@veridex/sdk 1.0.0-beta.9 → 1.1.0

package/dist/passkey.js

@@ -0,0 +1,914 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/passkey.ts
+var passkey_exports = {};
+__export(passkey_exports, {
+  PasskeyManager: () => PasskeyManager,
+  VERIDEX_RP_ID: () => VERIDEX_RP_ID,
+  detectRpId: () => detectRpId,
+  supportsRelatedOrigins: () => supportsRelatedOrigins
+});
+module.exports = __toCommonJS(passkey_exports);
+
+// src/core/PasskeyManager.ts
+var import_browser = require("@simplewebauthn/browser");
+var import_ethers2 = require("ethers");
+
+// src/utils.ts
+var import_ethers = require("ethers");
+function base64URLEncode(buffer) {
+  const bytes = Array.from(buffer);
+  const binary = String.fromCharCode(...bytes);
+  const base64 = btoa(binary);
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64URLDecode(str) {
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function parseDERSignature(signature) {
+  let offset = 0;
+  if (signature[offset++] !== 48) {
+    throw new Error("Invalid signature format");
+  }
+  offset++;
+  if (signature[offset++] !== 2) {
+    throw new Error("Invalid signature format");
+  }
+  const rLength = signature[offset++];
+  if (rLength === void 0) {
+    throw new Error("Invalid signature format: missing r length");
+  }
+  let r = signature.slice(offset, offset + rLength);
+  offset += rLength;
+  if (r[0] === 0 && r.length > 32) {
+    r = r.slice(1);
+  }
+  if (r.length < 32) {
+    const padded = new Uint8Array(32);
+    padded.set(r, 32 - r.length);
+    r = padded;
+  }
+  if (signature[offset++] !== 2) {
+    throw new Error("Invalid signature format");
+  }
+  const sLength = signature[offset++];
+  if (sLength === void 0) {
+    throw new Error("Invalid signature format: missing s length");
+  }
+  let s = signature.slice(offset, offset + sLength);
+  if (s[0] === 0 && s.length > 32) {
+    s = s.slice(1);
+  }
+  if (s.length < 32) {
+    const padded = new Uint8Array(32);
+    padded.set(s, 32 - s.length);
+    s = padded;
+  }
+  return { r, s };
+}
+function computeKeyHash(publicKeyX, publicKeyY) {
+  return import_ethers.ethers.keccak256(
+    import_ethers.ethers.solidityPacked(["uint256", "uint256"], [publicKeyX, publicKeyY])
+  );
+}
+
+// src/core/PasskeyManager.ts
+var VERIDEX_RP_ID = "veridex.network";
+function detectRpId(forceLocal) {
+  if (typeof window === "undefined") return "localhost";
+  const hostname = window.location.hostname;
+  if (hostname === "localhost" || hostname === "127.0.0.1" || /^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
+    return hostname;
+  }
+  if (forceLocal) {
+    const parts = hostname.split(".");
+    if (parts.length <= 2) {
+      return hostname;
+    }
+    return parts.slice(-2).join(".");
+  }
+  return VERIDEX_RP_ID;
+}
+async function supportsRelatedOrigins() {
+  if (typeof window === "undefined" || !window.PublicKeyCredential) {
+    return false;
+  }
+  if ("getClientCapabilities" in PublicKeyCredential) {
+    try {
+      const getCapabilities = PublicKeyCredential.getClientCapabilities;
+      const capabilities = await getCapabilities();
+      return capabilities?.relatedOrigins === true;
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+var PasskeyManager = class _PasskeyManager {
+  config;
+  credential = null;
+  constructor(config = {}) {
+    this.config = {
+      rpName: config.rpName ?? "Veridex Protocol",
+      rpId: config.rpId ?? detectRpId(),
+      timeout: config.timeout ?? 6e4,
+      userVerification: config.userVerification ?? "required",
+      authenticatorAttachment: config.authenticatorAttachment ?? "platform",
+      relayerUrl: config.relayerUrl ?? ""
+    };
+  }
+  static isSupported() {
+    return (0, import_browser.browserSupportsWebAuthn)();
+  }
+  static async isPlatformAuthenticatorAvailable() {
+    if (typeof window === "undefined" || !window.PublicKeyCredential) {
+      return false;
+    }
+    return await window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+  }
+  async register(username, displayName) {
+    if (!_PasskeyManager.isSupported()) {
+      throw new Error("WebAuthn is not supported in this browser");
+    }
+    const challenge = import_ethers2.ethers.randomBytes(32);
