electron-webauthn 0.0.15 → 0.0.16

package/README.md

@@ -4,9 +4,9 @@ Add native WebAuthn/FIDO2 support to Electron on macOS using its AuthenticationS
 
 ## Overview
 
-`electron-webauthn` is a TypeScript library that bridges Electron with the native macOS AuthenticationServices framework, enabling WebAuthn/FIDO2 authentication directly through native platform authenticators (Touch ID, Face ID, hardware security keys, etc.).
+`electron-webauthn` allows you to process WebAuthn requests on macOS Electron. Simply plug any `publicKeyOptions` from the standard `navigator.credentials.get()` or `navigator.credentials.create()` directly into this library's functions and they'll work with the native macOS authenticators.
 
-This package provides JavaScript bindings to Apple's AuthenticationServices framework, allowing you to perform WebAuthn assertions (authentication/signing with existing credentials) in your Electron applications using W3C WebAuthn-compliant APIs.
+This package provides JavaScript bindings to Apple's AuthenticationServices framework, allowing you to perform WebAuthn credential creation (registration) and assertions (authentication/signing) in your Electron applications using W3C WebAuthn-compliant APIs.
 
 ## Features
 
@@ -14,7 +14,9 @@ This package provides JavaScript bindings to Apple's AuthenticationServices fram
 - Support for platform authenticators (Touch ID, Face ID)
 - Support for cross-platform authenticators (external security keys)
 - TypeScript first with complete type definitions
-- W3C WebAuthn-compliant API
+- **W3C WebAuthn-compliant API** - drop in any standard `publicKeyOptions` and it just works
+- Credential creation (registration) with attestation
+- Credential authentication (assertions) with existing credentials
 - Seamless integration with Electron's native window system
 - PRF (Pseudo-Random Function) extension support
 - Large Blob extension support for reading/writing credential-specific data
@@ -22,6 +24,7 @@ This package provides JavaScript bindings to Apple's AuthenticationServices fram
 - Proper origin validation with public suffix list support
 - Cross-origin iframe support with `topFrameOrigin`
 - Per-credential PRF evaluation with `evalByCredential`
+- Resident key (discoverable credential) support
 
