@technomoron/api-server-base 2.0.0-beta.6 → 2.0.0-beta.9

package/README.txt

@@ -122,7 +122,7 @@ Request Lifecycle
 -----------------
 1. Express middlewares (express.json, cookie-parser, optional multer) run before your handler.
 2. ApiServer wraps the route inside handle_request, setting currReq and logging when debug is enabled.
-3. authenticate enforces the ApiRoute auth type: `none`, `maybe`, `yes`, `strict`, or `apikey`. Bearer JWTs and the `dat` cookie are accepted for `yes`/`strict`, while API key tokens prefixed with `apikey-` always delegate to `getApiKey`. The optional `strict` type (or server-wide `validateTokens` flag) requires the signed JWT to exist in storage; when it does, the persisted row is attached to `apiReq.authToken`. The dedicated `apikey` type simply means “an API key is required”; otherwise API keys are still accepted by `yes`/`strict` routes alongside JWTs, and `apiReq.apiKey` is populated when present.
+3. authenticate enforces the ApiRoute auth type: `none`, `maybe`, `yes`, `strict`, or `apikey`. Bearer JWTs and the access cookie (`accessCookie`, default `dat`) are accepted for `yes`/`strict`, while API key tokens prefixed with `apikey-` always delegate to `getApiKey`. The optional `strict` type (or server-wide `validateTokens` flag) requires the signed JWT to exist in storage; when it does, the persisted row is attached to `apiReq.authToken`. The dedicated `apikey` type simply means “an API key is required”; otherwise API keys are still accepted by `yes`/`strict` routes alongside JWTs, and `apiReq.apiKey` is populated when present.
 4. authorize runs with the requested auth class (any or admin in the base implementation). Override to connect to your role system.
 5. The handler executes and returns its tuple. Responses are normalized to { code, message, data } JSON.
 6. Errors bubble into the wrapper. ApiError instances respect the provided status codes; other exceptions result in a 500 with text derived from guessExceptionText.
@@ -140,6 +140,28 @@ Use your storage adapter's filterUser helper to trim sensitive data before retur
 Provide your own authorize method to enforce role based access control using the ApiAuthClass enum.
 Create feature modules by extending ApiModule. Use the optional checkConfig hook to validate prerequisites before routes mount.
 
+Custom Express Endpoints
+------------------------
+ApiModule routes run inside the tuple wrapper (always responding with a standardized JSON envelope). For endpoints that need raw Express control (streaming, webhooks, tus uploads, etc.), mount your own handlers directly.
+
+- `server.useExpress(...)` mounts middleware/routes and keeps the built-in `/api` 404 handler ordered last, so mounts under `apiBasePath` are not intercepted.
+- Protect endpoints by inserting `server.expressAuth({ type, req })` as middleware. It authenticates using the same JWT/cookie/API-key logic as ApiModule routes and then runs `authorize`.
+- On success, `expressAuth` attaches the computed ApiRequest to both `req.apiReq` and `res.locals.apiReq`.
+- If you want the same JSON error envelope for custom endpoints, mount `server.expressErrorHandler()` after your custom routes.
+
+Example:
+
+	server
+		.useExpress(
+			'/api/custom/optional',
+			server.expressAuth({ type: 'maybe', req: 'any' }),
+			(req, res) => {
+				const apiReq = (req as any).apiReq;
+				res.status(200).json({ uid: apiReq.tokenData?.uid ?? null });
+			}
+		)
+		.useExpress(server.expressErrorHandler());
+
 
