npm - @noy-db/on-webauthn - Versions diffs - 0.1.0-pre.3 - Mend

@noy-db/on-webauthn 0.1.0-pre.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 vLannaAi
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,33 @@
+# @noy-db/on-webauthn
+[![npm](https://img.shields.io/npm/v/%40noy-db/on-webauthn.svg)](https://www.npmjs.com/package/@noy-db/on-webauthn)
+> WebAuthn hardware-key keyrings for noy-db
+Part of [**`@noy-db/hub`**](https://www.npmjs.com/package/@noy-db/hub) — the zero-knowledge, offline-first, encrypted document store.
+## Install
+```bash
+pnpm add @noy-db/hub @noy-db/on-webauthn
+```
+## What it is
+WebAuthn hardware-key keyrings for noy-db — Touch ID, Face ID, Windows Hello, YubiKey, FIDO2 passkeys
+## Status
+**Pre-release** (`0.1.0-pre.1`). API may change before `1.0`.
+## Documentation
+See the [main repository](https://github.com/vLannaAi/noy-db#readme) for setup, examples, and the full subsystem catalog.
+- Source — [`packages/on-webauthn`](https://github.com/vLannaAi/noy-db/tree/main/packages/on-webauthn)
+- Issues — [github.com/vLannaAi/noy-db/issues](https://github.com/vLannaAi/noy-db/issues)
+- Spec — [`SPEC.md`](https://github.com/vLannaAi/noy-db/blob/main/SPEC.md)
+## License
+[MIT](./LICENSE) © vLannaAi

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,303 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ValidationError: () => import_hub3.ValidationError,
+  WebAuthnCancelledError: () => WebAuthnCancelledError,
+  WebAuthnMultiDeviceError: () => WebAuthnMultiDeviceError,
+  WebAuthnNotAvailableError: () => WebAuthnNotAvailableError,
+  WebAuthnPRFUnavailableError: () => WebAuthnPRFUnavailableError,
+  enrollWebAuthn: () => enrollWebAuthn,
+  isValidEnrollment: () => isValidEnrollment,
+  isWebAuthnAvailable: () => isWebAuthnAvailable,
+  unlockWebAuthn: () => unlockWebAuthn
+});
+module.exports = __toCommonJS(index_exports);
+var import_hub = require("@noy-db/hub");
+var import_hub2 = require("@noy-db/hub");
+var import_hub3 = require("@noy-db/hub");
+var WebAuthnNotAvailableError = class extends Error {
+  code = "WEBAUTHN_NOT_AVAILABLE";
+  constructor() {
+    super("WebAuthn is not available in this environment. A browser with navigator.credentials support is required.");
+    this.name = "WebAuthnNotAvailableError";
+  }
+};
+var WebAuthnCancelledError = class extends Error {
+  code = "WEBAUTHN_CANCELLED";
+  constructor(op) {
+    super(`WebAuthn ${op} was cancelled by the user.`);
+    this.name = "WebAuthnCancelledError";
+  }
+};
+var WebAuthnMultiDeviceError = class extends Error {
+  code = "WEBAUTHN_MULTI_DEVICE";
+  constructor() {
+    super(
+      "This credential is backup-eligible (BE flag set) and may be synced across devices. The vault requires a single-device credential (requireSingleDevice: true). Please use a hardware security key (YubiKey, Titan, SoloKey) or a platform authenticator that does not sync credentials across devices."
+    );
+    this.name = "WebAuthnMultiDeviceError";
+  }
+};
+var WebAuthnPRFUnavailableError = class extends Error {
+  code = "WEBAUTHN_PRF_UNAVAILABLE";
+  constructor() {
+    super(
+      "The PRF extension is not available on this authenticator. Enrollment will fall back to rawId-based key derivation. This provides weaker binding to the specific authenticator."
+    );
+    this.name = "WebAuthnPRFUnavailableError";
+  }
+};
+function isWebAuthnAvailable() {
+  return typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined" && typeof navigator !== "undefined" && typeof navigator.credentials !== "undefined";
+}
+var PRF_SALT = new TextEncoder().encode("noydb-webauthn-kek-derive");
+async function deriveKeyFromPRF(prfOutput) {
+  const keyMaterial = await globalThis.crypto.subtle.importKey(
+    "raw",
+    prfOutput,
+    "HKDF",
+    false,
+    ["deriveKey"]
+  );
+  return globalThis.crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: PRF_SALT,
+      info: new TextEncoder().encode("noydb-kek-wrap-v1")
+    },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function deriveKeyFromRawId(rawId) {
+  const keyMaterial = await globalThis.crypto.subtle.importKey(
+    "raw",
+    rawId,
+    "HKDF",
+    false,
+    ["deriveKey"]
+  );
+  return globalThis.crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: new TextEncoder().encode("noydb-webauthn-rawid-fallback"),
+      info: new TextEncoder().encode("noydb-kek-wrap-v1")
+    },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+function extractBEFlag(authData) {
+  const bytes = new Uint8Array(authData);
+  if (bytes.length < 33) return false;
+  const flagsByte = bytes[32];
+  return (flagsByte & 8) !== 0;
+}
+async function wrapKeyringSummary(keyring, wrappingKey) {
+  const dekMap = {};
+  for (const [collName, dek] of keyring.deks) {
+    const raw = await globalThis.crypto.subtle.exportKey("raw", dek);
+    dekMap[collName] = (0, import_hub.bufferToBase64)(raw);
+  }
+  const payload = JSON.stringify({
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: dekMap,
+    salt: (0, import_hub.bufferToBase64)(keyring.salt)
+  });
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const encrypted = await globalThis.crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    wrappingKey,
+    new TextEncoder().encode(payload)
+  );
+  return { wrappedPayload: (0, import_hub.bufferToBase64)(encrypted), wrapIv: (0, import_hub.bufferToBase64)(iv) };
+}
+async function unwrapKeyringSummary(enrollment, wrappingKey) {
+  const iv = (0, import_hub.base64ToBuffer)(enrollment.wrapIv);
+  const ciphertext = (0, import_hub.base64ToBuffer)(enrollment.wrappedPayload);
+  let plaintext;
+  try {
+    plaintext = await globalThis.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      wrappingKey,
+      ciphertext
+    );
+  } catch {
+    throw new import_hub2.ValidationError("WebAuthn decryption failed \u2014 the authenticator may have changed or the enrollment may be corrupt.");
+  }
+  const parsed = JSON.parse(new TextDecoder().decode(plaintext));
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {
+    const dek = await globalThis.crypto.subtle.importKey(
+      "raw",
+      (0, import_hub.base64ToBuffer)(rawBase64),
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    deks.set(collName, dek);
+  }
+  return {
+    userId: parsed.userId,
+    displayName: parsed.displayName,
+    role: parsed.role,
+    permissions: parsed.permissions,
+    deks,
+    kek: null,
+    salt: (0, import_hub.base64ToBuffer)(parsed.salt)
+  };
+}
+async function enrollWebAuthn(keyring, vault, options = {}) {
+  if (!isWebAuthnAvailable()) {
+    throw new WebAuthnNotAvailableError();
+  }
+  const rpId = options.rp?.id ?? (typeof window !== "undefined" ? window.location.hostname : "localhost");
+  const rpName = options.rp?.name ?? "NOYDB";
+  const timeout = options.timeout ?? 6e4;
+  const challenge = globalThis.crypto.getRandomValues(new Uint8Array(32));
+  const userIdBytes = new TextEncoder().encode(keyring.userId);
+  const authenticatorSelection = {
+    userVerification: "required",
+    residentKey: "preferred"
+  };
+  if (options.preferCrossPlatform === true) {
+    authenticatorSelection.authenticatorAttachment = "cross-platform";
+  } else if (options.preferCrossPlatform === false) {
+    authenticatorSelection.authenticatorAttachment = "platform";
+  }
+  const extensionsInput = {
+    prf: { eval: { first: PRF_SALT } }
+  };
+  const credential = await navigator.credentials.create({
+    publicKey: {
+      challenge,
+      rp: { id: rpId, name: rpName },
+      user: {
+        id: userIdBytes,
+        name: keyring.userId,
+        displayName: keyring.displayName
+      },
+      pubKeyCredParams: [
+        { type: "public-key", alg: -7 },
+        // ES256
+        { type: "public-key", alg: -257 },
+        // RS256
+        { type: "public-key", alg: -8 }
+        // EdDSA
+      ],
+      authenticatorSelection,
+      extensions: extensionsInput,
+      timeout
+    }
+  });
+  if (!credential) {
+    throw new WebAuthnCancelledError("enrollment");
+  }
+  const authData = credential.response.getAuthenticatorData();
+  const beFlag = extractBEFlag(authData);
+  if (options.requireSingleDevice && beFlag) {
+    throw new WebAuthnMultiDeviceError();
+  }
+  const extensions = credential.getClientExtensionResults();
+  const prfOutput = extensions.prf?.results?.first;
+  const prfUsed = !!prfOutput;
+  const wrappingKey = prfOutput ? await deriveKeyFromPRF(prfOutput) : await deriveKeyFromRawId(credential.rawId);
+  const { wrappedPayload, wrapIv } = await wrapKeyringSummary(keyring, wrappingKey);
+  return {
+    _noydb_webauthn: 1,
+    vault,
+    userId: keyring.userId,
+    credentialId: (0, import_hub.bufferToBase64)(credential.rawId),
+    prfUsed,
+    beFlag,
+    requireSingleDevice: options.requireSingleDevice ?? false,
+    wrappedPayload,
+    wrapIv,
+    enrolledAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function unlockWebAuthn(enrollment, options = {}) {
+  if (!isWebAuthnAvailable()) {
+    throw new WebAuthnNotAvailableError();
+  }
+  const timeout = options.timeout ?? 6e4;
+  const credentialId = (0, import_hub.base64ToBuffer)(enrollment.credentialId);
+  const extensionsInput = enrollment.prfUsed ? { prf: { eval: { first: PRF_SALT } } } : {};
+  const assertion = await navigator.credentials.get({
+    publicKey: {
+      challenge: globalThis.crypto.getRandomValues(new Uint8Array(32)),
+      allowCredentials: [{ type: "public-key", id: credentialId }],
+      userVerification: "required",
+      extensions: extensionsInput,
+      timeout
+    }
+  });
+  if (!assertion) {
+    throw new WebAuthnCancelledError("assertion");
+  }
+  const authData = assertion.response.authenticatorData;
+  const beFlag = extractBEFlag(authData);
+  if (enrollment.requireSingleDevice && beFlag) {
+    throw new WebAuthnMultiDeviceError();
+  }
+  let wrappingKey;
+  if (enrollment.prfUsed) {
+    const extensions = assertion.getClientExtensionResults();
+    const prfOutput = extensions.prf?.results?.first;
+    if (!prfOutput) {
+      throw new import_hub2.ValidationError(
+        "PRF extension output not available at assertion time. The authenticator may not support PRF. Re-enroll without PRF support."