 ## Installation
 
@@ -41,17 +44,75 @@ yarn add electron-webauthn
 
 ## Quick Start
 
+> **💡 Drop-in Compatibility:** Simply plug any `publicKeyOptions` from the standard `navigator.credentials.create()` or `navigator.credentials.get()` APIs directly into these functions. They follow the W3C WebAuthn specification exactly.
+
+### Creating a Credential (Registration)
+
+```typescript
+import { createCredential } from "electron-webauthn";
+import { BrowserWindow } from "electron";
+
+// In your Electron main process or preload script
+async function register(window: BrowserWindow, challenge: ArrayBuffer) {
+  // Get the native window handle from your BrowserWindow
+  const nativeWindowHandle = window.getNativeWindowHandle();
+
+  // Call createCredential with W3C WebAuthn-compliant options
+  // You can plug any publicKeyOptions from navigator.credentials.create() here
+  const result = await createCredential(
+    {
+      challenge: challenge,
+      rp: {
+        name: "Example App",
+        id: "example.com",
+      },
+      user: {
+        id: new Uint8Array(16), // Random user ID
+        name: "user@example.com",
+        displayName: "User Name",
+      },
+      pubKeyCredParams: [
+        { type: "public-key", alg: -7 }, // ES256
+        { type: "public-key", alg: -257 }, // RS256
+      ],
+      timeout: 60000, // Optional: 60 seconds
+      attestation: "none", // Optional: "none" | "indirect" | "direct"
+      authenticatorSelection: {
+        userVerification: "preferred", // Optional: "preferred" | "required" | "discouraged"
+        residentKey: "preferred", // Optional: "discouraged" | "preferred" | "required"
+      },
+    },
+    {
+      currentOrigin: "https://example.com",
+      topFrameOrigin: "https://example.com",
+      nativeWindowHandle: nativeWindowHandle,
+    }
+  );
+
+  if (result.success) {
+    console.log("Registration successful!");
+    console.log("Credential ID:", result.data.credentialId);
+    console.log("Public Key:", result.data.publicKey);
+    // Result contains base64url-encoded strings ready to send to server
+  } else {
+    console.error("Registration failed:", result.error);
+  }
+}
+```
+
+### Authenticating with a Credential
+
 ```typescript
 import { getCredential } from "electron-webauthn";
-import { getPointer } from "objc-js";
 import { BrowserWindow } from "electron";
 
 // In your Electron main process or preload script
 async function authenticate(window: BrowserWindow, challenge: ArrayBuffer) {
   // Get the native window handle from your BrowserWindow
-  const nativeWindowHandle = getPointer(window.getNativeWindowHandle());
+  const nativeWindowHandle = window.getNativeWindowHandle();
 
   // Call getCredential with W3C WebAuthn-compliant options
+  // You can plug any publicKeyOptions from navigator.credentials.get() here
   const result = await getCredential(
     {
       challenge: challenge,
@@ -59,17 +120,6 @@ async function authenticate(window: BrowserWindow, challenge: ArrayBuffer) {
       timeout: 60000, // Optional: 60 seconds
       userVerification: "preferred", // Optional: "preferred" | "required" | "discouraged"
       allowCredentials: [], // Optional: restrict to specific credentials
-      extensions: {
-        // Optional extensions
-        prf: {
-          eval: {
-            first: new Uint8Array(32), // 32 bytes
-          },
-        },
-        largeBlob: {
-          read: true,
-        },
-      },
     },
     {
       currentOrigin: "https://example.com",
@@ -91,55 +141,88 @@ async function authenticate(window: BrowserWindow, challenge: ArrayBuffer) {
 
 ## API Reference
 
-### `getCredential(publicKeyOptions, additionalOptions)`
+### `createCredential(publicKeyOptions, additionalOptions)`
+
+Creates and registers a new WebAuthn credential using available platform and cross-platform authenticators.
 
-Performs a WebAuthn assertion (authentication) using available platform and cross-platform authenticators. This function follows the W3C WebAuthn specification.
+**Note:** You can plug any `publicKeyOptions` from the standard `navigator.credentials.create({ publicKey: ... })` directly into this function.
 
 #### Parameters
 
-##### `publicKeyOptions: PublicKeyCredentialRequestOptions`
+##### `publicKeyOptions: PublicKeyCredentialCreationOptions`
 
-You can plug the `publicKeyOptions` from `navigator.credentials.get()` directly onto this function.
+Standard W3C WebAuthn credential creation options. See the [MDN documentation](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions) for more details.
 
-Standard W3C WebAuthn credential request options:
+##### `additionalOptions: WebauthnCreateRequestOptions`
 
-- **`challenge: BufferSource`** (required) - The challenge from your server (32+ bytes recommended)
-- **`rpId: string`** (required) - The Relying Party ID (typically your domain, e.g., "example.com")
-- **`timeout?: number`** - Timeout in milliseconds (default: 10 minutes, max: 1 hour)
-- **`userVerification?: string`** - User verification preference:
-  - `"preferred"` - User verification is preferred but not required (default)
-  - `"required"` - User verification is required (e.g., biometric or PIN)
-  - `"discouraged"` - User verification should be discouraged
-- **`allowCredentials?: PublicKeyCredentialDescriptor[]`** - Optional array to restrict allowed credentials:
-  ```typescript
-  {
-    type: "public-key",
-    id: BufferSource, // Credential ID from registration
-  }
-  ```
-- **`extensions?: AuthenticationExtensionsClientInputs`** - Optional WebAuthn extensions:
-  - **`prf`** - Pseudo-Random Function extension:
-    ```typescript
-    {
-      eval?: {
-        first: BufferSource,  // 32+ bytes
-        second?: BufferSource // 32+ bytes (optional)
-      },
-      evalByCredential?: {
-        [base64UrlCredentialId: string]: {
-          first: BufferSource,
-          second?: BufferSource
-        }
-      }
-    }
-    ```
-  - **`largeBlob`** - Large Blob extension:
-    ```typescript
-    {
-      read?: boolean,        // Read existing blob
-      write?: BufferSource   // Write new blob data
-    }
-    ```
+Additional options specific to the Electron environment:
+
+- **`currentOrigin: string`** (required) - The origin of the requesting document (e.g., "https://example.com")
+- **`topFrameOrigin: string | undefined`** - The origin of the top frame (for iframe support). Set to `currentOrigin` if not in an iframe
+- **`nativeWindowHandle: Buffer`** (required) - Native window handle from `BrowserWindow.getNativeWindowHandle()`, or a pointer to a NSView object
+- **`isPublicSuffix?: (domain: string) => boolean`** - Optional function to check if a domain is a public suffix (e.g., "com", "co.uk"). Strongly recommended for security
+
+#### Returns
+
+`Promise<CreateCredentialResult>` - Resolves with the registration result (that you can transform into a `PublicKeyCredential` object) or error
+
+#### Result Types
+
+```typescript
+type CreateCredentialResult =
+  | CreateCredentialSuccessResult
+  | CreateCredentialErrorResult;
+
+interface CreateCredentialSuccessResult {
+  success: true;
+  data: {
+    credentialId: string; // Base64url-encoded credential ID
+    clientDataJSON: string; // Base64url-encoded client data
+    attestationObject: string; // Base64url-encoded attestation object
+    authData: string; // Base64url-encoded authenticator data
+    publicKey: string; // Base64url-encoded public key (COSE format)
+    publicKeyAlgorithm: number; // COSE algorithm identifier (e.g., -7 for ES256)
+    transports: string[]; // Available transports (e.g., ["internal", "usb"])
+    extensions: {
+      credProps?: {
+        rk: boolean; // True if credential is a resident key
+      };
+      prf?: {
+        enabled?: boolean; // True if PRF is supported
+        results?: {
+          first?: string; // Base64url-encoded PRF output
+          second?: string; // Base64url-encoded PRF output (if provided)
+        };
+      };
+      largeBlob?: {
+        supported?: boolean; // True if large blob is supported
+      };
+    };
+  };
+}
+
+interface CreateCredentialErrorResult {
+  success: false;
+  error:
+    | "TypeError"
+    | "AbortError"
+    | "NotAllowedError"
+    | "SecurityError"
+    | "InvalidStateError";
+}
+```
+
+### `getCredential(publicKeyOptions, additionalOptions)`
+
+Performs a WebAuthn assertion (authentication) using available platform and cross-platform authenticators.
+
+**Note:** You can plug any `publicKeyOptions` from the standard `navigator.credentials.get({ publicKey: ... })` directly into this function.
+
+#### Parameters
+
+##### `publicKeyOptions: PublicKeyCredentialRequestOptions`
+
+Standard W3C WebAuthn credential request options. See the [MDN documentation](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions) for more details.
 
 ##### `additionalOptions: WebauthnGetRequestOptions`
 
@@ -147,12 +230,12 @@ Additional options specific to the Electron environment:
 
 - **`currentOrigin: string`** (required) - The origin of the requesting document (e.g., "https://example.com")
 - **`topFrameOrigin: string | undefined`** - The origin of the top frame (for iframe support). Set to `currentOrigin` if not in an iframe
-- **`nativeWindowHandle: Buffer`** (required) - Native window handle from `BrowserWindow.getNativeWindowHandle()` wrapped with `getPointer()` from `objc-js`
+- **`nativeWindowHandle: Buffer`** (required) - Native window handle from `BrowserWindow.getNativeWindowHandle()`, or a pointer to a NSView object
 - **`isPublicSuffix?: (domain: string) => boolean`** - Optional function to check if a domain is a public suffix (e.g., "com", "co.uk"). Strongly recommended for security. Use a library like `tldts` for implementation
 
 #### Returns
 
-`Promise<GetCredentialResult>` - Resolves with the assertion result or error
+`Promise<GetCredentialResult>` - Resolves with the assertion result (that you can transform into a `PublicKeyCredential` object) or error
 
 #### Result Types
 
@@ -202,11 +285,71 @@ This library implements the W3C WebAuthn standard using Apple's native Authentic
 
 ## Usage Examples
 
+### Basic Registration
+
+```typescript
+import { createCredential } from "electron-webauthn";
+import { app, BrowserWindow } from "electron";
+
+let mainWindow: BrowserWindow;
+
+app.on("ready", () => {
+  mainWindow = new BrowserWindow({
+    width: 800,
+    height: 600,
+    webPreferences: {
+      nodeIntegration: false,
+      contextIsolation: true,
+      preload: "./preload.js",
+    },
+  });
+  mainWindow.loadURL("https://myapp.com");
+});
+
+// In your preload script or main process
+export async function registerUser(
+  challenge: ArrayBuffer,
+  userId: ArrayBuffer,
+  userName: string,
+  userDisplayName: string
+) {
+  const nativeHandle = mainWindow.getNativeWindowHandle();
+
+  const result = await createCredential(
+    {
+      challenge: challenge,
+      rp: {
+        name: "My App",
+        id: "myapp.com",
+      },
+      user: {
+        id: userId,
+        name: userName,
+        displayName: userDisplayName,
+      },
+      pubKeyCredParams: [
+        { type: "public-key", alg: -7 }, // ES256
+        { type: "public-key", alg: -257 }, // RS256
+      ],
+      authenticatorSelection: {
+        userVerification: "preferred",
+      },
+    },
+    {
+      currentOrigin: "https://myapp.com",
+      topFrameOrigin: "https://myapp.com",
+      nativeWindowHandle: nativeHandle,
+    }
+  );
+
+  return result;
+}
+```
+
 ### Basic Authentication
 
