@passkeykit/server 3.0.0 → 3.1.1

package/dist/esm/express-routes.js

@@ -3,13 +3,50 @@
  *
  * @ai_context This is a convenience wrapper. Apps that don't use Express
  * can use PasskeyServer directly. These routes implement the standard
- * challenge-response pattern with proper error handling.
+ * challenge-response pattern with proper error handling and Zod validation.
  *
  * Usage:
  *   const routes = createExpressRoutes(passkeyServer, { getUserInfo });
  *   app.use('/api/auth/passkey', routes);
  */
 import { Router } from 'express';
+import { z } from 'zod';
+// ============================================================
+// Zod Schemas — strict input validation for every route
+// ============================================================
+const registerOptionsSchema = z.object({
+    userId: z.string().min(1),
+    authenticatorAttachment: z.enum(['platform', 'cross-platform']).optional(),
+    residentKey: z.enum(['required', 'preferred', 'discouraged']).optional(),
+    userVerification: z.enum(['required', 'preferred', 'discouraged']).optional(),
+}).strict();
+const registerVerifySchema = z.object({
+    userId: z.string().min(1),
+    response: z.object({
+        id: z.string(),
+        rawId: z.string(),
+        type: z.literal('public-key'),
+        response: z.record(z.string(), z.unknown()),
+        clientExtensionResults: z.record(z.string(), z.unknown()),
+        authenticatorAttachment: z.string().optional(),
+    }).passthrough(),
+    credentialName: z.string().optional(),
+    challengeToken: z.string().optional(),
+}).strict();
+const authenticateOptionsSchema = z.object({
+    userId: z.string().min(1).optional(),
+    userVerification: z.enum(['required', 'preferred', 'discouraged']).optional(),
+}).strict();
+const authenticateVerifySchema = z.object({
+    sessionKey: z.string().min(1),
+    response: z.object({
+        id: z.string(),
+        rawId: z.string(),
+        type: z.literal('public-key'),
+        response: z.record(z.string(), z.unknown()),
+        clientExtensionResults: z.record(z.string(), z.unknown()),
+    }).passthrough(),
+}).strict();
 /**
  * Create Express router with passkey registration and authentication routes.
  *
@@ -21,18 +58,14 @@ import { Router } from 'express';
  */
 export function createExpressRoutes(server, config) {
     const router = Router();
-    /**
-     * POST /register/options
-     * Body: { userId: string, authenticatorAttachment?: 'platform' | 'cross-platform' }
-     * Response includes `challengeToken` in stateless mode.
-     */
     router.post('/register/options', async (req, res) => {
         try {
-            const { userId, authenticatorAttachment, residentKey, userVerification } = req.body;
-            if (!userId) {
-                res.status(400).json({ error: 'userId is required' });
+            const parsed = registerOptionsSchema.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({ error: 'Invalid request body', details: parsed.error.flatten().fieldErrors });
                 return;
             }
+            const { userId, authenticatorAttachment, residentKey, userVerification } = parsed.data;
             const user = await config.getUserInfo(userId);
             if (!user) {
                 res.status(404).json({ error: 'User not found' });
@@ -50,18 +83,14 @@ export function createExpressRoutes(server, config) {
             res.status(500).json({ error: 'Failed to generate registration options' });
         }
     });
-    /**
-     * POST /register/verify
-     * Body: { userId: string, response: RegistrationResponseJSON, credentialName?: string, challengeToken?: string }
-     * `challengeToken` is required in stateless mode.
-     */
     router.post('/register/verify', async (req, res) => {
         try {
-            const { userId, response, credentialName, challengeToken } = req.body;
-            if (!userId || !response) {
-                res.status(400).json({ error: 'userId and response are required' });
+            const parsed = registerVerifySchema.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({ error: 'Invalid request body', details: parsed.error.flatten().fieldErrors });
                 return;
             }
+            const { userId, response, credentialName, challengeToken } = parsed.data;
             const result = await server.verifyRegistration(userId, response, credentialName, challengeToken);
             if (config.onRegistrationSuccess) {
                 await config.onRegistrationSuccess(userId, result.credential.credentialId);
@@ -78,14 +107,14 @@ export function createExpressRoutes(server, config) {
             res.status(400).json({ error: message });
         }
     });
-    /**
-     * POST /authenticate/options
-     * Body: { userId?: string }
-     * Response includes `sessionKey` (which IS the challengeToken in stateless mode).
