@metamask-previews/passkey-controller 2.0.0-preview-938a7fe → 2.0.0-preview-d3f1b8bd9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/dist/PasskeyController.cjs +5 -6
  3. package/dist/PasskeyController.cjs.map +1 -1
  4. package/dist/PasskeyController.d.cts.map +1 -1
  5. package/dist/PasskeyController.d.mts.map +1 -1
  6. package/dist/PasskeyController.mjs +5 -6
  7. package/dist/PasskeyController.mjs.map +1 -1
  8. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ### Changed
11
+
12
+ - `PasskeyController` verifies registration and authentication responses with `requireUserVerification: true`, so the WebAuthn user verification (UV) flag must be set; assertions with user presence only no longer pass verification ([#8696](https://github.com/MetaMask/core/pull/8696))
13
+
14
+ ### Fixed
15
+
16
+ - `generateAuthenticationOptions` now sets `userVerification: 'required'` so client WebAuthn requests align with server-side verification requirements and do not fail on authenticators that skip UV when set to `'preferred'` ([#8696](https://github.com/MetaMask/core/pull/8696))
17
+
10
18
  ## [2.0.0]
11
19
 
12
20
  ### Added
package/dist/PasskeyController.cjs CHANGED
@@ -145,7 +145,7 @@ class PasskeyController extends base_controller_1.BaseController {
145
145
  ],
146
146
  timeout: ceremony_manager_1.WEBAUTHN_TIMEOUT_MS,
147
147
  authenticatorSelection: {
148
- userVerification: 'preferred',
148
+ userVerification: 'required',
149
149
  authenticatorAttachment: 'platform',
150
150
  residentKey: 'preferred',
151
151
  },
@@ -194,7 +194,7 @@ class PasskeyController extends base_controller_1.BaseController {
194
194
  transports: registrationResponse.response.transports,
195
195
  },
196
196
  ],
197
- userVerification: 'preferred',
197
+ userVerification: 'required',
198
198
  hints: ['client-device', 'hybrid'],
199
199
  timeout: ceremony_manager_1.WEBAUTHN_TIMEOUT_MS,
200
200
  extensions,
@@ -228,7 +228,7 @@ class PasskeyController extends base_controller_1.BaseController {
228
228
  transports: record.credential.transports,
229
229
  },
230
230
  ],
231
- userVerification: 'preferred',
231
+ userVerification: 'required',
232
232
  hints: ['client-device', 'hybrid'],
233
233
  timeout: ceremony_manager_1.WEBAUTHN_TIMEOUT_MS,
234
234
  extensions,
@@ -267,7 +267,7 @@ class PasskeyController extends base_controller_1.BaseController {
267
267
  expectedChallenge: registrationCeremony.challenge,
268
268
  expectedOrigin: __classPrivateFieldGet(this, _PasskeyController_expectedOrigin, "f"),
269
269
  expectedRPIDs: __classPrivateFieldGet(this, _PasskeyController_expectedRPIDs, "f"),
270
- requireUserVerification: false,
270
+ requireUserVerification: true,
271
271
  }).catch((error) => {
272
272
  log('Error verifying passkey registration response', error);
273
273
  throw new errors_1.PasskeyControllerError(constants_1.PasskeyControllerErrorMessage.RegistrationVerificationFailed, {
@@ -483,8 +483,7 @@ async function _PasskeyController_verifyAuthenticationResponse(authenticationRes
483
483
  counter: credential.counter,
484
484
  transports: credential.transports,
485
485
  },
486
- // UV optional for device compatibility; vault key remains password-gated.
487
- requireUserVerification: false,
486
+ requireUserVerification: true,
488
487
  }).catch((error) => {
489
488
  log('Error verifying passkey authentication response', error instanceof Error ? error : new Error(String(error)));
490
489
  throw new errors_1.PasskeyControllerError(constants_1.PasskeyControllerErrorMessage.AuthenticationVerificationFailed, {
package/dist/PasskeyController.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"PasskeyController.cjs","sourceRoot":"","sources":["../src/PasskeyController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAKA,+DAA2D;AAE3D,2CAAqE;AAErE,6DAA0E;AAC1E,+CAIqB;AACrB,yCAAkD;AAClD,yDAAuE;AACvE,yCAA6D;AAQ7D,+CAIwB;AACxB,mDAAsE;AACtE,wDAA+C;AAC/C,oFAA0E;AAO1E,kGAAyF;AACzF,8FAAqF;AAoCrF;;;;GAIG;AACH,SAAgB,gCAAgC;IAC9C,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAFD,4EAEC;AAED,MAAM,yBAAyB,GAAG;IAChC,aAAa,EAAE;QACb,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,kBAAkB,EAAE,KAAK;QACzB,QAAQ,EAAE,IAAI;KACf;CAC8C,CAAC;AAElD,MAAM,GAAG,GAAG,IAAA,2BAAkB,EAAC,sBAAa,EAAE,0BAAc,CAAC,CAAC;AAE9D;;;;;;GAMG;AACU,QAAA,0BAA0B,GAAG;IACxC,uBAAuB,EAAE,CAAC,KAA6B,EAAW,EAAE,CAClE,KAAK,CAAC,aAAa,KAAK,IAAI;CAC/B,CAAC;AAEF;;;GAGG;AACH,MAAa,iBAAkB,SAAQ,gCAItC;IAeC;;;;;;;;;;;;;;;OAeG;IACH,YAAY,EACV,SAAS,EACT,KAAK,GAAG,EAAE,EACV,IAAI,EACJ,YAAY,EACZ,MAAM,EACN,cAAc,EACd,QAAQ,EACR,eAAe,GAUhB;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ,EAAE,yBAAyB;YACnC,IAAI,EAAE,0BAAc;YACpB,KAAK,EAAE,EAAE,GAAG,gCAAgC,EAAE,EAAE,GAAG,KAAK,EAAE;SAC3D,CAAC,CAAC;;QAtDI,6CAAmB,IAAI,kCAAe,EAAE,EAAC;QAEzC,mDAAyB;QAEzB,0CAA0B;QAE1B,4CAAgB;QAEhB,oDAAmC;QAEnC,8CAAkB;QAElB,qDAAyB;QA4ChC,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;YAC/C,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QACnB,uBAAA,IAAI,oCAAkB,CAAC,GAAG,aAAa,CAAC,MAAA,CAAC;QACzC,uBAAA,IAAI,2BAAS,IAAI,MAAA,CAAC;QAClB,uBAAA,IAAI,6BAAW,MAAM,MAAA,CAAC;QACtB,uBAAA,IAAI,qCAAmB,cAAc,MAAA,CAAC;QACtC,uBAAA,IAAI,+BAAa,QAAQ,IAAI,MAAM,MAAA,CAAC;QACpC,uBAAA,IAAI,sCAAoB,eAAe,IAAI,MAAM,MAAA,CAAC;IACpD,CAAC;IAmBD;;;;OAIG;IACH,iBAAiB;QACf,OAAO,kCAA0B,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;OAMG;IACH,2BAA2B,CAAC,qBAE3B;QACC,IAAI,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,eAAe,EAC7C,EAAE,IAAI,EAAE,sCAA0B,CAAC,eAAe,EAAE,CACrD,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,qBAAqB,EAAE,YAAY,KAAK,KAAK,CAAC;QACjE,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACpE,MAAM,UAAU,GAAG,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC;QAE7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,OAAO,EAAE,CAAC;YACZ,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC;QAChD,CAAC;QAED,MAAM,OAAO,GAA+B;YAC1C,EAAE,EAAE;gBACF,IAAI,EAAE,uBAAA,IAAI,iCAAQ;gBAClB,EAAE,EAAE,uBAAA,IAAI,+BAAM;aACf;YACD,IAAI,EAAE;gBACJ,EAAE,EAAE,UAAU;gBACd,IAAI,EAAE,uBAAA,IAAI,mCAAU;gBACpB,WAAW,EAAE,uBAAA,IAAI,0CAAiB;aACnC;YACD,SAAS;YACT,gBAAgB,EAAE;gBAChB,EAAE,GAAG,EAAE,mBAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;gBAC1C,EAAE,GAAG,EAAE,mBAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;gBAC1C,EAAE,GAAG,EAAE,mBAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;aAC3C;YACD,OAAO,EAAE,sCAAmB;YAC5B,sBAAsB,EAAE;gBACtB,gBAAgB,EAAE,WAAW;gBAC7B,uBAAuB,EAAE,UAAU;gBACnC,WAAW,EAAE,WAAW;aACzB;YACD,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,WAAW,EAAE,MAAM;YACnB,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9D,CAAC;QAEF,uBAAA,IAAI,0CAAiB,CAAC,wBAAwB,CAAC,SAAS,EAAE;YACxD,UAAU;YACV,OAAO;YACP,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;OAOG;IACH,6CAA6C,CAAC,MAE7C;QACC,4BAA4B;QAC5B,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,CAAC;QACxC,MAAM,YAAY,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACvB,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAC7C,CAAC;QACF,MAAM,oBAAoB,GACxB,uBAAA,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,YAAY,CAAC,CAAC;QAC9D,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,GAAG,CAAC,uDAAuD,CAAC,CAAC;YAC7D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,sBAAsB,EACpD,EAAE,IAAI,EAAE,sCAA0B,CAAC,sBAAsB,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,MAAM,SAAS,GAAG,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC;QAC7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,oBAAoB,CAAC,OAAO,EAAE,CAAC;YACjC,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,oBAAoB,CAAC,OAAO,EAAE,EAAE,CAAC;QACrE,CAAC;QACD,MAAM,OAAO,GAAiC;YAC5C,SAAS;YACT,IAAI,EAAE,uBAAA,IAAI,+BAAM;YAChB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,oBAAoB,CAAC,EAAE;oBAC3B,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,oBAAoB,CAAC,QAAQ,CAAC,UAE7B;iBACd;aACF;YACD,gBAAgB,EAAE,WAAW;YAC7B,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,OAAO,EAAE,sCAAmB;YAC5B,UAAU;SACX,CAAC;QAEF,qBAAqB;QACrB,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,EAAE;YAC1D,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;OAIG;IACH,6BAA6B;QAC3B,MAAM,MAAM,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAEvC,MAAM,SAAS,GAAG,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC;QAE7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QACrE,CAAC;QAED,MAAM,OAAO,GAAiC;YAC5C,SAAS;YACT,IAAI,EAAE,uBAAA,IAAI,+BAAM;YAChB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE;oBACxB,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,UAAU;iBACzC;aACF;YACD,gBAAgB,EAAE,WAAW;YAC7B,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,OAAO,EAAE,sCAAmB;YAC5B,UAAU;SACX,CAAC;QAEF,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,EAAE;YAC1D,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,0BAA0B,CAAC,MAIhC;QACC,IAAI,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,eAAe,EAC7C,EAAE,IAAI,EAAE,sCAA0B,CAAC,eAAe,EAAE,CACrD,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;QAE1E,4BAA4B;QAC5B,MAAM,SAAS,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACpB,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAC7C,CAAC;QACF,MAAM,oBAAoB,GACxB,uBAAA,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,GAAG,CAAC,uDAAuD,CAAC,CAAC;YAC7D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,sBAAsB,EACpD,EAAE,IAAI,EAAE,sCAA0B,CAAC,sBAAsB,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,+BAA+B;YAC/B,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,MAAM,IAAA,yDAA0B,EAAC;gBACtE,QAAQ,EAAE,oBAAoB;gBAC9B,iBAAiB,EAAE,oBAAoB,CAAC,SAAS;gBACjD,cAAc,EAAE,uBAAA,IAAI,yCAAgB;gBACpC,aAAa,EAAE,uBAAA,IAAI,wCAAe;gBAClC,uBAAuB,EAAE,KAAK;aAC/B,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;gBACjB,GAAG,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;gBAC5D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,8BAA8B,EAC5D;oBACE,IAAI,EAAE,sCAA0B,CAAC,8BAA8B;oBAC/D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;iBACjE,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACnC,GAAG,CACD,oFAAoF,CACrF,CAAC;gBACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,8BAA8B,EAC5D,EAAE,IAAI,EAAE,sCAA0B,CAAC,8BAA8B,EAAE,CACpE,CAAC;YACJ,CAAC;YAED,iCAAiC;YACjC,MAAM,UAAU,GAAG;gBACjB,EAAE,EAAE,gBAAgB,CAAC,YAAY;gBACjC,SAAS,EAAE,IAAA,2BAAgB,EAAC,gBAAgB,CAAC,SAAS,CAAC;gBACvD,OAAO,EAAE,gBAAgB,CAAC,OAAO;gBACjC,UAAU,EAAE,gBAAgB,CAAC,UAAU;gBACvC,MAAM,EAAE,gBAAgB,CAAC,MAAM;aAChC,CAAC;YACF,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,uBAAA,IAAI,qFAA8B,MAAlC,IAAI,EAC/B,sBAAsB,EACtB,UAAU,CACX,CAAC;YAEF,kCAAkC;YAClC,MAAM,QAAQ,GACZ,sBAAsB,CAAC,sBACxB,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC;YACvB,MAAM,gBAAgB,GACpB,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YACtD,MAAM,aAAa,GACjB,gBAAgB,IAAI,oBAAoB,CAAC,OAAO;gBAC9C,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,oBAAoB,CAAC,OAAO,EAAE;gBAC1D,CAAC,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;YAE/B,IACE,aAAa,CAAC,MAAM,KAAK,YAAY;gBACrC,sBAAsB,CAAC,QAAQ,CAAC,UAAU;oBACxC,oBAAoB,CAAC,UAAU,EACjC,CAAC;gBACD,GAAG,CACD,6EAA6E,CAC9E,CAAC;gBACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,gCAAgC,EAC9D,EAAE,IAAI,EAAE,sCAA0B,CAAC,gCAAgC,EAAE,CACtE,CAAC;YACJ,CAAC;YAED,mCAAmC;YACnC,MAAM,MAAM,GAAG,IAAA,oDAAmC,EAChD,sBAAsB,EACtB,EAAE,UAAU,EAAE,aAAa,EAAE,CAC9B,CAAC;YACF,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,IAAA,uBAAc,EAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAE5D,yBAAyB;YACzB,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;gBACpB,KAAK,CAAC,aAAa,GAAG;oBACpB,UAAU,EAAE;wBACV,GAAG,UAAU;wBACb,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC;qBAClD;oBACD,iBAAiB,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE;oBACrC,aAAa;iBACd,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,+BAA+B;YAC/B,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,2BAA2B,CAC/B,sBAAqD;QAErD,MAAM,aAAa,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAE9C,oDAAoD;QACpD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,uBAAA,IAAI,qFAA8B,MAAlC,IAAI,EAC/B,sBAAsB,EACtB,aAAa,CAAC,UAAU,CACzB,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,WAAW,EACzC,EAAE,IAAI,EAAE,sCAA0B,CAAC,WAAW,EAAE,CACjD,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,CAC/C,UAAU,EACV,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,OAAO,CACvC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,aAAa;QACb,MAAM,MAAM,GAAG,IAAA,oDAAmC,EAChD,sBAAsB,EACtB,aAAa,CACd,CAAC;QAEF,oBAAoB;QACpB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAA,uBAAc,EAC7B,aAAa,CAAC,iBAAiB,CAAC,UAAU,EAC1C,aAAa,CAAC,iBAAiB,CAAC,EAAE,EAClC,MAAM,CACP,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CACD,yCAAyC,EACzC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,wBAAwB,EACtD;gBACE,IAAI,EAAE,sCAA0B,CAAC,wBAAwB;gBACzD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,2BAA2B,CAC/B,sBAAqD;QAErD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,2BAA2B,CAAC,sBAAsB,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAI,KAAK,YAAY,+BAAsB,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACxE,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,uBAAuB,CAAC,MAI7B;QACC,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,CAAC;QAC1C,MAAM,aAAa,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAE9C,aAAa;QACb,MAAM,MAAM,GAAG,IAAA,oDAAmC,EAChD,sBAAsB,EACtB,aAAa,CACd,CAAC;QAEF,oBAAoB;QACpB,IAAI,iBAAyB,CAAC;QAC9B,IAAI,CAAC;YACH,iBAAiB,GAAG,IAAA,uBAAc,EAChC,aAAa,CAAC,iBAAiB,CAAC,UAAU,EAC1C,aAAa,CAAC,iBAAiB,CAAC,EAAE,EAClC,MAAM,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CACD,6DAA6D,EAC7D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,wBAAwB,EACtD;gBACE,IAAI,EAAE,sCAA0B,CAAC,wBAAwB;gBACzD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAC5C,IACE,CAAC,IAAA,2BAAmB,EAClB,IAAA,qBAAa,EAAC,iBAAiB,CAAC,EAChC,IAAA,qBAAa,EAAC,WAAW,CAAC,CAC3B,EACD,CAAC;YACD,GAAG,CACD,0EAA0E,CAC3E,CAAC;YACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,gBAAgB,EAC9C,EAAE,IAAI,EAAE,sCAA0B,CAAC,gBAAgB,EAAE,CACtD,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,IAAA,uBAAc,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE/D,4EAA4E;QAC5E,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,WAAW,EACzC;oBACE,IAAI,EAAE,sCAA0B,CAAC,WAAW;iBAC7C,CACF,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,aAAa,CAAC,iBAAiB,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC7D,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,aAAa;QACX,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,gCAAgC,EAAE,CAAC,CAAC;QACtD,uBAAA,IAAI,0CAAiB,CAAC,KAAK,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,uBAAA,IAAI,0CAAiB,CAAC,KAAK,EAAE,CAAC;QAC9B,KAAK,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC;CAyEF;AAroBD,8CAqoBC;;IA5jBG,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,WAAW,EACzC;YACE,IAAI,EAAE,sCAA0B,CAAC,WAAW;SAC7C,CACF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,yGAE2B,cAAsB;IAChD,OAAO,IAAA,8CAAoB,EAAC,cAAc,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAueD;;;;;;GAMG;AACH,KAAK,0DACH,sBAAqD,EACrD,UAAiC;IAEjC,gBAAgB;IAChB,MAAM,SAAS,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACpB,sBAAsB,CAAC,QAAQ,CAAC,cAAc,CAC/C,CAAC;IAEF,8BAA8B;IAC9B,MAAM,sBAAsB,GAC1B,uBAAA,IAAI,0CAAiB,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;IAC7D,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,GAAG,CAAC,yDAAyD,CAAC,CAAC;QAC/D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,wBAAwB,EACtD,EAAE,IAAI,EAAE,sCAA0B,CAAC,wBAAwB,EAAE,CAC9D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,iCAAiC;QACjC,MAAM,MAAM,GAAG,MAAM,IAAA,6DAA4B,EAAC;YAChD,QAAQ,EAAE,sBAAsB;YAChC,iBAAiB,EAAE,sBAAsB,CAAC,SAAS;YACnD,cAAc,EAAE,uBAAA,IAAI,yCAAgB;YACpC,aAAa,EAAE,uBAAA,IAAI,wCAAe;YAClC,UAAU,EAAE;gBACV,EAAE,EAAE,UAAU,CAAC,EAAE;gBACjB,SAAS,EAAE,IAAA,2BAAgB,EAAC,UAAU,CAAC,SAAS,CAAC;gBACjD,OAAO,EAAE,UAAU,CAAC,OAAO;gBAC3B,UAAU,EAAE,UAAU,CAAC,UAAU;aAClC;YACD,0EAA0E;YAC1E,uBAAuB,EAAE,KAAK;SAC/B,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACjB,GAAG,CACD,iDAAiD,EACjD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,gCAAgC,EAC9D;gBACE,IAAI,EAAE,sCAA0B,CAAC,gCAAgC;gBACjE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,GAAG,CAAC,yDAAyD,CAAC,CAAC;YAC/D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,gCAAgC,EAC9D;gBACE,IAAI,EAAE,sCAA0B,CAAC,gCAAgC;aAClE,CACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,iCAAiC;QACjC,uBAAA,IAAI,0CAAiB,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC;AACH,CAAC","sourcesContent":["import type {\n ControllerGetStateAction,\n ControllerStateChangedEvent,\n StateMetadata,\n} from '@metamask/base-controller';\nimport { BaseController } from '@metamask/base-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport { areUint8ArraysEqual, stringToBytes } from '@metamask/utils';\n\nimport { WEBAUTHN_TIMEOUT_MS, CeremonyManager } from './ceremony-manager';\nimport {\n controllerName,\n PasskeyControllerErrorCode,\n PasskeyControllerErrorMessage,\n} from './constants';\nimport { PasskeyControllerError } from './errors';\nimport { deriveKeyFromAuthenticationResponse } from './key-derivation';\nimport { createModuleLogger, projectLogger } from './logger';\nimport type {\n AuthenticatorTransportFuture,\n PasskeyCredentialInfo,\n PasskeyKeyDerivation,\n PasskeyRecord,\n PrfClientExtensionResults,\n} from './types';\nimport {\n decryptWithKey,\n encryptWithKey,\n randomBytesToBase64URL,\n} from './utils/crypto';\nimport { base64URLToBytes, bytesToBase64URL } from './utils/encoding';\nimport { COSEALG } from './webauthn/constants';\nimport { decodeClientDataJSON } from './webauthn/decode-client-data-json';\nimport type {\n PasskeyAuthenticationOptions,\n PasskeyAuthenticationResponse,\n PasskeyRegistrationOptions,\n PasskeyRegistrationResponse,\n} from './webauthn/types';\nimport { verifyAuthenticationResponse } from './webauthn/verify-authentication-response';\nimport { verifyRegistrationResponse } from './webauthn/verify-registration-response';\n\nexport type PasskeyControllerState = {\n passkeyRecord: PasskeyRecord | null;\n};\n\nexport type PasskeyControllerGetStateAction = ControllerGetStateAction<\n typeof controllerName,\n PasskeyControllerState\n>;\n\n/**\n * Actions exposed by {@link PasskeyController} on its messenger.\n *\n * Only `:getState` is exposed. Derived enrollment status is available via\n * {@link passkeyControllerSelectors.selectIsPasskeyEnrolled}, and lifecycle\n * methods ({@link PasskeyController.generateRegistrationOptions},\n * {@link PasskeyController.protectVaultKeyWithPasskey}, etc.) accept or\n * return non-`Json` runtime values (WebAuthn `PublicKeyCredential` objects\n * and the vault key string), so they require a direct controller reference.\n */\nexport type PasskeyControllerActions = PasskeyControllerGetStateAction;\n\nexport type PasskeyControllerStateChangedEvent = ControllerStateChangedEvent<\n typeof controllerName,\n PasskeyControllerState\n>;\n\nexport type PasskeyControllerEvents = PasskeyControllerStateChangedEvent;\n\nexport type PasskeyControllerMessenger = Messenger<\n typeof controllerName,\n PasskeyControllerActions,\n PasskeyControllerEvents\n>;\n\n/**\n * Returns the default (empty) state for {@link PasskeyController}.\n *\n * @returns A fresh state object with no enrolled passkey.\n */\nexport function getDefaultPasskeyControllerState(): PasskeyControllerState {\n return { passkeyRecord: null };\n}\n\nconst passkeyControllerMetadata = {\n passkeyRecord: {\n persist: true,\n includeInDebugSnapshot: false,\n includeInStateLogs: false,\n usedInUi: true,\n },\n} satisfies StateMetadata<PasskeyControllerState>;\n\nconst log = createModuleLogger(projectLogger, controllerName);\n\n/**\n * Selectors for {@link PasskeyControllerState}.\n *\n * Use these instead of dedicated getter methods on the controller, so that\n * derived values can be consumed from Redux selectors and other places that\n * only have access to a state object.