electron-webauthn 0.0.17 → 1.0.1

package/README.md

@@ -28,11 +28,21 @@ This package provides JavaScript bindings to Apple's AuthenticationServices fram
 
 ## Installation
 
+### Prerequisites
+
+- Node.js / Bun
+- Xcode Command Line Tools (Run `xcode-select --install` to install)
+- `pkg-config` from Homebrew (Run `brew install pkgconf` to install)
+
+### Install using npm, bun, pnpm, or yarn
+
 ```bash
 npm install electron-webauthn
 # or
 bun add electron-webauthn
 # or
+pnpm add electron-webauthn
+# or
 yarn add electron-webauthn
 ```
 
@@ -44,234 +54,15 @@ yarn add electron-webauthn
 
 ## Quick Start
 
-> **💡 Drop-in Compatibility:** Simply plug any `publicKeyOptions` from the standard `navigator.credentials.create()` or `navigator.credentials.get()` APIs directly into these functions. They follow the W3C WebAuthn specification exactly.
-
-### Creating a Credential (Registration)
-
-```typescript
-import { createCredential } from "electron-webauthn";
-import { BrowserWindow } from "electron";
-
-// In your Electron main process or preload script
-async function register(window: BrowserWindow, challenge: ArrayBuffer) {
-  // Get the native window handle from your BrowserWindow
-  const nativeWindowHandle = window.getNativeWindowHandle();
-
-  // Call createCredential with W3C WebAuthn-compliant options
-  // You can plug any publicKeyOptions from navigator.credentials.create() here
-  const result = await createCredential(
-    {
-      challenge: challenge,
-      rp: {
-        name: "Example App",
-        id: "example.com",
-      },
-      user: {
-        id: new Uint8Array(16), // Random user ID
-        name: "user@example.com",
-        displayName: "User Name",
-      },
-      pubKeyCredParams: [
-        { type: "public-key", alg: -7 }, // ES256
-        { type: "public-key", alg: -257 }, // RS256
-      ],
-      timeout: 60000, // Optional: 60 seconds
-      attestation: "none", // Optional: "none" | "indirect" | "direct"
-      authenticatorSelection: {
-        userVerification: "preferred", // Optional: "preferred" | "required" | "discouraged"
-        residentKey: "preferred", // Optional: "discouraged" | "preferred" | "required"
-      },
-    },
-    {
-      currentOrigin: "https://example.com",
-      topFrameOrigin: "https://example.com",
-      nativeWindowHandle: nativeWindowHandle,
-    }
-  );
-
-  if (result.success) {
-    console.log("Registration successful!");
-    console.log("Credential ID:", result.data.credentialId);
-    console.log("Public Key:", result.data.publicKey);
-    // Result contains base64url-encoded strings ready to send to server
-  } else {
-    console.error("Registration failed:", result.error);
-  }
-}
-```
-
-### Authenticating with a Credential
-
-```typescript
-import { getCredential } from "electron-webauthn";
-import { BrowserWindow } from "electron";
-
-// In your Electron main process or preload script
-async function authenticate(window: BrowserWindow, challenge: ArrayBuffer) {
-  // Get the native window handle from your BrowserWindow
-  const nativeWindowHandle = window.getNativeWindowHandle();
-
-  // Call getCredential with W3C WebAuthn-compliant options
-  // You can plug any publicKeyOptions from navigator.credentials.get() here
-  const result = await getCredential(
-    {
-      challenge: challenge,
-      rpId: "example.com",
-      timeout: 60000, // Optional: 60 seconds
-      userVerification: "preferred", // Optional: "preferred" | "required" | "discouraged"
-      allowCredentials: [], // Optional: restrict to specific credentials
-    },
-    {
-      currentOrigin: "https://example.com",
-      topFrameOrigin: "https://example.com", // Use for iframe support
-      nativeWindowHandle: nativeWindowHandle,
-    }
-  );
-
-  if (result.success) {
-    console.log("Authentication successful!");
-    console.log("Credential ID:", result.data.credentialId);
-    console.log("Signature:", result.data.signature);
-    // Result contains base64url-encoded strings ready to send to server
-  } else {
-    console.error("Authentication failed:", result.error);
-  }
-}
-```
+See the [Quick Start Guide](./docs/quick-start.md) for detailed examples on credential creation and authentication.
 