+      );
+    }
+    wrappingKey = await deriveKeyFromPRF(prfOutput);
+  } else {
+    wrappingKey = await deriveKeyFromRawId(assertion.rawId);
+  }
+  return unwrapKeyringSummary(enrollment, wrappingKey);
+}
+function isValidEnrollment(value) {
+  if (!value || typeof value !== "object") return false;
+  const e = value;
+  return e._noydb_webauthn === 1 && typeof e.vault === "string" && typeof e.userId === "string" && typeof e.credentialId === "string" && typeof e.wrappedPayload === "string" && typeof e.wrapIv === "string";
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ValidationError,
+  WebAuthnCancelledError,
+  WebAuthnMultiDeviceError,
+  WebAuthnNotAvailableError,
+  WebAuthnPRFUnavailableError,
+  enrollWebAuthn,
+  isValidEnrollment,
+  isWebAuthnAvailable,
+  unlockWebAuthn
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @noy-db/on-webauthn —\n *\n * Hardware-key keyring for noy-db using the WebAuthn API.\n *\n * Covers every form factor:\n * - Platform authenticators: Touch ID, Face ID, Windows Hello, Android biometric\n * - Roaming authenticators: YubiKey (5C NFC, Bio), SoloKey, Titan, any FIDO2 key\n * - Passkey-capable platform authenticators: iCloud Keychain, Google Password Manager\n *\n * Key derivation model\n * ────────────────────\n * This package uses the **PRF (Pseudo-Random Function) extension** when\n * available to derive a deterministic wrapping key from the WebAuthn\n * credential. The PRF output is consistent across assertions on the same\n * device/credential, enabling unlock-without-passphrase while keeping the\n * derived key bound to the physical authenticator.\n *\n * When PRF is not supported by the authenticator (common on older hardware),\n * the package falls back to HKDF-SHA256 over the credential's `rawId` —\n * the same approach as the pre-existing `@noy-db/core` biometric module.\n *\n * The derived key is NEVER persisted. It exists only in memory during the\n * unlock operation. What IS persisted (in the noy-db adapter, not in browser\n * storage) is the wrapped KEK: `encrypt(KEK, derivedKey)`.\n *\n * BE-flag guards\n * ──────────────\n * The backup-eligibility (BE) flag in a WebAuthn authenticator data signals\n * that the credential is (or can be) synced across devices — e.g. stored in\n * iCloud Keychain. For single-device security policies (air-gapped USB sticks,\n * high-security terminals), this is a threat: the credential is available on\n * any device where the user's iCloud account is signed in.\n *\n * The `requireSingleDevice: true` option rejects credentials with the BE flag\n * set during enrollment. Existing enrollments are checked at assertion time —\n * if the authenticator data shows BE=1 but `requireSingleDevice` was set at\n * enrollment, the assertion throws `WebAuthnMultiDeviceError`.\n *\n * Enrollment flow\n * ───────────────\n * 1. User is already authenticated (passphrase or existing session).\n * 2. Call `enrollWebAuthn(keyring, options)`.\n * 3. WebAuthn credential is created; PRF or rawId-derived key wraps the KEK.\n * 4. Returns a `WebAuthnEnrollment` — persist this to the noy-db adapter\n * via `saveEnrollment()`, or store it yourself in any encrypted collection.\n *\n * Unlock flow\n * ───────────\n * 1. Load the `WebAuthnEnrollment` via `loadEnrollment()`.\n * 2. Call `unlockWebAuthn(enrollment, keyring)` — triggers the WebAuthn\n * assertion prompt.\n * 3. On success, returns the unwrapped `CryptoKey` (the KEK) — use it to\n * re-hydrate the session via `createSession()`.\n */\n\nimport { bufferToBase64, base64ToBuffer } from '@noy-db/hub'\nimport { ValidationError } from '@noy-db/hub'\nimport type { UnlockedKeyring, Role } from '@noy-db/hub'\n\n// Re-export from core for convenience\nexport { ValidationError } from '@noy-db/hub'\n\n// ─── Error types ──────────────────────────────────────────────────────\n\n/**\n * Thrown when the WebAuthn API is not available in the current environment.\n *\n * Check `isWebAuthnAvailable()` before calling `enrollWebAuthn()` or\n * `unlockWebAuthn()` and show a fallback UI (passphrase entry) if this\n * returns false. Common scenarios: Node.js environments, older browsers,\n * non-HTTPS origins (WebAuthn requires a Secure Context).\n */\nexport class WebAuthnNotAvailableError extends Error {\n readonly code = 'WEBAUTHN_NOT_AVAILABLE'\n constructor() {\n super('WebAuthn is not available in this environment. A browser with navigator.credentials support is required.')\n this.name = 'WebAuthnNotAvailableError'\n }\n}\n\n/**\n * Thrown when the user dismisses the WebAuthn prompt without completing it.\n *\n * The `op` field distinguishes enrollment cancellation (user chose not to\n * enroll a hardware key) from assertion cancellation (user dismissed the\n * unlock prompt). Treat this as a user-initiated action, not an error — show\n * a \"use passphrase instead\" option rather than an error message.\n */\nexport class WebAuthnCancelledError extends Error {\n readonly code = 'WEBAUTHN_CANCELLED'\n constructor(op: 'enrollment' | 'assertion') {\n super(`WebAuthn ${op} was cancelled by the user.`)\n this.name = 'WebAuthnCancelledError'\n }\n}\n\n/**\n * Thrown when the authenticator has the backup-eligible (BE) flag set but\n * the vault requires a single-device credential (`requireSingleDevice: true`).\n *\n * A BE credential is synced across devices (e.g. iCloud Keychain, Google\n * Password Manager), which violates the single-device security model. The\n * user must enroll a hardware security key (YubiKey, Titan, SoloKey) instead.\n */\nexport class WebAuthnMultiDeviceError extends Error {\n readonly code = 'WEBAUTHN_MULTI_DEVICE'\n constructor() {\n super(\n 'This credential is backup-eligible (BE flag set) and may be synced across devices. ' +\n 'The vault requires a single-device credential (requireSingleDevice: true). ' +\n 'Please use a hardware security key (YubiKey, Titan, SoloKey) or a platform ' +\n 'authenticator that does not sync credentials across devices.',\n )\n this.name = 'WebAuthnMultiDeviceError'\n }\n}\n\n/**\n * Thrown (as a non-fatal warning, caught internally) when the PRF extension\n * is not supported by the authenticator.\n *\n * NOYDB prefers PRF for key derivation because it produces a\n * credential-bound output that is deterministic and not extractable from\n * the authenticator. When PRF is unavailable, enrollment falls back to\n * HKDF over the credential's `rawId` — weaker binding, but still functional.\n * This error is caught at enrollment time; callers only see it if they\n * explicitly opt into strict PRF-only mode.\n */\nexport class WebAuthnPRFUnavailableError extends Error {\n readonly code = 'WEBAUTHN_PRF_UNAVAILABLE'\n constructor() {\n super(\n 'The PRF extension is not available on this authenticator. ' +\n 'Enrollment will fall back to rawId-based key derivation. ' +\n 'This provides weaker binding to the specific authenticator.',\n )\n this.name = 'WebAuthnPRFUnavailableError'\n }\n}\n\n// ─── Types ────────────────────────────────────────────────────────────\n\n/**\n * A persisted WebAuthn enrollment record. Store this in a noy-db\n * collection (encrypted like any other record) or return it from\n * `saveEnrollment()` / `loadEnrollment()` helpers.\n */\nexport interface WebAuthnEnrollment {\n /** Enrollment format version. */\n readonly _noydb_webauthn: 1\n /** The vault this enrollment was created for. */\n readonly vault: string\n /** The user ID this enrollment belongs to. */\n readonly userId: string\n /** WebAuthn credential ID (base64). Use for allowCredentials in assertions. */\n readonly credentialId: string\n /** Whether PRF was used for key derivation (vs rawId HKDF fallback). */\n readonly prfUsed: boolean\n /** Whether the BE (backup-eligibility) flag was present at enrollment time. */\n readonly beFlag: boolean\n /** Whether single-device was required at enrollment time. */\n readonly requireSingleDevice: boolean\n /** The wrapped KEK: encrypt(exportedDekMap, derivedKey). Base64. */\n readonly wrappedPayload: string\n /** IV used for the wrapping. Base64. */\n readonly wrapIv: string\n /** ISO timestamp of enrollment. */\n readonly enrolledAt: string\n}\n\n/** Options for `enrollWebAuthn()`. */\nexport interface WebAuthnEnrollOptions {\n /**\n * Relying party ID and name for the WebAuthn credential.\n * Defaults to `{ id: window.location.hostname, name: 'NOYDB' }`.\n */\n rp?: { id?: string; name: string }\n /**\n * If `true`, refuse to enroll credentials with the BE flag set\n * (multi-device / syncable passkeys). Defaults to `false`.\n *\n * Set to `true` for high-security deployments where the credential\n * must be bound to a single physical device (YubiKey, Titan, etc.).\n */\n requireSingleDevice?: boolean\n /**\n * WebAuthn timeout in milliseconds. Default: 60_000.\n */\n timeout?: number\n /**\n * If `true`, prefer a cross-platform authenticator (roaming security key).\n * If `false`, prefer a platform authenticator (Touch ID, Face ID).\n * If undefined, let the browser choose.\n */\n preferCrossPlatform?: boolean\n}\n\n/** Options for `unlockWebAuthn()`. */\nexport interface WebAuthnUnlockOptions {\n /** WebAuthn timeout in milliseconds. Default: 60_000. */\n timeout?: number\n}\n\n// ─── Environment check ─────────────────────────────────────────────────\n\n/**\n * Returns `true` if WebAuthn is available and can be used for enrollment or unlock.\n *\n * Checks for `navigator.credentials`, `window.PublicKeyCredential`, and a\n * Secure Context (`window.isSecureContext`). Call this before rendering the\n * \"Register hardware key\" button to avoid showing options that will fail.\n */\nexport function isWebAuthnAvailable(): boolean {\n return (\n typeof window !== 'undefined' &&\n typeof window.PublicKeyCredential !== 'undefined' &&\n typeof navigator !== 'undefined' &&\n typeof navigator.credentials !== 'undefined'\n )\n}\n\n// ─── PRF salt ─────────────────────────────────────────────────────────\n\nconst PRF_SALT = new TextEncoder().encode('noydb-webauthn-kek-derive')\n\n// ─── Key derivation helpers ────────────────────────────────────────────\n\n/**\n * Derive a wrapping key from PRF output.\n * PRF output is 32 bytes of authenticator-bound pseudo-random data.\n */\nasync function deriveKeyFromPRF(prfOutput: ArrayBuffer): Promise<CryptoKey> {\n const keyMaterial = await globalThis.crypto.subtle.importKey(\n 'raw',\n prfOutput,\n 'HKDF',\n false,\n ['deriveKey'],\n )\n return globalThis.crypto.subtle.deriveKey(\n {\n name: 'HKDF',\n hash: 'SHA-256',\n salt: PRF_SALT,\n info: new TextEncoder().encode('noydb-kek-wrap-v1'),\n },\n keyMaterial,\n { name: 'AES-GCM', length: 256 },\n false,\n ['encrypt', 'decrypt'],\n )\n}\n\n/**\n * Derive a wrapping key from the credential's rawId (fallback when PRF unavailable).\n * Weaker than PRF (rawId may be observable to the server) but universally supported.\n */\nasync function deriveKeyFromRawId(rawId: ArrayBuffer): Promise<CryptoKey> {\n const keyMaterial = await globalThis.crypto.subtle.importKey(\n 'raw',\n rawId,\n 'HKDF',\n false,\n ['deriveKey'],\n )\n return globalThis.crypto.subtle.deriveKey(\n {\n name: 'HKDF',\n hash: 'SHA-256',\n salt: new TextEncoder().encode('noydb-webauthn-rawid-fallback'),\n info: new TextEncoder().encode('noydb-kek-wrap-v1'),\n },\n keyMaterial,\n { name: 'AES-GCM', length: 256 },\n false,\n ['encrypt', 'decrypt'],\n )\n}\n\n// ─── BE flag extraction ────────────────────────────────────────────────\n\n/**\n * Extract the BE (backup-eligibility) flag from WebAuthn authenticator data.\n * Authenticator data byte layout (CTAP2 spec):\n * bytes 0-31: rpIdHash\n * byte 32: flags byte\n * bytes 33-36: signCount\n * ...\n *\n * Flags byte bit layout (bit 0 = LSB):\n * bit 0 (UP): user presence\n * bit 2 (UV): user verification\n * bit 3 (BE): backup eligibility\n * bit 4 (BS): backup state\n * bit 6 (AT): attested credential data present\n * bit 7 (ED): extension data present\n */\nfunction extractBEFlag(authData: ArrayBuffer): boolean {\n const bytes = new Uint8Array(authData)\n if (bytes.length < 33) return false\n const flagsByte = bytes[32]!\n return (flagsByte & 0b00001000) !== 0 // bit 3\n}\n\n// ─── Payload wrap/unwrap ───────────────────────────────────────────────\n\n/**\n * Serialize and encrypt the DEK map from `keyring` using `wrappingKey`.\n * The wrapped payload is what gets stored in the enrollment record.\n */\nasync function wrapKeyringSummary(\n keyring: UnlockedKeyring,\n wrappingKey: CryptoKey,\n): Promise<{ wrappedPayload: string; wrapIv: string }> {\n const dekMap: Record<string, string> = {}\n for (const [collName, dek] of keyring.deks) {\n const raw = await globalThis.crypto.subtle.exportKey('raw', dek)\n dekMap[collName] = bufferToBase64(raw)\n }\n\n const payload = JSON.stringify({\n userId: keyring.userId,\n displayName: keyring.displayName,\n role: keyring.role,\n permissions: keyring.permissions,\n deks: dekMap,\n salt: bufferToBase64(keyring.salt),\n })\n\n const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))\n const encrypted = await globalThis.crypto.subtle.encrypt(\n { name: 'AES-GCM', iv },\n wrappingKey,\n new TextEncoder().encode(payload),\n )\n\n return { wrappedPayload: bufferToBase64(encrypted), wrapIv: bufferToBase64(iv) }\n}\n\n/**\n * Decrypt and deserialize the keyring payload using `wrappingKey`.