@mrgnw/anahtar 0.0.6

package/dist/db/sqlite.js

@@ -0,0 +1,187 @@
+import { randomUUID } from 'node:crypto';
+export function sqliteAdapter(db, options = {}) {
+    const p = options.tablePrefix ?? 'auth_';
+    const t = {
+        users: `${p}users`,
+        sessions: `${p}sessions`,
+        otpCodes: `${p}otp_codes`,
+        passkeys: `${p}passkeys`,
+        challenges: `${p}challenges`
+    };
+    return {
+        init() {
+            db.pragma('journal_mode = WAL');
+            db.pragma('foreign_keys = ON');
+            db.exec(`
+				CREATE TABLE IF NOT EXISTS ${t.users} (
+					id TEXT PRIMARY KEY,
+					email TEXT UNIQUE NOT NULL,
+					skip_passkey_prompt INTEGER DEFAULT 0,
+					created_at INTEGER DEFAULT (unixepoch())
+				);
+				CREATE TABLE IF NOT EXISTS ${t.sessions} (
+					id TEXT PRIMARY KEY,
+					user_id TEXT NOT NULL REFERENCES ${t.users}(id),
+					expires_at INTEGER NOT NULL,
+					created_at INTEGER DEFAULT (unixepoch())
+				);
+				CREATE TABLE IF NOT EXISTS ${t.otpCodes} (
+					id TEXT PRIMARY KEY,
+					email TEXT NOT NULL,
+					code TEXT NOT NULL,
+					attempts INTEGER NOT NULL DEFAULT 0,
+					expires_at INTEGER NOT NULL,
+					created_at INTEGER DEFAULT (unixepoch())
+				);
+				CREATE TABLE IF NOT EXISTS ${t.passkeys} (
+					id TEXT PRIMARY KEY,
+					user_id TEXT NOT NULL REFERENCES ${t.users}(id),
+					credential_id TEXT UNIQUE NOT NULL,
+					public_key BLOB NOT NULL,
+					counter INTEGER NOT NULL DEFAULT 0,
+					transports TEXT,
+					name TEXT,
+					created_at INTEGER DEFAULT (unixepoch())
+				);
+				CREATE TABLE IF NOT EXISTS ${t.challenges} (
+					challenge TEXT PRIMARY KEY,
+					user_id TEXT NOT NULL,
+					expires_at INTEGER NOT NULL,
+					created_at INTEGER DEFAULT (unixepoch())
+				);
+			`);
+        },
+        getUserByEmail(email) {
+            const row = db
+                .prepare(`SELECT id, email, skip_passkey_prompt, created_at FROM ${t.users} WHERE email = ?`)
+                .get(email);
+            if (!row)
+                return null;
+            return {
+                id: row.id,
+                email: row.email,
+                skipPasskeyPrompt: row.skip_passkey_prompt === 1,
+                createdAt: row.created_at
+            };
+        },
+        createUser(email) {
+            const id = randomUUID();
+            db.prepare(`INSERT INTO ${t.users} (id, email) VALUES (?, ?)`).run(id, email);
+            return {
+                id,
+                email,
+                skipPasskeyPrompt: false,
+                createdAt: Math.floor(Date.now() / 1000)
+            };
+        },
+        setSkipPasskeyPrompt(userId, skip) {
+            db.prepare(`UPDATE ${t.users} SET skip_passkey_prompt = ? WHERE id = ?`).run(skip ? 1 : 0, userId);
+        },
+        createSession(tokenHash, userId, expiresAt) {
+            db.prepare(`INSERT INTO ${t.sessions} (id, user_id, expires_at) VALUES (?, ?, ?)`).run(tokenHash, userId, expiresAt);
+        },
+        getSession(tokenHash) {
+            const row = db
+                .prepare(`SELECT s.id, s.user_id, s.expires_at, u.email
+					FROM ${t.sessions} s
+					JOIN ${t.users} u ON u.id = s.user_id
+					WHERE s.id = ?`)
+                .get(tokenHash);
+            if (!row)
+                return null;
+            return {
+                id: row.id,
+                userId: row.user_id,
+                expiresAt: row.expires_at,
+                email: row.email
+            };
+        },
+        deleteSession(tokenHash) {
+            db.prepare(`DELETE FROM ${t.sessions} WHERE id = ?`).run(tokenHash);
+        },
+        storeOTP(email, id, code, expiresAt) {
+            db.prepare(`INSERT INTO ${t.otpCodes} (id, email, code, expires_at) VALUES (?, ?, ?, ?)`).run(id, email, code, expiresAt);
