electron-webauthn 0.0.12 → 0.0.14

package/README.md

@@ -15,6 +15,9 @@ This package provides JavaScript bindings to Apple's AuthenticationServices fram
 - 🔑 Support for cross-platform authenticators (external security keys)
 - 📦 TypeScript first with complete type definitions
 - 🎨 Seamless integration with Electron's native window system
+- 🔐 PRF (Pseudo-Random Function) support for credential assertions
+- 💾 Large Blob support for storing credential-specific data
+- ⚙️ User verification preference configuration (preferred, required, discouraged)
 
 ## Installation
 
@@ -49,8 +52,9 @@ async function authenticate() {
   const result = await getCredential(
     "example.com", // Relying Party ID
     Buffer.from("your-challenge"), // Challenge from server
-    nativeWindowHandle, // Native window for UI presentation
-    [] // Optional: allowed credential IDs
+    "https://example.com", // Origin
+    [], // Optional: allowed credential IDs
+    "preferred" // Optional: user verification preference
   );
 
   console.log(result);
@@ -61,12 +65,14 @@ async function authenticate() {
   // - authenticatorData: Authenticator data (Buffer)
   // - signature: Assertion signature (Buffer)
   // - userHandle: User handle (Buffer)
+  // - prf: [Buffer | null, Buffer | null] - PRF output (if supported)
+  // - largeBlob: Buffer | null - Large blob data (if supported)
 }
 ```
 
 ## API Reference
 
-### `getCredential(rpid, challenge, nativeWindowHandle, allowedCredentialIds)`
+### `getCredential(rpid, challenge, origin, allowedCredentialIds, userVerificationPreference)`
 
 Performs a WebAuthn assertion (authentication) using available platform and cross-platform authenticators.
 
@@ -74,8 +80,12 @@ Performs a WebAuthn assertion (authentication) using available platform and cros
 
 - **`rpid: string`** - The Relying Party ID (typically your domain)
 - **`challenge: Buffer`** - The challenge from your server (32+ bytes recommended)
-- **`nativeWindowHandle: Buffer`** - The native window handle from Electron
+- **`origin: string`** - The origin where the credential assertion will be used (e.g., "https://example.com")
 - **`allowedCredentialIds: Buffer[]`** - Optional array of credential IDs the user can use (empty = all registered credentials)
+- **`userVerificationPreference?: UserVerificationPreference`** - Optional preference for user verification. Can be:
+  - `"preferred"` - User verification is preferred but not required (default)
+  - `"required"` - User verification is required
+  - `"discouraged"` - User verification should be discouraged
 
 #### Returns
 
@@ -91,49 +101,20 @@ interface GetCredentialResult {
   authenticatorData: Buffer; // Authenticator data from the device
   signature: Buffer; // Digital signature from the authenticator
   userHandle: Buffer; // User handle from the credential
+  prf: [Buffer | null, Buffer | null]; // PRF output (if supported by authenticator)
+  largeBlob: Buffer | null; // Large blob data (if supported by authenticator)
 }
 ```
 
-## Architecture
-
-### Package Structure
+#### User Verification Preference Type
 
+```typescript
+type UserVerificationPreference = "preferred" | "required" | "discouraged";
 ```
-src/
-├── index.ts                           # Main export - getCredential function
-├── helpers.ts                         # Utility functions
-├── objc/
-│   ├── authentication-services/       # AuthenticationServices framework bindings
-│   │   ├── as-authorization-*.ts      # Authorization request/response objects
-│   │   ├── enums/                     # Enumeration values
-│   │   └── index.ts                   # Exports
-│   └── foundation/                    # Foundation framework bindings
-│       ├── nsdata.ts                  # NSData (binary data) bindings
-│       ├── nsstring.ts                # NSString bindings
-│       ├── nsarray.ts                 # NSArray bindings
-│       ├── nserror.ts                 # NSError bindings
-│       ├── nsview.ts                  # NSView bindings
-│       ├── nswindow.ts                # NSWindow bindings
-│       └── index.ts                   # Exports
-└── test/                              # Test utilities
-    ├── index.ts                       # Test script
-    ├── window.ts                      # Test window helpers
-    └── example.ts                     # Example usage
-```
-
-### Dependencies
 
-- **objc-js** - Native Objective-C bindings for JavaScript
-- **TypeScript** - For type checking and compilation
-
-## How It Works
+## Architecture
 
-1. **Request Creation**: The library creates a `ASAuthorizationPlatformPublicKeyCredentialProvider` with your RP ID
-2. **Request Configuration**: Sets up the challenge and optional allowed credentials list
-3. **Controller Setup**: Creates an `ASAuthorizationController` to manage the authentication flow
-4. **Delegation**: Registers delegates to handle success/error responses from the system
-5. **Presentation**: Shows the native authentication UI in your window
-6. **Result Processing**: Converts Objective-C objects to JavaScript Buffers and returns the assertion data
+This library implements the WebAuthn standard using native APIs. Under the hood it handles all the complexity of macOS's authentication system, so you just call `getCredential()` with your challenge and get back the signed assertion.
 
 ## Usage Examples
 
@@ -155,7 +136,7 @@ app.on("ready", () => {
 // In your preload script or main process
 export async function authenticateUser(challenge: Buffer) {
   const nativeHandle = getPointer(mainWindow.getNativeWindowHandle());
-  return getCredential("myapp.com", challenge, nativeHandle, []);
+  return getCredential("myapp.com", challenge, "https://myapp.com", []);
 }
 ```
 
