@ovixa/auth-client 0.2.0 → 0.3.0

package/CHANGELOG.md

@@ -5,18 +5,30 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/),
 and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [0.3.0] - 2026-01-30
+
+### Added
+
+- `auth.webauthn.listPasskeys({ accessToken })` - List all passkeys for the authenticated user
+- `auth.webauthn.deletePasskey({ accessToken, credentialId })` - Delete a specific passkey
+
+### Changed
+
+- **BREAKING**: Moved WebAuthn methods to `auth.webauthn` namespace
+  - `auth.getPasskeyRegistrationOptions()` → `auth.webauthn.getRegistrationOptions()`
+  - `auth.verifyPasskeyRegistration()` → `auth.webauthn.verifyRegistration()`
+  - `auth.getPasskeyAuthenticationOptions()` → `auth.webauthn.getAuthenticationOptions()`
+  - `auth.verifyPasskeyAuthentication()` → `auth.webauthn.authenticate()`
+
 ## [0.2.0] - 2026-01-29
 
 ### Added
 
 - **WebAuthn/Passkey authentication support** - Passwordless authentication using FIDO2
-  - `auth.webauthn.getRegistrationOptions(realmId)` - Get options to register a new passkey
-  - `auth.webauthn.verifyRegistration(realmId, registration)` - Complete passkey registration
-  - `auth.webauthn.getAuthenticationOptions(realmId, email?)` - Get options to authenticate with passkey
-  - `auth.webauthn.authenticate(realmId, authentication)` - Authenticate and receive tokens
-  - `auth.webauthn.getCredentials(realmId)` - List user's registered passkeys
-  - `auth.webauthn.deleteCredential(realmId, credentialId)` - Remove a passkey
-  - `auth.webauthn.updateCredentialName(realmId, credentialId, name)` - Rename a passkey
+  - `auth.getPasskeyRegistrationOptions({ accessToken })` - Get options to register a new passkey
+  - `auth.verifyPasskeyRegistration({ accessToken, registration, deviceName? })` - Complete passkey registration
+  - `auth.getPasskeyAuthenticationOptions({ email? })` - Get options to authenticate with passkey
+  - `auth.verifyPasskeyAuthentication({ authentication })` - Authenticate and receive tokens
 