+        },
+        getLatestOTP(email) {
+            const row = db
+                .prepare(`SELECT id, email, code, attempts, expires_at FROM ${t.otpCodes} WHERE email = ? ORDER BY created_at DESC LIMIT 1`)
+                .get(email);
+            if (!row)
+                return null;
+            return {
+                id: row.id,
+                email: row.email,
+                code: row.code,
+                attempts: row.attempts,
+                expiresAt: row.expires_at
+            };
+        },
+        updateOTPAttempts(id, attempts) {
+            db.prepare(`UPDATE ${t.otpCodes} SET attempts = ? WHERE id = ?`).run(attempts, id);
+        },
+        deleteOTP(id) {
+            db.prepare(`DELETE FROM ${t.otpCodes} WHERE id = ?`).run(id);
+        },
+        deleteOTPsForEmail(email) {
+            db.prepare(`DELETE FROM ${t.otpCodes} WHERE email = ?`).run(email);
+        },
+        storeChallenge(challenge, userId, expiresAt) {
+            db.prepare(`DELETE FROM ${t.challenges} WHERE expires_at < ?`).run(Date.now());
+            db.prepare(`INSERT INTO ${t.challenges} (challenge, user_id, expires_at) VALUES (?, ?, ?)`).run(challenge, userId, expiresAt);
+        },
+        consumeChallenge(challenge) {
+            const row = db.prepare(`SELECT user_id, expires_at FROM ${t.challenges} WHERE challenge = ?`).get(challenge);
+            if (!row)
+                return null;
+            db.prepare(`DELETE FROM ${t.challenges} WHERE challenge = ?`).run(challenge);
+            if (row.expires_at < Date.now())
+                return null;
+            return { userId: row.user_id };
+        },
+        getPasskeyByCredentialId(credentialId) {
+            const row = db
+                .prepare(`SELECT p.id, p.user_id, p.credential_id, p.public_key, p.counter, p.transports, p.name, p.created_at, u.email
+					FROM ${t.passkeys} p
+					JOIN ${t.users} u ON u.id = p.user_id
+					WHERE p.credential_id = ?`)
+                .get(credentialId);
+            if (!row)
+                return null;
+            return {
+                id: row.id,
+                userId: row.user_id,
+                credentialId: row.credential_id,
+                publicKey: new Uint8Array(row.public_key),
+                counter: row.counter,
+                transports: row.transports,
+                name: row.name,
+                createdAt: row.created_at,
+                email: row.email
+            };
+        },
+        getUserPasskeys(userId) {
+            const rows = db
+                .prepare(`SELECT id, credential_id, public_key, counter, transports, name, created_at FROM ${t.passkeys} WHERE user_id = ?`)
+                .all(userId);
+            return rows.map((row) => ({
+                id: row.id,
+                credentialId: row.credential_id,
+                publicKey: new Uint8Array(row.public_key),
+                counter: row.counter,
+                transports: row.transports,
+                name: row.name,
+                createdAt: row.created_at
+            }));
+        },
+        storePasskey(passkey) {
+            db.prepare(`INSERT INTO ${t.passkeys} (id, user_id, credential_id, public_key, counter, transports, name) VALUES (?, ?, ?, ?, ?, ?, ?)`).run(passkey.id, passkey.userId, passkey.credentialId, Buffer.from(passkey.publicKey), passkey.counter, passkey.transports, passkey.name);
+        },
+        updatePasskeyCounter(id, counter) {
+            db.prepare(`UPDATE ${t.passkeys} SET counter = ? WHERE id = ?`).run(counter, id);
+        },
+        deletePasskey(id, userId) {
+            const result = db.prepare(`DELETE FROM ${t.passkeys} WHERE id = ? AND user_id = ?`).run(id, userId);
+            return result.changes > 0;
+        }
+    };
+}

