authjs-corepass-provider 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 CorePass
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,450 @@
+# authjs-corepass-provider
+
+CorePass provider + server helpers for Auth.js (`@auth/core`) implementing the **pending-by-default** registration flow:
+
+- Browser completes WebAuthn attestation (registration)
+- Server stores a **pending registration** (no Auth.js user/account/authenticator yet)
+- CorePass mobile app finalizes the account by calling **`POST /passkey/data`** with an **Ed448-signed** payload
+
+## What you get
+
+- **Provider**: `CorePass()` (wraps Auth.js WebAuthn with passkey-friendly defaults)
+- **Server helpers**: `createCorePassServer()` exposing handlers:
+  - `startRegistration(req)`
+  - `finishRegistration(req)`
+  - `enrichRegistration(req)` (your `/passkey/data`)
+- **DB extension schema**: `db/corepass-schema.sql`
+
+## Flows
+
+### Registration flow (pending-by-default)
+
+```mermaid
+sequenceDiagram
+  autonumber
+  actor B as Browser
+  participant S as Your backend
+  participant KV as Challenge store
+  participant DB as CorePass store
+  actor A as CorePass app
+
+  B->>S: POST /webauthn/start { email? }
+  Note over B,S: Pending TTL default is 10 minutes (pendingTtlSeconds=600)
+  S->>KV: put reg:sid {challenge,email} ttl
+  S-->>B: 200 CreationOptions + Set-Cookie corepass.sid
+  B->>B: navigator.credentials.create()
+  B->>S: POST /webauthn/finish { attestation, email? }
+  S->>KV: get+delete reg:sid
+  S->>S: verifyRegistrationResponse()
+  S->>DB: createPendingRegistration(credentialId, publicKey, counter, aaguid, email?)
+  S-->>B: 200 { pending:true, enrichToken, credentialId }
+
+  A->>S: POST /passkey/data {coreId, credentialId, timestamp, userData} + X-Signature (Ed448)
+  S->>S: validateCoreIdMainnet + timestamp window
+  S->>S: verify Ed448 signature over canonical JSON
+  S->>DB: load+delete pending by credentialId
+  S->>S: create/link Auth.js user+account+authenticator
+  S->>DB: upsert CorePass identity/profile (provided_till, flags)
+  S->>S: (optional) POST registration webhook { coreId, refId? } (registrationWebhookRetries, default 3)
+  Note over S: If registrationWebhookSecret is set, include HMAC headers:\nX-Webhook-Timestamp + X-Webhook-Signature
+  S-->>A: 200 ok
+```
+
+### Login flow (standard Auth.js WebAuthn authenticate)
+
+CorePass login is normal WebAuthn: it uses the Auth.js WebAuthn callback path (`action=authenticate`), and resolves the user by stored authenticators.
+
+```mermaid
+sequenceDiagram
+  autonumber
+  actor B as Browser
+  participant Auth as Auth.js (@auth/core)
+  participant DB as Adapter DB
+
+  B->>Auth: GET /auth/webauthn-options?action=authenticate (provider=corepass)
+  Auth->>DB: listAuthenticatorsByUserId (optional) / challenge cookie
+  Auth-->>B: 200 RequestOptions + challenge cookie
+  B->>B: navigator.credentials.get()
+  B->>Auth: POST /auth/callback/corepass { action:"authenticate", data }
+  Auth->>DB: getAuthenticator(credentialId) + verifyAuthenticationResponse()
+  Auth->>DB: updateAuthenticatorCounter()
+  Auth-->>B: session established
+  Note over Auth: (optional) POST login webhook { coreId, refId? } (loginWebhookRetries, default 3)
+```
+
+## Install
+
+```bash
+npm install authjs-corepass-provider
+```
+
+You also need:
+
+- `@auth/core` (peer dependency)
+- `@simplewebauthn/browser` in your frontend
+
+## Auth.js configuration
+
+```ts
+import { Auth } from "@auth/core"
+import CorePass from "authjs-corepass-provider/provider"
+
+export const auth = (req: Request) =>
+  Auth(req, {
+    providers: [CorePass()],
+    adapter: /* your Auth.js adapter */,
+  })
+```
+
+## CorePass endpoints
+
+You mount these where you want in your app (framework-specific). The handlers are plain Web API `Request -> Response`.