\n */\nexport const passkeyControllerSelectors = {\n selectIsPasskeyEnrolled: (state: PasskeyControllerState): boolean =>\n state.passkeyRecord !== null,\n};\n\n/**\n * Controller that enrolls a WebAuthn passkey and uses it to protect and unlock\n * the vault encryption key.\n */\nexport class PasskeyController extends BaseController<\n typeof controllerName,\n PasskeyControllerState,\n PasskeyControllerMessenger\n> {\n readonly #ceremonyManager = new CeremonyManager();\n\n readonly #expectedRPIDs: string[];\n\n readonly #rpId: string | undefined;\n\n readonly #rpName: string;\n\n readonly #expectedOrigin: string | string[];\n\n readonly #userName: string;\n\n readonly #userDisplayName: string;\n\n /**\n * Creates a passkey controller with WebAuthn relying-party settings.\n *\n * @param args - Constructor options.\n * @param args.messenger - Controller messenger.\n * @param args.state - Partial initial state; merged with {@link getDefaultPasskeyControllerState}.\n * @param args.expectedRPID - Relying party ID(s) for verification (SHA-256 hash match in\n * authenticator data). Pass a string or array of strings; an empty array skips RP ID\n * allowlist checks in {@link verifyRegistrationResponse} / {@link verifyAuthenticationResponse}.\n * @param args.rpId - When set, included as `rp.id` on registration options and `rpId` on\n * authentication options. When omitted, those fields are left unset (client default RP ID).\n * @param args.rpName - Relying party name shown in the platform passkey UI.\n * @param args.expectedOrigin - Allowed value(s) for the WebAuthn client origin.\n * @param args.userName - Optional passkey user name; defaults to `rpName`.\n * @param args.userDisplayName - Optional display name; defaults to `rpName`.\n */\n constructor({\n messenger,\n state = {},\n rpId,\n expectedRPID,\n rpName,\n expectedOrigin,\n userName,\n userDisplayName,\n }: {\n messenger: PasskeyControllerMessenger;\n state?: Partial<PasskeyControllerState>;\n rpId?: string;\n expectedRPID: string | string[];\n rpName: string;\n expectedOrigin: string | string[];\n userName?: string;\n userDisplayName?: string;\n }) {\n super({\n messenger,\n metadata: passkeyControllerMetadata,\n name: controllerName,\n state: { ...getDefaultPasskeyControllerState(), ...state },\n });\n\n const expectedRPIDs = Array.isArray(expectedRPID)\n ? expectedRPID\n : [expectedRPID];\n this.#expectedRPIDs = [...expectedRPIDs];\n this.#rpId = rpId;\n this.#rpName = rpName;\n this.#expectedOrigin = expectedOrigin;\n this.#userName = userName ?? rpName;\n this.#userDisplayName = userDisplayName ?? rpName;\n }\n\n #requireEnrolled(): PasskeyRecord {\n const record = this.state.passkeyRecord;\n if (!record) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n {\n code: PasskeyControllerErrorCode.NotEnrolled,\n },\n );\n }\n return record;\n }\n\n #getChallengeFromClientData(clientDataJSON: string): string {\n return decodeClientDataJSON(clientDataJSON).challenge;\n }\n\n /**\n * Whether a passkey is enrolled and vault key material is stored.\n *\n * @returns `true` if enrolled, otherwise `false`.\n */\n isPasskeyEnrolled(): boolean {\n return passkeyControllerSelectors.selectIsPasskeyEnrolled(this.state);\n }\n\n /**\n * Builds WebAuthn credential creation options for passkey enrollment.\n *\n * @param creationOptionsConfig - Optional creation behavior.\n * @param creationOptionsConfig.prfAvailable - Request the PRF extension unless `false`. Defaults to `true`.\n * @returns Public key credential creation options for `navigator.credentials.create()`.\n */\n generateRegistrationOptions(creationOptionsConfig?: {\n prfAvailable?: boolean;\n }): PasskeyRegistrationOptions {\n if (this.isPasskeyEnrolled()) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AlreadyEnrolled,\n { code: PasskeyControllerErrorCode.AlreadyEnrolled },\n );\n }\n\n const includePrf = creationOptionsConfig?.prfAvailable !== false;\n const prfSalt = includePrf ? randomBytesToBase64URL(32) : undefined;\n const userHandle = randomBytesToBase64URL(64);\n const challenge = randomBytesToBase64URL(32);\n\n const extensions: Record<string, unknown> = {};\n if (prfSalt) {\n extensions.prf = { eval: { first: prfSalt } };\n }\n\n const options: PasskeyRegistrationOptions = {\n rp: {\n name: this.#rpName,\n id: this.#rpId,\n },\n user: {\n id: userHandle,\n name: this.#userName,\n displayName: this.#userDisplayName,\n },\n challenge,\n pubKeyCredParams: [\n { alg: COSEALG.EdDSA, type: 'public-key' },\n { alg: COSEALG.ES256, type: 'public-key' },\n { alg: COSEALG.RS256, type: 'public-key' },\n ],\n timeout: WEBAUTHN_TIMEOUT_MS,\n authenticatorSelection: {\n userVerification: 'preferred',\n authenticatorAttachment: 'platform',\n residentKey: 'preferred',\n },\n hints: ['client-device', 'hybrid'],\n attestation: 'none',\n ...(Object.keys(extensions).length > 0 ? { extensions } : {}),\n };\n\n this.#ceremonyManager.saveRegistrationCeremony(challenge, {\n userHandle,\n prfSalt,\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Builds WebAuthn credential request options for the post-registration\n * authentication step (between `create` and {@link protectVaultKeyWithPasskey}).\n *\n * @param params - Input for the pending registration ceremony.\n * @param params.registrationResponse - Result of `navigator.credentials.create()`.\n * @returns Public key credential request options for `navigator.credentials.get()`.\n */\n generatePostRegistrationAuthenticationOptions(params: {\n registrationResponse: PasskeyRegistrationResponse;\n }): PasskeyAuthenticationOptions {\n // get registration ceremony\n const { registrationResponse } = params;\n const regChallenge = this.#getChallengeFromClientData(\n registrationResponse.response.clientDataJSON,\n );\n const registrationCeremony =\n this.#ceremonyManager.getRegistrationCeremony(regChallenge);\n if (!registrationCeremony) {\n log('No active passkey registration ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoRegistrationCeremony,\n { code: PasskeyControllerErrorCode.NoRegistrationCeremony },\n );\n }\n\n // build auth options\n const challenge = randomBytesToBase64URL(32);\n const extensions: Record<string, unknown> = {};\n if (registrationCeremony.prfSalt) {\n extensions.prf = { eval: { first: registrationCeremony.prfSalt } };\n }\n const options: PasskeyAuthenticationOptions = {\n challenge,\n rpId: this.#rpId,\n allowCredentials: [\n {\n id: registrationResponse.id,\n type: 'public-key',\n transports: registrationResponse.response.transports as\n | AuthenticatorTransportFuture[]\n | undefined,\n },\n ],\n userVerification: 'preferred',\n hints: ['client-device', 'hybrid'],\n timeout: WEBAUTHN_TIMEOUT_MS,\n extensions,\n };\n\n // save auth ceremony\n this.#ceremonyManager.saveAuthenticationCeremony(challenge, {\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Builds WebAuthn credential request options for the enrolled passkey.\n *\n * @returns Public key credential request options for `navigator.credentials.get()`.\n */\n generateAuthenticationOptions(): PasskeyAuthenticationOptions {\n const record = this.#requireEnrolled();\n\n const challenge = randomBytesToBase64URL(32);\n\n const extensions: Record<string, unknown> = {};\n if (record.keyDerivation.method === 'prf') {\n extensions.prf = { eval: { first: record.keyDerivation.prfSalt } };\n }\n\n const options: PasskeyAuthenticationOptions = {\n challenge,\n rpId: this.#rpId,\n allowCredentials: [\n {\n id: record.credential.id,\n type: 'public-key',\n transports: record.credential.transports,\n },\n ],\n userVerification: 'preferred',\n hints: ['client-device', 'hybrid'],\n timeout: WEBAUTHN_TIMEOUT_MS,\n extensions,\n };\n\n this.#ceremonyManager.saveAuthenticationCeremony(challenge, {\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Verifies registration and post-registration authentication, then stores the\n * vault key encrypted under the new passkey.\n *\n * @param params - Enrollment completion inputs.\n * @param params.registrationResponse - Result of `navigator.credentials.create()`.\n * @param params.authenticationResponse - Result of `navigator.credentials.get()` after {@link generatePostRegistrationAuthenticationOptions}.\n * @param params.vaultKey - Vault encryption key to encrypt and persist.\n */\n async protectVaultKeyWithPasskey(params: {\n registrationResponse: PasskeyRegistrationResponse;\n authenticationResponse: PasskeyAuthenticationResponse;\n vaultKey: string;\n }): Promise<void> {\n if (this.isPasskeyEnrolled()) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AlreadyEnrolled,\n { code: PasskeyControllerErrorCode.AlreadyEnrolled },\n );\n }\n const { registrationResponse, authenticationResponse, vaultKey } = params;\n\n // get registration ceremony\n const challenge = this.#getChallengeFromClientData(\n registrationResponse.response.clientDataJSON,\n );\n const registrationCeremony =\n this.#ceremonyManager.getRegistrationCeremony(challenge);\n if (!registrationCeremony) {\n log('No active passkey registration ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoRegistrationCeremony,\n { code: PasskeyControllerErrorCode.NoRegistrationCeremony },\n );\n }\n\n try {\n // verify registration response\n const { verified, registrationInfo } = await verifyRegistrationResponse({\n response: registrationResponse,\n expectedChallenge: registrationCeremony.challenge,\n expectedOrigin: this.#expectedOrigin,\n expectedRPIDs: this.#expectedRPIDs,\n requireUserVerification: false,\n }).catch((error) => {\n log('Error verifying passkey registration response', error);\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.RegistrationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.RegistrationVerificationFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n });\n if (!verified || !registrationInfo) {\n log(\n 'Passkey registration verification returned unverified or missing registration info',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.RegistrationVerificationFailed,\n { code: PasskeyControllerErrorCode.RegistrationVerificationFailed },\n );\n }\n\n // verify authentication response\n const credential = {\n id: registrationInfo.credentialId,\n publicKey: bytesToBase64URL(registrationInfo.publicKey),\n counter: registrationInfo.counter,\n transports: registrationInfo.transports,\n aaguid: registrationInfo.aaguid,\n };\n const { newCounter } = await this.#verifyAuthenticationResponse(\n authenticationResponse,\n credential,\n );\n\n // determine key derivation method\n const prfFirst = (\n authenticationResponse.clientExtensionResults as PrfClientExtensionResults\n )?.prf?.results?.first;\n const authHasPrfOutput =\n typeof prfFirst === 'string' && prfFirst.length > 0;\n const keyDerivation: PasskeyKeyDerivation =\n authHasPrfOutput && registrationCeremony.prfSalt\n ? { method: 'prf', prfSalt: registrationCeremony.prfSalt }\n : { method: 'userHandle' };\n\n if (\n keyDerivation.method === 'userHandle' &&\n authenticationResponse.response.userHandle !==\n registrationCeremony.userHandle\n ) {\n log(\n 'Post-registration assertion userHandle does not match registration ceremony',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n { code: PasskeyControllerErrorCode.AuthenticationVerificationFailed },\n );\n }\n\n // derive key and encrypt vault key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n { credential, keyDerivation },\n );\n const { ciphertext, iv } = encryptWithKey(vaultKey, encKey);\n\n // persist passkey record\n this.update((state) => {\n state.passkeyRecord = {\n credential: {\n ...credential,\n counter: Math.max(newCounter, credential.counter),\n },\n encryptedVaultKey: { ciphertext, iv },\n keyDerivation,\n };\n });\n } finally {\n // delete registration ceremony\n this.#ceremonyManager.deleteRegistrationCeremony(challenge);\n }\n }\n\n /**\n * Verifies an authentication assertion and returns the decrypted vault key.\n *\n * @param authenticationResponse - Result of `navigator.credentials.get()`.\n * @returns The plaintext vault encryption key.\n */\n async retrieveVaultKeyWithPasskey(\n authenticationResponse: PasskeyAuthenticationResponse,\n ): Promise<string> {\n const passkeyRecord = this.#requireEnrolled();\n\n // verify authentication response and update counter\n const { newCounter } = await this.#verifyAuthenticationResponse(\n authenticationResponse,\n passkeyRecord.credential,\n );\n this.update((state) => {\n if (!state.passkeyRecord) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n { code: PasskeyControllerErrorCode.NotEnrolled },\n );\n }\n state.passkeyRecord.credential.counter = Math.max(\n newCounter,\n state.passkeyRecord.credential.counter,\n );\n });\n\n // derive key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n passkeyRecord,\n );\n\n // decrypt vault key\n try {\n const vaultKey = decryptWithKey(\n passkeyRecord.encryptedVaultKey.ciphertext,\n passkeyRecord.encryptedVaultKey.iv,\n encKey,\n );\n return vaultKey;\n } catch (cause) {\n log(\n 'Error decrypting vault key with passkey',\n cause instanceof Error ? cause : new Error(String(cause)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyDecryptionFailed,\n {\n code: PasskeyControllerErrorCode.VaultKeyDecryptionFailed,\n cause: cause instanceof Error ? cause : new Error(String(cause)),\n },\n );\n }\n }\n\n /**\n * Checks whether the given authentication assertion is valid for the enrolled passkey.\n *\n * On failure, returns `false` for {@link PasskeyControllerError} with a `code`;\n * other errors propagate.\n *\n * @param authenticationResponse - Result of `navigator.credentials.get()`.\n * @returns `true` if verification succeeds, otherwise `false`.\n */\n async verifyPasskeyAuthentication(\n authenticationResponse: PasskeyAuthenticationResponse,\n ): Promise<boolean> {\n try {\n await this.retrieveVaultKeyWithPasskey(authenticationResponse);\n return true;\n } catch (error: unknown) {\n if (error instanceof PasskeyControllerError && error.code !== undefined) {\n return false;\n }\n throw error;\n }\n }\n\n /**\n * Re-wraps the vault key after rotation. Updates persisted `encryptedVaultKey` on success.\n *\n * Does not verify WebAuthn or ceremony state—call only after your layer has authenticated\n * the user (passkey `get()` + verified assertion, or verified password). On passkey paths,\n * pass the same `authenticationResponse` you just verified (e.g. from\n * {@link retrieveVaultKeyWithPasskey} / {@link verifyPasskeyAuthentication}).\n *\n * @param params - Re-wrap inputs.\n * @param params.authenticationResponse - Used to derive the wrapping key.\n * @param params.oldVaultKey - Expected current vault key.\n * @param params.newVaultKey - New vault key to encrypt under the passkey.\n */\n async renewVaultKeyProtection(params: {\n authenticationResponse: PasskeyAuthenticationResponse;\n oldVaultKey: string;\n newVaultKey: string;\n }): Promise<void> {\n const { authenticationResponse } = params;\n const passkeyRecord = this.#requireEnrolled();\n\n // derive key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n passkeyRecord,\n );\n\n // decrypt vault key\n let decryptedVaultKey: string;\n try {\n decryptedVaultKey = decryptWithKey(\n passkeyRecord.encryptedVaultKey.ciphertext,\n passkeyRecord.encryptedVaultKey.iv,\n encKey,\n );\n } catch (error) {\n log(\n 'Error decrypting vault key during passkey vault key renewal',\n error instanceof Error ? error : new Error(String(error)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyDecryptionFailed,\n {\n code: PasskeyControllerErrorCode.VaultKeyDecryptionFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n }\n\n // check if vault key matches\n const { oldVaultKey, newVaultKey } = params;\n if (\n !areUint8ArraysEqual(\n stringToBytes(decryptedVaultKey),\n stringToBytes(oldVaultKey),\n )\n ) {\n log(\n 'Passkey renewal rejected: decrypted vault key does not match oldVaultKey',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyMismatch,\n { code: PasskeyControllerErrorCode.VaultKeyMismatch },\n );\n }\n\n // encrypt new vault key\n const { ciphertext, iv } = encryptWithKey(newVaultKey, encKey);\n\n // persist passkey record (mutate current state only for vault key material)\n this.update((state) => {\n if (!state.passkeyRecord) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n {\n code: PasskeyControllerErrorCode.NotEnrolled,\n },\n );\n }\n state.passkeyRecord.encryptedVaultKey = { ciphertext, iv };\n });\n }\n\n /**\n * Clears enrolled passkey state and in-flight ceremonies. Call only after the same\n * auth gate as renewal (verified passkey assertion or password).\n */\n removePasskey(): void {\n this.update(() => getDefaultPasskeyControllerState());\n this.#ceremonyManager.clear();\n }\n\n /**\n * Resets state and clears in-flight registration/authentication ceremonies.\n */\n clearState(): void {\n this.removePasskey();\n }\n\n /**\n * Releases all in-flight ceremony state and tears down the messenger.\n */\n destroy(): void {\n this.#ceremonyManager.clear();\n super.destroy();\n }\n\n /**\n * Validates a WebAuthn authentication response against stored credential data.\n *\n * @param authenticationResponse - Parsed authentication response from the client.\n * @param credential - Credential identifiers and public key material for verification.\n * @returns Updated authenticator signature counter.\n */\n async #verifyAuthenticationResponse(\n authenticationResponse: PasskeyAuthenticationResponse,\n credential: PasskeyCredentialInfo,\n ): Promise<{ newCounter: number }> {\n // get challenge\n const challenge = this.#getChallengeFromClientData(\n authenticationResponse.response.clientDataJSON,\n );\n\n // get authentication ceremony\n const authenticationCeremony =\n this.#ceremonyManager.getAuthenticationCeremony(challenge);\n if (!authenticationCeremony) {\n log('No active passkey authentication ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoAuthenticationCeremony,\n { code: PasskeyControllerErrorCode.NoAuthenticationCeremony },\n );\n }\n\n try {\n // verify authentication response\n const result = await verifyAuthenticationResponse({\n response: authenticationResponse,\n expectedChallenge: authenticationCeremony.challenge,\n expectedOrigin: this.#expectedOrigin,\n expectedRPIDs: this.#expectedRPIDs,\n credential: {\n id: credential.id,\n publicKey: base64URLToBytes(credential.publicKey),\n counter: credential.counter,\n transports: credential.transports,\n },\n // UV optional for device compatibility; vault key remains password-gated.\n requireUserVerification: false,\n }).catch((error) => {\n log(\n 'Error verifying passkey authentication response',\n error instanceof Error ? error : new Error(String(error)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.AuthenticationVerificationFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n });\n if (!result.verified) {\n log('Passkey authentication verification returned unverified');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.AuthenticationVerificationFailed,\n },\n );\n }\n\n return { newCounter: result.authenticationInfo.newCounter };\n } finally {\n // delete authentication ceremony\n this.#ceremonyManager.deleteAuthenticationCeremony(challenge);\n }\n }\n}\n"]}
1
