@yannvr/auth 1.0.0

package/dist/client/auth-context.d.ts

@@ -0,0 +1,18 @@
+import React from 'react';
+import type { AuthUser } from '../types';
+interface AuthContextValue {
+    user: AuthUser | null;
+    isLoggedIn: boolean;
+    /** Call after a successful passkey flow to update client state */
+    setUser: (user: AuthUser | null) => void;
+    logout: () => Promise<void>;
+}
+interface AuthProviderProps {
+    /** Server-rendered initial user — pass from layout.tsx server component */
+    initialUser?: AuthUser | null;
+    children: React.ReactNode;
+}
+export declare function AuthProvider({ initialUser, children }: AuthProviderProps): import("react/jsx-runtime").JSX.Element;
+export declare function useAuth(): AuthContextValue;
+export {};
+//# sourceMappingURL=auth-context.d.ts.map

package/dist/client/auth-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-context.d.ts","sourceRoot":"","sources":["../../src/client/auth-context.tsx"],"names":[],"mappings":"AAEA,OAAO,KAA2D,MAAM,OAAO,CAAA;AAC/E,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAA;AAExC,UAAU,gBAAgB;IACxB,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAA;IACrB,UAAU,EAAE,OAAO,CAAA;IACnB,kEAAkE;IAClE,OAAO,EAAE,CAAC,IAAI,EAAE,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAA;IACxC,MAAM,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC5B;AAID,UAAU,iBAAiB;IACzB,2EAA2E;IAC3E,WAAW,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAA;IAC7B,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAA;CAC1B;AAED,wBAAgB,YAAY,CAAC,EAAE,WAAkB,EAAE,QAAQ,EAAE,EAAE,iBAAiB,2CAmB/E;AAED,wBAAgB,OAAO,IAAI,gBAAgB,CAI1C"}

package/dist/client/auth-context.js

@@ -0,0 +1,26 @@
+'use client';
+import { jsx as _jsx } from "react/jsx-runtime";
+import { createContext, useCallback, useContext, useState } from 'react';
+const AuthContext = createContext(null);
+export function AuthProvider({ initialUser = null, children }) {
+    const [user, setUser] = useState(initialUser);
+    const logout = useCallback(async () => {
+        try {
+            await fetch('/api/auth/logout', { method: 'POST' });
+        }
+        catch (_a) {
+            // best effort
+        }
+        setUser(null);
+        // Hard redirect to login — ensures server state is cleared too
+        window.location.href = '/login';
+    }, []);
+    return (_jsx(AuthContext.Provider, { value: { user, isLoggedIn: !!user, setUser, logout }, children: children }));
+}
+export function useAuth() {
+    const ctx = useContext(AuthContext);
+    if (!ctx)
+        throw new Error('useAuth must be used inside <AuthProvider>');
+    return ctx;
+}
+//# sourceMappingURL=auth-context.js.map

package/dist/client/auth-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-context.js","sourceRoot":"","sources":["../../src/client/auth-context.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAA;;AAEZ,OAAc,EAAE,aAAa,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAA;AAW/E,MAAM,WAAW,GAAG,aAAa,CAA0B,IAAI,CAAC,CAAA;AAQhE,MAAM,UAAU,YAAY,CAAC,EAAE,WAAW,GAAG,IAAI,EAAE,QAAQ,EAAqB;IAC9E,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,QAAQ,CAAkB,WAAW,CAAC,CAAA;IAE9D,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE;QACpC,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,kBAAkB,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QACrD,CAAC;QAAC,WAAM,CAAC;YACP,cAAc;QAChB,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAA;QACb,+DAA+D;QAC/D,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,QAAQ,CAAA;IACjC,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,OAAO,CACL,KAAC,WAAW,CAAC,QAAQ,IAAC,KAAK,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,YACvE,QAAQ,GACY,CACxB,CAAA;AACH,CAAC;AAED,MAAM,UAAU,OAAO;IACrB,MAAM,GAAG,GAAG,UAAU,CAAC,WAAW,CAAC,CAAA;IACnC,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAA;IACvE,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/client/index.d.ts

@@ -0,0 +1,4 @@
+export { AuthProvider, useAuth } from './auth-context';
+export { usePasskeyLogin } from './use-passkey-login';
+export type { AuthUser } from '../types';
+//# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AACrD,YAAY,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAA"}

package/dist/client/index.js

@@ -0,0 +1,3 @@
+export { AuthProvider, useAuth } from './auth-context';
+export { usePasskeyLogin } from './use-passkey-login';
+//# sourceMappingURL=index.js.map

package/dist/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA"}

package/dist/client/use-passkey-login.d.ts

@@ -0,0 +1,24 @@
+import type { AuthUser } from '../types';
+type Step = 'idle' | 'loading' | 'success' | 'error';
+interface PasskeyLoginState {
+    step: Step;
+    error: string | null;
+    user: AuthUser | null;
+    isSupported: boolean;
+}
+interface PasskeyLoginActions {
+    register: (email: string, name?: string) => Promise<AuthUser | null>;
+    authenticate: (email: string) => Promise<AuthUser | null>;
+    reset: () => void;
+}
+/**
+ * Headless hook — manages the full WebAuthn state machine.
+ * The server sets an HttpOnly session cookie on success; the hook returns the user
+ * for the caller to update React auth context.
+ *
+ * @example
+ * const { step, error, register, authenticate, isSupported } = usePasskeyLogin()
+ */
+export declare function usePasskeyLogin(): PasskeyLoginState & PasskeyLoginActions;
+export {};
+//# sourceMappingURL=use-passkey-login.d.ts.map

package/dist/client/use-passkey-login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"use-passkey-login.d.ts","sourceRoot":"","sources":["../../src/client/use-passkey-login.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAA;AAExC,KAAK,IAAI,GAAG,MAAM,GAAG,SAAS,GAAG,SAAS,GAAG,OAAO,CAAA;AAEpD,UAAU,iBAAiB;IACzB,IAAI,EAAE,IAAI,CAAA;IACV,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IACpB,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAA;IACrB,WAAW,EAAE,OAAO,CAAA;CACrB;AAED,UAAU,mBAAmB;IAC3B,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IACpE,YAAY,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IACzD,KAAK,EAAE,MAAM,IAAI,CAAA;CAClB;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,IAAI,iBAAiB,GAAG,mBAAmB,CAmFzE"}