+
+```ts
+import { createCorePassServer } from "authjs-corepass-provider"
+
+const corepass = createCorePassServer({
+  adapter: /* Auth.js adapter (must implement WebAuthn + user methods) */,
+  // store must implement CorePassStore:
+  // - pending registrations (default flow)
+  // - coreId <-> userId identity mapping
+  // - profile metadata (o18y/o21y/kyc/provided_till)
+  //
+  // Built-ins:
+  // - d1CorePassStore(db) for Cloudflare D1
+  // - postgresCorePassStore(pg) for Postgres (node-postgres, etc)
+  // - supabaseCorePassStore(supabase) for Supabase client
+  store: /* CorePassStore implementation */,
+  challengeStore: /* CorePassChallengeStore implementation (KV/Redis/etc) */,
+  rpID: "example.com",
+  rpName: "Example",
+  expectedOrigin: "https://example.com",
+
+  // default: pending registrations are required
+  allowImmediateFinalize: false,
+})
+
+// Optional: login webhook (call from Auth.js events.signIn)
+// events: {
+//   async signIn({ user, account }) {
+//     if (account?.provider === "corepass" && account?.type === "webauthn" && user?.id) {
+//       await corepass.postLoginWebhook({ userId: user.id })
+//     }
+//   }
+// }
+//
+// Optional: logout webhook (call from Auth.js events.signOut)
+// events: {
+//   async signOut({ session }) {
+//     // You must be able to map the logout event to a userId.
+//     // How you obtain userId depends on your Auth.js setup/session strategy.
+//     // If you have it:
+//     // await corepass.postLogoutWebhook({ userId })
+//   }
+// }
+
+export async function POST(req: Request) {
+  const url = new URL(req.url)
+  if (url.pathname === "/webauthn/start") return corepass.startRegistration(req)
+  if (url.pathname === "/webauthn/finish") return corepass.finishRegistration(req)
+  if (url.pathname === "/passkey/data") return corepass.enrichRegistration(req)
+  return new Response("Not found", { status: 404 })
+}
+```
+
+### “Unified” server factory helpers (same DB client)
+
+If you want to avoid manually wiring `store: d1CorePassStore(...)` etc, you can use the factories:
+
+- `createCorePassServerD1({ db, ... })`
+- `createCorePassServerPostgres({ pg, ... })`
+- `createCorePassServerSupabase({ supabase, ... })`
+- `createCorePassServerCloudflareD1Kv({ db, kv, ... })`
+- `createCorePassServerPostgresRedis({ pg, redis, ... })`
+- `createCorePassServerSupabaseUpstash({ supabase, redis, ... })`
+- `createCorePassServerSupabaseVercelKv({ supabase, kv, ... })`
+
+This does **not** create an Auth.js adapter for you (adapters are separate packages), but it ensures the CorePass
+store uses the same DB client you pass in.
+
+## `challengeStore` (what it is, and what it supports)
+
+`challengeStore` is **not an Auth.js provider** and it is **not tied to WebAuthn/Passkey provider IDs**.
+It’s a minimal storage interface used by this package’s custom endpoints to persist the WebAuthn challenge
+between:
+
+- `POST /webauthn/start` (generate challenge)
+- `POST /webauthn/finish` (verify attestation against expected challenge)
+
+It must support **TTL** (seconds) and **delete on use**.
+
+### How to wire it to real systems
+
+You create/access your KV/Redis client *in your runtime* and pass it into the helper:
+
+- Cloudflare Workers: use an **`env` binding**
+- Node/Next.js/etc: create a **Redis client** using URL/token from env vars
+
+### Example: in-memory (development only)
+
+```ts
+import { memoryChallengeStore } from "authjs-corepass-provider"
+```
+
+### Example: Redis / Upstash
+
+```ts
+import { redisChallengeStore } from "authjs-corepass-provider"
+import { Redis } from "ioredis"
+
+const redis = new Redis(process.env.REDIS_URL!)
