@vatts/auth 2.1.3-canary.1.0.2 → 2.1.3-canary.1.0.4

package/LICENSE

@@ -1,13 +1,13 @@
-Copyright 2026 mfraz
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
+Copyright 2026 mfraz
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
 limitations under the License.

package/README.md

@@ -1,58 +1,58 @@
-<div align="center">  
-  <picture>  
-      <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/mfrazlab/vatts-docs/master/public/logo.png">  
-      <img alt="Vatts.js logo" src="https://raw.githubusercontent.com/mfrazlab/vatts-docs/master/public/logo.png" width="128">  
-    </picture>  
-  <h1>@vatts/auth</h1>  
-
-[![NPM](https://img.shields.io/npm/v/@vatts/auth.svg?style=for-the-badge&labelColor=000000)](https://www.npmjs.com/package/@vatts/auth)  
-[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=for-the-badge&labelColor=000000)](../../LICENSE)  
-[![GitHub](https://img.shields.io/badge/GitHub-mfrazlab/vatts.js-100000?style=for-the-badge&logo=github&logoColor=white)](https://github.com/mfrazlab/vatts.js)
-</div>
-
-___
-
-## Getting Started
-
-**@vatts/auth** is the official authentication package for the **Vatts.js** framework, providing secure, flexible, and production-ready authentication with JWT, multiple OAuth providers and session management.
-
-- Secure by default — robust JWT implementation
-- Multiple providers — OAuth, credentials, and custom
-- Ready for React and Vue — integrated hooks and components
-- Strong typing — 100% TypeScript
-- Zero configuration — works out-of-the-box
-- Production-ready — CSRF protection, and more
-
-___
-
-## Documentation
-
-Visit [https://vatts.mfraz.ovh](https://vatts.mfraz.ovh) for full documentation of Vatts.js and its official packages.
-
-___
-
-## Community
-
-Join the Vatts.js community on [GitHub Discussions](https://github.com/mfraz/vatts.js) to ask questions, share ideas, and showcase your projects.
-
-___
-
-## Security
-
-Vatts.js uses a security-first hybrid architecture in which Node.js coordinates the application layer and a high-performance Go networking engine manages HTTP connections and transport protocols.
-By delegating network handling to Go, the platform achieves strong isolation, predictable request processing, and native support for modern transports like HTTP/3 under SSL — all while maintaining consistent security enforcement across environments, including local and non-TLS setups.
-
-If you believe you have found a security vulnerability in Vatts.js, we encourage you to **responsibly disclose it and NOT open a public issue**.
-
-To participate in our vulnerability disclosure program, please email [contact@mfraz.ovh](mailto:contact@mfraz.ovh). We will add you to the program and provide further instructions for submitting your report.
-
-___
-
-
-## License
-
-Copyright 2026 mfraz
-
-This project is licensed under the [Apache License 2.0](./LICENSE).
-
-___
+<div align="center">  
+  <picture>  
+      <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/mfrazlab/vatts-docs/master/public/logo.png">  
+      <img alt="Vatts.js logo" src="https://raw.githubusercontent.com/mfrazlab/vatts-docs/master/public/logo.png" width="128">  
+    </picture>  
+  <h1>@vatts/auth</h1>  
+
+[![NPM](https://img.shields.io/npm/v/@vatts/auth.svg?style=for-the-badge&labelColor=000000)](https://www.npmjs.com/package/@vatts/auth)  
+[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=for-the-badge&labelColor=000000)](../../LICENSE)  
+[![GitHub](https://img.shields.io/badge/GitHub-mfrazlab/vatts.js-100000?style=for-the-badge&logo=github&logoColor=white)](https://github.com/mfrazlab/vatts.js)
+</div>
+
+___
+
+## Getting Started
+
+**@vatts/auth** is the official authentication package for the **Vatts.js** framework, providing secure, flexible, and production-ready authentication with JWT, multiple OAuth providers and session management.
+
+- Secure by default — robust JWT implementation
+- Multiple providers — OAuth, credentials, and custom
+- Ready for React and Vue — integrated hooks and components
+- Strong typing — 100% TypeScript
+- Zero configuration — works out-of-the-box
+- Production-ready — CSRF protection, and more
+
+___
+
+## Documentation
+
+Visit [https://vatts.mfraz.ovh](https://vatts.mfraz.ovh) for full documentation of Vatts.js and its official packages.
+
+___
+
+## Community
+
+Join the Vatts.js community on [GitHub Discussions](https://github.com/mfraz/vatts.js) to ask questions, share ideas, and showcase your projects.
+
+___
+
+## Security
+
+Vatts.js uses a security-first hybrid architecture in which Node.js coordinates the application layer and a high-performance Go networking engine manages HTTP connections and transport protocols.
+By delegating network handling to Go, the platform achieves strong isolation, predictable request processing, and native support for modern transports like HTTP/3 under SSL — all while maintaining consistent security enforcement across environments, including local and non-TLS setups.
+
+If you believe you have found a security vulnerability in Vatts.js, we encourage you to **responsibly disclose it and NOT open a public issue**.
+
+To participate in our vulnerability disclosure program, please email [contact@mfraz.ovh](mailto:contact@mfraz.ovh). We will add you to the program and provide further instructions for submitting your report.
+
+___
+
+
+## License
+
+Copyright 2026 mfraz
+
+This project is licensed under the [Apache License 2.0](./LICENSE).
+
+___

package/dist/core.d.ts

@@ -11,7 +11,7 @@ export declare class VattsAuth {
     /**
      * Autentica um usuário usando um provider específico
      */
-    signIn(providerId: string, credentials: Record<string, string>): Promise<{
+    signIn(providerId: string, credentials: Record<string, string>, req: VattsRequest): Promise<{
         session: Session;
         token: string;
     } | {
@@ -44,6 +44,7 @@ export declare class VattsAuth {
         provider: string;
         route: any;
     }>;
+    updateSession(request: VattsRequest, data: any): VattsResponse;
     /**
      * Cria resposta com cookie de autenticação - Secure implementation
      */