 ```typescript
 import { getCredential } from "electron-webauthn";
-import { getPointer } from "objc-js";
 import { app, BrowserWindow } from "electron";
 
 let mainWindow: BrowserWindow;
@@ -226,7 +369,7 @@ app.on("ready", () => {
 
 // In your preload script or main process
 export async function authenticateUser(challenge: ArrayBuffer) {
-  const nativeHandle = getPointer(mainWindow.getNativeWindowHandle());
+  const nativeHandle = mainWindow.getNativeWindowHandle();
 
   const result = await getCredential(
     {
@@ -284,7 +427,114 @@ const result = await getCredential(
 );
 ```
 
-### Using PRF Extension
+### Creating Resident Keys (Discoverable Credentials)
+
+```typescript
+// Create a discoverable credential that can be used without specifying allowCredentials
+const result = await createCredential(
+  {
+    challenge: challenge,
+    rp: { name: "My App", id: "myapp.com" },
+    user: {
+      id: userId,
+      name: userName,
+      displayName: userDisplayName,
+    },
+    pubKeyCredParams: [
+      { type: "public-key", alg: -7 },
+      { type: "public-key", alg: -257 },
+    ],
+    authenticatorSelection: {
+      residentKey: "required", // Require resident key
+      userVerification: "required", // Usually combined with resident keys
+    },
+  },
+  {
+    currentOrigin: "https://myapp.com",
+    topFrameOrigin: "https://myapp.com",
+    nativeWindowHandle: nativeHandle,
+  }
+);
+```
+
+### Preventing Duplicate Registrations
+
+```typescript
+// Prevent user from registering the same authenticator multiple times
+const result = await createCredential(
+  {
+    challenge: challenge,
+    rp: { name: "My App", id: "myapp.com" },
+    user: {
+      id: userId,
+      name: userName,
+      displayName: userDisplayName,
+    },
+    pubKeyCredParams: [
+      { type: "public-key", alg: -7 },
+      { type: "public-key", alg: -257 },
+    ],
+    excludeCredentials: [
+      // List of credentials already registered for this user
+      { type: "public-key", id: existingCredentialId1 },
+      { type: "public-key", id: existingCredentialId2 },
+    ],
+  },
+  {
+    currentOrigin: "https://myapp.com",
+    topFrameOrigin: "https://myapp.com",
+    nativeWindowHandle: nativeHandle,
+  }
+);
+
+// If user tries to use an excluded authenticator, you'll get:
+// { success: false, error: "InvalidStateError" }
+```
+
+### Creating Credentials with PRF Extension
+
+```typescript
+// Register a credential with PRF support and immediately evaluate it
+const prfSalt = crypto.getRandomValues(new Uint8Array(32));
+
+const result = await createCredential(
+  {
+    challenge: challenge,
+    rp: { name: "My App", id: "myapp.com" },
+    user: {
+      id: userId,
+      name: userName,
+      displayName: userDisplayName,
+    },
+    pubKeyCredParams: [
+      { type: "public-key", alg: -7 },
+      { type: "public-key", alg: -257 },
+    ],
+    extensions: {
+      prf: {
+        eval: {
+          first: prfSalt,
+        },
+      },
+    },
+  },
+  {
+    currentOrigin: "https://myapp.com",
+    topFrameOrigin: "https://myapp.com",
+    nativeWindowHandle: nativeHandle,
+  }
+);
+
+if (result.success && result.data.extensions?.prf?.results?.first) {
+  console.log(
+    "PRF is supported and evaluated:",
+    result.data.extensions.prf.results.first
+  );
+  // Use this PRF output as an encryption key
+}
+```
+
+### Using PRF Extension (Authentication)
 
 The PRF (Pseudo-Random Function) extension allows you to derive cryptographic secrets from credentials:
 
@@ -444,47 +694,13 @@ const result = await getCredential(
 );
 ```
 
-### Server-Side Verification
-
-After getting the assertion result, verify it on your server using any WebAuthn library:
-
-```typescript
-// Example with @simplewebauthn/server (Node.js)
-import { verifyAuthenticationResponse } from "@simplewebauthn/server";
-
-// The result.data object contains base64url-encoded values
-const verification = await verifyAuthenticationResponse({
-  response: {
-    id: result.data.credentialId,
-    rawId: result.data.credentialId,
-    response: {
-      clientDataJSON: result.data.clientDataJSON,
-      authenticatorData: result.data.authenticatorData,
-      signature: result.data.signature,
-      userHandle: result.data.userHandle,
-    },
-    type: "public-key",
-  },
-  expectedChallenge: "expected-challenge-from-session",
-  expectedOrigin: "https://myapp.com",
-  expectedRPID: "myapp.com",
-  authenticator: {
-    credentialID: savedCredentialId,
-    credentialPublicKey: savedPublicKey,
-    counter: savedCounter,
-  },
-});
-
-if (verification.verified) {
-  console.log("Authentication successful!");
-}
-```
-
 ## Error Handling
 
-The `getCredential` function returns a result object with a `success` field. Always check this field:
+Both `createCredential` and `getCredential` functions return a result object with a `success` field. Always check this field:
 
 ```typescript
+const result = await createCredential(publicKeyOptions, additionalOptions);
+// or
 const result = await getCredential(publicKeyOptions, additionalOptions);
 
 if (!result.success) {
@@ -494,7 +710,7 @@ if (!result.success) {
       console.error("Invalid parameters provided");
       break;
     case "NotAllowedError":
-      console.error("User cancelled or no credentials available");
+      console.error("User cancelled or operation not allowed");
       break;
     case "SecurityError":
       console.error("Origin or rpId validation failed");
@@ -502,6 +718,11 @@ if (!result.success) {
     case "AbortError":
       console.error("Operation was aborted");
       break;
+    case "InvalidStateError":
+      console.error(
+        "Authenticator is in invalid state (e.g., credential already registered)"
+      );
+      break;
   }
   return;
 }
@@ -512,25 +733,41 @@ console.log("Credential ID:", result.data.credentialId);
 
 ### Common Error Scenarios
 
-- **NotAllowedError**: User cancelled the prompt, no valid credentials available, or the authenticator failed
-- **SecurityError**: Origin doesn't match rpId, invalid origin format, or rpId is a public suffix
+#### For Both Registration and Authentication
+
 - **TypeError**: Invalid parameter types (missing required fields, wrong data types)
+- **NotAllowedError**: User cancelled the prompt or the authenticator failed
+- **SecurityError**: Origin doesn't match rpId, invalid origin format, or rpId is a public suffix
 - **AbortError**: Operation timeout or explicitly aborted
 
+#### Registration-Specific (`createCredential`)
+
+- **InvalidStateError**: The authenticator attempted to register a credential that matches one in the `excludeCredentials` list (prevents duplicate registrations)
+
+#### Authentication-Specific (`getCredential`)
+
+- **NotAllowedError**: No valid credentials available for the specified rpId
+
 ## Feature Support
 
 **Currently Supported:**
 
+- ✅ WebAuthn credential creation (registration/attestation)
 - ✅ WebAuthn assertions (authentication with existing credentials)
 - ✅ Cross-platform authenticators (external security keys like YubiKey)
 - ✅ Platform authenticators (Touch ID, Face ID)
+- ✅ Discoverable credentials (resident keys)
+- ✅ Attestation formats (none, indirect, direct)
+- ✅ Duplicate credential prevention with `excludeCredentials`
 - ✅ PRF (Pseudo-Random Function) extension
-  - ✅ Global evaluation (`eval`)
-  - ✅ Per-credential evaluation (`evalByCredential`)
+  - ✅ Global evaluation (`eval`) for both registration and authentication
+  - ✅ Per-credential evaluation (`evalByCredential`) for authentication
 - ✅ Large Blob extension
-  - ✅ Reading blobs
-  - ✅ Writing blobs
-- ✅ User verification preferences
+  - ✅ Support indication during registration
+  - ✅ Reading blobs during authentication
+  - ✅ Writing blobs during authentication
+- ✅ credProps extension (credential properties)
+- ✅ User verification preferences (required, preferred, discouraged)
 - ✅ Credential filtering with `allowCredentials`
 - ✅ Proper origin and rpId validation
 - ✅ Cross-origin iframe support
@@ -538,10 +775,8 @@ console.log("Credential ID:", result.data.credentialId);
 
 **Not Yet Supported:**
 
-- ❌ Credential registration (attestation) - coming soon
-- ❌ Discoverable credentials (resident keys)
-- ❌ Conditional UI
-- ❌ Other WebAuthn extensions (credProtect, minPinLength, etc.)
+- ❌ Conditional UI (autofill/conditional mediation)
+- ❌ Other WebAuthn extensions (credProtect, minPinLength, hmac-secret, etc.)
 
 ## Best Practices
 
@@ -568,9 +803,17 @@ This library exports all necessary TypeScript types. Import them for type safety
 
