auth-verify 1.5.0 → 1.6.1

package/index.js

@@ -3,6 +3,7 @@ const OTPManager = require("./src/otp");
 const SessionManager = require("./src/session");
 const OAuthManager = require("./src/oauth");
 const TOTPManager = require("./src/totp");
+const PasskeyManager = require("./src/passkey");
 
 class AuthVerify {
   constructor(options = {}) {
@@ -18,7 +19,10 @@ class AuthVerify {
         digits: 6,
         step: 30,
         alg: "SHA1"
-      }
+      },
+      rpName = "auth-verify",
+      saveBy = "id",
+      passExp = "2m"
     } = options;
 
     // ✅ Ensure cookieName and secret always exist
@@ -44,6 +48,8 @@ class AuthVerify {
     this.totp = new TOTPManager(totp);
 
     this.senders = new Map();
+
+    this.passkey = new PasskeyManager({rpName, storeTokens, saveBy, passExp});
   }
 
   // --- Session helpers ---
@@ -59,6 +65,19 @@ class AuthVerify {
     return this.session.destroy(sessionId);
   }
 
+  // --- Passkey helpers ---
+  async registerPasskey(user) {
+    return this.passkey.register(user);
+  }
+
+  async finishPasskey(clientResponse) {
+    return this.passkey.finish(clientResponse);
+  }
+
+  async loginPasskey(user) {
+    return this.passkey.login(user);
+  }
+
   // --- Sender registration ---
   register = {
     sender: (name, fn) => {

package/package.json

@@ -1,17 +1,18 @@
 {
   "dependencies": {
     "axios": "^1.12.2",
+    "base64url": "^3.0.1",
+    "cbor": "^10.0.11",
     "crypto": "^1.0.1",
     "ioredis": "^5.8.1",
     "jsonwebtoken": "^9.0.2",
     "node-telegram-bot-api": "^0.66.0",
     "nodemailer": "^7.0.6",
     "qrcode": "^1.5.4",
-    "redis": "^5.8.3",
     "uuid": "^9.0.1"
   },
   "name": "auth-verify",
-  "version": "1.5.0",
+  "version": "1.6.1",
   "description": "A simple Node.js library for sending and verifying OTP via email, SMS and Telegram bot. And generating TOTP codes and QR codes. And handling JWT with Cookies",
   "main": "index.js",
   "scripts": {

package/readme.md

@@ -7,7 +7,7 @@
   - ✅ JWT creation, verification, optional token revocation with memory/Redis storage, and advanced middleware for protecting routes, custom cookie/header handling, role-based guards, and token extraction from custom sources.
   - ✅ Session management (in-memory or Redis).
   - ✅ OAuth 2.0 integration for Google, Facebook, GitHub, X (Twitter), Linkedin, and additional providers like Apple, Discord, Slack, Microsoft, Telegram,and WhatsApp.
-  - ⚙️ Developer extensibility: custom senders via auth.register.sender() and chainable sending via auth.use(name).send(...).
+  - ⚙️ Developer extensibility: custom senders via `auth.register.sender()` and chainable sending via `auth.use(name).send(...)`.
   - ✅ Automatic JWT cookie handling for Express apps, supporting secure, HTTP-only cookies and optional auto-verification.
   - ✅ Fully asynchronous/Promise-based API, with callback support where applicable.
   - ✅ Chainable OTP workflow with cooldowns, max attempts, and resend functionality.
@@ -30,9 +30,10 @@ npm install auth-verify
 - `AuthVerify` (entry): constructs and exposes `.jwt`, `.otp`, (optionally) `.session`, `.totp` and `.oauth` managers.
 - `JWTManager`: sign, verify, decode, revoke tokens. Supports `storeTokens: "memory" | "redis" | "none"` and middleware with custom cookie, header, and token extraction.
 - `OTPManager`: generate, store, send, verify, resend OTPs. Supports `storeTokens: "memory" | "redis" | "none"`. Supports email, SMS helper, Telegram bot, and custom dev senders.
-- `TOTPManager`: generate, verify uri, codes and QR codes
+- `TOTPManager`: generate, verify uri, codes and QR codes.
 - `SessionManager`: simple session creation/verification/destroy with memory or Redis backend.
-- `OAuthManager`: Handle OAuth 2.0 logins for Google, Facebook, GitHub, X, Linkedin, Apple, Discord, Slack, Microsoft, Telegram and WhatsApp
+- `OAuthManager`: Handle OAuth 2.0 logins for Google, Facebook, GitHub, X, Linkedin, Apple, Discord, Slack, Microsoft, Telegram and WhatsApp.
+- `PasskeyManager`: Handle passwordless login and registration using WebAuthn/passkey.
 ---
 
