@thru/passkey 0.2.1

package/dist/index.js

@@ -0,0 +1,850 @@
+// src/register.ts
+import { arrayBufferToBase64Url, bytesToHex } from "@thru/passkey-manager";
+
+// src/capabilities.ts
+var DEBUG = typeof process !== "undefined" && process.env?.NEXT_PUBLIC_PASSKEY_DEBUG === "1";
+var cachedClientCapabilities;
+var clientCapabilitiesPromise = null;
+function isWebAuthnSupported() {
+  const supported = typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined" && typeof navigator.credentials !== "undefined";
+  if (DEBUG) {
+    console.log("[Passkey] WebAuthn support check:", {
+      window: typeof window !== "undefined",
+      PublicKeyCredential: typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined",
+      credentials: typeof window !== "undefined" && typeof navigator !== "undefined" && typeof navigator.credentials !== "undefined",
+      supported
+    });
+  }
+  return supported;
+}
+async function fetchPasskeyClientCapabilities() {
+  if (typeof window === "undefined" || typeof window.PublicKeyCredential === "undefined") {
+    return null;
+  }
+  const getClientCapabilities = window.PublicKeyCredential.getClientCapabilities;
+  if (typeof getClientCapabilities !== "function") {
+    return null;
+  }
+  try {
+    const capabilities = await getClientCapabilities.call(window.PublicKeyCredential);
+    if (DEBUG) {
+      console.log("[Passkey] WebAuthn client capabilities:", capabilities);
+    }
+    return capabilities ?? null;
+  } catch (error) {
+    if (DEBUG) {
+      console.warn("[Passkey] Failed to read client capabilities:", error);
+    }
+    return null;
+  }
+}
+function preloadPasskeyClientCapabilities() {
+  if (cachedClientCapabilities !== void 0 || clientCapabilitiesPromise) {
+    return;
+  }
+  clientCapabilitiesPromise = fetchPasskeyClientCapabilities().then((capabilities) => {
+    cachedClientCapabilities = capabilities;
+    return capabilities;
+  });
+}
+async function getPasskeyClientCapabilities() {
+  if (cachedClientCapabilities !== void 0) {
+    return cachedClientCapabilities;
+  }
+  if (!clientCapabilitiesPromise) {
+    preloadPasskeyClientCapabilities();
+  }
+  if (!clientCapabilitiesPromise) {
+    cachedClientCapabilities = null;
+    return null;
+  }
+  const capabilities = await clientCapabilitiesPromise;
+  cachedClientCapabilities = capabilities;
+  return capabilities;
+}
+function getCachedPasskeyClientCapabilities() {
+  return cachedClientCapabilities;
+}
+function isInIframe() {
+  if (typeof window === "undefined") {
+    return false;
+  }
+  try {
+    return window.self !== window.top;
+  } catch {
+    return true;
+  }
+}
+async function shouldUsePasskeyPopup(action) {
+  if (!isInIframe()) {
+    return false;
+  }
+  const mode = await getPasskeyPromptMode(action);
+  return mode === "popup";
+}
+function getPermissionsPolicyAllowsFeature(feature) {
+  if (typeof document === "undefined") {
+    return null;
+  }
+  const policy = document.permissionsPolicy;
+  const featurePolicy = document.featurePolicy;
+  const allowsFeature = policy?.allowsFeature || featurePolicy?.allowsFeature;
+  if (typeof allowsFeature !== "function") {
+    return null;
+  }
+  try {
+    return allowsFeature(feature);
+  } catch {
+    return null;
+  }
+}
+function getCachedPromptMode(action) {
+  if (!isInIframe()) {
+    return "inline";
+  }
+  if (cachedClientCapabilities === void 0 && !clientCapabilitiesPromise) {
+    preloadPasskeyClientCapabilities();
+  }
+  const feature = action === "create" ? "publickey-credentials-create" : "publickey-credentials-get";
+  const policyAllows = getPermissionsPolicyAllowsFeature(feature);
+  const capabilities = getCachedPasskeyClientCapabilities();
+  const supportsInline = capabilities?.passkeyPlatformAuthenticator === true || capabilities?.userVerifyingPlatformAuthenticator === true;