+    const challengeBase64 = base64URLEncode(challenge);
+    const options = {
+      challenge: challengeBase64,
+      rp: {
+        name: this.config.rpName,
+        id: this.config.rpId
+      },
+      user: {
+        id: base64URLEncode(import_ethers2.ethers.toUtf8Bytes(username)),
+        name: username,
+        displayName
+      },
+      pubKeyCredParams: [
+        { alg: -7, type: "public-key" },
+        // ES256 (P-256) - WebAuthn default
+        { alg: -257, type: "public-key" },
+        // RS256 - Widely supported
+        { alg: -8, type: "public-key" },
+        // EdDSA - Modern, efficient
+        { alg: -35, type: "public-key" },
+        // ES384 (P-384)
+        { alg: -36, type: "public-key" },
+        // ES512 (P-521)
+        { alg: -37, type: "public-key" }
+        // PS256 - RSA PSS
+      ],
+      authenticatorSelection: {
+        authenticatorAttachment: this.config.authenticatorAttachment,
+        userVerification: this.config.userVerification,
+        residentKey: "required",
+        requireResidentKey: true
+      },
+      timeout: this.config.timeout,
+      attestation: "none"
+    };
+    const response = await (0, import_browser.startRegistration)(options);
+    const publicKey = this.extractPublicKeyFromAttestation(response);
+    const keyHash = computeKeyHash(publicKey.x, publicKey.y);
+    this.credential = {
+      credentialId: response.id,
+      publicKeyX: publicKey.x,
+      publicKeyY: publicKey.y,
+      keyHash
+    };
+    return this.credential;
+  }
+  async sign(challenge) {
+    if (!this.credential) {
+      throw new Error("No credential set. Call register() or setCredential() first.");
+    }
+    const challengeBase64 = base64URLEncode(challenge);
+    const options = {
+      challenge: challengeBase64,
+      rpId: this.config.rpId,
+      allowCredentials: [
+        {
+          id: this.credential.credentialId,
+          type: "public-key",
+          transports: ["internal"]
+        }
+      ],
+      userVerification: this.config.userVerification,
+      timeout: this.config.timeout
+    };
+    const response = await (0, import_browser.startAuthentication)(options);
+    return this.parseAuthenticationResponse(response);
+  }
+  /**
+   * Authenticate using a discoverable credential (passkey)
+   * This allows sign-in without knowing the credential ID ahead of time.
+   * The authenticator will show all available passkeys for this RP.
+   * 
+   * @param challenge - Optional challenge bytes. If not provided, a random challenge is used.
+   * @returns The credential that was used to authenticate, along with the signature
+   */
+  async authenticate(challenge) {
+    if (!_PasskeyManager.isSupported()) {
+      throw new Error("WebAuthn is not supported in this browser");
+    }
+    const actualChallenge = challenge ?? import_ethers2.ethers.randomBytes(32);
+    const challengeBase64 = base64URLEncode(actualChallenge);
+    const options = {
+      challenge: challengeBase64,
+      rpId: this.config.rpId,
+      userVerification: this.config.userVerification,
+      timeout: this.config.timeout
+    };
+    const response = await (0, import_browser.startAuthentication)(options);
+    const credentialId = response.id;
+    const signature = this.parseAuthenticationResponse(response);
+    let storedCredential = this.findCredentialById(credentialId);
+    if (storedCredential) {
+      this.credential = storedCredential;
+      return { credential: storedCredential, signature };
+    }
+    if (this.config.relayerUrl) {
+      storedCredential = await this.loadCredentialFromRelayer(credentialId);
+      if (storedCredential) {
+        this.credential = storedCredential;
+        this.addCredentialToStorage(storedCredential);
+        return { credential: storedCredential, signature };
+      }
+    }
+    const hasRelayer = !!this.config.relayerUrl;
+    throw new Error(
+      "Credential not found. This passkey was registered on a different device or the data was cleared. " + (hasRelayer ? "The credential was not found. Please register a new passkey." : "Please register a new passkey or ensure the relayer URL is configured.")