\n */\nasync function unwrapKeyringSummary(\n enrollment: WebAuthnEnrollment,\n wrappingKey: CryptoKey,\n): Promise<UnlockedKeyring> {\n const iv = base64ToBuffer(enrollment.wrapIv)\n const ciphertext = base64ToBuffer(enrollment.wrappedPayload)\n\n let plaintext: ArrayBuffer\n try {\n plaintext = await globalThis.crypto.subtle.decrypt(\n { name: 'AES-GCM', iv },\n wrappingKey,\n ciphertext,\n )\n } catch {\n throw new ValidationError('WebAuthn decryption failed — the authenticator may have changed or the enrollment may be corrupt.')\n }\n\n const parsed = JSON.parse(new TextDecoder().decode(plaintext)) as {\n userId: string\n displayName: string\n role: Role\n permissions: Record<string, 'rw' | 'ro'>\n deks: Record<string, string>\n salt: string\n }\n\n const deks = new Map<string, CryptoKey>()\n for (const [collName, rawBase64] of Object.entries(parsed.deks)) {\n const dek = await globalThis.crypto.subtle.importKey(\n 'raw',\n base64ToBuffer(rawBase64),\n { name: 'AES-GCM', length: 256 },\n true,\n ['encrypt', 'decrypt'],\n )\n deks.set(collName, dek)\n }\n\n return {\n userId: parsed.userId,\n displayName: parsed.displayName,\n role: parsed.role,\n permissions: parsed.permissions,\n deks,\n kek: null as unknown as CryptoKey,\n salt: base64ToBuffer(parsed.salt),\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Enroll a WebAuthn credential for the given keyring.\n *\n * The caller must already have an unlocked keyring (from passphrase auth or\n * an existing session). The WebAuthn credential creation prompt is triggered\n * by this call.\n *\n * Returns a `WebAuthnEnrollment` that should be persisted — typically via\n * `saveEnrollment()` into a noy-db collection.\n *\n * @throws `WebAuthnNotAvailableError` if the environment doesn't support WebAuthn.\n * @throws `WebAuthnCancelledError` if the user cancels the credential creation.\n * @throws `WebAuthnMultiDeviceError` if `requireSingleDevice` is true and the\n * authenticator returned a credential with the BE flag set.\n */\nexport async function enrollWebAuthn(\n keyring: UnlockedKeyring,\n vault: string,\n options: WebAuthnEnrollOptions = {},\n): Promise<WebAuthnEnrollment> {\n if (!isWebAuthnAvailable()) {\n throw new WebAuthnNotAvailableError()\n }\n\n const rpId = options.rp?.id ?? (typeof window !== 'undefined' ? window.location.hostname : 'localhost')\n const rpName = options.rp?.name ?? 'NOYDB'\n const timeout = options.timeout ?? 60_000\n\n const challenge = globalThis.crypto.getRandomValues(new Uint8Array(32))\n const userIdBytes = new TextEncoder().encode(keyring.userId)\n\n const authenticatorSelection: AuthenticatorSelectionCriteria = {\n userVerification: 'required',\n residentKey: 'preferred',\n }\n if (options.preferCrossPlatform === true) {\n authenticatorSelection.authenticatorAttachment = 'cross-platform'\n } else if (options.preferCrossPlatform === false) {\n authenticatorSelection.authenticatorAttachment = 'platform'\n }\n\n // Request PRF extension for deterministic key derivation\n const extensionsInput = {\n prf: { eval: { first: PRF_SALT } },\n } as AuthenticationExtensionsClientInputs\n\n const credential = await navigator.credentials.create({\n publicKey: {\n challenge,\n rp: { id: rpId, name: rpName },\n user: {\n id: userIdBytes,\n name: keyring.userId,\n displayName: keyring.displayName,\n },\n pubKeyCredParams: [\n { type: 'public-key', alg: -7 }, // ES256\n { type: 'public-key', alg: -257 }, // RS256\n { type: 'public-key', alg: -8 }, // EdDSA\n ],\n authenticatorSelection,\n extensions: extensionsInput,\n timeout,\n },\n }) as PublicKeyCredential | null\n\n if (!credential) {\n throw new WebAuthnCancelledError('enrollment')\n }\n\n const authData = (credential.response as AuthenticatorAttestationResponse).getAuthenticatorData()\n const beFlag = extractBEFlag(authData)\n\n if (options.requireSingleDevice && beFlag) {\n throw new WebAuthnMultiDeviceError()\n }\n\n // Try to get PRF output from extensions\n const extensions = credential.getClientExtensionResults() as {\n prf?: { results?: { first?: ArrayBuffer } }\n }\n const prfOutput = extensions.prf?.results?.first\n const prfUsed = !!prfOutput\n\n const wrappingKey = prfOutput\n ? await deriveKeyFromPRF(prfOutput)\n : await deriveKeyFromRawId(credential.rawId)\n\n const { wrappedPayload, wrapIv } = await wrapKeyringSummary(keyring, wrappingKey)\n\n return {\n _noydb_webauthn: 1,\n vault,\n userId: keyring.userId,\n credentialId: bufferToBase64(credential.rawId),\n prfUsed,\n beFlag,\n requireSingleDevice: options.requireSingleDevice ?? false,\n wrappedPayload,\n wrapIv,\n enrolledAt: new Date().toISOString(),\n }\n}\n\n/**\n * Unlock a vault using a previously enrolled WebAuthn credential.\n *\n * Triggers the WebAuthn assertion prompt. On success, decrypts the keyring\n * payload from the enrollment record and returns an `UnlockedKeyring`.\n *\n * The returned keyring has the same DEKs as at enrollment time. If DEKs\n * have been rotated since enrollment, this will return stale DEKs — the\n * caller should detect decryption failures and prompt for re-enrollment.\n *\n * @throws `WebAuthnNotAvailableError` if the environment doesn't support WebAuthn.\n * @throws `WebAuthnCancelledError` if the user cancels the assertion.\n * @throws `WebAuthnMultiDeviceError` if `requireSingleDevice` was set at\n * enrollment and the authenticator data now shows BE=1.\n * @throws `ValidationError` if decryption of the keyring payload fails.\n */\nexport async function unlockWebAuthn(\n enrollment: WebAuthnEnrollment,\n options: WebAuthnUnlockOptions = {},\n): Promise<UnlockedKeyring> {\n if (!isWebAuthnAvailable()) {\n throw new WebAuthnNotAvailableError()\n }\n\n const timeout = options.timeout ?? 60_000\n const credentialId = base64ToBuffer(enrollment.credentialId)\n\n const extensionsInput = (enrollment.prfUsed\n ? { prf: { eval: { first: PRF_SALT } } }\n : {}\n ) as AuthenticationExtensionsClientInputs\n\n const assertion = await navigator.credentials.get({\n publicKey: {\n challenge: globalThis.crypto.getRandomValues(new Uint8Array(32)),\n allowCredentials: [{ type: 'public-key', id: credentialId as BufferSource }],\n userVerification: 'required',\n extensions: extensionsInput,\n timeout,\n },\n }) as PublicKeyCredential | null\n\n if (!assertion) {\n throw new WebAuthnCancelledError('assertion')\n }\n\n // BE-flag guard at assertion time\n const authData = (assertion.response as AuthenticatorAssertionResponse).authenticatorData\n const beFlag = extractBEFlag(authData)\n if (enrollment.requireSingleDevice && beFlag) {\n throw new WebAuthnMultiDeviceError()\n }\n\n // Derive the wrapping key using the same method as enrollment\n let wrappingKey: CryptoKey\n if (enrollment.prfUsed) {\n const extensions = assertion.getClientExtensionResults() as {\n prf?: { results?: { first?: ArrayBuffer } }\n }\n const prfOutput = extensions.prf?.results?.first\n if (!prfOutput) {\n throw new ValidationError(\n 'PRF extension output not available at assertion time. ' +\n 'The authenticator may not support PRF. Re-enroll without PRF support.',\n )\n }\n wrappingKey = await deriveKeyFromPRF(prfOutput)\n } else {\n wrappingKey = await deriveKeyFromRawId(assertion.rawId)\n }\n\n return unwrapKeyringSummary(enrollment, wrappingKey)\n}\n\n/**\n * Check whether a `WebAuthnEnrollment` record looks well-formed.\n * Does not perform any cryptographic verification.\n */\nexport function isValidEnrollment(value: unknown): value is WebAuthnEnrollment {\n if (!value || typeof value !== 'object') return false\n const e = value as Record<string, unknown>\n return (\n e._noydb_webauthn === 1 &&\n typeof e.vault === 'string' &&\n typeof e.userId === 'string' &&\n typeof e.credentialId === 'string' &&\n typeof e.wrappedPayload === 'string' &&\n typeof e.wrapIv === 'string'\n )\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwDA,iBAA+C;AAC/C,IAAAA,cAAgC;AAIhC,IAAAA,cAAgC;AAYzB,IAAM,4BAAN,cAAwC,MAAM;AAAA,EAC1C,OAAO;AAAA,EAChB,cAAc;AACZ,UAAM,0GAA0G;AAChH,SAAK,OAAO;AAAA,EACd;AACF;AAUO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EACvC,OAAO;AAAA,EAChB,YAAY,IAAgC;AAC1C,UAAM,YAAY,EAAE,6BAA6B;AACjD,SAAK,OAAO;AAAA,EACd;AACF;AAUO,IAAM,2BAAN,cAAuC,MAAM;AAAA,EACzC,OAAO;AAAA,EAChB,cAAc;AACZ;AAAA,MACE;AAAA,IAIF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAaO,IAAM,8BAAN,cAA0C,MAAM;AAAA,EAC5C,OAAO;AAAA,EAChB,cAAc;AACZ;AAAA,MACE;AAAA,IAGF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AA0EO,SAAS,sBAA+B;AAC7C,SACE,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB,eACtC,OAAO,cAAc,eACrB,OAAO,UAAU,gBAAgB;AAErC;AAIA,IAAM,WAAW,IAAI,YAAY,EAAE,OAAO,2BAA2B;AAQrE,eAAe,iBAAiB,WAA4C;AAC1E,QAAM,cAAc,MAAM,WAAW,OAAO,OAAO;AAAA,IACjD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AACA,SAAO,WAAW,OAAO,OAAO;AAAA,IAC9B;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM,IAAI,YAAY,EAAE,OAAO,mBAAmB;AAAA,IACpD;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAMA,eAAe,mBAAmB,OAAwC;AACxE,QAAM,cAAc,MAAM,WAAW,OAAO,OAAO;AAAA,IACjD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AACA,SAAO,WAAW,OAAO,OAAO;AAAA,IAC9B;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM,IAAI,YAAY,EAAE,OAAO,+BAA+B;AAAA,MAC9D,MAAM,IAAI,YAAY,EAAE,OAAO,mBAAmB;AAAA,IACpD;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAoBA,SAAS,cAAc,UAAgC;AACrD,QAAM,QAAQ,IAAI,WAAW,QAAQ;AACrC,MAAI,MAAM,SAAS,GAAI,QAAO;AAC9B,QAAM,YAAY,MAAM,EAAE;AAC1B,UAAQ,YAAY,OAAgB;AACtC;AAQA,eAAe,mBACb,SACA,aACqD;AACrD,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO,UAAU,OAAO,GAAG;AAC/D,WAAO,QAAQ,QAAI,2BAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,UAAM,2BAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,QAAM,KAAK,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC/D,QAAM,YAAY,MAAM,WAAW,OAAO,OAAO;AAAA,IAC/C,EAAE,MAAM,WAAW,GAAG;AAAA,IACtB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EAClC;AAEA,SAAO,EAAE,oBAAgB,2BAAe,SAAS,GAAG,YAAQ,2BAAe,EAAE,EAAE;AACjF;AAKA,eAAe,qBACb,YACA,aAC0B;AAC1B,QAAM,SAAK,2BAAe,WAAW,MAAM;AAC3C,QAAM,iBAAa,2BAAe,WAAW,cAAc;AAE3D,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,4BAAgB,wGAAmG;AAAA,EAC/H;AAEA,QAAM,SAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAS7D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AAC/D,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC;AAAA,UACA,2BAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,IACpB,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB;AAAA,IACA,KAAK;AAAA,IACL,UAAM,2BAAe,OAAO,IAAI;AAAA,EAClC;AACF;AAmBA,eAAsB,eACpB,SACA,OACA,UAAiC,CAAC,GACL;AAC7B,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,0BAA0B;AAAA,EACtC;AAEA,QAAM,OAAO,QAAQ,IAAI,OAAO,OAAO,WAAW,cAAc,OAAO,SAAS,WAAW;AAC3F,QAAM,SAAS,QAAQ,IAAI,QAAQ;AACnC,QAAM,UAAU,QAAQ,WAAW;AAEnC,QAAM,YAAY,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AACtE,QAAM,cAAc,IAAI,YAAY,EAAE,OAAO,QAAQ,MAAM;AAE3D,QAAM,yBAAyD;AAAA,IAC7D,kBAAkB;AAAA,IAClB,aAAa;AAAA,EACf;AACA,MAAI,QAAQ,wBAAwB,MAAM;AACxC,2BAAuB,0BAA0B;AAAA,EACnD,WAAW,QAAQ,wBAAwB,OAAO;AAChD,2BAAuB,0BAA0B;AAAA,EACnD;AAGA,QAAM,kBAAkB;AAAA,IACtB,KAAK,EAAE,MAAM,EAAE,OAAO,SAAS,EAAE;AAAA,EACnC;AAEA,QAAM,aAAa,MAAM,UAAU,YAAY,OAAO;AAAA,IACpD,WAAW;AAAA,MACT;AAAA,MACA,IAAI,EAAE,IAAI,MAAM,MAAM,OAAO;AAAA,MAC7B,MAAM;AAAA,QACJ,IAAI;AAAA,QACJ,MAAM,QAAQ;AAAA,QACd,aAAa,QAAQ;AAAA,MACvB;AAAA,MACA,kBAAkB;AAAA,QAChB,EAAE,MAAM,cAAc,KAAK,GAAG;AAAA;AAAA,QAC9B,EAAE,MAAM,cAAc,KAAK,KAAK;AAAA;AAAA,QAChC,EAAE,MAAM,cAAc,KAAK,GAAG;AAAA;AAAA,MAChC;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ;AAAA,IACF;AAAA,EACF,CAAC;AAED,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,uBAAuB,YAAY;AAAA,EAC/C;AAEA,QAAM,WAAY,WAAW,SAA8C,qBAAqB;AAChG,QAAM,SAAS,cAAc,QAAQ;AAErC,MAAI,QAAQ,uBAAuB,QAAQ;AACzC,UAAM,IAAI,yBAAyB;AAAA,EACrC;AAGA,QAAM,aAAa,WAAW,0BAA0B;AAGxD,QAAM,YAAY,WAAW,KAAK,SAAS;AAC3C,QAAM,UAAU,CAAC,CAAC;AAElB,QAAM,cAAc,YAChB,MAAM,iBAAiB,SAAS,IAChC,MAAM,mBAAmB,WAAW,KAAK;AAE7C,QAAM,EAAE,gBAAgB,OAAO,IAAI,MAAM,mBAAmB,SAAS,WAAW;AAEhF,SAAO;AAAA,IACL,iBAAiB;AAAA,IACjB;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB,kBAAc,2BAAe,WAAW,KAAK;AAAA,IAC7C;AAAA,IACA;AAAA,IACA,qBAAqB,QAAQ,uBAAuB;AAAA,IACpD;AAAA,IACA;AAAA,IACA,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,EACrC;AACF;AAkBA,eAAsB,eACpB,YACA,UAAiC,CAAC,GACR;AAC1B,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,0BAA0B;AAAA,EACtC;AAEA,QAAM,UAAU,QAAQ,WAAW;AACnC,QAAM,mBAAe,2BAAe,WAAW,YAAY;AAE3D,QAAM,kBAAmB,WAAW,UAChC,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,SAAS,EAAE,EAAE,IACrC,CAAC;AAGL,QAAM,YAAY,MAAM,UAAU,YAAY,IAAI;AAAA,IAChD,WAAW;AAAA,MACT,WAAW,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAAA,MAC/D,kBAAkB,CAAC,EAAE,MAAM,cAAc,IAAI,aAA6B,CAAC;AAAA,MAC3E,kBAAkB;AAAA,MAClB,YAAY;AAAA,MACZ;AAAA,IACF;AAAA,EACF,CAAC;AAED,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,uBAAuB,WAAW;AAAA,EAC9C;AAGA,QAAM,WAAY,UAAU,SAA4C;AACxE,QAAM,SAAS,cAAc,QAAQ;AACrC,MAAI,WAAW,uBAAuB,QAAQ;AAC5C,UAAM,IAAI,yBAAyB;AAAA,EACrC;AAGA,MAAI;AACJ,MAAI,WAAW,SAAS;AACtB,UAAM,aAAa,UAAU,0BAA0B;AAGvD,UAAM,YAAY,WAAW,KAAK,SAAS;AAC3C,QAAI,CAAC,WAAW;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,kBAAc,MAAM,iBAAiB,SAAS;AAAA,EAChD,OAAO;AACL,kBAAc,MAAM,mBAAmB,UAAU,KAAK;AAAA,EACxD;AAEA,SAAO,qBAAqB,YAAY,WAAW;AACrD;AAMO,SAAS,kBAAkB,OAA6C;AAC7E,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,IAAI;AACV,SACE,EAAE,oBAAoB,KACtB,OAAO,EAAE,UAAU,YACnB,OAAO,EAAE,WAAW,YACpB,OAAO,EAAE,iBAAiB,YAC1B,OAAO,EAAE,mBAAmB,YAC5B,OAAO,EAAE,WAAW;AAExB;","names":["import_hub"]}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,219 @@
+import { UnlockedKeyring } from '@noy-db/hub';
+export { ValidationError } from '@noy-db/hub';
+/**
+ * @noy-db/on-webauthn —
+ *
+ * Hardware-key keyring for noy-db using the WebAuthn API.