 ## [0.1.3] - 2026-01-29
 

package/dist/{chunk-5ZWKDQQM.js → chunk-5QEKSWV4.js}

@@ -442,284 +442,6 @@ var OvixaAuth = class {
     url.searchParams.set("redirect_uri", options.redirectUri);
     return url.toString();
   }
-  // ============================================================
-  // WebAuthn / Passkey Methods
-  // ============================================================
-  /**
-   * Get registration options for creating a new passkey.
-   *
-   * The user must be logged in to register a passkey. Use the returned options
-   * with navigator.credentials.create() to create the credential.
-   *
-   * @param options - Registration options with access token
-   * @returns Registration options to pass to navigator.credentials.create()
-   * @throws {OvixaAuthError} If request fails
-   *
-   * @example
-   * ```typescript
-   * // User must be logged in
-   * const options = await auth.getPasskeyRegistrationOptions({
-   *   accessToken: session.accessToken,
-   * });
-   *
-   * // Create the credential using the browser API
-   * const credential = await navigator.credentials.create({
-   *   publicKey: {
-   *     ...options,
-   *     challenge: base64UrlToArrayBuffer(options.challenge),
-   *     user: {
-   *       ...options.user,
-   *       id: new TextEncoder().encode(options.user.id),
-   *     },
-   *     excludeCredentials: options.excludeCredentials.map(c => ({
-   *       ...c,
-   *       id: base64UrlToArrayBuffer(c.id),
-   *     })),
-   *   },
-   * });
-   *
-   * // Verify the registration with the server
-   * await auth.verifyPasskeyRegistration({
-   *   accessToken: session.accessToken,
-   *   registration: formatRegistrationResponse(credential),
-   *   deviceName: 'My MacBook',
-   * });
-   * ```
-   */
-  async getPasskeyRegistrationOptions(options) {
-    const url = `${this.config.authUrl}/webauthn/register/options`;
-    try {
-      const response = await fetch(url, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${options.accessToken}`
-        },
-        body: JSON.stringify({
-          realm_id: this.config.realmId
-        })
-      });
-      if (!response.ok) {
-        await this.handleErrorResponse(response);
-      }
-      return await response.json();
-    } catch (error) {
-      if (error instanceof OvixaAuthError) {
-        throw error;
-      }
-      if (error instanceof Error) {
-        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
-      }
-      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
-    }
-  }
-  /**
-   * Verify a passkey registration and store the credential.
-   *
-   * Call this after navigator.credentials.create() succeeds to complete the
-   * registration on the server.
-   *
-   * @param options - Verification options with registration response
-   * @returns Registration response with credential ID
-   * @throws {OvixaAuthError} If verification fails
-   *
-   * @example
-   * ```typescript
-   * const result = await auth.verifyPasskeyRegistration({
-   *   accessToken: session.accessToken,
-   *   registration: {
-   *     id: credential.id,
-   *     rawId: arrayBufferToBase64Url(credential.rawId),
-   *     type: 'public-key',
-   *     response: {
-   *       clientDataJSON: arrayBufferToBase64Url(credential.response.clientDataJSON),
-   *       attestationObject: arrayBufferToBase64Url(credential.response.attestationObject),
-   *       transports: credential.response.getTransports?.(),
-   *     },
-   *   },
-   *   deviceName: 'My MacBook',
-   * });
-   *
-   * console.log('Passkey registered:', result.credential_id);
-   * ```
-   */
-  async verifyPasskeyRegistration(options) {
-    const url = `${this.config.authUrl}/webauthn/register/verify`;
-    const body = {
-      realm_id: this.config.realmId,
-      registration: options.registration
-    };
-    if (options.deviceName) {
-      body.device_name = options.deviceName;
-    }
-    try {
-      const response = await fetch(url, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${options.accessToken}`
-        },
-        body: JSON.stringify(body)
-      });
-      if (!response.ok) {
-        await this.handleErrorResponse(response);
-      }
-      return await response.json();
-    } catch (error) {
-      if (error instanceof OvixaAuthError) {
-        throw error;
-      }
-      if (error instanceof Error) {
-        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
-      }
-      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
-    }
-  }
-  /**
-   * Get authentication options for signing in with a passkey.
-   *
-   * Use the returned options with navigator.credentials.get() to authenticate.
-   *
-   * @param options - Optional email for allowCredentials hint
-   * @returns Authentication options to pass to navigator.credentials.get()
-   * @throws {OvixaAuthError} If request fails
-   *
-   * @example
-   * ```typescript
-   * // Option 1: Discoverable credentials (no email needed)
-   * const options = await auth.getPasskeyAuthenticationOptions();
-   *
-   * // Option 2: Provide email for allowCredentials hint
-   * const options = await auth.getPasskeyAuthenticationOptions({
-   *   email: 'user@example.com',
-   * });
-   *
-   * // Authenticate using the browser API
-   * const credential = await navigator.credentials.get({
-   *   publicKey: {
-   *     ...options,
-   *     challenge: base64UrlToArrayBuffer(options.challenge),
-   *     allowCredentials: options.allowCredentials.map(c => ({
-   *       ...c,
-   *       id: base64UrlToArrayBuffer(c.id),
-   *     })),
-   *   },
-   * });
-   *
-   * // Verify and get tokens
-   * const tokens = await auth.verifyPasskeyAuthentication({
-   *   authentication: formatAuthenticationResponse(credential),
-   * });
-   * ```
-   */
-  async getPasskeyAuthenticationOptions(options) {