+    );
+  }
+  /**
+   * Find a credential by ID in the list of stored credentials
+   */
+  findCredentialById(credentialId) {
+    if (typeof window === "undefined") return null;
+    const stored = this.getAllStoredCredentials();
+    return stored.find((c) => c.credentialId === credentialId) || null;
+  }
+  /**
+   * Get all credentials stored in localStorage
+   */
+  getAllStoredCredentials(key = "veridex_credentials") {
+    if (typeof window === "undefined") return [];
+    const stored = localStorage.getItem(key);
+    if (!stored) {
+      const legacy = localStorage.getItem("veridex_credential");
+      if (legacy) {
+        try {
+          const data = JSON.parse(legacy);
+          const cred = this.parseStoredCredential(data);
+          if (cred) {
+            this.saveCredentials([cred], key);
+            localStorage.removeItem("veridex_credential");
+            return [cred];
+          }
+        } catch (e) {
+        }
+      }
+      return [];
+    }
+    try {
+      const data = JSON.parse(stored);
+      if (Array.isArray(data)) {
+        return data.map((item) => this.parseStoredCredential(item)).filter((c) => c !== null);
+      }
+      return [];
+    } catch (error) {
+      console.error("Failed to load credentials:", error);
+      return [];
+    }
+  }
+  parseStoredCredential(data) {
+    try {
+      return {
+        credentialId: data.credentialId,
+        publicKeyX: BigInt(data.publicKeyX),
+        publicKeyY: BigInt(data.publicKeyY),
+        keyHash: data.keyHash
+      };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Save a list of credentials to localStorage
+   */
+  saveCredentials(credentials, key = "veridex_credentials") {
+    if (typeof window === "undefined") return;
+    const data = credentials.map((c) => ({
+      credentialId: c.credentialId,
+      publicKeyX: c.publicKeyX.toString(),
+      publicKeyY: c.publicKeyY.toString(),
+      keyHash: c.keyHash
+    }));
+    localStorage.setItem(key, JSON.stringify(data));
+  }
+  /**
+   * Add a single credential to storage (append or update)
+   */
+  addCredentialToStorage(credential, key = "veridex_credentials") {
+    const stored = this.getAllStoredCredentials(key);
+    const existingIndex = stored.findIndex((c) => c.credentialId === credential.credentialId);
+    if (existingIndex >= 0) {
+      stored[existingIndex] = credential;
+    } else {
+      stored.push(credential);
+    }
+    this.saveCredentials(stored, key);
+  }
+  /**
+   * Check if there's ANY stored credential for this RP
+   */
+  hasStoredCredential() {
+    return this.getAllStoredCredentials().length > 0;
+  }
+  getCredential() {
+    return this.credential;
+  }
+  setCredential(credential) {
+    this.credential = credential;
+  }
+  createCredentialFromPublicKey(credentialId, publicKeyX, publicKeyY) {
+    const keyHash = computeKeyHash(publicKeyX, publicKeyY);
+    this.credential = {
+      credentialId,
+      publicKeyX,
+      publicKeyY,
+      keyHash
+    };
+    return this.credential;
+  }
+  clearCredential() {
+    this.credential = null;
+  }
+  /**
+   * Save the current credential to localStorage (appends to list)
+   */
+  saveToLocalStorage(key = "veridex_credentials") {
+    if (!this.credential) {
+      throw new Error("No credential to save");
+    }
+    this.addCredentialToStorage(this.credential, key);
+  }
+  loadFromLocalStorage(key = "veridex_credentials") {
+    if (typeof window === "undefined") {
+      return null;
+    }
+    const stored = this.getAllStoredCredentials(key);
+    if (stored.length > 0) {
+      this.credential = stored[stored.length - 1];
+      return this.credential;
+    }
+    return null;
+  }
+  removeFromLocalStorage(key = "veridex_credentials") {
+    if (typeof window !== "undefined") {
+      localStorage.removeItem(key);
+      localStorage.removeItem("veridex_credential");
+    }
+  }
+  // =========================================================================
+  // Relayer-based Credential Storage (Cross-Device Recovery)
+  // =========================================================================
+  /**
+   * Save the current credential to the relayer for cross-device recovery.