 Tooling and Scripts
 -------------------

package/dist/cjs/api-server-base.cjs

@@ -733,7 +733,7 @@ class ApiServer {
             token = authHeader.slice(7).trim();
         }
         if (!token) {
-            const access = apiReq.req.cookies?.dat;
+            const access = apiReq.req.cookies?.[this.config.accessCookie];
             if (access) {
                 token = access;
             }
@@ -839,32 +839,98 @@ class ApiServer {
         }
         return rawReal;
     }
-    handle_request(handler, auth) {
+    useExpress(pathOrHandler, ...handlers) {
+        if (typeof pathOrHandler === 'string') {
+            this.app.use(pathOrHandler, ...handlers);
+        }
+        else {
+            this.app.use(pathOrHandler, ...handlers);
+        }
+        this.ensureApiNotFoundOrdering();
+        return this;
+    }
+    createApiRequest(req, res) {
+        const apiReq = {
+            server: this,
+            req,
+            res,
+            token: '',
+            tokenData: null,
+            realUid: null,
+            getClientInfo: () => ensureClientInfo(apiReq),
+            getClientIp: () => ensureClientInfo(apiReq).ip,
+            getClientIpChain: () => ensureClientInfo(apiReq).ipchain,
+            getRealUid: () => apiReq.realUid ?? null,
+            isImpersonating: () => {
+                const realUid = apiReq.realUid;
+                const tokenUid = apiReq.tokenData?.uid;
+                if (realUid === null || realUid === undefined) {
+                    return false;
+                }
+                if (tokenUid === null || tokenUid === undefined) {
+                    return false;
+                }
+                return realUid !== tokenUid;
+            }
+        };
+        return apiReq;
+    }
+    expressAuth(auth) {
         return async (req, res, next) => {
-            void next;
-            const apiReq = {
-                server: this,
-                req,
-                res,
-                token: '',
-                tokenData: null,
-                realUid: null,
-                getClientInfo: () => ensureClientInfo(apiReq),
-                getClientIp: () => ensureClientInfo(apiReq).ip,
-                getClientIpChain: () => ensureClientInfo(apiReq).ipchain,
-                getRealUid: () => apiReq.realUid ?? null,
-                isImpersonating: () => {
-                    const realUid = apiReq.realUid;
-                    const tokenUid = apiReq.tokenData?.uid;
-                    if (realUid === null || realUid === undefined) {
-                        return false;
-                    }
-                    if (tokenUid === null || tokenUid === undefined) {
-                        return false;
-                    }
-                    return realUid !== tokenUid;
+            const apiReq = this.createApiRequest(req, res);
+            req.apiReq = apiReq;
+            res.locals.apiReq = apiReq;
+            this.currReq = apiReq;
+            try {
+                if (this.config.hydrateGetBody) {
+                    hydrateGetBody(req);
+                }
+                if (this.config.debug) {
+                    this.dumpRequest(apiReq);
                 }
+                apiReq.tokenData = await this.authenticate(apiReq, auth.type);
+                await this.authorize(apiReq, auth.req);
+                next();
+            }
+            catch (error) {
+                next(error);
+            }
+        };
+    }
+    expressErrorHandler() {
+        return (error, _req, res, next) => {
+            void _req;
+            if (res.headersSent) {
+                next(error);
+                return;
+            }
+            if (error instanceof ApiError || isApiErrorLike(error)) {
+                const apiError = error;
+                const normalizedErrors = apiError.errors && typeof apiError.errors === 'object' && !Array.isArray(apiError.errors)
+                    ? apiError.errors
+                    : {};
+                const errorPayload = {
+                    code: apiError.code,
+                    message: apiError.message,
+                    data: apiError.data ?? null,
+                    errors: normalizedErrors
+                };
+                res.status(apiError.code).json(errorPayload);
+                return;
+            }
+            const errorPayload = {
+                code: 500,
+                message: this.guessExceptionText(error),
+                data: null,
+                errors: {}
             };
+            res.status(500).json(errorPayload);
+        };
+    }
+    handle_request(handler, auth) {
+        return async (req, res, next) => {
+            void next;
+            const apiReq = this.createApiRequest(req, res);
             this.currReq = apiReq;
             try {
                 if (this.config.hydrateGetBody) {

