentication (assertion) response per
+ * W3C WebAuthn Level 3 §7.2.
+ *
+ * Performs the following checks in order:
+ * 1. Credential ID presence, base64url consistency, and type.
+ * 2. `clientDataJSON` -- type is `"webauthn.get"`, challenge and origin
+ *    match.
+ * 3. `authenticatorData` -- RP ID hash matches, user-presence flag is
+ *    set, and optional user-verification flag is checked.
+ * 4. Signature verification -- `signature` is verified over
+ *    `authData || SHA-256(clientDataJSON)` using the stored credential
+ *    public key (COSE-encoded).
+ * 5. Counter monotonicity -- if either the stored or returned counter
+ *    is non-zero, the new counter must exceed the stored value.
+ *
+ * @param opts - Verification options.
+ * @param opts.response - The `PublicKeyCredential` result from
+ *   `navigator.credentials.get()`, serialized as JSON.
+ * @param opts.expectedChallenge - The base64url challenge that was issued
+ *   for this ceremony.
+ * @param opts.expectedOrigin - One or more acceptable origins.
+ * @param opts.expectedRPID - The Relying Party ID domain.
+ * @param opts.credential - The stored credential record to verify against.
+ * @param opts.credential.id - The credential ID (base64url).
+ * @param opts.credential.publicKey - The COSE-encoded public key bytes
+ *   persisted during registration.
+ * @param opts.credential.counter - The last known signature counter value.
+ * @param opts.credential.transports - Optional authenticator transports.
+ * @param opts.requireUserVerification - When `true`, verification fails
+ *   if the UV flag is not set. Defaults to `false`.
+ * @returns Verification result containing `verified` status and parsed
+ *   authentication info (new counter, origin, RP ID).
+ */
+async function verifyAuthenticationResponse(opts) {
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, credential, requireUserVerification = false, } = opts;
+    const { id, rawId, type: credentialType, response: assertionResponse, } = response;
+    // Ensure credential specified an ID
+    if (!id) {
+        throw new Error('Missing credential ID');
+    }
+    // Ensure ID is base64url-encoded
+    if (id !== rawId) {
+        throw new Error('Credential ID was not base64url-encoded');
+    }
+    // Make sure credential type is public-key
+    if (credentialType !== 'public-key') {
+        throw new Error(`Unexpected credential type ${String(credentialType)}, expected "public-key"`);
+    }
+    if (typeof assertionResponse?.clientDataJSON !== 'string') {
+        throw new Error('Credential response clientDataJSON was not a string');
+    }
+    const clientDataJSON = (0, decode_client_data_json_1.decodeClientDataJSON)(assertionResponse.clientDataJSON);
+    const { type, challenge, origin, tokenBinding } = clientDataJSON;
+    // Make sure we're handling an authentication
+    if (type !== 'webauthn.get') {
+        throw new Error(`Unexpected authentication response type: ${type}`);
+    }
+    // Ensure the device provided the challenge we gave it
+    if (challenge !== expectedChallenge) {
+        throw new Error(`Unexpected authentication response challenge "${challenge}", expected "${expectedChallenge}"`);
+    }
+    // Check that the origin is our site
+    const expectedOrigins = Array.isArray(expectedOrigin)
+        ? expectedOrigin
+        : [expectedOrigin];
+    if (!expectedOrigins.includes(origin)) {
+        throw new Error(`Unexpected authentication response origin "${origin}", expected one of: ${expectedOrigins.join(', ')}`);
+    }
+    if (assertionResponse.userHandle &&
+        typeof assertionResponse.userHandle !== 'string') {
+        throw new Error('Credential response userHandle was not a string');
+    }
+    if (tokenBinding) {
+        if (typeof tokenBinding !== 'object') {
+            throw new Error('ClientDataJSON tokenBinding was not an object');
+        }
+        if (!['present', 'supported', 'not-supported'].includes(tokenBinding.status)) {
+            throw new Error(`Unexpected tokenBinding status ${tokenBinding.status}`);
+        }
+    }
+    const authDataBuffer = (0, encoding_1.base64URLToBytes)(assertionResponse.authenticatorData);