package/dist/client/use-passkey-login.js

@@ -0,0 +1,92 @@
+'use client';
+import { useState, useCallback } from 'react';
+import { startRegistration, startAuthentication } from '@simplewebauthn/browser';
+/**
+ * Headless hook — manages the full WebAuthn state machine.
+ * The server sets an HttpOnly session cookie on success; the hook returns the user
+ * for the caller to update React auth context.
+ *
+ * @example
+ * const { step, error, register, authenticate, isSupported } = usePasskeyLogin()
+ */
+export function usePasskeyLogin() {
+    const [step, setStep] = useState('idle');
+    const [error, setError] = useState(null);
+    const [user, setUser] = useState(null);
+    const isSupported = typeof window !== 'undefined' &&
+        'credentials' in navigator &&
+        'create' in navigator.credentials;
+    const register = useCallback(async (email, name) => {
+        var _a, _b;
+        setStep('loading');
+        setError(null);
+        try {
+            const optRes = await fetch('/api/auth/passkey/register', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ email, name }),
+            });
+            if (!optRes.ok)
+                throw new Error((_a = (await optRes.json()).error) !== null && _a !== void 0 ? _a : 'Registration failed');
+            const { registrationOptions } = await optRes.json();
+            const credential = await startRegistration(registrationOptions);
+            const verifyRes = await fetch('/api/auth/passkey/verify-registration', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ email, credential }),
+            });
+            if (!verifyRes.ok)
+                throw new Error((_b = (await verifyRes.json()).error) !== null && _b !== void 0 ? _b : 'Verification failed');
+            const { user: loggedInUser } = await verifyRes.json();
+            setUser(loggedInUser);
+            setStep('success');
+            return loggedInUser;
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : 'Registration failed';
+            setError(msg);
+            setStep('error');
+            return null;
+        }
+    }, []);
+    const authenticate = useCallback(async (email) => {
+        var _a, _b;
+        setStep('loading');
+        setError(null);
+        try {
+            const optRes = await fetch('/api/auth/passkey/authenticate', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ email }),
+            });
+            if (!optRes.ok)
+                throw new Error((_a = (await optRes.json()).error) !== null && _a !== void 0 ? _a : 'Authentication failed');
+            const { authenticationOptions } = await optRes.json();
+            const credential = await startAuthentication(authenticationOptions);
+            const verifyRes = await fetch('/api/auth/passkey/verify-authentication', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ email, credential }),
+            });
+            if (!verifyRes.ok)
+                throw new Error((_b = (await verifyRes.json()).error) !== null && _b !== void 0 ? _b : 'Verification failed');
+            const { user: loggedInUser } = await verifyRes.json();
+            setUser(loggedInUser);
+            setStep('success');
+            return loggedInUser;
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : 'Authentication failed';
+            setError(msg);
+            setStep('error');
+            return null;
+        }
+    }, []);
+    const reset = useCallback(() => {
+        setStep('idle');
+        setError(null);
+        setUser(null);
+    }, []);
+    return { step, error, user, isSupported, register, authenticate, reset };
+}
+//# sourceMappingURL=use-passkey-login.js.map

package/dist/client/use-passkey-login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"use-passkey-login.js","sourceRoot":"","sources":["../../src/client/use-passkey-login.ts"],"names":[],"mappings":"AAAA,YAAY,CAAA;AAEZ,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,OAAO,CAAA;AAC7C,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAA;AAkBhF;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,QAAQ,CAAO,MAAM,CAAC,CAAA;IAC9C,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,GAAG,QAAQ,CAAgB,IAAI,CAAC,CAAA;IACvD,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,QAAQ,CAAkB,IAAI,CAAC,CAAA;IAEvD,MAAM,WAAW,GACf,OAAO,MAAM,KAAK,WAAW;QAC7B,aAAa,IAAI,SAAS;QAC1B,QAAQ,IAAI,SAAS,CAAC,WAAW,CAAA;IAEnC,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,EAAE,KAAa,EAAE,IAAa,EAA4B,EAAE;;QAC5F,OAAO,CAAC,SAAS,CAAC,CAAA;QAClB,QAAQ,CAAC,IAAI,CAAC,CAAA;QACd,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,4BAA4B,EAAE;gBACvD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;aACtC,CAAC,CAAA;YACF,IAAI,CAAC,MAAM,CAAC,EAAE;gBAAE,MAAM,IAAI,KAAK,CAAC,MAAA,CAAC,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,mCAAI,qBAAqB,CAAC,CAAA;YAErF,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAA;YACnD,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,mBAAmB,CAAC,CAAA;YAE/D,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,uCAAuC,EAAE;gBACrE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;aAC5C,CAAC,CAAA;YACF,IAAI,CAAC,SAAS,CAAC,EAAE;gBAAE,MAAM,IAAI,KAAK,CAAC,MAAA,CAAC,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,mCAAI,qBAAqB,CAAC,CAAA;YAE3F,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,CAAA;YACrD,OAAO,CAAC,YAAY,CAAC,CAAA;YACrB,OAAO,CAAC,SAAS,CAAC,CAAA;YAClB,OAAO,YAAY,CAAA;QACrB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB,CAAA;YACtE,QAAQ,CAAC,GAAG,CAAC,CAAA;YACb,OAAO,CAAC,OAAO,CAAC,CAAA;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,MAAM,YAAY,GAAG,WAAW,CAAC,KAAK,EAAE,KAAa,EAA4B,EAAE;;QACjF,OAAO,CAAC,SAAS,CAAC,CAAA;QAClB,QAAQ,CAAC,IAAI,CAAC,CAAA;QACd,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,gCAAgC,EAAE;gBAC3D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;aAChC,CAAC,CAAA;YACF,IAAI,CAAC,MAAM,CAAC,EAAE;gBAAE,MAAM,IAAI,KAAK,CAAC,MAAA,CAAC,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,mCAAI,uBAAuB,CAAC,CAAA;YAEvF,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAA;YACrD,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAAC,qBAAqB,CAAC,CAAA;YAEnE,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,yCAAyC,EAAE;gBACvE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;aAC5C,CAAC,CAAA;YACF,IAAI,CAAC,SAAS,CAAC,EAAE;gBAAE,MAAM,IAAI,KAAK,CAAC,MAAA,CAAC,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,mCAAI,qBAAqB,CAAC,CAAA;YAE3F,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,CAAA;YACrD,OAAO,CAAC,YAAY,CAAC,CAAA;YACrB,OAAO,CAAC,SAAS,CAAC,CAAA;YAClB,OAAO,YAAY,CAAA;QACrB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAA;YACxE,QAAQ,CAAC,GAAG,CAAC,CAAA;YACb,OAAO,CAAC,OAAO,CAAC,CAAA;YAChB,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE;QAC7B,OAAO,CAAC,MAAM,CAAC,CAAA;QACf,QAAQ,CAAC,IAAI,CAAC,CAAA;QACd,OAAO,CAAC,IAAI,CAAC,CAAA;IACf,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,CAAA;AAC1E,CAAC"}

package/dist/server/challenge-store.d.ts

@@ -0,0 +1,13 @@
+declare class ChallengeStore {
+    private store;
+    private cleanupTimer;
+    constructor();
+    set(key: string, challenge: string, ttlMs?: number): void;
+    get(key: string): string | null;
+    delete(key: string): void;
+    private cleanup;
+    destroy(): void;
+}
+export declare const challengeStore: ChallengeStore;
+export {};
+//# sourceMappingURL=challenge-store.d.ts.map