@@ -166,11 +147,43 @@ export async function authenticateUser(challenge: Buffer) {
 const result = await getCredential(
   "myapp.com",
   challenge,
-  nativeWindowHandle,
+  "https://myapp.com",
   [credentialId1, credentialId2] // User can only use these credentials
 );
 ```
 
+### With User Verification Requirement
+
+```typescript
+// Require user verification (e.g., for sensitive operations)
+const result = await getCredential(
+  "myapp.com",
+  challenge,
+  "https://myapp.com",
+  [], // No credential restrictions
+  "required" // Require user verification (biometric or PIN)
+);
+```
+
+### Using PRF Output
+
+```typescript
+// Get credential with PRF support
+const result = await getCredential(
+  "myapp.com",
+  challenge,
+  "https://myapp.com",
+  []
+);
+
+// PRF output is available in the result
+const [prfFirst, prfSecond] = result.prf;
+if (prfFirst) {
+  // Use PRF output for additional cryptographic operations
+  console.log("PRF first output:", prfFirst);
+}
+```
+
 ### Server-Side Verification
 
 After getting the assertion result, verify it on your server:
@@ -197,7 +210,7 @@ try {
   const result = await getCredential(
     "example.com",
     challenge,
-    nativeWindowHandle,
+    "https://example.com",
     []
   );
 } catch (error) {
@@ -206,51 +219,25 @@ try {
 }
 ```
 
-## Platform Support
-
-| Platform  | Support          |
-| --------- | ---------------- |
-| macOS 12+ | ✅ Full support  |
-| Windows   | ❌ Not supported |
-| Linux     | ❌ Not supported |
-| iOS       | ❌ Not supported |
-
-## WebAuthn Spec Compliance
-
-This library implements the WebAuthn Level 2 specification for the assertion (authentication) operation:
-
-- ✅ Public Key Credential (assertions)
-- ✅ Platform authenticators (built-in)
-- ✅ Cross-platform authenticators (external)
-- ❌ Credential registration (create)
-- ℹ️ See [WebAuthn Specification](https://www.w3.org/TR/webauthn-2/)
-
-## Development
-
-### Building
-
-```bash
-bun run build
-```
-
-This compiles TypeScript to JavaScript in the `dist/` directory.
+**Supported:**
 
-## Contributing
+- ✅ WebAuthn assertions (authentication with existing credentials)
+- ✅ Cross-platform authenticators (external security keys)
+- ✅ Platform authenticators (Touch ID, Face ID)
+- ✅ PRF (Pseudo-Random Function) output
+- ✅ Large Blob support
 
-Contributions are welcome! Please ensure:
+**Not Supported:**
 
-1. Code is properly typed with TypeScript
-2. New features include appropriate documentation
-3. Tests pass with `bun run test`
-4. Code builds successfully with `bun run build`
+- ❌ Credential registration (attestation)
+- ❌ Discoverable credentials
 
 ## License
 
 See [LICENSE](./LICENSE) file for details.
 