+    const parsedAuthData = (0, parse_authenticator_data_1.parseAuthenticatorData)(authDataBuffer);
+    const { rpIdHash, flags, counter } = parsedAuthData;
+    // Make sure the response's RP ID is ours
+    const matchedRPID = (0, match_expected_rp_id_1.matchExpectedRPID)(rpIdHash, [expectedRPID]);
+    // WebAuthn only requires the user presence flag be true
+    if (!flags.up) {
+        throw new Error('User not present during authentication');
+    }
+    // Enforce user verification if required
+    if (requireUserVerification && !flags.uv) {
+        throw new Error('User verification required, but user could not be verified');
+    }
+    const clientDataHash = (0, sha2_1.sha256)((0, encoding_1.base64URLToBytes)(assertionResponse.clientDataJSON));
+    const signatureBase = (0, utils_1.concatBytes)([authDataBuffer, clientDataHash]);
+    const signature = (0, encoding_1.base64URLToBytes)(assertionResponse.signature);
+    const cosePublicKey = (0, tiny_cbor_1.decodePartialCBOR)(new Uint8Array(credential.publicKey), 0)[0];
+    const verified = await (0, verify_signature_1.verifySignature)({
+        cosePublicKey,
+        signature,
+        data: signatureBase,
+    });
+    if (!verified) {
+        return { verified: false };
+    }
+    if ((counter > 0 || credential.counter > 0) &&
+        counter <= credential.counter) {
+        throw new Error(`Response counter value ${counter} was lower than expected ${credential.counter}`);
+    }
+    return {
+        verified: true,
+        authenticationInfo: {
+            credentialId: credential.id,
+            newCounter: counter,
+            userVerified: flags.uv,
+            origin: clientDataJSON.origin,
+            rpID: matchedRPID,
+        },
+    };
+}
+exports.verifyAuthenticationResponse = verifyAuthenticationResponse;
+//# sourceMappingURL=verify-authentication-response.cjs.map

package/dist/webauthn/verify-authentication-response.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-authentication-response.cjs","sourceRoot":"","sources":["../../src/webauthn/verify-authentication-response.ts"],"names":[],"mappings":";;;AAAA,qDAA0D;AAC1D,2CAA8C;AAC9C,6CAA4C;AAG5C,oDAAqD;AACrD,2EAAiE;AACjE,qEAA2D;AAC3D,6EAAoE;AAGpE,6DAAqD;AAerD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACI,KAAK,UAAU,4BAA4B,CAAC,IAYlD;IACC,MAAM,EACJ,QAAQ,EACR,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,UAAU,EACV,uBAAuB,GAAG,KAAK,GAChC,GAAG,IAAI,CAAC;IAET,MAAM,EACJ,EAAE,EACF,KAAK,EACL,IAAI,EAAE,cAAc,EACpB,QAAQ,EAAE,iBAAiB,GAC5B,GAAG,QAAQ,CAAC;IAEb,oCAAoC;IACpC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,iCAAiC;IACjC,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,0CAA0C;IAC1C,IAAI,cAAc,KAAK,YAAY,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,8BAA8B,MAAM,CAAC,cAAc,CAAC,yBAAyB,CAC9E,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,iBAAiB,EAAE,cAAc,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,cAAc,GAAG,IAAA,8CAAoB,EAAC,iBAAiB,CAAC,cAAc,CAAC,CAAC;IAC9E,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,cAAc,CAAC;IAEjE,6CAA6C;IAC7C,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,4CAA4C,IAAI,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,sDAAsD;IACtD,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,iDAAiD,SAAS,gBAAgB,iBAAiB,GAAG,CAC/F,CAAC;IACJ,CAAC;IAED,oCAAoC;IACpC,MAAM,eAAe,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;QACnD,CAAC,CAAC,cAAc;QAChB,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACrB,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,8CAA8C,MAAM,uBAAuB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACxG,CAAC;IACJ,CAAC;IAED,IACE,iBAAiB,CAAC,UAAU;QAC5B,OAAO,iBAAiB,CAAC,UAAU,KAAK,QAAQ,EAChD,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QAED,IACE,CAAC,CAAC,SAAS,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,EACxE,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,kCAAkC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,MAAM,cAAc,GAAG,IAAA,2BAAgB,EAAC,iBAAiB,CAAC,iBAAiB,CAAC,CAAC;IAC7E,MAAM,cAAc,GAClB,IAAA,iDAAsB,EAAC,cAAc,CAAC,CAAC;IACzC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC;IAEpD,yCAAyC;IACzC,MAAM,WAAW,GAAG,IAAA,wCAAiB,EAAC,QAAQ,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC;IAEhE,wDAAwD;IACxD,