 ## API Reference
 
-### `createCredential(publicKeyOptions, additionalOptions)`
-
-Creates and registers a new WebAuthn credential using available platform and cross-platform authenticators.
-
-**Note:** You can plug any `publicKeyOptions` from the standard `navigator.credentials.create({ publicKey: ... })` directly into this function.
-
-#### Parameters
-
-##### `publicKeyOptions: PublicKeyCredentialCreationOptions`
-
-Standard W3C WebAuthn credential creation options. See the [MDN documentation](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions) for more details.
-
-##### `additionalOptions: WebauthnCreateRequestOptions`
-
-Additional options specific to the Electron environment:
-
-- **`currentOrigin: string`** (required) - The origin of the requesting document (e.g., "https://example.com")
-- **`topFrameOrigin: string | undefined`** - The origin of the top frame (for iframe support). Set to `currentOrigin` if not in an iframe
-- **`nativeWindowHandle: Buffer`** (required) - Native window handle from `BrowserWindow.getNativeWindowHandle()`, or a pointer to a NSView object
-- **`isPublicSuffix?: (domain: string) => boolean`** - Optional function to check if a domain is a public suffix (e.g., "com", "co.uk"). Strongly recommended for security
-
-#### Returns
-
-`Promise<CreateCredentialResult>` - Resolves with the registration result (that you can transform into a `PublicKeyCredential` object) or error
-
-#### Result Types
-
-```typescript
-type CreateCredentialResult =
-  | CreateCredentialSuccessResult
-  | CreateCredentialErrorResult;
-
-interface CreateCredentialSuccessResult {
-  success: true;
-  data: {
-    credentialId: string; // Base64url-encoded credential ID
-    clientDataJSON: string; // Base64url-encoded client data
-    attestationObject: string; // Base64url-encoded attestation object
-    authData: string; // Base64url-encoded authenticator data
-    publicKey: string; // Base64url-encoded public key (COSE format)
-    publicKeyAlgorithm: number; // COSE algorithm identifier (e.g., -7 for ES256)
-    transports: string[]; // Available transports (e.g., ["internal", "usb"])
-    extensions: {
-      credProps?: {
-        rk: boolean; // True if credential is a resident key
-      };
-      prf?: {
-        enabled?: boolean; // True if PRF is supported
-        results?: {
-          first?: string; // Base64url-encoded PRF output
-          second?: string; // Base64url-encoded PRF output (if provided)
-        };
-      };
-      largeBlob?: {
-        supported?: boolean; // True if large blob is supported
-      };
-    };
-  };
-}
-
-interface CreateCredentialErrorResult {
-  success: false;
-  error:
-    | "TypeError"
-    | "AbortError"
-    | "NotAllowedError"
-    | "SecurityError"
-    | "InvalidStateError";
-}
-```
-
-### `getCredential(publicKeyOptions, additionalOptions)`
+See the [API Reference](./docs/api-reference.md) for detailed documentation on all available functions and types.
 
-Performs a WebAuthn assertion (authentication) using available platform and cross-platform authenticators.
+## Advanced Examples
 