+  if (policyAllows === false) {
+    return "popup";
+  }
+  if (capabilities === void 0) {
+    return "unknown";
+  }
+  if (!supportsInline) {
+    return "popup";
+  }
+  return "inline";
+}
+async function getPasskeyPromptMode(action) {
+  if (!isInIframe()) {
+    return "inline";
+  }
+  const feature = action === "create" ? "publickey-credentials-create" : "publickey-credentials-get";
+  const policyAllows = getPermissionsPolicyAllowsFeature(feature);
+  const capabilities = await getPasskeyClientCapabilities();
+  const supportsInline = capabilities?.passkeyPlatformAuthenticator === true || capabilities?.userVerifyingPlatformAuthenticator === true;
+  if (DEBUG) {
+    console.log("[Passkey] Prompt mode check:", {
+      action,
+      policyAllows,
+      supportsInline,
+      capabilities
+    });
+  }
+  if (!supportsInline) {
+    return "popup";
+  }
+  if (policyAllows === false) {
+    return "popup";
+  }
+  return "inline";
+}
+function maybePreopenPopup(action, openPopupFn) {
+  const cachedMode = getCachedPromptMode(action);
+  if (cachedMode !== "popup") {
+    return null;
+  }
+  try {
+    return openPopupFn();
+  } catch {
+    return null;
+  }
+}
+function shouldFallbackToPopup(error) {
+  if (!isInIframe()) {
+    return false;
+  }
+  const name = error && typeof error === "object" && "name" in error ? String(error.name) : "";
+  const message = error && typeof error === "object" && "message" in error ? String(error.message) : "";
+  const normalized = `${name} ${message}`.toLowerCase();
+  if (normalized.includes("cancel") || normalized.includes("canceled") || normalized.includes("cancelled") || normalized.includes("user canceled") || normalized.includes("user cancelled") || normalized.includes("aborted")) {
+    return false;
+  }
+  if (normalized.includes("securityerror")) {
+    return true;
+  }
+  if (normalized.includes("notallowederror")) {
+    if (normalized.includes("permission") || normalized.includes("policy") || normalized.includes("iframe") || normalized.includes("frame")) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/popup.ts
+var PASSKEY_POPUP_PATH = "/passkey/popup";
+var PASSKEY_POPUP_READY_EVENT = "thru:passkey-popup-ready";
+var PASSKEY_POPUP_REQUEST_EVENT = "thru:passkey-popup-request";
+var PASSKEY_POPUP_RESPONSE_EVENT = "thru:passkey-popup-response";
+var PASSKEY_POPUP_CHANNEL = "thru:passkey-popup-channel";
+var PASSKEY_POPUP_TIMEOUT_MS = 6e4;
+function closePopup(popup) {
+  if (popup && !popup.closed) {
+    popup.close();
+  }
+}
+function openPasskeyPopupWindow() {
+  const popupUrl = new URL(PASSKEY_POPUP_PATH, window.location.origin).toString();
+  const popup = window.open(
+    popupUrl,
+    "thru_passkey_popup",
+    "popup=yes,width=440,height=640"
+  );
+  if (!popup) {
+    throw new Error("Passkey popup was blocked");
+  }
+  return popup;
+}
+function createPopupRequestId() {
+  const rand = Math.random().toString(36).slice(2, 10);
+  return `passkey_${Date.now()}_${rand}`;
+}
+async function requestPasskeyPopup(action, payload, preopenedPopup) {
+  if (typeof window === "undefined") {
+    throw new Error("Passkey popup is only available in the browser");
+  }
+  const requestId = createPopupRequestId();
+  const targetOrigin = window.location.origin;
+  let popup = preopenedPopup ?? null;
+  const channel = typeof BroadcastChannel !== "undefined" ? new BroadcastChannel(PASSKEY_POPUP_CHANNEL) : null;
+  return new Promise((resolve, reject) => {
+    let timeout = null;
+    let closePoll = null;
+    let requestSent = false;
+    const cleanup = () => {
+      if (timeout) {
+        clearTimeout(timeout);
+        timeout = null;
+      }
+      if (closePoll) {
+        clearInterval(closePoll);