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IAED,wCAAwC;IACxC,IAAI,uBAAuB,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,IAAA,aAAM,EAC3B,IAAA,2BAAgB,EAAC,iBAAiB,CAAC,cAAc,CAAC,CACnD,CAAC;IACF,MAAM,aAAa,GAAG,IAAA,mBAAW,EAAC,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC,CAAC;IAEpE,MAAM,SAAS,GAAG,IAAA,2BAAgB,EAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAEhE,MAAM,aAAa,GAAG,IAAA,6BAAiB,EACrC,IAAI,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EACpC,CAAC,CACF,CAAC,CAAC,CAAqC,CAAC;IAEzC,MAAM,QAAQ,GAAG,MAAM,IAAA,kCAAe,EAAC;QACrC,aAAa;QACb,SAAS;QACT,IAAI,EAAE,aAAa;KACpB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;IAED,IACE,CAAC,OAAO,GAAG,CAAC,IAAI,UAAU,CAAC,OAAO,GAAG,CAAC,CAAC;QACvC,OAAO,IAAI,UAAU,CAAC,OAAO,EAC7B,CAAC;QACD,MAAM,IAAI,KAAK,CACb,0BAA0B,OAAO,4BAA4B,UAAU,CAAC,OAAO,EAAE,CAClF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,kBAAkB,EAAE;YAClB,YAAY,EAAE,UAAU,CAAC,EAAE;YAC3B,UAAU,EAAE,OAAO;YACnB,YAAY,EAAE,KAAK,CAAC,EAAE;YACtB,MAAM,EAAE,cAAc,CAAC,MAAM;YAC7B,IAAI,EAAE,WAAW;SAClB;KACF,CAAC;AACJ,CAAC;AA3JD,oEA2JC","sourcesContent":["import { decodePartialCBOR } from '@levischuck/tiny-cbor';\nimport { concatBytes } from '@metamask/utils';\nimport { sha256 } from '@noble/hashes/sha2';\n\nimport type { AuthenticatorTransportFuture } from '../types';\nimport { base64URLToBytes } from '../utils/encoding';\nimport { decodeClientDataJSON } from './decode-client-data-json';\nimport { matchExpectedRPID } from './match-expected-rp-id';\nimport { parseAuthenticatorData } from './parse-authenticator-data';\nimport type { ParsedAuthenticatorData } from './types';\nimport type { PasskeyAuthenticationResponse } from './types';\nimport { verifySignature } from './verify-signature';\n\nexport type VerifiedAuthenticationResponse =\n  | { verified: false; authenticationInfo?: never }\n  | {\n      verified: true;\n      authenticationInfo: {\n        credentialId: string;\n        newCounter: number;\n        userVerified: boolean;\n        origin: string;\n        rpID: string;\n      };\n    };\n\n/**\n * Verifies a WebAuthn authentication (assertion) response per\n * W3C WebAuthn Level 3 §7.2.\n *\n * Performs the following checks in order:\n * 1. Credential ID presence, base64url consistency, and type.\n * 2. `clientDataJSON` -- type is `\"webauthn.get\"`, challenge and origin\n *    match.\n * 3. `authenticatorData` -- RP ID hash matches, user-presence flag is\n *    set, and optional user-verification flag is checked.\n * 4. Signature verification -- `signature` is verified over\n *    `authData || SHA-256(clientDataJSON)` using the stored credential\n *    public key (COSE-encoded).\n * 5. Counter monotonicity -- if either the stored or returned counter\n *    is non-zero, the new counter must exceed the stored value.\n *\n * @param opts - Verification options.\n * @param opts.response - The `PublicKeyCredential` result from\n *   `navigator.credentials.get()`, serialized as JSON.\n * @param opts.expectedChallenge - The base64url challenge that was issued\n *   for this ceremony.\n * @param opts.expectedOrigin - One or more acceptable origins.\n * @param opts.expectedRPID - The Relying Party ID domain.\n * @param opts.credential - The stored credential record to verify against.\n * @param opts.credential.id - The credential ID (base64url).\n * @param opts.credential.publicKey - The COSE-encoded public key bytes\n *   persisted during registration.\n * @param opts.credential.counter - The last known signature counter value.\n * @param opts.credential.transports - Optional authenticator transports.\n * @param opts.requireUserVerification - When `true`, verification fails\n *   if the UV flag is not set. Defaults to `false`.\n * @returns Verification result containing `verified` status and parsed\n *   authentication info (new counter, origin, RP ID).