package/dist/device.d.ts

@@ -0,0 +1 @@
+export declare function guessDeviceName(ua?: string): string;

package/dist/device.js

@@ -0,0 +1,36 @@
+export function guessDeviceName(ua) {
+    const s = ua ?? (typeof navigator !== 'undefined' ? navigator.userAgent : '');
+    if (!s)
+        return 'Passkey';
+    const browser = /Edg\//i.test(s)
+        ? 'Edge'
+        : /OPR\//i.test(s)
+            ? 'Opera'
+            : /Chrome\//i.test(s)
+                ? 'Chrome'
+                : /Safari\//i.test(s) && !/Chrome/i.test(s)
+                    ? 'Safari'
+                    : /Firefox\//i.test(s)
+                        ? 'Firefox'
+                        : null;
+    const os = /Windows/i.test(s)
+        ? 'Windows'
+        : /Mac OS|Macintosh/i.test(s)
+            ? 'macOS'
+            : /Android/i.test(s)
+                ? 'Android'
+                : /iPhone|iPad|iPod/i.test(s)
+                    ? 'iOS'
+                    : /Linux/i.test(s)
+                        ? 'Linux'
+                        : /CrOS/i.test(s)
+                            ? 'ChromeOS'
+                            : null;
+    if (browser && os)
+        return `${browser} on ${os}`;
+    if (browser)
+        return browser;
+    if (os)
+        return os;
+    return 'Passkey';
+}

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+import type { AuthConfig } from './types.js';
+export { resolveConfig } from './config.js';
+export { guessDeviceName } from './device.js';
+export type { AuthConfig, AuthDB, AuthUser, FullPasskeyRecord, MaybePromise, NewPasskey, OTPRecord, OtpResult, PasskeyRecord, ResolvedConfig, SessionRecord } from './types.js';
+export declare function createAuth(config: AuthConfig): Promise<{
+    handle: import("@sveltejs/kit").Handle;
+    handlers: {
+        GET: (event: import("@sveltejs/kit").RequestEvent) => Promise<Response>;
+        POST: (event: import("@sveltejs/kit").RequestEvent) => Promise<Response>;
+    };
+    config: import("./types.js").ResolvedConfig;
+}>;

package/dist/index.js

@@ -0,0 +1,14 @@
+import { resolveConfig } from './config.js';
+import { createHandle } from './kit/handle.js';
+import { createHandlers } from './kit/handlers.js';
+export { resolveConfig } from './config.js';
+export { guessDeviceName } from './device.js';
+export async function createAuth(config) {
+    const resolved = resolveConfig(config);
+    await config.db.init();
+    return {
+        handle: createHandle(resolved),
+        handlers: createHandlers(resolved),
+        config: resolved
+    };
+}

package/dist/kit/handle.d.ts

@@ -0,0 +1,3 @@
+import type { Handle } from '@sveltejs/kit';
+import type { ResolvedConfig } from '../types.js';
+export declare function createHandle(config: ResolvedConfig): Handle;

package/dist/kit/handle.js

@@ -0,0 +1,18 @@
+import { validateSession } from '../session.js';
+export function createHandle(config) {
+    return async ({ event, resolve }) => {
+        const token = event.cookies.get(config.cookie);
+        if (!token) {
+            event.locals.user = null;
+            return resolve(event);
+        }
+        const result = await validateSession(config.db, token);
+        if (!result) {
+            event.cookies.delete(config.cookie, { path: '/' });
+            event.locals.user = null;
+            return resolve(event);
+        }
+        event.locals.user = result.user;
+        return resolve(event);
+    };
+}