+ {"version":3,"file":"PasskeyController.cjs","sourceRoot":"","sources":["../src/PasskeyController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAKA,+DAA2D;AAE3D,2CAAqE;AAErE,6DAA0E;AAC1E,+CAIqB;AACrB,yCAAkD;AAClD,yDAAuE;AACvE,yCAA6D;AAQ7D,+CAIwB;AACxB,mDAAsE;AACtE,wDAA+C;AAC/C,oFAA0E;AAO1E,kGAAyF;AACzF,8FAAqF;AAoCrF;;;;GAIG;AACH,SAAgB,gCAAgC;IAC9C,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAFD,4EAEC;AAED,MAAM,yBAAyB,GAAG;IAChC,aAAa,EAAE;QACb,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,kBAAkB,EAAE,KAAK;QACzB,QAAQ,EAAE,IAAI;KACf;CAC8C,CAAC;AAElD,MAAM,GAAG,GAAG,IAAA,2BAAkB,EAAC,sBAAa,EAAE,0BAAc,CAAC,CAAC;AAE9D;;;;;;GAMG;AACU,QAAA,0BAA0B,GAAG;IACxC,uBAAuB,EAAE,CAAC,KAA6B,EAAW,EAAE,CAClE,KAAK,CAAC,aAAa,KAAK,IAAI;CAC/B,CAAC;AAEF;;;GAGG;AACH,MAAa,iBAAkB,SAAQ,gCAItC;IAeC;;;;;;;;;;;;;;;OAeG;IACH,YAAY,EACV,SAAS,EACT,KAAK,GAAG,EAAE,EACV,IAAI,EACJ,YAAY,EACZ,MAAM,EACN,cAAc,EACd,QAAQ,EACR,eAAe,GAUhB;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ,EAAE,yBAAyB;YACnC,IAAI,EAAE,0BAAc;YACpB,KAAK,EAAE,EAAE,GAAG,gCAAgC,EAAE,EAAE,GAAG,KAAK,EAAE;SAC3D,CAAC,CAAC;;QAtDI,6CAAmB,IAAI,kCAAe,EAAE,EAAC;QAEzC,mDAAyB;QAEzB,0CAA0B;QAE1B,4CAAgB;QAEhB,oDAAmC;QAEnC,8CAAkB;QAElB,qDAAyB;QA4ChC,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;YAC/C,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QACnB,uBAAA,IAAI,oCAAkB,CAAC,GAAG,aAAa,CAAC,MAAA,CAAC;QACzC,uBAAA,IAAI,2BAAS,IAAI,MAAA,CAAC;QAClB,uBAAA,IAAI,6BAAW,MAAM,MAAA,CAAC;QACtB,uBAAA,IAAI,qCAAmB,cAAc,MAAA,CAAC;QACtC,uBAAA,IAAI,+BAAa,QAAQ,IAAI,MAAM,MAAA,CAAC;QACpC,uBAAA,IAAI,sCAAoB,eAAe,IAAI,MAAM,MAAA,CAAC;IACpD,CAAC;IAmBD;;;;OAIG;IACH,iBAAiB;QACf,OAAO,kCAA0B,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;OAMG;IACH,2BAA2B,CAAC,qBAE3B;QACC,IAAI,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,eAAe,EAC7C,EAAE,IAAI,EAAE,sCAA0B,CAAC,eAAe,EAAE,CACrD,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,qBAAqB,EAAE,YAAY,KAAK,KAAK,CAAC;QACjE,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACpE,MAAM,UAAU,GAAG,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC;QAE7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,OAAO,EAAE,CAAC;YACZ,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC;QAChD,CAAC;QAED,MAAM,OAAO,GAA+B;YAC1C,EAAE,EAAE;gBACF,IAAI,EAAE,uBAAA,IAAI,iCAAQ;gBAClB,EAAE,EAAE,uBAAA,IAAI,+BAAM;aACf;YACD,IAAI,EAAE;gBACJ,EAAE,EAAE,UAAU;gBACd,IAAI,EAAE,uBAAA,IAAI,mCAAU;gBACpB,WAAW,EAAE,uBAAA,IAAI,0CAAiB;aACnC;YACD,SAAS;YACT,gBAAgB,EAAE;gBAChB,EAAE,GAAG,EAAE,mBAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;gBAC1C,EAAE,GAAG,EAAE,mBAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;gBAC1C,EAAE,GAAG,EAAE,mBAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;aAC3C;YACD,OAAO,EAAE,sCAAmB;YAC5B,sBAAsB,EAAE;gBACtB,gBAAgB,EAAE,UAAU;gBAC5B,uBAAuB,EAAE,UAAU;gBACnC,WAAW,EAAE,WAAW;aACzB;YACD,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,WAAW,EAAE,MAAM;YACnB,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9D,CAAC;QAEF,uBAAA,IAAI,0CAAiB,CAAC,wBAAwB,CAAC,SAAS,EAAE;YACxD,UAAU;YACV,OAAO;YACP,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;OAOG;IACH,6CAA6C,CAAC,MAE7C;QACC,4BAA4B;QAC5B,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,CAAC;QACxC,MAAM,YAAY,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACvB,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAC7C,CAAC;QACF,MAAM,oBAAoB,GACxB,uBAAA,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,YAAY,CAAC,CAAC;QAC9D,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,GAAG,CAAC,uDAAuD,CAAC,CAAC;YAC7D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,sBAAsB,EACpD,EAAE,IAAI,EAAE,sCAA0B,CAAC,sBAAsB,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,MAAM,SAAS,GAAG,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC;QAC7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,oBAAoB,CAAC,OAAO,EAAE,CAAC;YACjC,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,oBAAoB,CAAC,OAAO,EAAE,EAAE,CAAC;QACrE,CAAC;QACD,MAAM,OAAO,GAAiC;YAC5C,SAAS;YACT,IAAI,EAAE,uBAAA,IAAI,+BAAM;YAChB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,oBAAoB,CAAC,EAAE;oBAC3B,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,oBAAoB,CAAC,QAAQ,CAAC,UAE7B;iBACd;aACF;YACD,gBAAgB,EAAE,UAAU;YAC5B,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,OAAO,EAAE,sCAAmB;YAC5B,UAAU;SACX,CAAC;QAEF,qBAAqB;QACrB,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,EAAE;YAC1D,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;OAIG;IACH,6BAA6B;QAC3B,MAAM,MAAM,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAEvC,MAAM,SAAS,GAAG,IAAA,+BAAsB,EAAC,EAAE,CAAC,CAAC;QAE7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QACrE,CAAC;QAED,MAAM,OAAO,GAAiC;YAC5C,SAAS;YACT,IAAI,EAAE,uBAAA,IAAI,+BAAM;YAChB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE;oBACxB,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,UAAU;iBACzC;aACF;YACD,gBAAgB,EAAE,UAAU;YAC5B,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,OAAO,EAAE,sCAAmB;YAC5B,UAAU;SACX,CAAC;QAEF,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,EAAE;YAC1D,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,0BAA0B,CAAC,MAIhC;QACC,IAAI,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,eAAe,EAC7C,EAAE,IAAI,EAAE,sCAA0B,CAAC,eAAe,EAAE,CACrD,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;QAE1E,4BAA4B;QAC5B,MAAM,SAAS,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACpB,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAC7C,CAAC;QACF,MAAM,oBAAoB,GACxB,uBAAA,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,GAAG,CAAC,uDAAuD,CAAC,CAAC;YAC7D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,sBAAsB,EACpD,EAAE,IAAI,EAAE,sCAA0B,CAAC,sBAAsB,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,+BAA+B;YAC/B,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,MAAM,IAAA,yDAA0B,EAAC;gBACtE,QAAQ,EAAE,oBAAoB;gBAC9B,iBAAiB,EAAE,oBAAoB,CAAC,SAAS;gBACjD,cAAc,EAAE,uBAAA,IAAI,yCAAgB;gBACpC,aAAa,EAAE,uBAAA,IAAI,wCAAe;gBAClC,uBAAuB,EAAE,IAAI;aAC9B,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;gBACjB,GAAG,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;gBAC5D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,8BAA8B,EAC5D;oBACE,IAAI,EAAE,sCAA0B,CAAC,8BAA8B;oBAC/D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;iBACjE,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACnC,GAAG,CACD,oFAAoF,CACrF,CAAC;gBACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,8BAA8B,EAC5D,EAAE,IAAI,EAAE,sCAA0B,CAAC,8BAA8B,EAAE,CACpE,CAAC;YACJ,CAAC;YAED,iCAAiC;YACjC,MAAM,UAAU,GAAG;gBACjB,EAAE,EAAE,gBAAgB,CAAC,YAAY;gBACjC,SAAS,EAAE,IAAA,2BAAgB,EAAC,gBAAgB,CAAC,SAAS,CAAC;gBACvD,OAAO,EAAE,gBAAgB,CAAC,OAAO;gBACjC,UAAU,EAAE,gBAAgB,CAAC,UAAU;gBACvC,MAAM,EAAE,gBAAgB,CAAC,MAAM;aAChC,CAAC;YACF,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,uBAAA,IAAI,qFAA8B,MAAlC,IAAI,EAC/B,sBAAsB,EACtB,UAAU,CACX,CAAC;YAEF,kCAAkC;YAClC,MAAM,QAAQ,GACZ,sBAAsB,CAAC,sBACxB,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC;YACvB,MAAM,gBAAgB,GACpB,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YACtD,MAAM,aAAa,GACjB,gBAAgB,IAAI,oBAAoB,CAAC,OAAO;gBAC9C,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,oBAAoB,CAAC,OAAO,EAAE;gBAC1D,CAAC,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;YAE/B,IACE,aAAa,CAAC,MAAM,KAAK,YAAY;gBACrC,sBAAsB,CAAC,QAAQ,CAAC,UAAU;oBACxC,oBAAoB,CAAC,UAAU,EACjC,CAAC;gBACD,GAAG,CACD,6EAA6E,CAC9E,CAAC;gBACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,gCAAgC,EAC9D,EAAE,IAAI,EAAE,sCAA0B,CAAC,gCAAgC,EAAE,CACtE,CAAC;YACJ,CAAC;YAED,mCAAmC;YACnC,MAAM,MAAM,GAAG,IAAA,oDAAmC,EAChD,sBAAsB,EACtB,EAAE,UAAU,EAAE,aAAa,EAAE,CAC9B,CAAC;YACF,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,IAAA,uBAAc,EAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAE5D,yBAAyB;YACzB,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;gBACpB,KAAK,CAAC,aAAa,GAAG;oBACpB,UAAU,EAAE;wBACV,GAAG,UAAU;wBACb,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC;qBAClD;oBACD,iBAAiB,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE;oBACrC,aAAa;iBACd,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,+BAA+B;YAC/B,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,2BAA2B,CAC/B,sBAAqD;QAErD,MAAM,aAAa,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAE9C,oDAAoD;QACpD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,uBAAA,IAAI,qFAA8B,MAAlC,IAAI,EAC/B,sBAAsB,EACtB,aAAa,CAAC,UAAU,CACzB,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,WAAW,EACzC,EAAE,IAAI,EAAE,sCAA0B,CAAC,WAAW,EAAE,CACjD,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,CAC/C,UAAU,EACV,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,OAAO,CACvC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,aAAa;QACb,MAAM,MAAM,GAAG,IAAA,oDAAmC,EAChD,sBAAsB,EACtB,aAAa,CACd,CAAC;QAEF,oBAAoB;QACpB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAA,uBAAc,EAC7B,aAAa,CAAC,iBAAiB,CAAC,UAAU,EAC1C,aAAa,CAAC,iBAAiB,CAAC,EAAE,EAClC,MAAM,CACP,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CACD,yCAAyC,EACzC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,wBAAwB,EACtD;gBACE,IAAI,EAAE,sCAA0B,CAAC,wBAAwB;gBACzD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,2BAA2B,CAC/B,sBAAqD;QAErD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,2BAA2B,CAAC,sBAAsB,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAI,KAAK,YAAY,+BAAsB,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACxE,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,uBAAuB,CAAC,MAI7B;QACC,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,CAAC;QAC1C,MAAM,aAAa,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAE9C,aAAa;QACb,MAAM,MAAM,GAAG,IAAA,oDAAmC,EAChD,sBAAsB,EACtB,aAAa,CACd,CAAC;QAEF,oBAAoB;QACpB,IAAI,iBAAyB,CAAC;QAC9B,IAAI,CAAC;YACH,iBAAiB,GAAG,IAAA,uBAAc,EAChC,aAAa,CAAC,iBAAiB,CAAC,UAAU,EAC1C,aAAa,CAAC,iBAAiB,CAAC,EAAE,EAClC,MAAM,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CACD,6DAA6D,EAC7D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,wBAAwB,EACtD;gBACE,IAAI,EAAE,sCAA0B,CAAC,wBAAwB;gBACzD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAC5C,IACE,CAAC,IAAA,2BAAmB,EAClB,IAAA,qBAAa,EAAC,iBAAiB,CAAC,EAChC,IAAA,qBAAa,EAAC,WAAW,CAAC,CAC3B,EACD,CAAC;YACD,GAAG,CACD,0EAA0E,CAC3E,CAAC;YACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,gBAAgB,EAC9C,EAAE,IAAI,EAAE,sCAA0B,CAAC,gBAAgB,EAAE,CACtD,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,IAAA,uBAAc,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE/D,4EAA4E;QAC5E,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,WAAW,EACzC;oBACE,IAAI,EAAE,sCAA0B,CAAC,WAAW;iBAC7C,CACF,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,aAAa,CAAC,iBAAiB,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC7D,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,aAAa;QACX,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,gCAAgC,EAAE,CAAC,CAAC;QACtD,uBAAA,IAAI,0CAAiB,CAAC,KAAK,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,uBAAA,IAAI,0CAAiB,CAAC,KAAK,EAAE,CAAC;QAC9B,KAAK,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC;CAwEF;AApoBD,8CAooBC;;IA3jBG,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,WAAW,EACzC;YACE,IAAI,EAAE,sCAA0B,CAAC,WAAW;SAC7C,CACF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,yGAE2B,cAAsB;IAChD,OAAO,IAAA,8CAAoB,EAAC,cAAc,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAueD;;;;;;GAMG;AACH,KAAK,0DACH,sBAAqD,EACrD,UAAiC;IAEjC,gBAAgB;IAChB,MAAM,SAAS,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACpB,sBAAsB,CAAC,QAAQ,CAAC,cAAc,CAC/C,CAAC;IAEF,8BAA8B;IAC9B,MAAM,sBAAsB,GAC1B,uBAAA,IAAI,0CAAiB,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;IAC7D,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,GAAG,CAAC,yDAAyD,CAAC,CAAC;QAC/D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,wBAAwB,EACtD,EAAE,IAAI,EAAE,sCAA0B,CAAC,wBAAwB,EAAE,CAC9D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,iCAAiC;QACjC,MAAM,MAAM,GAAG,MAAM,IAAA,6DAA4B,EAAC;YAChD,QAAQ,EAAE,sBAAsB;YAChC,iBAAiB,EAAE,sBAAsB,CAAC,SAAS;YACnD,cAAc,EAAE,uBAAA,IAAI,yCAAgB;YACpC,aAAa,EAAE,uBAAA,IAAI,wCAAe;YAClC,UAAU,EAAE;gBACV,EAAE,EAAE,UAAU,CAAC,EAAE;gBACjB,SAAS,EAAE,IAAA,2BAAgB,EAAC,UAAU,CAAC,SAAS,CAAC;gBACjD,OAAO,EAAE,UAAU,CAAC,OAAO;gBAC3B,UAAU,EAAE,UAAU,CAAC,UAAU;aAClC;YACD,uBAAuB,EAAE,IAAI;SAC9B,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACjB,GAAG,CACD,iDAAiD,EACjD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,gCAAgC,EAC9D;gBACE,IAAI,EAAE,sCAA0B,CAAC,gCAAgC;gBACjE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,GAAG,CAAC,yDAAyD,CAAC,CAAC;YAC/D,MAAM,IAAI,+BAAsB,CAC9B,yCAA6B,CAAC,gCAAgC,EAC9D;gBACE,IAAI,EAAE,sCAA0B,CAAC,gCAAgC;aAClE,CACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,iCAAiC;QACjC,uBAAA,IAAI,0CAAiB,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC;AACH,CAAC","sourcesContent":["import type {\n ControllerGetStateAction,\n ControllerStateChangedEvent,\n StateMetadata,\n} from '@metamask/base-controller';\nimport { BaseController } from '@metamask/base-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport { areUint8ArraysEqual, stringToBytes } from '@metamask/utils';\n\nimport { WEBAUTHN_TIMEOUT_MS, CeremonyManager } from './ceremony-manager';\nimport {\n controllerName,\n PasskeyControllerErrorCode,\n PasskeyControllerErrorMessage,\n} from './constants';\nimport { PasskeyControllerError } from './errors';\nimport { deriveKeyFromAuthenticationResponse } from './key-derivation';\nimport { createModuleLogger, projectLogger } from './logger';\nimport type {\n AuthenticatorTransportFuture,\n PasskeyCredentialInfo,\n PasskeyKeyDerivation,\n PasskeyRecord,\n PrfClientExtensionResults,\n} from './types';\nimport {\n decryptWithKey,\n encryptWithKey,\n randomBytesToBase64URL,\n} from './utils/crypto';\nimport { base64URLToBytes, bytesToBase64URL } from './utils/encoding';\nimport { COSEALG } from './webauthn/constants';\nimport { decodeClientDataJSON } from './webauthn/decode-client-data-json';\nimport type {\n PasskeyAuthenticationOptions,\n PasskeyAuthenticationResponse,\n PasskeyRegistrationOptions,\n PasskeyRegistrationResponse,\n} from './webauthn/types';\nimport { verifyAuthenticationResponse } from './webauthn/verify-authentication-response';\nimport { verifyRegistrationResponse } from './webauthn/verify-registration-response';\n\nexport type PasskeyControllerState = {\n passkeyRecord: PasskeyRecord | null;\n};\n\nexport type PasskeyControllerGetStateAction = ControllerGetStateAction<\n typeof controllerName,\n PasskeyControllerState\n>;\n\n/**\n * Actions exposed by {@link PasskeyController} on its messenger.\n *\n * Only `:getState` is exposed. Derived enrollment status is available via\n * {@link passkeyControllerSelectors.selectIsPasskeyEnrolled}, and lifecycle\n * methods ({@link PasskeyController.generateRegistrationOptions},\n * {@link PasskeyController.protectVaultKeyWithPasskey}, etc.) accept or\n * return non-`Json` runtime values (WebAuthn `PublicKeyCredential` objects\n * and the vault key string), so they require a direct controller reference.\n */\nexport type PasskeyControllerActions = PasskeyControllerGetStateAction;\n\nexport type PasskeyControllerStateChangedEvent = ControllerStateChangedEvent<\n typeof controllerName,\n PasskeyControllerState\n>;\n\nexport type PasskeyControllerEvents = PasskeyControllerStateChangedEvent;\n\nexport type PasskeyControllerMessenger = Messenger<\n typeof controllerName,\n PasskeyControllerActions,\n PasskeyControllerEvents\n>;\n\n/**\n * Returns the default (empty) state for {@link PasskeyController}.\n *\n * @returns A fresh state object with no enrolled passkey.\n */\nexport function getDefaultPasskeyControllerState(): PasskeyControllerState {\n return { passkeyRecord: null };\n}\n\nconst passkeyControllerMetadata = {\n passkeyRecord: {\n persist: true,\n includeInDebugSnapshot: false,\n includeInStateLogs: false,\n usedInUi: true,\n },\n} satisfies StateMetadata<PasskeyControllerState>;\n\nconst log = createModuleLogger(projectLogger, controllerName);\n\n/**\n * Selectors for {@link PasskeyControllerState}.\n *\n * Use these instead of dedicated getter methods on the controller, so that\n * derived values can be consumed from Redux selectors and other places that\n * only have access to a state object.\n */\nexport const passkeyControllerSelectors = {\n selectIsPasskeyEnrolled: (state: PasskeyControllerState): boolean =>\n state.passkeyRecord !== null,\n};\n\n/**\n * Controller that enrolls a WebAuthn passkey and uses it to protect and unlock\n * the vault encryption key.\n */\nexport class PasskeyController extends BaseController<\n typeof controllerName,\n PasskeyControllerState,\n PasskeyControllerMessenger\n> {\n readonly #ceremonyManager = new CeremonyManager();\n\n readonly #expectedRPIDs: string[];\n\n readonly #rpId: string | undefined;\n\n readonly #rpName: string;\n\n readonly #expectedOrigin: string | string[];\n\n readonly #userName: string;\n\n readonly #userDisplayName: string;\n\n /**\n * Creates a passkey controller with WebAuthn relying-party settings.\n *\n * @param args - Constructor options.\n * @param args.messenger - Controller messenger.\n * @param args.state - Partial initial state; merged with {@link getDefaultPasskeyControllerState}.\n * @param args.expectedRPID - Relying party ID(s) for verification (SHA-256 hash match in\n * authenticator data). Pass a string or array of strings; an empty array skips RP ID\n * allowlist checks in {@link verifyRegistrationResponse} / {@link verifyAuthenticationResponse}.\n * @param args.rpId - When set, included as `rp.id` on registration options and `rpId` on\n * authentication options. When omitted, those fields are left unset (client default RP ID).\n * @param args.rpName - Relying party name shown in the platform passkey UI.\n * @param args.expectedOrigin - Allowed value(s) for the WebAuthn client origin.\n * @param args.userName - Optional passkey user name; defaults to `rpName`.\n * @param args.userDisplayName - Optional display name; defaults to `rpName`.\n */\n constructor({\n messenger,\n state = {},\n rpId,\n expectedRPID,\n rpName,\n expectedOrigin,\n userName,\n userDisplayName,\n }: {\n messenger: PasskeyControllerMessenger;\n state?: Partial<PasskeyControllerState>;\n rpId?: string;\n expectedRPID: string | string[];\n rpName: string;\n expectedOrigin: string | string[];\n userName?: string;\n userDisplayName?: string;\n }) {\n super({\n messenger,\n metadata: passkeyControllerMetadata,\n name: controllerName,\n state: { ...getDefaultPasskeyControllerState(), ...state },\n });\n\n const expectedRPIDs = Array.isArray(expectedRPID)\n ? expectedRPID\n : [expectedRPID];\n this.#expectedRPIDs = [...expectedRPIDs];\n this.#rpId = rpId;\n this.#rpName = rpName;\n this.#expectedOrigin = expectedOrigin;\n this.#userName = userName ?? rpName;\n this.#userDisplayName = userDisplayName ?? rpName;\n }\n\n #requireEnrolled(): PasskeyRecord {\n const record = this.state.passkeyRecord;\n if (!record) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n {\n code: PasskeyControllerErrorCode.NotEnrolled,\n },\n );\n }\n return record;\n }\n\n #getChallengeFromClientData(clientDataJSON: string): string {\n return decodeClientDataJSON(clientDataJSON).challenge;\n }\n\n /**\n * Whether a passkey is enrolled and vault key material is stored.\n *\n * @returns `true` if enrolled, otherwise `false`.\n */\n isPasskeyEnrolled(): boolean {\n return passkeyControllerSelectors.selectIsPasskeyEnrolled(this.state);\n }\n\n /**\n * Builds WebAuthn credential creation options for passkey enrollment.\n *\n * @param creationOptionsConfig - Optional creation behavior.\n * @param creationOptionsConfig.prfAvailable - Request the PRF extension unless `false`. Defaults to `true`.\n * @returns Public key credential creation options for `navigator.credentials.create()`.\n */\n generateRegistrationOptions(creationOptionsConfig?: {\n prfAvailable?: boolean;\n }): PasskeyRegistrationOptions {\n if (this.isPasskeyEnrolled()) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AlreadyEnrolled,\n { code: PasskeyControllerErrorCode.AlreadyEnrolled },\n );\n }\n\n const includePrf = creationOptionsConfig?.prfAvailable !== false;\n const prfSalt = includePrf ? randomBytesToBase64URL(32) : undefined;\n const userHandle = randomBytesToBase64URL(64);\n const challenge = randomBytesToBase64URL(32);\n\n const extensions: Record<string, unknown> = {};\n if (prfSalt) {\n extensions.prf = { eval: { first: prfSalt } };\n }\n\n const options: PasskeyRegistrationOptions = {\n rp: {\n name: this.