\n */\nexport async function verifyAuthenticationResponse(opts: {\n  response: PasskeyAuthenticationResponse;\n  expectedChallenge: string;\n  expectedOrigin: string | string[];\n  expectedRPID: string;\n  credential: {\n    id: string;\n    publicKey: Uint8Array;\n    counter: number;\n    transports?: AuthenticatorTransportFuture[];\n  };\n  requireUserVerification?: boolean;\n}): Promise<VerifiedAuthenticationResponse> {\n  const {\n    response,\n    expectedChallenge,\n    expectedOrigin,\n    expectedRPID,\n    credential,\n    requireUserVerification = false,\n  } = opts;\n\n  const {\n    id,\n    rawId,\n    type: credentialType,\n    response: assertionResponse,\n  } = response;\n\n  // Ensure credential specified an ID\n  if (!id) {\n    throw new Error('Missing credential ID');\n  }\n\n  // Ensure ID is base64url-encoded\n  if (id !== rawId) {\n    throw new Error('Credential ID was not base64url-encoded');\n  }\n\n  // Make sure credential type is public-key\n  if (credentialType !== 'public-key') {\n    throw new Error(\n      `Unexpected credential type ${String(credentialType)}, expected \"public-key\"`,\n    );\n  }\n\n  if (typeof assertionResponse?.clientDataJSON !== 'string') {\n    throw new Error('Credential response clientDataJSON was not a string');\n  }\n\n  const clientDataJSON = decodeClientDataJSON(assertionResponse.clientDataJSON);\n  const { type, challenge, origin, tokenBinding } = clientDataJSON;\n\n  // Make sure we're handling an authentication\n  if (type !== 'webauthn.get') {\n    throw new Error(`Unexpected authentication response type: ${type}`);\n  }\n\n  // Ensure the device provided the challenge we gave it\n  if (challenge !== expectedChallenge) {\n    throw new Error(\n      `Unexpected authentication response challenge \"${challenge}\", expected \"${expectedChallenge}\"`,\n    );\n  }\n\n  // Check that the origin is our site\n  const expectedOrigins = Array.isArray(expectedOrigin)\n    ? expectedOrigin\n    : [expectedOrigin];\n  if (!expectedOrigins.includes(origin)) {\n    throw new Error(\n      `Unexpected authentication response origin \"${origin}\", expected one of: ${expectedOrigins.join(', ')}`,\n    );\n  }\n\n  if (\n    assertionResponse.userHandle &&\n    typeof assertionResponse.userHandle !== 'string'\n  ) {\n    throw new Error('Credential response userHandle was not a string');\n  }\n\n  if (tokenBinding) {\n    if (typeof tokenBinding !== 'object') {\n      throw new Error('ClientDataJSON tokenBinding was not an object');\n    }\n\n    if (\n      !['present', 'supported', 'not-supported'].includes(tokenBinding.status)\n    ) {\n      throw new Error(`Unexpected tokenBinding status ${tokenBinding.status}`);\n    }\n  }\n\n  const authDataBuffer = base64URLToBytes(assertionResponse.authenticatorData);\n  const parsedAuthData: ParsedAuthenticatorData =\n    parseAuthenticatorData(authDataBuffer);\n  const { rpIdHash, flags, counter } = parsedAuthData;\n\n  // Make sure the response's RP ID is ours\n  const matchedRPID = matchExpectedRPID(rpIdHash, [expectedRPID]);\n\n  // WebAuthn only requires the user presence flag be true\n  if (!flags.up) {\n    throw new Error('User not present during authentication');\n  }\n\n  // Enforce user verification if required\n  if (requireUserVerification && !flags.uv) {\n    throw new Error(\n      'User verification required, but user could not be verified',\n    );\n  }\n\n  const clientDataHash = sha256(\n    base64URLToBytes(assertionResponse.clientDataJSON),\n  );\n  const signatureBase = concatBytes([authDataBuffer, clientDataHash]);\n\n  const signature = base64URLToBytes(assertionResponse.signature);\n\n  const cosePublicKey = decodePartialCBOR(\n    new Uint8Array(credential.publicKey),\n    0,\n  )[0] as Map<number, number | Uint8Array>;\n\n  const verified = await verifySignature({\n    cosePublicKey,\n    signature,\n    data: signatureBase,\n  });\n\n  if (!verified) {\n    return { verified: false };\n  }\n\n  if (\n    (counter > 0 || credential.counter > 0) &&\n    counter <= credential.counter\n  ) {\n    throw new Error(\n      `Response counter value ${counter} was lower than expected ${credential.counter}`,\n    );\n  }\n\n  return {\n    verified: true,\n    authenticationInfo: {\n      credentialId: credential.id,\n      newCounter: counter,\n      userVerified: flags.uv,\n      origin: clientDataJSON.origin,\n      rpID: matchedRPID,\n    },\n  };\n}\n"]}

package/dist/webauthn/verify-authentication-response.d.cts

@@ -0,0 +1,63 @@
+import type { AuthenticatorTransportFuture } from "../types.cjs";
+import type { PasskeyAuthenticationResponse } from "./types.cjs";