+        closePoll = null;
+      }
+      window.removeEventListener("message", handleMessage);
+      if (channel) {
+        channel.removeEventListener("message", handleChannelMessage);
+        channel.close();
+      }
+    };
+    const sendRequest = (viaChannel) => {
+      if (requestSent) {
+        return;
+      }
+      requestSent = true;
+      const request = {
+        type: PASSKEY_POPUP_REQUEST_EVENT,
+        requestId,
+        action,
+        payload
+      };
+      if (viaChannel) {
+        channel?.postMessage(request);
+        return;
+      }
+      popup?.postMessage(request, targetOrigin);
+    };
+    const handleResponse = (data) => {
+      if (data.requestId !== requestId) {
+        return;
+      }
+      cleanup();
+      if (popup && !popup.closed) {
+        popup.close();
+      }
+      if (data.success) {
+        resolve(data.result);
+      } else {
+        const err = new Error(data.error?.message || "Passkey popup failed");
+        if (data.error?.name) {
+          err.name = data.error.name;
+        }
+        reject(err);
+      }
+    };
+    const handleMessage = (event) => {
+      if (event.origin !== targetOrigin) {
+        return;
+      }
+      const data = event.data;
+      if (!data || typeof data !== "object") {
+        return;
+      }
+      if (data.type === PASSKEY_POPUP_READY_EVENT) {
+        if (popup && event.source !== popup) {
+          return;
+        }
+        sendRequest(false);
+        return;
+      }
+      if (data.type === PASSKEY_POPUP_RESPONSE_EVENT && "requestId" in data) {
+        handleResponse(data);
+      }
+    };
+    window.addEventListener("message", handleMessage);
+    const handleChannelMessage = (event) => {
+      const data = event.data;
+      if (!data || typeof data !== "object") {
+        return;
+      }
+      if (data.type === PASSKEY_POPUP_READY_EVENT) {
+        sendRequest(true);
+        return;
+      }
+      if (data.type === PASSKEY_POPUP_RESPONSE_EVENT && "requestId" in data) {
+        handleResponse(data);
+      }
+    };
+    if (channel) {
+      channel.addEventListener("message", handleChannelMessage);
+    }
+    if (!popup) {
+      try {
+        popup = openPasskeyPopupWindow();
+      } catch (error) {
+        cleanup();
+        reject(error);
+        return;
+      }
+    }
+    timeout = setTimeout(() => {
+      cleanup();
+      try {
+        popup?.close();
+      } catch {
+      }
+      reject(new Error("Passkey popup timed out"));
+    }, PASSKEY_POPUP_TIMEOUT_MS);
+    closePoll = setInterval(() => {
+      if (popup && popup.closed) {
+        cleanup();
+        reject(new Error("Passkey popup was closed"));
+      }
+    }, 250);
+  });
+}
+
+// src/register.ts
+async function registerPasskey(alias, userId, rpId) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  return runWithPromptMode(
+    "create",
+    () => registerPasskeyInline(alias, userId, rpId),
+    (preopenedPopup) => registerPasskeyViaPopup(alias, userId, rpId, preopenedPopup)
+  );
+}
+async function runWithPromptMode(action, inlineFn, popupFn) {
+  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);
+  const promptMode = await getPasskeyPromptMode(action);
+  if (promptMode === "popup") {
+    return popupFn(preopenedPopup);
+  }
+  closePopup(preopenedPopup);
+  try {
+    return await inlineFn();
+  } catch (error) {
+    if (shouldFallbackToPopup(error)) {
+      return popupFn();
+    }
+    throw error;
+  }
+}
+async function registerPasskeyInline(alias, userId, rpId) {
+  const rpName = "Thru Wallet";
+  const userIdBytes = new TextEncoder().encode(userId);
+  const userIdBuffer = userIdBytes.slice(0, 64);
+  const challenge = crypto.getRandomValues(new Uint8Array(32));
+  const createOptions = {
