@revealui/auth 0.2.1 → 0.3.2

package/dist/server/oauth.js

@@ -24,9 +24,14 @@ import * as vercel from './providers/vercel.js';
  * Cookie value is `<state>.<hmac>` — the HMAC is over the state string
  * using REVEALUI_SECRET, providing CSRF protection without a DB table.
  */
-export function generateOAuthState(provider, redirectTo) {
+export function generateOAuthState(provider, redirectTo, options) {
     const nonce = crypto.randomBytes(16).toString('hex');
-    const payload = JSON.stringify({ provider, redirectTo, nonce });
+    const payload = JSON.stringify({
+        provider,
+        redirectTo,
+        nonce,
+        ...(options?.linkConsent ? { linkConsent: true } : {}),
+    });
     const state = Buffer.from(payload).toString('base64url');
     const secret = process.env.REVEALUI_SECRET;
     if (!secret) {
@@ -49,9 +54,11 @@ export function verifyOAuthState(state, cookieValue) {
         return null;
     const storedState = cookieValue.substring(0, dotIdx);
     const storedHmac = cookieValue.substring(dotIdx + 1);
-    // State from query param must match what's in the cookie
-    if (storedState !== state)
+    // State from query param must match what's in the cookie (timing-safe)
+    if (storedState.length !== state.length ||
+        !crypto.timingSafeEqual(Buffer.from(storedState), Buffer.from(state))) {
         return null;
+    }
     const secret = process.env.REVEALUI_SECRET;
     if (!secret) {
         throw new Error('REVEALUI_SECRET is required for OAuth state verification. ' +
@@ -73,7 +80,11 @@ export function verifyOAuthState(state, cookieValue) {
     }
     try {
         const parsed = JSON.parse(Buffer.from(state, 'base64url').toString());
-        return { provider: parsed.provider, redirectTo: parsed.redirectTo };
+        return {
+            provider: parsed.provider,
+            redirectTo: parsed.redirectTo,
+            ...(parsed.linkConsent ? { linkConsent: true } : {}),
+        };
     }
     catch {
         return null;
@@ -128,20 +139,17 @@ export async function fetchProviderUser(provider, accessToken) {
     };
     return fetchers[provider](accessToken);
 }
-// =============================================================================
-// User Upsert
-// =============================================================================
 /**
  * Find or create a local user for the given OAuth identity.
  *
  * Flow:
  * 1. Look up oauth_accounts by (provider, providerUserId) → get userId
  * 2. If found: refresh metadata + return user
- * 3. If not found: check users by email → link if match
- * 4. If no match: create new user (role: 'admin', no password)
+ * 3. If not found: check users by email → link if match (with consent) or throw
+ * 4. If no match: create new user (role: 'user', no password)
  * 5. Insert oauth_accounts row
  */
-export async function upsertOAuthUser(provider, providerUser) {
+export async function upsertOAuthUser(provider, providerUser, options) {
     const db = getClient();
     // 1. Check for existing linked account
     const [existingAccount] = await db
@@ -171,11 +179,11 @@ export async function upsertOAuthUser(provider, providerUser) {
         }
         return user;
     }
-    // 2. Check for existing user by email — BLOCK auto-linking
+    // 2. Check for existing user by email
     // If an account with this email already exists but was not linked via OAuth,
-    // reject the login. Auto-linking is an account takeover vector: an attacker
-    // who controls a provider email instantly owns the existing account.
-    // Explicit linking (from an authenticated session) is a future feature.
+    // either link it (when the user has given explicit consent) or reject the
+    // login. Auto-linking without consent is an account takeover vector: an
+    // attacker who controls a provider email instantly owns the existing account.
     let userId;
     let isNewUser = false;
     if (providerUser.email) {
@@ -185,10 +193,20 @@ export async function upsertOAuthUser(provider, providerUser) {
             .where(eq(users.email, providerUser.email))
             .limit(1);
         if (existingUser) {
-            throw new OAuthAccountConflictError(providerUser.email);
+            if (options?.linkConsent) {
+                // User explicitly consented to link — use the existing account
+                userId = existingUser.id;
+                isNewUser = false;
+                logger.info(`Linking ${provider} account to existing user ${userId} (consent-based)`);
+            }
+            else {
+                throw new OAuthAccountConflictError(providerUser.email);
+            }
+        }
+        else {
+            isNewUser = true;
+            userId = crypto.randomUUID();
         }
-        isNewUser = true;
-        userId = crypto.randomUUID();
     }
     else {
         isNewUser = true;
@@ -221,3 +239,132 @@ export async function upsertOAuthUser(provider, providerUser) {
         throw new Error('Failed to fetch upserted OAuth user');
     return user;
 }
+// =============================================================================
+// Explicit Account Linking
+// =============================================================================
+/**
+ * Link an OAuth provider to an existing authenticated user.