+export type VerifiedAuthenticationResponse = {
+    verified: false;
+    authenticationInfo?: never;
+} | {
+    verified: true;
+    authenticationInfo: {
+        credentialId: string;
+        newCounter: number;
+        userVerified: boolean;
+        origin: string;
+        rpID: string;
+    };
+};
+/**
+ * Verifies a WebAuthn authentication (assertion) response per
+ * W3C WebAuthn Level 3 §7.2.
+ *
+ * Performs the following checks in order:
+ * 1. Credential ID presence, base64url consistency, and type.
+ * 2. `clientDataJSON` -- type is `"webauthn.get"`, challenge and origin
+ *    match.
+ * 3. `authenticatorData` -- RP ID hash matches, user-presence flag is
+ *    set, and optional user-verification flag is checked.
+ * 4. Signature verification -- `signature` is verified over
+ *    `authData || SHA-256(clientDataJSON)` using the stored credential
+ *    public key (COSE-encoded).
+ * 5. Counter monotonicity -- if either the stored or returned counter
+ *    is non-zero, the new counter must exceed the stored value.
+ *
+ * @param opts - Verification options.
+ * @param opts.response - The `PublicKeyCredential` result from
+ *   `navigator.credentials.get()`, serialized as JSON.
+ * @param opts.expectedChallenge - The base64url challenge that was issued
+ *   for this ceremony.
+ * @param opts.expectedOrigin - One or more acceptable origins.
+ * @param opts.expectedRPID - The Relying Party ID domain.
+ * @param opts.credential - The stored credential record to verify against.
+ * @param opts.credential.id - The credential ID (base64url).
+ * @param opts.credential.publicKey - The COSE-encoded public key bytes
+ *   persisted during registration.
+ * @param opts.credential.counter - The last known signature counter value.
+ * @param opts.credential.transports - Optional authenticator transports.
+ * @param opts.requireUserVerification - When `true`, verification fails
+ *   if the UV flag is not set. Defaults to `false`.
+ * @returns Verification result containing `verified` status and parsed
+ *   authentication info (new counter, origin, RP ID).
+ */
+export declare function verifyAuthenticationResponse(opts: {
+    response: PasskeyAuthenticationResponse;
+    expectedChallenge: string;
+    expectedOrigin: string | string[];
+    expectedRPID: string;
+    credential: {
+        id: string;
+        publicKey: Uint8Array;
+        counter: number;
+        transports?: AuthenticatorTransportFuture[];
+    };
+    requireUserVerification?: boolean;
+}): Promise<VerifiedAuthenticationResponse>;
+//# sourceMappingURL=verify-authentication-response.d.cts.map

package/dist/webauthn/verify-authentication-response.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-authentication-response.d.cts","sourceRoot":"","sources":["../../src/webauthn/verify-authentication-response.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,4BAA4B,EAAE,qBAAiB;AAM7D,OAAO,KAAK,EAAE,6BAA6B,EAAE,oBAAgB;AAG7D,MAAM,MAAM,8BAA8B,GACtC;IAAE,QAAQ,EAAE,KAAK,CAAC;IAAC,kBAAkB,CAAC,EAAE,KAAK,CAAA;CAAE,GAC/C;IACE,QAAQ,EAAE,IAAI,CAAC;IACf,kBAAkB,EAAE;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,OAAO,CAAC;QACtB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH,CAAC;AAEN;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAsB,4BAA4B,CAAC,IAAI,EAAE;IACvD,QAAQ,EAAE,6BAA6B,CAAC;IACxC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,SAAS,EAAE,UAAU,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,CAAC,EAAE,4BAA4B,EAAE,CAAC;KAC7C,CAAC;IACF,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC,GAAG,OAAO,CAAC,8BAA8B,CAAC,CA+I1C"}

package/dist/webauthn/verify-authentication-response.d.mts

@@ -0,0 +1,63 @@
+import type { AuthenticatorTransportFuture } from "../types.mjs";
+import type { PasskeyAuthenticationResponse } from "./types.mjs";
+export type VerifiedAuthenticationResponse = {
+    verified: false;
+    authenticationInfo?: never;
+} | {
+    verified: true;
+    authenticationInfo: {
+        credentialId: string;
+        newCounter: number;
+        userVerified: boolean;
+        origin: string;
+        rpID: string;
+    };
+};
+/**
+ * Verifies a WebAuthn authentication (assertion) response per
+ * W3C WebAuthn Level 3 §7.2.