-**Note:** You can plug any `publicKeyOptions` from the standard `navigator.credentials.get({ publicKey: ... })` directly into this function.
-
-#### Parameters
-
-##### `publicKeyOptions: PublicKeyCredentialRequestOptions`
-
-Standard W3C WebAuthn credential request options. See the [MDN documentation](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions) for more details.
-
-##### `additionalOptions: WebauthnGetRequestOptions`
-
-Additional options specific to the Electron environment:
-
-- **`currentOrigin: string`** (required) - The origin of the requesting document (e.g., "https://example.com")
-- **`topFrameOrigin: string | undefined`** - The origin of the top frame (for iframe support). Set to `currentOrigin` if not in an iframe
-- **`nativeWindowHandle: Buffer`** (required) - Native window handle from `BrowserWindow.getNativeWindowHandle()`, or a pointer to a NSView object
-- **`isPublicSuffix?: (domain: string) => boolean`** - Optional function to check if a domain is a public suffix (e.g., "com", "co.uk"). Strongly recommended for security. Use a library like `tldts` for implementation
-
-#### Returns
-
-`Promise<GetCredentialResult>` - Resolves with the assertion result (that you can transform into a `PublicKeyCredential` object) or error
-
-#### Result Types
-
-```typescript
-type GetCredentialResult =
-  | GetCredentialSuccessResult
-  | GetCredentialErrorResult;
-
-interface GetCredentialSuccessResult {
-  success: true;
-  data: {
-    credentialId: string; // Base64url-encoded credential ID
-    clientDataJSON: string; // Base64url-encoded client data
-    authenticatorData: string; // Base64url-encoded authenticator data
-    signature: string; // Base64url-encoded signature
-    userHandle: string; // Base64url-encoded user handle
-    extensions?: {
-      prf?: {
-        results?: {
-          first: string; // Base64url-encoded PRF output
-          second?: string; // Base64url-encoded PRF output (if provided)
-        };
-      };
-      largeBlob?: {
-        blob?: string; // Base64url-encoded blob data (if read)
-        written?: boolean; // True if write succeeded (if write was requested)
-      };
-    };
-  };
-}
-
-interface GetCredentialErrorResult {
-  success: false;
-  error: "TypeError" | "AbortError" | "NotAllowedError" | "SecurityError";
-}
-```
+See the [Advanced Examples](./docs/advanced-examples.md) for detailed examples on how to use the library with more complex use cases.
 
 ## Architecture
 
@@ -283,417 +74,6 @@ This library implements the W3C WebAuthn standard using Apple's native Authentic
 - Properly manages WebAuthn extensions (PRF, Large Blob)
 - Returns base64url-encoded values ready to send to your server for verification
 