+   * This should be called after registration.
+   */
+  async saveCredentialToRelayer() {
+    if (!this.credential) {
+      throw new Error("No credential to save");
+    }
+    if (!this.config.relayerUrl) {
+      console.warn("Relayer URL not configured; skipping remote credential storage");
+      return false;
+    }
+    try {
+      const response = await fetch(`${this.config.relayerUrl}/api/v1/credential`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          keyHash: this.credential.keyHash,
+          credentialId: this.credential.credentialId,
+          publicKeyX: this.credential.publicKeyX.toString(),
+          publicKeyY: this.credential.publicKeyY.toString()
+        })
+      });
+      if (!response.ok) {
+        const errorData = await response.json().catch(() => ({}));
+        console.error("Failed to save credential to relayer:", errorData);
+        return false;
+      }
+      console.log("Credential saved to relayer for cross-device recovery");
+      return true;
+    } catch (error) {
+      console.error("Failed to save credential to relayer:", error);
+      return false;
+    }
+  }
+  /**
+   * Load a credential from the relayer by credential ID.
+   * Used during discoverable credential authentication when localStorage is empty.
+   */
+  async loadCredentialFromRelayer(credentialId) {
+    if (!this.config.relayerUrl) {
+      return null;
+    }
+    try {
+      const response = await fetch(
+        `${this.config.relayerUrl}/api/v1/credential/by-id/${encodeURIComponent(credentialId)}`
+      );
+      if (!response.ok) {
+        return null;
+      }
+      const data = await response.json();
+      if (!data.exists) {
+        return null;
+      }
+      if (!data.credentialId || !data.publicKeyX || !data.publicKeyY || !data.keyHash) {
+        console.warn("Relayer returned incomplete credential data:", {
+          hasCredentialId: !!data.credentialId,
+          hasPublicKeyX: !!data.publicKeyX,
+          hasPublicKeyY: !!data.publicKeyY,
+          hasKeyHash: !!data.keyHash
+        });
+        return null;
+      }
+      return {
+        credentialId: data.credentialId,
+        publicKeyX: BigInt(data.publicKeyX),
+        publicKeyY: BigInt(data.publicKeyY),
+        keyHash: data.keyHash
+      };
+    } catch (error) {
+      console.error("Failed to load credential from relayer:", error);
+      return null;
+    }
+  }
+  /**
+   * Load a credential from the relayer by keyHash.
+   * Useful when you know the user's keyHash but not their credential ID.