+ *
+ * Unlike upsertOAuthUser(), this function requires the caller to be
+ * authenticated and explicitly requests the link. This is safe because
+ * the user has already proven ownership of the local account via their
+ * session.
+ *
+ * @param userId - The authenticated user's ID (from session)
+ * @param provider - OAuth provider name
+ * @param providerUser - Profile returned by the OAuth provider
+ * @returns The linked user
+ * @throws Error if the provider account is already linked to a different user
+ */
+export async function linkOAuthAccount(userId, provider, providerUser) {
+    const db = getClient();
+    // 1. Check if this provider identity is already linked to ANY user
+    const [existingLink] = await db
+        .select()
+        .from(oauthAccounts)
+        .where(and(eq(oauthAccounts.provider, provider), eq(oauthAccounts.providerUserId, providerUser.id)))
+        .limit(1);
+    if (existingLink) {
+        if (existingLink.userId === userId) {
+            // Already linked to this user — refresh metadata and return
+            await db
+                .update(oauthAccounts)
+                .set({
+                providerEmail: providerUser.email,
+                providerName: providerUser.name,
+                providerAvatarUrl: providerUser.avatarUrl,
+                updatedAt: new Date(),
+            })
+                .where(eq(oauthAccounts.id, existingLink.id));
+            const [user] = await db.select().from(users).where(eq(users.id, userId)).limit(1);
+            if (!user)
+                throw new Error('Authenticated user not found in database');
+            return user;
+        }
+        // Linked to a different user — cannot steal the identity
+        throw new Error('This provider account is already linked to another user. Unlink it from the other account first.');
+    }
+    // 2. Check the authenticated user exists
+    const [user] = await db.select().from(users).where(eq(users.id, userId)).limit(1);
+    if (!user)
+        throw new Error('Authenticated user not found in database');
+    // 3. Check if this user already has a link for this provider (different provider account)
+    const [existingProviderLink] = await db
+        .select()
+        .from(oauthAccounts)
+        .where(and(eq(oauthAccounts.userId, userId), eq(oauthAccounts.provider, provider)))
+        .limit(1);
+    if (existingProviderLink) {
+        throw new Error(`You already have a ${provider} account linked. Unlink it first to connect a different one.`);
+    }
+    // 4. Create the link
+    await db.insert(oauthAccounts).values({
+        id: crypto.randomUUID(),
+        userId,
+        provider,
+        providerUserId: providerUser.id,
+        providerEmail: providerUser.email,
+        providerName: providerUser.name,
+        providerAvatarUrl: providerUser.avatarUrl,
+    });
+    logger.info(`Linked ${provider} account to user ${userId}`);
+    return user;
+}
+/**
+ * Unlink an OAuth provider from a user's account.
+ *
+ * Safety: refuses to unlink the last auth method (if user has no password
+ * and this is their only OAuth link, unlinking would lock them out).
+ *
+ * @param userId - The authenticated user's ID
+ * @param provider - The provider to unlink
+ * @throws Error if unlinking would leave the user with no authentication method
+ */
+export async function unlinkOAuthAccount(userId, provider) {
+    const db = getClient();
+    // 1. Find the link to remove
+    const [link] = await db
+        .select()
+        .from(oauthAccounts)
+        .where(and(eq(oauthAccounts.userId, userId), eq(oauthAccounts.provider, provider)))
+        .limit(1);
+    if (!link) {
+        throw new Error(`No ${provider} account is linked to your account`);
+    }
+    // 2. Safety check: ensure user won't be locked out
+    const [user] = await db.select().from(users).where(eq(users.id, userId)).limit(1);
+    if (!user)
+        throw new Error('User not found');
+    const allLinks = await db
+        .select({ id: oauthAccounts.id })
+        .from(oauthAccounts)
+        .where(eq(oauthAccounts.userId, userId));
+    const hasPassword = !!user.password;
+    const otherLinksCount = allLinks.length - 1;
+    if (!hasPassword && otherLinksCount === 0) {
+        throw new Error('Cannot unlink your only sign-in method. Set a password first, or link another provider.');
+    }
+    // 3. Delete the link
+    await db
+        .delete(oauthAccounts)
+        .where(and(eq(oauthAccounts.userId, userId), eq(oauthAccounts.provider, provider)));
+    logger.info(`Unlinked ${provider} account from user ${userId}`);
+}
+/**
+ * Get all linked OAuth providers for a user.