+ *
+ * Covers every form factor:
+ *   - Platform authenticators: Touch ID, Face ID, Windows Hello, Android biometric
+ *   - Roaming authenticators: YubiKey (5C NFC, Bio), SoloKey, Titan, any FIDO2 key
+ *   - Passkey-capable platform authenticators: iCloud Keychain, Google Password Manager
+ *
+ * Key derivation model
+ * ────────────────────
+ * This package uses the **PRF (Pseudo-Random Function) extension** when
+ * available to derive a deterministic wrapping key from the WebAuthn
+ * credential. The PRF output is consistent across assertions on the same
+ * device/credential, enabling unlock-without-passphrase while keeping the
+ * derived key bound to the physical authenticator.
+ *
+ * When PRF is not supported by the authenticator (common on older hardware),
+ * the package falls back to HKDF-SHA256 over the credential's `rawId` —
+ * the same approach as the pre-existing `@noy-db/core` biometric module.
+ *
+ * The derived key is NEVER persisted. It exists only in memory during the
+ * unlock operation. What IS persisted (in the noy-db adapter, not in browser
+ * storage) is the wrapped KEK: `encrypt(KEK, derivedKey)`.
+ *
+ * BE-flag guards
+ * ──────────────
+ * The backup-eligibility (BE) flag in a WebAuthn authenticator data signals
+ * that the credential is (or can be) synced across devices — e.g. stored in
+ * iCloud Keychain. For single-device security policies (air-gapped USB sticks,
+ * high-security terminals), this is a threat: the credential is available on
+ * any device where the user's iCloud account is signed in.
+ *
+ * The `requireSingleDevice: true` option rejects credentials with the BE flag
+ * set during enrollment. Existing enrollments are checked at assertion time —
+ * if the authenticator data shows BE=1 but `requireSingleDevice` was set at
+ * enrollment, the assertion throws `WebAuthnMultiDeviceError`.
+ *
+ * Enrollment flow
+ * ───────────────
+ * 1. User is already authenticated (passphrase or existing session).
+ * 2. Call `enrollWebAuthn(keyring, options)`.
+ * 3. WebAuthn credential is created; PRF or rawId-derived key wraps the KEK.
+ * 4. Returns a `WebAuthnEnrollment` — persist this to the noy-db adapter
+ *    via `saveEnrollment()`, or store it yourself in any encrypted collection.
+ *
+ * Unlock flow
+ * ───────────
+ * 1. Load the `WebAuthnEnrollment` via `loadEnrollment()`.
+ * 2. Call `unlockWebAuthn(enrollment, keyring)` — triggers the WebAuthn
+ *    assertion prompt.
+ * 3. On success, returns the unwrapped `CryptoKey` (the KEK) — use it to
+ *    re-hydrate the session via `createSession()`.
+ */
+/**
+ * Thrown when the WebAuthn API is not available in the current environment.
+ *
+ * Check `isWebAuthnAvailable()` before calling `enrollWebAuthn()` or
+ * `unlockWebAuthn()` and show a fallback UI (passphrase entry) if this
+ * returns false. Common scenarios: Node.js environments, older browsers,
+ * non-HTTPS origins (WebAuthn requires a Secure Context).
+ */
+declare class WebAuthnNotAvailableError extends Error {
+    readonly code = "WEBAUTHN_NOT_AVAILABLE";
+    constructor();
+}
+/**
+ * Thrown when the user dismisses the WebAuthn prompt without completing it.
+ *
+ * The `op` field distinguishes enrollment cancellation (user chose not to
+ * enroll a hardware key) from assertion cancellation (user dismissed the
+ * unlock prompt). Treat this as a user-initiated action, not an error — show
+ * a "use passphrase instead" option rather than an error message.
+ */
+declare class WebAuthnCancelledError extends Error {
+    readonly code = "WEBAUTHN_CANCELLED";
+    constructor(op: 'enrollment' | 'assertion');
+}
+/**
+ * Thrown when the authenticator has the backup-eligible (BE) flag set but
+ * the vault requires a single-device credential (`requireSingleDevice: true`).
+ *
+ * A BE credential is synced across devices (e.g. iCloud Keychain, Google
+ * Password Manager), which violates the single-device security model. The
+ * user must enroll a hardware security key (YubiKey, Titan, SoloKey) instead.
+ */
+declare class WebAuthnMultiDeviceError extends Error {
+    readonly code = "WEBAUTHN_MULTI_DEVICE";
+    constructor();
+}
+/**
+ * Thrown (as a non-fatal warning, caught internally) when the PRF extension
+ * is not supported by the authenticator.
+ *
+ * NOYDB prefers PRF for key derivation because it produces a
+ * credential-bound output that is deterministic and not extractable from
+ * the authenticator. When PRF is unavailable, enrollment falls back to
+ * HKDF over the credential's `rawId` — weaker binding, but still functional.
+ * This error is caught at enrollment time; callers only see it if they
+ * explicitly opt into strict PRF-only mode.
+ */
+declare class WebAuthnPRFUnavailableError extends Error {
+    readonly code = "WEBAUTHN_PRF_UNAVAILABLE";
+    constructor();
+}
+/**
+ * A persisted WebAuthn enrollment record. Store this in a noy-db
+ * collection (encrypted like any other record) or return it from
+ * `saveEnrollment()` / `loadEnrollment()` helpers.
+ */
+interface WebAuthnEnrollment {
+    /** Enrollment format version. */
+    readonly _noydb_webauthn: 1;
+    /** The vault this enrollment was created for. */
+    readonly vault: string;
+    /** The user ID this enrollment belongs to. */
+    readonly userId: string;
+    /** WebAuthn credential ID (base64). Use for allowCredentials in assertions. */
+    readonly credentialId: string;
+    /** Whether PRF was used for key derivation (vs rawId HKDF fallback). */
+    readonly prfUsed: boolean;
+    /** Whether the BE (backup-eligibility) flag was present at enrollment time. */
+    readonly beFlag: boolean;
+    /** Whether single-device was required at enrollment time. */
+    readonly requireSingleDevice: boolean;
+    /** The wrapped KEK: encrypt(exportedDekMap, derivedKey). Base64. */
+    readonly wrappedPayload: string;
+    /** IV used for the wrapping. Base64. */
+    readonly wrapIv: string;
+    /** ISO timestamp of enrollment. */
+    readonly enrolledAt: string;
+}
+/** Options for `enrollWebAuthn()`. */
+interface WebAuthnEnrollOptions {
+    /**
+     * Relying party ID and name for the WebAuthn credential.
+     * Defaults to `{ id: window.location.hostname, name: 'NOYDB' }`.
+     */
+    rp?: {
+        id?: string;
+        name: string;
+    };
+    /**
+     * If `true`, refuse to enroll credentials with the BE flag set
+     * (multi-device / syncable passkeys). Defaults to `false`.
+     *
+     * Set to `true` for high-security deployments where the credential
+     * must be bound to a single physical device (YubiKey, Titan, etc.).
+     */
+    requireSingleDevice?: boolean;
+    /**
+     * WebAuthn timeout in milliseconds. Default: 60_000.
+     */
+    timeout?: number;
+    /**
+     * If `true`, prefer a cross-platform authenticator (roaming security key).
+     * If `false`, prefer a platform authenticator (Touch ID, Face ID).
+     * If undefined, let the browser choose.
+     */
+    preferCrossPlatform?: boolean;
+}
+/** Options for `unlockWebAuthn()`. */
+interface WebAuthnUnlockOptions {
+    /** WebAuthn timeout in milliseconds. Default: 60_000. */
+    timeout?: number;
+}
+/**
+ * Returns `true` if WebAuthn is available and can be used for enrollment or unlock.
+ *
+ * Checks for `navigator.credentials`, `window.PublicKeyCredential`, and a
+ * Secure Context (`window.isSecureContext`). Call this before rendering the
+ * "Register hardware key" button to avoid showing options that will fail.
+ */
+declare function isWebAuthnAvailable(): boolean;
+/**
+ * Enroll a WebAuthn credential for the given keyring.
+ *
+ * The caller must already have an unlocked keyring (from passphrase auth or
+ * an existing session). The WebAuthn credential creation prompt is triggered
+ * by this call.
+ *
+ * Returns a `WebAuthnEnrollment` that should be persisted — typically via
+ * `saveEnrollment()` into a noy-db collection.
+ *
+ * @throws `WebAuthnNotAvailableError` if the environment doesn't support WebAuthn.
+ * @throws `WebAuthnCancelledError` if the user cancels the credential creation.
+ * @throws `WebAuthnMultiDeviceError` if `requireSingleDevice` is true and the
+ *         authenticator returned a credential with the BE flag set.
+ */
+declare function enrollWebAuthn(keyring: UnlockedKeyring, vault: string, options?: WebAuthnEnrollOptions): Promise<WebAuthnEnrollment>;
+/**
+ * Unlock a vault using a previously enrolled WebAuthn credential.
+ *
+ * Triggers the WebAuthn assertion prompt. On success, decrypts the keyring
+ * payload from the enrollment record and returns an `UnlockedKeyring`.
+ *
+ * The returned keyring has the same DEKs as at enrollment time. If DEKs
+ * have been rotated since enrollment, this will return stale DEKs — the
+ * caller should detect decryption failures and prompt for re-enrollment.
+ *
+ * @throws `WebAuthnNotAvailableError` if the environment doesn't support WebAuthn.
+ * @throws `WebAuthnCancelledError` if the user cancels the assertion.
+ * @throws `WebAuthnMultiDeviceError` if `requireSingleDevice` was set at
+ *         enrollment and the authenticator data now shows BE=1.
+ * @throws `ValidationError` if decryption of the keyring payload fails.
+ */
+declare function unlockWebAuthn(enrollment: WebAuthnEnrollment, options?: WebAuthnUnlockOptions): Promise<UnlockedKeyring>;
+/**
+ * Check whether a `WebAuthnEnrollment` record looks well-formed.
