npm - @passkeykit/server - Versions diffs - 2.0.1 → 2.1.0 - Mend

@passkeykit/server 2.0.1 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md CHANGED Viewed

@@ -10,9 +10,19 @@ Handles challenge generation, attestation/assertion verification, and includes s
 ## Install
 ```bash
-npm install @passkeykit/server
+npm install @passkeykit/server @simplewebauthn/server
 ```
+> `@simplewebauthn/server` is a **peer dependency** — you control the version. This keeps the package itself lightweight while giving you full WebAuthn verification.
+>
+> **Password-only?** If you only need `hashPassword` / `verifyPassword`, import from the subpath — no WebAuthn dependency required:
+> ```bash
+> npm install @passkeykit/server
+> ```
+> ```typescript
+> import { hashPassword, verifyPassword } from '@passkeykit/server/password';
+> ```
 ## Quick Start
 ### Stateless (Serverless / Vercel / Cloudflare)
@@ -217,11 +227,12 @@ interface PasskeyServerConfig {
 ## Exports
-| Import Path | Contents |
-|-------------|----------|
-| `@passkeykit/server` | `PasskeyServer`, stores, password hashing, types |
-| `@passkeykit/server/express` | `createExpressRoutes()` — ready-made Express router |
-| `@passkeykit/server/argon2` | `hashPassword()`, `verifyPassword()` — native argon2id |
+| Import Path | Contents | Requires |
+|-------------|----------|----------|
+| `@passkeykit/server` | `PasskeyServer`, stores, password hashing, types | `@simplewebauthn/server` |
+| `@passkeykit/server/password` | `hashPassword()`, `verifyPassword()`, `needsRehash()` — scrypt | None (pure JS) |
+| `@passkeykit/server/express` | `createExpressRoutes()` — ready-made Express router | `express` |
+| `@passkeykit/server/argon2` | `hashPassword()`, `verifyPassword()` — native argon2id | `argon2` |
 ## Client Pairing

package/dist/esm/index.js CHANGED Viewed

@@ -4,10 +4,6 @@
  * Server-side WebAuthn passkey verification with challenge-response pattern
  * and scrypt password hashing (pure JS, works everywhere).
  *
- * @ai_context This is the core auth library used across all dnldev apps.
- * Challenge generation and verification MUST happen server-side.
- * Client never sees raw challenges — only attestation/assertion responses.
- *
  * Two modes:
  * - **Stateless** (default): No server-side state. Set `encryptionKey` in config.
  * - **Stateful**: Provide a `challengeStore` (memory, file, Redis, etc).

package/dist/esm/password.js CHANGED Viewed

@@ -12,7 +12,7 @@
  *   $scrypt$ln=17,r=8,p=1$<base64salt>$<base64hash>
  */
 import { scrypt as scryptSync } from '@noble/hashes/scrypt';
-import { randomBytes } from 'crypto';
+import { randomBytes, timingSafeEqual as tse } from 'crypto';
 /** Default scrypt parameters (OWASP recommendations for interactive login) */
 const DEFAULTS = {
     N: 2 ** 17, // 131072 — CPU/memory cost
@@ -76,6 +76,5 @@ function parsePhc(phc) {
 function timingSafeEqual(a, b) {
     if (a.length !== b.length)
         return false;
-    const { timingSafeEqual: tse } = require('crypto');
     return tse(a, b);
 }

package/dist/esm/stores.js CHANGED Viewed

@@ -1,9 +1,8 @@
 /**
  * Built-in store implementations for common backends.
  *
- * @ai_context These are convenience implementations. For production with
- * multiple server instances, use a shared store (Redis, database, Firestore).
- * For single-server apps (like MovieBox, MediaBox), FileStore works great.
+ * For production with multiple server instances, implement the ChallengeStore
+ * and CredentialStore interfaces with a shared backend (Redis, database, etc).
  */
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
 import { dirname } from 'path';
@@ -54,7 +53,6 @@ export class MemoryCredentialStore {
  * File-based challenge store. Challenges are stored in a JSON file.
  * Auto-cleans expired challenges on every operation.
  *
- * @ai_context Used by MovieBox/MediaBox which store auth in auth.json.
  * Not suitable for multi-process servers (race conditions on file writes).
  */
 export class FileChallengeStore {