+ *
+ * @param userId - The user's ID
+ * @returns Array of linked provider info (provider name, email, avatar)
+ */
+export async function getLinkedProviders(userId) {
+    const db = getClient();
+    const links = await db
+        .select({
+        provider: oauthAccounts.provider,
+        providerEmail: oauthAccounts.providerEmail,
+        providerName: oauthAccounts.providerName,
+    })
+        .from(oauthAccounts)
+        .where(eq(oauthAccounts.userId, userId));
+    return links;
+}

package/dist/server/passkey.d.ts

@@ -0,0 +1,132 @@
+/**
+ * WebAuthn Passkey Module
+ *
+ * Implements passkey registration, authentication, and management using
+ * @simplewebauthn/server v13. Passkeys enable passwordless authentication
+ * via biometrics, security keys, or platform authenticators.
+ *
+ * @see https://simplewebauthn.dev/
+ */
+import type { AuthenticationResponseJSON, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, VerifiedRegistrationResponse, WebAuthnCredential } from '@simplewebauthn/server';
+export interface PasskeyConfig {
+    /** Maximum passkeys per user (default: 10) */
+    maxPasskeysPerUser: number;
+    /** Challenge TTL in ms (default: 5 minutes) */
+    challengeTtlMs: number;
+    /** Relying Party ID — domain name (default: 'localhost') */
+    rpId: string;
+    /** Relying Party name — user-visible (default: 'RevealUI') */
+    rpName: string;
+    /** Expected origin(s) for verification (default: 'http://localhost:4000') */
+    origin: string | string[];
+}
+export declare function configurePasskey(overrides: Partial<PasskeyConfig>): void;
+export declare function resetPasskeyConfig(): void;
+/**
+ * Generate WebAuthn registration options for a user.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.create().
+ * The challenge is embedded in the options and should be stored server-side
+ * for verification.
+ *
+ * @param userId - User's database ID
+ * @param userEmail - User's email (used as userName in WebAuthn)
+ * @param existingCredentialIds - Credential IDs to exclude (prevent re-registration)
+ */
+export declare function generateRegistrationChallenge(userId: string, userEmail: string, existingCredentialIds?: string[]): Promise<PublicKeyCredentialCreationOptionsJSON>;
+/**
+ * Verify a WebAuthn registration response from the browser.
+ *
+ * @param response - The RegistrationResponseJSON from the browser
+ * @param expectedChallenge - The challenge from generateRegistrationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verified registration data including credential info
+ * @throws If verification fails
+ */
+export declare function verifyRegistration(response: RegistrationResponseJSON, expectedChallenge: string, expectedOrigin?: string | string[]): Promise<VerifiedRegistrationResponse>;
+/**
+ * Store a verified passkey credential in the database.
+ *
+ * Enforces the per-user passkey limit before insertion.
+ *
+ * @param userId - User's database ID
+ * @param credential - Verified credential from verifyRegistration
+ * @param deviceName - Optional user-friendly name (e.g., "MacBook Pro Touch ID")
+ * @returns The stored passkey record
+ */
+export declare function storePasskey(userId: string, credential: {
+    id: string;
+    publicKey: Uint8Array;
+    counter: number;
+    transports?: string[];
+    aaguid?: string;
+    backedUp?: boolean;
+}, deviceName?: string): Promise<{
+    id: string;
+    userId: string;
+    credentialId: string;
+    deviceName: string | null;
+    createdAt: Date;
+}>;
+/**
+ * Generate WebAuthn authentication options.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.get().
+ *
+ * @param allowCredentials - Optional list of credential IDs to allow
+ */
+export declare function generateAuthenticationChallenge(allowCredentials?: {
+    id: string;
+    transports?: string[];
+}[]): Promise<PublicKeyCredentialRequestOptionsJSON>;
+/**
+ * Verify a WebAuthn authentication response and update the credential counter.