package/dist/core.js

@@ -45,7 +45,7 @@ class VattsAuth {
     /**
      * Autentica um usuário usando um provider específico
      */
-    async signIn(providerId, credentials) {
+    async signIn(providerId, credentials, req) {
         const provider = this.config.providers.find(p => p.id === providerId);
         if (!provider) {
             console.error(`[vatts-auth] Provider not found: ${providerId}`);
@@ -53,7 +53,7 @@ class VattsAuth {
         }
         try {
             // Usa o método handleSignIn do provider
-            const result = await provider.handleSignIn(credentials);
+            const result = await provider.handleSignIn(credentials, req);
             if (!result)
                 return null;
             // Se resultado é string, é URL de redirecionamento OAuth
@@ -61,18 +61,18 @@ class VattsAuth {
                 return { redirectUrl: result };
             }
             // Se resultado é User, cria sessão
-            const user = result;
+            let user = result;
             // Callback de signIn se definido
             if (this.config.callbacks?.signIn) {
                 const allowed = await this.config.callbacks.signIn(user, { provider: providerId }, {});
                 if (!allowed)
                     return null;
             }
-            const sessionResult = this.sessionManager.createSession(user);
-            // Callback de sessão se definido
-            if (this.config.callbacks?.session) {
-                sessionResult.session = await this.config.callbacks.session({ session: sessionResult.session, user, provider: providerId });
+            if (this.config.callbacks?.user) {
+                const updatedUser = await this.config.callbacks.user({ user, provider: providerId });
+                user = updatedUser;
             }
+            const sessionResult = this.sessionManager.createSession(user);
             return sessionResult;
         }
         catch (error) {
@@ -152,6 +152,18 @@ class VattsAuth {
         }
         return routes;
     }
+    updateSession(request, data) {
+        const token = this.getTokenFromRequest(request);
+        if (!token) {
+            return vatts_1.VattsResponse.json({ error: "No session token found" }, { status: 400 });
+        }
+        const session = this.sessionManager.verifySession(token);
+        if (!session) {
+            throw new Error("Session not found");
+        }
+        const update = this.sessionManager.updateUserSession(data);
+        return this.createAuthResponse(update.token, { session: update.session });
+    }
     /**
      * Cria resposta com cookie de autenticação - Secure implementation
      */

package/dist/index.d.ts

@@ -3,5 +3,5 @@ export * from './providers';
 export * from './core';
 export * from './routes';
 export * from './jwt';
-export { CredentialsProvider, DiscordProvider, GoogleProvider } from './providers';
+export { CredentialsProvider, DiscordProvider, GoogleProvider, PasskeyStorage, PasskeysProvider } from './providers';
 export { createAuthRoutes } from './routes';

package/dist/index.js

@@ -14,7 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createAuthRoutes = exports.GoogleProvider = exports.DiscordProvider = exports.CredentialsProvider = void 0;
+exports.createAuthRoutes = exports.PasskeysProvider = exports.GoogleProvider = exports.DiscordProvider = exports.CredentialsProvider = void 0;
 /*
  * This file is part of the Vatts.js Project.
  * Copyright (c) 2026 mfraz
@@ -41,5 +41,6 @@ var providers_1 = require("./providers");
 Object.defineProperty(exports, "CredentialsProvider", { enumerable: true, get: function () { return providers_1.CredentialsProvider; } });
 Object.defineProperty(exports, "DiscordProvider", { enumerable: true, get: function () { return providers_1.DiscordProvider; } });
 Object.defineProperty(exports, "GoogleProvider", { enumerable: true, get: function () { return providers_1.GoogleProvider; } });
+Object.defineProperty(exports, "PasskeysProvider", { enumerable: true, get: function () { return providers_1.PasskeysProvider; } });
 var routes_1 = require("./routes");
 Object.defineProperty(exports, "createAuthRoutes", { enumerable: true, get: function () { return routes_1.createAuthRoutes; } });

package/dist/jwt.d.ts

@@ -38,4 +38,8 @@ export declare class SessionManager {
         session: Session;
         token: string;
     } | null;
+    updateUserSession(user: User): {
+        session: Session;
+        token: string;
+    } | null;
 }

package/dist/jwt.js

@@ -223,5 +223,8 @@ class SessionManager {
             return null;
         return this.createSession(currentSession.user);
     }
+    updateUserSession(user) {
+        return this.createSession(user);
+    }
 }
 exports.SessionManager = SessionManager;