#rpName,\n id: this.#rpId,\n },\n user: {\n id: userHandle,\n name: this.#userName,\n displayName: this.#userDisplayName,\n },\n challenge,\n pubKeyCredParams: [\n { alg: COSEALG.EdDSA, type: 'public-key' },\n { alg: COSEALG.ES256, type: 'public-key' },\n { alg: COSEALG.RS256, type: 'public-key' },\n ],\n timeout: WEBAUTHN_TIMEOUT_MS,\n authenticatorSelection: {\n userVerification: 'required',\n authenticatorAttachment: 'platform',\n residentKey: 'preferred',\n },\n hints: ['client-device', 'hybrid'],\n attestation: 'none',\n ...(Object.keys(extensions).length > 0 ? { extensions } : {}),\n };\n\n this.#ceremonyManager.saveRegistrationCeremony(challenge, {\n userHandle,\n prfSalt,\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Builds WebAuthn credential request options for the post-registration\n * authentication step (between `create` and {@link protectVaultKeyWithPasskey}).\n *\n * @param params - Input for the pending registration ceremony.\n * @param params.registrationResponse - Result of `navigator.credentials.create()`.\n * @returns Public key credential request options for `navigator.credentials.get()`.\n */\n generatePostRegistrationAuthenticationOptions(params: {\n registrationResponse: PasskeyRegistrationResponse;\n }): PasskeyAuthenticationOptions {\n // get registration ceremony\n const { registrationResponse } = params;\n const regChallenge = this.#getChallengeFromClientData(\n registrationResponse.response.clientDataJSON,\n );\n const registrationCeremony =\n this.#ceremonyManager.getRegistrationCeremony(regChallenge);\n if (!registrationCeremony) {\n log('No active passkey registration ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoRegistrationCeremony,\n { code: PasskeyControllerErrorCode.NoRegistrationCeremony },\n );\n }\n\n // build auth options\n const challenge = randomBytesToBase64URL(32);\n const extensions: Record<string, unknown> = {};\n if (registrationCeremony.prfSalt) {\n extensions.prf = { eval: { first: registrationCeremony.prfSalt } };\n }\n const options: PasskeyAuthenticationOptions = {\n challenge,\n rpId: this.#rpId,\n allowCredentials: [\n {\n id: registrationResponse.id,\n type: 'public-key',\n transports: registrationResponse.response.transports as\n | AuthenticatorTransportFuture[]\n | undefined,\n },\n ],\n userVerification: 'required',\n hints: ['client-device', 'hybrid'],\n timeout: WEBAUTHN_TIMEOUT_MS,\n extensions,\n };\n\n // save auth ceremony\n this.#ceremonyManager.saveAuthenticationCeremony(challenge, {\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Builds WebAuthn credential request options for the enrolled passkey.\n *\n * @returns Public key credential request options for `navigator.credentials.get()`.\n */\n generateAuthenticationOptions(): PasskeyAuthenticationOptions {\n const record = this.#requireEnrolled();\n\n const challenge = randomBytesToBase64URL(32);\n\n const extensions: Record<string, unknown> = {};\n if (record.keyDerivation.method === 'prf') {\n extensions.prf = { eval: { first: record.keyDerivation.prfSalt } };\n }\n\n const options: PasskeyAuthenticationOptions = {\n challenge,\n rpId: this.#rpId,\n allowCredentials: [\n {\n id: record.credential.id,\n type: 'public-key',\n transports: record.credential.transports,\n },\n ],\n userVerification: 'required',\n hints: ['client-device', 'hybrid'],\n timeout: WEBAUTHN_TIMEOUT_MS,\n extensions,\n };\n\n this.#ceremonyManager.saveAuthenticationCeremony(challenge, {\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Verifies registration and post-registration authentication, then stores the\n * vault key encrypted under the new passkey.\n *\n * @param params - Enrollment completion inputs.\n * @param params.registrationResponse - Result of `navigator.credentials.create()`.\n * @param params.authenticationResponse - Result of `navigator.credentials.get()` after {@link generatePostRegistrationAuthenticationOptions}.\n * @param params.vaultKey - Vault encryption key to encrypt and persist.\n */\n async protectVaultKeyWithPasskey(params: {\n registrationResponse: PasskeyRegistrationResponse;\n authenticationResponse: PasskeyAuthenticationResponse;\n vaultKey: string;\n }): Promise<void> {\n if (this.isPasskeyEnrolled()) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AlreadyEnrolled,\n { code: PasskeyControllerErrorCode.AlreadyEnrolled },\n );\n }\n const { registrationResponse, authenticationResponse, vaultKey } = params;\n\n // get registration ceremony\n const challenge = this.#getChallengeFromClientData(\n registrationResponse.response.clientDataJSON,\n );\n const registrationCeremony =\n this.#ceremonyManager.getRegistrationCeremony(challenge);\n if (!registrationCeremony) {\n log('No active passkey registration ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoRegistrationCeremony,\n { code: PasskeyControllerErrorCode.NoRegistrationCeremony },\n );\n }\n\n try {\n // verify registration response\n const { verified, registrationInfo } = await verifyRegistrationResponse({\n response: registrationResponse,\n expectedChallenge: registrationCeremony.challenge,\n expectedOrigin: this.#expectedOrigin,\n expectedRPIDs: this.#expectedRPIDs,\n requireUserVerification: true,\n }).catch((error) => {\n log('Error verifying passkey registration response', error);\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.RegistrationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.RegistrationVerificationFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n });\n if (!verified || !registrationInfo) {\n log(\n 'Passkey registration verification returned unverified or missing registration info',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.RegistrationVerificationFailed,\n { code: PasskeyControllerErrorCode.RegistrationVerificationFailed },\n );\n }\n\n // verify authentication response\n const credential = {\n id: registrationInfo.credentialId,\n publicKey: bytesToBase64URL(registrationInfo.publicKey),\n counter: registrationInfo.counter,\n transports: registrationInfo.transports,\n aaguid: registrationInfo.aaguid,\n };\n const { newCounter } = await this.#verifyAuthenticationResponse(\n authenticationResponse,\n credential,\n );\n\n // determine key derivation method\n const prfFirst = (\n authenticationResponse.clientExtensionResults as PrfClientExtensionResults\n )?.prf?.results?.first;\n const authHasPrfOutput =\n typeof prfFirst === 'string' && prfFirst.length > 0;\n const keyDerivation: PasskeyKeyDerivation =\n authHasPrfOutput && registrationCeremony.prfSalt\n ? { method: 'prf', prfSalt: registrationCeremony.prfSalt }\n : { method: 'userHandle' };\n\n if (\n keyDerivation.method === 'userHandle' &&\n authenticationResponse.response.userHandle !==\n registrationCeremony.userHandle\n ) {\n log(\n 'Post-registration assertion userHandle does not match registration ceremony',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n { code: PasskeyControllerErrorCode.AuthenticationVerificationFailed },\n );\n }\n\n // derive key and encrypt vault key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n { credential, keyDerivation },\n );\n const { ciphertext, iv } = encryptWithKey(vaultKey, encKey);\n\n // persist passkey record\n this.update((state) => {\n state.passkeyRecord = {\n credential: {\n ...credential,\n counter: Math.max(newCounter, credential.counter),\n },\n encryptedVaultKey: { ciphertext, iv },\n keyDerivation,\n };\n });\n } finally {\n // delete registration ceremony\n this.#ceremonyManager.deleteRegistrationCeremony(challenge);\n }\n }\n\n /**\n * Verifies an authentication assertion and returns the decrypted vault key.\n *\n * @param authenticationResponse - Result of `navigator.credentials.get()`.\n * @returns The plaintext vault encryption key.\n */\n async retrieveVaultKeyWithPasskey(\n authenticationResponse: PasskeyAuthenticationResponse,\n ): Promise<string> {\n const passkeyRecord = this.#requireEnrolled();\n\n // verify authentication response and update counter\n const { newCounter } = await this.#verifyAuthenticationResponse(\n authenticationResponse,\n passkeyRecord.credential,\n );\n this.update((state) => {\n if (!state.passkeyRecord) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n { code: PasskeyControllerErrorCode.NotEnrolled },\n );\n }\n state.passkeyRecord.credential.counter = Math.max(\n newCounter,\n state.passkeyRecord.credential.counter,\n );\n });\n\n // derive key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n passkeyRecord,\n );\n\n // decrypt vault key\n try {\n const vaultKey = decryptWithKey(\n passkeyRecord.encryptedVaultKey.ciphertext,\n passkeyRecord.encryptedVaultKey.iv,\n encKey,\n );\n return vaultKey;\n } catch (cause) {\n log(\n 'Error decrypting vault key with passkey',\n cause instanceof Error ? cause : new Error(String(cause)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyDecryptionFailed,\n {\n code: PasskeyControllerErrorCode.VaultKeyDecryptionFailed,\n cause: cause instanceof Error ? cause : new Error(String(cause)),\n },\n );\n }\n }\n\n /**\n * Checks whether the given authentication assertion is valid for the enrolled passkey.\n *\n * On failure, returns `false` for {@link PasskeyControllerError} with a `code`;\n * other errors propagate.\n *\n * @param authenticationResponse - Result of `navigator.credentials.get()`.\n * @returns `true` if verification succeeds, otherwise `false`.\n */\n async verifyPasskeyAuthentication(\n authenticationResponse: PasskeyAuthenticationResponse,\n ): Promise<boolean> {\n try {\n await this.retrieveVaultKeyWithPasskey(authenticationResponse);\n return true;\n } catch (error: unknown) {\n if (error instanceof PasskeyControllerError && error.code !== undefined) {\n return false;\n }\n throw error;\n }\n }\n\n /**\n * Re-wraps the vault key after rotation. Updates persisted `encryptedVaultKey` on success.\n *\n * Does not verify WebAuthn or ceremony state—call only after your layer has authenticated\n * the user (passkey `get()` + verified assertion, or verified password). On passkey paths,\n * pass the same `authenticationResponse` you just verified (e.g. from\n * {@link retrieveVaultKeyWithPasskey} / {@link verifyPasskeyAuthentication}).\n *\n * @param params - Re-wrap inputs.\n * @param params.authenticationResponse - Used to derive the wrapping key.\n * @param params.oldVaultKey - Expected current vault key.\n * @param params.newVaultKey - New vault key to encrypt under the passkey.\n */\n async renewVaultKeyProtection(params: {\n authenticationResponse: PasskeyAuthenticationResponse;\n oldVaultKey: string;\n newVaultKey: string;\n }): Promise<void> {\n const { authenticationResponse } = params;\n const passkeyRecord = this.#requireEnrolled();\n\n // derive key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n passkeyRecord,\n );\n\n // decrypt vault key\n let decryptedVaultKey: string;\n try {\n decryptedVaultKey = decryptWithKey(\n passkeyRecord.encryptedVaultKey.ciphertext,\n passkeyRecord.encryptedVaultKey.iv,\n encKey,\n );\n } catch (error) {\n log(\n 'Error decrypting vault key during passkey vault key renewal',\n error instanceof Error ? error : new Error(String(error)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyDecryptionFailed,\n {\n code: PasskeyControllerErrorCode.VaultKeyDecryptionFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n }\n\n // check if vault key matches\n const { oldVaultKey, newVaultKey } = params;\n if (\n !areUint8ArraysEqual(\n stringToBytes(decryptedVaultKey),\n stringToBytes(oldVaultKey),\n )\n ) {\n log(\n 'Passkey renewal rejected: decrypted vault key does not match oldVaultKey',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyMismatch,\n { code: PasskeyControllerErrorCode.VaultKeyMismatch },\n );\n }\n\n // encrypt new vault key\n const { ciphertext, iv } = encryptWithKey(newVaultKey, encKey);\n\n // persist passkey record (mutate current state only for vault key material)\n this.update((state) => {\n if (!state.passkeyRecord) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n {\n code: PasskeyControllerErrorCode.NotEnrolled,\n },\n );\n }\n state.passkeyRecord.encryptedVaultKey = { ciphertext, iv };\n });\n }\n\n /**\n * Clears enrolled passkey state and in-flight ceremonies. Call only after the same\n * auth gate as renewal (verified passkey assertion or password).\n */\n removePasskey(): void {\n this.update(() => getDefaultPasskeyControllerState());\n this.#ceremonyManager.clear();\n }\n\n /**\n * Resets state and clears in-flight registration/authentication ceremonies.\n */\n clearState(): void {\n this.removePasskey();\n }\n\n /**\n * Releases all in-flight ceremony state and tears down the messenger.\n */\n destroy(): void {\n this.#ceremonyManager.clear();\n super.destroy();\n }\n\n /**\n * Validates a WebAuthn authentication response against stored credential data.\n *\n * @param authenticationResponse - Parsed authentication response from the client.\n * @param credential - Credential identifiers and public key material for verification.\n * @returns Updated authenticator signature counter.\n */\n async #verifyAuthenticationResponse(\n authenticationResponse: PasskeyAuthenticationResponse,\n credential: PasskeyCredentialInfo,\n ): Promise<{ newCounter: number }> {\n // get challenge\n const challenge = this.#getChallengeFromClientData(\n authenticationResponse.response.clientDataJSON,\n );\n\n // get authentication ceremony\n const authenticationCeremony =\n this.#ceremonyManager.getAuthenticationCeremony(challenge);\n if (!authenticationCeremony) {\n log('No active passkey authentication ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoAuthenticationCeremony,\n { code: PasskeyControllerErrorCode.NoAuthenticationCeremony },\n );\n }\n\n try {\n // verify authentication response\n const result = await verifyAuthenticationResponse({\n response: authenticationResponse,\n expectedChallenge: authenticationCeremony.challenge,\n expectedOrigin: this.#expectedOrigin,\n expectedRPIDs: this.#expectedRPIDs,\n credential: {\n id: credential.id,\n publicKey: base64URLToBytes(credential.publicKey),\n counter: credential.counter,\n transports: credential.transports,\n },\n requireUserVerification: true,\n }).catch((error) => {\n log(\n 'Error verifying passkey authentication response',\n error instanceof Error ? error : new Error(String(error)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.AuthenticationVerificationFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n });\n if (!result.verified) {\n log('Passkey authentication verification returned unverified');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.AuthenticationVerificationFailed,\n },\n );\n }\n\n return { newCounter: result.authenticationInfo.newCounter };\n } finally {\n // delete authentication ceremony\n this.#ceremonyManager.deleteAuthenticationCeremony(challenge);\n }\n }\n}\n"]}
package/dist/PasskeyController.d.cts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"PasskeyController.d.cts","sourceRoot":"","sources":["../src/PasskeyController.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,wBAAwB,EACxB,2BAA2B,EAE5B,kCAAkC;AACnC,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AAIrD,OAAO,EACL,cAAc,EAGf,wBAAoB;AAIrB,OAAO,KAAK,EAIV,aAAa,EAEd,oBAAgB;AASjB,OAAO,KAAK,EACV,4BAA4B,EAC5B,6BAA6B,EAC7B,0BAA0B,EAC1B,2BAA2B,EAC5B,6BAAyB;AAI1B,MAAM,MAAM,sBAAsB,GAAG;IACnC,aAAa,EAAE,aAAa,GAAG,IAAI,CAAC;CACrC,CAAC;AAEF,MAAM,MAAM,+BAA+B,GAAG,wBAAwB,CACpE,OAAO,cAAc,EACrB,sBAAsB,CACvB,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,MAAM,wBAAwB,GAAG,+BAA+B,CAAC;AAEvE,MAAM,MAAM,kCAAkC,GAAG,2BAA2B,CAC1E,OAAO,cAAc,EACrB,sBAAsB,CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG,kCAAkC,CAAC;AAEzE,MAAM,MAAM,0BAA0B,GAAG,SAAS,CAChD,OAAO,cAAc,EACrB,wBAAwB,EACxB,uBAAuB,CACxB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gCAAgC,IAAI,sBAAsB,CAEzE;AAaD;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B;qCACJ,sBAAsB,KAAG,OAAO;CAElE,CAAC;AAEF;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,cAAc,CACnD,OAAO,cAAc,EACrB,sBAAsB,EACtB,0BAA0B,CAC3B;;IAeC;;;;;;;;;;;;;;;OAeG;gBACS,EACV,SAAS,EACT,KAAU,EACV,IAAI,EACJ,YAAY,EACZ,MAAM,EACN,cAAc,EACd,QAAQ,EACR,eAAe,GAChB,EAAE;QACD,SAAS,EAAE,0BAA0B,CAAC;QACtC,KAAK,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAChC,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B;IAoCD;;;;OAIG;IACH,iBAAiB,IAAI,OAAO;IAI5B;;;;;;OAMG;IACH,2BAA2B,CAAC,qBAAqB,CAAC,EAAE;QAClD,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,GAAG,0BAA0B;IAuD9B;;;;;;;OAOG;IACH,6CAA6C,CAAC,MAAM,EAAE;QACpD,oBAAoB,EAAE,2BAA2B,CAAC;KACnD,GAAG,4BAA4B;IAiDhC;;;;OAIG;IACH,6BAA6B,IAAI,4BAA4B;IAkC7D;;;;;;;;OAQG;IACG,0BAA0B,CAAC,MAAM,EAAE;QACvC,oBAAoB,EAAE,2BAA2B,CAAC;QAClD,sBAAsB,EAAE,6BAA6B,CAAC;QACtD,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,IAAI,CAAC;IAiHjB;;;;;OAKG;IACG,2BAA2B,CAC/B,sBAAsB,EAAE,6BAA6B,GACpD,OAAO,CAAC,MAAM,CAAC;IAkDlB;;;;;;;;OAQG;IACG,2BAA2B,CAC/B,sBAAsB,EAAE,6BAA6B,GACpD,OAAO,CAAC,OAAO,CAAC;IAYnB;;;;;;;;;;;;OAYG;IACG,uBAAuB,CAAC,MAAM,EAAE;QACpC,sBAAsB,EAAE,6BAA6B,CAAC;QACtD,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;KACrB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkEjB;;;OAGG;IACH,aAAa,IAAI,IAAI;IAKrB;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACH,OAAO,IAAI,IAAI;CA4EhB"}
1
+ {"version":3,"file":"PasskeyController.d.cts","sourceRoot":"","sources":["../src/PasskeyController.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,wBAAwB,EACxB,2BAA2B,EAE5B,kCAAkC;AACnC,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AAIrD,OAAO,EACL,cAAc,EAGf,wBAAoB;AAIrB,OAAO,KAAK,EAIV,aAAa,EAEd,oBAAgB;AASjB,OAAO,KAAK,EACV,4BAA4B,EAC5B,6BAA6B,EAC7B,0BAA0B,EAC1B,2BAA2B,EAC5B,6BAAyB;AAI1B,MAAM,MAAM,sBAAsB,GAAG;IACnC,aAAa,EAAE,aAAa,GAAG,IAAI,CAAC;CACrC,CAAC;AAEF,MAAM,MAAM,+BAA+B,GAAG,wBAAwB,CACpE,OAAO,cAAc,EACrB,sBAAsB,CACvB,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,MAAM,wBAAwB,GAAG,+BAA+B,CAAC;AAEvE,MAAM,MAAM,kCAAkC,GAAG,2BAA2B,CAC1E,OAAO,cAAc,EACrB,sBAAsB,CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG,kCAAkC,CAAC;AAEzE,MAAM,MAAM,0BAA0B,GAAG,SAAS,CAChD,OAAO,cAAc,EACrB,wBAAwB,EACxB,uBAAuB,CACxB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gCAAgC,IAAI,sBAAsB,CAEzE;AAaD;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B;qCACJ,sBAAsB,KAAG,OAAO;CAElE,CAAC;AAEF;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,cAAc,CACnD,OAAO,cAAc,EACrB,sBAAsB,EACtB,0BAA0B,CAC3B;;IAeC;;;;;;;;;;;;;;;OAeG;gBACS,EACV,SAAS,EACT,KAAU,EACV,IAAI,EACJ,YAAY,EACZ,MAAM,EACN,cAAc,EACd,QAAQ,EACR,eAAe,GAChB,EAAE;QACD,SAAS,EAAE,0BAA0B,CAAC;QACtC,KAAK,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAChC,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B;IAoCD;;;;OAIG;IACH,iBAAiB,IAAI,OAAO;IAI5B;;;;;;OAMG;IACH,2BAA2B,CAAC,qBAAqB,CAAC,EAAE;QAClD,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,GAAG,0BAA0B;IAuD9B;;;;;;;OAOG;IACH,6CAA6C,CAAC,MAAM,EAAE;QACpD,oBAAoB,EAAE,2BAA2B,CAAC;KACnD,GAAG,4BAA4B;IAiDhC;;;;OAIG;IACH,6BAA6B,IAAI,4BAA4B;IAkC7D;;;;;;;;OAQG;IACG,0BAA0B,CAAC,MAAM,EAAE;QACvC,oBAAoB,EAAE,2BAA2B,CAAC;QAClD,sBAAsB,EAAE,6BAA6B,CAAC;QACtD,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,IAAI,CAAC;IAiHjB;;;;;OAKG;IACG,2BAA2B,CAC/B,sBAAsB,EAAE,6BAA6B,GACpD,OAAO,CAAC,MAAM,CAAC;IAkDlB;;;;;;;;OAQG;IACG,2BAA2B,CAC/B,sBAAsB,EAAE,6BAA6B,GACpD,OAAO,CAAC,OAAO,CAAC;IAYnB;;;;;;;;;;;;OAYG;IACG,uBAAuB,CAAC,MAAM,EAAE;QACpC,sBAAsB,EAAE,6BAA6B,CAAC;QACtD,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;KACrB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkEjB;;;OAGG;IACH,aAAa,IAAI,IAAI;IAKrB;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACH,OAAO,IAAI,IAAI;CA2EhB"}
