@thru/passkey 0.2.1

package/src/popup.ts

@@ -0,0 +1,192 @@
+import type {
+  PasskeyPopupAction,
+  PasskeyPopupRequestPayload,
+  PasskeyPopupRequest,
+  PasskeyPopupResponse,
+} from './types';
+
+export const PASSKEY_POPUP_PATH = '/passkey/popup';
+export const PASSKEY_POPUP_READY_EVENT = 'thru:passkey-popup-ready';
+export const PASSKEY_POPUP_REQUEST_EVENT = 'thru:passkey-popup-request';
+export const PASSKEY_POPUP_RESPONSE_EVENT = 'thru:passkey-popup-response';
+export const PASSKEY_POPUP_CHANNEL = 'thru:passkey-popup-channel';
+
+const PASSKEY_POPUP_TIMEOUT_MS = 60000;
+
+export function closePopup(popup: Window | null | undefined): void {
+  if (popup && !popup.closed) {
+    popup.close();
+  }
+}
+
+export function openPasskeyPopupWindow(): Window {
+  const popupUrl = new URL(PASSKEY_POPUP_PATH, window.location.origin).toString();
+  const popup = window.open(
+    popupUrl,
+    'thru_passkey_popup',
+    'popup=yes,width=440,height=640'
+  );
+
+  if (!popup) {
+    throw new Error('Passkey popup was blocked');
+  }
+
+  return popup;
+}
+
+function createPopupRequestId(): string {
+  const rand = Math.random().toString(36).slice(2, 10);
+  return `passkey_${Date.now()}_${rand}`;
+}
+
+export async function requestPasskeyPopup<T>(
+  action: PasskeyPopupAction,
+  payload: PasskeyPopupRequestPayload,
+  preopenedPopup?: Window | null
+): Promise<T> {
+  if (typeof window === 'undefined') {
+    throw new Error('Passkey popup is only available in the browser');
+  }
+
+  const requestId = createPopupRequestId();
+  const targetOrigin = window.location.origin;
+  let popup: Window | null = preopenedPopup ?? null;
+  const channel =
+    typeof BroadcastChannel !== 'undefined' ? new BroadcastChannel(PASSKEY_POPUP_CHANNEL) : null;
+
+  return new Promise<T>((resolve, reject) => {
+    let timeout: ReturnType<typeof setTimeout> | null = null;
+    let closePoll: ReturnType<typeof setInterval> | null = null;
+    let requestSent = false;
+
+    const cleanup = () => {
+      if (timeout) {
+        clearTimeout(timeout);
+        timeout = null;
+      }
+      if (closePoll) {
+        clearInterval(closePoll);
+        closePoll = null;
+      }
+      window.removeEventListener('message', handleMessage);
+      if (channel) {
+        channel.removeEventListener('message', handleChannelMessage);
+        channel.close();
+      }
+    };
+
+    const sendRequest = (viaChannel: boolean) => {
+      if (requestSent) {
+        return;
+      }
+      requestSent = true;
+
+      const request: PasskeyPopupRequest = {
+        type: PASSKEY_POPUP_REQUEST_EVENT,
+        requestId,
+        action,
+        payload,
+      };
+
+      if (viaChannel) {
+        channel?.postMessage(request);
+        return;
+      }
+
+      popup?.postMessage(request, targetOrigin);
+    };
+
+    const handleResponse = (data: PasskeyPopupResponse) => {
+      if (data.requestId !== requestId) {
+        return;
+      }
+
+      cleanup();
+      if (popup && !popup.closed) {
+        popup.close();
+      }
+
+      if (data.success) {
+        resolve((data as Extract<PasskeyPopupResponse, { success: true }>).result as T);
+      } else {
+        const err = new Error(data.error?.message || 'Passkey popup failed');
+        if (data.error?.name) {
+          (err as { name?: string }).name = data.error.name;
+        }
+        reject(err);
+      }
+    };
+
+    const handleMessage = (event: MessageEvent) => {
+      if (event.origin !== targetOrigin) {
+        return;
+      }
+
+      const data = event.data as PasskeyPopupResponse | { type?: string };
+      if (!data || typeof data !== 'object') {
+        return;
+      }
+
+      if (data.type === PASSKEY_POPUP_READY_EVENT) {
+        if (popup && event.source !== popup) {
+          return;
+        }
+        sendRequest(false);
+        return;
+      }
+
+      if (data.type === PASSKEY_POPUP_RESPONSE_EVENT && 'requestId' in data) {
+        handleResponse(data as PasskeyPopupResponse);
+      }
+    };
+
+    window.addEventListener('message', handleMessage);
+
+    const handleChannelMessage = (event: MessageEvent) => {