package/dist/cjs/api-server-base.d.ts

@@ -4,10 +4,10 @@
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-import { Application, Request, Response } from 'express';
+import { Application, Request, Response, type ErrorRequestHandler, type RequestHandler } from 'express';
 import { ApiModule } from './api-module.js';
 import { TokenStore, type JwtDecodeResult, type JwtSignResult, type JwtVerifyResult } from './token/base.js';
-import type { ApiAuthClass, ApiKey } from './api-module.js';
+import type { ApiAuthClass, ApiAuthType, ApiKey } from './api-module.js';
 import type { AuthProviderModule } from './auth-api/module.js';
 import type { AuthAdapter, AuthIdentifier } from './auth-api/types.js';
 import type { OAuthStore } from './oauth/base.js';
@@ -47,6 +47,12 @@ export interface ApiRequest {
     getRealUid: () => AuthIdentifier | null;
     isImpersonating: () => boolean;
 }
+export interface ExpressApiRequest extends ExtendedReq {
+    apiReq?: ApiRequest;
+}
+export interface ExpressApiLocals {
+    apiReq?: ApiRequest;
+}
 export interface ClientAgentProfile {
     ua: string;
     browser: string;
@@ -197,6 +203,14 @@ export declare class ApiServer {
     private normalizeAuthIdentifier;
     private extractTokenUserId;
     private resolveRealUserId;
+    useExpress(path: string, ...handlers: Array<RequestHandler | ErrorRequestHandler>): this;
+    useExpress(...handlers: Array<RequestHandler | ErrorRequestHandler>): this;
+    private createApiRequest;
+    expressAuth(auth: {
+        type: ApiAuthType;
+        req: ApiAuthClass;
+    }): RequestHandler;
+    expressErrorHandler(): ErrorRequestHandler;
     private handle_request;
     api<T extends ApiModule<any>>(module: T): this;
     dumpRequest(apiReq: ApiRequest): void;

package/dist/cjs/index.d.ts

@@ -1,7 +1,7 @@
 export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
-export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq } from './api-server-base.js';
+export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq, ExpressApiRequest, ExpressApiLocals } from './api-server-base.js';
 export type { AuthIdentifier } from './auth-api/types.js';
 export type { Token, TokenPair, TokenStatus } from './token/types.js';
 export type { JwtSignResult, JwtVerifyResult, JwtDecodeResult } from './token/base.js';