-## Usage Examples
-
-### Basic Registration
-
-```typescript
-import { createCredential } from "electron-webauthn";
-import { app, BrowserWindow } from "electron";
-
-let mainWindow: BrowserWindow;
-
-app.on("ready", () => {
-  mainWindow = new BrowserWindow({
-    width: 800,
-    height: 600,
-    webPreferences: {
-      nodeIntegration: false,
-      contextIsolation: true,
-      preload: "./preload.js",
-    },
-  });
-  mainWindow.loadURL("https://myapp.com");
-});
-
-// In your preload script or main process
-export async function registerUser(
-  challenge: ArrayBuffer,
-  userId: ArrayBuffer,
-  userName: string,
-  userDisplayName: string
-) {
-  const nativeHandle = mainWindow.getNativeWindowHandle();
-
-  const result = await createCredential(
-    {
-      challenge: challenge,
-      rp: {
-        name: "My App",
-        id: "myapp.com",
-      },
-      user: {
-        id: userId,
-        name: userName,
-        displayName: userDisplayName,
-      },
-      pubKeyCredParams: [
-        { type: "public-key", alg: -7 }, // ES256
-        { type: "public-key", alg: -257 }, // RS256
-      ],
-      authenticatorSelection: {
-        userVerification: "preferred",
-      },
-    },
-    {
-      currentOrigin: "https://myapp.com",
-      topFrameOrigin: "https://myapp.com",
-      nativeWindowHandle: nativeHandle,
-    }
-  );
-
-  return result;
-}
-```
-
-### Basic Authentication
-
-```typescript
-import { getCredential } from "electron-webauthn";
-import { app, BrowserWindow } from "electron";
-
-let mainWindow: BrowserWindow;
-
-app.on("ready", () => {
-  mainWindow = new BrowserWindow({
-    width: 800,
-    height: 600,
-    webPreferences: {
-      nodeIntegration: false,
-      contextIsolation: true,
-      preload: "./preload.js",
-    },
-  });
-  mainWindow.loadURL("https://myapp.com");
-});
-
-// In your preload script or main process
-export async function authenticateUser(challenge: ArrayBuffer) {
-  const nativeHandle = mainWindow.getNativeWindowHandle();
-
-  const result = await getCredential(
-    {
-      challenge: challenge,
-      rpId: "myapp.com",
-      userVerification: "preferred",
-    },
-    {
-      currentOrigin: "https://myapp.com",
-      topFrameOrigin: "https://myapp.com",
-      nativeWindowHandle: nativeHandle,
-    }
-  );
-
-  return result;
-}
-```
-
-### Restricting to Specific Credentials
-
-```typescript
-// Only allow specific registered credentials
-const result = await getCredential(
-  {
-    challenge: challenge,
-    rpId: "myapp.com",
-    allowCredentials: [
-      { type: "public-key", id: credentialId1 },
-      { type: "public-key", id: credentialId2 },
-    ],
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-  }
-);
-```
-
-### With Required User Verification
-
-```typescript
-// Require user verification (e.g., for sensitive operations)
-const result = await getCredential(
-  {
-    challenge: challenge,
-    rpId: "myapp.com",
-    userVerification: "required", // Force biometric or PIN
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-  }
-);
-```
-
-### Creating Resident Keys (Discoverable Credentials)
-
-```typescript
-// Create a discoverable credential that can be used without specifying allowCredentials
-const result = await createCredential(
-  {
-    challenge: challenge,
-    rp: { name: "My App", id: "myapp.com" },
-    user: {
-      id: userId,
-      name: userName,
-      displayName: userDisplayName,
-    },
-    pubKeyCredParams: [
-      { type: "public-key", alg: -7 },
-      { type: "public-key", alg: -257 },
-    ],
-    authenticatorSelection: {
-      residentKey: "required", // Require resident key
-      userVerification: "required", // Usually combined with resident keys
-    },
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-  }
-);
-```
-
-### Preventing Duplicate Registrations
-
-```typescript
-// Prevent user from registering the same authenticator multiple times
-const result = await createCredential(
-  {
-    challenge: challenge,
-    rp: { name: "My App", id: "myapp.com" },
-    user: {
-      id: userId,
-      name: userName,
-      displayName: userDisplayName,
-    },
-    pubKeyCredParams: [
-      { type: "public-key", alg: -7 },
-      { type: "public-key", alg: -257 },
-    ],
-    excludeCredentials: [
-      // List of credentials already registered for this user
-      { type: "public-key", id: existingCredentialId1 },
-      { type: "public-key", id: existingCredentialId2 },
-    ],
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-  }
-);
-