package/dist/esm/types.js CHANGED Viewed

@@ -1,8 +1,8 @@
 /**
  * Type definitions for @passkeykit/server
  *
- * @ai_context These types define the storage interface abstraction.
+ * These types define the storage interface abstraction.
  * Apps provide their own ChallengeStore and CredentialStore implementations
- * so the library works with any backend (Firestore, file JSON, SQLite, etc).
+ * so the library works with any backend (Firestore, file JSON, SQLite, Redis, etc).
  */
 export {};

package/dist/index.d.ts CHANGED Viewed

@@ -4,10 +4,6 @@
  * Server-side WebAuthn passkey verification with challenge-response pattern
  * and scrypt password hashing (pure JS, works everywhere).
  *
- * @ai_context This is the core auth library used across all dnldev apps.
- * Challenge generation and verification MUST happen server-side.
- * Client never sees raw challenges — only attestation/assertion responses.
- *
  * Two modes:
  * - **Stateless** (default): No server-side state. Set `encryptionKey` in config.
  * - **Stateful**: Provide a `challengeStore` (memory, file, Redis, etc).

package/dist/index.js CHANGED Viewed

@@ -5,10 +5,6 @@
  * Server-side WebAuthn passkey verification with challenge-response pattern
  * and scrypt password hashing (pure JS, works everywhere).
  *
- * @ai_context This is the core auth library used across all dnldev apps.
- * Challenge generation and verification MUST happen server-side.
- * Client never sees raw challenges — only attestation/assertion responses.
- *
  * Two modes:
  * - **Stateless** (default): No server-side state. Set `encryptionKey` in config.
  * - **Stateful**: Provide a `challengeStore` (memory, file, Redis, etc).

package/dist/password.js CHANGED Viewed

@@ -81,6 +81,5 @@ function parsePhc(phc) {
 function timingSafeEqual(a, b) {
     if (a.length !== b.length)
         return false;
-    const { timingSafeEqual: tse } = require('crypto');
-    return tse(a, b);
+    return (0, crypto_1.timingSafeEqual)(a, b);
 }

package/dist/stores.d.ts CHANGED Viewed

@@ -1,9 +1,8 @@
 /**
  * Built-in store implementations for common backends.
  *
- * @ai_context These are convenience implementations. For production with
- * multiple server instances, use a shared store (Redis, database, Firestore).
- * For single-server apps (like MovieBox, MediaBox), FileStore works great.
+ * For production with multiple server instances, implement the ChallengeStore
+ * and CredentialStore interfaces with a shared backend (Redis, database, etc).
  */
 import type { ChallengeStore, CredentialStore, StoredChallenge, StoredCredential } from './types.js';
 export declare class MemoryChallengeStore implements ChallengeStore {
@@ -23,7 +22,6 @@ export declare class MemoryCredentialStore implements CredentialStore {
  * File-based challenge store. Challenges are stored in a JSON file.
  * Auto-cleans expired challenges on every operation.
  *
- * @ai_context Used by MovieBox/MediaBox which store auth in auth.json.
  * Not suitable for multi-process servers (race conditions on file writes).
  */
 export declare class FileChallengeStore implements ChallengeStore {

