@passkeykit/server 2.0.2 → 2.1.0

package/README.md

@@ -10,9 +10,19 @@ Handles challenge generation, attestation/assertion verification, and includes s
 ## Install
 
 ```bash
-npm install @passkeykit/server
+npm install @passkeykit/server @simplewebauthn/server
 ```
 
+> `@simplewebauthn/server` is a **peer dependency** — you control the version. This keeps the package itself lightweight while giving you full WebAuthn verification.
+>
+> **Password-only?** If you only need `hashPassword` / `verifyPassword`, import from the subpath — no WebAuthn dependency required:
+> ```bash
+> npm install @passkeykit/server
+> ```
+> ```typescript
+> import { hashPassword, verifyPassword } from '@passkeykit/server/password';
+> ```
+
 ## Quick Start
 
 ### Stateless (Serverless / Vercel / Cloudflare)
@@ -217,11 +227,12 @@ interface PasskeyServerConfig {
 
 ## Exports
 
-| Import Path | Contents |
-|-------------|----------|
-| `@passkeykit/server` | `PasskeyServer`, stores, password hashing, types |
-| `@passkeykit/server/express` | `createExpressRoutes()` — ready-made Express router |
-| `@passkeykit/server/argon2` | `hashPassword()`, `verifyPassword()` — native argon2id |
+| Import Path | Contents | Requires |
+|-------------|----------|----------|
+| `@passkeykit/server` | `PasskeyServer`, stores, password hashing, types | `@simplewebauthn/server` |
+| `@passkeykit/server/password` | `hashPassword()`, `verifyPassword()`, `needsRehash()` — scrypt | None (pure JS) |
+| `@passkeykit/server/express` | `createExpressRoutes()` — ready-made Express router | `express` |
+| `@passkeykit/server/argon2` | `hashPassword()`, `verifyPassword()` — native argon2id | `argon2` |
 
 ## Client Pairing
 

package/dist/esm/index.js

@@ -4,10 +4,6 @@
  * Server-side WebAuthn passkey verification with challenge-response pattern
  * and scrypt password hashing (pure JS, works everywhere).
  *
- * @ai_context This is the core auth library used across all dnldev apps.
- * Challenge generation and verification MUST happen server-side.
- * Client never sees raw challenges — only attestation/assertion responses.
- *
  * Two modes:
  * - **Stateless** (default): No server-side state. Set `encryptionKey` in config.
  * - **Stateful**: Provide a `challengeStore` (memory, file, Redis, etc).

package/dist/esm/stores.js

@@ -1,9 +1,8 @@
 /**
  * Built-in store implementations for common backends.
  *
- * @ai_context These are convenience implementations. For production with
- * multiple server instances, use a shared store (Redis, database, Firestore).
- * For single-server apps (like MovieBox, MediaBox), FileStore works great.
+ * For production with multiple server instances, implement the ChallengeStore
+ * and CredentialStore interfaces with a shared backend (Redis, database, etc).
  */
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
 import { dirname } from 'path';
@@ -54,7 +53,6 @@ export class MemoryCredentialStore {
  * File-based challenge store. Challenges are stored in a JSON file.
  * Auto-cleans expired challenges on every operation.
  *
- * @ai_context Used by MovieBox/MediaBox which store auth in auth.json.
  * Not suitable for multi-process servers (race conditions on file writes).
  */
 export class FileChallengeStore {

package/dist/esm/types.js

@@ -1,8 +1,8 @@
 /**
  * Type definitions for @passkeykit/server
  *
- * @ai_context These types define the storage interface abstraction.
+ * These types define the storage interface abstraction.
  * Apps provide their own ChallengeStore and CredentialStore implementations
- * so the library works with any backend (Firestore, file JSON, SQLite, etc).
+ * so the library works with any backend (Firestore, file JSON, SQLite, Redis, etc).
  */
 export {};

package/dist/index.d.ts

@@ -4,10 +4,6 @@
  * Server-side WebAuthn passkey verification with challenge-response pattern
  * and scrypt password hashing (pure JS, works everywhere).
  *
- * @ai_context This is the core auth library used across all dnldev apps.
- * Challenge generation and verification MUST happen server-side.
- * Client never sees raw challenges — only attestation/assertion responses.
- *
  * Two modes:
  * - **Stateless** (default): No server-side state. Set `encryptionKey` in config.
  * - **Stateful**: Provide a `challengeStore` (memory, file, Redis, etc).

package/dist/index.js

@@ -5,10 +5,6 @@
  * Server-side WebAuthn passkey verification with challenge-response pattern
  * and scrypt password hashing (pure JS, works everywhere).
  *
- * @ai_context This is the core auth library used across all dnldev apps.
- * Challenge generation and verification MUST happen server-side.
- * Client never sees raw challenges — only attestation/assertion responses.
- *
  * Two modes:
  * - **Stateless** (default): No server-side state. Set `encryptionKey` in config.
  * - **Stateful**: Provide a `challengeStore` (memory, file, Redis, etc).