-// If user tries to use an excluded authenticator, you'll get:
-// { success: false, error: "InvalidStateError" }
-```
-
-### Creating Credentials with PRF Extension
-
-```typescript
-// Register a credential with PRF support and immediately evaluate it
-const prfSalt = crypto.getRandomValues(new Uint8Array(32));
-
-const result = await createCredential(
-  {
-    challenge: challenge,
-    rp: { name: "My App", id: "myapp.com" },
-    user: {
-      id: userId,
-      name: userName,
-      displayName: userDisplayName,
-    },
-    pubKeyCredParams: [
-      { type: "public-key", alg: -7 },
-      { type: "public-key", alg: -257 },
-    ],
-    extensions: {
-      prf: {
-        eval: {
-          first: prfSalt,
-        },
-      },
-    },
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-  }
-);
-
-if (result.success && result.data.extensions?.prf?.results?.first) {
-  console.log(
-    "PRF is supported and evaluated:",
-    result.data.extensions.prf.results.first
-  );
-  // Use this PRF output as an encryption key
-}
-```
-
-### Using PRF Extension (Authentication)
-
-The PRF (Pseudo-Random Function) extension allows you to derive cryptographic secrets from credentials:
-
-```typescript
-// Generate a random salt for PRF
-const prfSalt = crypto.getRandomValues(new Uint8Array(32));
-
-const result = await getCredential(
-  {
-    challenge: challenge,
-    rpId: "myapp.com",
-    extensions: {
-      prf: {
-        eval: {
-          first: prfSalt,
-          // second: optionalSecondSalt, // Optional second output
-        },
-      },
-    },
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-  }
-);
-
-if (result.success && result.data.extensions?.prf?.results) {
-  const prfOutput = result.data.extensions.prf.results.first;
-  // Use prfOutput as a cryptographic key for encryption, etc.
-  console.log("PRF output:", prfOutput);
-}
-```
-
-### Using PRF with Per-Credential Evaluation
-
-```typescript
-import { bufferToBase64Url } from "./helpers"; // You'll need to implement this
-
-const result = await getCredential(
-  {
-    challenge: challenge,
-    rpId: "myapp.com",
-    allowCredentials: [
-      { type: "public-key", id: credentialId1 },
-      { type: "public-key", id: credentialId2 },
-    ],
-    extensions: {
-      prf: {
-        evalByCredential: {
-          [bufferToBase64Url(credentialId1)]: {
-            first: new Uint8Array(32), // Different salt for credential 1
-          },
-          [bufferToBase64Url(credentialId2)]: {
-            first: new Uint8Array(32), // Different salt for credential 2
-          },
-        },
-      },
-    },
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-  }
-);
-```
-
-### Reading and Writing Large Blobs
-
-```typescript
-// Reading a large blob
-const readResult = await getCredential(
-  {
-    challenge: challenge,
-    rpId: "myapp.com",
-    extensions: {
-      largeBlob: {
-        read: true,
-      },
-    },
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-  }
-);
-
-if (readResult.success && readResult.data.extensions?.largeBlob?.blob) {
-  console.log("Large blob data:", readResult.data.extensions.largeBlob.blob);
-}
-
-// Writing a large blob
-const dataToWrite = new TextEncoder().encode("Secret data");
-const writeResult = await getCredential(
-  {
-    challenge: challenge,
-    rpId: "myapp.com",
-    extensions: {
-      largeBlob: {
-        write: dataToWrite,
-      },
-    },
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-  }
-);
-
-if (writeResult.success && writeResult.data.extensions?.largeBlob?.written) {
-  console.log("Large blob written successfully");
-}
-```
-
-### With Public Suffix List Validation
-
-For enhanced security, use a public suffix list library like `tldts`:
-
-```typescript
-import { getPublicSuffix } from "tldts";
-
-const result = await getCredential(
-  {
-    challenge: challenge,
-    rpId: "myapp.com",
-  },
-  {
-    currentOrigin: "https://myapp.com",
-    topFrameOrigin: "https://myapp.com",
-    nativeWindowHandle: nativeHandle,
-    isPublicSuffix: (domain) => {
-      const suffix = getPublicSuffix(domain);
-      return suffix === domain;
-    },
-  }
-);
-```
-
-### Supporting Cross-Origin Iframes
-
-If your app loads WebAuthn requests from an iframe:
-
-```typescript
-const result = await getCredential(
-  {
-    challenge: challenge,
-    rpId: "myapp.com",
-  },
-  {
-    currentOrigin: "https://auth.myapp.com", // The iframe's origin
-    topFrameOrigin: "https://myapp.com", // The parent page's origin
-    nativeWindowHandle: nativeHandle,
-  }
-);
-```
-
 ## Error Handling
 