package/dist/providers/passkey.d.ts

@@ -0,0 +1,59 @@
+import type { AuthProviderClass, AuthRoute, User } from '../types';
+import { VattsRequest } from 'vatts';
+/**
+ * Interface que o desenvolvedor final DEVE implementar para conectar o próprio Banco de Dados.
+ * Como Passkeys exigem guardar "Challenges" temporários e as Chaves Públicas,
+ * abstraímos isso para dar liberdade total.
+ */
+export interface PasskeyStorage {
+    saveChallenge: (username: string, challenge: string) => Promise<void>;
+    getChallenge: (username: string) => Promise<string | null>;
+    deleteChallenge: (username: string) => Promise<void>;
+    saveCredential: (username: string, credential: any) => Promise<void>;
+    getUserCredentials: (username: string) => Promise<any[]>;
+    updateCredentialCounter: (credentialID: string, newCounter: number) => Promise<void>;
+    getUserByUsername: (username: string) => Promise<User | null>;
+}
+export interface PasskeysConfig {
+    id?: string;
+    name?: string;
+    rpName: string;
+    rpID?: string;
+    origin?: string;
+    storage: PasskeyStorage;
+}
+/**
+ * Provider para autenticação sem senha usando Passkeys (WebAuthn / FIDO2)
+ * * Fluxo de Registro:
+ * 1. POST /api/auth/passkeys/register/start -> Gera opções pro dispositivo
+ * 2. POST /api/auth/passkeys/register/finish -> Valida e salva no DB (via Storage)
+ * * Fluxo de Login:
+ * 1. POST /api/auth/passkeys/login/start -> Gera opções de login
+ * 2. POST /api/auth/signin -> O Vatts direciona para o `handleSignIn` deste provider
+ */
+export declare class PasskeysProvider implements AuthProviderClass {
+    readonly id: string;
+    readonly name: string;
+    readonly type: string;
+    private config;
+    private loginChallenges;
+    constructor(config: PasskeysConfig);
+    /**
+     * Função auxiliar para pegar a origem e o RPID dinamicamente pela requisição,
+     * se não foram informados estaticamente na configuração.
+     */
+    private getRequestInfo;
+    /**
+     * O Vatts chama este método quando o front-end envia as credenciais para o endpoint genérico de login.
+     * Para Passkeys, o "credentials" conterá o username e o response JSON gerado pelo navegador.
+     */
+    handleSignIn(credentials: Record<string, string>, req?: VattsRequest): Promise<User | null>;
+    /**
+     * Retorna configuração pública do provider
+     */
+    getConfig(): any;
+    /**
+     * Rotas adicionais para lidar com a geração de chaves (Registro) e inicio de Login
+     */
+    additionalRoutes: AuthRoute[];
+}