package/dist/cjs/passkey/service.js

@@ -1,4 +1,37 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PasskeyService = void 0;
 const server_1 = require("@simplewebauthn/server");
@@ -54,6 +87,32 @@ function toBufferOrNull(value) {
     }
     return null;
 }
+async function spkiToCosePublicKey(spki) {
+    try {
+        const subtle = globalThis.crypto?.subtle ?? (await Promise.resolve().then(() => __importStar(require('crypto')))).webcrypto?.subtle;
+        if (!subtle) {
+            return null;
+        }
+        const key = await subtle.importKey('spki', spki, { name: 'ECDSA', namedCurve: 'P-256' }, true, ['verify']);
+        const raw = Buffer.from(await subtle.exportKey('raw', key));
+        if (raw.length !== 65 || raw[0] !== 0x04) {
+            return null;
+        }
+        const x = raw.slice(1, 33);
+        const y = raw.slice(33, 65);
+        const coseMap = new Map([
+            [1, 2], // kty: EC2
+            [3, -7], // alg: ES256
+            [-1, 1], // crv: P-256
+            [-2, x],
+            [-3, y]
+        ]);
+        return Buffer.from(helpers_1.isoCBOR.encode(coseMap));
+    }
+    catch {
+        return null;
+    }
+}
 class PasskeyService {
     constructor(config, adapter, logger = console) {
         this.config = config;
@@ -195,18 +254,44 @@ class PasskeyService {
         const credentialIdFallback = toBufferOrNull(params.response?.id);
         const credentialId = credentialIdPrimary && credentialIdPrimary.length > 0 ? credentialIdPrimary : credentialIdFallback;
         const publicKeyPrimary = toBufferOrNull(registrationInfo.credentialPublicKey);
-        const publicKeyFallback = toBufferOrNull(attestationResponse?.publicKey);
+        let publicKeyFallback = toBufferOrNull(attestationResponse?.publicKey);
+        if ((!publicKeyPrimary || publicKeyPrimary.length === 0) && attestationResponse?.attestationObject) {
+            try {
+                const attObj = (0, helpers_1.decodeAttestationObject)(helpers_1.isoBase64URL.toBuffer(attestationResponse.attestationObject));
+                const parsedAuth = (0, helpers_1.parseAuthenticatorData)(attObj.get('authData'));
+                publicKeyFallback = toBufferOrNull(parsedAuth.credentialPublicKey) ?? publicKeyFallback;
+            }
+            catch (error) {
+                this.logger.warn?.('Passkey registration: failed to parse attestationObject', error);
+            }
+        }
         const publicKey = publicKeyPrimary && publicKeyPrimary.length > 0 ? publicKeyPrimary : publicKeyFallback;
+        if (this.logger?.warn) {
+            const pkPrimaryHex = publicKeyPrimary ? publicKeyPrimary.slice(0, 4).toString('hex') : 'null';
+            const pkFallbackHex = publicKeyFallback ? publicKeyFallback.slice(0, 4).toString('hex') : 'null';
+            this.logger.warn(`Passkey registration: pkPrimary len=${publicKeyPrimary?.length ?? 0} head=${pkPrimaryHex}, pkFallback len=${publicKeyFallback?.length ?? 0} head=${pkFallbackHex}`);
+        }
         if (!credentialId || credentialId.length === 0) {
             return { verified: false, message: 'Missing credential id in registration response' };
         }
         if (!publicKey || publicKey.length === 0) {
             return { verified: false, message: 'Missing public key in registration response' };
         }
+        let storedPublicKey = Buffer.isBuffer(publicKey) ? publicKey : toBuffer(publicKey);
+        // If fallback is an SPKI key (DER, starts with 0x30) convert to COSE so verification succeeds.
+        if (storedPublicKey[0] === 0x30) {
+            const converted = await spkiToCosePublicKey(storedPublicKey);
+            if (converted) {
+                storedPublicKey = converted;
+            }
+            else {
+                this.logger.warn?.('Passkey registration: failed to convert SPKI public key to COSE');
+            }
+        }
         await this.adapter.saveCredential({
             userId: user.id,
             credentialId,
-            publicKey,
+            publicKey: storedPublicKey,
             counter: registrationInfo.counter ?? 0,
             transports: sanitizeTransports(params.response.transports),
             backedUp: registrationInfo.credentialDeviceType === 'multiDevice',
@@ -227,19 +312,22 @@ class PasskeyService {
         }
         const user = await this.requireUser({ userId: credential.userId, login: record.login });
         const storedAuthData = {
-            credentialID: credential.credentialId,
+            id: credential.credentialId,
+            publicKey: toBuffer(credential.publicKey),
+            credentialPublicKey: toBuffer(credential.publicKey),
             counter: credential.counter,
+            transports: credential.transports ?? undefined,
             credentialBackedUp: credential.backedUp,
-            credentialDeviceType: credential.deviceType,
-            credentialPublicKey: credential.publicKey,
-            transports: credential.transports ?? undefined
+            credentialDeviceType: credential.deviceType
+            // simplewebauthn accepts either Uint8Array or Buffer; ensure Buffer
+            // see https://github.com/MasterKale/SimpleWebAuthn/blob/master/packages/server/src/authentication/verifyAuthenticationResponse.ts
         };
         const result = await (0, server_1.verifyAuthenticationResponse)({
             response,
             expectedChallenge: record.challenge,
             expectedOrigin: this.config.origins,
             expectedRPID: this.config.rpId,
-            authenticator: storedAuthData,
+            credential: storedAuthData,
             requireUserVerification: true
         });
         if (!result.verified) {