+   */
+  async loadCredentialFromRelayerByKeyHash(keyHash) {
+    if (!this.config.relayerUrl) {
+      return null;
+    }
+    try {
+      const response = await fetch(
+        `${this.config.relayerUrl}/api/v1/credential/${encodeURIComponent(keyHash)}`
+      );
+      if (!response.ok) {
+        return null;
+      }
+      const data = await response.json();
+      if (!data.exists) {
+        return null;
+      }
+      if (!data.credentialId || !data.publicKeyX || !data.publicKeyY || !data.keyHash) {
+        console.warn("Relayer returned incomplete credential data for keyHash:", {
+          hasCredentialId: !!data.credentialId,
+          hasPublicKeyX: !!data.publicKeyX,
+          hasPublicKeyY: !!data.publicKeyY,
+          hasKeyHash: !!data.keyHash
+        });
+        return null;
+      }
+      return {
+        credentialId: data.credentialId,
+        publicKeyX: BigInt(data.publicKeyX),
+        publicKeyY: BigInt(data.publicKeyY),
+        keyHash: data.keyHash
+      };
+    } catch (error) {
+      console.error("Failed to load credential from relayer:", error);
+      return null;
+    }
+  }
+  // =========================================================================
+  // Backup Passkey & Device Migration (Phase 3)
+  // =========================================================================
+  /**
+   * Register a backup passkey for the current identity.
+   *
+   * This creates a new WebAuthn credential on this device/platform that becomes
+   * an additional authorized key for the same Veridex identity. The caller
+   * must submit the returned credential to VeridexHub.addKey() for on-chain registration.
+   *
+   * Use cases:
+   * - "Add this device" flow when signing in on a new machine
+   * - Proactive backup creation on a separate authenticator
+   * - Cross-ecosystem redundancy (iCloud + Google Password Manager)
+   *
+   * @param username - Username for the new credential (typically same as primary)
+   * @param displayName - Display name for the backup (e.g., "MacBook Pro Backup")
+   * @param excludeCredentialIds - Credential IDs to exclude (prevents re-registering same authenticator)
+   * @returns The newly registered backup credential
+   */
+  async registerBackupPasskey(username, displayName, excludeCredentialIds) {
+    if (!_PasskeyManager.isSupported()) {
+      throw new Error("WebAuthn is not supported in this browser");
+    }
+    const challenge = import_ethers2.ethers.randomBytes(32);
+    const challengeBase64 = base64URLEncode(challenge);
+    const excludeList = excludeCredentialIds ?? this.getAllStoredCredentials().map((c) => c.credentialId);
+    const options = {
+      challenge: challengeBase64,
+      rp: {
+        name: this.config.rpName,
+        id: this.config.rpId
+      },
+      user: {
+        id: base64URLEncode(import_ethers2.ethers.toUtf8Bytes(username)),
+        name: username,
+        displayName
+      },
+      pubKeyCredParams: [
+        { alg: -7, type: "public-key" },
+        // ES256 (P-256)
+        { alg: -257, type: "public-key" },
+        // RS256
+        { alg: -8, type: "public-key" }
+        // EdDSA
+      ],
+      excludeCredentials: excludeList.map((id) => ({
+        id,
+        type: "public-key",
+        transports: ["internal", "hybrid"]
+      })),
+      authenticatorSelection: {
+        // Allow cross-platform for backup on security keys
+        userVerification: this.config.userVerification,
+        residentKey: "required",
+        requireResidentKey: true
+      },
+      timeout: this.config.timeout,
+      attestation: "none"
+    };
+    const response = await (0, import_browser.startRegistration)(options);
+    const publicKey = this.extractPublicKeyFromAttestation(response);
+    const keyHash = computeKeyHash(publicKey.x, publicKey.y);
+    const backupCredential = {
+      credentialId: response.id,
+      publicKeyX: publicKey.x,
+      publicKeyY: publicKey.y,
+      keyHash
+    };
+    this.addCredentialToStorage(backupCredential);
+    return backupCredential;
+  }
+  /**
+   * Get registration info for backup state from a registration response.
+   *
+   * This extracts the backup eligibility (BE) and backup state (BS) flags
+   * from the authenticator data, which indicate whether the credential
+   * is eligible for cloud sync and whether it is currently synced.
+   *
+   * @param authenticatorData - Hex-encoded authenticator data from registration
+   * @returns Backup flags, or null if not determinable
+   */
+  static parseBackupFlags(authenticatorData) {
+    try {
+      const data = import_ethers2.ethers.getBytes(authenticatorData);
+      if (data.length < 37) return null;
+      const flags = data[32];
+      return {
+        backupEligible: (flags & 8) !== 0,
+        backupState: (flags & 16) !== 0
+      };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Get the number of credentials stored locally.