 ```typescript
 import type {
+  // Registration types
+  CreateCredentialResult,
+  CreateCredentialSuccessData,
+  PublicKeyCredentialCreationOptions,
+
+  // Authentication types
   GetCredentialResult,
   GetCredentialSuccessData,
   PublicKeyCredentialRequestOptions,
+
+  // Shared types
   AuthenticationExtensionsClientInputs,
   PRFInput,
 } from "electron-webauthn";
@@ -586,7 +829,8 @@ Enable detailed logging by checking the console output. The library logs warning
 
 ## Known Limitations
 
-- **PRF and Large Blob**: Only supported on platform authenticators (Touch ID/Face ID), not security keys on macOS
+- **PRF and Large Blob extensions**: Only supported on platform authenticators (Touch ID/Face ID), not security keys on macOS
+- **Attestation formats**: macOS typically returns "none" attestation even when "direct" or "indirect" is requested, unless the authenticator specifically supports it
 
 ## License
 

package/dist/create/authorization-controller.d.ts

@@ -1,5 +1,5 @@
 import { NobjcObject } from "objc-js";
-import type { ExcludeCredential } from "./handler.js";
+import type { ExcludeCredential } from "./internal-handler.js";
 export interface PublicKeyCredentialParams {
     type: "public-key";
     algorithm: number;

package/dist/create/authorization-controller.js

@@ -4,6 +4,7 @@ import { NSArrayFromObjects } from "../objc/foundation/nsarray.js";
 import { NSStringFromString } from "../objc/foundation/nsstring.js";
 import { createASCPublicKeyCredentialDescriptor } from "../objc/authentication-services/as-authorization-c-public-key-credential-descriptor.js";
 import { NSNumberFromInteger } from "../objc/foundation/nsinteger.js";
+import { isNumber, isObject } from "../helpers/validation.js";
 const createControllerState = new Map();
 function getObjectPointerString(self) {
     return getPointer(self).toBase64();

package/dist/create/handler.d.ts

@@ -1,33 +1,41 @@
-import { type PRFInput } from "../helpers/prf.js";
-import { type PublicKeyCredentialParams } from "./authorization-controller.js";
-export interface CreateCredentialResult {
-    credentialId: Buffer;
-    clientDataJSON: Buffer;
-    attestationObject: Buffer;
-    authenticatorData: Buffer;
-    attachment: AuthenticatorAttachment;
-    transports: string[];
-    isResidentKey: boolean;
+export interface CreateCredentialSuccessData {
+    credentialId: string;
+    clientDataJSON: string;
+    attestationObject: string;
+    authData: string;
+    publicKey: string;
     publicKeyAlgorithm: number;
-    publicKey: Buffer;
-    isLargeBlobSupported: boolean | null;
-    isPRFSupported: boolean | null;
-    prfFirst: Buffer | null;
-    prfSecond: Buffer | null;
+    transports: string[];
+    extensions: {
+        credProps?: {
+            rk: boolean;
+        };
+        prf?: {
+            enabled?: boolean;
+            results: {
+                first?: string;
+                second?: string;
+            };
+        };
+        largeBlob?: {
+            supported?: boolean;
+        };
+    };
+}
+interface WebauthnCreateRequestOptions {
+    currentOrigin: string;
+    topFrameOrigin: string | undefined;
+    isPublicSuffix?: (domain: string) => boolean;
+    nativeWindowHandle: Buffer;
 }
-type CredentialUserVerificationPreference = "required" | "preferred" | "discouraged";
-type CredentialAttestationPreference = "direct" | "enterprise" | "indirect" | "none";
-declare const VALID_EXTENSIONS: readonly ["largeBlob", "prf"];
-export type CredentialCreationExtensions = (typeof VALID_EXTENSIONS)[number];
-interface CreateCredentialAdditionalOptions {
-    topFrameOrigin?: string;
-    userDisplayName?: string;
-    largeBlobSupport?: "required" | "preferred" | "unspecified";
-    prf?: PRFInput;
+interface CreateCredentialSuccessResult {
+    success: true;
+    data: CreateCredentialSuccessData;
 }
-export interface ExcludeCredential {
-    id: Buffer;
-    transports?: string[];
+interface CreateCredentialErrorResult {
+    success: false;
+    error: "TypeError" | "AbortError" | "NotAllowedError" | "SecurityError" | "InvalidStateError";
 }
-declare function createCredential(rpid: string, challenge: Buffer, username: string, userID: Buffer, nativeWindowHandle: Buffer, origin: string, enabledExtensions: CredentialCreationExtensions[], attestation: CredentialAttestationPreference, supportedAlgorithmIdentifiers: PublicKeyCredentialParams[], excludeCredentials: ExcludeCredential[], residentKeyRequired?: boolean, userVerification?: CredentialUserVerificationPreference, additionalOptions?: CreateCredentialAdditionalOptions): Promise<CreateCredentialResult>;
-export { createCredential };
+export type CreateCredentialResult = CreateCredentialSuccessResult | CreateCredentialErrorResult;
+export declare function createCredential(publicKeyOptions: PublicKeyCredentialCreationOptions | undefined, additionalOptions: WebauthnCreateRequestOptions): Promise<CreateCredentialResult>;
+export {};