+    challenge,
+    rp: {
+      id: rpId,
+      name: rpName
+    },
+    user: {
+      id: userIdBuffer,
+      name: alias,
+      displayName: alias
+    },
+    pubKeyCredParams: [
+      { type: "public-key", alg: -7 }
+    ],
+    authenticatorSelection: {
+      authenticatorAttachment: "platform",
+      userVerification: "required",
+      residentKey: "required",
+      requireResidentKey: true
+    },
+    attestation: "none",
+    timeout: 6e4
+  };
+  const credential = await navigator.credentials.create({
+    publicKey: createOptions
+  });
+  if (!credential) {
+    throw new Error("Passkey registration was cancelled");
+  }
+  const response = credential.response;
+  const { x, y } = extractP256PublicKey(response);
+  return {
+    credentialId: arrayBufferToBase64Url(credential.rawId),
+    publicKeyX: bytesToHex(x),
+    publicKeyY: bytesToHex(y),
+    rpId
+  };
+}
+async function registerPasskeyViaPopup(alias, userId, rpId, preopenedPopup) {
+  const result = await requestPasskeyPopup(
+    "create",
+    { alias, userId, rpId },
+    preopenedPopup
+  );
+  return result;
+}
+function extractP256PublicKey(response) {
+  if (typeof response.getPublicKey === "function") {
+    const spkiKey = response.getPublicKey();
+    if (spkiKey) {
+      return extractFromSpki(new Uint8Array(spkiKey));
+    }
+  }
+  if (typeof response.getAuthenticatorData === "function") {
+    const authData = new Uint8Array(response.getAuthenticatorData());
+    return extractFromAuthenticatorData(authData);
+  }
+  throw new Error("Unable to extract public key: browser does not support required WebAuthn methods");
+}
+function extractFromSpki(spki) {
+  const pointStart = spki.length - 65;
+  if (spki[pointStart] !== 4) {
+    throw new Error("Invalid SPKI format: expected uncompressed point");
+  }
+  const x = spki.slice(pointStart + 1, pointStart + 33);
+  const y = spki.slice(pointStart + 33, pointStart + 65);
+  if (x.length !== 32 || y.length !== 32) {
+    throw new Error("Invalid SPKI format: incorrect coordinate length");
+  }
+  return { x, y };
+}
+function extractFromAuthenticatorData(authData) {
+  const rpIdHashLength = 32;
+  const flagsLength = 1;
+  const counterLength = 4;
+  const offset = rpIdHashLength + flagsLength + counterLength;
+  const aaguidLength = 16;
+  const credIdLenOffset = offset + aaguidLength;
+  const credIdLength = authData[credIdLenOffset] << 8 | authData[credIdLenOffset + 1];
+  const coseKeyOffset = credIdLenOffset + 2 + credIdLength;
+  const coseKey = authData.slice(coseKeyOffset);
+  return extractFromCoseKey(coseKey);
+}
+function extractFromCoseKey(coseKey) {
+  const mapStart = coseKey[0];
+  if (mapStart !== 165 && mapStart !== 164) {
+    throw new Error("Invalid COSE key format");
+  }
+  let offset = 1;
+  let x = null;
+  let y = null;
+  while (offset < coseKey.length) {
+    const key = coseKey[offset++];
+    const valueType = coseKey[offset++];
+    if (key === 33) {
+      const length = valueType & 31;
+      x = coseKey.slice(offset, offset + length);
+      offset += length;
+      continue;
+    }
+    if (key === 34) {
+      const length = valueType & 31;
+      y = coseKey.slice(offset, offset + length);
+      offset += length;
+      continue;
+    }
+    if (valueType >= 64 && valueType <= 95) {
+      const length = valueType & 31;
+      offset += length;
+      continue;
+    }
+    if (valueType === 1 || valueType === 2 || valueType === 3) {
+      continue;
+    }
+    if (valueType >= 24 && valueType <= 27) {
+      const size = 1 << valueType - 24;
+      offset += size;
+      continue;
+    }
+  }
+  if (!x || !y) {
+    throw new Error("Failed to extract P-256 public key from COSE data");
+  }
+  if (x.length !== 32 || y.length !== 32) {