-## Related Resources
+## Resources
 
 - [WebAuthn Specification](https://www.w3.org/TR/webauthn-2/)
-- [Apple AuthenticationServices Documentation](https://developer.apple.com/documentation/authenticationservices)
 - [Electron Documentation](https://www.electronjs.org/docs)
 - [objc-js Library](https://github.com/iamEvanYT/objc-js)

package/dist/create/handler.d.ts

@@ -0,0 +1,4 @@
+export interface CreateCredentialResult {
+}
+declare function createCredential(rpid: string): Promise<CreateCredentialResult>;
+export { createCredential };

package/dist/create/handler.js

@@ -0,0 +1,6 @@
+import { PromiseWithResolvers } from "../helpers/index.js";
+function createCredential(rpid) {
+    const { promise, resolve, reject } = PromiseWithResolvers();
+    return promise;
+}
+export { createCredential };

package/dist/{get-authorization-controller.d.ts → get/authorization-controller.d.ts}

@@ -2,4 +2,3 @@ import { NobjcObject } from "objc-js";
 export declare function setClientDataHash(self: NobjcObject, clientDataHash: Buffer): void;
 export declare function removeClientDataHash(self: NobjcObject): void;
 export declare const WebauthnGetController: NobjcObject;
-//# sourceMappingURL=get-authorization-controller.d.ts.map

package/dist/{get-authorization-controller.js → get/authorization-controller.js}

@@ -1,5 +1,5 @@
 import { NobjcClass, NobjcObject, getPointer } from "objc-js";
-import { NSDataFromBuffer } from "./objc/foundation/nsdata.js";
+import { NSDataFromBuffer } from "../objc/foundation/nsdata.js";
 const getControllerState = new Map();
 function getObjectPointerString(self) {
     return getPointer(self).toBase64();
@@ -16,12 +16,10 @@ export const WebauthnGetController = NobjcClass.define({
     name: "WebauthnGetController",
     superclass: "ASAuthorizationController",
     methods: {
-        // This overrides the default implementation of _requestContextWithRequests$error$ to allow us to set the clientDataHash on the assertion options
         _requestContextWithRequests$error$: {
             types: "@@:@^@",
             implementation: (self, requests, outError) => {
                 const context = NobjcClass.super(self, "_requestContextWithRequests$error$", requests, outError);
-                // Grab the assertion options, set the client data hash, and set a copy of the assertion options back on the context
                 const selfPointer = getObjectPointerString(self);
                 if (getControllerState.has(selfPointer)) {
                     const assertionOptions = context.platformKeyCredentialAssertionOptions();
@@ -34,4 +32,3 @@ export const WebauthnGetController = NobjcClass.define({
         },
     },
 });
-//# sourceMappingURL=get-authorization-controller.js.map

package/dist/get/handler.d.ts

@@ -0,0 +1,24 @@
+import { type PRFInput } from "../helpers/prf.js";
+type AuthenticatorAttachment = "platform" | "cross-platform";
+export type UserVerificationPreference = "preferred" | "required" | "discouraged";
+declare const VALID_EXTENSIONS: readonly ["largeBlobRead", "largeBlobWrite", "prf"];
+export type CredentialAssertionExtensions = (typeof VALID_EXTENSIONS)[number];
+export interface GetCredentialResult {
+    id: Buffer;
+    authenticatorAttachment: AuthenticatorAttachment;
+    clientDataJSON: Buffer;
+    authenticatorData: Buffer;
+    signature: Buffer;
+    userHandle: Buffer;
+    prf: [Buffer | null, Buffer | null];
+    largeBlob: Buffer | null;
+    largeBlobWritten: boolean | null;
+}
+export interface GetCredentialAdditionalOptions {
+    largeBlobDataToWrite?: Buffer;
+    prf?: PRFInput;
+    prfByCredential?: Record<string, PRFInput>;
+    topFrameOrigin?: string;
+}
+declare function getCredential(rpid: string, challenge: Buffer, nativeWindowHandle: Buffer, origin: string, enabledExtensions: CredentialAssertionExtensions[], allowedCredentialIds: Buffer[], userVerificationPreference?: UserVerificationPreference, additionalOptions?: GetCredentialAdditionalOptions): Promise<GetCredentialResult>;
+export { getCredential };