package/dist/server/challenge-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge-store.d.ts","sourceRoot":"","sources":["../../src/server/challenge-store.ts"],"names":[],"mappings":"AAKA,cAAM,cAAc;IAClB,OAAO,CAAC,KAAK,CAAoC;IACjD,OAAO,CAAC,YAAY,CAAgB;;IAMpC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,SAAS,GAAG,IAAI;IAIzD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAU/B,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAIzB,OAAO,CAAC,OAAO;IAOf,OAAO,IAAI,IAAI;CAIhB;AAGD,eAAO,MAAM,cAAc,gBAAuB,CAAA"}

package/dist/server/challenge-store.js

@@ -0,0 +1,36 @@
+class ChallengeStore {
+    constructor() {
+        this.store = new Map();
+        this.cleanupTimer = setInterval(() => this.cleanup(), 5 * 60 * 1000);
+    }
+    set(key, challenge, ttlMs = 60000) {
+        this.store.set(key, { challenge, expiresAt: Date.now() + ttlMs });
+    }
+    get(key) {
+        const entry = this.store.get(key);
+        if (!entry)
+            return null;
+        if (Date.now() > entry.expiresAt) {
+            this.store.delete(key);
+            return null;
+        }
+        return entry.challenge;
+    }
+    delete(key) {
+        this.store.delete(key);
+    }
+    cleanup() {
+        const now = Date.now();
+        for (const [key, entry] of this.store.entries()) {
+            if (now > entry.expiresAt)
+                this.store.delete(key);
+        }
+    }
+    destroy() {
+        clearInterval(this.cleanupTimer);
+        this.store.clear();
+    }
+}
+// Module-level singleton — one instance per Node.js process
+export const challengeStore = new ChallengeStore();
+//# sourceMappingURL=challenge-store.js.map

package/dist/server/challenge-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge-store.js","sourceRoot":"","sources":["../../src/server/challenge-store.ts"],"names":[],"mappings":"AAKA,MAAM,cAAc;IAIlB;QAHQ,UAAK,GAAG,IAAI,GAAG,EAA0B,CAAA;QAI/C,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IACtE,CAAC;IAED,GAAG,CAAC,GAAW,EAAE,SAAiB,EAAE,KAAK,GAAG,KAAM;QAChD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC,CAAA;IACnE,CAAC;IAED,GAAG,CAAC,GAAW;QACb,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QACjC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YACtB,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,KAAK,CAAC,SAAS,CAAA;IACxB,CAAC;IAED,MAAM,CAAC,GAAW;QAChB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;IACxB,CAAC;IAEO,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YAChD,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS;gBAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACnD,CAAC;IACH,CAAC;IAED,OAAO;QACL,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAChC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAA;IACpB,CAAC;CACF;AAED,4DAA4D;AAC5D,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,cAAc,EAAE,CAAA"}

package/dist/server/cookie.d.ts

@@ -0,0 +1,4 @@
+import { NextResponse } from 'next/server';
+export declare function setSessionCookie(response: NextResponse, token: string): void;
+export declare function clearSessionCookie(response: NextResponse): void;
+//# sourceMappingURL=cookie.d.ts.map

package/dist/server/cookie.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie.d.ts","sourceRoot":"","sources":["../../src/server/cookie.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAG1C,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAQ5E;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,YAAY,GAAG,IAAI,CAQ/D"}

package/dist/server/cookie.js

@@ -0,0 +1,20 @@
+import { SESSION_COOKIE, SESSION_MAX_AGE_SECONDS } from '../types';
+export function setSessionCookie(response, token) {
+    response.cookies.set(SESSION_COOKIE, token, {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'lax',
+        maxAge: SESSION_MAX_AGE_SECONDS,
+        path: '/',
+    });
+}
+export function clearSessionCookie(response) {
+    response.cookies.set(SESSION_COOKIE, '', {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'lax',
+        maxAge: 0,
+        path: '/',
+    });
+}
+//# sourceMappingURL=cookie.js.map

package/dist/server/cookie.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie.js","sourceRoot":"","sources":["../../src/server/cookie.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAA;AAElE,MAAM,UAAU,gBAAgB,CAAC,QAAsB,EAAE,KAAa;IACpE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,KAAK,EAAE;QAC1C,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAC7C,QAAQ,EAAE,KAAK;QACf,MAAM,EAAE,uBAAuB;QAC/B,IAAI,EAAE,GAAG;KACV,CAAC,CAAA;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,QAAsB;IACvD,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,EAAE,EAAE;QACvC,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAC7C,QAAQ,EAAE,KAAK;QACf,MAAM,EAAE,CAAC;QACT,IAAI,EAAE,GAAG;KACV,CAAC,CAAA;AACJ,CAAC"}

package/dist/server/index.d.ts

@@ -0,0 +1,9 @@
+export { signToken, verifyToken } from './jwt';
+export { setSessionCookie, clearSessionCookie } from './cookie';
+export { challengeStore } from './challenge-store';
+export { createWebAuthnConfig } from './webauthn';
+export { handlePasskeyRegister, handlePasskeyVerifyRegistration, handlePasskeyAuthenticate, handlePasskeyVerifyAuthentication, } from './webauthn';
+export { createAuthMiddleware } from './middleware';
+export { requireAuth, getServerUser, unauthorized } from './require-auth';
+export type { WebAuthnConfig, AuthUser, JWTPayload, AuthPrismaClient } from '../types';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,OAAO,CAAA;AAC9C,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AACjD,OAAO,EACL,qBAAqB,EACrB,+BAA+B,EAC/B,yBAAyB,EACzB,iCAAiC,GAClC,MAAM,YAAY,CAAA;AACnB,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AACzE,YAAY,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAA"}

package/dist/server/index.js

@@ -0,0 +1,8 @@
+export { signToken, verifyToken } from './jwt';
+export { setSessionCookie, clearSessionCookie } from './cookie';
+export { challengeStore } from './challenge-store';
+export { createWebAuthnConfig } from './webauthn';
+export { handlePasskeyRegister, handlePasskeyVerifyRegistration, handlePasskeyAuthenticate, handlePasskeyVerifyAuthentication, } from './webauthn';
+export { createAuthMiddleware } from './middleware';
+export { requireAuth, getServerUser, unauthorized } from './require-auth';
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,OAAO,CAAA;AAC9C,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAA;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AACjD,OAAO,EACL,qBAAqB,EACrB,+BAA+B,EAC/B,yBAAyB,EACzB,iCAAiC,GAClC,MAAM,YAAY,CAAA;AACnB,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAA;AACnD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/server/jwt.d.ts