+    throw new Error("Invalid COSE key: incorrect coordinate length");
+  }
+  return { x, y };
+}
+
+// src/sign.ts
+import {
+  arrayBufferToBase64Url as arrayBufferToBase64Url2,
+  base64UrlToArrayBuffer,
+  bytesToBase64Url,
+  base64UrlToBytes,
+  parseDerSignature,
+  normalizeLowS
+} from "@thru/passkey-manager";
+async function signWithPasskey(credentialId, challenge, rpId) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  return runWithPromptMode2(
+    "get",
+    () => signWithPasskeyInline(credentialId, challenge, rpId),
+    (preopenedPopup) => signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup)
+  );
+}
+async function signWithStoredPasskey(challenge, rpId, preferredPasskey, allPasskeys, context) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const preopenedPopup = maybePreopenPopup("get", openPasskeyPopupWindow);
+  const promptMode = await getPasskeyPromptMode("get");
+  const storedPasskey = preferredPasskey;
+  const canUsePopup = isInIframe();
+  if (promptMode === "popup" || canUsePopup && !storedPasskey) {
+    return requestStoredPasskeyPopup(challenge, preopenedPopup, context);
+  }
+  closePopup(preopenedPopup);
+  try {
+    if (storedPasskey) {
+      const result = await signWithPasskeyInline(
+        storedPasskey.credentialId,
+        challenge,
+        storedPasskey.rpId
+      );
+      return {
+        ...result,
+        passkey: storedPasskey
+      };
+    }
+    const discoverable = await signWithDiscoverablePasskey(challenge, rpId);
+    const matchingPasskey = allPasskeys.find((p) => p.credentialId === discoverable.credentialId) ?? null;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const passkey = matchingPasskey ?? {
+      credentialId: discoverable.credentialId,
+      publicKeyX: "",
+      publicKeyY: "",
+      rpId: discoverable.rpId,
+      createdAt: now,
+      lastUsedAt: now
+    };
+    return {
+      signature: discoverable.signature,
+      authenticatorData: discoverable.authenticatorData,
+      clientDataJSON: discoverable.clientDataJSON,
+      signatureR: discoverable.signatureR,
+      signatureS: discoverable.signatureS,
+      passkey
+    };
+  } catch (error) {
+    if (canUsePopup && shouldFallbackToPopup(error)) {
+      return requestStoredPasskeyPopup(challenge, void 0, context);
+    }
+    throw error;
+  }
+}
+async function signWithDiscoverablePasskey(challenge, rpId) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const resolvedRpId = rpId;
+  const result = await signWithPasskeyAssertion(challenge, resolvedRpId);
+  return {
+    signature: result.signature,
+    authenticatorData: result.authenticatorData,
+    clientDataJSON: result.clientDataJSON,
+    signatureR: result.signatureR,
+    signatureS: result.signatureS,
+    credentialId: result.credentialId,
+    rpId: resolvedRpId
+  };
+}
+async function runWithPromptMode2(action, inlineFn, popupFn) {
+  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);
+  const promptMode = await getPasskeyPromptMode(action);
+  if (promptMode === "popup") {
+    return popupFn(preopenedPopup);
+  }
+  closePopup(preopenedPopup);
+  try {
+    return await inlineFn();
+  } catch (error) {
+    if (shouldFallbackToPopup(error)) {
+      return popupFn();
+    }
+    throw error;
+  }
+}
+async function signWithPasskeyInline(credentialId, challenge, rpId) {
+  const result = await signWithPasskeyAssertion(challenge, rpId, credentialId);
+  return {
+    signature: result.signature,
+    authenticatorData: result.authenticatorData,
+    clientDataJSON: result.clientDataJSON,
+    signatureR: result.signatureR,
+    signatureS: result.signatureS
+  };
+}
+async function signWithPasskeyAssertion(challenge, rpId, credentialId) {
+  const challengeBytes = new Uint8Array(challenge);
+  const getOptions = {