 ## 🚀 Example: Initialize library (CommonJS)
@@ -53,7 +54,7 @@ const auth = new AuthVerify({
 
 ## 🔐 JWT Usage
 
-### JWT Middleware (`protect`) (New in v1.5.0) 
+### JWT Middleware (`protect`) (v1.5.0+) 
 
 auth-verify comes with a fully customizable JWT middleware, making it easy to **protect routes**, **attach decoded data to the request**, and **check user roles**.
 
@@ -355,6 +356,152 @@ auth.otp.verify({ check: 'user@example.com', code: '123456' }, (err, isValid)=>{
 
 ---
 
+## 🗝️ Passkey (WebAuthn) (New in v1.6.1)
+
+`AuthVerify` includes a `PasskeyManager` class to handle passwordless login using WebAuthn / passkeys. You can **register** users, **verify login**, and manage **challenges** safely.
+
+### Setup
+```js
+const AuthVerify = require("auth-verify");
+
+const auth = new AuthVerify({
+  passExp: "2m", // passkey challenge TTL
+  rpName: "MyApp",
+  storeTokens: "memory" // or "redis"
+});
+
+const user = {
+  id: "user1",
+  username: "john_doe",
+  credentials: [] // will store registered credentials
+};
+```
+### 1️⃣ Register a new Passkey
+The registration process consists of **two steps**:
+  **1.** Generate a registration challenge
+  **2.** Complete attestation after client responds
+
+#### Step 1: Generate challenge
+```js
+// register user
+await auth.passkey.register(user);
+
+// get WebAuthn options for the client
+const options = auth.passkey.getOptions();
+console.log(options);
+
+/* Example output:
+{
+  challenge: "base64url-challenge",
+  rp: { name: "MyApp" },
+  user: { id: "dXNlcjE", name: "john_doe", displayName: "john_doe" },
+  pubKeyCredParams: [{ alg: -7, type: "public-key" }]
+}
+*/
+```
+> Send options to the browser to call:
+> ```js
+> navigator.credentials.create({ publicKey: options })
+> ```
+
+#### Step 2: Finish attestation
+Once the client returns the attestation response:
+```js
+const clientResponse = {
+  id: "...", // credentialId from browser
+  response: {
+    clientDataJSON: "...",
+    attestationObject: "..."
+  }
+};
+
+const result = await auth.passkey.finish(clientResponse);
+console.log(result);
+/* Example result:
+{
+  status: "ok",
+  user: {
+    id: "user1",
+    username: "john_doe",
+    credentials: [
+      { id: "credentialId", publicKey: "pem-key" }
+    ]
+  },
+  challengeVerified: true,
+  rawAuthData: <Buffer ...>
+}
+*/
+```
+> After this, the user now has a **registered passkey**.
+
+### 2️⃣ Login with Passkey
+Login also consists of **two steps**:
+  **1.** Generate assertion challenge
+  **2.** Complete verification
+#### Step 1: Generate login challenge
+```js
+await auth.passkey.login(user);
+
+const options = auth.passkey.getOptions();
+console.log(options);
+
+/* Example output:
+{
+  challenge: "base64url-challenge",
+  allowCredentials: [
+    { id: <Buffer...>, type: "public-key" }
+  ],
+  timeout: 60000
+}
+*/
+```
+> Send this `options` to the browser for `navigator.credentials.get({ publicKey: options })`.
+
+#### Step 2: Finish login assertion
+```js
+const clientLoginResponse = {
+  id: "credentialId",
+  response: {
+    clientDataJSON: "...",
+    authenticatorData: "...",
+    signature: "..."
+  }
+};
+
+const loginResult = await auth.passkey.finish(clientLoginResponse);
+console.log(loginResult);
+/* Example output:
+{
+  status: "ok",
+  user: {
+    id: "user1",
+    username: "john_doe",
+    credentials: [...]
+  }
+}
+*/
+```
+> If `status === "ok"`, the login is successful.
+
+### 3️⃣ Notes
+
+ - `auth.passkey.register()` and `auth.passkey.login()` return this so you can chain:
+```js
+await auth.passkey
+  .register(user)
+  .getOptions(); // get WebAuthn options
+```
+ - `finish()` **must be called after `register()` or `login()`** with the client’s response.
+ - TTL (`passExp`) ensures challenges **expire automatically** (memory or Redis store).
+ 
+### 4️⃣ Summary of Methods
+| Method                   | Purpose                         | Returns            |
+| ------------------------ | ------------------------------- | ------------------ |
+| `register(user)`         | Start passkey registration      | `this` (chainable) |
+| `login(user)`            | Start passkey login             | `this` (chainable) |
+| `getOptions()`           | Get WebAuthn options for client | Object             |
+| `finish(clientResponse)` | Complete attestation/assertion  | Result object      |
+
 ## ✅ TOTP (Time-based One Time Passwords) — Google Authenticator support (v1.4.0+)
 ```js