+
+const challengeStore = redisChallengeStore({
+    set: (key, value, { ex }) => redis.set(key, value, "EX", ex),
+    get: (key) => redis.get(key),
+    del: (key) => redis.del(key),
+})
+```
+
+### Example: Cloudflare KV
+
+```ts
+import { kvChallengeStore } from "authjs-corepass-provider"
+
+// wrangler.jsonc:
+// {
+//     "kv_namespaces": [
+//         { "binding": "COREPASS_KV", "id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }
+//     ]
+// }
+//
+// Worker handler: env.COREPASS_KV is a KVNamespace binding.
+//
+// const challengeStore = kvChallengeStore(env.COREPASS_KV)
+```
+
+### Example: Vercel KV (Redis)
+
+```ts
+import { vercelKvChallengeStore } from "authjs-corepass-provider"
+import { kv } from "@vercel/kv"
+
+// Vercel manages connection details via environment variables.
+// See Vercel KV setup for the required env vars.
+
+const challengeStore = vercelKvChallengeStore({
+    set: (key, value, { ex }) => kv.set(key, value, { ex }),
+    get: (key) => kv.get<string>(key),
+    del: (key) => kv.del(key),
+})
+```
+
+### Example: Upstash Redis REST (`@upstash/redis`)
+
+```ts
+import { upstashRedisChallengeStore } from "authjs-corepass-provider"
+import { Redis } from "@upstash/redis"
+
+const redis = new Redis({
+    url: process.env.UPSTASH_REDIS_REST_URL!,
+    token: process.env.UPSTASH_REDIS_REST_TOKEN!,
+})
+
+const challengeStore = upstashRedisChallengeStore({
+    set: (key, value, { ex }) => redis.set(key, value, { ex }),
+    get: (key) => redis.get<string>(key),
+    del: (key) => redis.del(key),
+})
+```
+
+### Example: Cloudflare Durable Objects
+
+Durable Objects are a good fit if you want low-latency ephemeral state close to your Worker.
+
+```ts
+import { durableObjectChallengeStore } from "authjs-corepass-provider"
+
+// Your Durable Object must implement these routes:
+// - POST /challenge/put { key, value, ttlSeconds }
+// - GET  /challenge/get?key=...
+// - POST /challenge/delete { key }
+//
+// Then:
+// const challengeStore = durableObjectChallengeStore(env.COREPASS_DO.get(id))
+```
+
+### Example: DynamoDB (AWS SDK v3)
+
+If you already run on AWS and want a managed KV with TTL:
+
+```ts
+import { dynamoChallengeStore } from "authjs-corepass-provider"
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb"
+import { DynamoDBDocumentClient, PutCommand, GetCommand, DeleteCommand } from "@aws-sdk/lib-dynamodb"
+
+const TableName = process.env.COREPASS_CHALLENGE_TABLE!