+      const data = event.data as PasskeyPopupResponse | { type?: string };
+      if (!data || typeof data !== 'object') {
+        return;
+      }
+
+      if (data.type === PASSKEY_POPUP_READY_EVENT) {
+        sendRequest(true);
+        return;
+      }
+
+      if (data.type === PASSKEY_POPUP_RESPONSE_EVENT && 'requestId' in data) {
+        handleResponse(data as PasskeyPopupResponse);
+      }
+    };
+
+    if (channel) {
+      channel.addEventListener('message', handleChannelMessage);
+    }
+
+    if (!popup) {
+      try {
+        popup = openPasskeyPopupWindow();
+      } catch (error) {
+        cleanup();
+        reject(error);
+        return;
+      }
+    }
+
+    timeout = setTimeout(() => {
+      cleanup();
+      try {
+        popup?.close();
+      } catch {
+        /* ignore */
+      }
+      reject(new Error('Passkey popup timed out'));
+    }, PASSKEY_POPUP_TIMEOUT_MS);
+
+    closePoll = setInterval(() => {
+      if (popup && popup.closed) {
+        cleanup();
+        reject(new Error('Passkey popup was closed'));
+      }
+    }, 250);
+  });
+}

package/src/register.ts

@@ -0,0 +1,228 @@
+import type { PasskeyRegistrationResult, PasskeyPopupRegistrationResult } from './types';
+import { arrayBufferToBase64Url, bytesToHex } from '@thru/passkey-manager';
+import {
+  isWebAuthnSupported,
+  getPasskeyPromptMode,
+  maybePreopenPopup,
+  shouldFallbackToPopup,
+  type PasskeyPromptAction,
+} from './capabilities';
+import { requestPasskeyPopup, openPasskeyPopupWindow, closePopup } from './popup';
+
+/**
+ * Register a new passkey for a profile.
+ */
+export async function registerPasskey(
+  alias: string,
+  userId: string,
+  rpId: string
+): Promise<PasskeyRegistrationResult> {
+  if (!isWebAuthnSupported()) {
+    throw new Error('WebAuthn is not supported in this browser');
+  }
+
+  return runWithPromptMode(
+    'create',
+    () => registerPasskeyInline(alias, userId, rpId),
+    (preopenedPopup) => registerPasskeyViaPopup(alias, userId, rpId, preopenedPopup)
+  );
+}
+
+async function runWithPromptMode<T>(
+  action: PasskeyPromptAction,
+  inlineFn: () => Promise<T>,
+  popupFn: (preopenedPopup?: Window | null) => Promise<T>
+): Promise<T> {
+  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);
+  const promptMode = await getPasskeyPromptMode(action);
+  if (promptMode === 'popup') {
+    return popupFn(preopenedPopup);
+  }
+
+  closePopup(preopenedPopup);
+
+  try {
+    return await inlineFn();
+  } catch (error) {
+    if (shouldFallbackToPopup(error)) {
+      return popupFn();
+    }
+    throw error;
+  }
+}
+
+async function registerPasskeyInline(
+  alias: string,
+  userId: string,
+  rpId: string
+): Promise<PasskeyRegistrationResult> {
+  const rpName = 'Thru Wallet';
+
+  const userIdBytes = new TextEncoder().encode(userId);
+  const userIdBuffer = userIdBytes.slice(0, 64);
+
+  const challenge = crypto.getRandomValues(new Uint8Array(32));
+
+  const createOptions: PublicKeyCredentialCreationOptions = {
+    challenge,
+    rp: {
+      id: rpId,
+      name: rpName,
+    },
+    user: {
+      id: userIdBuffer,
+      name: alias,
+      displayName: alias,
+    },
+    pubKeyCredParams: [
+      { type: 'public-key', alg: -7 },
+    ],
+    authenticatorSelection: {
+      authenticatorAttachment: 'platform',
+      userVerification: 'required',
+      residentKey: 'required',
+      requireResidentKey: true,
+    },
+    attestation: 'none',
+    timeout: 60000,
+  };
+
+  const credential = (await navigator.credentials.create({
+    publicKey: createOptions,
+  })) as PublicKeyCredential | null;
+
+  if (!credential) {
+    throw new Error('Passkey registration was cancelled');
+  }
+
+  const response = credential.response as AuthenticatorAttestationResponse;
+  const { x, y } = extractP256PublicKey(response);
+
+  return {
+    credentialId: arrayBufferToBase64Url(credential.rawId),
+    publicKeyX: bytesToHex(x),
+    publicKeyY: bytesToHex(y),
+    rpId,
+  };
+}
+
+async function registerPasskeyViaPopup(
+  alias: string,
+  userId: string,
+  rpId: string,
+  preopenedPopup?: Window | null