-     */
     router.post('/authenticate/options', async (req, res) => {
         try {
-            const { userId, userVerification } = req.body;
+            const parsed = authenticateOptionsSchema.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({ error: 'Invalid request body', details: parsed.error.flatten().fieldErrors });
+                return;
+            }
+            const { userId, userVerification } = parsed.data;
             const { options, sessionKey, challengeToken } = await server.generateAuthenticationOptions(userId, { userVerification });
             res.json({ options, sessionKey, challengeToken });
         }
@@ -94,17 +123,14 @@ export function createExpressRoutes(server, config) {
             res.status(500).json({ error: 'Failed to generate authentication options' });
         }
     });
-    /**
-     * POST /authenticate/verify
-     * Body: { sessionKey: string, response: AuthenticationResponseJSON }
-     */
     router.post('/authenticate/verify', async (req, res) => {
         try {
-            const { sessionKey, response } = req.body;
-            if (!sessionKey || !response) {
-                res.status(400).json({ error: 'sessionKey and response are required' });
+            const parsed = authenticateVerifySchema.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({ error: 'Invalid request body', details: parsed.error.flatten().fieldErrors });
                 return;
             }
+            const { sessionKey, response } = parsed.data;
             const result = await server.verifyAuthentication(sessionKey, response);
             let extra = {};
             if (config.onAuthenticationSuccess) {

package/dist/esm/stores.js

@@ -4,9 +4,45 @@
  * For production with multiple server instances, implement the ChallengeStore
  * and CredentialStore interfaces with a shared backend (Redis, database, etc).
  */
-import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
+import { readFile, writeFile } from 'fs/promises';
+import { mkdirSync, existsSync } from 'fs';
 import { dirname } from 'path';
 // ============================================================
+// Async Mutex — serializes read-modify-write file operations
+// ============================================================
+/**
+ * @ai_context Prevents async interleaving of read-modify-write file operations
+ * without blocking the Node.js event loop.
+ *
+ * Each file store instance owns its own AsyncMutex. When a method acquires the
+ * lock, all other callers queue behind it until the holder releases. This turns
+ * concurrent `load() → mutate → persist()` sequences into a serial pipeline,
+ * eliminating the lost-update race condition.
+ */
+class AsyncMutex {
+    queue = [];
+    locked = false;
+    acquire() {
+        if (!this.locked) {
+            this.locked = true;
+            return Promise.resolve();
+        }
+        return new Promise((resolve) => {
+            this.queue.push(resolve);
+        });
+    }
+    release() {
+        const next = this.queue.shift();
+        if (next) {
+            // Hand the lock directly to the next waiter (stays locked)
+            next();
+        }
+        else {
+            this.locked = false;
+        }
+    }
+}
+// ============================================================
 // In-Memory Stores (good for development and single-process)
 // ============================================================
 export class MemoryChallengeStore {
@@ -53,93 +89,150 @@ export class MemoryCredentialStore {
  * File-based challenge store. Challenges are stored in a JSON file.
  * Auto-cleans expired challenges on every operation.
  *
- * Not suitable for multi-process servers (race conditions on file writes).
+ * Uses an internal async mutex to serialize concurrent read-modify-write
+ * operations within the same process. Not suitable for multi-process servers.