+const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({}))
+const nowSec = () => Math.floor(Date.now() / 1000)
+
+// This library doesn't hard-depend on AWS SDK; you provide a small adapter:
+const challengeStore = dynamoChallengeStore({
+    put: ({ key, value, expiresAt }) =>
+        ddb.send(new PutCommand({ TableName, Item: { pk: key, value, expiresAt } })),
+    get: async (key) => {
+        const res = await ddb.send(new GetCommand({ TableName, Key: { pk: key } }))
+        const item = res.Item as { value?: string; expiresAt?: number } | undefined
+        if (!item?.value || typeof item.expiresAt !== "number") return null
+        if (item.expiresAt < nowSec()) return null
+        return { value: item.value, expiresAt: item.expiresAt }
+    },
+    delete: (key) => ddb.send(new DeleteCommand({ TableName, Key: { pk: key } })),
+})
+```
+
+### Example: SQL / D1
+
+Use a table like:
+
+```sql
+CREATE TABLE IF NOT EXISTS corepass_challenges (
+  key TEXT PRIMARY KEY,
+  value TEXT NOT NULL,
+  expires_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_corepass_challenges_expires_at ON corepass_challenges(expires_at);
+```
+
+Then implement:
+
+```ts
+import type { CorePassChallengeStore } from "authjs-corepass-provider"
+
+export function sqlChallengeStore(db: {
+  exec: (sql: string, params?: unknown[]) => Promise<unknown>
+  get: (sql: string, params?: unknown[]) => Promise<{ value: string; expires_at: number } | null>
+}): CorePassChallengeStore {
+  const nowSec = () => Math.floor(Date.now() / 1000)
+
+  return {
+    async put(key, value, ttlSeconds) {
+      const expiresAt = nowSec() + ttlSeconds
+      await db.exec(
+        "INSERT OR REPLACE INTO corepass_challenges (key, value, expires_at) VALUES (?1, ?2, ?3)",
+        [key, value, expiresAt]
+      )
+    },
+    async get(key) {
+      const row = await db.get(
+        "SELECT value, expires_at FROM corepass_challenges WHERE key = ?1",
+        [key]
+      )
+      if (!row) return null
+      if (row.expires_at < nowSec()) {
+        await db.exec("DELETE FROM corepass_challenges WHERE key = ?1", [key])
+        return null
+      }
+      return row.value
+    },
+    async delete(key) {
+      await db.exec("DELETE FROM corepass_challenges WHERE key = ?1", [key])
+    },
+  }
+}
+```
+
+## Database
+
+Apply your adapter’s default Auth.js schema, then apply:
+
+- `db/corepass-schema.sql` (SQLite/D1)
+- `db/corepass-schema.postgres.sql` (PostgreSQL/Supabase)
+
+This adds:
+
+- `corepass_pending_registrations`
+- `corepass_identities` (CoreID → Auth.js `userId` mapping)
+- `corepass_profiles` (CorePass metadata like `o18y`, `kyc`, `provided_till`)
+
+## Options
+
+- **`allowedAaguids`**: defaults to CorePass AAGUID `636f7265-7061-7373-6964-656e74696679`. Set to `false` to allow any authenticator.
+- **`pubKeyCredAlgs`**: defaults to `[-257, -7, -8]` (RS256, ES256, Ed25519).
+- **`allowImmediateFinalize`**: if enabled, `finishRegistration` may finalize immediately if `coreId` is provided in the browser payload. This is **disabled by default** because it weakens the CoreID ownership guarantee (the default flow requires the Ed448-signed `/passkey/data` request).
+- **`emailRequired`**: defaults to `false` (email can arrive later via `/passkey/data`). If no email is ever provided, the library creates the Auth.js user with a deterministic synthetic email and updates it once a real email is received.
+- **`requireO18y`**: defaults to `false`. If enabled, `/passkey/data` must include `userData.o18y=true` or finalization is rejected. Not enforced for immediate-finalize.
+- **`requireO21y`**: defaults to `false`. If enabled, `/passkey/data` must include `userData.o21y=true` or finalization is rejected. Not enforced for immediate-finalize.
+- **`requireKyc`**: defaults to `false`. If enabled, `/passkey/data` must include `userData.kyc=true` or finalization is rejected. Not enforced for immediate-finalize.
+- **`enableRefId`**: defaults to `false`. When enabled, the server generates and stores a `refId` (UUIDv4) for the CoreID identity and can include it in webhooks. When disabled, no `refId` is generated or stored.
+- **Registration webhook options**:
+  - **`postRegistrationWebhooks`**: defaults to `false`.
+  - **`registrationWebhookUrl`**: required if `postRegistrationWebhooks: true`.
+  - **`registrationWebhookSecret`**: optional. If set, requests are HMAC-signed (SHA-256) using `timestamp + "\\n" + body` and include `X-Webhook-Timestamp` (unix seconds) and `X-Webhook-Signature` (`sha256=<hex>`).
+  - **`registrationWebhookRetries`**: defaults to `3` (range `1-10`). Retries happen on non-2xx responses or network errors.