@@ -0,0 +1,4 @@
+import type { JWTPayload } from '../types';
+export declare function signToken(payload: Omit<JWTPayload, 'iat' | 'exp'>, secret: string): string;
+export declare function verifyToken(token: string, secret: string): JWTPayload | null;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/server/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/server/jwt.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAA;AAE1C,wBAAgB,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,GAAG,KAAK,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAE1F;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAM5E"}

package/dist/server/jwt.js

@@ -0,0 +1,13 @@
+import jwt from 'jsonwebtoken';
+export function signToken(payload, secret) {
+    return jwt.sign(payload, secret, { expiresIn: '7d' });
+}
+export function verifyToken(token, secret) {
+    try {
+        return jwt.verify(token, secret);
+    }
+    catch (_a) {
+        return null;
+    }
+}
+//# sourceMappingURL=jwt.js.map

package/dist/server/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/server/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAA;AAG9B,MAAM,UAAU,SAAS,CAAC,OAAwC,EAAE,MAAc;IAChF,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;AACvD,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAa,EAAE,MAAc;IACvD,IAAI,CAAC;QACH,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAe,CAAA;IAChD,CAAC;IAAC,WAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/server/middleware.d.ts

@@ -0,0 +1,12 @@
+import { NextRequest, NextResponse } from 'next/server';
+interface AuthMiddlewareConfig {
+    /** Path prefixes that skip auth. Defaults to ['/login', '/api/auth', '/_next', '/favicon.ico'] */
+    publicPaths?: string[];
+    /** Where to redirect unauthenticated requests. Defaults to '/login' */
+    loginPath?: string;
+    /** JWT secret. Defaults to process.env.JWT_SECRET */
+    jwtSecret?: string;
+}
+export declare function createAuthMiddleware(config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse>;
+export {};
+//# sourceMappingURL=middleware.d.ts.map

package/dist/server/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAIvD,UAAU,oBAAoB;IAC5B,kGAAkG;IAClG,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,qDAAqD;IACrD,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,wBAAgB,oBAAoB,CAAC,MAAM,GAAE,oBAAyB,IAOnC,SAAS,WAAW,KAAG,OAAO,CAAC,YAAY,CAAC,CAkC9E"}

package/dist/server/middleware.js

@@ -0,0 +1,34 @@
+import { NextResponse } from 'next/server';
+import { SESSION_COOKIE } from '../types';
+import { verifyToken } from './jwt';
+export function createAuthMiddleware(config = {}) {
+    const { publicPaths = ['/login', '/api/auth', '/_next', '/favicon.ico'], loginPath = '/login', jwtSecret, } = config;
+    return async function middleware(request) {
+        var _a;
+        const { pathname } = request.nextUrl;
+        if (publicPaths.some((p) => pathname.startsWith(p))) {
+            return NextResponse.next();
+        }
+        const secret = jwtSecret !== null && jwtSecret !== void 0 ? jwtSecret : process.env.JWT_SECRET;
+        if (!secret) {
+            console.error('[auth] JWT_SECRET is not set');
+            return NextResponse.redirect(new URL(loginPath, request.url));
+        }
+        const token = (_a = request.cookies.get(SESSION_COOKIE)) === null || _a === void 0 ? void 0 : _a.value;
+        if (!token) {
+            return NextResponse.redirect(new URL(loginPath, request.url));
+        }
+        const payload = verifyToken(token, secret);
+        if (!payload) {
+            const response = NextResponse.redirect(new URL(loginPath, request.url));
+            response.cookies.delete(SESSION_COOKIE);
+            return response;
+        }
+        // Forward user identity to server components and API routes via headers
+        const headers = new Headers(request.headers);
+        headers.set('x-user-id', payload.userId);
+        headers.set('x-user-email', payload.email);
+        return NextResponse.next({ request: { headers } });
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/server/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/server/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAe,YAAY,EAAE,MAAM,aAAa,CAAA;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,OAAO,CAAA;AAWnC,MAAM,UAAU,oBAAoB,CAAC,SAA+B,EAAE;IACpE,MAAM,EACJ,WAAW,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,CAAC,EAC/D,SAAS,GAAG,QAAQ,EACpB,SAAS,GACV,GAAG,MAAM,CAAA;IAEV,OAAO,KAAK,UAAU,UAAU,CAAC,OAAoB;;QACnD,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,OAAO,CAAA;QAEpC,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,OAAO,YAAY,CAAC,IAAI,EAAE,CAAA;QAC5B,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;QAClD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAA;YAC7C,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAA;QAC/D,CAAC;QAED,MAAM,KAAK,GAAG,MAAA,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,0CAAE,KAAK,CAAA;QAExD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAA;QAC/D,CAAC;QAED,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QAE1C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAA;YACvE,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;YACvC,OAAO,QAAQ,CAAA;QACjB,CAAC;QAED,wEAAwE;QACxE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;QAC5C,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,CAAA;QACxC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;QAE1C,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAA;IACpD,CAAC,CAAA;AACH,CAAC"}

package/dist/server/require-auth.d.ts

@@ -0,0 +1,25 @@
+import { NextResponse } from 'next/server';
+import type { JWTPayload } from '../types';
+/**
+ * For use in API route handlers (POST/PUT/DELETE etc.)
+ * Reads the session cookie and verifies the JWT.
+ * Returns the payload or null if unauthenticated.
+ *
+ * @example
+ * export async function POST(req: Request) {
+ *   const user = await requireAuth()
+ *   if (!user) return unauthorized()
+ *   // ...
+ * }
+ */
+export declare function requireAuth(jwtSecret?: string): Promise<JWTPayload | null>;
+/**
+ * For use in Server Components — reads the user injected by middleware headers.
+ * Faster than requireAuth() as it skips JWT verification (middleware already did it).
+ */
+export declare function getServerUser(): Promise<{
+    userId: string;
+    email: string;
+} | null>;
+export declare function unauthorized(): NextResponse;
+//# sourceMappingURL=require-auth.d.ts.map

package/dist/server/require-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-auth.d.ts","sourceRoot":"","sources":["../../src/server/require-auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAG1C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAA;AAE1C;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAShF;AAED;;;GAGG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAMvF;AAED,wBAAgB,YAAY,IAAI,YAAY,CAE3C"}

package/dist/server/require-auth.js

@@ -0,0 +1,43 @@
+import { cookies, headers } from 'next/headers';
+import { NextResponse } from 'next/server';
+import { SESSION_COOKIE } from '../types';
+import { verifyToken } from './jwt';
+/**
+ * For use in API route handlers (POST/PUT/DELETE etc.)
+ * Reads the session cookie and verifies the JWT.
+ * Returns the payload or null if unauthenticated.
+ *
+ * @example
+ * export async function POST(req: Request) {
+ *   const user = await requireAuth()
+ *   if (!user) return unauthorized()
+ *   // ...
+ * }
+ */
+export async function requireAuth(jwtSecret) {
+    var _a;
+    const secret = jwtSecret !== null && jwtSecret !== void 0 ? jwtSecret : process.env.JWT_SECRET;
+    if (!secret)
+        return null;
+    const cookieStore = await cookies();
+    const token = (_a = cookieStore.get(SESSION_COOKIE)) === null || _a === void 0 ? void 0 : _a.value;
+    if (!token)
+        return null;
+    return verifyToken(token, secret);
+}
+/**
+ * For use in Server Components — reads the user injected by middleware headers.
+ * Faster than requireAuth() as it skips JWT verification (middleware already did it).
+ */
+export async function getServerUser() {
+    const headerStore = await headers();
+    const userId = headerStore.get('x-user-id');
+    const email = headerStore.get('x-user-email');
+    if (!userId || !email)
+        return null;
+    return { userId, email };
+}
+export function unauthorized() {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+}
+//# sourceMappingURL=require-auth.js.map