  */
 export class FileChallengeStore {
     filePath;
+    mutex = new AsyncMutex();
     constructor(filePath) {
         this.filePath = filePath;
         const dir = dirname(filePath);
         if (!existsSync(dir))
             mkdirSync(dir, { recursive: true });
     }
-    load() {
+    async load() {
         try {
-            return JSON.parse(readFileSync(this.filePath, 'utf-8'));
+            const raw = await readFile(this.filePath, 'utf-8');
+            return JSON.parse(raw);
         }
-        catch {
-            return {};
+        catch (err) {
+            // File not yet created — valid initial state
+            if (err?.code === 'ENOENT')
+                return {};
+            // Anything else (permission denied, corrupted JSON) must surface
+            throw err;
         }
     }
-    persist(data) {
-        // Clean expired
+    async persist(data) {
         const now = Date.now();
         for (const [key, val] of Object.entries(data)) {
             if (now > val.expiresAt)
                 delete data[key];
         }
-        writeFileSync(this.filePath, JSON.stringify(data, null, 2));
+        await writeFile(this.filePath, JSON.stringify(data, null, 2));
     }
     async save(key, challenge) {
-        const data = this.load();
-        data[key] = challenge;
-        this.persist(data);
+        await this.mutex.acquire();
+        try {
+            const data = await this.load();
+            data[key] = challenge;
+            await this.persist(data);
+        }
+        finally {
+            this.mutex.release();
+        }
     }
     async consume(key) {
-        const data = this.load();
-        const challenge = data[key];
-        if (!challenge)
-            return null;
-        delete data[key];
-        this.persist(data);
-        if (Date.now() > challenge.expiresAt)
-            return null;
-        return challenge;
+        await this.mutex.acquire();
+        try {
+            const data = await this.load();
+            const challenge = data[key];
+            if (!challenge)
+                return null;
+            delete data[key];
+            await this.persist(data);
+            if (Date.now() > challenge.expiresAt)
+                return null;
+            return challenge;
+        }
+        finally {
+            this.mutex.release();
+        }
     }
 }
 /**
  * File-based credential store. Credentials stored in a JSON array file.
+ *
+ * Uses an internal async mutex to serialize concurrent read-modify-write
+ * operations within the same process. Read-only operations (getByUserId,
+ * getByCredentialId) also acquire the lock to prevent reading a
+ * partially-written file from a concurrent persist().
  */
 export class FileCredentialStore {
     filePath;
+    mutex = new AsyncMutex();
     constructor(filePath) {
         this.filePath = filePath;
         const dir = dirname(filePath);
         if (!existsSync(dir))
             mkdirSync(dir, { recursive: true });
     }
-    load() {
+    async load() {
         try {
-            return JSON.parse(readFileSync(this.filePath, 'utf-8'));
+            const raw = await readFile(this.filePath, 'utf-8');
+            return JSON.parse(raw);
         }
-        catch {
-            return [];
+        catch (err) {
+            if (err?.code === 'ENOENT')
+                return [];
+            throw err;
         }
     }
-    persist(data) {
-        writeFileSync(this.filePath, JSON.stringify(data, null, 2));
+    async persist(data) {
+        await writeFile(this.filePath, JSON.stringify(data, null, 2));
     }
     async save(credential) {
-        const data = this.load();
-        data.push(credential);
-        this.persist(data);
+        await this.mutex.acquire();
+        try {
+            const data = await this.load();
+            data.push(credential);
+            await this.persist(data);
+        }
+        finally {
+            this.mutex.release();
+        }
     }
     async getByUserId(userId) {
-        return this.load().filter(c => c.userId === userId);
+        await this.mutex.acquire();
+        try {
+            return (await this.load()).filter(c => c.userId === userId);
+        }
+        finally {
+            this.mutex.release();
+        }
     }
     async getByCredentialId(credentialId) {
-        return this.load().find(c => c.credentialId === credentialId) ?? null;
+        await this.mutex.acquire();
+        try {
+            return (await this.load()).find(c => c.credentialId === credentialId) ?? null;
+        }
+        finally {
+            this.mutex.release();
+        }
     }
     async updateCounter(credentialId, newCounter) {
-        const data = this.load();
-        const cred = data.find(c => c.credentialId === credentialId);
-        if (cred) {
-            cred.counter = newCounter;
-            this.persist(data);
+        await this.mutex.acquire();
+        try {
+            const data = await this.load();
+            const cred = data.find(c => c.credentialId === credentialId);
+            if (cred) {
+                cred.counter = newCounter;
+                await this.persist(data);
+            }
+        }
+        finally {
+            this.mutex.release();
         }
     }
     async delete(credentialId) {
-        const data = this.load().filter(c => c.credentialId !== credentialId);
-        this.persist(data);
+        await this.mutex.acquire();
+        try {
+            const data = (await this.load()).filter(c => c.credentialId !== credentialId);
+            await this.persist(data);
+        }
+        finally {
+            this.mutex.release();
+        }
     }
 }

package/dist/express-routes.d.ts

@@ -3,7 +3,7 @@
  *
  * @ai_context This is a convenience wrapper. Apps that don't use Express
  * can use PasskeyServer directly. These routes implement the standard
- * challenge-response pattern with proper error handling.