package/dist/create/handler.js

@@ -1,154 +1,206 @@
-import { generateClientDataInfo } from "../helpers/client-data.js";
-import { generateWebauthnClientData } from "../helpers/client-data.js";
-import { PromiseWithResolvers } from "../helpers/index.js";
-import { encodeEC2PublicKeyToSPKI } from "../helpers/public-key.js";
-import { createPresentationContextProviderFromNativeWindowHandle } from "../helpers/presentation.js";
-import { createPRFInput } from "../helpers/prf.js";
-import { createAuthorizationControllerDelegate } from "../objc/authentication-services/as-authorization-controller-delegate.js";
-import { createPlatformPublicKeyCredentialProvider } from "../objc/authentication-services/as-authorization-platform-public-key-credential-provider.js";
-import { createASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput } from "../objc/authentication-services/as-authorization-public-key-credential-large-blob-registration-input.js";
-import { ASAuthorizationPublicKeyCredentialPRFRegistrationInput, createASAuthorizationPublicKeyCredentialPRFRegistrationInput, } from "../objc/authentication-services/as-authorization-public-key-credential-prf-registration-input.js";
-import { ASAuthorizationPublicKeyCredentialAttestationKind } from "../objc/authentication-services/enums/as-authorization-public-key-credential-attestation-kind.js";
-import { ASAuthorizationPublicKeyCredentialLargeBlobSupportRequirement } from "../objc/authentication-services/enums/as-authorization-public-key-credential-large-blob-support-requirement.js";
-import { ASAuthorizationPublicKeyCredentialUserVerificationPreference } from "../objc/authentication-services/enums/as-authorization-public-key-credential-user-verification-preference.js";
-import { NSArrayFromObjects } from "../objc/foundation/nsarray.js";
-import { bufferFromNSDataDirect, NSDataFromBuffer, } from "../objc/foundation/nsdata.js";
-import { NSStringFromString } from "../objc/foundation/nsstring.js";
-import { removeControllerState, setControllerState, WebauthnCreateController, } from "./authorization-controller.js";
-import { parseAttestationObject } from "@oslojs/webauthn";
-import { ASAuthorizationPublicKeyCredentialAttachment } from "../objc/authentication-services/enums/as-authorization-public-key-credential-attachment.js";
-const VALID_EXTENSIONS = ["largeBlob", "prf"];
-function createCredential(rpid, challenge, username, userID, nativeWindowHandle, origin, enabledExtensions, attestation = "none", supportedAlgorithmIdentifiers, excludeCredentials, residentKeyRequired = false, userVerification = "preferred", additionalOptions = {}) {
-    const { promise, resolve, reject } = PromiseWithResolvers();
-    const NS_rpID = NSStringFromString(rpid);
-    const NS_challenge = NSDataFromBuffer(challenge);
-    const NS_username = NSStringFromString(username);
-    const NS_userID = NSDataFromBuffer(userID);
-    const platformProvider = createPlatformPublicKeyCredentialProvider(NS_rpID);
-    const platformKeyRequest = platformProvider.createCredentialRegistrationRequestWithChallenge$name$userID$(NS_challenge, NS_username, NS_userID);
-    if (enabledExtensions.includes("largeBlob")) {
-        let supportMode;
-        const largeBlobSupport = additionalOptions.largeBlobSupport;
-        if (largeBlobSupport === "required") {
-            supportMode =
-                ASAuthorizationPublicKeyCredentialLargeBlobSupportRequirement.Required;
+import { bufferSourceToBuffer, bufferToBase64Url } from "../helpers/index.js";
+import { isRpIdAllowedForOrigin } from "../helpers/rpid.js";
+import { isNumber, isObject, isString } from "../helpers/validation.js";
+import { createCredentialInternal, } from "./internal-handler.js";
+function getExtensionsConfiguration(extensionsData) {
+    if (!(extensionsData && typeof extensionsData === "object")) {
+        return {
+            extensions: [],
+        };
+    }
+    const extensions = [];
+    let largeBlobSupport;
+    if (isObject(extensionsData.largeBlob)) {
+        extensions.push("largeBlob");
+        const largeBlobConfig = extensionsData.largeBlob;
+        if (largeBlobConfig.support === "required") {
+            largeBlobSupport = "required";
+        }
+        else if (largeBlobConfig.support === "preferred") {
+            largeBlobSupport = "preferred";
+        }
+    }
+    let prf;
+    if (isObject(extensionsData.prf)) {
+        const prfEval = extensionsData.prf.eval;
+        if (prfEval) {
+            const first = bufferSourceToBuffer(prfEval.first);
+            const second = bufferSourceToBuffer(prfEval.second);
+            if (first) {
+                prf = {
+                    first: first ? first : null,
+                    second: second ? second : undefined,
+                };
+            }
+            else {
+                console.warn("[electron-webauthn] prf is enabled but prf.first is not valid, skipping PRF evaluation");
+            }
         }
-        else if (largeBlobSupport === "preferred") {
-            supportMode =
-                ASAuthorizationPublicKeyCredentialLargeBlobSupportRequirement.Preferred;
+    }
+    return {
+        extensions,
+        largeBlobSupport,
+        prf,
+    };
+}
+export async function createCredential(publicKeyOptions, additionalOptions) {
+    if (!publicKeyOptions) {
+        return null;
+    }
+    const rpInfo = publicKeyOptions.rp;
+    if (!isObject(rpInfo)) {
+        return { success: false, error: "TypeError" };
+    }
+    let rpId = rpInfo.id;
+    if (!rpId) {
+        try {
+            const url = new URL(additionalOptions.currentOrigin);
+            rpId = url.hostname;
+        }
+        catch { }
+    }
+    if (!isString(rpId)) {
+        return { success: false, error: "TypeError" };
+    }
+    let timeout = publicKeyOptions.timeout;
+    if (!isNumber(timeout) || timeout <= 0) {
+        timeout = 10 * 60 * 1000;
+    }
+    else if (timeout > 60 * 60 * 1000) {
+        timeout = 60 * 60 * 1000;
+    }
+    const challenge = bufferSourceToBuffer(publicKeyOptions.challenge);
+    if (!challenge) {
+        return { success: false, error: "TypeError" };
+    }
+    if (!isObject(publicKeyOptions.user)) {
+        return { success: false, error: "TypeError" };
+    }
+    const userName = publicKeyOptions.user.name;
+    const userDisplayName = publicKeyOptions.user.displayName;
+    if (!isString(userName) || !isString(userDisplayName)) {
+        return { success: false, error: "TypeError" };
+    }
+    const userID = bufferSourceToBuffer(publicKeyOptions.user.id);
+    if (!userID) {
+        return { success: false, error: "TypeError" };
+    }
+    const attestationPreference = publicKeyOptions.attestation;
+    if (attestationPreference && !isString(attestationPreference)) {
+        return { success: false, error: "TypeError" };
+    }
+    const pubKeyCredParams = publicKeyOptions.pubKeyCredParams;
+    const supportedAlgorithmIdentifiers = [];
+    if (pubKeyCredParams) {
+        if (Array.isArray(pubKeyCredParams)) {
+            for (const param of pubKeyCredParams) {
+                if (!isObject(param))
+                    continue;
+                if (!isNumber(param.alg))
+                    continue;
+                supportedAlgorithmIdentifiers.push({
+                    type: "public-key",
+                    algorithm: param.alg,
+                });
+            }
         }
         else {
-            console.warn("[electron-webauthn] largeBlobSupport is enabled but largeBlobSupport is not provided, skipping large blob support");
+            return { success: false, error: "TypeError" };
         }
-        if (supportMode) {
-            const largeBlobInput = createASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput(supportMode);
-            platformKeyRequest.setLargeBlob$(largeBlobInput);
+    }
+    const excludeCredentials = [];
+    if (publicKeyOptions.excludeCredentials &&
+        Array.isArray(publicKeyOptions.excludeCredentials)) {
+        for (const excludeCredential of publicKeyOptions.excludeCredentials) {
+            if (!isObject(excludeCredential))
+                continue;
+            if (excludeCredential.type !== "public-key")
+                continue;
+            const idBuffer = bufferSourceToBuffer(excludeCredential.id);
+            if (!idBuffer)
+                continue;
+            excludeCredentials.push({
+                id: idBuffer,
+                transports: excludeCredential.transports,
+            });
         }
     }
-    let attestationPreference = ASAuthorizationPublicKeyCredentialAttestationKind.None;
-    platformKeyRequest.setAttestationPreference$(NSStringFromString(attestationPreference));