package/dist/providers/passkey.js

@@ -0,0 +1,379 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasskeysProvider = void 0;
+const vatts_1 = require("vatts");
+const server_1 = require("@simplewebauthn/server");
+/**
+ * Funções auxiliares para serializar/desserializar Buffer
+ */
+function bufferToBase64(buffer) {
+    if (typeof buffer === 'string')
+        return buffer; // Já é string
+    if (buffer instanceof Uint8Array || Buffer.isBuffer(buffer)) {
+        return Buffer.from(buffer).toString('base64');
+    }
+    return String(buffer);
+}
+function toUint8Array(input) {
+    if (input == null)
+        throw new TypeError("toUint8Array: input is null/undefined");
+    // Uint8Array / Buffer
+    if (input instanceof Uint8Array) {
+        const ab = input.buffer.slice(input.byteOffset, input.byteOffset + input.byteLength);
+        return new Uint8Array(ab);
+    }
+    // ArrayBuffer
+    if (input instanceof ArrayBuffer) {
+        return new Uint8Array(input);
+    }
+    // number[]
+    if (Array.isArray(input) && input.every(n => typeof n === "number")) {
+        const u8 = Uint8Array.from(input);
+        const ab = u8.buffer.slice(u8.byteOffset, u8.byteOffset + u8.byteLength);
+        return new Uint8Array(ab);
+    }
+    // base64/base64url string
+    if (typeof input === "string") {
+        const b64 = input.replace(/-/g, "+").replace(/_/g, "/");
+        const pad = b64.length % 4 ? "=".repeat(4 - (b64.length % 4)) : "";
+        const buf = Buffer.from(b64 + pad, "base64");
+        const ab = buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
+        return new Uint8Array(ab);
+    }
+    // object cases
+    if (typeof input === "object") {
+        const obj = input;
+        // { type:"Buffer", data:[...] }
+        if (obj.type === "Buffer" && Array.isArray(obj.data)) {
+            return toUint8Array(obj.data);
+        }
+        // { data:[...] }
+        if (Array.isArray(obj.data)) {
+            return toUint8Array(obj.data);
+        }
+        // { bytes:[...] }
+        if (Array.isArray(obj.bytes)) {
+            return toUint8Array(obj.bytes);
+        }
+        // { buffer: ... } wrapper
+        if (obj.buffer != null) {
+            // às vezes vem { buffer: { type:"Buffer", data:[...] } }
+            return toUint8Array(obj.buffer);
+        }
+        // array-like: {0:12,1:34,length:2}
+        if (typeof obj.length === "number") {
+            const arr = Array.from({ length: obj.length }, (_, i) => obj[i]);
+            if (arr.every(n => typeof n === "number")) {
+                return toUint8Array(arr);
+            }
+        }
+        // numeric-key object without length: {"0":165,"1":1,...}
+        const numericKeys = Object.keys(obj).filter(key => /^\d+$/.test(key));
+        if (numericKeys.length > 0) {
+            const arr = numericKeys
+                .sort((a, b) => Number(a) - Number(b))
+                .map(key => obj[key]);
+            if (arr.every(n => typeof n === "number")) {
+                return toUint8Array(arr);
+            }
+        }
+    }
+    throw new TypeError(`toUint8Array: unsupported input type: ${Object.prototype.toString.call(input)}`);
+}
+/**
+ * Provider para autenticação sem senha usando Passkeys (WebAuthn / FIDO2)
+ * * Fluxo de Registro:
+ * 1. POST /api/auth/passkeys/register/start -> Gera opções pro dispositivo
+ * 2. POST /api/auth/passkeys/register/finish -> Valida e salva no DB (via Storage)
+ * * Fluxo de Login:
+ * 1. POST /api/auth/passkeys/login/start -> Gera opções de login
+ * 2. POST /api/auth/signin -> O Vatts direciona para o `handleSignIn` deste provider
+ */
+class PasskeysProvider {
+    constructor(config) {
+        this.type = 'passkeys';
+        // Map para armazenar challenges temporários de login (não-persistentes)
+        this.loginChallenges = new Map();
+        /**
+         * Rotas adicionais para lidar com a geração de chaves (Registro) e inicio de Login
+         */
+        this.additionalRoutes = [
+            // ==========================================
+            // REGISTRO - PASSO 1 (START)
+            // ==========================================
+            {
+                method: 'POST',
+                path: '/api/auth/passkeys/register/start',
+                handler: async (req) => {
+                    try {
+                        const body = await req.json();
+                        const { username } = body;
+                        const { rpID } = this.getRequestInfo(req);
+                        if (!username)
+                            return vatts_1.VattsResponse.json({ error: 'Username required' }, { status: 400 });
+                        // Usando buffer corretamente para V13+
+                        const options = await (0, server_1.generateRegistrationOptions)({
+                            rpName: this.config.rpName,
+                            rpID,
+                            userID: new Uint8Array(Buffer.from(username)),
+                            userName: username,
+                            attestationType: 'none',
+                            authenticatorSelection: {
+                                residentKey: 'required', // Obrigatório para discoverable credentials
+                                userVerification: 'preferred',
+                            },
+                        });
+                        // Salva desafio no banco de dados customizado do usuário
+                        await this.config.storage.saveChallenge(username, options.challenge);
+                        return vatts_1.VattsResponse.json(options);
+                    }
+                    catch (error) {
+                        return vatts_1.VattsResponse.json({ error: error.message }, { status: 500 });
+                    }
+                }
+            },
+            // ==========================================
+            // REGISTRO - PASSO 2 (FINISH)
+            // ==========================================
+            {
+                method: 'POST',
+                path: '/api/auth/passkeys/register/finish',
+                handler: async (req) => {
+                    try {
+                        const body = await req.json();
+                        const { origin, rpID } = this.getRequestInfo(req);
+                        // Agora aceitamos um "name" opcional no body (Ex: "PC do Trabalho")
+                        const { username, response, name } = body;
+                        const expectedChallenge = await this.config.storage.getChallenge(username);
+                        if (!expectedChallenge)
+                            return vatts_1.VattsResponse.json({ error: 'Challenge expired/not found' }, { status: 400 });
+                        const verification = await (0, server_1.verifyRegistrationResponse)({
+                            response,
+                            expectedChallenge,
+                            expectedOrigin: origin,
+                            expectedRPID: rpID,
+                        });
+                        if (verification.verified && verification.registrationInfo) {
+                            const { credential } = verification.registrationInfo;
+                            // Formata a credencial e salva no DB do dev
+                            await this.config.storage.saveCredential(username, {
+                                credentialID: credential.id,
+                                credentialPublicKey: bufferToBase64(credential.publicKey),
+                                counter: credential.counter,
+                                transports: response.response.transports,
+                                name: name || 'Chave de Acesso', // Salva o nome ou um padrão
+                            });
+                            await this.config.storage.deleteChallenge(username);
+                            return vatts_1.VattsResponse.json({ success: true });
+                        }
+                        return vatts_1.VattsResponse.json({ success: false }, { status: 400 });
+                    }
+                    catch (error) {
+                        return vatts_1.VattsResponse.json({ error: error.message }, { status: 500 });
+                    }
+                }
+            },
+            // ==========================================
+            // LOGIN - PASSO 1 (START)
+            // ==========================================
+            {
+                method: 'POST',
+                path: '/api/auth/passkeys/login/start',
+                handler: async (req) => {
+                    try {
+                        const { rpID } = this.getRequestInfo(req);
+                        // Não precisa de username - usa discoverable credentials
+                        // O navegador mostrará as keys disponíveis automaticamente
+                        const options = await (0, server_1.generateAuthenticationOptions)({
+                            rpID,
+                            userVerification: 'preferred',
+                            // Omitindo allowCredentials para permitir discoverable credentials
+                        });
+                        // Gera um sessionId único para esta tentativa de login
+                        const sessionId = typeof crypto !== 'undefined' && crypto.randomUUID
+                            ? crypto.randomUUID()
+                            : Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
+                        // Salva o challenge no Map temporário (não usa storage)
+                        this.loginChallenges.set(`passkey:${sessionId}`, {
+                            challenge: options.challenge,
+                            timestamp: Date.now()
+                        });
+                        return vatts_1.VattsResponse.json({ options, sessionId });
+                    }
+                    catch (error) {
+                        return vatts_1.VattsResponse.json({ error: error.message }, { status: 500 });
+                    }
+                }
+            },
+            // ==========================================
+            // LISTAR CREDENCIAIS (Para mostrar na UI)
+            // ==========================================
+            {
+                method: 'POST', // Usando POST para facilitar o envio do username no body
+                path: '/api/auth/passkeys/list',
+                handler: async (req) => {
+                    try {
+                        const body = await req.json();
+                        const { username } = body;
+                        if (!username)
+                            return vatts_1.VattsResponse.json({ error: 'Username required' }, { status: 400 });
+                        const credentials = await this.config.storage.getUserCredentials(username);
+                        // Retorna as credenciais limpando a chave pública (boa prática de segurança para o Front-end)
+                        const safeCredentials = credentials.map(cred => ({
+                            id: cred.credentialID,
+                            name: cred.name || 'Chave de Acesso',
+                            transports: cred.transports,
+                            createdAt: cred.createdAt // Caso o dev salve a data no banco dele
+                        }));
+                        return vatts_1.VattsResponse.json({ success: true, credentials: safeCredentials });
+                    }
+                    catch (error) {
+                        return vatts_1.VattsResponse.json({ error: error.message }, { status: 500 });
+                    }
+                }
+            }
+        ];
+        this.config = config;
+        this.id = config.id || 'passkeys';
+        this.name = config.name || 'Passkeys';
+        // Limpa challenges expirados a cada 5 minutos (TTL de 10 minutos)
+        setInterval(() => {
+            const now = Date.now();
+            for (const [key, value] of this.loginChallenges.entries()) {
+                if (now - value.timestamp > 10 * 60 * 1000) {
+                    this.loginChallenges.delete(key);
+                }
+            }
+        }, 5 * 60 * 1000);
+    }
+    /**
+     * Função auxiliar para pegar a origem e o RPID dinamicamente pela requisição,
+     * se não foram informados estaticamente na configuração.
+     */
+    getRequestInfo(req) {
+        let origin = this.config.origin;
+        if (!origin && req) {
+            // Lida tanto com API Fetch nativa (headers.get) quanto Node.js plain (headers.origin)
+            if (typeof req.headers?.get === 'function') {
+                const originHeader = req.headers['origin'] || req.headers['host'];
+                origin = Array.isArray(originHeader) ? originHeader[0] : originHeader;
+                if (!origin) {
+                    const hostHeader = req.headers['host'];
+                    const host = Array.isArray(hostHeader) ? hostHeader[0] : hostHeader;
+                    if (host)
+                        origin = `http://${host}`; // Fallback para host
+                }
+            }
+            else if (req.headers) {
+                // @ts-ignore
+                origin = req.headers.origin || (req.headers.host ? `http://${req.headers.host}` : undefined);
+            }
+        }
+        // Fallback final
+        origin = origin || 'http://localhost:3000';
+        let rpID = this.config.rpID;
+        if (!rpID) {
+            try {
+                rpID = new URL(origin).hostname;
+            }
+            catch (e) {
+                rpID = 'localhost';
+            }
+        }
+        return { origin, rpID };
+    }
+    /**
+     * O Vatts chama este método quando o front-end envia as credenciais para o endpoint genérico de login.
+     * Para Passkeys, o "credentials" conterá o username e o response JSON gerado pelo navegador.
+     */
+    async handleSignIn(credentials, req) {
+        try {
+            const { response: responseString, sessionId } = credentials;
+            if (!responseString || !sessionId) {
+                console.error(`[${this.id} Provider] Missing response payload or sessionId`);
+                return null;
+            }
+            const { origin, rpID } = this.getRequestInfo(req);
+            const response = JSON.parse(responseString);
+            // Recupera o challenge do Map de login (temporário, não do storage)
+            const challengeData = this.loginChallenges.get(`passkey:${sessionId}`);
+            const expectedChallenge = challengeData?.challenge || null;
+            if (!expectedChallenge) {
+                console.error(`[${this.id} Provider] No active challenge found`);
+                return null;
+            }
+            // O response.id é a credentialID. Precisamos encontrar qual usuário possui essa chave
+            // Como não sabemos o username, a implementação do storage deve permitir buscar por credentialID
+            // Para isso, você pode adicionar um método como findUsernameByCredentialID
+            // 
+            // Alternativa: Como o userHandle é enviado no response da discoverable credential,
+            // podemos decodificá-lo para obter o username original
+            let username = null;
+            // Tenta extrair username do userHandle (armazenado durante registro)
+            if (response.response.userHandle) {
+                try {
+                    username = Buffer.from(response.response.userHandle, 'base64').toString('utf-8');
+                }
+                catch (e) {
+                    console.error(`[${this.id} Provider] Could not decode userHandle`);
+                }
+            }
+            if (!username) {
+                console.error(`[${this.id} Provider] Could not determine username from credential`);
+                return null;
+            }
+            // Agora que temos o username, busca a chave específica
+            const userPasskeys = await this.config.storage.getUserCredentials(username);
+            const passkey = userPasskeys.find(key => key.credentialID === response.id);
+            if (!passkey) {
+                console.error(`[${this.id} Provider] Credential not found for user`);
+                return null;
+            }
+            // Valida a resposta com a biblioteca (V13+)
+            const verification = await (0, server_1.verifyAuthenticationResponse)({
+                response,
+                expectedChallenge,
+                expectedOrigin: origin,
+                expectedRPID: rpID,
+                credential: {
+                    id: passkey.credentialID,
+                    publicKey: toUint8Array(passkey.credentialPublicKey),
+                    counter: passkey.counter,
+                    transports: passkey.transports,
+                },
+            });
+            if (verification.verified) {
+                // Atualiza o contador de segurança e deleta o challenge do Map
+                await this.config.storage.updateCredentialCounter(passkey.credentialID, verification.authenticationInfo.newCounter);
+                this.loginChallenges.delete(`passkey:${sessionId}`);
+                // Busca o objeto completo do usuário no banco para o Vatts.js iniciar a sessão
+                const user = await this.config.storage.getUserByUsername(username);
+                if (!user)
+                    return null;
+                return {
+                    ...user,
+                    provider: this.id,
+                    providerId: username
+                };
+            }
+            return null;
+        }
+        catch (error) {
+            console.error(`[${this.id} Provider] Error during sign in (WebAuthn):`, error);
+            return null;
+        }
+    }
+    /**
+     * Retorna configuração pública do provider
+     */
+    getConfig() {
+        return {
+            id: this.id,
+            name: this.name,
+            type: this.type,
+            rpName: this.config.rpName,
+            rpID: this.config.rpID, // Se omitido, continuará extraindo on-the-fly
+        };
+    }
+}
+exports.PasskeysProvider = PasskeysProvider;