+- **Login webhook options**:
+  - **`postLoginWebhooks`**: defaults to `false`.
+  - **`loginWebhookUrl`**: required if `postLoginWebhooks: true`.
+  - **`loginWebhookSecret`**: optional. Same signing format/headers as registration.
+  - **`loginWebhookRetries`**: defaults to `3` (range `1-10`). Retries happen on non-2xx responses or network errors.
+- **Logout webhook options**:
+  - **`postLogoutWebhooks`**: defaults to `false`.
+  - **`logoutWebhookUrl`**: required if `postLogoutWebhooks: true`.
+  - **`logoutWebhookSecret`**: optional. Same signing format/headers as registration.
+  - **`logoutWebhookRetries`**: defaults to `3` (range `1-10`). Retries happen on non-2xx responses or network errors.
+- **`pendingTtlSeconds`**: defaults to `600` (10 minutes). Pending registrations expire after this and are dropped.
+- **`timestampWindowMs`**: defaults to `600000` (10 minutes). Enrichment `timestamp` must be within this window.
+
+## Enrichment payload (`/passkey/data`)
+
+The CorePass app sends:
+
+- **Body**: `{ coreId, credentialId, timestamp, userData }`
+- **Header**: `X-Signature` (Ed448 signature)
+
+### Canonical payload + signature input
+
+For signature verification, the server **does not** use the raw request body bytes. Instead it:
+
+- **Canonicalizes JSON**: recursively sorts object keys alphabetically and serializes with `JSON.stringify(...)` (so it is **minified**, no whitespace).
+- **Builds signature input** as:
+
+```text
+signatureInput = "POST\n" + signaturePath + "\n" + canonicalJsonBody
+```
+
+Then it verifies `X-Signature` (Ed448) over `UTF-8(signatureInput)`.
+
+This means the CorePass signer must sign the **same canonical JSON string** (alphabetically ordered + minified) and the same `signaturePath` (defaults to `/passkey/data`, configurable via `signaturePath`).
+
+### Timestamp units
+
+`timestamp` is required and must be a **Unix timestamp in microseconds**.
+
+`userData` fields:
+
+| Field | Type | Example | Notes |
+| - | - | - | - |
+| `email` | `string` | `user@example.com` | Optional. If provided later, Auth.js user email is updated. |
+| `o18y` | `boolean (or 0/1)` | `true` | Stored in `corepass_profiles.o18y`. |
+| `o21y` | `boolean (or 0/1)` | `false` | Stored in `corepass_profiles.o21y`. |
+| `kyc` | `boolean (or 0/1)` | `true` | Stored in `corepass_profiles.kyc`. |
+| `kycDoc` | `string` | `PASSPORT` | Stored in `corepass_profiles.kyc_doc`. |
+| `dataExp` | `number` | `43829` | Minutes. Converted to `provided_till`. |
+
+`refId` is **not part of CorePass `/passkey/data`**. If you need an external correlation id, enable `enableRefId` and deliver it via your webhooks.
+
+### `provided_till` calculation
+
+`provided_till` is stored as a **Unix timestamp in seconds**:
+
+```text
+provided_till = floor(now_sec) + dataExpMinutes * 60
+```
+
+## Notes on Auth.js internals
+
+Auth.js’ built-in WebAuthn flow normally creates the user/account/authenticator during the WebAuthn callback. CorePass intentionally delays this until enrichment, so it uses custom endpoints instead of Auth.js’ built-in “register” callback path.
+
+## Upstream references
+
+- Auth.js contributing guide: `https://raw.githubusercontent.com/nextauthjs/.github/main/CONTRIBUTING.md`
+- Auth.js built-in Passkey provider: `https://raw.githubusercontent.com/nextauthjs/next-auth/main/packages/core/src/providers/passkey.ts`

package/db/corepass-schema.postgres.sql

@@ -0,0 +1,46 @@
+-- CorePass extension tables for Auth.js (PostgreSQL)
+--
+-- Apply this *in addition to* your adapter's default schema.