package/dist/PasskeyController.d.mts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"PasskeyController.d.mts","sourceRoot":"","sources":["../src/PasskeyController.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,wBAAwB,EACxB,2BAA2B,EAE5B,kCAAkC;AACnC,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AAIrD,OAAO,EACL,cAAc,EAGf,wBAAoB;AAIrB,OAAO,KAAK,EAIV,aAAa,EAEd,oBAAgB;AASjB,OAAO,KAAK,EACV,4BAA4B,EAC5B,6BAA6B,EAC7B,0BAA0B,EAC1B,2BAA2B,EAC5B,6BAAyB;AAI1B,MAAM,MAAM,sBAAsB,GAAG;IACnC,aAAa,EAAE,aAAa,GAAG,IAAI,CAAC;CACrC,CAAC;AAEF,MAAM,MAAM,+BAA+B,GAAG,wBAAwB,CACpE,OAAO,cAAc,EACrB,sBAAsB,CACvB,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,MAAM,wBAAwB,GAAG,+BAA+B,CAAC;AAEvE,MAAM,MAAM,kCAAkC,GAAG,2BAA2B,CAC1E,OAAO,cAAc,EACrB,sBAAsB,CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG,kCAAkC,CAAC;AAEzE,MAAM,MAAM,0BAA0B,GAAG,SAAS,CAChD,OAAO,cAAc,EACrB,wBAAwB,EACxB,uBAAuB,CACxB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gCAAgC,IAAI,sBAAsB,CAEzE;AAaD;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B;qCACJ,sBAAsB,KAAG,OAAO;CAElE,CAAC;AAEF;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,cAAc,CACnD,OAAO,cAAc,EACrB,sBAAsB,EACtB,0BAA0B,CAC3B;;IAeC;;;;;;;;;;;;;;;OAeG;gBACS,EACV,SAAS,EACT,KAAU,EACV,IAAI,EACJ,YAAY,EACZ,MAAM,EACN,cAAc,EACd,QAAQ,EACR,eAAe,GAChB,EAAE;QACD,SAAS,EAAE,0BAA0B,CAAC;QACtC,KAAK,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAChC,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B;IAoCD;;;;OAIG;IACH,iBAAiB,IAAI,OAAO;IAI5B;;;;;;OAMG;IACH,2BAA2B,CAAC,qBAAqB,CAAC,EAAE;QAClD,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,GAAG,0BAA0B;IAuD9B;;;;;;;OAOG;IACH,6CAA6C,CAAC,MAAM,EAAE;QACpD,oBAAoB,EAAE,2BAA2B,CAAC;KACnD,GAAG,4BAA4B;IAiDhC;;;;OAIG;IACH,6BAA6B,IAAI,4BAA4B;IAkC7D;;;;;;;;OAQG;IACG,0BAA0B,CAAC,MAAM,EAAE;QACvC,oBAAoB,EAAE,2BAA2B,CAAC;QAClD,sBAAsB,EAAE,6BAA6B,CAAC;QACtD,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,IAAI,CAAC;IAiHjB;;;;;OAKG;IACG,2BAA2B,CAC/B,sBAAsB,EAAE,6BAA6B,GACpD,OAAO,CAAC,MAAM,CAAC;IAkDlB;;;;;;;;OAQG;IACG,2BAA2B,CAC/B,sBAAsB,EAAE,6BAA6B,GACpD,OAAO,CAAC,OAAO,CAAC;IAYnB;;;;;;;;;;;;OAYG;IACG,uBAAuB,CAAC,MAAM,EAAE;QACpC,sBAAsB,EAAE,6BAA6B,CAAC;QACtD,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;KACrB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkEjB;;;OAGG;IACH,aAAa,IAAI,IAAI;IAKrB;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACH,OAAO,IAAI,IAAI;CA4EhB"}
1
+ {"version":3,"file":"PasskeyController.d.mts","sourceRoot":"","sources":["../src/PasskeyController.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,wBAAwB,EACxB,2BAA2B,EAE5B,kCAAkC;AACnC,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AAIrD,OAAO,EACL,cAAc,EAGf,wBAAoB;AAIrB,OAAO,KAAK,EAIV,aAAa,EAEd,oBAAgB;AASjB,OAAO,KAAK,EACV,4BAA4B,EAC5B,6BAA6B,EAC7B,0BAA0B,EAC1B,2BAA2B,EAC5B,6BAAyB;AAI1B,MAAM,MAAM,sBAAsB,GAAG;IACnC,aAAa,EAAE,aAAa,GAAG,IAAI,CAAC;CACrC,CAAC;AAEF,MAAM,MAAM,+BAA+B,GAAG,wBAAwB,CACpE,OAAO,cAAc,EACrB,sBAAsB,CACvB,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,MAAM,wBAAwB,GAAG,+BAA+B,CAAC;AAEvE,MAAM,MAAM,kCAAkC,GAAG,2BAA2B,CAC1E,OAAO,cAAc,EACrB,sBAAsB,CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG,kCAAkC,CAAC;AAEzE,MAAM,MAAM,0BAA0B,GAAG,SAAS,CAChD,OAAO,cAAc,EACrB,wBAAwB,EACxB,uBAAuB,CACxB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gCAAgC,IAAI,sBAAsB,CAEzE;AAaD;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B;qCACJ,sBAAsB,KAAG,OAAO;CAElE,CAAC;AAEF;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,cAAc,CACnD,OAAO,cAAc,EACrB,sBAAsB,EACtB,0BAA0B,CAC3B;;IAeC;;;;;;;;;;;;;;;OAeG;gBACS,EACV,SAAS,EACT,KAAU,EACV,IAAI,EACJ,YAAY,EACZ,MAAM,EACN,cAAc,EACd,QAAQ,EACR,eAAe,GAChB,EAAE;QACD,SAAS,EAAE,0BAA0B,CAAC;QACtC,KAAK,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAChC,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B;IAoCD;;;;OAIG;IACH,iBAAiB,IAAI,OAAO;IAI5B;;;;;;OAMG;IACH,2BAA2B,CAAC,qBAAqB,CAAC,EAAE;QAClD,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,GAAG,0BAA0B;IAuD9B;;;;;;;OAOG;IACH,6CAA6C,CAAC,MAAM,EAAE;QACpD,oBAAoB,EAAE,2BAA2B,CAAC;KACnD,GAAG,4BAA4B;IAiDhC;;;;OAIG;IACH,6BAA6B,IAAI,4BAA4B;IAkC7D;;;;;;;;OAQG;IACG,0BAA0B,CAAC,MAAM,EAAE;QACvC,oBAAoB,EAAE,2BAA2B,CAAC;QAClD,sBAAsB,EAAE,6BAA6B,CAAC;QACtD,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,IAAI,CAAC;IAiHjB;;;;;OAKG;IACG,2BAA2B,CAC/B,sBAAsB,EAAE,6BAA6B,GACpD,OAAO,CAAC,MAAM,CAAC;IAkDlB;;;;;;;;OAQG;IACG,2BAA2B,CAC/B,sBAAsB,EAAE,6BAA6B,GACpD,OAAO,CAAC,OAAO,CAAC;IAYnB;;;;;;;;;;;;OAYG;IACG,uBAAuB,CAAC,MAAM,EAAE;QACpC,sBAAsB,EAAE,6BAA6B,CAAC;QACtD,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;KACrB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkEjB;;;OAGG;IACH,aAAa,IAAI,IAAI;IAKrB;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACH,OAAO,IAAI,IAAI;CA2EhB"}
package/dist/PasskeyController.mjs CHANGED
@@ -141,7 +141,7 @@ export class PasskeyController extends BaseController {
141
141
  ],
142
142
  timeout: WEBAUTHN_TIMEOUT_MS,
143
143
  authenticatorSelection: {
144
- userVerification: 'preferred',
144
+ userVerification: 'required',
145
145
  authenticatorAttachment: 'platform',
146
146
  residentKey: 'preferred',
147
147
  },
@@ -190,7 +190,7 @@ export class PasskeyController extends BaseController {
190
190
  transports: registrationResponse.response.transports,
191
191
  },
192
192
  ],
193
- userVerification: 'preferred',
193
+ userVerification: 'required',
194
194
  hints: ['client-device', 'hybrid'],
195
195
  timeout: WEBAUTHN_TIMEOUT_MS,
196
196
  extensions,
@@ -224,7 +224,7 @@ export class PasskeyController extends BaseController {
224
224
  transports: record.credential.transports,
225
225
  },
226
226
  ],
227
- userVerification: 'preferred',
227
+ userVerification: 'required',
228
228
  hints: ['client-device', 'hybrid'],
229
229
  timeout: WEBAUTHN_TIMEOUT_MS,
230
230
  extensions,
@@ -263,7 +263,7 @@ export class PasskeyController extends BaseController {
263
263
  expectedChallenge: registrationCeremony.challenge,
264
264
  expectedOrigin: __classPrivateFieldGet(this, _PasskeyController_expectedOrigin, "f"),
265
265
  expectedRPIDs: __classPrivateFieldGet(this, _PasskeyController_expectedRPIDs, "f"),
266
- requireUserVerification: false,
266
+ requireUserVerification: true,
267
267
  }).catch((error) => {
268
268
  log('Error verifying passkey registration response', error);
269
269
  throw new PasskeyControllerError(PasskeyControllerErrorMessage.RegistrationVerificationFailed, {
@@ -478,8 +478,7 @@ async function _PasskeyController_verifyAuthenticationResponse(authenticationRes
478
478
  counter: credential.counter,
479
479
  transports: credential.transports,
480
480
  },
481
- // UV optional for device compatibility; vault key remains password-gated.
482
- requireUserVerification: false,
481
+ requireUserVerification: true,
483
482
  }).catch((error) => {
484
483
  log('Error verifying passkey authentication response', error instanceof Error ? error : new Error(String(error)));
485
484
  throw new PasskeyControllerError(PasskeyControllerErrorMessage.AuthenticationVerificationFailed, {
package/dist/PasskeyController.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"PasskeyController.mjs","sourceRoot":"","sources":["../src/PasskeyController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAKA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAE3D,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,wBAAwB;AAErE,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,+BAA2B;AAC1E,OAAO,EACL,cAAc,EACd,0BAA0B,EAC1B,6BAA6B,EAC9B,wBAAoB;AACrB,OAAO,EAAE,sBAAsB,EAAE,qBAAiB;AAClD,OAAO,EAAE,mCAAmC,EAAE,6BAAyB;AACvE,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,qBAAiB;AAQ7D,OAAO,EACL,cAAc,EACd,cAAc,EACd,sBAAsB,EACvB,2BAAuB;AACxB,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,6BAAyB;AACtE,OAAO,EAAE,OAAO,EAAE,iCAA6B;AAC/C,OAAO,EAAE,oBAAoB,EAAE,+CAA2C;AAO1E,OAAO,EAAE,4BAA4B,EAAE,sDAAkD;AACzF,OAAO,EAAE,0BAA0B,EAAE,oDAAgD;AAoCrF;;;;GAIG;AACH,MAAM,UAAU,gCAAgC;IAC9C,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,yBAAyB,GAAG;IAChC,aAAa,EAAE;QACb,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,kBAAkB,EAAE,KAAK;QACzB,QAAQ,EAAE,IAAI;KACf;CAC8C,CAAC;AAElD,MAAM,GAAG,GAAG,kBAAkB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,uBAAuB,EAAE,CAAC,KAA6B,EAAW,EAAE,CAClE,KAAK,CAAC,aAAa,KAAK,IAAI;CAC/B,CAAC;AAEF;;;GAGG;AACH,MAAM,OAAO,iBAAkB,SAAQ,cAItC;IAeC;;;;;;;;;;;;;;;OAeG;IACH,YAAY,EACV,SAAS,EACT,KAAK,GAAG,EAAE,EACV,IAAI,EACJ,YAAY,EACZ,MAAM,EACN,cAAc,EACd,QAAQ,EACR,eAAe,GAUhB;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ,EAAE,yBAAyB;YACnC,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,gCAAgC,EAAE,EAAE,GAAG,KAAK,EAAE;SAC3D,CAAC,CAAC;;QAtDI,6CAAmB,IAAI,eAAe,EAAE,EAAC;QAEzC,mDAAyB;QAEzB,0CAA0B;QAE1B,4CAAgB;QAEhB,oDAAmC;QAEnC,8CAAkB;QAElB,qDAAyB;QA4ChC,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;YAC/C,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QACnB,uBAAA,IAAI,oCAAkB,CAAC,GAAG,aAAa,CAAC,MAAA,CAAC;QACzC,uBAAA,IAAI,2BAAS,IAAI,MAAA,CAAC;QAClB,uBAAA,IAAI,6BAAW,MAAM,MAAA,CAAC;QACtB,uBAAA,IAAI,qCAAmB,cAAc,MAAA,CAAC;QACtC,uBAAA,IAAI,+BAAa,QAAQ,IAAI,MAAM,MAAA,CAAC;QACpC,uBAAA,IAAI,sCAAoB,eAAe,IAAI,MAAM,MAAA,CAAC;IACpD,CAAC;IAmBD;;;;OAIG;IACH,iBAAiB;QACf,OAAO,0BAA0B,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;OAMG;IACH,2BAA2B,CAAC,qBAE3B;QACC,IAAI,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,eAAe,EAC7C,EAAE,IAAI,EAAE,0BAA0B,CAAC,eAAe,EAAE,CACrD,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,qBAAqB,EAAE,YAAY,KAAK,KAAK,CAAC;QACjE,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACpE,MAAM,UAAU,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAE7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,OAAO,EAAE,CAAC;YACZ,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC;QAChD,CAAC;QAED,MAAM,OAAO,GAA+B;YAC1C,EAAE,EAAE;gBACF,IAAI,EAAE,uBAAA,IAAI,iCAAQ;gBAClB,EAAE,EAAE,uBAAA,IAAI,+BAAM;aACf;YACD,IAAI,EAAE;gBACJ,EAAE,EAAE,UAAU;gBACd,IAAI,EAAE,uBAAA,IAAI,mCAAU;gBACpB,WAAW,EAAE,uBAAA,IAAI,0CAAiB;aACnC;YACD,SAAS;YACT,gBAAgB,EAAE;gBAChB,EAAE,GAAG,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;gBAC1C,EAAE,GAAG,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;gBAC1C,EAAE,GAAG,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;aAC3C;YACD,OAAO,EAAE,mBAAmB;YAC5B,sBAAsB,EAAE;gBACtB,gBAAgB,EAAE,WAAW;gBAC7B,uBAAuB,EAAE,UAAU;gBACnC,WAAW,EAAE,WAAW;aACzB;YACD,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,WAAW,EAAE,MAAM;YACnB,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9D,CAAC;QAEF,uBAAA,IAAI,0CAAiB,CAAC,wBAAwB,CAAC,SAAS,EAAE;YACxD,UAAU;YACV,OAAO;YACP,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;OAOG;IACH,6CAA6C,CAAC,MAE7C;QACC,4BAA4B;QAC5B,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,CAAC;QACxC,MAAM,YAAY,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACvB,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAC7C,CAAC;QACF,MAAM,oBAAoB,GACxB,uBAAA,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,YAAY,CAAC,CAAC;QAC9D,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,GAAG,CAAC,uDAAuD,CAAC,CAAC;YAC7D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,sBAAsB,EACpD,EAAE,IAAI,EAAE,0BAA0B,CAAC,sBAAsB,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,MAAM,SAAS,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAC7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,oBAAoB,CAAC,OAAO,EAAE,CAAC;YACjC,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,oBAAoB,CAAC,OAAO,EAAE,EAAE,CAAC;QACrE,CAAC;QACD,MAAM,OAAO,GAAiC;YAC5C,SAAS;YACT,IAAI,EAAE,uBAAA,IAAI,+BAAM;YAChB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,oBAAoB,CAAC,EAAE;oBAC3B,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,oBAAoB,CAAC,QAAQ,CAAC,UAE7B;iBACd;aACF;YACD,gBAAgB,EAAE,WAAW;YAC7B,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,OAAO,EAAE,mBAAmB;YAC5B,UAAU;SACX,CAAC;QAEF,qBAAqB;QACrB,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,EAAE;YAC1D,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;OAIG;IACH,6BAA6B;QAC3B,MAAM,MAAM,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAEvC,MAAM,SAAS,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAE7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QACrE,CAAC;QAED,MAAM,OAAO,GAAiC;YAC5C,SAAS;YACT,IAAI,EAAE,uBAAA,IAAI,+BAAM;YAChB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE;oBACxB,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,UAAU;iBACzC;aACF;YACD,gBAAgB,EAAE,WAAW;YAC7B,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,OAAO,EAAE,mBAAmB;YAC5B,UAAU;SACX,CAAC;QAEF,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,EAAE;YAC1D,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,0BAA0B,CAAC,MAIhC;QACC,IAAI,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,eAAe,EAC7C,EAAE,IAAI,EAAE,0BAA0B,CAAC,eAAe,EAAE,CACrD,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;QAE1E,4BAA4B;QAC5B,MAAM,SAAS,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACpB,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAC7C,CAAC;QACF,MAAM,oBAAoB,GACxB,uBAAA,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,GAAG,CAAC,uDAAuD,CAAC,CAAC;YAC7D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,sBAAsB,EACpD,EAAE,IAAI,EAAE,0BAA0B,CAAC,sBAAsB,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,+BAA+B;YAC/B,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,MAAM,0BAA0B,CAAC;gBACtE,QAAQ,EAAE,oBAAoB;gBAC9B,iBAAiB,EAAE,oBAAoB,CAAC,SAAS;gBACjD,cAAc,EAAE,uBAAA,IAAI,yCAAgB;gBACpC,aAAa,EAAE,uBAAA,IAAI,wCAAe;gBAClC,uBAAuB,EAAE,KAAK;aAC/B,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;gBACjB,GAAG,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;gBAC5D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,8BAA8B,EAC5D;oBACE,IAAI,EAAE,0BAA0B,CAAC,8BAA8B;oBAC/D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;iBACjE,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACnC,GAAG,CACD,oFAAoF,CACrF,CAAC;gBACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,8BAA8B,EAC5D,EAAE,IAAI,EAAE,0BAA0B,CAAC,8BAA8B,EAAE,CACpE,CAAC;YACJ,CAAC;YAED,iCAAiC;YACjC,MAAM,UAAU,GAAG;gBACjB,EAAE,EAAE,gBAAgB,CAAC,YAAY;gBACjC,SAAS,EAAE,gBAAgB,CAAC,gBAAgB,CAAC,SAAS,CAAC;gBACvD,OAAO,EAAE,gBAAgB,CAAC,OAAO;gBACjC,UAAU,EAAE,gBAAgB,CAAC,UAAU;gBACvC,MAAM,EAAE,gBAAgB,CAAC,MAAM;aAChC,CAAC;YACF,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,uBAAA,IAAI,qFAA8B,MAAlC,IAAI,EAC/B,sBAAsB,EACtB,UAAU,CACX,CAAC;YAEF,kCAAkC;YAClC,MAAM,QAAQ,GACZ,sBAAsB,CAAC,sBACxB,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC;YACvB,MAAM,gBAAgB,GACpB,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YACtD,MAAM,aAAa,GACjB,gBAAgB,IAAI,oBAAoB,CAAC,OAAO;gBAC9C,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,oBAAoB,CAAC,OAAO,EAAE;gBAC1D,CAAC,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;YAE/B,IACE,aAAa,CAAC,MAAM,KAAK,YAAY;gBACrC,sBAAsB,CAAC,QAAQ,CAAC,UAAU;oBACxC,oBAAoB,CAAC,UAAU,EACjC,CAAC;gBACD,GAAG,CACD,6EAA6E,CAC9E,CAAC;gBACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,gCAAgC,EAC9D,EAAE,IAAI,EAAE,0BAA0B,CAAC,gCAAgC,EAAE,CACtE,CAAC;YACJ,CAAC;YAED,mCAAmC;YACnC,MAAM,MAAM,GAAG,mCAAmC,CAChD,sBAAsB,EACtB,EAAE,UAAU,EAAE,aAAa,EAAE,CAC9B,CAAC;YACF,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAE5D,yBAAyB;YACzB,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;gBACpB,KAAK,CAAC,aAAa,GAAG;oBACpB,UAAU,EAAE;wBACV,GAAG,UAAU;wBACb,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC;qBAClD;oBACD,iBAAiB,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE;oBACrC,aAAa;iBACd,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,+BAA+B;YAC/B,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,2BAA2B,CAC/B,sBAAqD;QAErD,MAAM,aAAa,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAE9C,oDAAoD;QACpD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,uBAAA,IAAI,qFAA8B,MAAlC,IAAI,EAC/B,sBAAsB,EACtB,aAAa,CAAC,UAAU,CACzB,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,WAAW,EACzC,EAAE,IAAI,EAAE,0BAA0B,CAAC,WAAW,EAAE,CACjD,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,CAC/C,UAAU,EACV,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,OAAO,CACvC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,aAAa;QACb,MAAM,MAAM,GAAG,mCAAmC,CAChD,sBAAsB,EACtB,aAAa,CACd,CAAC;QAEF,oBAAoB;QACpB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,cAAc,CAC7B,aAAa,CAAC,iBAAiB,CAAC,UAAU,EAC1C,aAAa,CAAC,iBAAiB,CAAC,EAAE,EAClC,MAAM,CACP,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CACD,yCAAyC,EACzC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,wBAAwB,EACtD;gBACE,IAAI,EAAE,0BAA0B,CAAC,wBAAwB;gBACzD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,2BAA2B,CAC/B,sBAAqD;QAErD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,2BAA2B,CAAC,sBAAsB,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAI,KAAK,YAAY,sBAAsB,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACxE,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,uBAAuB,CAAC,MAI7B;QACC,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,CAAC;QAC1C,MAAM,aAAa,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAE9C,aAAa;QACb,MAAM,MAAM,GAAG,mCAAmC,CAChD,sBAAsB,EACtB,aAAa,CACd,CAAC;QAEF,oBAAoB;QACpB,IAAI,iBAAyB,CAAC;QAC9B,IAAI,CAAC;YACH,iBAAiB,GAAG,cAAc,CAChC,aAAa,CAAC,iBAAiB,CAAC,UAAU,EAC1C,aAAa,CAAC,iBAAiB,CAAC,EAAE,EAClC,MAAM,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CACD,6DAA6D,EAC7D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,wBAAwB,EACtD;gBACE,IAAI,EAAE,0BAA0B,CAAC,wBAAwB;gBACzD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAC5C,IACE,CAAC,mBAAmB,CAClB,aAAa,CAAC,iBAAiB,CAAC,EAChC,aAAa,CAAC,WAAW,CAAC,CAC3B,EACD,CAAC;YACD,GAAG,CACD,0EAA0E,CAC3E,CAAC;YACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,gBAAgB,EAC9C,EAAE,IAAI,EAAE,0BAA0B,CAAC,gBAAgB,EAAE,CACtD,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,cAAc,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE/D,4EAA4E;QAC5E,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,WAAW,EACzC;oBACE,IAAI,EAAE,0BAA0B,CAAC,WAAW;iBAC7C,CACF,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,aAAa,CAAC,iBAAiB,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC7D,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,aAAa;QACX,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,gCAAgC,EAAE,CAAC,CAAC;QACtD,uBAAA,IAAI,0CAAiB,CAAC,KAAK,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,uBAAA,IAAI,0CAAiB,CAAC,KAAK,EAAE,CAAC;QAC9B,KAAK,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC;CAyEF;;IA5jBG,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,WAAW,EACzC;YACE,IAAI,EAAE,0BAA0B,CAAC,WAAW;SAC7C,CACF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,yGAE2B,cAAsB;IAChD,OAAO,oBAAoB,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAueD;;;;;;GAMG;AACH,KAAK,0DACH,sBAAqD,EACrD,UAAiC;IAEjC,gBAAgB;IAChB,MAAM,SAAS,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACpB,sBAAsB,CAAC,QAAQ,CAAC,cAAc,CAC/C,CAAC;IAEF,8BAA8B;IAC9B,MAAM,sBAAsB,GAC1B,uBAAA,IAAI,0CAAiB,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;IAC7D,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,GAAG,CAAC,yDAAyD,CAAC,CAAC;QAC/D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,wBAAwB,EACtD,EAAE,IAAI,EAAE,0BAA0B,CAAC,wBAAwB,EAAE,CAC9D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,iCAAiC;QACjC,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC;YAChD,QAAQ,EAAE,sBAAsB;YAChC,iBAAiB,EAAE,sBAAsB,CAAC,SAAS;YACnD,cAAc,EAAE,uBAAA,IAAI,yCAAgB;YACpC,aAAa,EAAE,uBAAA,IAAI,wCAAe;YAClC,UAAU,EAAE;gBACV,EAAE,EAAE,UAAU,CAAC,EAAE;gBACjB,SAAS,EAAE,gBAAgB,CAAC,UAAU,CAAC,SAAS,CAAC;gBACjD,OAAO,EAAE,UAAU,CAAC,OAAO;gBAC3B,UAAU,EAAE,UAAU,CAAC,UAAU;aAClC;YACD,0EAA0E;YAC1E,uBAAuB,EAAE,KAAK;SAC/B,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACjB,GAAG,CACD,iDAAiD,EACjD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,gCAAgC,EAC9D;gBACE,IAAI,EAAE,0BAA0B,CAAC,gCAAgC;gBACjE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,GAAG,CAAC,yDAAyD,CAAC,CAAC;YAC/D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,gCAAgC,EAC9D;gBACE,IAAI,EAAE,0BAA0B,CAAC,gCAAgC;aAClE,CACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,iCAAiC;QACjC,uBAAA,IAAI,0CAAiB,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC;AACH,CAAC","sourcesContent":["import type {\n ControllerGetStateAction,\n ControllerStateChangedEvent,\n StateMetadata,\n} from '@metamask/base-controller';\nimport { BaseController } from '@metamask/base-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport { areUint8ArraysEqual, stringToBytes } from '@metamask/utils';\n\nimport { WEBAUTHN_TIMEOUT_MS, CeremonyManager } from './ceremony-manager';\nimport {\n controllerName,\n PasskeyControllerErrorCode,\n PasskeyControllerErrorMessage,\n} from './constants';\nimport { PasskeyControllerError } from './errors';\nimport { deriveKeyFromAuthenticationResponse } from './key-derivation';\nimport { createModuleLogger, projectLogger } from './logger';\nimport type {\n AuthenticatorTransportFuture,\n PasskeyCredentialInfo,\n PasskeyKeyDerivation,\n PasskeyRecord,\n PrfClientExtensionResults,\n} from './types';\nimport {\n decryptWithKey,\n encryptWithKey,\n randomBytesToBase64URL,\n} from './utils/crypto';\nimport { base64URLToBytes, bytesToBase64URL } from './utils/encoding';\nimport { COSEALG } from './webauthn/constants';\nimport { decodeClientDataJSON } from './webauthn/decode-client-data-json';\nimport type {\n PasskeyAuthenticationOptions,\n PasskeyAuthenticationResponse,\n PasskeyRegistrationOptions,\n PasskeyRegistrationResponse,\n} from './webauthn/types';\nimport { verifyAuthenticationResponse } from './webauthn/verify-authentication-response';\nimport { verifyRegistrationResponse } from './webauthn/verify-registration-response';\n\nexport type PasskeyControllerState = {\n passkeyRecord: PasskeyRecord | null;\n};\n\nexport type PasskeyControllerGetStateAction = ControllerGetStateAction<\n typeof controllerName,\n PasskeyControllerState\n>;\n\n/**\n * Actions exposed by {@link PasskeyController} on its messenger.