+   */
+  getStoredCredentialCount() {
+    return this.getAllStoredCredentials().length;
+  }
+  /**
+   * Get all credential IDs stored locally (for exclude lists).
+   */
+  getStoredCredentialIds() {
+    return this.getAllStoredCredentials().map((c) => c.credentialId);
+  }
+  extractPublicKeyFromAttestation(response) {
+    const attestationObject = base64URLDecode(response.response.attestationObject);
+    let offset = 0;
+    if (attestationObject[offset] >= 160 && attestationObject[offset] <= 191) {
+      offset++;
+    }
+    while (offset < attestationObject.length - 37) {
+      if (attestationObject[offset] === 104 && // text string, 8 bytes
+      attestationObject[offset + 1] === 97 && // 'a'
+      attestationObject[offset + 2] === 117 && // 'u'
+      attestationObject[offset + 3] === 116 && // 't'
+      attestationObject[offset + 4] === 104 && // 'h'
+      attestationObject[offset + 5] === 68 && // 'D'
+      attestationObject[offset + 6] === 97 && // 'a'
+      attestationObject[offset + 7] === 116 && // 't'
+      attestationObject[offset + 8] === 97) {
+        offset += 9;
+        break;
+      }
+      offset++;
+    }
+    if (attestationObject[offset] === 88 || attestationObject[offset] === 89) {
+      const lengthBytes = attestationObject[offset] === 88 ? 1 : 2;
+      offset += 1 + lengthBytes;
+    }
+    offset += 32;
+    offset += 1;
+    offset += 4;
+    offset += 16;
+    const credIdLen = attestationObject[offset] << 8 | attestationObject[offset + 1];
+    offset += 2;
+    offset += credIdLen;
+    const coseKey = attestationObject.slice(offset);
+    console.log("COSE key length:", coseKey.length);
+    console.log("COSE key hex:", this.bytesToHex(coseKey.slice(0, Math.min(100, coseKey.length))));
+    const { x, y } = this.parseCOSEKey(coseKey);
+    return { x, y };
+  }
+  parseCOSEKey(coseKey) {
+    console.log("COSE key length:", coseKey.length);
+    console.log("COSE key hex:", this.bytesToHex(coseKey));
+    const parsed = this.tryParseCOSEKeyStrategies(coseKey);
+    if (parsed) {
+      return parsed;
+    }
+    return this.parseCOSEKeyWithCBORStructure(coseKey);
+  }
+  tryParseCOSEKeyStrategies(coseKey) {
+    const keyBytes = new Uint8Array(coseKey);
+    for (let i = 0; i < keyBytes.length - 40; i++) {
+      if (keyBytes[i] === 88 && keyBytes[i + 1] === 32) {
+        const potentialX = keyBytes.slice(i + 2, i + 34);
+        for (let j = i + 34; j < keyBytes.length - 34; j++) {
+          if (keyBytes[j] === 88 && keyBytes[j + 1] === 32) {
+            const potentialY = keyBytes.slice(j + 2, j + 34);
+            if (this.isValidCoordinate(potentialX) && this.isValidCoordinate(potentialY)) {
+              console.log("Found coordinates via pattern matching");
+              return {
+                x: this.bytesToBigInt(potentialX),
+                y: this.bytesToBigInt(potentialY)
+              };
+            }
+          }
+        }
+      }
+    }
+    return this.tryParseASN1Structure(keyBytes);
+  }
+  parseCOSEKeyWithCBORStructure(coseKey) {
+    const bytes = new Uint8Array(coseKey);
+    let xBytes = null;
+    let yBytes = null;
+    let i = 0;
+    while (i < bytes.length) {
+      if (bytes[i] === 88) {
+        const length = bytes[i + 1];
+        if (length === 32) {
+          const start = i + 2;
+          const end = start + 32;
+          if (end <= bytes.length) {
+            const coordinate = bytes.slice(start, end);
+            if (!xBytes) {
+              xBytes = coordinate;
+              console.log("Found x at offset", i);
+            } else if (!yBytes) {