+--
+-- Tables added:
+-- - corepass_identities: maps CoreID to your Auth.js userId
+-- - corepass_profiles: stores CorePass-specific user metadata
+-- - corepass_pending_registrations: stores passkey registrations until /passkey/data enrichment finalizes them
+
+CREATE TABLE IF NOT EXISTS corepass_identities (
+    core_id TEXT PRIMARY KEY,
+    user_id TEXT NOT NULL UNIQUE,
+    ref_id UUID,
+    created_at BIGINT NOT NULL DEFAULT (EXTRACT(EPOCH FROM NOW())::BIGINT),
+    updated_at BIGINT NOT NULL DEFAULT (EXTRACT(EPOCH FROM NOW())::BIGINT)
+);
+
+CREATE TABLE IF NOT EXISTS corepass_profiles (
+    user_id TEXT PRIMARY KEY,
+    core_id TEXT NOT NULL UNIQUE,
+    o18y BOOLEAN,
+    o21y BOOLEAN,
+    kyc BOOLEAN,
+    kyc_doc TEXT,
+    provided_till BIGINT,
+    created_at BIGINT NOT NULL DEFAULT (EXTRACT(EPOCH FROM NOW())::BIGINT),
+    updated_at BIGINT NOT NULL DEFAULT (EXTRACT(EPOCH FROM NOW())::BIGINT)
+);
+
+CREATE TABLE IF NOT EXISTS corepass_pending_registrations (
+    token UUID PRIMARY KEY,
+    credential_id TEXT NOT NULL UNIQUE,
+    credential_public_key TEXT NOT NULL,
+    counter BIGINT NOT NULL DEFAULT 0,
+    credential_device_type TEXT NOT NULL,
+    credential_backed_up BOOLEAN NOT NULL DEFAULT FALSE,
+    transports TEXT,
+    email TEXT,
+    ref_id UUID,
+    aaguid UUID,
+    created_at BIGINT NOT NULL DEFAULT (EXTRACT(EPOCH FROM NOW())::BIGINT),
+    expires_at BIGINT NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_corepass_pending_expires_at
+    ON corepass_pending_registrations(expires_at);

package/db/corepass-schema.sql

@@ -0,0 +1,50 @@
+-- CorePass extension tables for Auth.js
+--
+-- This file intentionally does NOT include the Auth.js default tables.
+-- Apply this *in addition to* your adapter's default schema.
+--
+-- Tables added:
+-- - corepass_identities: maps CoreID to your Auth.js userId (adapter-generated or otherwise)
+-- - corepass_profiles: stores CorePass-specific user metadata
+-- - corepass_pending_registrations: stores passkey registrations until /passkey/data enrichment finalizes them
+
+-- CoreID -> userId mapping
+CREATE TABLE IF NOT EXISTS corepass_identities (
+  core_id    TEXT PRIMARY KEY,
+  user_id    TEXT NOT NULL UNIQUE,
+  ref_id     TEXT,
+  created_at INTEGER NOT NULL DEFAULT (strftime('%s','now')),
+  updated_at INTEGER NOT NULL DEFAULT (strftime('%s','now'))
+);
+
+-- CorePass user metadata (optional)
+CREATE TABLE IF NOT EXISTS corepass_profiles (
+  user_id       TEXT PRIMARY KEY,
+  core_id       TEXT NOT NULL UNIQUE,
+  o18y          INTEGER,
+  o21y          INTEGER,
+  kyc           INTEGER,
+  kyc_doc       TEXT,
+  provided_till INTEGER,
+  created_at    INTEGER NOT NULL DEFAULT (strftime('%s','now')),
+  updated_at    INTEGER NOT NULL DEFAULT (strftime('%s','now'))
+);
+
+-- Pending registrations (default CorePass flow)
+CREATE TABLE IF NOT EXISTS corepass_pending_registrations (
+  token                  TEXT PRIMARY KEY,
+  credential_id          TEXT NOT NULL UNIQUE, -- base64 credential id