+): Promise<PasskeyRegistrationResult> {
+  const result = await requestPasskeyPopup<PasskeyPopupRegistrationResult>(
+    'create',
+    { alias, userId, rpId },
+    preopenedPopup
+  );
+  return result;
+}
+
+// Key extraction helpers
+
+function extractP256PublicKey(
+  response: AuthenticatorAttestationResponse
+): { x: Uint8Array; y: Uint8Array } {
+  if (typeof response.getPublicKey === 'function') {
+    const spkiKey = response.getPublicKey();
+    if (spkiKey) {
+      return extractFromSpki(new Uint8Array(spkiKey));
+    }
+  }
+
+  if (typeof response.getAuthenticatorData === 'function') {
+    const authData = new Uint8Array(response.getAuthenticatorData());
+    return extractFromAuthenticatorData(authData);
+  }
+
+  throw new Error('Unable to extract public key: browser does not support required WebAuthn methods');
+}
+
+function extractFromSpki(spki: Uint8Array): { x: Uint8Array; y: Uint8Array } {
+  const pointStart = spki.length - 65;
+
+  if (spki[pointStart] !== 0x04) {
+    throw new Error('Invalid SPKI format: expected uncompressed point');
+  }
+
+  const x = spki.slice(pointStart + 1, pointStart + 33);
+  const y = spki.slice(pointStart + 33, pointStart + 65);
+
+  if (x.length !== 32 || y.length !== 32) {
+    throw new Error('Invalid SPKI format: incorrect coordinate length');
+  }
+
+  return { x, y };
+}
+
+function extractFromAuthenticatorData(authData: Uint8Array): { x: Uint8Array; y: Uint8Array } {
+  const rpIdHashLength = 32;
+  const flagsLength = 1;
+  const counterLength = 4;
+  const offset = rpIdHashLength + flagsLength + counterLength;
+  const aaguidLength = 16;
+  const credIdLenOffset = offset + aaguidLength;
+  const credIdLength = (authData[credIdLenOffset] << 8) | authData[credIdLenOffset + 1];
+  const coseKeyOffset = credIdLenOffset + 2 + credIdLength;
+  const coseKey = authData.slice(coseKeyOffset);
+
+  return extractFromCoseKey(coseKey);
+}
+
+function extractFromCoseKey(coseKey: Uint8Array): { x: Uint8Array; y: Uint8Array } {
+  const mapStart = coseKey[0];
+  if (mapStart !== 0xa5 && mapStart !== 0xa4) {
+    throw new Error('Invalid COSE key format');
+  }
+
+  let offset = 1;
+  let x: Uint8Array | null = null;
+  let y: Uint8Array | null = null;
+
+  while (offset < coseKey.length) {
+    const key = coseKey[offset++];
+    const valueType = coseKey[offset++];
+
+    if (key === 0x21) {
+      const length = valueType & 0x1f;
+      x = coseKey.slice(offset, offset + length);
+      offset += length;
+      continue;
+    }
+
+    if (key === 0x22) {
+      const length = valueType & 0x1f;
+      y = coseKey.slice(offset, offset + length);
+      offset += length;
+      continue;
+    }
+
+    if (valueType >= 0x40 && valueType <= 0x5f) {
+      const length = valueType & 0x1f;
+      offset += length;
+      continue;
+    }
+
+    if (valueType === 0x01 || valueType === 0x02 || valueType === 0x03) {
+      continue;
+    }
+
+    if (valueType >= 0x18 && valueType <= 0x1b) {
+      const size = 1 << (valueType - 0x18);
+      offset += size;
+      continue;
+    }
+  }
+
+  if (!x || !y) {
+    throw new Error('Failed to extract P-256 public key from COSE data');
+  }
+
+  if (x.length !== 32 || y.length !== 32) {
+    throw new Error('Invalid COSE key: incorrect coordinate length');
+  }
+
+  return { x, y };
+}

package/src/sign.ts

@@ -0,0 +1,280 @@
+import type {
+  PasskeySigningResult,
+  PasskeyStoredSigningResult,
+  PasskeyDiscoverableSigningResult,
+  PasskeyMetadata,
+  PasskeyPopupContext,
+  PasskeyPopupSigningResult,
+  PasskeyPopupStoredSigningResult,
+} from './types';
+import {
+  arrayBufferToBase64Url,
+  base64UrlToArrayBuffer,
+  bytesToBase64Url,
+  base64UrlToBytes,
+  parseDerSignature,
+  normalizeLowS,
+} from '@thru/passkey-manager';
+import {
+  isWebAuthnSupported,
+  getPasskeyPromptMode,
+  isInIframe,
+  maybePreopenPopup,
+  shouldFallbackToPopup,
+  type PasskeyPromptAction,
+} from './capabilities';
+import { requestPasskeyPopup, openPasskeyPopupWindow, closePopup } from './popup';
+
+/**
+ * Sign a challenge with an existing passkey (by credential ID).