package/dist/providers.d.ts

@@ -2,3 +2,4 @@ export { CredentialsProvider } from './providers/credentials';
 export { DiscordProvider } from './providers/discord';
 export { GoogleProvider } from './providers/google';
 export { GithubProvider } from "./providers/github";
+export { PasskeyStorage, PasskeysProvider } from "./providers/passkey";

package/dist/providers.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.GithubProvider = exports.GoogleProvider = exports.DiscordProvider = exports.CredentialsProvider = void 0;
+exports.PasskeysProvider = exports.GithubProvider = exports.GoogleProvider = exports.DiscordProvider = exports.CredentialsProvider = void 0;
 /*
  * This file is part of the Vatts.js Project.
  * Copyright (c) 2026 mfraz
@@ -26,3 +26,5 @@ var google_1 = require("./providers/google");
 Object.defineProperty(exports, "GoogleProvider", { enumerable: true, get: function () { return google_1.GoogleProvider; } });
 var github_1 = require("./providers/github");
 Object.defineProperty(exports, "GithubProvider", { enumerable: true, get: function () { return github_1.GithubProvider; } });
+var passkey_1 = require("./providers/passkey");
+Object.defineProperty(exports, "PasskeysProvider", { enumerable: true, get: function () { return passkey_1.PasskeysProvider; } });