package/dist/server/require-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-auth.js","sourceRoot":"","sources":["../../src/server/require-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,OAAO,CAAA;AAGnC;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,SAAkB;;IAClD,MAAM,MAAM,GAAG,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;IAClD,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IAExB,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAA;IACnC,MAAM,KAAK,GAAG,MAAA,WAAW,CAAC,GAAG,CAAC,cAAc,CAAC,0CAAE,KAAK,CAAA;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IAEvB,OAAO,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;AACnC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,WAAW,GAAG,MAAM,OAAO,EAAE,CAAA;IACnC,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IAC3C,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;IAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IAClC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAA;AAC1B,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;AACtE,CAAC"}

package/dist/server/webauthn.d.ts

@@ -0,0 +1,21 @@
+import { NextRequest, NextResponse } from 'next/server';
+import type { WebAuthnConfig, AuthPrismaClient } from '../types';
+export declare function createWebAuthnConfig(config: {
+    rpName: string;
+    rpID: string;
+    /** Full origin URL e.g. https://intel.hyperdrift.io or http://localhost:3000 */
+    origin: string;
+}): WebAuthnConfig;
+interface HandlerConfig {
+    webAuthnConfig: WebAuthnConfig;
+    prisma: AuthPrismaClient;
+}
+interface VerifyConfig extends HandlerConfig {
+    jwtSecret?: string;
+}
+export declare function handlePasskeyRegister(request: NextRequest, { webAuthnConfig, prisma }: HandlerConfig): Promise<NextResponse>;
+export declare function handlePasskeyVerifyRegistration(request: NextRequest, { webAuthnConfig, prisma, jwtSecret }: VerifyConfig): Promise<NextResponse>;
+export declare function handlePasskeyAuthenticate(request: NextRequest, { webAuthnConfig, prisma }: HandlerConfig): Promise<NextResponse>;
+export declare function handlePasskeyVerifyAuthentication(request: NextRequest, { webAuthnConfig, prisma, jwtSecret }: VerifyConfig): Promise<NextResponse>;
+export {};
+//# sourceMappingURL=webauthn.d.ts.map

package/dist/server/webauthn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webauthn.d.ts","sourceRoot":"","sources":["../../src/server/webauthn.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AACvD,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAA;AAMhE,wBAAgB,oBAAoB,CAAC,MAAM,EAAE;IAC3C,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,gFAAgF;IAChF,MAAM,EAAE,MAAM,CAAA;CACf,GAAG,cAAc,CAOjB;AAED,UAAU,aAAa;IACrB,cAAc,EAAE,cAAc,CAAA;IAC9B,MAAM,EAAE,gBAAgB,CAAA;CACzB;AAED,UAAU,YAAa,SAAQ,aAAa;IAC1C,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAID,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,WAAW,EACpB,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,aAAa,GACxC,OAAO,CAAC,YAAY,CAAC,CA0CvB;AAID,wBAAsB,+BAA+B,CACnD,OAAO,EAAE,WAAW,EACpB,EAAE,cAAc,EAAE,MAAM,EAAE,SAAmC,EAAE,EAAE,YAAY,GAC5E,OAAO,CAAC,YAAY,CAAC,CA6DvB;AAID,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,WAAW,EACpB,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,aAAa,GACxC,OAAO,CAAC,YAAY,CAAC,CA+BvB;AAID,wBAAsB,iCAAiC,CACrD,OAAO,EAAE,WAAW,EACpB,EAAE,cAAc,EAAE,MAAM,EAAE,SAAmC,EAAE,EAAE,YAAY,GAC5E,OAAO,CAAC,YAAY,CAAC,CA+DvB"}