package/dist/get/handler.js

@@ -0,0 +1,179 @@
+import { fromPointer } from "objc-js";
+import { createAuthorizationControllerDelegate } from "../objc/authentication-services/as-authorization-controller-delegate.js";
+import { ASAuthorizationController } from "../objc/authentication-services/as-authorization-controller.js";
+import { createPresentationContextProvider } from "../objc/authentication-services/as-authorization-controller-presentation-context-providing.js";
+import { createPlatformPublicKeyCredentialProvider } from "../objc/authentication-services/as-authorization-platform-public-key-credential-provider.js";
+import { createPlatformPublicKeyCredentialDescriptor } from "../objc/authentication-services/as-authorization-platform-public-key-credential-descriptor.js";
+import { NSArrayFromObjects } from "../objc/foundation/nsarray.js";
+import { bufferFromNSDataDirect, NSDataFromBuffer, } from "../objc/foundation/nsdata.js";
+import { NSStringFromString } from "../objc/foundation/nsstring.js";
+import { base64UrlToBuffer, bufferToBase64Url, clientDataJsonBufferToHash, PromiseWithResolvers, } from "../helpers/index.js";
+import { isSameOrigin, serializeOrigin } from "../helpers/origin.js";
+import { ASAuthorizationPublicKeyCredentialAttachment } from "../objc/authentication-services/enums/as-authorization-public-key-credential-attachment.js";
+import { removeClientDataHash, setClientDataHash, WebauthnGetController, } from "../get/authorization-controller.js";
+import { createSecurityKeyPublicKeyCredentialProvider } from "../objc/authentication-services/as-authorization-security-key-public-key-credential-provider.js";
+import { createASAuthorizationPublicKeyCredentialLargeBlobAssertionInput } from "../objc/authentication-services/as-authorization-public-key-credential-large-blob-assertion-input.js";
+import { ASAuthorizationPublicKeyCredentialLargeBlobAssertionOperation } from "../objc/authentication-services/enums/as-authorization-public-key-credential-large-blob-assertion-operation.js";
+import { createASAuthorizationPublicKeyCredentialPRFAssertionInput } from "../objc/authentication-services/as-authorization-public-key-credential-prf-assertion-input.js";
+import {} from "../objc/authentication-services/as-authorization-public-key-credential-prf-assertion-input-valuesas-authorization-public-key-credential-prf-assertion-input-values.js";
+import { createPRFInput } from "../helpers/prf.js";
+import { NSDictionaryFromKeysAndValues, } from "../objc/foundation/nsdictionary.js";
+const VALID_EXTENSIONS = ["largeBlobRead", "largeBlobWrite", "prf"];
+function setupPublicKeyCredentialRequest(type, keyRequest, userVerificationPreference, enabledExtensions, allowedCredentialIds, additionalOptions) {
+    if (userVerificationPreference === "preferred") {
+        keyRequest.setUserVerificationPreference$(NSStringFromString("preferred"));
+    }
+    else if (userVerificationPreference === "required") {
+        keyRequest.setUserVerificationPreference$(NSStringFromString("required"));
+    }
+    else if (userVerificationPreference === "discouraged") {
+        keyRequest.setUserVerificationPreference$(NSStringFromString("discouraged"));
+    }
+    if (type === "platform") {
+        const largeBlobRead = enabledExtensions.includes("largeBlobRead");
+        const largeBlobWrite = enabledExtensions.includes("largeBlobWrite");
+        if (largeBlobRead) {
+            const operation = ASAuthorizationPublicKeyCredentialLargeBlobAssertionOperation.Read;
+            const largeBlobInput = createASAuthorizationPublicKeyCredentialLargeBlobAssertionInput(operation);
+            keyRequest.setLargeBlob$(largeBlobInput);
+        }
+        else if (largeBlobWrite) {
+            if (additionalOptions.largeBlobDataToWrite) {
+                const operation = ASAuthorizationPublicKeyCredentialLargeBlobAssertionOperation.Write;
+                const largeBlobInput = createASAuthorizationPublicKeyCredentialLargeBlobAssertionInput(operation);
+                largeBlobInput.setDataToWrite$(NSDataFromBuffer(additionalOptions.largeBlobDataToWrite));
+                keyRequest.setLargeBlob$(largeBlobInput);
+            }
+            else {
+                console.warn("[electron-webauthn] largeBlobWrite is enabled but largeBlobDataToWrite is not provided, skipping large blob write");
+            }
+        }
+    }
+    if (type === "platform" && enabledExtensions.includes("prf")) {
+        if (additionalOptions.prf || additionalOptions.prfByCredential) {
+            let inputValues = null;
+            if (additionalOptions.prf) {
+                inputValues = createPRFInput(additionalOptions.prf);
+            }
+            let perCredentialInputValues = null;
+            if (additionalOptions.prfByCredential &&
+                allowedCredentialIds.length > 0) {
+                const keys = [];
+                const values = [];
+                for (const [credentialId, prfInput] of Object.entries(additionalOptions.prfByCredential)) {
+                    const credentialIdBuffer = base64UrlToBuffer(credentialId);
+                    const credentialIdData = NSDataFromBuffer(credentialIdBuffer);
+                    keys.push(credentialIdData);
+                    values.push(createPRFInput(prfInput));
+                }
+                perCredentialInputValues = NSDictionaryFromKeysAndValues(keys, values);
+            }
+            const prfInput = createASAuthorizationPublicKeyCredentialPRFAssertionInput(inputValues, perCredentialInputValues);