package/dist/esm/api-server-base.d.ts

@@ -4,10 +4,10 @@
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-import { Application, Request, Response } from 'express';
+import { Application, Request, Response, type ErrorRequestHandler, type RequestHandler } from 'express';
 import { ApiModule } from './api-module.js';
 import { TokenStore, type JwtDecodeResult, type JwtSignResult, type JwtVerifyResult } from './token/base.js';
-import type { ApiAuthClass, ApiKey } from './api-module.js';
+import type { ApiAuthClass, ApiAuthType, ApiKey } from './api-module.js';
 import type { AuthProviderModule } from './auth-api/module.js';
 import type { AuthAdapter, AuthIdentifier } from './auth-api/types.js';
 import type { OAuthStore } from './oauth/base.js';
@@ -47,6 +47,12 @@ export interface ApiRequest {
     getRealUid: () => AuthIdentifier | null;
     isImpersonating: () => boolean;
 }
+export interface ExpressApiRequest extends ExtendedReq {
+    apiReq?: ApiRequest;
+}
+export interface ExpressApiLocals {
+    apiReq?: ApiRequest;
+}
 export interface ClientAgentProfile {
     ua: string;
     browser: string;
@@ -197,6 +203,14 @@ export declare class ApiServer {
     private normalizeAuthIdentifier;
     private extractTokenUserId;
     private resolveRealUserId;
+    useExpress(path: string, ...handlers: Array<RequestHandler | ErrorRequestHandler>): this;
+    useExpress(...handlers: Array<RequestHandler | ErrorRequestHandler>): this;
+    private createApiRequest;
+    expressAuth(auth: {
+        type: ApiAuthType;
+        req: ApiAuthClass;
+    }): RequestHandler;
+    expressErrorHandler(): ErrorRequestHandler;
     private handle_request;
     api<T extends ApiModule<any>>(module: T): this;
     dumpRequest(apiReq: ApiRequest): void;

package/dist/esm/api-server-base.js

@@ -725,7 +725,7 @@ export class ApiServer {
             token = authHeader.slice(7).trim();
         }
         if (!token) {
-            const access = apiReq.req.cookies?.dat;
+            const access = apiReq.req.cookies?.[this.config.accessCookie];
             if (access) {
                 token = access;
             }
@@ -831,32 +831,98 @@ export class ApiServer {
         }
         return rawReal;
     }
-    handle_request(handler, auth) {
+    useExpress(pathOrHandler, ...handlers) {
+        if (typeof pathOrHandler === 'string') {
+            this.app.use(pathOrHandler, ...handlers);
+        }
+        else {
+            this.app.use(pathOrHandler, ...handlers);
+        }
+        this.ensureApiNotFoundOrdering();
+        return this;
+    }
+    createApiRequest(req, res) {
+        const apiReq = {
+            server: this,
+            req,
+            res,
+            token: '',
+            tokenData: null,
+            realUid: null,
+            getClientInfo: () => ensureClientInfo(apiReq),
+            getClientIp: () => ensureClientInfo(apiReq).ip,
+            getClientIpChain: () => ensureClientInfo(apiReq).ipchain,
+            getRealUid: () => apiReq.realUid ?? null,
+            isImpersonating: () => {
+                const realUid = apiReq.realUid;
+                const tokenUid = apiReq.tokenData?.uid;
+                if (realUid === null || realUid === undefined) {
+                    return false;
+                }
+                if (tokenUid === null || tokenUid === undefined) {
+                    return false;
+                }
+                return realUid !== tokenUid;
+            }
+        };
+        return apiReq;
+    }
+    expressAuth(auth) {
         return async (req, res, next) => {
-            void next;
-            const apiReq = {
-                server: this,
-                req,
-                res,
-                token: '',
-                tokenData: null,
-                realUid: null,
-                getClientInfo: () => ensureClientInfo(apiReq),
-                getClientIp: () => ensureClientInfo(apiReq).ip,
-                getClientIpChain: () => ensureClientInfo(apiReq).ipchain,
-                getRealUid: () => apiReq.realUid ?? null,
-                isImpersonating: () => {
-                    const realUid = apiReq.realUid;
-                    const tokenUid = apiReq.tokenData?.uid;
-                    if (realUid === null || realUid === undefined) {
-                        return false;
-                    }
-                    if (tokenUid === null || tokenUid === undefined) {
-                        return false;
-                    }
-                    return realUid !== tokenUid;
+            const apiReq = this.createApiRequest(req, res);
+            req.apiReq = apiReq;
+            res.locals.apiReq = apiReq;
+            this.currReq = apiReq;
+            try {
+                if (this.config.hydrateGetBody) {
+                    hydrateGetBody(req);
+                }
+                if (this.config.debug) {
+                    this.dumpRequest(apiReq);
                 }
+                apiReq.tokenData = await this.authenticate(apiReq, auth.type);
+                await this.authorize(apiReq, auth.req);
+                next();
+            }
+            catch (error) {
+                next(error);
+            }
+        };
+    }
+    expressErrorHandler() {
+        return (error, _req, res, next) => {
+            void _req;
+            if (res.headersSent) {
+                next(error);
+                return;
+            }
+            if (error instanceof ApiError || isApiErrorLike(error)) {
+                const apiError = error;
+                const normalizedErrors = apiError.errors && typeof apiError.errors === 'object' && !Array.isArray(apiError.errors)
+                    ? apiError.errors
+                    : {};
+                const errorPayload = {
+                    code: apiError.code,
+                    message: apiError.message,
+                    data: apiError.data ?? null,
+                    errors: normalizedErrors
+                };
+                res.status(apiError.code).json(errorPayload);
+                return;
+            }
+            const errorPayload = {
+                code: 500,
+                message: this.guessExceptionText(error),
+                data: null,
+                errors: {}
             };
+            res.status(500).json(errorPayload);
+        };
+    }
+    handle_request(handler, auth) {
+        return async (req, res, next) => {
+            void next;
+            const apiReq = this.createApiRequest(req, res);
             this.currReq = apiReq;
             try {
                 if (this.config.hydrateGetBody) {