+    challenge: challengeBytes,
+    rpId,
+    userVerification: "required",
+    timeout: 6e4
+  };
+  if (credentialId) {
+    const credentialIdBuffer = base64UrlToArrayBuffer(credentialId);
+    getOptions.allowCredentials = [
+      {
+        type: "public-key",
+        id: credentialIdBuffer,
+        transports: ["internal", "hybrid", "usb", "ble", "nfc"]
+      }
+    ];
+  }
+  const assertion = await navigator.credentials.get({
+    publicKey: getOptions
+  });
+  if (!assertion) {
+    throw new Error("Passkey authentication was cancelled");
+  }
+  const response = assertion.response;
+  const signature = new Uint8Array(response.signature);
+  let { r, s } = parseDerSignature(signature);
+  s = normalizeLowS(s);
+  return {
+    signature: new Uint8Array([...r, ...s]),
+    authenticatorData: new Uint8Array(response.authenticatorData),
+    clientDataJSON: new Uint8Array(response.clientDataJSON),
+    signatureR: r,
+    signatureS: s,
+    credentialId: arrayBufferToBase64Url2(assertion.rawId)
+  };
+}
+async function signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup) {
+  const result = await requestPasskeyPopup(
+    "get",
+    {
+      credentialId,
+      challengeBase64Url: bytesToBase64Url(challenge),
+      rpId
+    },
+    preopenedPopup
+  );
+  return decodePopupSigningResult(result);
+}
+async function requestStoredPasskeyPopup(challenge, preopenedPopup, context) {
+  const result = await requestPasskeyPopup(
+    "getStored",
+    {
+      challengeBase64Url: bytesToBase64Url(challenge),
+      context
+    },
+    preopenedPopup
+  );
+  return decodePopupStoredSigningResult(result);
+}
+function decodePopupSigningResult(result) {
+  return {
+    signature: base64UrlToBytes(result.signatureBase64Url),
+    authenticatorData: base64UrlToBytes(result.authenticatorDataBase64Url),
+    clientDataJSON: base64UrlToBytes(result.clientDataJSONBase64Url),
+    signatureR: base64UrlToBytes(result.signatureRBase64Url),
+    signatureS: base64UrlToBytes(result.signatureSBase64Url)
+  };
+}
+function decodePopupStoredSigningResult(result) {
+  return {
+    ...decodePopupSigningResult(result),
+    passkey: result.passkey,
+    accounts: result.accounts
+  };
+}
+
+// src/index.ts
+import {
+  parseDerSignature as parseDerSignature2,
+  normalizeLowS as normalizeLowS2,
+  normalizeSignatureComponent,
+  P256_N,
+  P256_HALF_N,
+  bytesToBigIntBE,
+  bigIntToBytesBE
+} from "@thru/passkey-manager";
+import {
+  arrayBufferToBase64Url as arrayBufferToBase64Url3,
+  base64UrlToArrayBuffer as base64UrlToArrayBuffer2,
+  bytesToBase64Url as bytesToBase64Url3,
+  base64UrlToBytes as base64UrlToBytes3,
+  bytesToHex as bytesToHex2,
+  hexToBytes,
+  bytesEqual,
+  compareBytes,
+  uniqueAccounts
+} from "@thru/passkey-manager";
+
+// src/popup-service.ts
+import { bytesToBase64Url as bytesToBase64Url2, base64UrlToBytes as base64UrlToBytes2 } from "@thru/passkey-manager";
+function toPopupSigningResult(result) {
+  return {
+    signatureBase64Url: bytesToBase64Url2(result.signature),
+    authenticatorDataBase64Url: bytesToBase64Url2(result.authenticatorData),
+    clientDataJSONBase64Url: bytesToBase64Url2(result.clientDataJSON),
+    signatureRBase64Url: bytesToBase64Url2(result.signatureR),
+    signatureSBase64Url: bytesToBase64Url2(result.signatureS)
+  };
+}
+function buildSuccessResponse(requestId, action, result) {
+  return {
+    type: PASSKEY_POPUP_RESPONSE_EVENT,
+    requestId,
+    action,
+    success: true,
+    result
+  };
+}
+function decodeChallenge(base64Url) {
+  return base64UrlToBytes2(base64Url);
+}
+function getPopupDisplayInfo(context) {
+  const name = context?.appName || context?.origin || "A dApp";
+  const url = context?.appUrl || context?.origin;
+  const logoText = name.charAt(0).toUpperCase() || "A";