-    let userVerificationPreference = ASAuthorizationPublicKeyCredentialUserVerificationPreference.Preferred;
-    if (userVerification === "required") {
-        userVerificationPreference =
-            ASAuthorizationPublicKeyCredentialUserVerificationPreference.Required;
-    }
-    else if (userVerification === "discouraged") {
-        userVerificationPreference =
-            ASAuthorizationPublicKeyCredentialUserVerificationPreference.Discouraged;
-    }
-    platformKeyRequest.setUserVerificationPreference$(NSStringFromString(userVerificationPreference));
-    if (additionalOptions.userDisplayName) {
-        const userDisplayName = NSStringFromString(additionalOptions.userDisplayName);
-        platformKeyRequest.setDisplayName$(userDisplayName);
-    }
-    if (enabledExtensions.includes("prf")) {
-        if (additionalOptions.prf) {
-            const inputValues = createPRFInput(additionalOptions.prf);
-            const prfInput = createASAuthorizationPublicKeyCredentialPRFRegistrationInput(inputValues);
-            platformKeyRequest.setPrf$(prfInput);
+    const { extensions, largeBlobSupport, prf } = getExtensionsConfiguration(publicKeyOptions.extensions);
+    let residentKeyRequired = false;
+    let userVerificationPreference = "preferred";
+    if (publicKeyOptions.authenticatorSelection) {
+        if (publicKeyOptions.authenticatorSelection.residentKey === "required") {
+            residentKeyRequired = true;
+        }
+        else if (publicKeyOptions.authenticatorSelection.requireResidentKey) {
+            residentKeyRequired = true;
+        }
+        const userVerifyParam = publicKeyOptions.authenticatorSelection.userVerification;
+        if (userVerifyParam === "required") {
+            userVerificationPreference = "required";
+        }
+        else if (userVerifyParam === "discouraged") {
+            userVerificationPreference = "discouraged";
         }
         else {
-            platformKeyRequest.setPrf$(ASAuthorizationPublicKeyCredentialPRFRegistrationInput.checkForSupport());
+            userVerificationPreference = "preferred";
         }
     }
-    const requestsArray = NSArrayFromObjects([platformKeyRequest]);
-    const authController = WebauthnCreateController.alloc().initWithAuthorizationRequests$(requestsArray);
-    const clientData = generateWebauthnClientData("webauthn.create", origin, challenge, additionalOptions.topFrameOrigin);
-    const { clientDataHash, clientDataBuffer } = generateClientDataInfo(clientData);
-    setControllerState(authController, clientDataHash, supportedAlgorithmIdentifiers, residentKeyRequired, excludeCredentials);
-    const finished = (_success) => {
-        removeControllerState(authController);
-    };
-    const delegate = createAuthorizationControllerDelegate({
-        didCompleteWithAuthorization: (_, authorization) => {
-            const credential = authorization.credential();
-            console.log("Authorization succeeded:", credential);
-            const credentialIdBuffer = bufferFromNSDataDirect(credential.credentialID());
-            const attestationObjectBuffer = bufferFromNSDataDirect(credential.rawAttestationObject());
-            const attestation = parseAttestationObject(attestationObjectBuffer);
-            const publicKey = attestation.authenticatorData.credential.publicKey;
-            const ec2Key = publicKey.ec2();
-            const publicKeySPKI = encodeEC2PublicKeyToSPKI(ec2Key.x, ec2Key.y);
-            const authenticatorData = Buffer.from(JSON.stringify(attestation.authenticatorData));
-            let authenticatorAttachment = "platform";
-            if (credential.attachment() ===
-                ASAuthorizationPublicKeyCredentialAttachment.ASAuthorizationPublicKeyCredentialAttachmentCrossPlatform) {
-                authenticatorAttachment = "cross-platform";
-            }
-            let isLargeBlobSupported = null;
-            if (enabledExtensions.includes("largeBlob")) {
-                const largeBlobOutput = credential.largeBlob();
-                if (largeBlobOutput) {
-                    isLargeBlobSupported = largeBlobOutput.isSupported();
-                }
-            }
-            let prfFirst = null;
-            let prfSecond = null;
-            let isPRFSupported = null;
-            if (enabledExtensions.includes("prf")) {
-                const prfOutput = credential.prf();
-                if (prfOutput) {
-                    const prfFirstData = prfOutput.first();
-                    const prfSecondData = prfOutput.second();
-                    if (prfFirstData) {
-                        prfFirst = bufferFromNSDataDirect(prfFirstData);
-                    }
-                    if (prfSecondData) {
-                        prfSecond = bufferFromNSDataDirect(prfSecondData);
-                    }
-                    isPRFSupported = prfOutput.isSupported();
-                }
-            }
-            const data = {
-                credentialId: credentialIdBuffer,
-                clientDataJSON: clientDataBuffer,
-                attestationObject: attestationObjectBuffer,
-                authenticatorData,
-                attachment: authenticatorAttachment,
-                transports: ["hybrid", "internal"],
-                isResidentKey: true,
-                publicKeyAlgorithm: publicKey.algorithm(),
-                publicKey: publicKeySPKI,
-                isLargeBlobSupported,
-                isPRFSupported,
-                prfFirst,
-                prfSecond,
-            };
-            resolve(data);
-            finished(true);
-        },
-        didCompleteWithError: (_, error) => {
-            const parsedError = error;
-            const errorMessage = parsedError.localizedDescription().UTF8String();
-            console.error("Authorization failed:", errorMessage);
-            reject(new Error(errorMessage));
-            finished(false);
-        },
+    const { currentOrigin, topFrameOrigin, isPublicSuffix, nativeWindowHandle } = additionalOptions;
+    const isRpIdAllowed = isRpIdAllowedForOrigin(currentOrigin, rpId, {
+        isPublicSuffix,
     });
-    authController.setDelegate$(delegate);
-    const presentationContextProvider = createPresentationContextProviderFromNativeWindowHandle(nativeWindowHandle);
-    authController.setPresentationContextProvider$(presentationContextProvider);
-    authController.performRequests();
-    return promise;
+    if (!isRpIdAllowed.ok) {
+        return { success: false, error: "NotAllowedError" };
+    }
+    const result = await createCredentialInternal(rpId, challenge, userName, userID, nativeWindowHandle, currentOrigin, extensions, attestationPreference, supportedAlgorithmIdentifiers, excludeCredentials, residentKeyRequired, userVerificationPreference, {
+        topFrameOrigin,
+        largeBlobSupport,
+        prf,
+    }).catch((error) => {
+        console.error("Error creating credential", error);
+        console.log("error.message", error.message);
+        if (error.message.includes("(com.apple.AuthenticationServices.AuthorizationError error 1006.)")) {
+            return "InvalidStateError";
+        }
+        if (error.message.startsWith("The operation couldn’t be completed.")) {
+            return "NotAllowedError";
+        }
+        return null;
+    });
+    if (typeof result === "string") {
+        return { success: false, error: result };
+    }
+    const data = {
+        credentialId: bufferToBase64Url(result.credentialId),
+        clientDataJSON: bufferToBase64Url(result.clientDataJSON),
+        attestationObject: bufferToBase64Url(result.attestationObject),
+        authData: bufferToBase64Url(result.authenticatorData),
+        publicKey: bufferToBase64Url(result.publicKey),
+        publicKeyAlgorithm: result.publicKeyAlgorithm,
+        transports: result.transports,
+        extensions: {},
+    };
+    if (publicKeyOptions.extensions?.credProps) {
+        data.extensions.credProps = {
+            rk: result.isResidentKey,
+        };
+    }
+    if (result.isLargeBlobSupported !== null) {
+        data.extensions.largeBlob = {
+            supported: result.isLargeBlobSupported,
+        };
+    }
+    if (result.isPRFSupported !== null) {
+        const prfFirst = result.prfFirst;
+        const prfSecond = result.prfSecond;
+        data.extensions.prf = {
+            enabled: result.isPRFSupported,
+            results: {
+                first: prfFirst ? bufferToBase64Url(prfFirst) : undefined,
+                second: prfSecond ? bufferToBase64Url(prfSecond) : undefined,
+            },
+        };
+    }
+    return { success: true, data };
 }
-export { createCredential };