+              yBytes = coordinate;
+              console.log("Found y at offset", i);
+              break;
+            }
+          }
+          i = end;
+        } else {
+          i += length + 2;
+        }
+      } else if (bytes[i] === 66) {
+        if (i + 3 < bytes.length) {
+          const length = bytes[i + 1] << 8 | bytes[i + 2];
+          if (length === 32) {
+            const start = i + 3;
+            const end = start + 32;
+            if (end <= bytes.length) {
+              const coordinate = bytes.slice(start, end);
+              if (!xBytes) {
+                xBytes = coordinate;
+                console.log("Found x at offset", i);
+              } else if (!yBytes) {
+                yBytes = coordinate;
+                console.log("Found y at offset", i);
+                break;
+              }
+            }
+            i = end;
+          } else {
+            i += length + 3;
+          }
+        } else {
+          i++;
+        }
+      } else if (bytes[i] === 64) {
+        i++;
+        while (i < bytes.length && bytes[i] !== 255) {
+          if (bytes[i] === 4 && i + 65 <= bytes.length) {
+            const x = bytes.slice(i + 1, i + 33);
+            const y = bytes.slice(i + 33, i + 65);
+            if (this.isValidCoordinate(x) && this.isValidCoordinate(y)) {
+              xBytes = x;
+              yBytes = y;
+              console.log("Found coordinates in uncompressed point format");
+              break;
+            }
+          }
+          i++;
+        }
+        if (xBytes && yBytes) break;
+      } else {
+        i++;
+      }
+    }
+    if (!xBytes || !yBytes) {
+      const potentialCoords = this.find32ByteSequences(bytes);
+      if (potentialCoords.length >= 2) {
+        xBytes = potentialCoords[0];
+        yBytes = potentialCoords[1];
+        console.log("Fallback: Using first two 32-byte sequences as coordinates");
+      }
+    }
+    if (!xBytes || !yBytes) {
+      console.error("Failed to find coordinates in COSE key. Full dump:");
+      console.error("Hex:", this.bytesToHex(bytes));
+      console.error("Structure analysis:");
+      this.analyzeCOSEStructure(bytes);
+      throw new Error("Failed to extract public key coordinates from COSE key. Check console for details.");
+    }
+    return {
+      x: this.bytesToBigInt(xBytes),
+      y: this.bytesToBigInt(yBytes)
+    };
+  }
+  tryParseASN1Structure(bytes) {
+    if (bytes[0] === 48) {
+      let offset = 2;
+      if (bytes[offset] === 3) {
+        offset += 2;
+        if (bytes[offset] === 48) {
+          offset += 2;
+          offset += 12;
+          if (bytes[offset] === 3 && bytes[offset + 2] === 4) {
+            offset += 3;
+            const x = bytes.slice(offset, offset + 32);
+            const y = bytes.slice(offset + 32, offset + 64);
+            if (x.length === 32 && y.length === 32) {
+              console.log("Found coordinates via ASN.1 parsing");
+              return {
+                x: this.bytesToBigInt(x),
+                y: this.bytesToBigInt(y)
+              };
+            }
+          }
+        }
+      }
+    }
+    return null;
+  }
+  find32ByteSequences(bytes) {
+    const sequences = [];
+    for (let i = 0; i <= bytes.length - 32; i++) {
+      const sequence = bytes.slice(i, i + 32);
+      if (this.isValidCoordinate(sequence)) {
+        sequences.push(sequence);
+      }
+    }
+    return sequences;
+  }
+  isValidCoordinate(bytes) {
+    if (bytes.length !== 32) return false;
+    let allZeros = true;
+    let allOnes = true;
+    for (const byte of bytes) {