\n *\n * Only `:getState` is exposed. Derived enrollment status is available via\n * {@link passkeyControllerSelectors.selectIsPasskeyEnrolled}, and lifecycle\n * methods ({@link PasskeyController.generateRegistrationOptions},\n * {@link PasskeyController.protectVaultKeyWithPasskey}, etc.) accept or\n * return non-`Json` runtime values (WebAuthn `PublicKeyCredential` objects\n * and the vault key string), so they require a direct controller reference.\n */\nexport type PasskeyControllerActions = PasskeyControllerGetStateAction;\n\nexport type PasskeyControllerStateChangedEvent = ControllerStateChangedEvent<\n typeof controllerName,\n PasskeyControllerState\n>;\n\nexport type PasskeyControllerEvents = PasskeyControllerStateChangedEvent;\n\nexport type PasskeyControllerMessenger = Messenger<\n typeof controllerName,\n PasskeyControllerActions,\n PasskeyControllerEvents\n>;\n\n/**\n * Returns the default (empty) state for {@link PasskeyController}.\n *\n * @returns A fresh state object with no enrolled passkey.\n */\nexport function getDefaultPasskeyControllerState(): PasskeyControllerState {\n return { passkeyRecord: null };\n}\n\nconst passkeyControllerMetadata = {\n passkeyRecord: {\n persist: true,\n includeInDebugSnapshot: false,\n includeInStateLogs: false,\n usedInUi: true,\n },\n} satisfies StateMetadata<PasskeyControllerState>;\n\nconst log = createModuleLogger(projectLogger, controllerName);\n\n/**\n * Selectors for {@link PasskeyControllerState}.\n *\n * Use these instead of dedicated getter methods on the controller, so that\n * derived values can be consumed from Redux selectors and other places that\n * only have access to a state object.\n */\nexport const passkeyControllerSelectors = {\n selectIsPasskeyEnrolled: (state: PasskeyControllerState): boolean =>\n state.passkeyRecord !== null,\n};\n\n/**\n * Controller that enrolls a WebAuthn passkey and uses it to protect and unlock\n * the vault encryption key.\n */\nexport class PasskeyController extends BaseController<\n typeof controllerName,\n PasskeyControllerState,\n PasskeyControllerMessenger\n> {\n readonly #ceremonyManager = new CeremonyManager();\n\n readonly #expectedRPIDs: string[];\n\n readonly #rpId: string | undefined;\n\n readonly #rpName: string;\n\n readonly #expectedOrigin: string | string[];\n\n readonly #userName: string;\n\n readonly #userDisplayName: string;\n\n /**\n * Creates a passkey controller with WebAuthn relying-party settings.\n *\n * @param args - Constructor options.\n * @param args.messenger - Controller messenger.\n * @param args.state - Partial initial state; merged with {@link getDefaultPasskeyControllerState}.\n * @param args.expectedRPID - Relying party ID(s) for verification (SHA-256 hash match in\n * authenticator data). Pass a string or array of strings; an empty array skips RP ID\n * allowlist checks in {@link verifyRegistrationResponse} / {@link verifyAuthenticationResponse}.\n * @param args.rpId - When set, included as `rp.id` on registration options and `rpId` on\n * authentication options. When omitted, those fields are left unset (client default RP ID).\n * @param args.rpName - Relying party name shown in the platform passkey UI.\n * @param args.expectedOrigin - Allowed value(s) for the WebAuthn client origin.\n * @param args.userName - Optional passkey user name; defaults to `rpName`.\n * @param args.userDisplayName - Optional display name; defaults to `rpName`.\n */\n constructor({\n messenger,\n state = {},\n rpId,\n expectedRPID,\n rpName,\n expectedOrigin,\n userName,\n userDisplayName,\n }: {\n messenger: PasskeyControllerMessenger;\n state?: Partial<PasskeyControllerState>;\n rpId?: string;\n expectedRPID: string | string[];\n rpName: string;\n expectedOrigin: string | string[];\n userName?: string;\n userDisplayName?: string;\n }) {\n super({\n messenger,\n metadata: passkeyControllerMetadata,\n name: controllerName,\n state: { ...getDefaultPasskeyControllerState(), ...state },\n });\n\n const expectedRPIDs = Array.isArray(expectedRPID)\n ? expectedRPID\n : [expectedRPID];\n this.#expectedRPIDs = [...expectedRPIDs];\n this.#rpId = rpId;\n this.#rpName = rpName;\n this.#expectedOrigin = expectedOrigin;\n this.#userName = userName ?? rpName;\n this.#userDisplayName = userDisplayName ?? rpName;\n }\n\n #requireEnrolled(): PasskeyRecord {\n const record = this.state.passkeyRecord;\n if (!record) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n {\n code: PasskeyControllerErrorCode.NotEnrolled,\n },\n );\n }\n return record;\n }\n\n #getChallengeFromClientData(clientDataJSON: string): string {\n return decodeClientDataJSON(clientDataJSON).challenge;\n }\n\n /**\n * Whether a passkey is enrolled and vault key material is stored.\n *\n * @returns `true` if enrolled, otherwise `false`.\n */\n isPasskeyEnrolled(): boolean {\n return passkeyControllerSelectors.selectIsPasskeyEnrolled(this.state);\n }\n\n /**\n * Builds WebAuthn credential creation options for passkey enrollment.\n *\n * @param creationOptionsConfig - Optional creation behavior.\n * @param creationOptionsConfig.prfAvailable - Request the PRF extension unless `false`. Defaults to `true`.\n * @returns Public key credential creation options for `navigator.credentials.create()`.\n */\n generateRegistrationOptions(creationOptionsConfig?: {\n prfAvailable?: boolean;\n }): PasskeyRegistrationOptions {\n if (this.isPasskeyEnrolled()) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AlreadyEnrolled,\n { code: PasskeyControllerErrorCode.AlreadyEnrolled },\n );\n }\n\n const includePrf = creationOptionsConfig?.prfAvailable !== false;\n const prfSalt = includePrf ? randomBytesToBase64URL(32) : undefined;\n const userHandle = randomBytesToBase64URL(64);\n const challenge = randomBytesToBase64URL(32);\n\n const extensions: Record<string, unknown> = {};\n if (prfSalt) {\n extensions.prf = { eval: { first: prfSalt } };\n }\n\n const options: PasskeyRegistrationOptions = {\n rp: {\n name: this.#rpName,\n id: this.#rpId,\n },\n user: {\n id: userHandle,\n name: this.#userName,\n displayName: this.#userDisplayName,\n },\n challenge,\n pubKeyCredParams: [\n { alg: COSEALG.EdDSA, type: 'public-key' },\n { alg: COSEALG.ES256, type: 'public-key' },\n { alg: COSEALG.RS256, type: 'public-key' },\n ],\n timeout: WEBAUTHN_TIMEOUT_MS,\n authenticatorSelection: {\n userVerification: 'preferred',\n authenticatorAttachment: 'platform',\n residentKey: 'preferred',\n },\n hints: ['client-device', 'hybrid'],\n attestation: 'none',\n ...(Object.keys(extensions).length > 0 ? { extensions } : {}),\n };\n\n this.#ceremonyManager.saveRegistrationCeremony(challenge, {\n userHandle,\n prfSalt,\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Builds WebAuthn credential request options for the post-registration\n * authentication step (between `create` and {@link protectVaultKeyWithPasskey}).\n *\n * @param params - Input for the pending registration ceremony.\n * @param params.registrationResponse - Result of `navigator.credentials.create()`.\n * @returns Public key credential request options for `navigator.credentials.get()`.\n */\n generatePostRegistrationAuthenticationOptions(params: {\n registrationResponse: PasskeyRegistrationResponse;\n }): PasskeyAuthenticationOptions {\n // get registration ceremony\n const { registrationResponse } = params;\n const regChallenge = this.#getChallengeFromClientData(\n registrationResponse.response.clientDataJSON,\n );\n const registrationCeremony =\n this.#ceremonyManager.getRegistrationCeremony(regChallenge);\n if (!registrationCeremony) {\n log('No active passkey registration ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoRegistrationCeremony,\n { code: PasskeyControllerErrorCode.NoRegistrationCeremony },\n );\n }\n\n // build auth options\n const challenge = randomBytesToBase64URL(32);\n const extensions: Record<string, unknown> = {};\n if (registrationCeremony.prfSalt) {\n extensions.prf = { eval: { first: registrationCeremony.prfSalt } };\n }\n const options: PasskeyAuthenticationOptions = {\n challenge,\n rpId: this.#rpId,\n allowCredentials: [\n {\n id: registrationResponse.id,\n type: 'public-key',\n transports: registrationResponse.response.transports as\n | AuthenticatorTransportFuture[]\n | undefined,\n },\n ],\n userVerification: 'preferred',\n hints: ['client-device', 'hybrid'],\n timeout: WEBAUTHN_TIMEOUT_MS,\n extensions,\n };\n\n // save auth ceremony\n this.#ceremonyManager.saveAuthenticationCeremony(challenge, {\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Builds WebAuthn credential request options for the enrolled passkey.\n *\n * @returns Public key credential request options for `navigator.credentials.get()`.\n */\n generateAuthenticationOptions(): PasskeyAuthenticationOptions {\n const record = this.#requireEnrolled();\n\n const challenge = randomBytesToBase64URL(32);\n\n const extensions: Record<string, unknown> = {};\n if (record.keyDerivation.method === 'prf') {\n extensions.prf = { eval: { first: record.keyDerivation.prfSalt } };\n }\n\n const options: PasskeyAuthenticationOptions = {\n challenge,\n rpId: this.#rpId,\n allowCredentials: [\n {\n id: record.credential.id,\n type: 'public-key',\n transports: record.credential.transports,\n },\n ],\n userVerification: 'preferred',\n hints: ['client-device', 'hybrid'],\n timeout: WEBAUTHN_TIMEOUT_MS,\n extensions,\n };\n\n this.#ceremonyManager.saveAuthenticationCeremony(challenge, {\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Verifies registration and post-registration authentication, then stores the\n * vault key encrypted under the new passkey.\n *\n * @param params - Enrollment completion inputs.\n * @param params.registrationResponse - Result of `navigator.credentials.create()`.\n * @param params.authenticationResponse - Result of `navigator.credentials.get()` after {@link generatePostRegistrationAuthenticationOptions}.\n * @param params.vaultKey - Vault encryption key to encrypt and persist.\n */\n async protectVaultKeyWithPasskey(params: {\n registrationResponse: PasskeyRegistrationResponse;\n authenticationResponse: PasskeyAuthenticationResponse;\n vaultKey: string;\n }): Promise<void> {\n if (this.isPasskeyEnrolled()) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AlreadyEnrolled,\n { code: PasskeyControllerErrorCode.AlreadyEnrolled },\n );\n }\n const { registrationResponse, authenticationResponse, vaultKey } = params;\n\n // get registration ceremony\n const challenge = this.#getChallengeFromClientData(\n registrationResponse.response.clientDataJSON,\n );\n const registrationCeremony =\n this.#ceremonyManager.getRegistrationCeremony(challenge);\n if (!registrationCeremony) {\n log('No active passkey registration ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoRegistrationCeremony,\n { code: PasskeyControllerErrorCode.NoRegistrationCeremony },\n );\n }\n\n try {\n // verify registration response\n const { verified, registrationInfo } = await verifyRegistrationResponse({\n response: registrationResponse,\n expectedChallenge: registrationCeremony.challenge,\n expectedOrigin: this.#expectedOrigin,\n expectedRPIDs: this.#expectedRPIDs,\n requireUserVerification: false,\n }).catch((error) => {\n log('Error verifying passkey registration response', error);\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.RegistrationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.RegistrationVerificationFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n });\n if (!verified || !registrationInfo) {\n log(\n 'Passkey registration verification returned unverified or missing registration info',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.RegistrationVerificationFailed,\n { code: PasskeyControllerErrorCode.RegistrationVerificationFailed },\n );\n }\n\n // verify authentication response\n const credential = {\n id: registrationInfo.credentialId,\n publicKey: bytesToBase64URL(registrationInfo.publicKey),\n counter: registrationInfo.counter,\n transports: registrationInfo.transports,\n aaguid: registrationInfo.aaguid,\n };\n const { newCounter } = await this.#verifyAuthenticationResponse(\n authenticationResponse,\n credential,\n );\n\n // determine key derivation method\n const prfFirst = (\n authenticationResponse.clientExtensionResults as PrfClientExtensionResults\n )?.prf?.results?.first;\n const authHasPrfOutput =\n typeof prfFirst === 'string' && prfFirst.length > 0;\n const keyDerivation: PasskeyKeyDerivation =\n authHasPrfOutput && registrationCeremony.prfSalt\n ? { method: 'prf', prfSalt: registrationCeremony.prfSalt }\n : { method: 'userHandle' };\n\n if (\n keyDerivation.method === 'userHandle' &&\n authenticationResponse.response.userHandle !==\n registrationCeremony.userHandle\n ) {\n log(\n 'Post-registration assertion userHandle does not match registration ceremony',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n { code: PasskeyControllerErrorCode.AuthenticationVerificationFailed },\n );\n }\n\n // derive key and encrypt vault key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n { credential, keyDerivation },\n );\n const { ciphertext, iv } = encryptWithKey(vaultKey, encKey);\n\n // persist passkey record\n this.update((state) => {\n state.passkeyRecord = {\n credential: {\n ...credential,\n counter: Math.max(newCounter, credential.counter),\n },\n encryptedVaultKey: { ciphertext, iv },\n keyDerivation,\n };\n });\n } finally {\n // delete registration ceremony\n this.#ceremonyManager.deleteRegistrationCeremony(challenge);\n }\n }\n\n /**\n * Verifies an authentication assertion and returns the decrypted vault key.\n *\n * @param authenticationResponse - Result of `navigator.credentials.get()`.\n * @returns The plaintext vault encryption key.\n */\n async retrieveVaultKeyWithPasskey(\n authenticationResponse: PasskeyAuthenticationResponse,\n ): Promise<string> {\n const passkeyRecord = this.#requireEnrolled();\n\n // verify authentication response and update counter\n const { newCounter } = await this.#verifyAuthenticationResponse(\n authenticationResponse,\n passkeyRecord.credential,\n );\n this.update((state) => {\n if (!state.passkeyRecord) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n { code: PasskeyControllerErrorCode.NotEnrolled },\n );\n }\n state.passkeyRecord.credential.counter = Math.max(\n newCounter,\n state.passkeyRecord.credential.counter,\n );\n });\n\n // derive key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n passkeyRecord,\n );\n\n // decrypt vault key\n try {\n const vaultKey = decryptWithKey(\n passkeyRecord.encryptedVaultKey.ciphertext,\n passkeyRecord.encryptedVaultKey.iv,\n encKey,\n );\n return vaultKey;\n } catch (cause) {\n log(\n 'Error decrypting vault key with passkey',\n cause instanceof Error ? cause : new Error(String(cause)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyDecryptionFailed,\n {\n code: PasskeyControllerErrorCode.VaultKeyDecryptionFailed,\n cause: cause instanceof Error ? cause : new Error(String(cause)),\n },\n );\n }\n }\n\n /**\n * Checks whether the given authentication assertion is valid for the enrolled passkey.\n *\n * On failure, returns `false` for {@link PasskeyControllerError} with a `code`;\n * other errors propagate.\n *\n * @param authenticationResponse - Result of `navigator.credentials.get()`.\n * @returns `true` if verification succeeds, otherwise `false`.\n */\n async verifyPasskeyAuthentication(\n authenticationResponse: PasskeyAuthenticationResponse,\n ): Promise<boolean> {\n try {\n await this.retrieveVaultKeyWithPasskey(authenticationResponse);\n return true;\n } catch (error: unknown) {\n if (error instanceof PasskeyControllerError && error.code !== undefined) {\n return false;\n }\n throw error;\n }\n }\n\n /**\n * Re-wraps the vault key after rotation. Updates persisted `encryptedVaultKey` on success.\n *\n * Does not verify WebAuthn or ceremony state—call only after your layer has authenticated\n * the user (passkey `get()` + verified assertion, or verified password). On passkey paths,\n * pass the same `authenticationResponse` you just verified (e.g. from\n * {@link retrieveVaultKeyWithPasskey} / {@link verifyPasskeyAuthentication}).\n *\n * @param params - Re-wrap inputs.\n * @param params.authenticationResponse - Used to derive the wrapping key.\n * @param params.oldVaultKey - Expected current vault key.\n * @param params.newVaultKey - New vault key to encrypt under the passkey.\n */\n async renewVaultKeyProtection(params: {\n authenticationResponse: PasskeyAuthenticationResponse;\n oldVaultKey: string;\n newVaultKey: string;\n }): Promise<void> {\n const { authenticationResponse } = params;\n const passkeyRecord = this.#requireEnrolled();\n\n // derive key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n passkeyRecord,\n );\n\n // decrypt vault key\n let decryptedVaultKey: string;\n try {\n decryptedVaultKey = decryptWithKey(\n passkeyRecord.encryptedVaultKey.ciphertext,\n passkeyRecord.encryptedVaultKey.iv,\n encKey,\n );\n } catch (error) {\n log(\n 'Error decrypting vault key during passkey vault key renewal',\n error instanceof Error ? error : new Error(String(error)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyDecryptionFailed,\n {\n code: PasskeyControllerErrorCode.VaultKeyDecryptionFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n }\n\n // check if vault key matches\n const { oldVaultKey, newVaultKey } = params;\n if (\n !areUint8ArraysEqual(\n stringToBytes(decryptedVaultKey),\n stringToBytes(oldVaultKey),\n )\n ) {\n log(\n 'Passkey renewal rejected: decrypted vault key does not match oldVaultKey',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyMismatch,\n { code: PasskeyControllerErrorCode.VaultKeyMismatch },\n );\n }\n\n // encrypt new vault key\n const { ciphertext, iv } = encryptWithKey(newVaultKey, encKey);\n\n // persist passkey record (mutate current state only for vault key material)\n this.update((state) => {\n if (!state.passkeyRecord) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n {\n code: PasskeyControllerErrorCode.NotEnrolled,\n },\n );\n }\n state.passkeyRecord.encryptedVaultKey = { ciphertext, iv };\n });\n }\n\n /**\n * Clears enrolled passkey state and in-flight ceremonies. Call only after the same\n * auth gate as renewal (verified passkey assertion or password).