+ */
+export async function signWithPasskey(
+  credentialId: string,
+  challenge: Uint8Array,
+  rpId: string
+): Promise<PasskeySigningResult> {
+  if (!isWebAuthnSupported()) {
+    throw new Error('WebAuthn is not supported in this browser');
+  }
+
+  return runWithPromptMode(
+    'get',
+    () => signWithPasskeyInline(credentialId, challenge, rpId),
+    (preopenedPopup) => signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup)
+  );
+}
+
+/**
+ * Sign with stored passkey (for embedded/popup contexts).
+ */
+export async function signWithStoredPasskey(
+  challenge: Uint8Array,
+  rpId: string,
+  preferredPasskey: PasskeyMetadata | null,
+  allPasskeys: PasskeyMetadata[],
+  context?: PasskeyPopupContext
+): Promise<PasskeyStoredSigningResult> {
+  if (!isWebAuthnSupported()) {
+    throw new Error('WebAuthn is not supported in this browser');
+  }
+
+  const preopenedPopup = maybePreopenPopup('get', openPasskeyPopupWindow);
+  const promptMode = await getPasskeyPromptMode('get');
+  const storedPasskey = preferredPasskey;
+  const canUsePopup = isInIframe();
+
+  if (promptMode === 'popup' || (canUsePopup && !storedPasskey)) {
+    return requestStoredPasskeyPopup(challenge, preopenedPopup, context);
+  }
+
+  closePopup(preopenedPopup);
+
+  try {
+    if (storedPasskey) {
+      const result = await signWithPasskeyInline(
+        storedPasskey.credentialId,
+        challenge,
+        storedPasskey.rpId
+      );
+      return {
+        ...result,
+        passkey: storedPasskey,
+      };
+    }
+
+    const discoverable = await signWithDiscoverablePasskey(challenge, rpId);
+    const matchingPasskey = allPasskeys.find(p => p.credentialId === discoverable.credentialId) ?? null;
+    const now = new Date().toISOString();
+    const passkey = matchingPasskey ?? {
+      credentialId: discoverable.credentialId,
+      publicKeyX: '',
+      publicKeyY: '',
+      rpId: discoverable.rpId,
+      createdAt: now,
+      lastUsedAt: now,
+    };
+
+    return {
+      signature: discoverable.signature,
+      authenticatorData: discoverable.authenticatorData,
+      clientDataJSON: discoverable.clientDataJSON,
+      signatureR: discoverable.signatureR,
+      signatureS: discoverable.signatureS,
+      passkey,
+    };
+  } catch (error) {
+    if (canUsePopup && shouldFallbackToPopup(error)) {
+      return requestStoredPasskeyPopup(challenge, undefined, context);
+    }
+
+    throw error;
+  }
+}
+
+/**
+ * Sign with a discoverable passkey (no credential ID - browser prompts user to select).