 Both `createCredential` and `getCredential` functions return a result object with a `success` field. Always check this field:
@@ -778,54 +158,9 @@ console.log("Credential ID:", result.data.credentialId);
 - ❌ Conditional UI (autofill/conditional mediation)
 - ❌ Other WebAuthn extensions (credProtect, minPinLength, hmac-secret, etc.)
 
-## Best Practices
-
 ### Security Recommendations
 
-1. **Always use HTTPS origins** in production (unless testing on `localhost`)
-2. **Implement public suffix list validation** using `tldts` or similar library
-3. **Validate rpId carefully** - it should match your domain
-4. **Generate strong challenges** - use at least 32 random bytes from a CSPRNG
-5. **Verify assertions on your server** - never trust client-side validation alone
-6. **Store credential public keys securely** - needed for signature verification
-7. **Implement proper timeout handling** - don't leave prompts open indefinitely
-
-### Performance Tips
-
-1. **Cache native window handles** - no need to get them on every call
-2. **Reuse challenge buffers** when possible
-3. **Set appropriate timeouts** - shorter for better UX, longer for hardware keys
-4. **Handle user cancellation gracefully** - don't retry automatically
-
-### TypeScript Types
-
-This library exports all necessary TypeScript types. Import them for type safety:
-
-```typescript
-import type {
-  // Registration types
-  CreateCredentialResult,
-  CreateCredentialSuccessData,
-  PublicKeyCredentialCreationOptions,
-
-  // Authentication types
-  GetCredentialResult,
-  GetCredentialSuccessData,
-  PublicKeyCredentialRequestOptions,
-
-  // Shared types
-  AuthenticationExtensionsClientInputs,
-  PRFInput,
-} from "electron-webauthn";
-```
-
-## Debugging
-
-Enable detailed logging by checking the console output. The library logs warnings for:
-
-- PRF extension enabled but no input values provided
-- Large blob write enabled but no data provided
-- Authorization errors with native error messages
+- **Implement public suffix list validation** using `tldts` or similar library
 
 ## Known Limitations
 

package/dist/create/authorization-controller.js

@@ -4,7 +4,6 @@ import { NSArrayFromObjects } from "../objc/foundation/nsarray.js";
 import { NSStringFromString } from "../objc/foundation/nsstring.js";
 import { createASCPublicKeyCredentialDescriptor } from "../objc/authentication-services/as-authorization-c-public-key-credential-descriptor.js";
 import { NSNumberFromInteger } from "../objc/foundation/nsinteger.js";
-import { isNumber, isObject } from "../helpers/validation.js";
 const createControllerState = new Map();
 function getObjectPointerString(self) {
     return getPointer(self).toBase64();
@@ -32,7 +31,13 @@ export const WebauthnCreateController = NobjcClass.define({
                 const context = NobjcClass.super(self, "_requestContextWithRequests$error$", requests, outError);
                 const selfPointer = getObjectPointerString(self);
                 if (context && createControllerState.has(selfPointer)) {
-                    const registrationOptions = context.platformKeyCredentialCreationOptions();
+                    let isSecurityKey = false;
+                    let registrationOptions = context.platformKeyCredentialCreationOptions();
+                    if (!registrationOptions) {
+                        registrationOptions =
+                            context.securityKeyCredentialCreationOptions();
+                        isSecurityKey = true;
+                    }
                     const [clientDataHash, pubKeyCredParams, residentKeyRequired, excludeCredentials,] = createControllerState.get(selfPointer);
                     registrationOptions.setClientDataHash$(NSDataFromBuffer(clientDataHash));
                     registrationOptions.setChallenge$(null);
@@ -45,7 +50,9 @@ export const WebauthnCreateController = NobjcClass.define({
                     if (supportedAlgos.length > 0) {
                         registrationOptions.setSupportedAlgorithmIdentifiers$(NSArrayFromObjects(supportedAlgos));
                     }
-                    registrationOptions.setShouldRequireResidentKey$(residentKeyRequired);
+                    if (!isSecurityKey) {
+                        registrationOptions.setShouldRequireResidentKey$(residentKeyRequired);
+                    }
                     const excludeList = [];
                     for (const cred of excludeCredentials) {
                         const transports = [];

package/dist/create/handler.d.ts

@@ -1,3 +1,4 @@
+export type CreateCredentialErrorCodes = "TypeError" | "AbortError" | "NotAllowedError" | "SecurityError" | "InvalidStateError";
 export interface CreateCredentialSuccessData {
     credentialId: string;
     clientDataJSON: string;
@@ -34,7 +35,8 @@ interface CreateCredentialSuccessResult {
 }
 interface CreateCredentialErrorResult {
     success: false;
-    error: "TypeError" | "AbortError" | "NotAllowedError" | "SecurityError" | "InvalidStateError";
+    error: CreateCredentialErrorCodes;
+    errorObject?: Error;
 }
 export type CreateCredentialResult = CreateCredentialSuccessResult | CreateCredentialErrorResult;
 export declare function createCredential(publicKeyOptions: PublicKeyCredentialCreationOptions | undefined, additionalOptions: WebauthnCreateRequestOptions): Promise<CreateCredentialResult>;