+ * challenge-response pattern with proper error handling and Zod validation.
  *
  * Usage:
  *   const routes = createExpressRoutes(passkeyServer, { getUserInfo });

package/dist/express-routes.js

@@ -4,7 +4,7 @@
  *
  * @ai_context This is a convenience wrapper. Apps that don't use Express
  * can use PasskeyServer directly. These routes implement the standard
- * challenge-response pattern with proper error handling.
+ * challenge-response pattern with proper error handling and Zod validation.
  *
  * Usage:
  *   const routes = createExpressRoutes(passkeyServer, { getUserInfo });
@@ -13,6 +13,43 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createExpressRoutes = createExpressRoutes;
 const express_1 = require("express");
+const zod_1 = require("zod");
+// ============================================================
+// Zod Schemas — strict input validation for every route
+// ============================================================
+const registerOptionsSchema = zod_1.z.object({
+    userId: zod_1.z.string().min(1),
+    authenticatorAttachment: zod_1.z.enum(['platform', 'cross-platform']).optional(),
+    residentKey: zod_1.z.enum(['required', 'preferred', 'discouraged']).optional(),
+    userVerification: zod_1.z.enum(['required', 'preferred', 'discouraged']).optional(),
+}).strict();
+const registerVerifySchema = zod_1.z.object({
+    userId: zod_1.z.string().min(1),
+    response: zod_1.z.object({
+        id: zod_1.z.string(),
+        rawId: zod_1.z.string(),
+        type: zod_1.z.literal('public-key'),
+        response: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()),
+        clientExtensionResults: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()),
+        authenticatorAttachment: zod_1.z.string().optional(),
+    }).passthrough(),
+    credentialName: zod_1.z.string().optional(),
+    challengeToken: zod_1.z.string().optional(),
+}).strict();
+const authenticateOptionsSchema = zod_1.z.object({
+    userId: zod_1.z.string().min(1).optional(),
+    userVerification: zod_1.z.enum(['required', 'preferred', 'discouraged']).optional(),
+}).strict();
+const authenticateVerifySchema = zod_1.z.object({
+    sessionKey: zod_1.z.string().min(1),
+    response: zod_1.z.object({
+        id: zod_1.z.string(),
+        rawId: zod_1.z.string(),
+        type: zod_1.z.literal('public-key'),
+        response: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()),
+        clientExtensionResults: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()),
+    }).passthrough(),
+}).strict();
 /**
  * Create Express router with passkey registration and authentication routes.
  *
@@ -24,18 +61,14 @@ const express_1 = require("express");
  */
 function createExpressRoutes(server, config) {
     const router = (0, express_1.Router)();
-    /**
-     * POST /register/options
-     * Body: { userId: string, authenticatorAttachment?: 'platform' | 'cross-platform' }
-     * Response includes `challengeToken` in stateless mode.