package/dist/esm/index.d.ts

@@ -1,7 +1,7 @@
 export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
-export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq } from './api-server-base.js';
+export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq, ExpressApiRequest, ExpressApiLocals } from './api-server-base.js';
 export type { AuthIdentifier } from './auth-api/types.js';
 export type { Token, TokenPair, TokenStatus } from './token/types.js';
 export type { JwtSignResult, JwtVerifyResult, JwtDecodeResult } from './token/base.js';

package/dist/esm/passkey/service.js

@@ -1,5 +1,5 @@
 import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse } from '@simplewebauthn/server';
-import { isoBase64URL } from '@simplewebauthn/server/helpers';
+import { isoBase64URL, isoCBOR, decodeAttestationObject, parseAuthenticatorData } from '@simplewebauthn/server/helpers';
 const ALLOWED_TRANSPORTS = [
     'ble',
     'cable',
@@ -51,6 +51,32 @@ function toBufferOrNull(value) {
     }
     return null;
 }
+async function spkiToCosePublicKey(spki) {
+    try {
+        const subtle = globalThis.crypto?.subtle ?? (await import('crypto')).webcrypto?.subtle;
+        if (!subtle) {
+            return null;
+        }
+        const key = await subtle.importKey('spki', spki, { name: 'ECDSA', namedCurve: 'P-256' }, true, ['verify']);
+        const raw = Buffer.from(await subtle.exportKey('raw', key));
+        if (raw.length !== 65 || raw[0] !== 0x04) {
+            return null;
+        }
+        const x = raw.slice(1, 33);
+        const y = raw.slice(33, 65);
+        const coseMap = new Map([
+            [1, 2], // kty: EC2
+            [3, -7], // alg: ES256
+            [-1, 1], // crv: P-256
+            [-2, x],
+            [-3, y]
+        ]);
+        return Buffer.from(isoCBOR.encode(coseMap));
+    }
+    catch {
+        return null;
+    }
+}
 export class PasskeyService {
     constructor(config, adapter, logger = console) {
         this.config = config;
@@ -192,18 +218,44 @@ export class PasskeyService {
         const credentialIdFallback = toBufferOrNull(params.response?.id);
         const credentialId = credentialIdPrimary && credentialIdPrimary.length > 0 ? credentialIdPrimary : credentialIdFallback;
         const publicKeyPrimary = toBufferOrNull(registrationInfo.credentialPublicKey);
-        const publicKeyFallback = toBufferOrNull(attestationResponse?.publicKey);
+        let publicKeyFallback = toBufferOrNull(attestationResponse?.publicKey);
+        if ((!publicKeyPrimary || publicKeyPrimary.length === 0) && attestationResponse?.attestationObject) {
+            try {
+                const attObj = decodeAttestationObject(isoBase64URL.toBuffer(attestationResponse.attestationObject));
+                const parsedAuth = parseAuthenticatorData(attObj.get('authData'));
+                publicKeyFallback = toBufferOrNull(parsedAuth.credentialPublicKey) ?? publicKeyFallback;
+            }
+            catch (error) {
+                this.logger.warn?.('Passkey registration: failed to parse attestationObject', error);
+            }
+        }
         const publicKey = publicKeyPrimary && publicKeyPrimary.length > 0 ? publicKeyPrimary : publicKeyFallback;
+        if (this.logger?.warn) {