+            keyRequest.setPrf$(prfInput);
+        }
+        else {
+            console.warn("[electron-webauthn] prf is enabled but prf or prfByCredential is not provided, skipping PRF");
+        }
+    }
+}
+function getCredential(rpid, challenge, nativeWindowHandle, origin, enabledExtensions = [], allowedCredentialIds, userVerificationPreference, additionalOptions = {}) {
+    const { promise, resolve, reject } = PromiseWithResolvers();
+    const NS_rpID = NSStringFromString(rpid);
+    const NS_challenge = NSDataFromBuffer(challenge);
+    const platformProvider = createPlatformPublicKeyCredentialProvider(NS_rpID);
+    const platformKeyRequest = platformProvider.createCredentialAssertionRequestWithChallenge$(NS_challenge);
+    setupPublicKeyCredentialRequest("platform", platformKeyRequest, userVerificationPreference, enabledExtensions, allowedCredentialIds, additionalOptions);
+    const securityKeyProvider = createSecurityKeyPublicKeyCredentialProvider(NS_rpID);
+    const securityKeyRequest = securityKeyProvider.createCredentialAssertionRequestWithChallenge$(NS_challenge);
+    setupPublicKeyCredentialRequest("security-key", securityKeyRequest, userVerificationPreference, enabledExtensions, allowedCredentialIds, additionalOptions);
+    const requestsArray = NSArrayFromObjects([
+        platformKeyRequest,
+        securityKeyRequest,
+    ]);
+    const authController = WebauthnGetController.alloc().initWithAuthorizationRequests$(requestsArray);
+    const serializedOrigin = serializeOrigin(origin);
+    const clientData = {
+        type: "webauthn.get",
+        challenge: bufferToBase64Url(challenge),
+        origin: serializedOrigin,
+        crossOrigin: false,
+    };
+    if (additionalOptions.topFrameOrigin) {
+        const sameOrigin = isSameOrigin(origin, additionalOptions.topFrameOrigin);
+        if (!sameOrigin) {
+            const serializedTopFrameOrigin = serializeOrigin(additionalOptions.topFrameOrigin);
+            clientData.topOrigin = serializedTopFrameOrigin;
+            clientData.crossOrigin = true;
+        }
+    }
+    const clientDataJSON = JSON.stringify(clientData);
+    const clientDataBuffer = Buffer.from(clientDataJSON, "utf-8");
+    const clientDataHash = clientDataJsonBufferToHash(clientDataBuffer);
+    setClientDataHash(authController, clientDataHash);
+    const finished = (_success) => {
+        removeClientDataHash(authController);
+    };
+    if (allowedCredentialIds.length > 0) {
+        const allowedCredentials = NSArrayFromObjects(allowedCredentialIds.map((id) => createPlatformPublicKeyCredentialDescriptor(NSDataFromBuffer(id))));
+        platformKeyRequest.setAllowedCredentials$(allowedCredentials);
+    }
+    const delegate = createAuthorizationControllerDelegate({
+        didCompleteWithAuthorization: (_, authorization) => {
+            const credential = authorization.credential();
+            const id_data = credential.credentialID();
+            const id = bufferFromNSDataDirect(id_data);
+            let authenticatorAttachment = "platform";
+            if (credential.attachment() ===
+                ASAuthorizationPublicKeyCredentialAttachment.ASAuthorizationPublicKeyCredentialAttachmentCrossPlatform) {
+                authenticatorAttachment = "cross-platform";
+            }
+            const prf = credential.prf();
+            const prfFirst = prf?.first ? prf.first() : null;
+            const prfSecond = prf?.second ? prf.second() : null;
+            let largeBlobBuffer = null;
+            let largeBlobWritten = null;
+            if (credential.largeBlob()) {
+                const largeBlobData = credential.largeBlob().readData();
+                if (largeBlobData) {
+                    largeBlobBuffer = bufferFromNSDataDirect(largeBlobData);
+                }
+                else {
+                    largeBlobWritten = credential.largeBlob().didWrite();
+                }
+            }
+            resolve({
+                id,
+                authenticatorAttachment,
+                clientDataJSON: clientDataBuffer,
+                authenticatorData: bufferFromNSDataDirect(credential.rawAuthenticatorData()),
+                signature: bufferFromNSDataDirect(credential.signature()),
+                userHandle: bufferFromNSDataDirect(credential.userID()),
+                prf: [
+                    prfFirst ? bufferFromNSDataDirect(prfFirst) : null,
+                    prfSecond ? bufferFromNSDataDirect(prfSecond) : null,
+                ],
+                largeBlob: largeBlobBuffer,
+                largeBlobWritten,
+            });
+            finished(true);
+        },
+        didCompleteWithError: (_, error) => {
+            const parsedError = error;
+            const errorMessage = parsedError.localizedDescription().UTF8String();
+            reject(new Error(errorMessage));
+            finished(false);
+        },
+    });
+    authController.setDelegate$(delegate);
+    const presentationContextProvider = createPresentationContextProvider({
+        presentationAnchorForAuthorizationController: () => {
+            const nsView = fromPointer(nativeWindowHandle);
+            const nsWindow = nsView.window();
+            return nsWindow;
+        },
+    });
+    authController.setPresentationContextProvider$(presentationContextProvider);
+    authController.performRequests();
+    return promise;
+}
+export { getCredential };