package/dist/server/webauthn.js

@@ -0,0 +1,199 @@
+import { generateRegistrationOptions, verifyRegistrationResponse, generateAuthenticationOptions, verifyAuthenticationResponse, } from '@simplewebauthn/server';
+import { NextResponse } from 'next/server';
+import { SESSION_MAX_AGE_SECONDS } from '../types';
+import { signToken } from './jwt';
+import { setSessionCookie } from './cookie';
+import { challengeStore } from './challenge-store';
+export function createWebAuthnConfig(config) {
+    return {
+        rpName: config.rpName,
+        rpID: config.rpID,
+        origin: config.origin,
+        expectedOrigin: config.origin,
+    };
+}
+// ── POST /api/auth/passkey/register ───────────────────────────────────────────
+export async function handlePasskeyRegister(request, { webAuthnConfig, prisma }) {
+    var _a, _b;
+    try {
+        const { email, name } = await request.json();
+        if (!email)
+            return NextResponse.json({ error: 'Email is required' }, { status: 400 });
+        let user = await prisma.user.findUnique({ where: { email }, include: { passkeys: true } });
+        if (!user) {
+            user = await prisma.user.create({
+                data: { email, name: name !== null && name !== void 0 ? name : email.split('@')[0] },
+                include: { passkeys: true },
+            });
+        }
+        const passkeys = (_a = user.passkeys) !== null && _a !== void 0 ? _a : [];
+        const options = await generateRegistrationOptions({
+            rpName: webAuthnConfig.rpName,
+            rpID: webAuthnConfig.rpID,
+            userID: new TextEncoder().encode(user.id),
+            userName: user.email,
+            userDisplayName: (_b = user.name) !== null && _b !== void 0 ? _b : user.email,
+            attestationType: 'none',
+            excludeCredentials: passkeys.map((pk) => ({
+                id: pk.credentialId,
+                type: 'public-key',
+                transports: pk.transports,
+            })),
+            authenticatorSelection: {
+                residentKey: 'preferred',
+                userVerification: 'preferred',
+                authenticatorAttachment: 'platform',
+            },
+        });
+        challengeStore.set(email, options.challenge);
+        return NextResponse.json({ registrationOptions: options, userId: user.id });
+    }
+    catch (err) {
+        console.error('[auth] passkey register error:', err);
+        return NextResponse.json({ error: 'Failed to initiate passkey registration' }, { status: 500 });
+    }
+}
+// ── POST /api/auth/passkey/verify-registration ────────────────────────────────
+export async function handlePasskeyVerifyRegistration(request, { webAuthnConfig, prisma, jwtSecret = process.env.JWT_SECRET }) {
+    var _a, _b;
+    try {
+        const { email, credential } = await request.json();
+        if (!email || !credential) {
+            return NextResponse.json({ error: 'Email and credential are required' }, { status: 400 });
+        }
+        const expectedChallenge = challengeStore.get(email);
+        if (!expectedChallenge) {
+            return NextResponse.json({ error: 'Challenge expired — please try again' }, { status: 400 });
+        }
+        const user = await prisma.user.findUnique({ where: { email } });
+        if (!user)
+            return NextResponse.json({ error: 'User not found' }, { status: 404 });
+        const verification = await verifyRegistrationResponse({
+            response: credential,
+            expectedChallenge,
+            expectedOrigin: webAuthnConfig.expectedOrigin,
+            expectedRPID: webAuthnConfig.rpID,
+            requireUserVerification: true,
+        });
+        if (!verification.verified || !verification.registrationInfo) {
+            return NextResponse.json({ error: 'Passkey verification failed' }, { status: 400 });
+        }
+        const { credential: cred, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
+        await prisma.passkey.create({
+            data: {
+                userId: user.id,
+                credentialId: Buffer.from(cred.id).toString('base64url'),
+                publicKey: Buffer.from(cred.publicKey),
+                counter: BigInt((_a = cred.counter) !== null && _a !== void 0 ? _a : 0),
+                deviceType: credentialDeviceType !== null && credentialDeviceType !== void 0 ? credentialDeviceType : 'unknown',
+                backedUp: credentialBackedUp !== null && credentialBackedUp !== void 0 ? credentialBackedUp : false,
+                transports: (_b = cred.transports) !== null && _b !== void 0 ? _b : [],
+            },
+        });
+        challengeStore.delete(email);
+        const token = signToken({ userId: user.id, email: user.email }, jwtSecret);
+        await prisma.session.create({
+            data: {
+                userId: user.id,
+                token,
+                expiresAt: new Date(Date.now() + SESSION_MAX_AGE_SECONDS * 1000),
+            },
+        });
+        const safeUser = { id: user.id, email: user.email, name: user.name, createdAt: user.createdAt, updatedAt: user.updatedAt };
+        const response = NextResponse.json({ success: true, user: safeUser });
+        setSessionCookie(response, token);
+        return response;
+    }
+    catch (err) {
+        console.error('[auth] passkey verify-registration error:', err);
+        return NextResponse.json({ error: 'Failed to verify passkey registration' }, { status: 500 });
+    }
+}
+// ── POST /api/auth/passkey/authenticate ──────────────────────────────────────
+export async function handlePasskeyAuthenticate(request, { webAuthnConfig, prisma }) {
+    var _a;
+    try {
+        const { email } = await request.json();
+        if (!email)
+            return NextResponse.json({ error: 'Email is required' }, { status: 400 });
+        const user = await prisma.user.findUnique({ where: { email }, include: { passkeys: true } });
+        if (!user || !((_a = user.passkeys) === null || _a === void 0 ? void 0 : _a.length)) {
+            return NextResponse.json({ error: 'No passkeys found for this email. Please register first.' }, { status: 404 });
+        }
+        const options = await generateAuthenticationOptions({
+            rpID: webAuthnConfig.rpID,
+            allowCredentials: user.passkeys.map((pk) => ({
+                id: pk.credentialId,
+                type: 'public-key',
+                transports: pk.transports,
+            })),
+            userVerification: 'preferred',
+        });
+        challengeStore.set(email, options.challenge);
+        return NextResponse.json({ authenticationOptions: options, userId: user.id });
+    }
+    catch (err) {
+        console.error('[auth] passkey authenticate error:', err);
+        return NextResponse.json({ error: 'Failed to initiate passkey authentication' }, { status: 500 });
+    }
+}
+// ── POST /api/auth/passkey/verify-authentication ─────────────────────────────
+export async function handlePasskeyVerifyAuthentication(request, { webAuthnConfig, prisma, jwtSecret = process.env.JWT_SECRET }) {
+    var _a;
+    try {
+        const { email, credential } = await request.json();
+        if (!email || !credential) {
+            return NextResponse.json({ error: 'Email and credential are required' }, { status: 400 });
+        }
+        const expectedChallenge = challengeStore.get(email);
+        if (!expectedChallenge) {
+            return NextResponse.json({ error: 'Challenge expired — please try again' }, { status: 400 });
+        }
+        const user = await prisma.user.findUnique({ where: { email }, include: { passkeys: true } });
+        if (!user)
+            return NextResponse.json({ error: 'User not found' }, { status: 404 });
+        const credentialId = Buffer.from(credential.id, 'base64url').toString('base64url');
+        const passkey = (_a = user.passkeys) === null || _a === void 0 ? void 0 : _a.find((pk) => pk.credentialId === credentialId);
+        if (!passkey)
+            return NextResponse.json({ error: 'Passkey not found' }, { status: 404 });
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const verification = await verifyAuthenticationResponse({
+            response: credential,
+            expectedChallenge,
+            expectedOrigin: webAuthnConfig.expectedOrigin,
+            expectedRPID: webAuthnConfig.rpID,
+            authenticator: {
+                credentialID: Buffer.from(passkey.credentialId, 'base64url'),
+                credentialPublicKey: passkey.publicKey,
+                counter: Number(passkey.counter),
+                transports: passkey.transports,
+            },
+            requireUserVerification: true,
+        });
+        if (!verification.verified) {
+            return NextResponse.json({ error: 'Passkey authentication failed' }, { status: 400 });
+        }
+        await prisma.passkey.update({
+            where: { id: passkey.id },
+            data: { counter: BigInt(verification.authenticationInfo.newCounter), lastUsed: new Date() },
+        });
+        challengeStore.delete(email);
+        const token = signToken({ userId: user.id, email: user.email }, jwtSecret);
+        await prisma.session.create({
+            data: {
+                userId: user.id,
+                token,
+                expiresAt: new Date(Date.now() + SESSION_MAX_AGE_SECONDS * 1000),
+            },
+        });
+        const safeUser = { id: user.id, email: user.email, name: user.name, createdAt: user.createdAt, updatedAt: user.updatedAt };
+        const response = NextResponse.json({ success: true, user: safeUser });
+        setSessionCookie(response, token);
+        return response;
+    }
+    catch (err) {
+        console.error('[auth] passkey verify-authentication error:', err);
+        return NextResponse.json({ error: 'Failed to verify passkey authentication' }, { status: 500 });
+    }
+}
+//# sourceMappingURL=webauthn.js.map