package/dist/create/internal-handler.d.ts

@@ -0,0 +1,34 @@
+import { type PRFInput } from "../helpers/prf.js";
+import { type PublicKeyCredentialParams } from "./authorization-controller.js";
+export interface CreateCredentialResult {
+    credentialId: Buffer;
+    clientDataJSON: Buffer;
+    attestationObject: Buffer;
+    authenticatorData: Buffer;
+    attachment: AuthenticatorAttachment;
+    transports: string[];
+    isResidentKey: boolean;
+    publicKeyAlgorithm: number;
+    publicKey: Buffer;
+    isLargeBlobSupported: boolean | null;
+    isPRFSupported: boolean | null;
+    prfFirst: Buffer | null;
+    prfSecond: Buffer | null;
+}
+type CredentialUserVerificationPreference = "required" | "preferred" | "discouraged";
+type CredentialAttestationPreference = "direct" | "enterprise" | "indirect" | "none";
+declare const VALID_EXTENSIONS: readonly ["largeBlob", "prf"];
+export type CredentialCreationExtensions = (typeof VALID_EXTENSIONS)[number];
+export type LargeBlobSupport = "required" | "preferred" | "unspecified";
+interface CreateCredentialAdditionalOptions {
+    topFrameOrigin?: string;
+    userDisplayName?: string;
+    largeBlobSupport?: LargeBlobSupport;
+    prf?: PRFInput;
+}
+export interface ExcludeCredential {
+    id: Buffer;
+    transports?: string[];
+}
+declare function createCredentialInternal(rpid: string, challenge: Buffer, username: string, userID: Buffer, nativeWindowHandle: Buffer, origin: string, enabledExtensions: CredentialCreationExtensions[], attestation: CredentialAttestationPreference, supportedAlgorithmIdentifiers: PublicKeyCredentialParams[], excludeCredentials: ExcludeCredential[], residentKeyRequired?: boolean, userVerification?: CredentialUserVerificationPreference, additionalOptions?: CreateCredentialAdditionalOptions): Promise<CreateCredentialResult>;
+export { createCredentialInternal };