+ * Does not perform any cryptographic verification.
+ */
+declare function isValidEnrollment(value: unknown): value is WebAuthnEnrollment;
+export { WebAuthnCancelledError, type WebAuthnEnrollOptions, type WebAuthnEnrollment, WebAuthnMultiDeviceError, WebAuthnNotAvailableError, WebAuthnPRFUnavailableError, type WebAuthnUnlockOptions, enrollWebAuthn, isValidEnrollment, isWebAuthnAvailable, unlockWebAuthn };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,219 @@
+import { UnlockedKeyring } from '@noy-db/hub';
+export { ValidationError } from '@noy-db/hub';
+/**
+ * @noy-db/on-webauthn —
+ *
+ * Hardware-key keyring for noy-db using the WebAuthn API.
+ *
+ * Covers every form factor:
+ *   - Platform authenticators: Touch ID, Face ID, Windows Hello, Android biometric
+ *   - Roaming authenticators: YubiKey (5C NFC, Bio), SoloKey, Titan, any FIDO2 key
+ *   - Passkey-capable platform authenticators: iCloud Keychain, Google Password Manager
+ *
+ * Key derivation model
+ * ────────────────────
+ * This package uses the **PRF (Pseudo-Random Function) extension** when
+ * available to derive a deterministic wrapping key from the WebAuthn
+ * credential. The PRF output is consistent across assertions on the same
+ * device/credential, enabling unlock-without-passphrase while keeping the
+ * derived key bound to the physical authenticator.
+ *
+ * When PRF is not supported by the authenticator (common on older hardware),
+ * the package falls back to HKDF-SHA256 over the credential's `rawId` —
+ * the same approach as the pre-existing `@noy-db/core` biometric module.
+ *
+ * The derived key is NEVER persisted. It exists only in memory during the
+ * unlock operation. What IS persisted (in the noy-db adapter, not in browser
+ * storage) is the wrapped KEK: `encrypt(KEK, derivedKey)`.
+ *
+ * BE-flag guards
+ * ──────────────
+ * The backup-eligibility (BE) flag in a WebAuthn authenticator data signals
+ * that the credential is (or can be) synced across devices — e.g. stored in
+ * iCloud Keychain. For single-device security policies (air-gapped USB sticks,
+ * high-security terminals), this is a threat: the credential is available on
+ * any device where the user's iCloud account is signed in.
+ *
+ * The `requireSingleDevice: true` option rejects credentials with the BE flag
+ * set during enrollment. Existing enrollments are checked at assertion time —
+ * if the authenticator data shows BE=1 but `requireSingleDevice` was set at
+ * enrollment, the assertion throws `WebAuthnMultiDeviceError`.
+ *
+ * Enrollment flow
+ * ───────────────
+ * 1. User is already authenticated (passphrase or existing session).
+ * 2. Call `enrollWebAuthn(keyring, options)`.
+ * 3. WebAuthn credential is created; PRF or rawId-derived key wraps the KEK.
+ * 4. Returns a `WebAuthnEnrollment` — persist this to the noy-db adapter
+ *    via `saveEnrollment()`, or store it yourself in any encrypted collection.
+ *
+ * Unlock flow
+ * ───────────
+ * 1. Load the `WebAuthnEnrollment` via `loadEnrollment()`.
+ * 2. Call `unlockWebAuthn(enrollment, keyring)` — triggers the WebAuthn
+ *    assertion prompt.
+ * 3. On success, returns the unwrapped `CryptoKey` (the KEK) — use it to
+ *    re-hydrate the session via `createSession()`.
+ */
+/**
+ * Thrown when the WebAuthn API is not available in the current environment.
+ *
+ * Check `isWebAuthnAvailable()` before calling `enrollWebAuthn()` or
+ * `unlockWebAuthn()` and show a fallback UI (passphrase entry) if this
+ * returns false. Common scenarios: Node.js environments, older browsers,
+ * non-HTTPS origins (WebAuthn requires a Secure Context).
+ */
+declare class WebAuthnNotAvailableError extends Error {
+    readonly code = "WEBAUTHN_NOT_AVAILABLE";
+    constructor();
+}
+/**
+ * Thrown when the user dismisses the WebAuthn prompt without completing it.
+ *
+ * The `op` field distinguishes enrollment cancellation (user chose not to
+ * enroll a hardware key) from assertion cancellation (user dismissed the
+ * unlock prompt). Treat this as a user-initiated action, not an error — show
+ * a "use passphrase instead" option rather than an error message.
+ */
+declare class WebAuthnCancelledError extends Error {
+    readonly code = "WEBAUTHN_CANCELLED";
+    constructor(op: 'enrollment' | 'assertion');
+}
+/**
+ * Thrown when the authenticator has the backup-eligible (BE) flag set but
+ * the vault requires a single-device credential (`requireSingleDevice: true`).
+ *
+ * A BE credential is synced across devices (e.g. iCloud Keychain, Google
+ * Password Manager), which violates the single-device security model. The
+ * user must enroll a hardware security key (YubiKey, Titan, SoloKey) instead.
+ */
+declare class WebAuthnMultiDeviceError extends Error {
+    readonly code = "WEBAUTHN_MULTI_DEVICE";
+    constructor();
+}
+/**
+ * Thrown (as a non-fatal warning, caught internally) when the PRF extension
+ * is not supported by the authenticator.
+ *
+ * NOYDB prefers PRF for key derivation because it produces a
+ * credential-bound output that is deterministic and not extractable from
+ * the authenticator. When PRF is unavailable, enrollment falls back to
+ * HKDF over the credential's `rawId` — weaker binding, but still functional.
+ * This error is caught at enrollment time; callers only see it if they
+ * explicitly opt into strict PRF-only mode.
+ */
+declare class WebAuthnPRFUnavailableError extends Error {
+    readonly code = "WEBAUTHN_PRF_UNAVAILABLE";
+    constructor();
+}
+/**
+ * A persisted WebAuthn enrollment record. Store this in a noy-db
+ * collection (encrypted like any other record) or return it from
+ * `saveEnrollment()` / `loadEnrollment()` helpers.
+ */
+interface WebAuthnEnrollment {
+    /** Enrollment format version. */
+    readonly _noydb_webauthn: 1;
+    /** The vault this enrollment was created for. */
+    readonly vault: string;
+    /** The user ID this enrollment belongs to. */
+    readonly userId: string;
+    /** WebAuthn credential ID (base64). Use for allowCredentials in assertions. */
+    readonly credentialId: string;
+    /** Whether PRF was used for key derivation (vs rawId HKDF fallback). */
+    readonly prfUsed: boolean;
+    /** Whether the BE (backup-eligibility) flag was present at enrollment time. */
+    readonly beFlag: boolean;
+    /** Whether single-device was required at enrollment time. */
+    readonly requireSingleDevice: boolean;
+    /** The wrapped KEK: encrypt(exportedDekMap, derivedKey). Base64. */
+    readonly wrappedPayload: string;
+    /** IV used for the wrapping. Base64. */
+    readonly wrapIv: string;
+    /** ISO timestamp of enrollment. */
+    readonly enrolledAt: string;
+}
+/** Options for `enrollWebAuthn()`. */
+interface WebAuthnEnrollOptions {
+    /**
+     * Relying party ID and name for the WebAuthn credential.
+     * Defaults to `{ id: window.location.hostname, name: 'NOYDB' }`.
+     */
+    rp?: {
+        id?: string;
+        name: string;
+    };
+    /**
+     * If `true`, refuse to enroll credentials with the BE flag set
+     * (multi-device / syncable passkeys). Defaults to `false`.
+     *
+     * Set to `true` for high-security deployments where the credential
+     * must be bound to a single physical device (YubiKey, Titan, etc.).
+     */
+    requireSingleDevice?: boolean;
+    /**
+     * WebAuthn timeout in milliseconds. Default: 60_000.
+     */
+    timeout?: number;
+    /**
+     * If `true`, prefer a cross-platform authenticator (roaming security key).
+     * If `false`, prefer a platform authenticator (Touch ID, Face ID).
+     * If undefined, let the browser choose.
+     */
+    preferCrossPlatform?: boolean;
+}
+/** Options for `unlockWebAuthn()`. */
+interface WebAuthnUnlockOptions {
+    /** WebAuthn timeout in milliseconds. Default: 60_000. */
+    timeout?: number;
+}
+/**
+ * Returns `true` if WebAuthn is available and can be used for enrollment or unlock.
+ *
+ * Checks for `navigator.credentials`, `window.PublicKeyCredential`, and a
+ * Secure Context (`window.isSecureContext`). Call this before rendering the
+ * "Register hardware key" button to avoid showing options that will fail.
+ */
+declare function isWebAuthnAvailable(): boolean;
+/**
+ * Enroll a WebAuthn credential for the given keyring.
+ *
+ * The caller must already have an unlocked keyring (from passphrase auth or
+ * an existing session). The WebAuthn credential creation prompt is triggered
+ * by this call.
+ *
+ * Returns a `WebAuthnEnrollment` that should be persisted — typically via
+ * `saveEnrollment()` into a noy-db collection.
+ *
+ * @throws `WebAuthnNotAvailableError` if the environment doesn't support WebAuthn.
+ * @throws `WebAuthnCancelledError` if the user cancels the credential creation.
+ * @throws `WebAuthnMultiDeviceError` if `requireSingleDevice` is true and the
+ *         authenticator returned a credential with the BE flag set.
+ */
+declare function enrollWebAuthn(keyring: UnlockedKeyring, vault: string, options?: WebAuthnEnrollOptions): Promise<WebAuthnEnrollment>;
+/**
+ * Unlock a vault using a previously enrolled WebAuthn credential.
+ *
+ * Triggers the WebAuthn assertion prompt. On success, decrypts the keyring
+ * payload from the enrollment record and returns an `UnlockedKeyring`.
+ *
+ * The returned keyring has the same DEKs as at enrollment time. If DEKs
+ * have been rotated since enrollment, this will return stale DEKs — the
+ * caller should detect decryption failures and prompt for re-enrollment.
+ *
+ * @throws `WebAuthnNotAvailableError` if the environment doesn't support WebAuthn.
+ * @throws `WebAuthnCancelledError` if the user cancels the assertion.
+ * @throws `WebAuthnMultiDeviceError` if `requireSingleDevice` was set at
+ *         enrollment and the authenticator data now shows BE=1.
+ * @throws `ValidationError` if decryption of the keyring payload fails.
+ */
+declare function unlockWebAuthn(enrollment: WebAuthnEnrollment, options?: WebAuthnUnlockOptions): Promise<UnlockedKeyring>;
+/**
+ * Check whether a `WebAuthnEnrollment` record looks well-formed.
+ * Does not perform any cryptographic verification.
+ */
+declare function isValidEnrollment(value: unknown): value is WebAuthnEnrollment;
+export { WebAuthnCancelledError, type WebAuthnEnrollOptions, type WebAuthnEnrollment, WebAuthnMultiDeviceError, WebAuthnNotAvailableError, WebAuthnPRFUnavailableError, type WebAuthnUnlockOptions, enrollWebAuthn, isValidEnrollment, isWebAuthnAvailable, unlockWebAuthn };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,270 @@
+// src/index.ts
+import { bufferToBase64, base64ToBuffer } from "@noy-db/hub";
+import { ValidationError } from "@noy-db/hub";
+import { ValidationError as ValidationError2 } from "@noy-db/hub";
+var WebAuthnNotAvailableError = class extends Error {
+  code = "WEBAUTHN_NOT_AVAILABLE";
+  constructor() {
+    super("WebAuthn is not available in this environment. A browser with navigator.credentials support is required.");
+    this.name = "WebAuthnNotAvailableError";
+  }
+};
+var WebAuthnCancelledError = class extends Error {
+  code = "WEBAUTHN_CANCELLED";
+  constructor(op) {
+    super(`WebAuthn ${op} was cancelled by the user.`);
+    this.name = "WebAuthnCancelledError";
+  }
+};
+var WebAuthnMultiDeviceError = class extends Error {
+  code = "WEBAUTHN_MULTI_DEVICE";
+  constructor() {
+    super(
+      "This credential is backup-eligible (BE flag set) and may be synced across devices. The vault requires a single-device credential (requireSingleDevice: true). Please use a hardware security key (YubiKey, Titan, SoloKey) or a platform authenticator that does not sync credentials across devices."
+    );
+    this.name = "WebAuthnMultiDeviceError";
+  }
+};
+var WebAuthnPRFUnavailableError = class extends Error {
+  code = "WEBAUTHN_PRF_UNAVAILABLE";
+  constructor() {
+    super(
+      "The PRF extension is not available on this authenticator. Enrollment will fall back to rawId-based key derivation. This provides weaker binding to the specific authenticator."