package/dist/react/react.d.ts

@@ -19,4 +19,12 @@ export declare function useAuth(): {
     isAuthenticated: boolean;
     isLoading: boolean;
 };
+/**
+ * Função utilitária para registrar uma nova Passkey (WebAuthn).
+ * Pode ser usada em painéis de "Configurações de Conta" pelo desenvolvedor.
+ */
+export declare function registerPasskey(username: string, name?: string, basePath?: string): Promise<{
+    success: boolean;
+    error?: string;
+}>;
 export {};

package/dist/react/react.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SessionProvider = SessionProvider;
 exports.useSession = useSession;
 exports.useAuth = useAuth;
+exports.registerPasskey = registerPasskey;
 const jsx_runtime_1 = require("react/jsx-runtime");
 /*
  * This file is part of the Vatts.js Project.
@@ -121,6 +122,38 @@ function SessionProvider({ children, basePath = '/api/auth', refetchInterval = 0
     const signIn = (0, react_1.useCallback)(async (provider = 'credentials', options = {}) => {
         try {
             const { redirect = true, callbackUrl, popup = false, ...credentials } = options;
+            // --- INÍCIO DA INTERCEPTAÇÃO PASSKEYS ---
+            if (provider === 'passkeys') {
+                try {
+                    // 1. Pede ao backend as opções de desafio para login (SEM username)
+                    // Com discoverable credentials, o navegador mostra as keys disponíveis
+                    const startRes = await fetch(`${basePath}/passkeys/login/start`, {
+                        method: 'POST',
+                        headers: { 'Content-Type': 'application/json' },
+                        body: JSON.stringify({})
+                    });
+                    if (!startRes.ok) {
+                        const errData = await startRes.json().catch(() => ({}));
+                        return { error: errData.error || 'Failed to start passkey login', status: startRes.status, ok: false };
+                    }
+                    const { options, sessionId } = await startRes.json();
+                    if (!sessionId) {
+                        return { error: 'No session ID received from server', status: 500, ok: false };
+                    }
+                    // 2. Importa dinamicamente para não quebrar em SSR e chama o navegador (FaceID, TouchID, etc)
+                    // O navegador mostrará as credenciais disponíveis automaticamente
+                    const { startAuthentication } = await import('@simplewebauthn/browser');
+                    const asseResp = await startAuthentication(options);
+                    // 3. Injeta a resposta assinada e o sessionId no credentials para seguir o fluxo normal do signIn
+                    credentials.response = JSON.stringify(asseResp);
+                    credentials.sessionId = sessionId;
+                }
+                catch (error) {
+                    console.error('[vatts-auth] Error during passkey login flow:', error);
+                    return { error: error.message || 'Passkey authentication failed', status: 400, ok: false };
+                }
+            }
+            // --- FIM DA INTERCEPTAÇÃO PASSKEYS ---
             const response = await fetch(`${basePath}/signin`, {
                 method: 'POST',
                 headers: {
@@ -150,7 +183,7 @@ function SessionProvider({ children, basePath = '/api/auth', refetchInterval = 0
                         url: data.redirectUrl
                     };
                 }
-                // Se é sessão (credentials), atualiza e redireciona
+                // Se é sessão (credentials/passkeys), atualiza e redireciona
                 await fetchSession();
                 if (data.type === 'session') {
                     if (redirect && typeof window !== 'undefined') {
@@ -263,3 +296,42 @@ function useAuth() {
         isLoading: status === 'loading'
     };
 }
+/**
+ * Função utilitária para registrar uma nova Passkey (WebAuthn).
+ * Pode ser usada em painéis de "Configurações de Conta" pelo desenvolvedor.
+ */
+async function registerPasskey(username, name, basePath = '/api/auth') {
+    try {
+        const { startRegistration } = await import('@simplewebauthn/browser');
+        // 1. Pega as opções do servidor
+        const startRes = await fetch(`${basePath}/passkeys/register/start`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ username })
+        });
+        if (!startRes.ok) {
+            const errData = await startRes.json().catch(() => ({}));
+            throw new Error(errData.error || 'Failed to start passkey registration');
+        }
+        const options = await startRes.json();
+        // 2. Chama a biometria/PIN do dispositivo
+        const attResp = await startRegistration(options);
+        // 3. Envia o resultado de volta pro servidor validar e salvar
+        const finishRes = await fetch(`${basePath}/passkeys/register/finish`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ username, response: attResp, name })
+        });
+        const result = await finishRes.json();
+        if (result.success) {
+            return { success: true };
+        }
+        else {
+            return { success: false, error: result.error || 'Verification failed on server' };
+        }
+    }
+    catch (error) {
+        console.error('[vatts-auth] Error during passkey registration:', error);
+        return { success: false, error: error.message || 'Passkey registration failed' };
+    }
+}