\n */\n removePasskey(): void {\n this.update(() => getDefaultPasskeyControllerState());\n this.#ceremonyManager.clear();\n }\n\n /**\n * Resets state and clears in-flight registration/authentication ceremonies.\n */\n clearState(): void {\n this.removePasskey();\n }\n\n /**\n * Releases all in-flight ceremony state and tears down the messenger.\n */\n destroy(): void {\n this.#ceremonyManager.clear();\n super.destroy();\n }\n\n /**\n * Validates a WebAuthn authentication response against stored credential data.\n *\n * @param authenticationResponse - Parsed authentication response from the client.\n * @param credential - Credential identifiers and public key material for verification.\n * @returns Updated authenticator signature counter.\n */\n async #verifyAuthenticationResponse(\n authenticationResponse: PasskeyAuthenticationResponse,\n credential: PasskeyCredentialInfo,\n ): Promise<{ newCounter: number }> {\n // get challenge\n const challenge = this.#getChallengeFromClientData(\n authenticationResponse.response.clientDataJSON,\n );\n\n // get authentication ceremony\n const authenticationCeremony =\n this.#ceremonyManager.getAuthenticationCeremony(challenge);\n if (!authenticationCeremony) {\n log('No active passkey authentication ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoAuthenticationCeremony,\n { code: PasskeyControllerErrorCode.NoAuthenticationCeremony },\n );\n }\n\n try {\n // verify authentication response\n const result = await verifyAuthenticationResponse({\n response: authenticationResponse,\n expectedChallenge: authenticationCeremony.challenge,\n expectedOrigin: this.#expectedOrigin,\n expectedRPIDs: this.#expectedRPIDs,\n credential: {\n id: credential.id,\n publicKey: base64URLToBytes(credential.publicKey),\n counter: credential.counter,\n transports: credential.transports,\n },\n // UV optional for device compatibility; vault key remains password-gated.\n requireUserVerification: false,\n }).catch((error) => {\n log(\n 'Error verifying passkey authentication response',\n error instanceof Error ? error : new Error(String(error)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.AuthenticationVerificationFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n });\n if (!result.verified) {\n log('Passkey authentication verification returned unverified');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.AuthenticationVerificationFailed,\n },\n );\n }\n\n return { newCounter: result.authenticationInfo.newCounter };\n } finally {\n // delete authentication ceremony\n this.#ceremonyManager.deleteAuthenticationCeremony(challenge);\n }\n }\n}\n"]}
1
+ {"version":3,"file":"PasskeyController.mjs","sourceRoot":"","sources":["../src/PasskeyController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAKA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAE3D,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,wBAAwB;AAErE,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,+BAA2B;AAC1E,OAAO,EACL,cAAc,EACd,0BAA0B,EAC1B,6BAA6B,EAC9B,wBAAoB;AACrB,OAAO,EAAE,sBAAsB,EAAE,qBAAiB;AAClD,OAAO,EAAE,mCAAmC,EAAE,6BAAyB;AACvE,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,qBAAiB;AAQ7D,OAAO,EACL,cAAc,EACd,cAAc,EACd,sBAAsB,EACvB,2BAAuB;AACxB,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,6BAAyB;AACtE,OAAO,EAAE,OAAO,EAAE,iCAA6B;AAC/C,OAAO,EAAE,oBAAoB,EAAE,+CAA2C;AAO1E,OAAO,EAAE,4BAA4B,EAAE,sDAAkD;AACzF,OAAO,EAAE,0BAA0B,EAAE,oDAAgD;AAoCrF;;;;GAIG;AACH,MAAM,UAAU,gCAAgC;IAC9C,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,yBAAyB,GAAG;IAChC,aAAa,EAAE;QACb,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,kBAAkB,EAAE,KAAK;QACzB,QAAQ,EAAE,IAAI;KACf;CAC8C,CAAC;AAElD,MAAM,GAAG,GAAG,kBAAkB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,uBAAuB,EAAE,CAAC,KAA6B,EAAW,EAAE,CAClE,KAAK,CAAC,aAAa,KAAK,IAAI;CAC/B,CAAC;AAEF;;;GAGG;AACH,MAAM,OAAO,iBAAkB,SAAQ,cAItC;IAeC;;;;;;;;;;;;;;;OAeG;IACH,YAAY,EACV,SAAS,EACT,KAAK,GAAG,EAAE,EACV,IAAI,EACJ,YAAY,EACZ,MAAM,EACN,cAAc,EACd,QAAQ,EACR,eAAe,GAUhB;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ,EAAE,yBAAyB;YACnC,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,gCAAgC,EAAE,EAAE,GAAG,KAAK,EAAE;SAC3D,CAAC,CAAC;;QAtDI,6CAAmB,IAAI,eAAe,EAAE,EAAC;QAEzC,mDAAyB;QAEzB,0CAA0B;QAE1B,4CAAgB;QAEhB,oDAAmC;QAEnC,8CAAkB;QAElB,qDAAyB;QA4ChC,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;YAC/C,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QACnB,uBAAA,IAAI,oCAAkB,CAAC,GAAG,aAAa,CAAC,MAAA,CAAC;QACzC,uBAAA,IAAI,2BAAS,IAAI,MAAA,CAAC;QAClB,uBAAA,IAAI,6BAAW,MAAM,MAAA,CAAC;QACtB,uBAAA,IAAI,qCAAmB,cAAc,MAAA,CAAC;QACtC,uBAAA,IAAI,+BAAa,QAAQ,IAAI,MAAM,MAAA,CAAC;QACpC,uBAAA,IAAI,sCAAoB,eAAe,IAAI,MAAM,MAAA,CAAC;IACpD,CAAC;IAmBD;;;;OAIG;IACH,iBAAiB;QACf,OAAO,0BAA0B,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;OAMG;IACH,2BAA2B,CAAC,qBAE3B;QACC,IAAI,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,eAAe,EAC7C,EAAE,IAAI,EAAE,0BAA0B,CAAC,eAAe,EAAE,CACrD,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,qBAAqB,EAAE,YAAY,KAAK,KAAK,CAAC;QACjE,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACpE,MAAM,UAAU,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAE7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,OAAO,EAAE,CAAC;YACZ,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC;QAChD,CAAC;QAED,MAAM,OAAO,GAA+B;YAC1C,EAAE,EAAE;gBACF,IAAI,EAAE,uBAAA,IAAI,iCAAQ;gBAClB,EAAE,EAAE,uBAAA,IAAI,+BAAM;aACf;YACD,IAAI,EAAE;gBACJ,EAAE,EAAE,UAAU;gBACd,IAAI,EAAE,uBAAA,IAAI,mCAAU;gBACpB,WAAW,EAAE,uBAAA,IAAI,0CAAiB;aACnC;YACD,SAAS;YACT,gBAAgB,EAAE;gBAChB,EAAE,GAAG,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;gBAC1C,EAAE,GAAG,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;gBAC1C,EAAE,GAAG,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;aAC3C;YACD,OAAO,EAAE,mBAAmB;YAC5B,sBAAsB,EAAE;gBACtB,gBAAgB,EAAE,UAAU;gBAC5B,uBAAuB,EAAE,UAAU;gBACnC,WAAW,EAAE,WAAW;aACzB;YACD,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,WAAW,EAAE,MAAM;YACnB,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9D,CAAC;QAEF,uBAAA,IAAI,0CAAiB,CAAC,wBAAwB,CAAC,SAAS,EAAE;YACxD,UAAU;YACV,OAAO;YACP,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;OAOG;IACH,6CAA6C,CAAC,MAE7C;QACC,4BAA4B;QAC5B,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,CAAC;QACxC,MAAM,YAAY,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACvB,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAC7C,CAAC;QACF,MAAM,oBAAoB,GACxB,uBAAA,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,YAAY,CAAC,CAAC;QAC9D,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,GAAG,CAAC,uDAAuD,CAAC,CAAC;YAC7D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,sBAAsB,EACpD,EAAE,IAAI,EAAE,0BAA0B,CAAC,sBAAsB,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,MAAM,SAAS,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAC7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,oBAAoB,CAAC,OAAO,EAAE,CAAC;YACjC,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,oBAAoB,CAAC,OAAO,EAAE,EAAE,CAAC;QACrE,CAAC;QACD,MAAM,OAAO,GAAiC;YAC5C,SAAS;YACT,IAAI,EAAE,uBAAA,IAAI,+BAAM;YAChB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,oBAAoB,CAAC,EAAE;oBAC3B,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,oBAAoB,CAAC,QAAQ,CAAC,UAE7B;iBACd;aACF;YACD,gBAAgB,EAAE,UAAU;YAC5B,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,OAAO,EAAE,mBAAmB;YAC5B,UAAU;SACX,CAAC;QAEF,qBAAqB;QACrB,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,EAAE;YAC1D,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;OAIG;IACH,6BAA6B;QAC3B,MAAM,MAAM,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAEvC,MAAM,SAAS,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAE7C,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,UAAU,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QACrE,CAAC;QAED,MAAM,OAAO,GAAiC;YAC5C,SAAS;YACT,IAAI,EAAE,uBAAA,IAAI,+BAAM;YAChB,gBAAgB,EAAE;gBAChB;oBACE,EAAE,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE;oBACxB,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,UAAU;iBACzC;aACF;YACD,gBAAgB,EAAE,UAAU;YAC5B,KAAK,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC;YAClC,OAAO,EAAE,mBAAmB;YAC5B,UAAU;SACX,CAAC;QAEF,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,EAAE;YAC1D,SAAS;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,0BAA0B,CAAC,MAIhC;QACC,IAAI,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,eAAe,EAC7C,EAAE,IAAI,EAAE,0BAA0B,CAAC,eAAe,EAAE,CACrD,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;QAE1E,4BAA4B;QAC5B,MAAM,SAAS,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACpB,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAC7C,CAAC;QACF,MAAM,oBAAoB,GACxB,uBAAA,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,GAAG,CAAC,uDAAuD,CAAC,CAAC;YAC7D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,sBAAsB,EACpD,EAAE,IAAI,EAAE,0BAA0B,CAAC,sBAAsB,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,+BAA+B;YAC/B,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,MAAM,0BAA0B,CAAC;gBACtE,QAAQ,EAAE,oBAAoB;gBAC9B,iBAAiB,EAAE,oBAAoB,CAAC,SAAS;gBACjD,cAAc,EAAE,uBAAA,IAAI,yCAAgB;gBACpC,aAAa,EAAE,uBAAA,IAAI,wCAAe;gBAClC,uBAAuB,EAAE,IAAI;aAC9B,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;gBACjB,GAAG,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;gBAC5D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,8BAA8B,EAC5D;oBACE,IAAI,EAAE,0BAA0B,CAAC,8BAA8B;oBAC/D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;iBACjE,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACnC,GAAG,CACD,oFAAoF,CACrF,CAAC;gBACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,8BAA8B,EAC5D,EAAE,IAAI,EAAE,0BAA0B,CAAC,8BAA8B,EAAE,CACpE,CAAC;YACJ,CAAC;YAED,iCAAiC;YACjC,MAAM,UAAU,GAAG;gBACjB,EAAE,EAAE,gBAAgB,CAAC,YAAY;gBACjC,SAAS,EAAE,gBAAgB,CAAC,gBAAgB,CAAC,SAAS,CAAC;gBACvD,OAAO,EAAE,gBAAgB,CAAC,OAAO;gBACjC,UAAU,EAAE,gBAAgB,CAAC,UAAU;gBACvC,MAAM,EAAE,gBAAgB,CAAC,MAAM;aAChC,CAAC;YACF,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,uBAAA,IAAI,qFAA8B,MAAlC,IAAI,EAC/B,sBAAsB,EACtB,UAAU,CACX,CAAC;YAEF,kCAAkC;YAClC,MAAM,QAAQ,GACZ,sBAAsB,CAAC,sBACxB,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC;YACvB,MAAM,gBAAgB,GACpB,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YACtD,MAAM,aAAa,GACjB,gBAAgB,IAAI,oBAAoB,CAAC,OAAO;gBAC9C,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,oBAAoB,CAAC,OAAO,EAAE;gBAC1D,CAAC,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;YAE/B,IACE,aAAa,CAAC,MAAM,KAAK,YAAY;gBACrC,sBAAsB,CAAC,QAAQ,CAAC,UAAU;oBACxC,oBAAoB,CAAC,UAAU,EACjC,CAAC;gBACD,GAAG,CACD,6EAA6E,CAC9E,CAAC;gBACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,gCAAgC,EAC9D,EAAE,IAAI,EAAE,0BAA0B,CAAC,gCAAgC,EAAE,CACtE,CAAC;YACJ,CAAC;YAED,mCAAmC;YACnC,MAAM,MAAM,GAAG,mCAAmC,CAChD,sBAAsB,EACtB,EAAE,UAAU,EAAE,aAAa,EAAE,CAC9B,CAAC;YACF,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAE5D,yBAAyB;YACzB,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;gBACpB,KAAK,CAAC,aAAa,GAAG;oBACpB,UAAU,EAAE;wBACV,GAAG,UAAU;wBACb,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC;qBAClD;oBACD,iBAAiB,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE;oBACrC,aAAa;iBACd,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,+BAA+B;YAC/B,uBAAA,IAAI,0CAAiB,CAAC,0BAA0B,CAAC,SAAS,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,2BAA2B,CAC/B,sBAAqD;QAErD,MAAM,aAAa,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAE9C,oDAAoD;QACpD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,uBAAA,IAAI,qFAA8B,MAAlC,IAAI,EAC/B,sBAAsB,EACtB,aAAa,CAAC,UAAU,CACzB,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,WAAW,EACzC,EAAE,IAAI,EAAE,0BAA0B,CAAC,WAAW,EAAE,CACjD,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,CAC/C,UAAU,EACV,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,OAAO,CACvC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,aAAa;QACb,MAAM,MAAM,GAAG,mCAAmC,CAChD,sBAAsB,EACtB,aAAa,CACd,CAAC;QAEF,oBAAoB;QACpB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,cAAc,CAC7B,aAAa,CAAC,iBAAiB,CAAC,UAAU,EAC1C,aAAa,CAAC,iBAAiB,CAAC,EAAE,EAClC,MAAM,CACP,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CACD,yCAAyC,EACzC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,wBAAwB,EACtD;gBACE,IAAI,EAAE,0BAA0B,CAAC,wBAAwB;gBACzD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,2BAA2B,CAC/B,sBAAqD;QAErD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,2BAA2B,CAAC,sBAAsB,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAI,KAAK,YAAY,sBAAsB,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACxE,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,uBAAuB,CAAC,MAI7B;QACC,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,CAAC;QAC1C,MAAM,aAAa,GAAG,uBAAA,IAAI,wEAAiB,MAArB,IAAI,CAAmB,CAAC;QAE9C,aAAa;QACb,MAAM,MAAM,GAAG,mCAAmC,CAChD,sBAAsB,EACtB,aAAa,CACd,CAAC;QAEF,oBAAoB;QACpB,IAAI,iBAAyB,CAAC;QAC9B,IAAI,CAAC;YACH,iBAAiB,GAAG,cAAc,CAChC,aAAa,CAAC,iBAAiB,CAAC,UAAU,EAC1C,aAAa,CAAC,iBAAiB,CAAC,EAAE,EAClC,MAAM,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CACD,6DAA6D,EAC7D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,wBAAwB,EACtD;gBACE,IAAI,EAAE,0BAA0B,CAAC,wBAAwB;gBACzD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAC5C,IACE,CAAC,mBAAmB,CAClB,aAAa,CAAC,iBAAiB,CAAC,EAChC,aAAa,CAAC,WAAW,CAAC,CAC3B,EACD,CAAC;YACD,GAAG,CACD,0EAA0E,CAC3E,CAAC;YACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,gBAAgB,EAC9C,EAAE,IAAI,EAAE,0BAA0B,CAAC,gBAAgB,EAAE,CACtD,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,cAAc,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE/D,4EAA4E;QAC5E,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,WAAW,EACzC;oBACE,IAAI,EAAE,0BAA0B,CAAC,WAAW;iBAC7C,CACF,CAAC;YACJ,CAAC;YACD,KAAK,CAAC,aAAa,CAAC,iBAAiB,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC7D,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,aAAa;QACX,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,gCAAgC,EAAE,CAAC,CAAC;QACtD,uBAAA,IAAI,0CAAiB,CAAC,KAAK,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,uBAAA,IAAI,0CAAiB,CAAC,KAAK,EAAE,CAAC;QAC9B,KAAK,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC;CAwEF;;IA3jBG,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,WAAW,EACzC;YACE,IAAI,EAAE,0BAA0B,CAAC,WAAW;SAC7C,CACF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,yGAE2B,cAAsB;IAChD,OAAO,oBAAoB,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAueD;;;;;;GAMG;AACH,KAAK,0DACH,sBAAqD,EACrD,UAAiC;IAEjC,gBAAgB;IAChB,MAAM,SAAS,GAAG,uBAAA,IAAI,mFAA4B,MAAhC,IAAI,EACpB,sBAAsB,CAAC,QAAQ,CAAC,cAAc,CAC/C,CAAC;IAEF,8BAA8B;IAC9B,MAAM,sBAAsB,GAC1B,uBAAA,IAAI,0CAAiB,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;IAC7D,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,GAAG,CAAC,yDAAyD,CAAC,CAAC;QAC/D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,wBAAwB,EACtD,EAAE,IAAI,EAAE,0BAA0B,CAAC,wBAAwB,EAAE,CAC9D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,iCAAiC;QACjC,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC;YAChD,QAAQ,EAAE,sBAAsB;YAChC,iBAAiB,EAAE,sBAAsB,CAAC,SAAS;YACnD,cAAc,EAAE,uBAAA,IAAI,yCAAgB;YACpC,aAAa,EAAE,uBAAA,IAAI,wCAAe;YAClC,UAAU,EAAE;gBACV,EAAE,EAAE,UAAU,CAAC,EAAE;gBACjB,SAAS,EAAE,gBAAgB,CAAC,UAAU,CAAC,SAAS,CAAC;gBACjD,OAAO,EAAE,UAAU,CAAC,OAAO;gBAC3B,UAAU,EAAE,UAAU,CAAC,UAAU;aAClC;YACD,uBAAuB,EAAE,IAAI;SAC9B,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACjB,GAAG,CACD,iDAAiD,EACjD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;YACF,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,gCAAgC,EAC9D;gBACE,IAAI,EAAE,0BAA0B,CAAC,gCAAgC;gBACjE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aACjE,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,GAAG,CAAC,yDAAyD,CAAC,CAAC;YAC/D,MAAM,IAAI,sBAAsB,CAC9B,6BAA6B,CAAC,gCAAgC,EAC9D;gBACE,IAAI,EAAE,0BAA0B,CAAC,gCAAgC;aAClE,CACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,iCAAiC;QACjC,uBAAA,IAAI,0CAAiB,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC;AACH,CAAC","sourcesContent":["import type {\n ControllerGetStateAction,\n ControllerStateChangedEvent,\n StateMetadata,\n} from '@metamask/base-controller';\nimport { BaseController } from '@metamask/base-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport { areUint8ArraysEqual, stringToBytes } from '@metamask/utils';\n\nimport { WEBAUTHN_TIMEOUT_MS, CeremonyManager } from './ceremony-manager';\nimport {\n controllerName,\n PasskeyControllerErrorCode,\n PasskeyControllerErrorMessage,\n} from './constants';\nimport { PasskeyControllerError } from './errors';\nimport { deriveKeyFromAuthenticationResponse } from './key-derivation';\nimport { createModuleLogger, projectLogger } from './logger';\nimport type {\n AuthenticatorTransportFuture,\n PasskeyCredentialInfo,\n PasskeyKeyDerivation,\n PasskeyRecord,\n PrfClientExtensionResults,\n} from './types';\nimport {\n decryptWithKey,\n encryptWithKey,\n randomBytesToBase64URL,\n} from './utils/crypto';\nimport { base64URLToBytes, bytesToBase64URL } from './utils/encoding';\nimport { COSEALG } from './webauthn/constants';\nimport { decodeClientDataJSON } from './webauthn/decode-client-data-json';\nimport type {\n PasskeyAuthenticationOptions,\n PasskeyAuthenticationResponse,\n PasskeyRegistrationOptions,\n PasskeyRegistrationResponse,\n} from './webauthn/types';\nimport { verifyAuthenticationResponse } from './webauthn/verify-authentication-response';\nimport { verifyRegistrationResponse } from './webauthn/verify-registration-response';\n\nexport type PasskeyControllerState = {\n passkeyRecord: PasskeyRecord | null;\n};\n\nexport type PasskeyControllerGetStateAction = ControllerGetStateAction<\n typeof controllerName,\n PasskeyControllerState\n>;\n\n/**\n * Actions exposed by {@link PasskeyController} on its messenger.\n *\n * Only `:getState` is exposed. Derived enrollment status is available via\n * {@link passkeyControllerSelectors.selectIsPasskeyEnrolled}, and lifecycle\n * methods ({@link PasskeyController.generateRegistrationOptions},\n * {@link PasskeyController.protectVaultKeyWithPasskey}, etc.) accept or\n * return non-`Json` runtime values (WebAuthn `PublicKeyCredential` objects\n * and the vault key string), so they require a direct controller reference.\n */\nexport type PasskeyControllerActions = PasskeyControllerGetStateAction;\n\nexport type PasskeyControllerStateChangedEvent = ControllerStateChangedEvent<\n typeof controllerName,\n PasskeyControllerState\n>;\n\nexport type PasskeyControllerEvents = PasskeyControllerStateChangedEvent;\n\nexport type PasskeyControllerMessenger = Messenger<\n typeof controllerName,\n PasskeyControllerActions,\n PasskeyControllerEvents\n>;\n\n/**\n * Returns the default (empty) state for {@link PasskeyController}.\n *\n * @returns A fresh state object with no enrolled passkey.\n */\nexport function getDefaultPasskeyControllerState(): PasskeyControllerState {\n return { passkeyRecord: null };\n}\n\nconst passkeyControllerMetadata = {\n passkeyRecord: {\n persist: true,\n includeInDebugSnapshot: false,\n includeInStateLogs: false,\n usedInUi: true,\n },\n} satisfies StateMetadata<PasskeyControllerState>;\n\nconst log = createModuleLogger(projectLogger, controllerName);\n\n/**\n * Selectors for {@link PasskeyControllerState}.\n *\n * Use these instead of dedicated getter methods on the controller, so that\n * derived values can be consumed from Redux selectors and other places that\n * only have access to a state object.