+  return {
+    name,
+    url,
+    imageUrl: context?.imageUrl,
+    logoText
+  };
+}
+function getResponseError(action, error) {
+  const { name, message } = normalizeError(error);
+  const actionLabel = `Popup ${action}`;
+  const messageText = message || "Passkey popup failed";
+  const detailedMessage = messageText.includes("Popup") ? messageText : `${actionLabel}: ${messageText}`;
+  return {
+    name,
+    message: detailedMessage
+  };
+}
+async function signWithPreferredPasskey(preferredPasskey, challenge, log) {
+  const resolvedRpId = preferredPasskey?.rpId ?? window.location.hostname;
+  if (preferredPasskey?.credentialId && preferredPasskey.rpId) {
+    try {
+      const storedResult = await signWithPasskey(
+        preferredPasskey.credentialId,
+        challenge,
+        preferredPasskey.rpId
+      );
+      return {
+        result: storedResult,
+        credentialId: preferredPasskey.credentialId,
+        rpId: preferredPasskey.rpId
+      };
+    } catch (error) {
+      if (!shouldFallbackToDiscoverable(error)) {
+        throw error;
+      }
+      if (log) {
+        log("stored passkey failed; falling back to discoverable prompt");
+      }
+    }
+  }
+  const discovered = await signWithDiscoverablePasskey(challenge, resolvedRpId);
+  return {
+    result: discovered,
+    credentialId: discovered.credentialId,
+    rpId: resolvedRpId
+  };
+}
+function buildStoredPasskeyResult(signed, preferredPasskey, profiles, accounts) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const matchingPasskey = profiles.find((profile) => profile.passkey?.credentialId === signed.credentialId)?.passkey ?? null;
+  const passkey = matchingPasskey ?? {
+    credentialId: signed.credentialId,
+    publicKeyX: "",
+    publicKeyY: "",
+    rpId: signed.rpId,
+    label: preferredPasskey?.label,
+    createdAt: now,
+    lastUsedAt: now
+  };
+  return {
+    ...toPopupSigningResult(signed.result),
+    passkey: matchingPasskey ? { ...passkey, lastUsedAt: now } : passkey,
+    accounts
+  };
+}
+function normalizeError(error) {
+  const name = error && typeof error === "object" && "name" in error ? String(error.name) : "";
+  const message = error && typeof error === "object" && "message" in error ? String(error.message) : "";
+  return {
+    name,
+    message,
+    normalized: `${name} ${message}`.toLowerCase()
+  };
+}
+function shouldFallbackToDiscoverable(error) {
+  const normalized = normalizeError(error).normalized;
+  return normalized.includes("notfounderror") || normalized.includes("notallowederror") || normalized.includes("securityerror");
+}
+export {
+  P256_HALF_N,
+  P256_N,
+  PASSKEY_POPUP_CHANNEL,
+  PASSKEY_POPUP_PATH,
+  PASSKEY_POPUP_READY_EVENT,
+  PASSKEY_POPUP_REQUEST_EVENT,
+  PASSKEY_POPUP_RESPONSE_EVENT,
+  arrayBufferToBase64Url3 as arrayBufferToBase64Url,
+  base64UrlToArrayBuffer2 as base64UrlToArrayBuffer,
+  base64UrlToBytes3 as base64UrlToBytes,
+  bigIntToBytesBE,
+  buildStoredPasskeyResult,
+  buildSuccessResponse,
+  bytesEqual,
+  bytesToBase64Url3 as bytesToBase64Url,
+  bytesToBigIntBE,
+  bytesToHex2 as bytesToHex,
+  closePopup,
+  compareBytes,
+  decodeChallenge,
+  getCachedPasskeyClientCapabilities,
+  getPasskeyClientCapabilities,
+  getPopupDisplayInfo,
+  getResponseError,
+  hexToBytes,
+  isInIframe,
+  isWebAuthnSupported,
+  normalizeLowS2 as normalizeLowS,
+  normalizeSignatureComponent,
+  openPasskeyPopupWindow,
+  parseDerSignature2 as parseDerSignature,
+  preloadPasskeyClientCapabilities,
+  registerPasskey,
+  requestPasskeyPopup,
+  shouldUsePasskeyPopup,
+  signWithDiscoverablePasskey,
+  signWithPasskey,
+  signWithPreferredPasskey,
+  signWithStoredPasskey,
+  toPopupSigningResult,
+  uniqueAccounts
+};
+//# sourceMappingURL=index.js.map