package/dist/routes.js

@@ -127,7 +127,7 @@ async function handleSignIn(req, auth) {
         const credentialsWithPopup = popup !== undefined
             ? { ...credentials, popup: String(popup) }
             : credentials;
-        const result = await auth.signIn(provider, credentialsWithPopup);
+        const result = await auth.signIn(provider, credentialsWithPopup, req);
         if (!result) {
             return vatts_1.VattsResponse.json({ error: 'Invalid credentials' }, { status: 401 });
         }
@@ -139,6 +139,7 @@ async function handleSignIn(req, auth) {
                 type: 'oauth'
             });
         }
+        console.log('result:', result);
         // Se tem session, é credentials - retorna sessão
         return auth.createAuthResponse(result.token, {
             success: true,
@@ -161,76 +162,76 @@ function handlePopupCallback(req) {
     const error = url.searchParams.get('error');
     const provider = url.searchParams.get('provider') || 'unknown';
     const callbackUrl = url.searchParams.get('callbackUrl') || '/';
-    const html = `
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <title>Authenticating...</title>
-    <style>
-        body {
-            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
-            display: flex;
-            justify-content: center;
-            align-items: center;
-            height: 100vh;
-            margin: 0;
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-            color: white;
-        }
-        .container {
-            text-align: center;
-        }
-        .spinner {
-            border: 4px solid rgba(255,255,255,0.3);
-            border-radius: 50%;
-            border-top: 4px solid white;
-            width: 40px;
-            height: 40px;
-            animation: spin 1s linear infinite;
-            margin: 0 auto 20px;
-        }
-        @keyframes spin {
-            0% { transform: rotate(0deg); }
-            100% { transform: rotate(360deg); }
-        }
-        h2 {
-            margin: 0;
-            font-size: 24px;
-        }
-        p {
-            margin: 10px 0 0;
-            opacity: 0.9;
-        }
-    </style>
-</head>
-<body>
-    <div class="container">
-        <div class="spinner"></div>
-        <h2>${success ? '✓ Autenticação bem-sucedida' : '✗ Erro na autenticação'}</h2>
-        <p>${success ? 'Fechando janela...' : (error || 'Algo deu errado')}</p>
-    </div>
-    <script>
-        (function() {
-            try {
-                if (window.opener) {
-                    console.log('Enviando mensagem para janela pai:')
-                    window.opener.postMessage({
-                        type: ${success ? "'oauth-success'" : "'oauth-error'"},
-                        provider: "${provider}",
-                        ${success ? `callbackUrl: "${callbackUrl}"` : `error: "${error || 'Authentication failed'}"`}
-                    }, window.location.origin);
-                }
-                setTimeout(() => {
-                    window.close();
-                }, 1000);
-            } catch (e) {
-                console.error('Error communicating with parent window:', e);
-            }
-        })();
-    </script>
-</body>
-</html>
+    const html = `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Authenticating...</title>
+    <style>
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            height: 100vh;
+            margin: 0;
+            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+            color: white;
+        }
+        .container {
+            text-align: center;
+        }
+        .spinner {
+            border: 4px solid rgba(255,255,255,0.3);
+            border-radius: 50%;
+            border-top: 4px solid white;
+            width: 40px;
+            height: 40px;
+            animation: spin 1s linear infinite;
+            margin: 0 auto 20px;
+        }
+        @keyframes spin {
+            0% { transform: rotate(0deg); }
+            100% { transform: rotate(360deg); }
+        }
+        h2 {
+            margin: 0;
+            font-size: 24px;
+        }
+        p {
+            margin: 10px 0 0;
+            opacity: 0.9;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="spinner"></div>
+        <h2>${success ? '✓ Autenticação bem-sucedida' : '✗ Erro na autenticação'}</h2>
+        <p>${success ? 'Fechando janela...' : (error || 'Algo deu errado')}</p>
+    </div>
+    <script>
+        (function() {
+            try {
+                if (window.opener) {
+                    console.log('Enviando mensagem para janela pai:')
+                    window.opener.postMessage({
+                        type: ${success ? "'oauth-success'" : "'oauth-error'"},
+                        provider: "${provider}",
+                        ${success ? `callbackUrl: "${callbackUrl}"` : `error: "${error || 'Authentication failed'}"`}
+                    }, window.location.origin);
+                }
+                setTimeout(() => {
+                    window.close();
+                }, 1000);
+            } catch (e) {
+                console.error('Error communicating with parent window:', e);
+            }
+        })();
+    </script>
+</body>
+</html>
     `;
     return vatts_1.VattsResponse.html(html);
 }

package/dist/types.d.ts

@@ -1,3 +1,4 @@
+import { VattsRequest } from "vatts";
 export type User = Record<string, any>;
 export interface Session {
     user: User;
@@ -35,7 +36,7 @@ export interface AuthProviderClass {
     name: string;
     type: string;
     handleOauth?(credentials: Record<string, string>): Promise<string> | string;
-    handleSignIn(credentials: Record<string, string>): Promise<User | string | null>;
+    handleSignIn(credentials: Record<string, string>, _req?: VattsRequest): Promise<User | string | null>;
     handleSignOut?(): Promise<void>;
     additionalRoutes?: AuthRoute[];
     getConfig?(): any;
@@ -49,11 +50,10 @@ export interface AuthConfig {
     };
     callbacks?: {
         signIn?: (user: User, account: any, profile: any) => boolean | Promise<boolean>;
-        session?: ({ session, user, provider }: {
-            session: Session;
+        user?: ({ user, provider }: {
             user: User;
             provider: string;
-        }) => Session | Promise<Session>;
+        }) => User | Promise<User>;
         jwt?: (token: any, user: User, account: any, profile: any) => any | Promise<any>;
     };
     session?: {

package/dist/vue/component.vue

@@ -1,30 +1,30 @@
-<script setup>
-/**
- * This file is part of the Vatts.js Project.
- * Copyright (c) 2026 mfraz
- */
-import { useSessionProviderLogic } from './session';
-
-// Definição das props com valores padrão (Sintaxe JavaScript)
-const props = defineProps({
-  basePath: {
-    type: String,
-    default: '/api/auth'
-  },
-  refetchInterval: {
-    type: Number,
-    default: 0
-  },
-  refetchOnWindowFocus: {
-    type: Boolean,
-    default: true
-  }
-});
-
-// Inicializa a lógica do provider passando as props reativas
-useSessionProviderLogic(props);
-</script>
-
-<template>
-  <slot />
+<script setup>
+/**
+ * This file is part of the Vatts.js Project.
+ * Copyright (c) 2026 mfraz
+ */
+import { useSessionProviderLogic } from './session';
+
+// Definição das props com valores padrão (Sintaxe JavaScript)
+const props = defineProps({
+  basePath: {
+    type: String,
+    default: '/api/auth'
+  },
+  refetchInterval: {
+    type: Number,
+    default: 0
+  },
+  refetchOnWindowFocus: {
+    type: Boolean,
+    default: true
+  }
+});
+
+// Inicializa a lógica do provider passando as props reativas
+useSessionProviderLogic(props);
+</script>
+
+<template>
+  <slot />
 </template>