package/dist/kit/handlers.d.ts

@@ -0,0 +1,8 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { ResolvedConfig } from '../types.js';
+type RouteHandler = (event: RequestEvent) => Promise<Response>;
+export declare function createHandlers(config: ResolvedConfig): {
+    GET: RouteHandler;
+    POST: RouteHandler;
+};
+export {};

package/dist/kit/handlers.js

@@ -0,0 +1,183 @@
+import { json } from '@sveltejs/kit';
+import { generateOTP, verifyOTP } from '../otp.js';
+import { generateAuthenticationChallenge, generateRegistrationChallenge, removePasskey, verifyAuthenticationResponse, verifyRegistrationResponse } from '../passkey.js';
+import { createSession, invalidateSession, validateSession } from '../session.js';
+const SESSION_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;
+function requireAuth(event) {
+    const user = event.locals.user;
+    if (!user)
+        return json({ error: 'Not authenticated' }, { status: 401 });
+    return user;
+}
+export function createHandlers(config) {
+    const maxAge = Math.floor(config.sessionDuration / 1000);
+    function cookieOpts(event) {
+        return {
+            httpOnly: true,
+            secure: event.url.protocol === 'https:',
+            sameSite: 'lax',
+            path: '/',
+            maxAge
+        };
+    }
+    const routes = {
+        start: {
+            method: 'POST',
+            handler: async (event) => {
+                const body = await event.request.json().catch(() => null);
+                if (!body || typeof body.email !== 'string' || !body.email.includes('@')) {
+                    return json({ error: 'Invalid email' }, { status: 400 });
+                }
+                const { code } = await generateOTP(config.db, body.email, config);
+                await config.onSendOTP(body.email, code);
+                return json({ success: true });
+            }
+        },
+        verify: {
+            method: 'POST',
+            handler: async (event) => {
+                const body = await event.request.json().catch(() => null);
+                if (!body || typeof body.email !== 'string' || typeof body.code !== 'string') {
+                    return json({ error: 'Invalid input' }, { status: 400 });
+                }
+                const otp = await verifyOTP(config.db, body.email, body.code, config);
+                if (!otp.ok) {
+                    const messages = {
+                        invalid: 'Invalid code. Please try again.',
+                        expired: 'Code expired. Please request a new one.',
+                        rate_limited: 'Too many attempts. Please request a new code.'
+                    };
+                    return json({ error: messages[otp.error] }, { status: otp.error === 'rate_limited' ? 429 : 400 });
+                }
+                let user = await config.db.getUserByEmail(body.email);
+                if (!user) {
+                    user = await config.db.createUser(body.email);
+                }
+                const session = await createSession(config.db, user.id, config);
+                event.cookies.set(config.cookie, session.sessionToken, cookieOpts(event));
+                const passkeys = await config.db.getUserPasskeys(user.id);
+                return json({
+                    user: { id: user.id, email: user.email },
+                    hasPasskey: passkeys.length > 0,
+                    skipPasskeyPrompt: user.skipPasskeyPrompt
+                });
+            }
+        },
+        logout: {
+            method: 'POST',
+            handler: async (event) => {
+                const token = event.cookies.get(config.cookie);
+                if (token) {
+                    const result = await validateSession(config.db, token);
+                    if (result) {
+                        await invalidateSession(config.db, result.session.id);
+                    }
+                    event.cookies.delete(config.cookie, { path: '/' });
+                }
+                return json({ ok: true });
+            }
+        },
+        'passkey/login-start': {
+            method: 'GET',
+            handler: async (event) => {
+                const options = await generateAuthenticationChallenge(config.db, event.url);
+                return json(options);
+            }
+        },
+        'passkey/login-finish': {
+            method: 'POST',
+            handler: async (event) => {