+ *
+ * @param response - The AuthenticationResponseJSON from the browser
+ * @param credential - The stored credential (id, publicKey, counter)
+ * @param expectedChallenge - The challenge from generateAuthenticationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verification result with new counter value
+ */
+export declare function verifyAuthentication(response: AuthenticationResponseJSON, credential: WebAuthnCredential, expectedChallenge: string, expectedOrigin?: string | string[]): Promise<{
+    verified: boolean;
+    newCounter: number;
+}>;
+/**
+ * List all passkeys for a user (safe for client — excludes publicKey and counter).
+ */
+export declare function listPasskeys(userId: string): Promise<{
+    id: string;
+    credentialId: string;
+    deviceName: string | null;
+    backedUp: boolean;
+    createdAt: Date;
+    lastUsedAt: Date | null;
+}[]>;
+/**
+ * Delete a passkey. Blocks deletion if it's the user's last sign-in method.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to delete
+ * @throws If this is the user's only sign-in method
+ */
+export declare function deletePasskey(userId: string, passkeyId: string): Promise<void>;
+/**
+ * Rename a passkey's device name.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to rename
+ * @param name - New friendly name
+ */
+export declare function renamePasskey(userId: string, passkeyId: string, name: string): Promise<void>;
+/**
+ * Count a user's sign-in credentials (passkeys + password).
+ *
+ * @param userId - User's database ID
+ * @returns Passkey count and whether user has a password set
+ */
+export declare function countUserCredentials(userId: string): Promise<{
+    passkeyCount: number;
+    hasPassword: boolean;
+}>;
+//# sourceMappingURL=passkey.d.ts.map

package/dist/server/passkey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passkey.d.ts","sourceRoot":"","sources":["../../src/server/passkey.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,KAAK,EACV,0BAA0B,EAC1B,sCAAsC,EACtC,qCAAqC,EACrC,wBAAwB,EACxB,4BAA4B,EAC5B,kBAAkB,EACnB,MAAM,wBAAwB,CAAC;AAahC,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,kBAAkB,EAAE,MAAM,CAAC;IAC3B,+CAA+C;IAC/C,cAAc,EAAE,MAAM,CAAC;IACvB,4DAA4D;IAC5D,IAAI,EAAE,MAAM,CAAC;IACb,8DAA8D;IAC9D,MAAM,EAAE,MAAM,CAAC;IACf,6EAA6E;IAC7E,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC3B;AAYD,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,IAAI,CAExE;AAED,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,6BAA6B,CACjD,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,GAC/B,OAAO,CAAC,sCAAsC,CAAC,CAuBjD;AAED;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,wBAAwB,EAClC,iBAAiB,EAAE,MAAM,EACzB,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GACjC,OAAO,CAAC,4BAA4B,CAAC,CAavC;AAMD;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE;IACV,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,UAAU,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,EACD,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC;IACT,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,IAAI,CAAC;CACjB,CAAC,CAqCD;AAMD;;;;;;GAMG;AACH,wBAAsB,+BAA+B,CACnD,gBAAgB,CAAC,EAAE;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,EAAE,GACzD,OAAO,CAAC,qCAAqC,CAAC,CAoBhD;AAED;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,0BAA0B,EACpC,UAAU,EAAE,kBAAkB,EAC9B,iBAAiB,EAAE,MAAM,EACzB,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GACjC,OAAO,CAAC;IACT,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC,CAyBD;AAMD;;GAEG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CACzD;IACE,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,OAAO,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACzB,EAAE,CACJ,CAgBA;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CASpF;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAMf;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,OAAO,CAAA;CAAE,CAAC,CAkBzD"}

package/dist/server/passkey.js

@@ -0,0 +1,257 @@
+/**
+ * WebAuthn Passkey Module
+ *
+ * Implements passkey registration, authentication, and management using
+ * @simplewebauthn/server v13. Passkeys enable passwordless authentication
+ * via biometrics, security keys, or platform authenticators.
+ *
+ * @see https://simplewebauthn.dev/
+ */
+import crypto from 'node:crypto';
+import { getClient } from '@revealui/db/client';
+import { passkeys, users } from '@revealui/db/schema';
+import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse, } from '@simplewebauthn/server';
+import { and, count, eq } from 'drizzle-orm';
+const DEFAULT_CONFIG = {
+    maxPasskeysPerUser: 10,
+    challengeTtlMs: 5 * 60 * 1000,
+    rpId: 'localhost',
+    rpName: 'RevealUI',
+    origin: 'http://localhost:4000',
+};
+let config = { ...DEFAULT_CONFIG };
+export function configurePasskey(overrides) {
+    config = { ...DEFAULT_CONFIG, ...overrides };
+}
+export function resetPasskeyConfig() {
+    config = { ...DEFAULT_CONFIG };
+}
+// =============================================================================
+// Registration
+// =============================================================================
+/**
+ * Generate WebAuthn registration options for a user.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.create().