 const AuthVerify = require("auth-verify");
@@ -425,7 +572,22 @@ if (auth.totp.verify({ secret, token })) {
 ```
 ---
 ## 🌍 OAuth 2.0 Integration (v1.2.0+)
-`auth.oauth` supports login via Google, Facebook, GitHub, X (Twitter) and Linkedin.
+`auth.oauth` supports login via Google, Facebook, GitHub, X (Twitter), Linkedin, Microsoft, Telegram, Slack, WhatsApp, Apple and Discord.
+### Providers & Routes table
+| Provider    | Redirect URL      | Callback URL               | Scopes / Notes                         |
+| ----------- | ----------------- | -------------------------- | -------------------------------------- |
+| Google      | `/auth/google`    | `/auth/google/callback`    | `openid email profile`                 |
+| Facebook    | `/auth/facebook`  | `/auth/facebook/callback`  | `email,public_profile`                 |
+| GitHub      | `/auth/github`    | `/auth/github/callback`    | `user:email`                           |
+| X (Twitter) | `/auth/x`         | `/auth/x/callback`         | `tweet.read users.read offline.access` |
+| LinkedIn    | `/auth/linkedin`  | `/auth/linkedin/callback`  | `r_liteprofile r_emailaddress`         |
+| Microsoft   | `/auth/microsoft` | `/auth/microsoft/callback` | `User.Read`                            |
+| Telegram    | `/auth/telegram`  | `/auth/telegram/callback`  | Bot deep-link                          |
+| Slack       | `/auth/slack`     | `/auth/slack/callback`     | `identity.basic identity.email`        |
+| WhatsApp    | `/auth/whatsapp`  | `/auth/whatsapp/callback`  | QR / deep-link                         |
+| Apple       | `/auth/apple`     | `/auth/apple/callback`     | `name email`                           |
+| Discord     | `/auth/discord`   | `/auth/discord/callback`   | `identify email`                       |
+
 ### Example (Google Login with Express)
 ```js
 const express = require('express');
@@ -506,6 +668,79 @@ const linkedin = auth.oauth.linkedin({
   redirectUri: "http://localhost:3000/auth/linkedin/callback"
 });
 
+// --- MICROSOFT ---
+const microsoft = auth.oauth.microsoft({
+  clientId: "YOUR_MICROSOFT_CLIENT_ID",
+  clientSecret: "YOUR_MICROSOFT_CLIENT_SECRET",
+  redirectUri: "http://localhost:3000/auth/microsoft/callback"
+});
+
+app.get("/auth/microsoft", (req, res) => microsoft.redirect(res));
+
+app.get("/auth/microsoft/callback", async (req, res) => {
+  try {
+    const { code } = req.query;
+    const user = await microsoft.callback(code);
+    res.json({ success: true, provider: "microsoft", user });
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
+});
+
+// --- TELEGRAM ---
+const telegram = auth.oauth.telegram({
+  botId: "YOUR_BOT_ID",
+  redirectUri: "http://localhost:3000/auth/telegram/callback"
+});
+
+app.get("/auth/telegram", (req, res) => telegram.redirect(res));
+
+app.get("/auth/telegram/callback", async (req, res) => {
+  try {
+    const { code } = req.query;
+    const result = await telegram.callback(code);
+    res.json({ success: true, provider: "telegram", ...result });
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
+});
+
+// --- SLACK ---
+const slack = auth.oauth.slack({
+  clientId: "YOUR_SLACK_CLIENT_ID",
+  clientSecret: "YOUR_SLACK_CLIENT_SECRET",
+  redirectUri: "http://localhost:3000/auth/slack/callback"
+});
+
+app.get("/auth/slack", (req, res) => slack.redirect(res));
+
+app.get("/auth/slack/callback", async (req, res) => {
+  try {
+    const { code } = req.query;
+    const user = await slack.callback(code);
+    res.json({ success: true, provider: "slack", user });
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
+});
+
+// --- WHATSAPP ---
+const whatsapp = auth.oauth.whatsapp({
+  phoneNumberId: "YOUR_PHONE_ID",
+  redirectUri: "http://localhost:3000/auth/whatsapp/callback"
+});
+
+app.get("/auth/whatsapp", (req, res) => whatsapp.redirect(res));
+
+app.get("/auth/whatsapp/callback", async (req, res) => {
+  try {
+    const { code } = req.query;
+    const result = await whatsapp.callback(code);
+    res.json({ success: true, provider: "whatsapp", ...result });
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
+});
 
 // ===== FACEBOOK ROUTES =====
 app.get("/auth/facebook", (req, res) => facebook.redirect(res));
@@ -565,6 +800,21 @@ app.get("/auth/linkedin/callback", async (req, res)=>{
 app.listen(PORT, () => console.log(`🚀 Server running at http://localhost:${PORT}`));
 