+ */
+export async function signWithDiscoverablePasskey(
+  challenge: Uint8Array,
+  rpId: string
+): Promise<PasskeyDiscoverableSigningResult> {
+  if (!isWebAuthnSupported()) {
+    throw new Error('WebAuthn is not supported in this browser');
+  }
+
+  const resolvedRpId = rpId;
+  const result = await signWithPasskeyAssertion(challenge, resolvedRpId);
+
+  return {
+    signature: result.signature,
+    authenticatorData: result.authenticatorData,
+    clientDataJSON: result.clientDataJSON,
+    signatureR: result.signatureR,
+    signatureS: result.signatureS,
+    credentialId: result.credentialId,
+    rpId: resolvedRpId,
+  };
+}
+
+// Internal helpers
+
+async function runWithPromptMode<T>(
+  action: PasskeyPromptAction,
+  inlineFn: () => Promise<T>,
+  popupFn: (preopenedPopup?: Window | null) => Promise<T>
+): Promise<T> {
+  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);
+  const promptMode = await getPasskeyPromptMode(action);
+  if (promptMode === 'popup') {
+    return popupFn(preopenedPopup);
+  }
+
+  closePopup(preopenedPopup);
+
+  try {
+    return await inlineFn();
+  } catch (error) {
+    if (shouldFallbackToPopup(error)) {
+      return popupFn();
+    }
+    throw error;
+  }
+}
+
+async function signWithPasskeyInline(
+  credentialId: string,
+  challenge: Uint8Array,
+  rpId: string
+): Promise<PasskeySigningResult> {
+  const result = await signWithPasskeyAssertion(challenge, rpId, credentialId);
+  return {
+    signature: result.signature,
+    authenticatorData: result.authenticatorData,
+    clientDataJSON: result.clientDataJSON,
+    signatureR: result.signatureR,
+    signatureS: result.signatureS,
+  };
+}
+
+async function signWithPasskeyAssertion(
+  challenge: Uint8Array,
+  rpId: string,
+  credentialId?: string
+): Promise<PasskeySigningResult & { credentialId: string }> {
+  const challengeBytes = new Uint8Array(challenge);
+  const getOptions: PublicKeyCredentialRequestOptions = {
+    challenge: challengeBytes,
+    rpId,
+    userVerification: 'required',
+    timeout: 60000,
+  };
+
+  if (credentialId) {
+    const credentialIdBuffer = base64UrlToArrayBuffer(credentialId);
+    getOptions.allowCredentials = [
+      {
+        type: 'public-key',
+        id: credentialIdBuffer,
+        transports: ['internal', 'hybrid', 'usb', 'ble', 'nfc'],
+      },
+    ];
+  }
+
+  const assertion = (await navigator.credentials.get({
+    publicKey: getOptions,
+  })) as PublicKeyCredential | null;
+
+  if (!assertion) {
+    throw new Error('Passkey authentication was cancelled');
+  }
+
+  const response = assertion.response as AuthenticatorAssertionResponse;
+
+  const signature = new Uint8Array(response.signature);
+  let { r, s } = parseDerSignature(signature);
+  s = normalizeLowS(s);
+
+  return {
+    signature: new Uint8Array([...r, ...s]),
+    authenticatorData: new Uint8Array(response.authenticatorData),
+    clientDataJSON: new Uint8Array(response.clientDataJSON),
+    signatureR: r,
+    signatureS: s,
+    credentialId: arrayBufferToBase64Url(assertion.rawId),
+  };
+}
+
+async function signWithPasskeyViaPopup(
+  credentialId: string,
+  challenge: Uint8Array,
+  rpId: string,
+  preopenedPopup?: Window | null
+): Promise<PasskeySigningResult> {
+  const result = await requestPasskeyPopup<PasskeyPopupSigningResult>(
+    'get',
+    {
+      credentialId,
+      challengeBase64Url: bytesToBase64Url(challenge),
+      rpId,
+    },
+    preopenedPopup
+  );
+
+  return decodePopupSigningResult(result);
+}
+
+async function requestStoredPasskeyPopup(
+  challenge: Uint8Array,
+  preopenedPopup?: Window | null,
+  context?: PasskeyPopupContext
+): Promise<PasskeyStoredSigningResult> {
+  const result = await requestPasskeyPopup<PasskeyPopupStoredSigningResult>(
+    'getStored',
+    {
+      challengeBase64Url: bytesToBase64Url(challenge),
+      context,
+    },
+    preopenedPopup
+  );
+  return decodePopupStoredSigningResult(result);
+}
+
+function decodePopupSigningResult(result: PasskeyPopupSigningResult): PasskeySigningResult {
+  return {
+    signature: base64UrlToBytes(result.signatureBase64Url),
+    authenticatorData: base64UrlToBytes(result.authenticatorDataBase64Url),
+    clientDataJSON: base64UrlToBytes(result.clientDataJSONBase64Url),
+    signatureR: base64UrlToBytes(result.signatureRBase64Url),
+    signatureS: base64UrlToBytes(result.signatureSBase64Url),
+  };
+}
+
+function decodePopupStoredSigningResult(
+  result: PasskeyPopupStoredSigningResult
+): PasskeyStoredSigningResult {
+  return {
+    ...decodePopupSigningResult(result),
+    passkey: result.passkey,
+    accounts: result.accounts,
+  };
+}