package/dist/server/webauthn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webauthn.js","sourceRoot":"","sources":["../../src/server/webauthn.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,GAE7B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EAAe,YAAY,EAAE,MAAM,aAAa,CAAA;AAEvD,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,OAAO,CAAA;AACjC,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAA;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAElD,MAAM,UAAU,oBAAoB,CAAC,MAKpC;IACC,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,cAAc,EAAE,MAAM,CAAC,MAAM;KAC9B,CAAA;AACH,CAAC;AAWD,iFAAiF;AAEjF,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,OAAoB,EACpB,EAAE,cAAc,EAAE,MAAM,EAAiB;;IAEzC,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAA;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAErF,IAAI,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,CAAA;QAE1F,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;gBAC9B,IAAI,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,aAAJ,IAAI,cAAJ,IAAI,GAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;gBAClD,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE;aAC5B,CAAC,CAAA;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAA,IAAI,CAAC,QAAQ,mCAAI,EAAE,CAAA;QAEpC,MAAM,OAAO,GAAG,MAAM,2BAA2B,CAAC;YAChD,MAAM,EAAE,cAAc,CAAC,MAAM;YAC7B,IAAI,EAAE,cAAc,CAAC,IAAI;YACzB,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,QAAQ,EAAE,IAAI,CAAC,KAAK;YACpB,eAAe,EAAE,MAAA,IAAI,CAAC,IAAI,mCAAI,IAAI,CAAC,KAAK;YACxC,eAAe,EAAE,MAAM;YACvB,kBAAkB,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;gBACxC,EAAE,EAAE,EAAE,CAAC,YAAY;gBACnB,IAAI,EAAE,YAAqB;gBAC3B,UAAU,EAAE,EAAE,CAAC,UAA4C;aAC5D,CAAC,CAAC;YACH,sBAAsB,EAAE;gBACtB,WAAW,EAAE,WAAW;gBACxB,gBAAgB,EAAE,WAAW;gBAC7B,uBAAuB,EAAE,UAAU;aACpC;SACF,CAAC,CAAA;QAEF,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAA;QAE5C,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAA;IAC7E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,GAAG,CAAC,CAAA;QACpD,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IACjG,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,OAAoB,EACpB,EAAE,cAAc,EAAE,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,UAAW,EAAgB;;IAE7E,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAA;QAClD,IAAI,CAAC,KAAK,IAAI,CAAC,UAAU,EAAE,CAAC;YAC1B,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mCAAmC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC3F,CAAC;QAED,MAAM,iBAAiB,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACnD,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sCAAsC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC9F,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI;YAAE,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAEjF,MAAM,YAAY,GAAG,MAAM,0BAA0B,CAAC;YACpD,QAAQ,EAAE,UAAU;YACpB,iBAAiB;YACjB,cAAc,EAAE,cAAc,CAAC,cAAc;YAC7C,YAAY,EAAE,cAAc,CAAC,IAAI;YACjC,uBAAuB,EAAE,IAAI;SAC9B,CAAC,CAAA;QAEF,IAAI,CAAC,YAAY,CAAC,QAAQ,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;YAC7D,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,6BAA6B,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACrF,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,GAAG,YAAY,CAAC,gBAAgB,CAAA;QAEpG,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YAC1B,IAAI,EAAE;gBACJ,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACxD,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gBACtC,OAAO,EAAE,MAAM,CAAC,MAAA,IAAI,CAAC,OAAO,mCAAI,CAAC,CAAC;gBAClC,UAAU,EAAE,oBAAoB,aAApB,oBAAoB,cAApB,oBAAoB,GAAI,SAAS;gBAC7C,QAAQ,EAAE,kBAAkB,aAAlB,kBAAkB,cAAlB,kBAAkB,GAAI,KAAK;gBACrC,UAAU,EAAE,MAAA,IAAI,CAAC,UAAU,mCAAI,EAAE;aAClC;SACF,CAAC,CAAA;QAEF,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QAE5B,MAAM,KAAK,GAAG,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAA;QAE1E,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YAC1B,IAAI,EAAE;gBACJ,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,KAAK;gBACL,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB,GAAG,IAAI,CAAC;aACjE;SACF,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAA;QAC1H,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAA;QACrE,gBAAgB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;QACjC,OAAO,QAAQ,CAAA;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAA;QAC/D,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uCAAuC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IAC/F,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,OAAoB,EACpB,EAAE,cAAc,EAAE,MAAM,EAAiB;;IAEzC,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAA;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAErF,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,CAAA;QAE5F,IAAI,CAAC,IAAI,IAAI,CAAC,CAAA,MAAA,IAAI,CAAC,QAAQ,0CAAE,MAAM,CAAA,EAAE,CAAC;YACpC,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,0DAA0D,EAAE,EACrE,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAA;QACH,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,6BAA6B,CAAC;YAClD,IAAI,EAAE,cAAc,CAAC,IAAI;YACzB,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;gBAC3C,EAAE,EAAE,EAAE,CAAC,YAAY;gBACnB,IAAI,EAAE,YAAqB;gBAC3B,UAAU,EAAE,EAAE,CAAC,UAA4C;aAC5D,CAAC,CAAC;YACH,gBAAgB,EAAE,WAAW;SAC9B,CAAC,CAAA;QAEF,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAA;QAE5C,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,qBAAqB,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAA;IAC/E,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,GAAG,CAAC,CAAA;QACxD,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IACnG,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,OAAoB,EACpB,EAAE,cAAc,EAAE,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,UAAW,EAAgB;;IAE7E,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAA;QAClD,IAAI,CAAC,KAAK,IAAI,CAAC,UAAU,EAAE,CAAC;YAC1B,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mCAAmC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC3F,CAAC;QAED,MAAM,iBAAiB,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACnD,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sCAAsC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC9F,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,CAAA;QAC5F,IAAI,CAAC,IAAI;YAAE,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAEjF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;QAClF,MAAM,OAAO,GAAG,MAAA,IAAI,CAAC,QAAQ,0CAAE,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,YAAY,KAAK,YAAY,CAAC,CAAA;QAC7E,IAAI,CAAC,OAAO;YAAE,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAEvF,8DAA8D;QAC9D,MAAM,YAAY,GAAG,MAAO,4BAAoC,CAAC;YAC/D,QAAQ,EAAE,UAAU;YACpB,iBAAiB;YACjB,cAAc,EAAE,cAAc,CAAC,cAAc;YAC7C,YAAY,EAAE,cAAc,CAAC,IAAI;YACjC,aAAa,EAAE;gBACb,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,WAAW,CAAC;gBAC5D,mBAAmB,EAAE,OAAO,CAAC,SAAS;gBACtC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,UAAU;aAC/B;YACD,uBAAuB,EAAE,IAAI;SAC9B,CAAC,CAAA;QAEF,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC3B,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACvF,CAAC;QAED,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YAC1B,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE;YACzB,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,YAAY,CAAC,kBAAkB,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,IAAI,EAAE,EAAE;SAC5F,CAAC,CAAA;QAEF,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QAE5B,MAAM,KAAK,GAAG,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAA;QAE1E,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YAC1B,IAAI,EAAE;gBACJ,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,KAAK;gBACL,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB,GAAG,IAAI,CAAC;aACjE;SACF,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAA;QAC1H,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAA;QACrE,gBAAgB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;QACjC,OAAO,QAAQ,CAAA;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,GAAG,CAAC,CAAA;QACjE,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IACjG,CAAC;AACH,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,98 @@
+export interface AuthUser {
+    id: string;
+    email: string;
+    name?: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export interface JWTPayload {
+    userId: string;
+    email: string;
+    iat?: number;
+    exp?: number;
+}
+export interface WebAuthnConfig {
+    rpName: string;
+    rpID: string;
+    origin: string;
+    expectedOrigin: string;
+}
+export interface AuthPrismaClient {
+    user: {
+        findUnique: (args: {
+            where: {
+                email?: string;
+                id?: string;
+            };
+            include?: {
+                passkeys?: boolean;
+            };
+        }) => Promise<(AuthUser & {
+            passkeys?: PasskeyRecord[];
+            passwordHash?: string | null;
+        }) | null>;
+        create: (args: {
+            data: {
+                email: string;
+                name?: string;
+            };
+            include?: {
+                passkeys?: boolean;
+            };
+        }) => Promise<AuthUser & {
+            passkeys: PasskeyRecord[];
+        }>;
+    };
+    passkey: {
+        create: (args: {
+            data: Record<string, unknown>;
+        }) => Promise<PasskeyRecord>;
+        update: (args: {
+            where: {
+                id: string;
+            };
+            data: Record<string, unknown>;
+        }) => Promise<PasskeyRecord>;
+    };
+    session: {
+        create: (args: {
+            data: {
+                userId: string;
+                token: string;
+                expiresAt: Date;
+            };
+        }) => Promise<SessionRecord>;
+        delete: (args: {
+            where: {
+                token: string;
+            };
+        }) => Promise<SessionRecord>;
+        findUnique: (args: {
+            where: {
+                token: string;
+            };
+        }) => Promise<SessionRecord | null>;
+    };
+}
+export interface PasskeyRecord {
+    id: string;
+    userId: string;
+    credentialId: string;
+    publicKey: Buffer | Uint8Array;
+    counter: bigint | number;
+    deviceType: string;
+    backedUp: boolean;
+    transports: string[];
+    createdAt: Date;
+    lastUsed: Date;
+}
+export interface SessionRecord {
+    id: string;
+    userId: string;
+    token: string;
+    expiresAt: Date;
+    createdAt: Date;
+}
+export declare const SESSION_COOKIE = "session";
+export declare const SESSION_MAX_AGE_SECONDS: number;
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACpB,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,CAAA;CACvB;AAID,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,IAAI,EAAE;YACjB,KAAK,EAAE;gBAAE,KAAK,CAAC,EAAE,MAAM,CAAC;gBAAC,EAAE,CAAC,EAAE,MAAM,CAAA;aAAE,CAAA;YACtC,OAAO,CAAC,EAAE;gBAAE,QAAQ,CAAC,EAAE,OAAO,CAAA;aAAE,CAAA;SACjC,KAAK,OAAO,CAAC,CAAC,QAAQ,GAAG;YAAE,QAAQ,CAAC,EAAE,aAAa,EAAE,CAAC;YAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;SAAE,CAAC,GAAG,IAAI,CAAC,CAAA;QAC/F,MAAM,EAAE,CAAC,IAAI,EAAE;YAAE,IAAI,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAC;gBAAC,IAAI,CAAC,EAAE,MAAM,CAAA;aAAE,CAAC;YAAC,OAAO,CAAC,EAAE;gBAAE,QAAQ,CAAC,EAAE,OAAO,CAAA;aAAE,CAAA;SAAE,KAAK,OAAO,CAAC,QAAQ,GAAG;YAAE,QAAQ,EAAE,aAAa,EAAE,CAAA;SAAE,CAAC,CAAA;KAClJ,CAAA;IACD,OAAO,EAAE;QACP,MAAM,EAAE,CAAC,IAAI,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;SAAE,KAAK,OAAO,CAAC,aAAa,CAAC,CAAA;QAC3E,MAAM,EAAE,CAAC,IAAI,EAAE;YAAE,KAAK,EAAE;gBAAE,EAAE,EAAE,MAAM,CAAA;aAAE,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;SAAE,KAAK,OAAO,CAAC,aAAa,CAAC,CAAA;KACnG,CAAA;IACD,OAAO,EAAE;QACP,MAAM,EAAE,CAAC,IAAI,EAAE;YAAE,IAAI,EAAE;gBAAE,MAAM,EAAE,MAAM,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAC;gBAAC,SAAS,EAAE,IAAI,CAAA;aAAE,CAAA;SAAE,KAAK,OAAO,CAAC,aAAa,CAAC,CAAA;QACtG,MAAM,EAAE,CAAC,IAAI,EAAE;YAAE,KAAK,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAA;aAAE,CAAA;SAAE,KAAK,OAAO,CAAC,aAAa,CAAC,CAAA;QACtE,UAAU,EAAE,CAAC,IAAI,EAAE;YAAE,KAAK,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAA;aAAE,CAAA;SAAE,KAAK,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAA;KAClF,CAAA;CACF;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,MAAM,EAAE,MAAM,CAAA;IACd,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,GAAG,UAAU,CAAA;IAC9B,OAAO,EAAE,MAAM,GAAG,MAAM,CAAA;IACxB,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,OAAO,CAAA;IACjB,UAAU,EAAE,MAAM,EAAE,CAAA;IACpB,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,IAAI,CAAA;CACf;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,eAAO,MAAM,cAAc,YAAY,CAAA;AACvC,eAAO,MAAM,uBAAuB,QAAmB,CAAA"}