-    const url = `${this.config.authUrl}/webauthn/authenticate/options`;
-    const body = {
-      realm_id: this.config.realmId
-    };
-    if (options?.email) {
-      body.email = options.email;
-    }
-    try {
-      const response = await fetch(url, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify(body)
-      });
-      if (!response.ok) {
-        await this.handleErrorResponse(response);
-      }
-      return await response.json();
-    } catch (error) {
-      if (error instanceof OvixaAuthError) {
-        throw error;
-      }
-      if (error instanceof Error) {
-        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
-      }
-      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
-    }
-  }
-  /**
-   * Verify a passkey authentication and get tokens.
-   *
-   * Call this after navigator.credentials.get() succeeds to complete the
-   * authentication and receive access/refresh tokens.
-   *
-   * @param options - Verification options with authentication response
-   * @returns Token response with access and refresh tokens
-   * @throws {OvixaAuthError} If verification fails
-   *
-   * @example
-   * ```typescript
-   * const tokens = await auth.verifyPasskeyAuthentication({
-   *   authentication: {
-   *     id: credential.id,
-   *     rawId: arrayBufferToBase64Url(credential.rawId),
-   *     type: 'public-key',
-   *     response: {
-   *       clientDataJSON: arrayBufferToBase64Url(credential.response.clientDataJSON),
-   *       authenticatorData: arrayBufferToBase64Url(credential.response.authenticatorData),
-   *       signature: arrayBufferToBase64Url(credential.response.signature),
-   *       userHandle: credential.response.userHandle
-   *         ? arrayBufferToBase64Url(credential.response.userHandle)
-   *         : null,
-   *     },
-   *   },
-   * });
-   *
-   * // Use the tokens
-   * console.log('Logged in!', tokens.access_token);
-   * ```
-   */
-  async verifyPasskeyAuthentication(options) {
-    const url = `${this.config.authUrl}/webauthn/authenticate/verify`;
-    const body = {
-      realm_id: this.config.realmId,
-      authentication: options.authentication
-    };
-    try {
-      const response = await fetch(url, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify(body)
-      });
-      if (!response.ok) {
-        await this.handleErrorResponse(response);
-      }
-      return await response.json();
-    } catch (error) {
-      if (error instanceof OvixaAuthError) {
-        throw error;
-      }
-      if (error instanceof Error) {
-        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
-      }
-      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
-    }
-  }
-  /**
-   * Handle error response from the server.
-   * @throws {OvixaAuthError} Always throws with appropriate error details
-   */
-  async handleErrorResponse(response) {
-    const errorBody = await response.json().catch(() => ({}));
-    const errorData = errorBody;
-    let errorCode;
-    let errorMessage;
-    if (typeof errorData.error === "object" && errorData.error) {
-      errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);
-      errorMessage = errorData.error.message || "Request failed";
-    } else {
-      errorCode = this.mapHttpStatusToErrorCode(response.status);
-      errorMessage = typeof errorData.error === "string" ? errorData.error : "Request failed";
-    }
-    throw new OvixaAuthError(errorMessage, errorCode, response.status);
-  }
   /**
    * Exchange an OAuth authorization code for tokens.
    *
@@ -961,6 +683,37 @@ var OvixaAuth = class {
     }
     return new OvixaAuthAdmin(this.config);
   }
+  /**
+   * Get the WebAuthn API interface for passkey operations.
+   *
+   * The WebAuthn namespace provides methods for registering and authenticating
+   * with passkeys, as well as managing existing passkeys.
+   *
+   * @returns OvixaAuthWebAuthn interface for passkey operations
+   *
+   * @example
+   * ```typescript
+   * const auth = new OvixaAuth({
+   *   authUrl: 'https://auth.ovixa.io',
+   *   realmId: 'your-realm',
+   * });
+   *
+   * // Register a passkey
+   * const options = await auth.webauthn.getRegistrationOptions({ accessToken });
+   *
+   * // Authenticate with passkey
+   * const authOptions = await auth.webauthn.getAuthenticationOptions();
+   *
+   * // List passkeys
+   * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });
+   *
+   * // Delete a passkey
+   * await auth.webauthn.deletePasskey({ accessToken, credentialId });
+   * ```
+   */
+  get webauthn() {
+    return new OvixaAuthWebAuthn(this.config);
+  }
 };
 var OvixaAuthAdmin = class {
   config;
@@ -1051,6 +804,293 @@ var OvixaAuthAdmin = class {
     }
   }
 };
+var OvixaAuthWebAuthn = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Get registration options for creating a new passkey.
+   *
+   * The user must be logged in to register a passkey. Use the returned options
+   * with navigator.credentials.create() to create the credential.
+   *
+   * @param options - Registration options with access token
+   * @returns Registration options to pass to navigator.credentials.create()
+   * @throws {OvixaAuthError} If request fails
+   */
+  async getRegistrationOptions(options) {
+    const url = `${this.config.authUrl}/webauthn/register/options`;
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${options.accessToken}`
+        },
+        body: JSON.stringify({
+          realm_id: this.config.realmId
+        })
+      });
+      if (!response.ok) {
+        await this.handleErrorResponse(response);
+      }
+      return await response.json();
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
+    }
+  }
+  /**
+   * Verify a passkey registration and store the credential.
+   *
+   * Call this after navigator.credentials.create() succeeds to complete the