+  credential_public_key  TEXT NOT NULL,        -- base64 public key
+  counter                INTEGER NOT NULL DEFAULT 0,
+  credential_device_type TEXT NOT NULL,
+  credential_backed_up   INTEGER NOT NULL DEFAULT 0,
+  transports             TEXT,
+  email                  TEXT,
+  ref_id                 TEXT,
+  aaguid                 TEXT,
+  created_at             INTEGER NOT NULL DEFAULT (strftime('%s','now')),
+  expires_at             INTEGER NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_corepass_pending_expires_at
+  ON corepass_pending_registrations(expires_at);

package/dist/chunk-72ZEQHQO.js

@@ -0,0 +1,33 @@
+// src/provider.ts
+import WebAuthn, {
+  DEFAULT_WEBAUTHN_TIMEOUT
+} from "@auth/core/providers/webauthn";
+function CorePass(config = {}) {
+  return WebAuthn({
+    id: "corepass",
+    name: "CorePass",
+    authenticationOptions: {
+      timeout: DEFAULT_WEBAUTHN_TIMEOUT,
+      userVerification: "required"
+    },
+    registrationOptions: {
+      timeout: DEFAULT_WEBAUTHN_TIMEOUT,
+      authenticatorSelection: {
+        residentKey: "required",
+        userVerification: "required"
+      }
+    },
+    verifyAuthenticationOptions: {
+      requireUserVerification: true
+    },
+    verifyRegistrationOptions: {
+      requireUserVerification: true
+    },
+    ...config
+  });
+}
+
+export {
+  CorePass
+};
+//# sourceMappingURL=chunk-72ZEQHQO.js.map

package/dist/chunk-72ZEQHQO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/provider.ts"],"sourcesContent":["import WebAuthn, {\n\tDEFAULT_WEBAUTHN_TIMEOUT,\n\ttype WebAuthnConfig,\n} from \"@auth/core/providers/webauthn\"\n\n/**\n * CorePass Auth.js provider.\n *\n * This provider is a thin wrapper around Auth.js' built-in WebAuthn provider with\n * Passkey-friendly defaults. CorePass' pending-registration + enrichment flow is\n * implemented via the server helpers exported from this package (see `createCorePassServer`).\n */\nexport default function CorePass(\n\tconfig: Partial<WebAuthnConfig> = {}\n): WebAuthnConfig {\n\treturn WebAuthn({\n\t\tid: \"corepass\",\n\t\tname: \"CorePass\",\n\t\tauthenticationOptions: {\n\t\t\ttimeout: DEFAULT_WEBAUTHN_TIMEOUT,\n\t\t\tuserVerification: \"required\",\n\t\t},\n\t\tregistrationOptions: {\n\t\t\ttimeout: DEFAULT_WEBAUTHN_TIMEOUT,\n\t\t\tauthenticatorSelection: {\n\t\t\t\tresidentKey: \"required\",\n\t\t\t\tuserVerification: \"required\",\n\t\t\t},\n\t\t},\n\t\tverifyAuthenticationOptions: {\n\t\t\trequireUserVerification: true,\n\t\t},\n\t\tverifyRegistrationOptions: {\n\t\t\trequireUserVerification: true,\n\t\t},\n\t\t...config,\n\t})\n}\n"],"mappings":";AAAA,OAAO;AAAA,EACN;AAAA,OAEM;AASQ,SAAR,SACN,SAAkC,CAAC,GAClB;AACjB,SAAO,SAAS;AAAA,IACf,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,uBAAuB;AAAA,MACtB,SAAS;AAAA,MACT,kBAAkB;AAAA,IACnB;AAAA,IACA,qBAAqB;AAAA,MACpB,SAAS;AAAA,MACT,wBAAwB;AAAA,QACvB,aAAa;AAAA,QACb,kBAAkB;AAAA,MACnB;AAAA,IACD;AAAA,IACA,6BAA6B;AAAA,MAC5B,yBAAyB;AAAA,IAC1B;AAAA,IACA,2BAA2B;AAAA,MAC1B,yBAAyB;AAAA,IAC1B;AAAA,IACA,GAAG;AAAA,EACJ,CAAC;AACF;","names":[]}