+      if (byte !== 0) allZeros = false;
+      if (byte !== 255) allOnes = false;
+    }
+    return !allZeros && !allOnes;
+  }
+  bytesToBigInt(bytes) {
+    return BigInt("0x" + this.bytesToHex(bytes));
+  }
+  bytesToHex(bytes) {
+    return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+  analyzeCOSEStructure(bytes) {
+    console.log("COSE Structure Analysis:");
+    console.log("First 20 bytes:", this.bytesToHex(bytes.slice(0, 20)));
+    const firstByte = bytes[0];
+    console.log("First byte (0x" + firstByte.toString(16) + "):");
+    if (firstByte >= 160 && firstByte <= 191) {
+      console.log("- Definite length map with", firstByte & 31, "pairs");
+    } else if (firstByte === 191) {
+      console.log("- Indefinite length map");
+    } else if (firstByte === 4) {
+      console.log("- Byte string");
+    } else if (firstByte === 2) {
+      console.log("- Negative integer");
+    }
+    let count32 = 0;
+    for (let i = 0; i <= bytes.length - 32; i++) {
+      const chunk = bytes.slice(i, i + 32);
+      if (this.isValidCoordinate(chunk)) {
+        console.log(
+          `Found valid 32-byte sequence at offset ${i}:`,
+          this.bytesToHex(chunk.slice(0, 8)) + "..."
+        );
+        count32++;
+      }
+    }
+    console.log(`Total valid 32-byte sequences: ${count32}`);
+    console.log("Looking for known markers:");
+    const markers = [
+      { byte: 4, name: "Uncompressed point marker" },
+      { byte: 3, name: "BIT STRING" },
+      { byte: 48, name: "SEQUENCE" },
+      { byte: 2, name: "INTEGER" },
+      { byte: 6, name: "OBJECT IDENTIFIER" },
+      { byte: 88, name: "Byte string with length byte" },
+      { byte: 66, name: "Byte string with 2-byte length" },
+      { byte: 64, name: "Byte string indefinite length" },
+      { byte: 160, name: "Map start" },
+      { byte: 191, name: "Indefinite map start" }
+    ];
+    for (const marker of markers) {
+      const indices = [];
+      for (let i = 0; i < bytes.length; i++) {
+        if (bytes[i] === marker.byte) {
+          indices.push(i);
+        }
+      }
+      if (indices.length > 0) {
+        console.log(`  ${marker.name} (0x${marker.byte.toString(16)}) at positions:`, indices.slice(0, 5).join(", "));
+      }
+    }
+  }
+  parseAuthenticationResponse(response) {
+    const authenticatorData = base64URLDecode(response.response.authenticatorData);
+    const clientDataJSON = response.response.clientDataJSON;
+    const signature = base64URLDecode(response.response.signature);
+    const { r, s } = parseDERSignature(signature);
+    const P256_N = BigInt("0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551");
+    const P256_N_DIV_2 = BigInt(
+      "0x7FFFFFFF800000007FFFFFFFFFFFFFFFDE737D56D38BCF4279DCE5617E3192A8"
+    );
+    const clientDataStr = new TextDecoder().decode(base64URLDecode(clientDataJSON));
+    const challengeIndex = clientDataStr.indexOf('"challenge"');
+    const typeIndex = clientDataStr.indexOf('"type"');
+    if (challengeIndex === -1 || typeIndex === -1) {
+      throw new Error("Invalid clientDataJSON format");
+    }
+    return {
+      authenticatorData: import_ethers2.ethers.hexlify(authenticatorData),
+      clientDataJSON: clientDataStr,
+      challengeIndex,
+      typeIndex,
+      r: this.bytesToBigInt(r),
+      s: (() => {
+        const sBig = this.bytesToBigInt(s);
+        return sBig > P256_N_DIV_2 ? P256_N - sBig : sBig;
+      })()
+    };
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  PasskeyManager,
+  VERIDEX_RP_ID,
+  detectRpId,
+  supportsRelatedOrigins
+});
+//# sourceMappingURL=passkey.js.map