package/dist/vue/session.d.ts

@@ -34,3 +34,11 @@ export declare function useAuth(): {
     isAuthenticated: boolean;
     isLoading: boolean;
 };
+/**
+ * Função utilitária para registrar uma nova Passkey (WebAuthn).
+ * Pode ser usada em painéis de "Configurações de Conta" pelo desenvolvedor.
+ */
+export declare function registerPasskey(username: string, name?: string, basePath?: string): Promise<{
+    success: boolean;
+    error?: string;
+}>;

package/dist/vue/session.js

@@ -4,6 +4,7 @@ exports.SessionKey = void 0;
 exports.useSessionProviderLogic = useSessionProviderLogic;
 exports.useSession = useSession;
 exports.useAuth = useAuth;
+exports.registerPasskey = registerPasskey;
 /*
  * This file is part of the Vatts.js Project.
  * Copyright (c) 2026 mfraz
@@ -128,6 +129,38 @@ function useSessionProviderLogic(props) {
     const signIn = async (provider = 'credentials', options = {}) => {
         try {
             const { redirect = true, callbackUrl, popup = false, ...credentials } = options;
+            // --- INÍCIO DA INTERCEPTAÇÃO PASSKEYS ---
+            if (provider === 'passkeys') {
+                try {
+                    // 1. Pede ao backend as opções de desafio para login (SEM username)
+                    // Com discoverable credentials, o navegador mostra as keys disponíveis
+                    const startRes = await fetch(`${props.basePath}/passkeys/login/start`, {
+                        method: 'POST',
+                        headers: { 'Content-Type': 'application/json' },
+                        body: JSON.stringify({})
+                    });
+                    if (!startRes.ok) {
+                        const errData = await startRes.json().catch(() => ({}));
+                        return { error: errData.error || 'Failed to start passkey login', status: startRes.status, ok: false };
+                    }
+                    const { options, sessionId } = await startRes.json();
+                    if (!sessionId) {
+                        return { error: 'No session ID received from server', status: 500, ok: false };
+                    }
+                    // 2. Importa dinamicamente para não quebrar em SSR e chama o navegador (FaceID, TouchID, etc)
+                    // O navegador mostrará as credenciais disponíveis automaticamente
+                    const { startAuthentication } = await import('@simplewebauthn/browser');
+                    const asseResp = await startAuthentication(options);
+                    // 3. Injeta a resposta assinada e o sessionId no credentials para seguir o fluxo normal do signIn
+                    credentials.response = JSON.stringify(asseResp);
+                    credentials.sessionId = sessionId;
+                }
+                catch (error) {
+                    console.error('[vatts-auth] Error during passkey login flow:', error);
+                    return { error: error.message || 'Passkey authentication failed', status: 400, ok: false };
+                }
+            }
+            // --- FIM DA INTERCEPTAÇÃO PASSKEYS ---
             const response = await fetch(`${props.basePath}/signin`, {
                 method: 'POST',
                 headers: {
@@ -151,7 +184,7 @@ function useSessionProviderLogic(props) {
                     }
                     return { ok: true, status: 200, url: data.redirectUrl };
                 }
-                // Se é sessão (credentials), atualiza e redireciona
+                // Se é sessão (credentials/passkeys), atualiza e redireciona
                 await fetchSession();
                 if (data.type === 'session') {
                     const finalUrl = callbackUrl || '/';
@@ -276,3 +309,42 @@ function useAuth() {
         isLoading: statusVal === 'loading'
     };
 }
+/**
+ * Função utilitária para registrar uma nova Passkey (WebAuthn).
+ * Pode ser usada em painéis de "Configurações de Conta" pelo desenvolvedor.
+ */
+async function registerPasskey(username, name, basePath = '/api/auth') {
+    try {
+        const { startRegistration } = await import('@simplewebauthn/browser');
+        // 1. Pega as opções do servidor
+        const startRes = await fetch(`${basePath}/passkeys/register/start`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ username })
+        });
+        if (!startRes.ok) {
+            const errData = await startRes.json().catch(() => ({}));
+            throw new Error(errData.error || 'Failed to start passkey registration');
+        }
+        const options = await startRes.json();
+        // 2. Chama a biometria/PIN do dispositivo
+        const attResp = await startRegistration(options);
+        // 3. Envia o resultado de volta pro servidor validar e salvar
+        const finishRes = await fetch(`${basePath}/passkeys/register/finish`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ username, response: attResp, name })
+        });
+        const result = await finishRes.json();
+        if (result.success) {
+            return { success: true };
+        }
+        else {
+            return { success: false, error: result.error || 'Verification failed on server' };
+        }
+    }
+    catch (error) {
+        console.error('[vatts-auth] Error during passkey registration:', error);
+        return { success: false, error: error.message || 'Passkey registration failed' };
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vatts/auth",
-  "version": "2.1.3-canary.1.0.2",
+  "version": "2.1.3-canary.1.0.4",
   "description": "Authentication package for Vatts.js framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -50,13 +50,17 @@
     "react": "^19.2.0",
     "react-dom": "^19.2.0",
     "vue": "^3.5.27",
-    "vatts": "^2.1.3-canary.1.0.2"
+    "vatts": "^2.1.3-canary.1.0.4"
   },
   "peerDependenciesMeta": {
     "react-dom": {
       "optional": true
     }
   },
+  "dependencies": {
+    "@simplewebauthn/browser": "^13.2.2",
+    "@simplewebauthn/server": "^13.2.3"
+  },
   "scripts": {
     "build": "tsc && copyfiles -u 1 \"src/**/*.vue\" dist",
     "build:watch": "tsc --watch",