 ```   
+
+### ✅ Notes for Devs
+  1. Each provider has **redirect** and **callback** URLs.
+  2. Scopes can be customized per provider.
+  3. **Telegram & WhatsApp** use deep-link / QR-style flows.
+  4. The result of `callback()` is a JSON object containing the user info and `access_token` (except deep-link flows, which return code/messages).
+  5. You can **register custom providers** via:
+  ```js
+  auth.oauth.register("myCustom", (options) => {
+    return {
+      redirect(res) { /* redirect user */ },
+      callback: async (code) => { /* handle callback */ }
+    };
+  });
+  ```
 ---
 
 ## Telegram integration
@@ -665,6 +915,7 @@ auth-verify/
 │  ├─ otpmanager.test.js
 │  ├─ oauth.test.js
 │  ├─ totpmanager.test.js
+│  ├─ passkeymanager.test.js
 ├─ babel.config.js
 ```
 

package/src/passkey/index.js

@@ -0,0 +1,195 @@
+const base64url = require('base64url');
+const crypto = require("crypto");
+const Redis = require('ioredis');
+const cbor = require("cbor");
+
+class PasskeyManager {
+  constructor(options = {}) {
+    this.rpName = options.rpName || "auth-verify";
+    this.storeType = options.storeTokens || "memory";
+    this.saveByToMemory = options.saveBy || "id"; 
+    this.ttl = options.passExp || "2m";
+
+    if (this.storeType === "memory") {
+      this.tokenStore = new Map();
+    } else if (this.storeType === 'redis') {
+      this.redis = new Redis(options.redisUrl || "redis://localhost:6379");
+    }
+  }
+
+  _generateChallenge() {
+    return base64url(crypto.randomBytes(32));
+  }
+
+  _encode(buffer) {
+    return base64url(buffer);
+  }
+
+  _decode(str) {
+    return Buffer.from(base64url.toBuffer(str));
+  }
+
+  _parseTTL() {
+    if (typeof this.ttl !== 'string') return this.ttl;
+    const ttlValue = parseInt(this.ttl);
+    if (this.ttl.endsWith('m')) return ttlValue * 60 * 1000;
+    if (this.ttl.endsWith('s')) return ttlValue * 1000;
+    throw new Error("TTL must end with 's' or 'm'");
+  }
+
+  _setWithTTL(key, challengeValue, ttlMs = 2 * 60 * 1000) {
+    this.tokenStore.set(key, {
+      value: challengeValue,
+      expiresAt: Date.now() + ttlMs
+    });
+    setTimeout(() => this.tokenStore.delete(key), ttlMs);
+  }
+
+  _coseToPEM(coseKey) {
+    const x = coseKey.get(-2);
+    const y = coseKey.get(-3);
+    const pubKeyBuffer = Buffer.concat([Buffer.from([0x04]), x, y]);
+    const pubKeyDER = Buffer.concat([
+      Buffer.from("3059301306072A8648CE3D020106082A8648CE3D030107034200", "hex"),
+      pubKeyBuffer
+    ]);
+    return "-----BEGIN PUBLIC KEY-----\n" +
+      pubKeyDER.toString("base64").match(/.{1,64}/g).join("\n") +
+      "\n-----END PUBLIC KEY-----\n";
+  }
+
+  async _finishAttestation(clientResponse) {
+    const { user, challenge } = this._pending;
+
+    const clientDataJSON = JSON.parse(
+      Buffer.from(clientResponse.response.clientDataJSON, 'base64').toString()
+    );
+
+    if (clientDataJSON.challenge !== challenge)
+      throw new Error("Challenge mismatch");
+
+    const attestationBuffer = Buffer.from(clientResponse.response.attestationObject, 'base64');
+    const attestationStruct = await cbor.decodeFirst(attestationBuffer);
+
+    // Parse authData
+    const authData = attestationStruct.authData;
+    const rpIdHash = authData.slice(0, 32);
+    const flags = authData[32];
+    const signCount = authData.readUInt32BE(33);
+
+    const credIdLen = authData.readUInt16BE(37);
+    const credentialId = authData.slice(39, 39 + credIdLen);
+
+    const coseKeyBytes = authData.slice(39 + credIdLen);
+    const coseKey = await cbor.decodeFirst(coseKeyBytes);
+    const publicKeyPEM = this._coseToPEM(coseKey);
+
+    // Save credential in user object