+   * registration on the server.
+   *
+   * @param options - Verification options with registration response
+   * @returns Registration response with credential ID
+   * @throws {OvixaAuthError} If verification fails
+   */
+  async verifyRegistration(options) {
+    const url = `${this.config.authUrl}/webauthn/register/verify`;
+    const body = {
+      realm_id: this.config.realmId,
+      registration: options.registration
+    };
+    if (options.deviceName) {
+      body.device_name = options.deviceName;
+    }
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${options.accessToken}`
+        },
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        await this.handleErrorResponse(response);
+      }
+      return await response.json();
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
+    }
+  }
+  /**
+   * Get authentication options for signing in with a passkey.
+   *
+   * Use the returned options with navigator.credentials.get() to authenticate.
+   *
+   * @param options - Optional email for allowCredentials hint
+   * @returns Authentication options to pass to navigator.credentials.get()
+   * @throws {OvixaAuthError} If request fails
+   */
+  async getAuthenticationOptions(options) {
+    const url = `${this.config.authUrl}/webauthn/authenticate/options`;
+    const body = {
+      realm_id: this.config.realmId
+    };
+    if (options?.email) {
+      body.email = options.email;
+    }
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        await this.handleErrorResponse(response);
+      }
+      return await response.json();
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
+    }
+  }
+  /**
+   * Verify a passkey authentication and get tokens.
+   *
+   * Call this after navigator.credentials.get() succeeds to complete the
+   * authentication and receive access/refresh tokens.
+   *
+   * @param options - Verification options with authentication response
+   * @returns Token response with access and refresh tokens
+   * @throws {OvixaAuthError} If verification fails
+   */
+  async authenticate(options) {
+    const url = `${this.config.authUrl}/webauthn/authenticate/verify`;
+    const body = {
+      realm_id: this.config.realmId,
+      authentication: options.authentication
+    };
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        await this.handleErrorResponse(response);
+      }
+      return await response.json();
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
+    }
+  }
+  /**
+   * List all passkeys for the authenticated user.
+   *
+   * @param options - Options with access token
+   * @returns List of passkeys
+   * @throws {OvixaAuthError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });
+   * for (const passkey of passkeys) {
+   *   console.log(passkey.device_name, passkey.created_at);
+   * }
+   * ```
+   */
+  async listPasskeys(options) {
+    const url = `${this.config.authUrl}/webauthn/passkeys`;
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${options.accessToken}`
+        },
+        body: JSON.stringify({
+          realm_id: this.config.realmId
+        })
+      });
+      if (!response.ok) {
+        await this.handleErrorResponse(response);
+      }
+      return await response.json();
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
+    }
+  }
+  /**
+   * Delete a passkey for the authenticated user.
+   *
+   * @param options - Options with access token and credential ID
+   * @returns Success response
+   * @throws {OvixaAuthError} If deletion fails
+   *
+   * @example
+   * ```typescript
+   * await auth.webauthn.deletePasskey({
+   *   accessToken,
+   *   credentialId: 'credential-id-to-delete',
+   * });
+   * ```
+   */
+  async deletePasskey(options) {
+    const url = `${this.config.authUrl}/webauthn/passkeys/${encodeURIComponent(options.credentialId)}`;
+    try {
+      const response = await fetch(url, {
+        method: "DELETE",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${options.accessToken}`
+        },
+        body: JSON.stringify({
+          realm_id: this.config.realmId
+        })
+      });
+      if (!response.ok) {
+        await this.handleErrorResponse(response);
+      }
+      return await response.json();
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
+    }
+  }
+  /**
+   * Handle error response from the server.
+   * @throws {OvixaAuthError} Always throws with appropriate error details
+   */
+  async handleErrorResponse(response) {
+    const errorBody = await response.json().catch(() => ({}));
+    const errorData = errorBody;
+    let errorCode;
+    let errorMessage;
+    if (typeof errorData.error === "object" && errorData.error) {
+      errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);
+      errorMessage = errorData.error.message || "Request failed";
+    } else {
+      errorCode = this.mapHttpStatusToErrorCode(response.status);
+      errorMessage = typeof errorData.error === "string" ? errorData.error : "Request failed";
+    }
+    throw new OvixaAuthError(errorMessage, errorCode, response.status);
+  }
+  /**
+   * Map HTTP status codes to error codes.
+   */
+  mapHttpStatusToErrorCode(status) {
+    switch (status) {
+      case 400:
+        return "BAD_REQUEST";
+      case 401:
+        return "UNAUTHORIZED";
+      case 403:
+        return "FORBIDDEN";
+      case 404:
+        return "NOT_FOUND";
+      case 429:
+        return "RATE_LIMITED";
+      case 500:
+      case 502:
+      case 503:
+        return "SERVER_ERROR";
+      default:
+        return "UNKNOWN_ERROR";
+    }
+  }
+};
 function arrayBufferToBase64Url(buffer) {
   const bytes = new Uint8Array(buffer);
   let binary = "";
@@ -1142,4 +1182,4 @@ export {
   formatRegistrationResponse,
   formatAuthenticationResponse
 };
-//# sourceMappingURL=chunk-5ZWKDQQM.js.map
+//# sourceMappingURL=chunk-5QEKSWV4.js.map