+    );
+    this.name = "WebAuthnPRFUnavailableError";
+  }
+};
+function isWebAuthnAvailable() {
+  return typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined" && typeof navigator !== "undefined" && typeof navigator.credentials !== "undefined";
+}
+var PRF_SALT = new TextEncoder().encode("noydb-webauthn-kek-derive");
+async function deriveKeyFromPRF(prfOutput) {
+  const keyMaterial = await globalThis.crypto.subtle.importKey(
+    "raw",
+    prfOutput,
+    "HKDF",
+    false,
+    ["deriveKey"]
+  );
+  return globalThis.crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: PRF_SALT,
+      info: new TextEncoder().encode("noydb-kek-wrap-v1")
+    },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function deriveKeyFromRawId(rawId) {
+  const keyMaterial = await globalThis.crypto.subtle.importKey(
+    "raw",
+    rawId,
+    "HKDF",
+    false,
+    ["deriveKey"]
+  );
+  return globalThis.crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: new TextEncoder().encode("noydb-webauthn-rawid-fallback"),
+      info: new TextEncoder().encode("noydb-kek-wrap-v1")
+    },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+function extractBEFlag(authData) {
+  const bytes = new Uint8Array(authData);
+  if (bytes.length < 33) return false;
+  const flagsByte = bytes[32];
+  return (flagsByte & 8) !== 0;
+}
+async function wrapKeyringSummary(keyring, wrappingKey) {
+  const dekMap = {};
+  for (const [collName, dek] of keyring.deks) {
+    const raw = await globalThis.crypto.subtle.exportKey("raw", dek);
+    dekMap[collName] = bufferToBase64(raw);
+  }
+  const payload = JSON.stringify({
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: dekMap,
+    salt: bufferToBase64(keyring.salt)
+  });
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const encrypted = await globalThis.crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    wrappingKey,
+    new TextEncoder().encode(payload)
+  );
+  return { wrappedPayload: bufferToBase64(encrypted), wrapIv: bufferToBase64(iv) };
+}
+async function unwrapKeyringSummary(enrollment, wrappingKey) {
+  const iv = base64ToBuffer(enrollment.wrapIv);
+  const ciphertext = base64ToBuffer(enrollment.wrappedPayload);
+  let plaintext;
+  try {
+    plaintext = await globalThis.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      wrappingKey,
+      ciphertext
+    );
+  } catch {
+    throw new ValidationError("WebAuthn decryption failed \u2014 the authenticator may have changed or the enrollment may be corrupt.");
+  }
+  const parsed = JSON.parse(new TextDecoder().decode(plaintext));
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {
+    const dek = await globalThis.crypto.subtle.importKey(
+      "raw",
+      base64ToBuffer(rawBase64),
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    deks.set(collName, dek);
+  }
+  return {
+    userId: parsed.userId,
+    displayName: parsed.displayName,
+    role: parsed.role,
+    permissions: parsed.permissions,
+    deks,
+    kek: null,
+    salt: base64ToBuffer(parsed.salt)
+  };
+}
+async function enrollWebAuthn(keyring, vault, options = {}) {
+  if (!isWebAuthnAvailable()) {
+    throw new WebAuthnNotAvailableError();
+  }
+  const rpId = options.rp?.id ?? (typeof window !== "undefined" ? window.location.hostname : "localhost");
+  const rpName = options.rp?.name ?? "NOYDB";
+  const timeout = options.timeout ?? 6e4;
+  const challenge = globalThis.crypto.getRandomValues(new Uint8Array(32));
+  const userIdBytes = new TextEncoder().encode(keyring.userId);
+  const authenticatorSelection = {
+    userVerification: "required",
+    residentKey: "preferred"
+  };
+  if (options.preferCrossPlatform === true) {
+    authenticatorSelection.authenticatorAttachment = "cross-platform";
+  } else if (options.preferCrossPlatform === false) {
+    authenticatorSelection.authenticatorAttachment = "platform";
+  }
+  const extensionsInput = {
+    prf: { eval: { first: PRF_SALT } }
+  };
+  const credential = await navigator.credentials.create({
+    publicKey: {
+      challenge,
+      rp: { id: rpId, name: rpName },
+      user: {
+        id: userIdBytes,
+        name: keyring.userId,
+        displayName: keyring.displayName
+      },
+      pubKeyCredParams: [
+        { type: "public-key", alg: -7 },
+        // ES256
+        { type: "public-key", alg: -257 },
+        // RS256
+        { type: "public-key", alg: -8 }
+        // EdDSA
+      ],
+      authenticatorSelection,
+      extensions: extensionsInput,
+      timeout
+    }
+  });
+  if (!credential) {
+    throw new WebAuthnCancelledError("enrollment");
+  }
+  const authData = credential.response.getAuthenticatorData();
+  const beFlag = extractBEFlag(authData);
+  if (options.requireSingleDevice && beFlag) {
+    throw new WebAuthnMultiDeviceError();
+  }
+  const extensions = credential.getClientExtensionResults();
+  const prfOutput = extensions.prf?.results?.first;
+  const prfUsed = !!prfOutput;
+  const wrappingKey = prfOutput ? await deriveKeyFromPRF(prfOutput) : await deriveKeyFromRawId(credential.rawId);
+  const { wrappedPayload, wrapIv } = await wrapKeyringSummary(keyring, wrappingKey);
+  return {
+    _noydb_webauthn: 1,
+    vault,
+    userId: keyring.userId,
+    credentialId: bufferToBase64(credential.rawId),
+    prfUsed,
+    beFlag,
+    requireSingleDevice: options.requireSingleDevice ?? false,
+    wrappedPayload,
+    wrapIv,
+    enrolledAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function unlockWebAuthn(enrollment, options = {}) {
+  if (!isWebAuthnAvailable()) {
+    throw new WebAuthnNotAvailableError();
+  }
+  const timeout = options.timeout ?? 6e4;
+  const credentialId = base64ToBuffer(enrollment.credentialId);
+  const extensionsInput = enrollment.prfUsed ? { prf: { eval: { first: PRF_SALT } } } : {};
+  const assertion = await navigator.credentials.get({
+    publicKey: {
+      challenge: globalThis.crypto.getRandomValues(new Uint8Array(32)),
+      allowCredentials: [{ type: "public-key", id: credentialId }],
+      userVerification: "required",
+      extensions: extensionsInput,
+      timeout
+    }
+  });
+  if (!assertion) {
+    throw new WebAuthnCancelledError("assertion");
+  }
+  const authData = assertion.response.authenticatorData;
+  const beFlag = extractBEFlag(authData);
+  if (enrollment.requireSingleDevice && beFlag) {
+    throw new WebAuthnMultiDeviceError();
+  }
+  let wrappingKey;
+  if (enrollment.prfUsed) {
+    const extensions = assertion.getClientExtensionResults();
+    const prfOutput = extensions.prf?.results?.first;
+    if (!prfOutput) {
+      throw new ValidationError(
+        "PRF extension output not available at assertion time. The authenticator may not support PRF. Re-enroll without PRF support."
+      );
+    }
+    wrappingKey = await deriveKeyFromPRF(prfOutput);
+  } else {
+    wrappingKey = await deriveKeyFromRawId(assertion.rawId);
+  }
+  return unwrapKeyringSummary(enrollment, wrappingKey);
+}
+function isValidEnrollment(value) {
+  if (!value || typeof value !== "object") return false;
+  const e = value;
+  return e._noydb_webauthn === 1 && typeof e.vault === "string" && typeof e.userId === "string" && typeof e.credentialId === "string" && typeof e.wrappedPayload === "string" && typeof e.wrapIv === "string";
+}
+export {
+  ValidationError2 as ValidationError,
+  WebAuthnCancelledError,
+  WebAuthnMultiDeviceError,
+  WebAuthnNotAvailableError,
+  WebAuthnPRFUnavailableError,
+  enrollWebAuthn,
+  isValidEnrollment,
+  isWebAuthnAvailable,
+  unlockWebAuthn
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @noy-db/on-webauthn —\n *\n * Hardware-key keyring for noy-db using the WebAuthn API.\n *\n * Covers every form factor:\n * - Platform authenticators: Touch ID, Face ID, Windows Hello, Android biometric\n * - Roaming authenticators: YubiKey (5C NFC, Bio), SoloKey, Titan, any FIDO2 key\n * - Passkey-capable platform authenticators: iCloud Keychain, Google Password Manager\n *\n * Key derivation model\n * ────────────────────\n * This package uses the **PRF (Pseudo-Random Function) extension** when\n * available to derive a deterministic wrapping key from the WebAuthn\n * credential. The PRF output is consistent across assertions on the same\n * device/credential, enabling unlock-without-passphrase while keeping the\n * derived key bound to the physical authenticator.\n *\n * When PRF is not supported by the authenticator (common on older hardware),\n * the package falls back to HKDF-SHA256 over the credential's `rawId` —\n * the same approach as the pre-existing `@noy-db/core` biometric module.\n *\n * The derived key is NEVER persisted. It exists only in memory during the\n * unlock operation. What IS persisted (in the noy-db adapter, not in browser\n * storage) is the wrapped KEK: `encrypt(KEK, derivedKey)`.\n *\n * BE-flag guards\n * ──────────────\n * The backup-eligibility (BE) flag in a WebAuthn authenticator data signals\n * that the credential is (or can be) synced across devices — e.g. stored in\n * iCloud Keychain. For single-device security policies (air-gapped USB sticks,\n * high-security terminals), this is a threat: the credential is available on\n * any device where the user's iCloud account is signed in.\n *\n * The `requireSingleDevice: true` option rejects credentials with the BE flag\n * set during enrollment. Existing enrollments are checked at assertion time —\n * if the authenticator data shows BE=1 but `requireSingleDevice` was set at\n * enrollment, the assertion throws `WebAuthnMultiDeviceError`.\n *\n * Enrollment flow\n * ───────────────\n * 1. User is already authenticated (passphrase or existing session).\n * 2. Call `enrollWebAuthn(keyring, options)`.\n * 3. WebAuthn credential is created; PRF or rawId-derived key wraps the KEK.\n * 4. Returns a `WebAuthnEnrollment` — persist this to the noy-db adapter\n * via `saveEnrollment()`, or store it yourself in any encrypted collection.\n *\n * Unlock flow\n * ───────────\n * 1. Load the `WebAuthnEnrollment` via `loadEnrollment()`.\n * 2. Call `unlockWebAuthn(enrollment, keyring)` — triggers the WebAuthn\n * assertion prompt.\n * 3. On success, returns the unwrapped `CryptoKey` (the KEK) — use it to\n * re-hydrate the session via `createSession()`.\n */\n\nimport { bufferToBase64, base64ToBuffer } from '@noy-db/hub'\nimport { ValidationError } from '@noy-db/hub'\nimport type { UnlockedKeyring, Role } from '@noy-db/hub'\n\n// Re-export from core for convenience\nexport { ValidationError } from '@noy-db/hub'\n\n// ─── Error types ──────────────────────────────────────────────────────\n\n/**\n * Thrown when the WebAuthn API is not available in the current environment.\n *\n * Check `isWebAuthnAvailable()` before calling `enrollWebAuthn()` or\n * `unlockWebAuthn()` and show a fallback UI (passphrase entry) if this\n * returns false. Common scenarios: Node.js environments, older browsers,\n * non-HTTPS origins (WebAuthn requires a Secure Context).\n */\nexport class WebAuthnNotAvailableError extends Error {\n readonly code = 'WEBAUTHN_NOT_AVAILABLE'\n constructor() {\n super('WebAuthn is not available in this environment. A browser with navigator.credentials support is required.')\n this.name = 'WebAuthnNotAvailableError'\n }\n}\n\n/**\n * Thrown when the user dismisses the WebAuthn prompt without completing it.\n *\n * The `op` field distinguishes enrollment cancellation (user chose not to\n * enroll a hardware key) from assertion cancellation (user dismissed the\n * unlock prompt). Treat this as a user-initiated action, not an error — show\n * a \"use passphrase instead\" option rather than an error message.