-     */
     router.post('/register/options', async (req, res) => {
         try {
-            const { userId, authenticatorAttachment, residentKey, userVerification } = req.body;
-            if (!userId) {
-                res.status(400).json({ error: 'userId is required' });
+            const parsed = registerOptionsSchema.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({ error: 'Invalid request body', details: parsed.error.flatten().fieldErrors });
                 return;
             }
+            const { userId, authenticatorAttachment, residentKey, userVerification } = parsed.data;
             const user = await config.getUserInfo(userId);
             if (!user) {
                 res.status(404).json({ error: 'User not found' });
@@ -53,18 +86,14 @@ function createExpressRoutes(server, config) {
             res.status(500).json({ error: 'Failed to generate registration options' });
         }
     });
-    /**
-     * POST /register/verify
-     * Body: { userId: string, response: RegistrationResponseJSON, credentialName?: string, challengeToken?: string }
-     * `challengeToken` is required in stateless mode.
-     */
     router.post('/register/verify', async (req, res) => {
         try {
-            const { userId, response, credentialName, challengeToken } = req.body;
-            if (!userId || !response) {
-                res.status(400).json({ error: 'userId and response are required' });
+            const parsed = registerVerifySchema.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({ error: 'Invalid request body', details: parsed.error.flatten().fieldErrors });
                 return;
             }
+            const { userId, response, credentialName, challengeToken } = parsed.data;
             const result = await server.verifyRegistration(userId, response, credentialName, challengeToken);
             if (config.onRegistrationSuccess) {
                 await config.onRegistrationSuccess(userId, result.credential.credentialId);
@@ -81,14 +110,14 @@ function createExpressRoutes(server, config) {
             res.status(400).json({ error: message });
         }
     });
-    /**
-     * POST /authenticate/options
-     * Body: { userId?: string }
-     * Response includes `sessionKey` (which IS the challengeToken in stateless mode).
-     */
     router.post('/authenticate/options', async (req, res) => {
         try {
-            const { userId, userVerification } = req.body;
+            const parsed = authenticateOptionsSchema.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({ error: 'Invalid request body', details: parsed.error.flatten().fieldErrors });
+                return;
+            }
+            const { userId, userVerification } = parsed.data;
             const { options, sessionKey, challengeToken } = await server.generateAuthenticationOptions(userId, { userVerification });
             res.json({ options, sessionKey, challengeToken });
         }
@@ -97,17 +126,14 @@ function createExpressRoutes(server, config) {
             res.status(500).json({ error: 'Failed to generate authentication options' });
         }
     });
-    /**
-     * POST /authenticate/verify
-     * Body: { sessionKey: string, response: AuthenticationResponseJSON }
-     */
     router.post('/authenticate/verify', async (req, res) => {
         try {
-            const { sessionKey, response } = req.body;
-            if (!sessionKey || !response) {
-                res.status(400).json({ error: 'sessionKey and response are required' });
+            const parsed = authenticateVerifySchema.safeParse(req.body);
+            if (!parsed.success) {
+                res.status(400).json({ error: 'Invalid request body', details: parsed.error.flatten().fieldErrors });
                 return;
             }
+            const { sessionKey, response } = parsed.data;
             const result = await server.verifyAuthentication(sessionKey, response);
             let extra = {};
             if (config.onAuthenticationSuccess) {

package/dist/stores.d.ts

@@ -22,10 +22,12 @@ export declare class MemoryCredentialStore implements CredentialStore {
  * File-based challenge store. Challenges are stored in a JSON file.
  * Auto-cleans expired challenges on every operation.
  *
- * Not suitable for multi-process servers (race conditions on file writes).
+ * Uses an internal async mutex to serialize concurrent read-modify-write
+ * operations within the same process. Not suitable for multi-process servers.
  */
 export declare class FileChallengeStore implements ChallengeStore {
     private filePath;
+    private mutex;
     constructor(filePath: string);
     private load;
     private persist;
@@ -34,9 +36,15 @@ export declare class FileChallengeStore implements ChallengeStore {
 }
 /**
  * File-based credential store. Credentials stored in a JSON array file.
+ *
+ * Uses an internal async mutex to serialize concurrent read-modify-write
+ * operations within the same process. Read-only operations (getByUserId,
+ * getByCredentialId) also acquire the lock to prevent reading a
+ * partially-written file from a concurrent persist().