package/dist/helpers/index.d.ts

@@ -0,0 +1,8 @@
+export declare function PromiseWithResolvers<T = void>(): {
+    promise: Promise<T>;
+    resolve: (value: T | PromiseLike<T>) => void;
+    reject: (reason?: unknown) => void;
+};
+export declare function clientDataJsonBufferToHash(clientDataJSON: Buffer): Buffer;
+export declare function bufferToBase64Url(buffer: Buffer): string;
+export declare function base64UrlToBuffer(b64url: string): Buffer;

package/dist/helpers/index.js

@@ -0,0 +1,43 @@
+import { createHash } from "crypto";
+export function PromiseWithResolvers() {
+    let resolve;
+    let reject;
+    const promise = new Promise((res, rej) => {
+        resolve = res;
+        reject = rej;
+    });
+    return { promise, resolve: resolve, reject: reject };
+}
+export function clientDataJsonBufferToHash(clientDataJSON) {
+    if (!Buffer.isBuffer(clientDataJSON)) {
+        throw new TypeError("clientDataJsonBufferToHash: clientDataJSON must be a Buffer");
+    }
+    if (clientDataJSON.length === 0) {
+        throw new RangeError("clientDataJsonBufferToHash: clientDataJSON is empty");
+    }
+    return createHash("sha256").update(clientDataJSON).digest();
+}
+export function bufferToBase64Url(buffer) {
+    const bytes = new Uint8Array(buffer);
+    let binary = "";
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary)
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+export function base64UrlToBuffer(b64url) {
+    if (typeof b64url !== "string")
+        throw new TypeError("base64Url must be a string");
+    let b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = b64.length % 4;
+    if (pad === 2)
+        b64 += "==";
+    else if (pad === 3)
+        b64 += "=";
+    else if (pad !== 0)
+        throw new Error("Invalid base64url length");
+    return Buffer.from(b64, "base64");
+}