package/dist/create/internal-handler.js

@@ -0,0 +1,154 @@
+import { generateClientDataInfo } from "../helpers/client-data.js";
+import { generateWebauthnClientData } from "../helpers/client-data.js";
+import { PromiseWithResolvers } from "../helpers/index.js";
+import { encodeEC2PublicKeyToSPKI } from "../helpers/public-key.js";
+import { createPresentationContextProviderFromNativeWindowHandle } from "../helpers/presentation.js";
+import { createPRFInput } from "../helpers/prf.js";
+import { createAuthorizationControllerDelegate } from "../objc/authentication-services/as-authorization-controller-delegate.js";
+import { createPlatformPublicKeyCredentialProvider } from "../objc/authentication-services/as-authorization-platform-public-key-credential-provider.js";
+import { createASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput } from "../objc/authentication-services/as-authorization-public-key-credential-large-blob-registration-input.js";
+import { ASAuthorizationPublicKeyCredentialPRFRegistrationInput, createASAuthorizationPublicKeyCredentialPRFRegistrationInput, } from "../objc/authentication-services/as-authorization-public-key-credential-prf-registration-input.js";
+import { ASAuthorizationPublicKeyCredentialAttestationKind } from "../objc/authentication-services/enums/as-authorization-public-key-credential-attestation-kind.js";
+import { ASAuthorizationPublicKeyCredentialLargeBlobSupportRequirement } from "../objc/authentication-services/enums/as-authorization-public-key-credential-large-blob-support-requirement.js";
+import { ASAuthorizationPublicKeyCredentialUserVerificationPreference } from "../objc/authentication-services/enums/as-authorization-public-key-credential-user-verification-preference.js";
+import { NSArrayFromObjects } from "../objc/foundation/nsarray.js";
+import { bufferFromNSDataDirect, NSDataFromBuffer, } from "../objc/foundation/nsdata.js";
+import { NSStringFromString } from "../objc/foundation/nsstring.js";
+import { removeControllerState, setControllerState, WebauthnCreateController, } from "./authorization-controller.js";
+import { parseAttestationObject } from "@oslojs/webauthn";
+import { ASAuthorizationPublicKeyCredentialAttachment } from "../objc/authentication-services/enums/as-authorization-public-key-credential-attachment.js";
+const VALID_EXTENSIONS = ["largeBlob", "prf"];
+function createCredentialInternal(rpid, challenge, username, userID, nativeWindowHandle, origin, enabledExtensions, attestation = "none", supportedAlgorithmIdentifiers = [], excludeCredentials, residentKeyRequired = false, userVerification = "preferred", additionalOptions = {}) {
+    const { promise, resolve, reject } = PromiseWithResolvers();
+    const NS_rpID = NSStringFromString(rpid);
+    const NS_challenge = NSDataFromBuffer(challenge);
+    const NS_username = NSStringFromString(username);
+    const NS_userID = NSDataFromBuffer(userID);
+    const platformProvider = createPlatformPublicKeyCredentialProvider(NS_rpID);
+    const platformKeyRequest = platformProvider.createCredentialRegistrationRequestWithChallenge$name$userID$(NS_challenge, NS_username, NS_userID);
+    if (enabledExtensions.includes("largeBlob")) {
+        let supportMode;
+        const largeBlobSupport = additionalOptions.largeBlobSupport;
+        if (largeBlobSupport === "required") {
+            supportMode =
+                ASAuthorizationPublicKeyCredentialLargeBlobSupportRequirement.Required;
+        }
+        else if (largeBlobSupport === "preferred") {
+            supportMode =
+                ASAuthorizationPublicKeyCredentialLargeBlobSupportRequirement.Preferred;
+        }
+        else {
+            console.warn("[electron-webauthn] largeBlobSupport is enabled but largeBlobSupport is not provided, skipping large blob support");
+        }
+        if (supportMode) {
+            const largeBlobInput = createASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput(supportMode);
+            platformKeyRequest.setLargeBlob$(largeBlobInput);
+        }
+    }
+    let attestationPreference = ASAuthorizationPublicKeyCredentialAttestationKind.None;
+    platformKeyRequest.setAttestationPreference$(NSStringFromString(attestationPreference));
+    let userVerificationPreference = ASAuthorizationPublicKeyCredentialUserVerificationPreference.Preferred;
+    if (userVerification === "required") {
+        userVerificationPreference =
+            ASAuthorizationPublicKeyCredentialUserVerificationPreference.Required;
+    }
+    else if (userVerification === "discouraged") {
+        userVerificationPreference =
+            ASAuthorizationPublicKeyCredentialUserVerificationPreference.Discouraged;
+    }
+    platformKeyRequest.setUserVerificationPreference$(NSStringFromString(userVerificationPreference));
+    if (additionalOptions.userDisplayName) {
+        const userDisplayName = NSStringFromString(additionalOptions.userDisplayName);
+        platformKeyRequest.setDisplayName$(userDisplayName);
+    }
+    if (enabledExtensions.includes("prf")) {
+        if (additionalOptions.prf) {
+            const inputValues = createPRFInput(additionalOptions.prf);
+            const prfInput = createASAuthorizationPublicKeyCredentialPRFRegistrationInput(inputValues);
+            platformKeyRequest.setPrf$(prfInput);
+        }
+        else {
+            platformKeyRequest.setPrf$(ASAuthorizationPublicKeyCredentialPRFRegistrationInput.checkForSupport());
+        }
+    }
+    const requestsArray = NSArrayFromObjects([platformKeyRequest]);
+    const authController = WebauthnCreateController.alloc().initWithAuthorizationRequests$(requestsArray);
+    const clientData = generateWebauthnClientData("webauthn.create", origin, challenge, additionalOptions.topFrameOrigin);
+    const { clientDataHash, clientDataBuffer } = generateClientDataInfo(clientData);
+    setControllerState(authController, clientDataHash, supportedAlgorithmIdentifiers, residentKeyRequired, excludeCredentials);
+    const finished = (_success) => {
+        removeControllerState(authController);
+    };
+    const delegate = createAuthorizationControllerDelegate({
+        didCompleteWithAuthorization: (_, authorization) => {
+            const credential = authorization.credential();
+            console.log("Authorization succeeded:", credential);
+            const credentialIdBuffer = bufferFromNSDataDirect(credential.credentialID());
+            const attestationObjectBuffer = bufferFromNSDataDirect(credential.rawAttestationObject());
+            const attestation = parseAttestationObject(attestationObjectBuffer);
+            const publicKey = attestation.authenticatorData.credential.publicKey;
+            const ec2Key = publicKey.ec2();
+            const publicKeySPKI = encodeEC2PublicKeyToSPKI(ec2Key.x, ec2Key.y);
+            const authenticatorData = Buffer.from(JSON.stringify(attestation.authenticatorData));
+            let authenticatorAttachment = "platform";
+            if (credential.attachment() ===
+                ASAuthorizationPublicKeyCredentialAttachment.ASAuthorizationPublicKeyCredentialAttachmentCrossPlatform) {
+                authenticatorAttachment = "cross-platform";
+            }
+            let isLargeBlobSupported = null;
+            if (enabledExtensions.includes("largeBlob")) {
+                const largeBlobOutput = credential.largeBlob();
+                if (largeBlobOutput) {
+                    isLargeBlobSupported = largeBlobOutput.isSupported();
+                }
+            }
+            let prfFirst = null;
+            let prfSecond = null;
+            let isPRFSupported = null;
+            if (enabledExtensions.includes("prf")) {
+                const prfOutput = credential.prf();
+                if (prfOutput) {
+                    const prfFirstData = prfOutput.first();
+                    const prfSecondData = prfOutput.second();
+                    if (prfFirstData) {
+                        prfFirst = bufferFromNSDataDirect(prfFirstData);
+                    }
+                    if (prfSecondData) {
+                        prfSecond = bufferFromNSDataDirect(prfSecondData);
+                    }
+                    isPRFSupported = prfOutput.isSupported();
+                }
+            }
+            const data = {
+                credentialId: credentialIdBuffer,
+                clientDataJSON: clientDataBuffer,
+                attestationObject: attestationObjectBuffer,
+                authenticatorData,
+                attachment: authenticatorAttachment,
+                transports: ["hybrid", "internal"],
+                isResidentKey: true,
+                publicKeyAlgorithm: publicKey.algorithm(),
+                publicKey: publicKeySPKI,
+                isLargeBlobSupported,
+                isPRFSupported,
+                prfFirst,
+                prfSecond,
+            };
+            resolve(data);
+            finished(true);
+        },
+        didCompleteWithError: (_, error) => {
+            const parsedError = error;
+            const errorMessage = parsedError.localizedDescription().UTF8String();
+            console.error("Authorization failed:", errorMessage);
+            reject(new Error(errorMessage));
+            finished(false);
+        },
+    });
+    authController.setDelegate$(delegate);
+    const presentationContextProvider = createPresentationContextProviderFromNativeWindowHandle(nativeWindowHandle);
+    authController.setPresentationContextProvider$(presentationContextProvider);
+    authController.performRequests();
+    return promise;
+}
+export { createCredentialInternal };

package/dist/helpers/index.js

@@ -32,6 +32,8 @@ export function base64UrlToBuffer(b64url) {
     return Buffer.from(b64, "base64");
 }
 export function bufferSourceToBuffer(src) {
+    if (!src)
+        return null;
     if (Buffer.isBuffer(src))
         return src;
     if (src instanceof ArrayBuffer ||

package/dist/helpers/origin.js

@@ -101,6 +101,6 @@ function originString(x) {
     }
     const o = computeOrigin(url);
     if (o.type === "opaque")
-        return "null";
+        return null;
     return `${o.scheme}://${o.host}${o.port == null ? "" : `:${o.port}`}`;
 }

package/dist/helpers/validation.d.ts

@@ -1,3 +1,3 @@
 export declare function isString(value: unknown): value is string;
 export declare function isNumber(value: unknown): value is number;
-export declare function isObject(value: unknown): value is Record<string, unknown>;
+export declare function isObject(value: unknown): boolean;

package/dist/index.d.ts

@@ -1,3 +1,2 @@
 export * from "./get/handler.js";
 export * from "./create/handler.js";
-export type { PRFInput } from "./helpers/prf.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "electron-webauthn",
-  "version": "0.0.15",
+  "version": "0.0.16",
   "repository": "https://github.com/iamEvanYT/electron-webauthn",
   "description": "Add support for WebAuthn for Electron.",
   "main": "dist/index.js",