  */
 export declare class FileCredentialStore implements CredentialStore {
     private filePath;
+    private mutex;
     constructor(filePath: string);
     private load;
     private persist;

package/dist/stores.js

@@ -7,9 +7,45 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.FileCredentialStore = exports.FileChallengeStore = exports.MemoryCredentialStore = exports.MemoryChallengeStore = void 0;
+const promises_1 = require("fs/promises");
 const fs_1 = require("fs");
 const path_1 = require("path");
 // ============================================================
+// Async Mutex — serializes read-modify-write file operations
+// ============================================================
+/**
+ * @ai_context Prevents async interleaving of read-modify-write file operations
+ * without blocking the Node.js event loop.
+ *
+ * Each file store instance owns its own AsyncMutex. When a method acquires the
+ * lock, all other callers queue behind it until the holder releases. This turns
+ * concurrent `load() → mutate → persist()` sequences into a serial pipeline,
+ * eliminating the lost-update race condition.
+ */
+class AsyncMutex {
+    queue = [];
+    locked = false;
+    acquire() {
+        if (!this.locked) {
+            this.locked = true;
+            return Promise.resolve();
+        }
+        return new Promise((resolve) => {
+            this.queue.push(resolve);
+        });
+    }
+    release() {
+        const next = this.queue.shift();
+        if (next) {
+            // Hand the lock directly to the next waiter (stays locked)
+            next();
+        }
+        else {
+            this.locked = false;
+        }
+    }
+}
+// ============================================================
 // In-Memory Stores (good for development and single-process)
 // ============================================================
 class MemoryChallengeStore {
@@ -58,95 +94,152 @@ exports.MemoryCredentialStore = MemoryCredentialStore;
  * File-based challenge store. Challenges are stored in a JSON file.
  * Auto-cleans expired challenges on every operation.
  *
- * Not suitable for multi-process servers (race conditions on file writes).
+ * Uses an internal async mutex to serialize concurrent read-modify-write
+ * operations within the same process. Not suitable for multi-process servers.
  */
 class FileChallengeStore {
     filePath;
+    mutex = new AsyncMutex();
     constructor(filePath) {
         this.filePath = filePath;
         const dir = (0, path_1.dirname)(filePath);
         if (!(0, fs_1.existsSync)(dir))
             (0, fs_1.mkdirSync)(dir, { recursive: true });
     }
-    load() {
+    async load() {
         try {
-            return JSON.parse((0, fs_1.readFileSync)(this.filePath, 'utf-8'));
+            const raw = await (0, promises_1.readFile)(this.filePath, 'utf-8');
+            return JSON.parse(raw);
         }
-        catch {
-            return {};
+        catch (err) {
+            // File not yet created — valid initial state
+            if (err?.code === 'ENOENT')
+                return {};
+            // Anything else (permission denied, corrupted JSON) must surface
+            throw err;
         }
     }
-    persist(data) {
-        // Clean expired
+    async persist(data) {
         const now = Date.now();
         for (const [key, val] of Object.entries(data)) {
             if (now > val.expiresAt)
                 delete data[key];
         }
-        (0, fs_1.writeFileSync)(this.filePath, JSON.stringify(data, null, 2));
+        await (0, promises_1.writeFile)(this.filePath, JSON.stringify(data, null, 2));
     }
     async save(key, challenge) {
-        const data = this.load();
-        data[key] = challenge;
-        this.persist(data);
+        await this.mutex.acquire();
+        try {
+            const data = await this.load();
+            data[key] = challenge;
+            await this.persist(data);
+        }
+        finally {
+            this.mutex.release();
+        }
     }
     async consume(key) {
-        const data = this.load();
-        const challenge = data[key];
-        if (!challenge)
-            return null;
-        delete data[key];
-        this.persist(data);
-        if (Date.now() > challenge.expiresAt)
-            return null;
-        return challenge;
+        await this.mutex.acquire();
+        try {
+            const data = await this.load();
+            const challenge = data[key];
+            if (!challenge)
+                return null;
+            delete data[key];
+            await this.persist(data);
+            if (Date.now() > challenge.expiresAt)
+                return null;
+            return challenge;
+        }
+        finally {
+            this.mutex.release();
+        }
     }
 }
 exports.FileChallengeStore = FileChallengeStore;
 /**
  * File-based credential store. Credentials stored in a JSON array file.