package/dist/stores.d.ts

@@ -1,9 +1,8 @@
 /**
  * Built-in store implementations for common backends.
  *
- * @ai_context These are convenience implementations. For production with
- * multiple server instances, use a shared store (Redis, database, Firestore).
- * For single-server apps (like MovieBox, MediaBox), FileStore works great.
+ * For production with multiple server instances, implement the ChallengeStore
+ * and CredentialStore interfaces with a shared backend (Redis, database, etc).
  */
 import type { ChallengeStore, CredentialStore, StoredChallenge, StoredCredential } from './types.js';
 export declare class MemoryChallengeStore implements ChallengeStore {
@@ -23,7 +22,6 @@ export declare class MemoryCredentialStore implements CredentialStore {
  * File-based challenge store. Challenges are stored in a JSON file.
  * Auto-cleans expired challenges on every operation.
  *
- * @ai_context Used by MovieBox/MediaBox which store auth in auth.json.
  * Not suitable for multi-process servers (race conditions on file writes).
  */
 export declare class FileChallengeStore implements ChallengeStore {

package/dist/stores.js

@@ -2,9 +2,8 @@
 /**
  * Built-in store implementations for common backends.
  *
- * @ai_context These are convenience implementations. For production with
- * multiple server instances, use a shared store (Redis, database, Firestore).
- * For single-server apps (like MovieBox, MediaBox), FileStore works great.
+ * For production with multiple server instances, implement the ChallengeStore
+ * and CredentialStore interfaces with a shared backend (Redis, database, etc).
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.FileCredentialStore = exports.FileChallengeStore = exports.MemoryCredentialStore = exports.MemoryChallengeStore = void 0;
@@ -59,7 +58,6 @@ exports.MemoryCredentialStore = MemoryCredentialStore;
  * File-based challenge store. Challenges are stored in a JSON file.
  * Auto-cleans expired challenges on every operation.
  *
- * @ai_context Used by MovieBox/MediaBox which store auth in auth.json.
  * Not suitable for multi-process servers (race conditions on file writes).
  */
 class FileChallengeStore {

package/dist/types.d.ts

@@ -1,18 +1,18 @@
 /**
  * Type definitions for @passkeykit/server
  *
- * @ai_context These types define the storage interface abstraction.
+ * These types define the storage interface abstraction.
  * Apps provide their own ChallengeStore and CredentialStore implementations
- * so the library works with any backend (Firestore, file JSON, SQLite, etc).
+ * so the library works with any backend (Firestore, file JSON, SQLite, Redis, etc).
  */
 import type { AuthenticatorTransportFuture } from '@simplewebauthn/server';
 /** Configuration for PasskeyServer */
 export interface PasskeyServerConfig {
-    /** Relying Party name shown to users (e.g. "MovieBox", "SafeHarbor") */
+    /** Relying Party name shown to users (e.g. "My App") */
     rpName: string;
-    /** Relying Party ID — must be a valid domain (e.g. "movies.danieltech.dev") */
+    /** Relying Party ID — must be a valid domain (e.g. "auth.example.com") */
     rpId: string;
-    /** Allowed origins for WebAuthn (e.g. ["https://movies.danieltech.dev"]) */
+    /** Allowed origins for WebAuthn (e.g. ["https://example.com"]) */
     allowedOrigins: string[];
     /**
      * Challenge store implementation (stateful mode).

package/dist/types.js

@@ -2,8 +2,8 @@
 /**
  * Type definitions for @passkeykit/server
  *
- * @ai_context These types define the storage interface abstraction.
+ * These types define the storage interface abstraction.
  * Apps provide their own ChallengeStore and CredentialStore implementations
- * so the library works with any backend (Firestore, file JSON, SQLite, etc).
+ * so the library works with any backend (Firestore, file JSON, SQLite, Redis, etc).
  */
 Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@passkeykit/server",
-  "version": "2.0.2",
+  "version": "2.1.0",
   "description": "Server-side WebAuthn passkey verification — stateless or stateful, pure JS, works on serverless",
   "main": "dist/index.js",
   "module": "dist/esm/index.js",
@@ -11,6 +11,11 @@
       "require": "./dist/index.js",
       "types": "./dist/index.d.ts"
     },
+    "./password": {
+      "import": "./dist/esm/password.js",
+      "require": "./dist/password.js",
+      "types": "./dist/password.d.ts"
+    },
     "./express": {
       "import": "./dist/esm/express-routes.js",
       "require": "./dist/express-routes.js",
@@ -49,14 +54,17 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@simplewebauthn/server": "^13.1.1",
     "@noble/hashes": "^1.7.0"
   },
   "peerDependencies": {
+    "@simplewebauthn/server": "^13.0.0",
     "express": "^4.0.0 || ^5.0.0",
     "argon2": "^0.41.0"
   },
   "peerDependenciesMeta": {
+    "@simplewebauthn/server": {
+      "optional": false
+    },
     "express": {
       "optional": true
     },