+                const body = await event.request.json().catch(() => null);
+                if (!body)
+                    return json({ error: 'Invalid input' }, { status: 400 });
+                const result = await verifyAuthenticationResponse(config.db, body, event.url);
+                if (!result)
+                    return json({ error: 'Authentication failed' }, { status: 401 });
+                const session = await createSession(config.db, result.user.id, config);
+                event.cookies.set(config.cookie, session.sessionToken, cookieOpts(event));
+                return json({ user: result.user });
+            }
+        },
+        'passkey/register-start': {
+            method: 'POST',
+            handler: async (event) => {
+                const user = requireAuth(event);
+                if (user instanceof Response)
+                    return user;
+                const options = await generateRegistrationChallenge(config.db, user, event.url, config);
+                return json(options);
+            }
+        },
+        'passkey/register-finish': {
+            method: 'POST',
+            handler: async (event) => {
+                const user = requireAuth(event);
+                if (user instanceof Response)
+                    return user;
+                const body = await event.request.json().catch(() => null);
+                if (!body)
+                    return json({ error: 'Invalid input' }, { status: 400 });
+                const { name, ...response } = body;
+                const passkeyName = typeof name === 'string' && name.trim() ? name.trim() : null;
+                const success = await verifyRegistrationResponse(config.db, user.id, response, event.url, passkeyName);
+                if (!success)
+                    return json({ error: 'Passkey registration failed' }, { status: 400 });
+                return json({ success: true });
+            }
+        },
+        'passkey/remove': {
+            method: 'POST',
+            handler: async (event) => {
+                const user = requireAuth(event);
+                if (user instanceof Response)
+                    return user;
+                const body = await event.request.json().catch(() => null);
+                if (!body || typeof body.passkeyId !== 'string') {
+                    return json({ error: 'Invalid input' }, { status: 400 });
+                }
+                const success = await removePasskey(config.db, body.passkeyId, user.id);
+                if (!success)
+                    return json({ error: 'Passkey not found' }, { status: 404 });
+                return json({ success: true });
+            }
+        },
+        'skip-passkey': {
+            method: 'POST',
+            handler: async (event) => {
+                const user = requireAuth(event);
+                if (user instanceof Response)
+                    return user;
+                await config.db.setSkipPasskeyPrompt(user.id, true);
+                return json({ success: true });
+            }
+        }
+    };
+    function getRoute(event) {
+        const path = event.params.path;
+        if (typeof path === 'string')
+            return path;
+        return null;
+    }
+    return {
+        GET: async (event) => {
+            const path = getRoute(event);
+            if (!path)
+                return json({ error: 'Not found' }, { status: 404 });
+            const route = routes[path];
+            if (!route || route.method !== 'GET') {
+                return json({ error: 'Not found' }, { status: 404 });
+            }
+            return route.handler(event);
+        },
+        POST: async (event) => {
+            const path = getRoute(event);
+            if (!path)
+                return json({ error: 'Not found' }, { status: 404 });
+            const route = routes[path];
+            if (!route || route.method !== 'POST') {
+                return json({ error: 'Not found' }, { status: 404 });
+            }
+            return route.handler(event);
+        }
+    };
+}

package/dist/otp.d.ts

@@ -0,0 +1,6 @@
+import type { AuthDB, OtpResult, ResolvedConfig } from './types.js';
+export declare function generateOTP(db: AuthDB, email: string, config: ResolvedConfig): Promise<{
+    id: string;
+    code: string;
+}>;
+export declare function verifyOTP(db: AuthDB, email: string, code: string, config: ResolvedConfig): Promise<OtpResult>;