+ *
+ * Uses an internal async mutex to serialize concurrent read-modify-write
+ * operations within the same process. Read-only operations (getByUserId,
+ * getByCredentialId) also acquire the lock to prevent reading a
+ * partially-written file from a concurrent persist().
  */
 class FileCredentialStore {
     filePath;
+    mutex = new AsyncMutex();
     constructor(filePath) {
         this.filePath = filePath;
         const dir = (0, path_1.dirname)(filePath);
         if (!(0, fs_1.existsSync)(dir))
             (0, fs_1.mkdirSync)(dir, { recursive: true });
     }
-    load() {
+    async load() {
         try {
-            return JSON.parse((0, fs_1.readFileSync)(this.filePath, 'utf-8'));
+            const raw = await (0, promises_1.readFile)(this.filePath, 'utf-8');
+            return JSON.parse(raw);
         }
-        catch {
-            return [];
+        catch (err) {
+            if (err?.code === 'ENOENT')
+                return [];
+            throw err;
         }
     }
-    persist(data) {
-        (0, fs_1.writeFileSync)(this.filePath, JSON.stringify(data, null, 2));
+    async persist(data) {
+        await (0, promises_1.writeFile)(this.filePath, JSON.stringify(data, null, 2));
     }
     async save(credential) {
-        const data = this.load();
-        data.push(credential);
-        this.persist(data);
+        await this.mutex.acquire();
+        try {
+            const data = await this.load();
+            data.push(credential);
+            await this.persist(data);
+        }
+        finally {
+            this.mutex.release();
+        }
     }
     async getByUserId(userId) {
-        return this.load().filter(c => c.userId === userId);
+        await this.mutex.acquire();
+        try {
+            return (await this.load()).filter(c => c.userId === userId);
+        }
+        finally {
+            this.mutex.release();
+        }
     }
     async getByCredentialId(credentialId) {
-        return this.load().find(c => c.credentialId === credentialId) ?? null;
+        await this.mutex.acquire();
+        try {
+            return (await this.load()).find(c => c.credentialId === credentialId) ?? null;
+        }
+        finally {
+            this.mutex.release();
+        }
     }
     async updateCounter(credentialId, newCounter) {
-        const data = this.load();
-        const cred = data.find(c => c.credentialId === credentialId);
-        if (cred) {
-            cred.counter = newCounter;
-            this.persist(data);
+        await this.mutex.acquire();
+        try {
+            const data = await this.load();
+            const cred = data.find(c => c.credentialId === credentialId);
+            if (cred) {
+                cred.counter = newCounter;
+                await this.persist(data);
+            }
+        }
+        finally {
+            this.mutex.release();
         }
     }
     async delete(credentialId) {
-        const data = this.load().filter(c => c.credentialId !== credentialId);
-        this.persist(data);
+        await this.mutex.acquire();
+        try {
+            const data = (await this.load()).filter(c => c.credentialId !== credentialId);
+            await this.persist(data);
+        }
+        finally {
+            this.mutex.release();
+        }
     }
 }
 exports.FileCredentialStore = FileCredentialStore;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@passkeykit/server",
-  "version": "3.0.0",
+  "version": "3.1.1",
   "description": "Server-side WebAuthn passkey verification — stateless or stateful, pure JS, works on serverless",
   "main": "dist/index.js",
   "module": "dist/esm/index.js",
@@ -54,12 +54,13 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@noble/hashes": "^1.7.0"
+    "@noble/hashes": "^1.7.0",
+    "zod": "^4.3.6"
   },
   "peerDependencies": {
     "@simplewebauthn/server": "^13.0.0",
-    "express": "^4.0.0 || ^5.0.0",
-    "argon2": "^0.41.0"
+    "argon2": "^0.41.0",
+    "express": "^4.0.0 || ^5.0.0"
   },
   "peerDependenciesMeta": {
     "@simplewebauthn/server": {