package/dist/stores.js CHANGED Viewed

@@ -2,9 +2,8 @@
 /**
  * Built-in store implementations for common backends.
  *
- * @ai_context These are convenience implementations. For production with
- * multiple server instances, use a shared store (Redis, database, Firestore).
- * For single-server apps (like MovieBox, MediaBox), FileStore works great.
+ * For production with multiple server instances, implement the ChallengeStore
+ * and CredentialStore interfaces with a shared backend (Redis, database, etc).
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.FileCredentialStore = exports.FileChallengeStore = exports.MemoryCredentialStore = exports.MemoryChallengeStore = void 0;
@@ -59,7 +58,6 @@ exports.MemoryCredentialStore = MemoryCredentialStore;
  * File-based challenge store. Challenges are stored in a JSON file.
  * Auto-cleans expired challenges on every operation.
  *
- * @ai_context Used by MovieBox/MediaBox which store auth in auth.json.
  * Not suitable for multi-process servers (race conditions on file writes).
  */
 class FileChallengeStore {

package/dist/types.d.ts CHANGED Viewed

@@ -1,18 +1,18 @@
 /**
  * Type definitions for @passkeykit/server
  *
- * @ai_context These types define the storage interface abstraction.
+ * These types define the storage interface abstraction.
  * Apps provide their own ChallengeStore and CredentialStore implementations
- * so the library works with any backend (Firestore, file JSON, SQLite, etc).
+ * so the library works with any backend (Firestore, file JSON, SQLite, Redis, etc).
  */
 import type { AuthenticatorTransportFuture } from '@simplewebauthn/server';
 /** Configuration for PasskeyServer */
 export interface PasskeyServerConfig {
-    /** Relying Party name shown to users (e.g. "MovieBox", "SafeHarbor") */
+    /** Relying Party name shown to users (e.g. "My App") */
     rpName: string;
-    /** Relying Party ID — must be a valid domain (e.g. "movies.danieltech.dev") */
+    /** Relying Party ID — must be a valid domain (e.g. "auth.example.com") */
     rpId: string;
-    /** Allowed origins for WebAuthn (e.g. ["https://movies.danieltech.dev"]) */
+    /** Allowed origins for WebAuthn (e.g. ["https://example.com"]) */
     allowedOrigins: string[];
     /**
      * Challenge store implementation (stateful mode).

package/dist/types.js CHANGED Viewed

@@ -2,8 +2,8 @@
 /**
  * Type definitions for @passkeykit/server
  *
- * @ai_context These types define the storage interface abstraction.
+ * These types define the storage interface abstraction.
  * Apps provide their own ChallengeStore and CredentialStore implementations
- * so the library works with any backend (Firestore, file JSON, SQLite, etc).
+ * so the library works with any backend (Firestore, file JSON, SQLite, Redis, etc).
  */
 Object.defineProperty(exports, "__esModule", { value: true });

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@passkeykit/server",
-  "version": "2.0.1",
-  "description": "Server-side WebAuthn passkey verification \u2014 stateless or stateful, pure JS, works on serverless",
+  "version": "2.1.0",
+  "description": "Server-side WebAuthn passkey verification — stateless or stateful, pure JS, works on serverless",
   "main": "dist/index.js",
   "module": "dist/esm/index.js",
   "types": "dist/index.d.ts",
@@ -11,6 +11,11 @@
       "require": "./dist/index.js",
       "types": "./dist/index.d.ts"
     },
+    "./password": {
+      "import": "./dist/esm/password.js",
+      "require": "./dist/password.js",
+      "types": "./dist/password.d.ts"
+    },
     "./express": {
       "import": "./dist/esm/express-routes.js",
       "require": "./dist/express-routes.js",
@@ -49,14 +54,17 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@simplewebauthn/server": "^13.1.1",
     "@noble/hashes": "^1.7.0"
   },
   "peerDependencies": {
+    "@simplewebauthn/server": "^13.0.0",
     "express": "^4.0.0 || ^5.0.0",
     "argon2": "^0.41.0"
   },
   "peerDependenciesMeta": {
+    "@simplewebauthn/server": {
+      "optional": false
+    },
     "express": {
       "optional": true
     },