package/dist/otp.js

@@ -0,0 +1,35 @@
+import { randomInt, randomUUID } from 'node:crypto';
+export async function generateOTP(db, email, config) {
+    await db.deleteOTPsForEmail(email);
+    const id = randomUUID();
+    const max = 10 ** config.otpLength;
+    const min = 10 ** (config.otpLength - 1);
+    const code = String(randomInt(min, max));
+    const expiresAt = Date.now() + config.otpExpiry;
+    await db.storeOTP(email, id, code, expiresAt);
+    return { id, code };
+}
+export async function verifyOTP(db, email, code, config) {
+    const row = await db.getLatestOTP(email);
+    if (!row)
+        return { ok: false, error: 'invalid' };
+    if (row.expiresAt < Date.now()) {
+        await db.deleteOTP(row.id);
+        return { ok: false, error: 'expired' };
+    }
+    if (row.attempts >= config.otpMaxAttempts) {
+        await db.deleteOTP(row.id);
+        return { ok: false, error: 'rate_limited', attemptsLeft: 0 };
+    }
+    if (row.code !== code) {
+        const newAttempts = row.attempts + 1;
+        await db.updateOTPAttempts(row.id, newAttempts);
+        if (newAttempts >= config.otpMaxAttempts) {
+            await db.deleteOTP(row.id);
+            return { ok: false, error: 'rate_limited', attemptsLeft: 0 };
+        }
+        return { ok: false, error: 'invalid' };
+    }
+    await db.deleteOTP(row.id);
+    return { ok: true };
+}

package/dist/passkey.d.ts

@@ -0,0 +1,20 @@
+import type { AuthenticationResponseJSON, RegistrationResponseJSON } from '@simplewebauthn/server';
+import type { AuthDB, ResolvedConfig } from './types.js';
+export declare function getWebAuthnConfig(requestUrl: URL): {
+    rpID: string;
+    origin: string;
+};
+export declare function generateRegistrationChallenge(db: AuthDB, user: {
+    id: string;
+    email: string;
+}, requestUrl: URL, config: ResolvedConfig): Promise<import("@simplewebauthn/server").PublicKeyCredentialCreationOptionsJSON>;
+export declare function verifyRegistrationResponse(db: AuthDB, userId: string, response: RegistrationResponseJSON, requestUrl: URL, name?: string | null): Promise<boolean>;
+export declare function generateAuthenticationChallenge(db: AuthDB, requestUrl: URL): Promise<import("@simplewebauthn/server").PublicKeyCredentialRequestOptionsJSON>;
+export declare function verifyAuthenticationResponse(db: AuthDB, response: AuthenticationResponseJSON, requestUrl: URL): Promise<{
+    user: {
+        id: string;
+        email: string;
+    };
+} | null>;
+export declare function getUserPasskeys(db: AuthDB, userId: string): Promise<import("./types.js").PasskeyRecord[]>;
+export declare function removePasskey(db: AuthDB, passkeyId: string, userId: string): Promise<boolean>;