+    user.credentials = user.credentials || [];
+    user.credentials.push({
+      id: this._encode(credentialId),
+      publicKey: publicKeyPEM,
+      signCount
+    });
+
+    return { status: "ok", user, credentialId: this._encode(credentialId) };
+  }
+
+  async _finishAssertion(clientResponse) {
+    const { user, challenge } = this._pending;
+
+    const clientDataJSON = JSON.parse(
+      Buffer.from(clientResponse.response.clientDataJSON, 'base64').toString()
+    );
+
+    if (clientDataJSON.challenge !== challenge)
+      throw new Error("Challenge mismatch");
+
+    const credentialId = this._encode(Buffer.from(clientResponse.id, 'base64'));
+    const credential = user.credentials?.find(c => c.id === credentialId);
+    if (!credential) throw new Error("Unknown credential");
+
+    const signature = Buffer.from(clientResponse.response.signature, 'base64');
+    const authData = Buffer.from(clientResponse.response.authenticatorData, 'base64');
+
+    const verify = crypto.createVerify('SHA256');
+    const clientHash = crypto.createHash('sha256').update(Buffer.from(clientResponse.response.clientDataJSON, 'base64')).digest();
+    verify.update(Buffer.concat([authData, clientHash]));
+
+    const verified = verify.verify(credential.publicKey, signature);
+
+    return { status: verified ? "ok" : "failed", user };
+  }
+
+  async register(user) {
+    const challenge = this._generateChallenge();
+
+    if (this.storeType === "memory") {
+      this._setWithTTL(user[this.saveByToMemory], challenge, this._parseTTL());
+    } else if (this.storeType === "redis") {
+      await this.redis.set(user[this.saveByToMemory], challenge, "PX", this._parseTTL());
+    }
+
+    this._pending = { type: "register", user, challenge };
+    return this;
+  }
+
+  async login(user) {
+    const challenge = this._generateChallenge();
+
+    if (this.storeType === "memory") {
+      this._setWithTTL(user[this.saveByToMemory], challenge, this._parseTTL());
+    } else if (this.storeType === "redis") {
+      await this.redis.set(user[this.saveByToMemory], challenge, "PX", this._parseTTL());
+    }
+
+    this._pending = { type: "login", user, challenge };
+    return this;
+  }
+
+  getOptions() {
+    if (!this._pending) throw new Error("No pending operation");
+
+    const { type, user, challenge } = this._pending;
+
+    if (type === "register") {
+      return {
+        challenge,
+        rp: { name: this.rpName },
+        user: {
+          id: this._encode(Buffer.from(user.id)),
+          name: user.username,
+          displayName: user.username
+        },
+        pubKeyCredParams: [{ alg: -7, type: "public-key" }]
+      };
+    } else if (type === "login") {
+      return {
+        challenge,
+        allowCredentials: user.credentials?.map(c => ({
+          id: this._decode(c.id),
+          type: "public-key"
+        })) || [],
+        timeout: 60000
+      };
+    }
+  }
+
+  async finish(clientResponse) {
+    if (!this._pending) throw new Error("No pending operation");
+
+    let result;
+    if (this._pending.type === "register") {
+      result = await this._finishAttestation(clientResponse);
+    } else if (this._pending.type === "login") {
+      result = await this._finishAssertion(clientResponse);
+    } else {
+      throw new Error("Unknown pending operation");
+    }
+
+    this._pending = null;
+    return result;
+  }
+}
+
+module.exports = PasskeyManager;

package/tests/passkeymanager.test.js

@@ -0,0 +1,114 @@
+const AuthVerify = require("../index");
+const base64url = require("base64url");
+
+describe("AuthVerify Passkey Flow (mocked for Jest)", () => {
+  let auth;
+  const user = { id: "123", username: "testuser", credentials: [] };