+ * The challenge is embedded in the options and should be stored server-side
+ * for verification.
+ *
+ * @param userId - User's database ID
+ * @param userEmail - User's email (used as userName in WebAuthn)
+ * @param existingCredentialIds - Credential IDs to exclude (prevent re-registration)
+ */
+export async function generateRegistrationChallenge(userId, userEmail, existingCredentialIds) {
+    const excludeCredentials = existingCredentialIds?.map((id) => ({
+        id,
+    }));
+    // Encode userId as Uint8Array for WebAuthn userID field
+    const userIdBytes = new TextEncoder().encode(userId);
+    const options = await generateRegistrationOptions({
+        rpName: config.rpName,
+        rpID: config.rpId,
+        userName: userEmail,
+        userID: userIdBytes,
+        userDisplayName: userEmail,
+        excludeCredentials,
+        authenticatorSelection: {
+            residentKey: 'preferred',
+            userVerification: 'preferred',
+        },
+        timeout: config.challengeTtlMs,
+    });
+    return options;
+}
+/**
+ * Verify a WebAuthn registration response from the browser.
+ *
+ * @param response - The RegistrationResponseJSON from the browser
+ * @param expectedChallenge - The challenge from generateRegistrationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verified registration data including credential info
+ * @throws If verification fails
+ */
+export async function verifyRegistration(response, expectedChallenge, expectedOrigin) {
+    const verification = await verifyRegistrationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin: expectedOrigin ?? config.origin,
+        expectedRPID: config.rpId,
+    });
+    if (!(verification.verified && verification.registrationInfo)) {
+        throw new Error('Passkey registration verification failed');
+    }
+    return verification;
+}
+// =============================================================================
+// Credential Storage
+// =============================================================================
+/**
+ * Store a verified passkey credential in the database.
+ *
+ * Enforces the per-user passkey limit before insertion.
+ *
+ * @param userId - User's database ID
+ * @param credential - Verified credential from verifyRegistration
+ * @param deviceName - Optional user-friendly name (e.g., "MacBook Pro Touch ID")
+ * @returns The stored passkey record
+ */
+export async function storePasskey(userId, credential, deviceName) {
+    const db = getClient();
+    // Enforce per-user passkey limit
+    const [result] = await db
+        .select({ total: count() })
+        .from(passkeys)
+        .where(eq(passkeys.userId, userId));
+    const currentCount = result?.total ?? 0;
+    if (currentCount >= config.maxPasskeysPerUser) {
+        throw new Error(`Maximum of ${config.maxPasskeysPerUser} passkeys per user reached`);
+    }
+    const id = crypto.randomUUID();
+    const now = new Date();
+    await db.insert(passkeys).values({
+        id,
+        userId,
+        credentialId: credential.id,
+        publicKey: Buffer.from(credential.publicKey),
+        counter: credential.counter,
+        transports: credential.transports ?? null,
+        aaguid: credential.aaguid ?? null,
+        deviceName: deviceName ?? null,
+        backedUp: credential.backedUp ?? false,
+        createdAt: now,
+    });
+    return {
+        id,
+        userId,
+        credentialId: credential.id,
+        deviceName: deviceName ?? null,
+        createdAt: now,
+    };
+}
+// =============================================================================
+// Authentication
+// =============================================================================
+/**
+ * Generate WebAuthn authentication options.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.get().
+ *
+ * @param allowCredentials - Optional list of credential IDs to allow
+ */
+export async function generateAuthenticationChallenge(allowCredentials) {
+    const options = await generateAuthenticationOptions({
+        rpID: config.rpId,
+        allowCredentials: allowCredentials?.map((cred) => ({
+            id: cred.id,
+            transports: cred.transports,
+        })),
+        timeout: config.challengeTtlMs,
+        userVerification: 'preferred',
+    });
+    return options;
+}
+/**
+ * Verify a WebAuthn authentication response and update the credential counter.