\n */\nexport class WebAuthnCancelledError extends Error {\n readonly code = 'WEBAUTHN_CANCELLED'\n constructor(op: 'enrollment' | 'assertion') {\n super(`WebAuthn ${op} was cancelled by the user.`)\n this.name = 'WebAuthnCancelledError'\n }\n}\n\n/**\n * Thrown when the authenticator has the backup-eligible (BE) flag set but\n * the vault requires a single-device credential (`requireSingleDevice: true`).\n *\n * A BE credential is synced across devices (e.g. iCloud Keychain, Google\n * Password Manager), which violates the single-device security model. The\n * user must enroll a hardware security key (YubiKey, Titan, SoloKey) instead.\n */\nexport class WebAuthnMultiDeviceError extends Error {\n readonly code = 'WEBAUTHN_MULTI_DEVICE'\n constructor() {\n super(\n 'This credential is backup-eligible (BE flag set) and may be synced across devices. ' +\n 'The vault requires a single-device credential (requireSingleDevice: true). ' +\n 'Please use a hardware security key (YubiKey, Titan, SoloKey) or a platform ' +\n 'authenticator that does not sync credentials across devices.',\n )\n this.name = 'WebAuthnMultiDeviceError'\n }\n}\n\n/**\n * Thrown (as a non-fatal warning, caught internally) when the PRF extension\n * is not supported by the authenticator.\n *\n * NOYDB prefers PRF for key derivation because it produces a\n * credential-bound output that is deterministic and not extractable from\n * the authenticator. When PRF is unavailable, enrollment falls back to\n * HKDF over the credential's `rawId` — weaker binding, but still functional.\n * This error is caught at enrollment time; callers only see it if they\n * explicitly opt into strict PRF-only mode.\n */\nexport class WebAuthnPRFUnavailableError extends Error {\n readonly code = 'WEBAUTHN_PRF_UNAVAILABLE'\n constructor() {\n super(\n 'The PRF extension is not available on this authenticator. ' +\n 'Enrollment will fall back to rawId-based key derivation. ' +\n 'This provides weaker binding to the specific authenticator.',\n )\n this.name = 'WebAuthnPRFUnavailableError'\n }\n}\n\n// ─── Types ────────────────────────────────────────────────────────────\n\n/**\n * A persisted WebAuthn enrollment record. Store this in a noy-db\n * collection (encrypted like any other record) or return it from\n * `saveEnrollment()` / `loadEnrollment()` helpers.\n */\nexport interface WebAuthnEnrollment {\n /** Enrollment format version. */\n readonly _noydb_webauthn: 1\n /** The vault this enrollment was created for. */\n readonly vault: string\n /** The user ID this enrollment belongs to. */\n readonly userId: string\n /** WebAuthn credential ID (base64). Use for allowCredentials in assertions. */\n readonly credentialId: string\n /** Whether PRF was used for key derivation (vs rawId HKDF fallback). */\n readonly prfUsed: boolean\n /** Whether the BE (backup-eligibility) flag was present at enrollment time. */\n readonly beFlag: boolean\n /** Whether single-device was required at enrollment time. */\n readonly requireSingleDevice: boolean\n /** The wrapped KEK: encrypt(exportedDekMap, derivedKey). Base64. */\n readonly wrappedPayload: string\n /** IV used for the wrapping. Base64. */\n readonly wrapIv: string\n /** ISO timestamp of enrollment. */\n readonly enrolledAt: string\n}\n\n/** Options for `enrollWebAuthn()`. */\nexport interface WebAuthnEnrollOptions {\n /**\n * Relying party ID and name for the WebAuthn credential.\n * Defaults to `{ id: window.location.hostname, name: 'NOYDB' }`.\n */\n rp?: { id?: string; name: string }\n /**\n * If `true`, refuse to enroll credentials with the BE flag set\n * (multi-device / syncable passkeys). Defaults to `false`.\n *\n * Set to `true` for high-security deployments where the credential\n * must be bound to a single physical device (YubiKey, Titan, etc.).\n */\n requireSingleDevice?: boolean\n /**\n * WebAuthn timeout in milliseconds. Default: 60_000.\n */\n timeout?: number\n /**\n * If `true`, prefer a cross-platform authenticator (roaming security key).\n * If `false`, prefer a platform authenticator (Touch ID, Face ID).\n * If undefined, let the browser choose.\n */\n preferCrossPlatform?: boolean\n}\n\n/** Options for `unlockWebAuthn()`. */\nexport interface WebAuthnUnlockOptions {\n /** WebAuthn timeout in milliseconds. Default: 60_000. */\n timeout?: number\n}\n\n// ─── Environment check ─────────────────────────────────────────────────\n\n/**\n * Returns `true` if WebAuthn is available and can be used for enrollment or unlock.\n *\n * Checks for `navigator.credentials`, `window.PublicKeyCredential`, and a\n * Secure Context (`window.isSecureContext`). Call this before rendering the\n * \"Register hardware key\" button to avoid showing options that will fail.\n */\nexport function isWebAuthnAvailable(): boolean {\n return (\n typeof window !== 'undefined' &&\n typeof window.PublicKeyCredential !== 'undefined' &&\n typeof navigator !== 'undefined' &&\n typeof navigator.credentials !== 'undefined'\n )\n}\n\n// ─── PRF salt ─────────────────────────────────────────────────────────\n\nconst PRF_SALT = new TextEncoder().encode('noydb-webauthn-kek-derive')\n\n// ─── Key derivation helpers ────────────────────────────────────────────\n\n/**\n * Derive a wrapping key from PRF output.\n * PRF output is 32 bytes of authenticator-bound pseudo-random data.\n */\nasync function deriveKeyFromPRF(prfOutput: ArrayBuffer): Promise<CryptoKey> {\n const keyMaterial = await globalThis.crypto.subtle.importKey(\n 'raw',\n prfOutput,\n 'HKDF',\n false,\n ['deriveKey'],\n )\n return globalThis.crypto.subtle.deriveKey(\n {\n name: 'HKDF',\n hash: 'SHA-256',\n salt: PRF_SALT,\n info: new TextEncoder().encode('noydb-kek-wrap-v1'),\n },\n keyMaterial,\n { name: 'AES-GCM', length: 256 },\n false,\n ['encrypt', 'decrypt'],\n )\n}\n\n/**\n * Derive a wrapping key from the credential's rawId (fallback when PRF unavailable).\n * Weaker than PRF (rawId may be observable to the server) but universally supported.\n */\nasync function deriveKeyFromRawId(rawId: ArrayBuffer): Promise<CryptoKey> {\n const keyMaterial = await globalThis.crypto.subtle.importKey(\n 'raw',\n rawId,\n 'HKDF',\n false,\n ['deriveKey'],\n )\n return globalThis.crypto.subtle.deriveKey(\n {\n name: 'HKDF',\n hash: 'SHA-256',\n salt: new TextEncoder().encode('noydb-webauthn-rawid-fallback'),\n info: new TextEncoder().encode('noydb-kek-wrap-v1'),\n },\n keyMaterial,\n { name: 'AES-GCM', length: 256 },\n false,\n ['encrypt', 'decrypt'],\n )\n}\n\n// ─── BE flag extraction ────────────────────────────────────────────────\n\n/**\n * Extract the BE (backup-eligibility) flag from WebAuthn authenticator data.\n * Authenticator data byte layout (CTAP2 spec):\n * bytes 0-31: rpIdHash\n * byte 32: flags byte\n * bytes 33-36: signCount\n * ...\n *\n * Flags byte bit layout (bit 0 = LSB):\n * bit 0 (UP): user presence\n * bit 2 (UV): user verification\n * bit 3 (BE): backup eligibility\n * bit 4 (BS): backup state\n * bit 6 (AT): attested credential data present\n * bit 7 (ED): extension data present\n */\nfunction extractBEFlag(authData: ArrayBuffer): boolean {\n const bytes = new Uint8Array(authData)\n if (bytes.length < 33) return false\n const flagsByte = bytes[32]!\n return (flagsByte & 0b00001000) !== 0 // bit 3\n}\n\n// ─── Payload wrap/unwrap ───────────────────────────────────────────────\n\n/**\n * Serialize and encrypt the DEK map from `keyring` using `wrappingKey`.\n * The wrapped payload is what gets stored in the enrollment record.\n */\nasync function wrapKeyringSummary(\n keyring: UnlockedKeyring,\n wrappingKey: CryptoKey,\n): Promise<{ wrappedPayload: string; wrapIv: string }> {\n const dekMap: Record<string, string> = {}\n for (const [collName, dek] of keyring.deks) {\n const raw = await globalThis.crypto.subtle.exportKey('raw', dek)\n dekMap[collName] = bufferToBase64(raw)\n }\n\n const payload = JSON.stringify({\n userId: keyring.userId,\n displayName: keyring.displayName,\n role: keyring.role,\n permissions: keyring.permissions,\n deks: dekMap,\n salt: bufferToBase64(keyring.salt),\n })\n\n const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))\n const encrypted = await globalThis.crypto.subtle.encrypt(\n { name: 'AES-GCM', iv },\n wrappingKey,\n new TextEncoder().encode(payload),\n )\n\n return { wrappedPayload: bufferToBase64(encrypted), wrapIv: bufferToBase64(iv) }\n}\n\n/**\n * Decrypt and deserialize the keyring payload using `wrappingKey`.\n */\nasync function unwrapKeyringSummary(\n enrollment: WebAuthnEnrollment,\n wrappingKey: CryptoKey,\n): Promise<UnlockedKeyring> {\n const iv = base64ToBuffer(enrollment.wrapIv)\n const ciphertext = base64ToBuffer(enrollment.wrappedPayload)\n\n let plaintext: ArrayBuffer\n try {\n plaintext = await globalThis.crypto.subtle.decrypt(\n { name: 'AES-GCM', iv },\n wrappingKey,\n ciphertext,\n )\n } catch {\n throw new ValidationError('WebAuthn decryption failed — the authenticator may have changed or the enrollment may be corrupt.')\n }\n\n const parsed = JSON.parse(new TextDecoder().decode(plaintext)) as {\n userId: string\n displayName: string\n role: Role\n permissions: Record<string, 'rw' | 'ro'>\n deks: Record<string, string>\n salt: string\n }\n\n const deks = new Map<string, CryptoKey>()\n for (const [collName, rawBase64] of Object.entries(parsed.deks)) {\n const dek = await globalThis.crypto.subtle.importKey(\n 'raw',\n base64ToBuffer(rawBase64),\n { name: 'AES-GCM', length: 256 },\n true,\n ['encrypt', 'decrypt'],\n )\n deks.set(collName, dek)\n }\n\n return {\n userId: parsed.userId,\n displayName: parsed.displayName,\n role: parsed.role,\n permissions: parsed.permissions,\n deks,\n kek: null as unknown as CryptoKey,\n salt: base64ToBuffer(parsed.salt),\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Enroll a WebAuthn credential for the given keyring.\n *\n * The caller must already have an unlocked keyring (from passphrase auth or\n * an existing session). The WebAuthn credential creation prompt is triggered\n * by this call.\n *\n * Returns a `WebAuthnEnrollment` that should be persisted — typically via\n * `saveEnrollment()` into a noy-db collection.\n *\n * @throws `WebAuthnNotAvailableError` if the environment doesn't support WebAuthn.\n * @throws `WebAuthnCancelledError` if the user cancels the credential creation.\n * @throws `WebAuthnMultiDeviceError` if `requireSingleDevice` is true and the\n * authenticator returned a credential with the BE flag set.\n */\nexport async function enrollWebAuthn(\n keyring: UnlockedKeyring,\n vault: string,\n options: WebAuthnEnrollOptions = {},\n): Promise<WebAuthnEnrollment> {\n if (!isWebAuthnAvailable()) {\n throw new WebAuthnNotAvailableError()\n }\n\n const rpId = options.rp?.id ?? (typeof window !== 'undefined' ? window.location.hostname : 'localhost')\n const rpName = options.rp?.name ?? 'NOYDB'\n const timeout = options.timeout ?? 