+
+  beforeEach(() => {
+    auth = new AuthVerify({
+      storeTokens: "memory",
+      passExp: "1m",
+      rpName: "TestApp",
+    });
+
+    // Mock _finishAttestation to bypass CBOR decoding
+    auth.passkey._finishAttestation = async (clientResponse) => ({
+      status: "ok",
+      user,
+      challengeVerified: true,
+      rawAuthData: "FAKE_AUTHDATA",
+    });
+
+    // Mock _finishAssertion to bypass signature verification
+    auth.passkey._finishAssertion = async (clientResponse) => {
+      const { user, challenge } = auth.passkey._pending;
+      const clientDataJSON = JSON.parse(
+        Buffer.from(clientResponse.response.clientDataJSON, "base64").toString()
+      );
+      if (clientDataJSON.challenge !== challenge)
+        throw new Error("Challenge mismatch");
+
+      // Find credential by exact id
+      const credentialId = clientResponse.id;
+      const credential = user.credentials?.find(c => c.id === credentialId);
+      if (!credential) throw new Error("Unknown credential");
+
+      return { status: "ok", user };
+    };
+  });
+
+  test("register() should store challenge and be chainable", async () => {
+    const chainable = await auth.passkey.register(user);
+    expect(chainable).toBe(auth.passkey);
+    expect(auth.passkey._pending.type).toBe("register");
+    expect(auth.passkey._pending.user).toEqual(user);
+  });
+
+  test("getOptions() after register() returns correct options", async () => {
+    await auth.passkey.register(user);
+    const options = auth.passkey.getOptions();
+    expect(options.rp.name).toBe("TestApp");
+    expect(options.user.id).toBe(base64url(Buffer.from(user.id)));
+    expect(options.pubKeyCredParams[0].type).toBe("public-key");
+  });
+
+  test("finish() after register() verifies attestation", async () => {
+    await auth.passkey.register(user);
+    const pendingChallenge = auth.passkey._pending.challenge;
+
+    const clientResponse = {
+      response: {
+        clientDataJSON: Buffer.from(
+          JSON.stringify({ challenge: pendingChallenge })
+        ).toString("base64"),
+        attestationObject: "FAKE_CBOR",
+      },
+    };
+
+    const result = await auth.passkey.finish(clientResponse);
+    expect(result.status).toBe("ok");
+    expect(result.challengeVerified).toBe(true);
+    expect(result.user).toEqual(user);
+  });
+
+  test("login() should store challenge and allow credentials", async () => {
+    // Add a fake credential
+    user.credentials.push({
+      id: base64url(Buffer.from("cred1")),
+      publicKey: "FAKE_KEY",
+    });
+
+    await auth.passkey.login(user);
+    const options = auth.passkey.getOptions();
+
+    expect(auth.passkey._pending.type).toBe("login");
+    expect(options.allowCredentials.length).toBe(1);
+    expect(Buffer.isBuffer(options.allowCredentials[0].id)).toBe(true);
+  });
+
+  test("finish() after login() verifies assertion challenge", async () => {
+    user.credentials.push({
+      id: base64url(Buffer.from("cred1")),
+      publicKey: "FAKE_KEY",
+    });
+
+    await auth.passkey.login(user);
+    const challenge = auth.passkey._pending.challenge;
+
+    const clientResponse = {
+      id: user.credentials[0].id,
+      response: {
+        clientDataJSON: Buffer.from(JSON.stringify({ challenge })).toString(
+          "base64"
+        ),
+        authenticatorData: Buffer.from("rawAuthData").toString("base64"),
+        signature: Buffer.from("signature").toString("base64"),
+      },
+    };
+
+    const result = await auth.passkey.finish(clientResponse);
+    expect(result.status).toBe("ok"); // mocked result
+    expect(result.user).toEqual(user);
+  });
+});