\n */\nexport const passkeyControllerSelectors = {\n selectIsPasskeyEnrolled: (state: PasskeyControllerState): boolean =>\n state.passkeyRecord !== null,\n};\n\n/**\n * Controller that enrolls a WebAuthn passkey and uses it to protect and unlock\n * the vault encryption key.\n */\nexport class PasskeyController extends BaseController<\n typeof controllerName,\n PasskeyControllerState,\n PasskeyControllerMessenger\n> {\n readonly #ceremonyManager = new CeremonyManager();\n\n readonly #expectedRPIDs: string[];\n\n readonly #rpId: string | undefined;\n\n readonly #rpName: string;\n\n readonly #expectedOrigin: string | string[];\n\n readonly #userName: string;\n\n readonly #userDisplayName: string;\n\n /**\n * Creates a passkey controller with WebAuthn relying-party settings.\n *\n * @param args - Constructor options.\n * @param args.messenger - Controller messenger.\n * @param args.state - Partial initial state; merged with {@link getDefaultPasskeyControllerState}.\n * @param args.expectedRPID - Relying party ID(s) for verification (SHA-256 hash match in\n * authenticator data). Pass a string or array of strings; an empty array skips RP ID\n * allowlist checks in {@link verifyRegistrationResponse} / {@link verifyAuthenticationResponse}.\n * @param args.rpId - When set, included as `rp.id` on registration options and `rpId` on\n * authentication options. When omitted, those fields are left unset (client default RP ID).\n * @param args.rpName - Relying party name shown in the platform passkey UI.\n * @param args.expectedOrigin - Allowed value(s) for the WebAuthn client origin.\n * @param args.userName - Optional passkey user name; defaults to `rpName`.\n * @param args.userDisplayName - Optional display name; defaults to `rpName`.\n */\n constructor({\n messenger,\n state = {},\n rpId,\n expectedRPID,\n rpName,\n expectedOrigin,\n userName,\n userDisplayName,\n }: {\n messenger: PasskeyControllerMessenger;\n state?: Partial<PasskeyControllerState>;\n rpId?: string;\n expectedRPID: string | string[];\n rpName: string;\n expectedOrigin: string | string[];\n userName?: string;\n userDisplayName?: string;\n }) {\n super({\n messenger,\n metadata: passkeyControllerMetadata,\n name: controllerName,\n state: { ...getDefaultPasskeyControllerState(), ...state },\n });\n\n const expectedRPIDs = Array.isArray(expectedRPID)\n ? expectedRPID\n : [expectedRPID];\n this.#expectedRPIDs = [...expectedRPIDs];\n this.#rpId = rpId;\n this.#rpName = rpName;\n this.#expectedOrigin = expectedOrigin;\n this.#userName = userName ?? rpName;\n this.#userDisplayName = userDisplayName ?? rpName;\n }\n\n #requireEnrolled(): PasskeyRecord {\n const record = this.state.passkeyRecord;\n if (!record) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n {\n code: PasskeyControllerErrorCode.NotEnrolled,\n },\n );\n }\n return record;\n }\n\n #getChallengeFromClientData(clientDataJSON: string): string {\n return decodeClientDataJSON(clientDataJSON).challenge;\n }\n\n /**\n * Whether a passkey is enrolled and vault key material is stored.\n *\n * @returns `true` if enrolled, otherwise `false`.\n */\n isPasskeyEnrolled(): boolean {\n return passkeyControllerSelectors.selectIsPasskeyEnrolled(this.state);\n }\n\n /**\n * Builds WebAuthn credential creation options for passkey enrollment.\n *\n * @param creationOptionsConfig - Optional creation behavior.\n * @param creationOptionsConfig.prfAvailable - Request the PRF extension unless `false`. Defaults to `true`.\n * @returns Public key credential creation options for `navigator.credentials.create()`.\n */\n generateRegistrationOptions(creationOptionsConfig?: {\n prfAvailable?: boolean;\n }): PasskeyRegistrationOptions {\n if (this.isPasskeyEnrolled()) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AlreadyEnrolled,\n { code: PasskeyControllerErrorCode.AlreadyEnrolled },\n );\n }\n\n const includePrf = creationOptionsConfig?.prfAvailable !== false;\n const prfSalt = includePrf ? randomBytesToBase64URL(32) : undefined;\n const userHandle = randomBytesToBase64URL(64);\n const challenge = randomBytesToBase64URL(32);\n\n const extensions: Record<string, unknown> = {};\n if (prfSalt) {\n extensions.prf = { eval: { first: prfSalt } };\n }\n\n const options: PasskeyRegistrationOptions = {\n rp: {\n name: this.#rpName,\n id: this.#rpId,\n },\n user: {\n id: userHandle,\n name: this.#userName,\n displayName: this.#userDisplayName,\n },\n challenge,\n pubKeyCredParams: [\n { alg: COSEALG.EdDSA, type: 'public-key' },\n { alg: COSEALG.ES256, type: 'public-key' },\n { alg: COSEALG.RS256, type: 'public-key' },\n ],\n timeout: WEBAUTHN_TIMEOUT_MS,\n authenticatorSelection: {\n userVerification: 'required',\n authenticatorAttachment: 'platform',\n residentKey: 'preferred',\n },\n hints: ['client-device', 'hybrid'],\n attestation: 'none',\n ...(Object.keys(extensions).length > 0 ? { extensions } : {}),\n };\n\n this.#ceremonyManager.saveRegistrationCeremony(challenge, {\n userHandle,\n prfSalt,\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Builds WebAuthn credential request options for the post-registration\n * authentication step (between `create` and {@link protectVaultKeyWithPasskey}).\n *\n * @param params - Input for the pending registration ceremony.\n * @param params.registrationResponse - Result of `navigator.credentials.create()`.\n * @returns Public key credential request options for `navigator.credentials.get()`.\n */\n generatePostRegistrationAuthenticationOptions(params: {\n registrationResponse: PasskeyRegistrationResponse;\n }): PasskeyAuthenticationOptions {\n // get registration ceremony\n const { registrationResponse } = params;\n const regChallenge = this.#getChallengeFromClientData(\n registrationResponse.response.clientDataJSON,\n );\n const registrationCeremony =\n this.#ceremonyManager.getRegistrationCeremony(regChallenge);\n if (!registrationCeremony) {\n log('No active passkey registration ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoRegistrationCeremony,\n { code: PasskeyControllerErrorCode.NoRegistrationCeremony },\n );\n }\n\n // build auth options\n const challenge = randomBytesToBase64URL(32);\n const extensions: Record<string, unknown> = {};\n if (registrationCeremony.prfSalt) {\n extensions.prf = { eval: { first: registrationCeremony.prfSalt } };\n }\n const options: PasskeyAuthenticationOptions = {\n challenge,\n rpId: this.#rpId,\n allowCredentials: [\n {\n id: registrationResponse.id,\n type: 'public-key',\n transports: registrationResponse.response.transports as\n | AuthenticatorTransportFuture[]\n | undefined,\n },\n ],\n userVerification: 'required',\n hints: ['client-device', 'hybrid'],\n timeout: WEBAUTHN_TIMEOUT_MS,\n extensions,\n };\n\n // save auth ceremony\n this.#ceremonyManager.saveAuthenticationCeremony(challenge, {\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Builds WebAuthn credential request options for the enrolled passkey.\n *\n * @returns Public key credential request options for `navigator.credentials.get()`.\n */\n generateAuthenticationOptions(): PasskeyAuthenticationOptions {\n const record = this.#requireEnrolled();\n\n const challenge = randomBytesToBase64URL(32);\n\n const extensions: Record<string, unknown> = {};\n if (record.keyDerivation.method === 'prf') {\n extensions.prf = { eval: { first: record.keyDerivation.prfSalt } };\n }\n\n const options: PasskeyAuthenticationOptions = {\n challenge,\n rpId: this.#rpId,\n allowCredentials: [\n {\n id: record.credential.id,\n type: 'public-key',\n transports: record.credential.transports,\n },\n ],\n userVerification: 'required',\n hints: ['client-device', 'hybrid'],\n timeout: WEBAUTHN_TIMEOUT_MS,\n extensions,\n };\n\n this.#ceremonyManager.saveAuthenticationCeremony(challenge, {\n challenge,\n createdAt: Date.now(),\n });\n\n return options;\n }\n\n /**\n * Verifies registration and post-registration authentication, then stores the\n * vault key encrypted under the new passkey.\n *\n * @param params - Enrollment completion inputs.\n * @param params.registrationResponse - Result of `navigator.credentials.create()`.\n * @param params.authenticationResponse - Result of `navigator.credentials.get()` after {@link generatePostRegistrationAuthenticationOptions}.\n * @param params.vaultKey - Vault encryption key to encrypt and persist.\n */\n async protectVaultKeyWithPasskey(params: {\n registrationResponse: PasskeyRegistrationResponse;\n authenticationResponse: PasskeyAuthenticationResponse;\n vaultKey: string;\n }): Promise<void> {\n if (this.isPasskeyEnrolled()) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AlreadyEnrolled,\n { code: PasskeyControllerErrorCode.AlreadyEnrolled },\n );\n }\n const { registrationResponse, authenticationResponse, vaultKey } = params;\n\n // get registration ceremony\n const challenge = this.#getChallengeFromClientData(\n registrationResponse.response.clientDataJSON,\n );\n const registrationCeremony =\n this.#ceremonyManager.getRegistrationCeremony(challenge);\n if (!registrationCeremony) {\n log('No active passkey registration ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoRegistrationCeremony,\n { code: PasskeyControllerErrorCode.NoRegistrationCeremony },\n );\n }\n\n try {\n // verify registration response\n const { verified, registrationInfo } = await verifyRegistrationResponse({\n response: registrationResponse,\n expectedChallenge: registrationCeremony.challenge,\n expectedOrigin: this.#expectedOrigin,\n expectedRPIDs: this.#expectedRPIDs,\n requireUserVerification: true,\n }).catch((error) => {\n log('Error verifying passkey registration response', error);\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.RegistrationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.RegistrationVerificationFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n });\n if (!verified || !registrationInfo) {\n log(\n 'Passkey registration verification returned unverified or missing registration info',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.RegistrationVerificationFailed,\n { code: PasskeyControllerErrorCode.RegistrationVerificationFailed },\n );\n }\n\n // verify authentication response\n const credential = {\n id: registrationInfo.credentialId,\n publicKey: bytesToBase64URL(registrationInfo.publicKey),\n counter: registrationInfo.counter,\n transports: registrationInfo.transports,\n aaguid: registrationInfo.aaguid,\n };\n const { newCounter } = await this.#verifyAuthenticationResponse(\n authenticationResponse,\n credential,\n );\n\n // determine key derivation method\n const prfFirst = (\n authenticationResponse.clientExtensionResults as PrfClientExtensionResults\n )?.prf?.results?.first;\n const authHasPrfOutput =\n typeof prfFirst === 'string' && prfFirst.length > 0;\n const keyDerivation: PasskeyKeyDerivation =\n authHasPrfOutput && registrationCeremony.prfSalt\n ? { method: 'prf', prfSalt: registrationCeremony.prfSalt }\n : { method: 'userHandle' };\n\n if (\n keyDerivation.method === 'userHandle' &&\n authenticationResponse.response.userHandle !==\n registrationCeremony.userHandle\n ) {\n log(\n 'Post-registration assertion userHandle does not match registration ceremony',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n { code: PasskeyControllerErrorCode.AuthenticationVerificationFailed },\n );\n }\n\n // derive key and encrypt vault key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n { credential, keyDerivation },\n );\n const { ciphertext, iv } = encryptWithKey(vaultKey, encKey);\n\n // persist passkey record\n this.update((state) => {\n state.passkeyRecord = {\n credential: {\n ...credential,\n counter: Math.max(newCounter, credential.counter),\n },\n encryptedVaultKey: { ciphertext, iv },\n keyDerivation,\n };\n });\n } finally {\n // delete registration ceremony\n this.#ceremonyManager.deleteRegistrationCeremony(challenge);\n }\n }\n\n /**\n * Verifies an authentication assertion and returns the decrypted vault key.\n *\n * @param authenticationResponse - Result of `navigator.credentials.get()`.\n * @returns The plaintext vault encryption key.\n */\n async retrieveVaultKeyWithPasskey(\n authenticationResponse: PasskeyAuthenticationResponse,\n ): Promise<string> {\n const passkeyRecord = this.#requireEnrolled();\n\n // verify authentication response and update counter\n const { newCounter } = await this.#verifyAuthenticationResponse(\n authenticationResponse,\n passkeyRecord.credential,\n );\n this.update((state) => {\n if (!state.passkeyRecord) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n { code: PasskeyControllerErrorCode.NotEnrolled },\n );\n }\n state.passkeyRecord.credential.counter = Math.max(\n newCounter,\n state.passkeyRecord.credential.counter,\n );\n });\n\n // derive key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n passkeyRecord,\n );\n\n // decrypt vault key\n try {\n const vaultKey = decryptWithKey(\n passkeyRecord.encryptedVaultKey.ciphertext,\n passkeyRecord.encryptedVaultKey.iv,\n encKey,\n );\n return vaultKey;\n } catch (cause) {\n log(\n 'Error decrypting vault key with passkey',\n cause instanceof Error ? cause : new Error(String(cause)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyDecryptionFailed,\n {\n code: PasskeyControllerErrorCode.VaultKeyDecryptionFailed,\n cause: cause instanceof Error ? cause : new Error(String(cause)),\n },\n );\n }\n }\n\n /**\n * Checks whether the given authentication assertion is valid for the enrolled passkey.\n *\n * On failure, returns `false` for {@link PasskeyControllerError} with a `code`;\n * other errors propagate.\n *\n * @param authenticationResponse - Result of `navigator.credentials.get()`.\n * @returns `true` if verification succeeds, otherwise `false`.\n */\n async verifyPasskeyAuthentication(\n authenticationResponse: PasskeyAuthenticationResponse,\n ): Promise<boolean> {\n try {\n await this.retrieveVaultKeyWithPasskey(authenticationResponse);\n return true;\n } catch (error: unknown) {\n if (error instanceof PasskeyControllerError && error.code !== undefined) {\n return false;\n }\n throw error;\n }\n }\n\n /**\n * Re-wraps the vault key after rotation. Updates persisted `encryptedVaultKey` on success.\n *\n * Does not verify WebAuthn or ceremony state—call only after your layer has authenticated\n * the user (passkey `get()` + verified assertion, or verified password). On passkey paths,\n * pass the same `authenticationResponse` you just verified (e.g. from\n * {@link retrieveVaultKeyWithPasskey} / {@link verifyPasskeyAuthentication}).\n *\n * @param params - Re-wrap inputs.\n * @param params.authenticationResponse - Used to derive the wrapping key.\n * @param params.oldVaultKey - Expected current vault key.\n * @param params.newVaultKey - New vault key to encrypt under the passkey.\n */\n async renewVaultKeyProtection(params: {\n authenticationResponse: PasskeyAuthenticationResponse;\n oldVaultKey: string;\n newVaultKey: string;\n }): Promise<void> {\n const { authenticationResponse } = params;\n const passkeyRecord = this.#requireEnrolled();\n\n // derive key\n const encKey = deriveKeyFromAuthenticationResponse(\n authenticationResponse,\n passkeyRecord,\n );\n\n // decrypt vault key\n let decryptedVaultKey: string;\n try {\n decryptedVaultKey = decryptWithKey(\n passkeyRecord.encryptedVaultKey.ciphertext,\n passkeyRecord.encryptedVaultKey.iv,\n encKey,\n );\n } catch (error) {\n log(\n 'Error decrypting vault key during passkey vault key renewal',\n error instanceof Error ? error : new Error(String(error)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyDecryptionFailed,\n {\n code: PasskeyControllerErrorCode.VaultKeyDecryptionFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n }\n\n // check if vault key matches\n const { oldVaultKey, newVaultKey } = params;\n if (\n !areUint8ArraysEqual(\n stringToBytes(decryptedVaultKey),\n stringToBytes(oldVaultKey),\n )\n ) {\n log(\n 'Passkey renewal rejected: decrypted vault key does not match oldVaultKey',\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.VaultKeyMismatch,\n { code: PasskeyControllerErrorCode.VaultKeyMismatch },\n );\n }\n\n // encrypt new vault key\n const { ciphertext, iv } = encryptWithKey(newVaultKey, encKey);\n\n // persist passkey record (mutate current state only for vault key material)\n this.update((state) => {\n if (!state.passkeyRecord) {\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NotEnrolled,\n {\n code: PasskeyControllerErrorCode.NotEnrolled,\n },\n );\n }\n state.passkeyRecord.encryptedVaultKey = { ciphertext, iv };\n });\n }\n\n /**\n * Clears enrolled passkey state and in-flight ceremonies. Call only after the same\n * auth gate as renewal (verified passkey assertion or password).\n */\n removePasskey(): void {\n this.update(() => getDefaultPasskeyControllerState());\n this.#ceremonyManager.clear();\n }\n\n /**\n * Resets state and clears in-flight registration/authentication ceremonies.\n */\n clearState(): void {\n this.removePasskey();\n }\n\n /**\n * Releases all in-flight ceremony state and tears down the messenger.\n */\n destroy(): void {\n this.#ceremonyManager.clear();\n super.destroy();\n }\n\n /**\n * Validates a WebAuthn authentication response against stored credential data.\n *\n * @param authenticationResponse - Parsed authentication response from the client.\n * @param credential - Credential identifiers and public key material for verification.\n * @returns Updated authenticator signature counter.\n */\n async #verifyAuthenticationResponse(\n authenticationResponse: PasskeyAuthenticationResponse,\n credential: PasskeyCredentialInfo,\n ): Promise<{ newCounter: number }> {\n // get challenge\n const challenge = this.#getChallengeFromClientData(\n authenticationResponse.response.clientDataJSON,\n );\n\n // get authentication ceremony\n const authenticationCeremony =\n this.#ceremonyManager.getAuthenticationCeremony(challenge);\n if (!authenticationCeremony) {\n log('No active passkey authentication ceremony for challenge');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.NoAuthenticationCeremony,\n { code: PasskeyControllerErrorCode.NoAuthenticationCeremony },\n );\n }\n\n try {\n // verify authentication response\n const result = await verifyAuthenticationResponse({\n response: authenticationResponse,\n expectedChallenge: authenticationCeremony.challenge,\n expectedOrigin: this.#expectedOrigin,\n expectedRPIDs: this.#expectedRPIDs,\n credential: {\n id: credential.id,\n publicKey: base64URLToBytes(credential.publicKey),\n counter: credential.counter,\n transports: credential.transports,\n },\n requireUserVerification: true,\n }).catch((error) => {\n log(\n 'Error verifying passkey authentication response',\n error instanceof Error ? error : new Error(String(error)),\n );\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.AuthenticationVerificationFailed,\n cause: error instanceof Error ? error : new Error(String(error)),\n },\n );\n });\n if (!result.verified) {\n log('Passkey authentication verification returned unverified');\n throw new PasskeyControllerError(\n PasskeyControllerErrorMessage.AuthenticationVerificationFailed,\n {\n code: PasskeyControllerErrorCode.AuthenticationVerificationFailed,\n },\n );\n }\n\n return { newCounter: result.authenticationInfo.newCounter };\n } finally {\n // delete authentication ceremony\n this.#ceremonyManager.deleteAuthenticationCeremony(challenge);\n }\n }\n}\n"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@metamask-previews/passkey-controller",
3
- "version": "2.0.0-preview-938a7fe",
3
+ "version": "2.0.0-preview-d3f1b8bd9",
4
4
  "description": "Controller and utilities for passkey-based wallet unlock",
5
5
  "keywords": [
6
6
  "Ethereum",