+ *
+ * @param response - The AuthenticationResponseJSON from the browser
+ * @param credential - The stored credential (id, publicKey, counter)
+ * @param expectedChallenge - The challenge from generateAuthenticationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verification result with new counter value
+ */
+export async function verifyAuthentication(response, credential, expectedChallenge, expectedOrigin) {
+    const verification = await verifyAuthenticationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin: expectedOrigin ?? config.origin,
+        expectedRPID: [config.rpId],
+        credential,
+    });
+    if (verification.verified) {
+        // Update counter and lastUsedAt in the database
+        const db = getClient();
+        await db
+            .update(passkeys)
+            .set({
+            counter: verification.authenticationInfo.newCounter,
+            lastUsedAt: new Date(),
+        })
+            .where(eq(passkeys.credentialId, credential.id));
+    }
+    return {
+        verified: verification.verified,
+        newCounter: verification.authenticationInfo.newCounter,
+    };
+}
+// =============================================================================
+// Management
+// =============================================================================
+/**
+ * List all passkeys for a user (safe for client — excludes publicKey and counter).
+ */
+export async function listPasskeys(userId) {
+    const db = getClient();
+    const rows = await db
+        .select({
+        id: passkeys.id,
+        credentialId: passkeys.credentialId,
+        deviceName: passkeys.deviceName,
+        backedUp: passkeys.backedUp,
+        createdAt: passkeys.createdAt,
+        lastUsedAt: passkeys.lastUsedAt,
+    })
+        .from(passkeys)
+        .where(eq(passkeys.userId, userId));
+    return rows;
+}
+/**
+ * Delete a passkey. Blocks deletion if it's the user's last sign-in method.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to delete
+ * @throws If this is the user's only sign-in method
+ */
+export async function deletePasskey(userId, passkeyId) {
+    const { passkeyCount, hasPassword } = await countUserCredentials(userId);
+    if (passkeyCount <= 1 && !hasPassword) {
+        throw new Error('Cannot delete last sign-in method');
+    }
+    const db = getClient();
+    await db.delete(passkeys).where(and(eq(passkeys.id, passkeyId), eq(passkeys.userId, userId)));
+}
+/**
+ * Rename a passkey's device name.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to rename
+ * @param name - New friendly name
+ */
+export async function renamePasskey(userId, passkeyId, name) {
+    const db = getClient();
+    await db
+        .update(passkeys)
+        .set({ deviceName: name })
+        .where(and(eq(passkeys.id, passkeyId), eq(passkeys.userId, userId)));
+}
+/**
+ * Count a user's sign-in credentials (passkeys + password).
+ *
+ * @param userId - User's database ID
+ * @returns Passkey count and whether user has a password set
+ */
+export async function countUserCredentials(userId) {
+    const db = getClient();
+    const [passkeyResult] = await db
+        .select({ total: count() })
+        .from(passkeys)
+        .where(eq(passkeys.userId, userId));
+    const [userResult] = await db
+        .select({ password: users.password })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    return {
+        passkeyCount: passkeyResult?.total ?? 0,
+        hasPassword: userResult?.password != null,
+    };
+}

package/dist/server/password-reset.d.ts

@@ -43,6 +43,21 @@ export declare function validatePasswordResetToken(tokenId: string, token: strin
  * @returns Success result
  */
 export declare function resetPasswordWithToken(tokenId: string, token: string, newPassword: string): Promise<PasswordResetResult>;
+export interface ChangePasswordResult {
+    success: boolean;
+    error?: string;
+}
+/**
+ * Change password for an authenticated user.
+ *
+ * Verifies the current password before updating. Does not touch sessions —
+ * the caller is responsible for revoking other sessions if desired.
+ *
+ * @param userId - Authenticated user ID
+ * @param currentPassword - Plain-text current password to verify
+ * @param newPassword - Plain-text new password to hash and store
+ */
+export declare function changePassword(userId: string, currentPassword: string, newPassword: string): Promise<ChangePasswordResult>;
 /**
  * Invalidates a password reset token
  *

package/dist/server/password-reset.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../src/server/password-reset.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAuBD;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAqE5F;AAED;;;;;;;;;GASG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqCxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,mBAAmB,CAAC,CA4E9B;AAED;;;;;;;GAOG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqChG"}
+{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../src/server/password-reset.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAuBD;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAwE5F;AAED;;;;;;;;;GASG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqCxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,mBAAmB,CAAC,CA4E9B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,eAAe,EAAE,MAAM,EACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,oBAAoB,CAAC,CAqC/B;AAED;;;;;;;GAOG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqChG"}