+ *
+ * Performs the following checks in order:
+ * 1. Credential ID presence, base64url consistency, and type.
+ * 2. `clientDataJSON` -- type is `"webauthn.get"`, challenge and origin
+ *    match.
+ * 3. `authenticatorData` -- RP ID hash matches, user-presence flag is
+ *    set, and optional user-verification flag is checked.
+ * 4. Signature verification -- `signature` is verified over
+ *    `authData || SHA-256(clientDataJSON)` using the stored credential
+ *    public key (COSE-encoded).
+ * 5. Counter monotonicity -- if either the stored or returned counter
+ *    is non-zero, the new counter must exceed the stored value.
+ *
+ * @param opts - Verification options.
+ * @param opts.response - The `PublicKeyCredential` result from
+ *   `navigator.credentials.get()`, serialized as JSON.
+ * @param opts.expectedChallenge - The base64url challenge that was issued
+ *   for this ceremony.
+ * @param opts.expectedOrigin - One or more acceptable origins.
+ * @param opts.expectedRPID - The Relying Party ID domain.
+ * @param opts.credential - The stored credential record to verify against.
+ * @param opts.credential.id - The credential ID (base64url).
+ * @param opts.credential.publicKey - The COSE-encoded public key bytes
+ *   persisted during registration.
+ * @param opts.credential.counter - The last known signature counter value.
+ * @param opts.credential.transports - Optional authenticator transports.
+ * @param opts.requireUserVerification - When `true`, verification fails
+ *   if the UV flag is not set. Defaults to `false`.
+ * @returns Verification result containing `verified` status and parsed
+ *   authentication info (new counter, origin, RP ID).
+ */
+export declare function verifyAuthenticationResponse(opts: {
+    response: PasskeyAuthenticationResponse;
+    expectedChallenge: string;
+    expectedOrigin: string | string[];
+    expectedRPID: string;
+    credential: {
+        id: string;
+        publicKey: Uint8Array;
+        counter: number;
+        transports?: AuthenticatorTransportFuture[];
+    };
+    requireUserVerification?: boolean;
+}): Promise<VerifiedAuthenticationResponse>;
+//# sourceMappingURL=verify-authentication-response.d.mts.map

package/dist/webauthn/verify-authentication-response.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-authentication-response.d.mts","sourceRoot":"","sources":["../../src/webauthn/verify-authentication-response.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,4BAA4B,EAAE,qBAAiB;AAM7D,OAAO,KAAK,EAAE,6BAA6B,EAAE,oBAAgB;AAG7D,MAAM,MAAM,8BAA8B,GACtC;IAAE,QAAQ,EAAE,KAAK,CAAC;IAAC,kBAAkB,CAAC,EAAE,KAAK,CAAA;CAAE,GAC/C;IACE,QAAQ,EAAE,IAAI,CAAC;IACf,kBAAkB,EAAE;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,OAAO,CAAC;QACtB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH,CAAC;AAEN;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAsB,4BAA4B,CAAC,IAAI,EAAE;IACvD,QAAQ,EAAE,6BAA6B,CAAC;IACxC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,SAAS,EAAE,UAAU,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,CAAC,EAAE,4BAA4B,EAAE,CAAC;KAC7C,CAAC;IACF,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC,GAAG,OAAO,CAAC,8BAA8B,CAAC,CA+I1C"}