package/dist/passkey.js

@@ -0,0 +1,112 @@
+import { randomUUID } from 'node:crypto';
+import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse as verifyAuthResponse, verifyRegistrationResponse as verifyRegResponse } from '@simplewebauthn/server';
+const CHALLENGE_EXPIRY_MS = 5 * 60 * 1000;
+export function getWebAuthnConfig(requestUrl) {
+    const envOrigin = process.env.ORIGIN;
+    if (envOrigin) {
+        const url = new URL(envOrigin);
+        return { rpID: url.hostname, origin: url.origin };
+    }
+    return { rpID: requestUrl.hostname, origin: requestUrl.origin };
+}
+export async function generateRegistrationChallenge(db, user, requestUrl, config) {
+    const { rpID } = getWebAuthnConfig(requestUrl);
+    const existingPasskeys = await db.getUserPasskeys(user.id);
+    const excludeCredentials = existingPasskeys.map((pk) => ({
+        id: pk.credentialId,
+        transports: pk.transports ? JSON.parse(pk.transports) : undefined
+    }));
+    const options = await generateRegistrationOptions({
+        rpName: config.rpName,
+        rpID,
+        userName: user.email,
+        userID: new TextEncoder().encode(user.id),
+        authenticatorSelection: {
+            residentKey: 'required',
+            userVerification: 'preferred'
+        },
+        excludeCredentials
+    });
+    await db.storeChallenge(options.challenge, user.id, Date.now() + CHALLENGE_EXPIRY_MS);
+    return options;
+}
+export async function verifyRegistrationResponse(db, userId, response, requestUrl, name = null) {
+    const { rpID, origin } = getWebAuthnConfig(requestUrl);
+    const challenge = JSON.parse(Buffer.from(response.response.clientDataJSON, 'base64url').toString()).challenge;
+    const stored = await db.consumeChallenge(challenge);
+    if (!stored || stored.userId !== userId)
+        return false;
+    try {
+        const verification = await verifyRegResponse({
+            response,
+            expectedChallenge: challenge,
+            expectedOrigin: origin,
+            expectedRPID: rpID
+        });
+        if (!verification.verified || !verification.registrationInfo)
+            return false;
+        const { credential } = verification.registrationInfo;
+        await db.storePasskey({
+            id: randomUUID(),
+            userId,
+            credentialId: credential.id,
+            publicKey: new Uint8Array(credential.publicKey),
+            counter: credential.counter,
+            transports: response.response.transports ? JSON.stringify(response.response.transports) : null,
+            name
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function generateAuthenticationChallenge(db, requestUrl) {
+    const { rpID } = getWebAuthnConfig(requestUrl);
+    const options = await generateAuthenticationOptions({
+        rpID,
+        allowCredentials: [],
+        userVerification: 'preferred'
+    });
+    await db.storeChallenge(options.challenge, 'anonymous', Date.now() + CHALLENGE_EXPIRY_MS);
+    return options;
+}
+export async function verifyAuthenticationResponse(db, response, requestUrl) {
+    const { rpID, origin } = getWebAuthnConfig(requestUrl);
+    const passkey = await db.getPasskeyByCredentialId(response.id);
+    if (!passkey)
+        return null;
+    const challenge = JSON.parse(Buffer.from(response.response.clientDataJSON, 'base64url').toString()).challenge;
+    const stored = await db.consumeChallenge(challenge);
+    if (!stored)
+        return null;
+    try {
+        const verification = await verifyAuthResponse({
+            response,
+            expectedChallenge: challenge,
+            expectedOrigin: origin,
+            expectedRPID: rpID,
+            credential: {
+                id: passkey.credentialId,
+                publicKey: new Uint8Array(passkey.publicKey),
+                counter: passkey.counter,
+                transports: passkey.transports ? JSON.parse(passkey.transports) : undefined
+            }
+        });
+        if (!verification.verified)
+            return null;
+        await db.updatePasskeyCounter(passkey.id, verification.authenticationInfo.newCounter);
+        return {
+            user: { id: passkey.userId, email: passkey.email }
+        };
+    }
+    catch {
+        return null;
+    }
+}
+export async function getUserPasskeys(db, userId) {
+    return db.getUserPasskeys(userId);
+}
+export async function removePasskey(db, passkeyId, userId) {
+    return db.deletePasskey(passkeyId, userId);
+}

package/dist/session.d.ts

@@ -0,0 +1,16 @@
+import type { AuthDB, ResolvedConfig } from './types.js';
+export declare function createSession(db: AuthDB, userId: string, config: ResolvedConfig): Promise<{
+    sessionToken: string;
+    expiresAt: number;
+}>;
+export declare function validateSession(db: AuthDB, token: string): Promise<{
+    user: {
+        id: string;
+        email: string;
+    };
+    session: {
+        id: string;
+        expiresAt: number;
+    };
+} | null>;
+export declare function invalidateSession(db: AuthDB, sessionId: string): Promise<void>;