60_000\n\n const challenge = globalThis.crypto.getRandomValues(new Uint8Array(32))\n const userIdBytes = new TextEncoder().encode(keyring.userId)\n\n const authenticatorSelection: AuthenticatorSelectionCriteria = {\n userVerification: 'required',\n residentKey: 'preferred',\n }\n if (options.preferCrossPlatform === true) {\n authenticatorSelection.authenticatorAttachment = 'cross-platform'\n } else if (options.preferCrossPlatform === false) {\n authenticatorSelection.authenticatorAttachment = 'platform'\n }\n\n // Request PRF extension for deterministic key derivation\n const extensionsInput = {\n prf: { eval: { first: PRF_SALT } },\n } as AuthenticationExtensionsClientInputs\n\n const credential = await navigator.credentials.create({\n publicKey: {\n challenge,\n rp: { id: rpId, name: rpName },\n user: {\n id: userIdBytes,\n name: keyring.userId,\n displayName: keyring.displayName,\n },\n pubKeyCredParams: [\n { type: 'public-key', alg: -7 }, // ES256\n { type: 'public-key', alg: -257 }, // RS256\n { type: 'public-key', alg: -8 }, // EdDSA\n ],\n authenticatorSelection,\n extensions: extensionsInput,\n timeout,\n },\n }) as PublicKeyCredential | null\n\n if (!credential) {\n throw new WebAuthnCancelledError('enrollment')\n }\n\n const authData = (credential.response as AuthenticatorAttestationResponse).getAuthenticatorData()\n const beFlag = extractBEFlag(authData)\n\n if (options.requireSingleDevice && beFlag) {\n throw new WebAuthnMultiDeviceError()\n }\n\n // Try to get PRF output from extensions\n const extensions = credential.getClientExtensionResults() as {\n prf?: { results?: { first?: ArrayBuffer } }\n }\n const prfOutput = extensions.prf?.results?.first\n const prfUsed = !!prfOutput\n\n const wrappingKey = prfOutput\n ? await deriveKeyFromPRF(prfOutput)\n : await deriveKeyFromRawId(credential.rawId)\n\n const { wrappedPayload, wrapIv } = await wrapKeyringSummary(keyring, wrappingKey)\n\n return {\n _noydb_webauthn: 1,\n vault,\n userId: keyring.userId,\n credentialId: bufferToBase64(credential.rawId),\n prfUsed,\n beFlag,\n requireSingleDevice: options.requireSingleDevice ?? false,\n wrappedPayload,\n wrapIv,\n enrolledAt: new Date().toISOString(),\n }\n}\n\n/**\n * Unlock a vault using a previously enrolled WebAuthn credential.\n *\n * Triggers the WebAuthn assertion prompt. On success, decrypts the keyring\n * payload from the enrollment record and returns an `UnlockedKeyring`.\n *\n * The returned keyring has the same DEKs as at enrollment time. If DEKs\n * have been rotated since enrollment, this will return stale DEKs — the\n * caller should detect decryption failures and prompt for re-enrollment.\n *\n * @throws `WebAuthnNotAvailableError` if the environment doesn't support WebAuthn.\n * @throws `WebAuthnCancelledError` if the user cancels the assertion.\n * @throws `WebAuthnMultiDeviceError` if `requireSingleDevice` was set at\n * enrollment and the authenticator data now shows BE=1.\n * @throws `ValidationError` if decryption of the keyring payload fails.\n */\nexport async function unlockWebAuthn(\n enrollment: WebAuthnEnrollment,\n options: WebAuthnUnlockOptions = {},\n): Promise<UnlockedKeyring> {\n if (!isWebAuthnAvailable()) {\n throw new WebAuthnNotAvailableError()\n }\n\n const timeout = options.timeout ?? 60_000\n const credentialId = base64ToBuffer(enrollment.credentialId)\n\n const extensionsInput = (enrollment.prfUsed\n ? { prf: { eval: { first: PRF_SALT } } }\n : {}\n ) as AuthenticationExtensionsClientInputs\n\n const assertion = await navigator.credentials.get({\n publicKey: {\n challenge: globalThis.crypto.getRandomValues(new Uint8Array(32)),\n allowCredentials: [{ type: 'public-key', id: credentialId as BufferSource }],\n userVerification: 'required',\n extensions: extensionsInput,\n timeout,\n },\n }) as PublicKeyCredential | null\n\n if (!assertion) {\n throw new WebAuthnCancelledError('assertion')\n }\n\n // BE-flag guard at assertion time\n const authData = (assertion.response as AuthenticatorAssertionResponse).authenticatorData\n const beFlag = extractBEFlag(authData)\n if (enrollment.requireSingleDevice && beFlag) {\n throw new WebAuthnMultiDeviceError()\n }\n\n // Derive the wrapping key using the same method as enrollment\n let wrappingKey: CryptoKey\n if (enrollment.prfUsed) {\n const extensions = assertion.getClientExtensionResults() as {\n prf?: { results?: { first?: ArrayBuffer } }\n }\n const prfOutput = extensions.prf?.results?.first\n if (!prfOutput) {\n throw new ValidationError(\n 'PRF extension output not available at assertion time. ' +\n 'The authenticator may not support PRF. Re-enroll without PRF support.',\n )\n }\n wrappingKey = await deriveKeyFromPRF(prfOutput)\n } else {\n wrappingKey = await deriveKeyFromRawId(assertion.rawId)\n }\n\n return unwrapKeyringSummary(enrollment, wrappingKey)\n}\n\n/**\n * Check whether a `WebAuthnEnrollment` record looks well-formed.\n * Does not perform any cryptographic verification.\n */\nexport function isValidEnrollment(value: unknown): value is WebAuthnEnrollment {\n if (!value || typeof value !== 'object') return false\n const e = value as Record<string, unknown>\n return (\n e._noydb_webauthn === 1 &&\n typeof e.vault === 'string' &&\n typeof e.userId === 'string' &&\n typeof e.credentialId === 'string' &&\n typeof e.wrappedPayload === 'string' &&\n typeof e.wrapIv === 'string'\n )\n}\n"],"mappings":";AAwDA,SAAS,gBAAgB,sBAAsB;AAC/C,SAAS,uBAAuB;AAIhC,SAAS,mBAAAA,wBAAuB;AAYzB,IAAM,4BAAN,cAAwC,MAAM;AAAA,EAC1C,OAAO;AAAA,EAChB,cAAc;AACZ,UAAM,0GAA0G;AAChH,SAAK,OAAO;AAAA,EACd;AACF;AAUO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EACvC,OAAO;AAAA,EAChB,YAAY,IAAgC;AAC1C,UAAM,YAAY,EAAE,6BAA6B;AACjD,SAAK,OAAO;AAAA,EACd;AACF;AAUO,IAAM,2BAAN,cAAuC,MAAM;AAAA,EACzC,OAAO;AAAA,EAChB,cAAc;AACZ;AAAA,MACE;AAAA,IAIF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAaO,IAAM,8BAAN,cAA0C,MAAM;AAAA,EAC5C,OAAO;AAAA,EAChB,cAAc;AACZ;AAAA,MACE;AAAA,IAGF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AA0EO,SAAS,sBAA+B;AAC7C,SACE,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB,eACtC,OAAO,cAAc,eACrB,OAAO,UAAU,gBAAgB;AAErC;AAIA,IAAM,WAAW,IAAI,YAAY,EAAE,OAAO,2BAA2B;AAQrE,eAAe,iBAAiB,WAA4C;AAC1E,QAAM,cAAc,MAAM,WAAW,OAAO,OAAO;AAAA,IACjD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AACA,SAAO,WAAW,OAAO,OAAO;AAAA,IAC9B;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM,IAAI,YAAY,EAAE,OAAO,mBAAmB;AAAA,IACpD;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAMA,eAAe,mBAAmB,OAAwC;AACxE,QAAM,cAAc,MAAM,WAAW,OAAO,OAAO;AAAA,IACjD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AACA,SAAO,WAAW,OAAO,OAAO;AAAA,IAC9B;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM,IAAI,YAAY,EAAE,OAAO,+BAA+B;AAAA,MAC9D,MAAM,IAAI,YAAY,EAAE,OAAO,mBAAmB;AAAA,IACpD;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAoBA,SAAS,cAAc,UAAgC;AACrD,QAAM,QAAQ,IAAI,WAAW,QAAQ;AACrC,MAAI,MAAM,SAAS,GAAI,QAAO;AAC9B,QAAM,YAAY,MAAM,EAAE;AAC1B,UAAQ,YAAY,OAAgB;AACtC;AAQA,eAAe,mBACb,SACA,aACqD;AACrD,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO,UAAU,OAAO,GAAG;AAC/D,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,QAAM,KAAK,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC/D,QAAM,YAAY,MAAM,WAAW,OAAO,OAAO;AAAA,IAC/C,EAAE,MAAM,WAAW,GAAG;AAAA,IACtB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EAClC;AAEA,SAAO,EAAE,gBAAgB,eAAe,SAAS,GAAG,QAAQ,eAAe,EAAE,EAAE;AACjF;AAKA,eAAe,qBACb,YACA,aAC0B;AAC1B,QAAM,KAAK,eAAe,WAAW,MAAM;AAC3C,QAAM,aAAa,eAAe,WAAW,cAAc;AAE3D,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,gBAAgB,wGAAmG;AAAA,EAC/H;AAEA,QAAM,SAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAS7D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AAC/D,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,IACpB,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB;AAAA,IACA,KAAK;AAAA,IACL,MAAM,eAAe,OAAO,IAAI;AAAA,EAClC;AACF;AAmBA,eAAsB,eACpB,SACA,OACA,UAAiC,CAAC,GACL;AAC7B,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,0BAA0B;AAAA,EACtC;AAEA,QAAM,OAAO,QAAQ,IAAI,OAAO,OAAO,WAAW,cAAc,OAAO,SAAS,WAAW;AAC3F,QAAM,SAAS,QAAQ,IAAI,QAAQ;AACnC,QAAM,UAAU,QAAQ,WAAW;AAEnC,QAAM,YAAY,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AACtE,QAAM,cAAc,IAAI,YAAY,EAAE,OAAO,QAAQ,MAAM;AAE3D,QAAM,yBAAyD;AAAA,IAC7D,kBAAkB;AAAA,IAClB,aAAa;AAAA,EACf;AACA,MAAI,QAAQ,wBAAwB,MAAM;AACxC,2BAAuB,0BAA0B;AAAA,EACnD,WAAW,QAAQ,wBAAwB,OAAO;AAChD,2BAAuB,0BAA0B;AAAA,EACnD;AAGA,QAAM,kBAAkB;AAAA,IACtB,KAAK,EAAE,MAAM,EAAE,OAAO,SAAS,EAAE;AAAA,EACnC;AAEA,QAAM,aAAa,MAAM,UAAU,YAAY,OAAO;AAAA,IACpD,WAAW;AAAA,MACT;AAAA,MACA,IAAI,EAAE,IAAI,MAAM,MAAM,OAAO;AAAA,MAC7B,MAAM;AAAA,QACJ,IAAI;AAAA,QACJ,MAAM,QAAQ;AAAA,QACd,aAAa,QAAQ;AAAA,MACvB;AAAA,MACA,kBAAkB;AAAA,QAChB,EAAE,MAAM,cAAc,KAAK,GAAG;AAAA;AAAA,QAC9B,EAAE,MAAM,cAAc,KAAK,KAAK;AAAA;AAAA,QAChC,EAAE,MAAM,cAAc,KAAK,GAAG;AAAA;AAAA,MAChC;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ;AAAA,IACF;AAAA,EACF,CAAC;AAED,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,uBAAuB,YAAY;AAAA,EAC/C;AAEA,QAAM,WAAY,WAAW,SAA8C,qBAAqB;AAChG,QAAM,SAAS,cAAc,QAAQ;AAErC,MAAI,QAAQ,uBAAuB,QAAQ;AACzC,UAAM,IAAI,yBAAyB;AAAA,EACrC;AAGA,QAAM,aAAa,WAAW,0BAA0B;AAGxD,QAAM,YAAY,WAAW,KAAK,SAAS;AAC3C,QAAM,UAAU,CAAC,CAAC;AAElB,QAAM,cAAc,YAChB,MAAM,iBAAiB,SAAS,IAChC,MAAM,mBAAmB,WAAW,KAAK;AAE7C,QAAM,EAAE,gBAAgB,OAAO,IAAI,MAAM,mBAAmB,SAAS,WAAW;AAEhF,SAAO;AAAA,IACL,iBAAiB;AAAA,IACjB;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB,cAAc,eAAe,WAAW,KAAK;AAAA,IAC7C;AAAA,IACA;AAAA,IACA,qBAAqB,QAAQ,uBAAuB;AAAA,IACpD;AAAA,IACA;AAAA,IACA,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,EACrC;AACF;AAkBA,eAAsB,eACpB,YACA,UAAiC,CAAC,GACR;AAC1B,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,0BAA0B;AAAA,EACtC;AAEA,QAAM,UAAU,QAAQ,WAAW;AACnC,QAAM,eAAe,eAAe,WAAW,YAAY;AAE3D,QAAM,kBAAmB,WAAW,UAChC,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,SAAS,EAAE,EAAE,IACrC,CAAC;AAGL,QAAM,YAAY,MAAM,UAAU,YAAY,IAAI;AAAA,IAChD,WAAW;AAAA,MACT,WAAW,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAAA,MAC/D,kBAAkB,CAAC,EAAE,MAAM,cAAc,IAAI,aAA6B,CAAC;AAAA,MAC3E,kBAAkB;AAAA,MAClB,YAAY;AAAA,MACZ;AAAA,IACF;AAAA,EACF,CAAC;AAED,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,uBAAuB,WAAW;AAAA,EAC9C;AAGA,QAAM,WAAY,UAAU,SAA4C;AACxE,QAAM,SAAS,cAAc,QAAQ;AACrC,MAAI,WAAW,uBAAuB,QAAQ;AAC5C,UAAM,IAAI,yBAAyB;AAAA,EACrC;AAGA,MAAI;AACJ,MAAI,WAAW,SAAS;AACtB,UAAM,aAAa,UAAU,0BAA0B;AAGvD,UAAM,YAAY,WAAW,KAAK,SAAS;AAC3C,QAAI,CAAC,WAAW;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,kBAAc,MAAM,iBAAiB,SAAS;AAAA,EAChD,OAAO;AACL,kBAAc,MAAM,mBAAmB,UAAU,KAAK;AAAA,EACxD;AAEA,SAAO,qBAAqB,YAAY,WAAW;AACrD;AAMO,SAAS,kBAAkB,OAA6C;AAC7E,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,IAAI;AACV,SACE,EAAE,oBAAoB,KACtB,OAAO,EAAE,UAAU,YACnB,OAAO,EAAE,WAAW,YACpB,OAAO,EAAE,iBAAiB,YAC1B,OAAO,EAAE,mBAAmB,YAC5B,OAAO,EAAE,WAAW;AAExB;","names":["ValidationError"]}

package/package.json ADDED Viewed

@@ -0,0 +1,72 @@
+{
+  "name": "@noy-db/on-webauthn",
+  "version": "0.1.0-pre.3",
+  "description": "WebAuthn hardware-key keyrings for noy-db — Touch ID, Face ID, Windows Hello, YubiKey, FIDO2 passkeys",
+  "license": "MIT",
+  "author": "vLannaAi <vicio@lanna.ai>",
+  "homepage": "https://github.com/vLannaAi/noy-db/tree/main/packages/on-webauthn#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/vLannaAi/noy-db.git",
+    "directory": "packages/on-webauthn"
+  },
+  "bugs": {
+    "url": "https://github.com/vLannaAi/noy-db/issues"
+  },
+  "type": "module",
+  "sideEffects": false,
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "peerDependencies": {
+    "@noy-db/hub": "0.1.0-pre.3"
+  },
+  "devDependencies": {
+    "@noy-db/hub": "0.1.0-pre.3"
+  },
+  "keywords": [
+    "noy-db",
+    "auth",
+    "webauthn",
+    "passkey",
+    "biometric",
+    "fido2",
+    "yubikey",
+    "touch-id",
+    "face-id",
+    "windows-hello",
+    "hardware-key",
+    "zero-knowledge",
+    "encryption"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "tag": "latest"
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "lint": "eslint src/",
+    "typecheck": "tsc --noEmit"
+  }
+}