package/dist/helpers/origin.d.ts

@@ -0,0 +1,19 @@
+export declare function serializeOrigin(origin: string): string | null;
+type TupleOrigin = {
+    type: "tuple";
+    scheme: string;
+    host: string;
+    port: number | null;
+};
+type OpaqueOrigin = {
+    type: "opaque";
+    reason?: string;
+};
+type Origin = TupleOrigin | OpaqueOrigin;
+export type OriginCompareOptions = {
+    allowOpaqueStringEquality?: boolean;
+};
+export declare function computeOrigin(input: string | URL): Origin;
+export declare function isSameOrigin(a: string | URL, b: string | URL, opts?: OriginCompareOptions): boolean;
+export declare function isCrossOrigin(a: string | URL, b: string | URL, opts?: OriginCompareOptions): boolean;
+export {};

package/dist/helpers/origin.js

@@ -0,0 +1,106 @@
+export function serializeOrigin(origin) {
+    if (origin === "null" || !origin) {
+        return null;
+    }
+    try {
+        const url = new URL(origin);
+        let result = url.protocol;
+        if (!result.endsWith("://")) {
+            result = result.replace(/:$/, "") + "://";
+        }
+        result += url.hostname;
+        if (url.port) {
+            result += ":" + url.port;
+        }
+        return result;
+    }
+    catch (error) {
+        return null;
+    }
+}
+const DEFAULT_PORT = {
+    http: 80,
+    https: 443,
+    ws: 80,
+    wss: 443,
+    ftp: 21,
+};
+const TUPLE_SCHEMES = new Set(["http", "https", "ws", "wss", "ftp"]);
+export function computeOrigin(input) {
+    if (typeof input === "string" && input.trim().toLowerCase() === "null") {
+        return { type: "opaque", reason: "explicit 'null' origin string" };
+    }
+    const url = toURL(input);
+    if (!url)
+        return { type: "opaque", reason: "unparseable URL/origin string" };
+    const scheme = url.protocol.replace(/:$/, "").toLowerCase();
+    if (scheme === "blob") {
+        const embedded = url.href.slice("blob:".length);
+        const embeddedUrl = toURL(embedded);
+        return embeddedUrl
+            ? computeOrigin(embeddedUrl)
+            : { type: "opaque", reason: "blob: with unparseable embedded URL" };
+    }
+    if (!TUPLE_SCHEMES.has(scheme)) {
+        return { type: "opaque", reason: `non-tuple scheme '${scheme}'` };
+    }
+    const host = url.hostname;
+    if (!host)
+        return { type: "opaque", reason: "missing hostname" };
+    const rawPort = url.port ? safeParsePort(url.port) : null;
+    const port = normalizePort(scheme, rawPort);
+    return { type: "tuple", scheme, host, port };
+}
+function normalizePort(scheme, port) {
+    if (port == null)
+        return null;
+    const def = DEFAULT_PORT[scheme];
+    if (def != null && port === def)
+        return null;
+    return port;
+}
+function safeParsePort(portStr) {
+    const n = Number(portStr);
+    if (!Number.isInteger(n) || n < 0 || n > 65535)
+        return null;
+    return n;
+}
+function toURL(input) {
+    if (input instanceof URL)
+        return input;
+    try {
+        return new URL(input);
+    }
+    catch {
+        return null;
+    }
+}
+export function isSameOrigin(a, b, opts = {}) {
+    const oa = computeOrigin(a);
+    const ob = computeOrigin(b);
+    if (oa.type === "tuple" && ob.type === "tuple") {
+        return (oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port);
+    }
+    if (opts.allowOpaqueStringEquality) {
+        const sa = originString(a);
+        const sb = originString(b);
+        return sa != null && sb != null && sa === sb;
+    }
+    return false;
+}
+export function isCrossOrigin(a, b, opts) {
+    return !isSameOrigin(a, b, opts);
+}
+function originString(x) {
+    if (typeof x === "string") {
+        return serializeOrigin(x);
+    }
+    const url = toURL(x);
+    if (!url) {
+        return null;
+    }
+    const o = computeOrigin(url);
+    if (o.type === "opaque")
+        return "null";
+    return `${o.scheme}://${o.host}${o.port == null ? "" : `:${o.port}`}`;
+}

package/dist/helpers/prf.d.ts

@@ -0,0 +1,5 @@
+export interface PRFInput {
+    first: Buffer;
+    second?: Buffer;
+}
+export declare function createPRFInput(prf: PRFInput): import("../objc/authentication-services/as-authorization-public-key-credential-prf-assertion-input-valuesas-authorization-public-key-credential-prf-assertion-input-values.js")._ASAuthorizationPublicKeyCredentialPRFAssertionInputValues;