package/dist/types.js

@@ -0,0 +1,3 @@
+export const SESSION_COOKIE = 'session';
+export const SESSION_MAX_AGE_SECONDS = 60 * 60 * 24 * 7; // 7 days
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAgEA,MAAM,CAAC,MAAM,cAAc,GAAG,SAAS,CAAA;AACvC,MAAM,CAAC,MAAM,uBAAuB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA,CAAC,SAAS"}

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "@yannvr/auth",
+  "version": "1.0.0",
+  "description": "Shared passkey auth (WebAuthn + HttpOnly cookies) for Next.js apps",
+  "license": "MIT",
+  "exports": {
+    "./server": {
+      "types": "./dist/server/index.d.ts",
+      "default": "./dist/server/index.js"
+    },
+    "./client": {
+      "types": "./dist/client/index.d.ts",
+      "default": "./dist/client/index.js"
+    }
+  },
+  "files": ["dist"],
+  "scripts": {
+    "build": "tsc --project tsconfig.build.json"
+  },
+  "peerDependencies": {
+    "@simplewebauthn/browser": ">=13",
+    "@simplewebauthn/server": ">=13",
+    "jsonwebtoken": ">=9",
+    "next": ">=14",
+    "react": ">=18"
+  },
+  "devDependencies": {
+    "@simplewebauthn/browser": "^13",
+    "@simplewebauthn/server": "^13",
+    "@types/jsonwebtoken": "^9",
+    "@types/node": "^20",
+    "@types/react": "^19",
+    "jsonwebtoken": "^9",
+    "next": "^15",
+    "react": "^18",
+    "typescript": "^5"
+  }
+}