+            const pkPrimaryHex = publicKeyPrimary ? publicKeyPrimary.slice(0, 4).toString('hex') : 'null';
+            const pkFallbackHex = publicKeyFallback ? publicKeyFallback.slice(0, 4).toString('hex') : 'null';
+            this.logger.warn(`Passkey registration: pkPrimary len=${publicKeyPrimary?.length ?? 0} head=${pkPrimaryHex}, pkFallback len=${publicKeyFallback?.length ?? 0} head=${pkFallbackHex}`);
+        }
         if (!credentialId || credentialId.length === 0) {
             return { verified: false, message: 'Missing credential id in registration response' };
         }
         if (!publicKey || publicKey.length === 0) {
             return { verified: false, message: 'Missing public key in registration response' };
         }
+        let storedPublicKey = Buffer.isBuffer(publicKey) ? publicKey : toBuffer(publicKey);
+        // If fallback is an SPKI key (DER, starts with 0x30) convert to COSE so verification succeeds.
+        if (storedPublicKey[0] === 0x30) {
+            const converted = await spkiToCosePublicKey(storedPublicKey);
+            if (converted) {
+                storedPublicKey = converted;
+            }
+            else {
+                this.logger.warn?.('Passkey registration: failed to convert SPKI public key to COSE');
+            }
+        }
         await this.adapter.saveCredential({
             userId: user.id,
             credentialId,
-            publicKey,
+            publicKey: storedPublicKey,
             counter: registrationInfo.counter ?? 0,
             transports: sanitizeTransports(params.response.transports),
             backedUp: registrationInfo.credentialDeviceType === 'multiDevice',
@@ -224,19 +276,22 @@ export class PasskeyService {
         }
         const user = await this.requireUser({ userId: credential.userId, login: record.login });
         const storedAuthData = {
-            credentialID: credential.credentialId,
+            id: credential.credentialId,
+            publicKey: toBuffer(credential.publicKey),
+            credentialPublicKey: toBuffer(credential.publicKey),
             counter: credential.counter,
+            transports: credential.transports ?? undefined,
             credentialBackedUp: credential.backedUp,
-            credentialDeviceType: credential.deviceType,
-            credentialPublicKey: credential.publicKey,
-            transports: credential.transports ?? undefined
+            credentialDeviceType: credential.deviceType
+            // simplewebauthn accepts either Uint8Array or Buffer; ensure Buffer
+            // see https://github.com/MasterKale/SimpleWebAuthn/blob/master/packages/server/src/authentication/verifyAuthenticationResponse.ts
         };
         const result = await verifyAuthenticationResponse({
             response,
             expectedChallenge: record.challenge,
             expectedOrigin: this.config.origins,
             expectedRPID: this.config.rpId,
-            authenticator: storedAuthData,
+            credential: storedAuthData,
             requireUserVerification: true
         });
         if (!result.verified) {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@technomoron/api-server-base",
-	"version": "2.0.0-beta.6",
+	"version": "2.0.0-beta.9",
 	"description": "Api Server Skeleton / Base Class",
 	"type": "module",
 	"main": "./dist/cjs/index.cjs",