package/dist/create/handler.js

@@ -108,6 +108,16 @@ export async function createCredential(publicKeyOptions, additionalOptions) {
             return { success: false, error: "TypeError" };
         }
     }
+    if (supportedAlgorithmIdentifiers.length === 0) {
+        supportedAlgorithmIdentifiers.push({
+            type: "public-key",
+            algorithm: -7,
+        });
+        supportedAlgorithmIdentifiers.push({
+            type: "public-key",
+            algorithm: -257,
+        });
+    }
     const excludeCredentials = [];
     if (publicKeyOptions.excludeCredentials &&
         Array.isArray(publicKeyOptions.excludeCredentials)) {
@@ -128,6 +138,7 @@ export async function createCredential(publicKeyOptions, additionalOptions) {
     const { extensions, largeBlobSupport, prf } = getExtensionsConfiguration(publicKeyOptions.extensions);
     let residentKeyRequired = false;
     let userVerificationPreference = "preferred";
+    let preferredAuthenticatorAttachment = "all";
     if (publicKeyOptions.authenticatorSelection) {
         if (publicKeyOptions.authenticatorSelection.residentKey === "required") {
             residentKeyRequired = true;
@@ -145,6 +156,13 @@ export async function createCredential(publicKeyOptions, additionalOptions) {
         else {
             userVerificationPreference = "preferred";
         }
+        const attachment = publicKeyOptions.authenticatorSelection.authenticatorAttachment;
+        if (attachment === "cross-platform") {
+            preferredAuthenticatorAttachment = "cross-platform";
+        }
+        else if (attachment === "platform") {
+            preferredAuthenticatorAttachment = "platform";
+        }
     }
     const { currentOrigin, topFrameOrigin, isPublicSuffix, nativeWindowHandle } = additionalOptions;
     const isRpIdAllowed = isRpIdAllowedForOrigin(currentOrigin, rpId, {
@@ -153,13 +171,13 @@ export async function createCredential(publicKeyOptions, additionalOptions) {
     if (!isRpIdAllowed.ok) {
         return { success: false, error: "NotAllowedError" };
     }
-    const result = await createCredentialInternal(rpId, challenge, userName, userID, nativeWindowHandle, currentOrigin, extensions, attestationPreference, supportedAlgorithmIdentifiers, excludeCredentials, residentKeyRequired, userVerificationPreference, {
+    let errorResult = null;
+    const result = await createCredentialInternal(rpId, challenge, userName, userID, nativeWindowHandle, currentOrigin, timeout, extensions, attestationPreference, supportedAlgorithmIdentifiers, excludeCredentials, residentKeyRequired, preferredAuthenticatorAttachment, userVerificationPreference, {
         topFrameOrigin,
         largeBlobSupport,
         prf,
     }).catch((error) => {
-        console.error("Error creating credential", error);
-        console.log("error.message", error.message);
+        errorResult = error;
         if (error.message.includes("(com.apple.AuthenticationServices.AuthorizationError error 1006.)")) {
             return "InvalidStateError";
         }
@@ -169,7 +187,7 @@ export async function createCredential(publicKeyOptions, additionalOptions) {
         return null;
     });
     if (typeof result === "string") {
-        return { success: false, error: result };
+        return { success: false, error: result, errorObject: errorResult };
     }
     const data = {
         credentialId: bufferToBase64Url(result.credentialId),

package/dist/create/internal-handler.d.ts

@@ -1,5 +1,6 @@
 import { type PRFInput } from "../helpers/prf.js";
 import { type PublicKeyCredentialParams } from "./authorization-controller.js";
+export type AuthenticatorAttachmentWithExtra = AuthenticatorAttachment | "all";
 export interface CreateCredentialResult {
     credentialId: Buffer;
     clientDataJSON: Buffer;
@@ -30,5 +31,5 @@ export interface ExcludeCredential {
     id: Buffer;
     transports?: string[];
 }
-declare function createCredentialInternal(rpid: string, challenge: Buffer, username: string, userID: Buffer, nativeWindowHandle: Buffer, origin: string, enabledExtensions: CredentialCreationExtensions[], attestation: CredentialAttestationPreference, supportedAlgorithmIdentifiers: PublicKeyCredentialParams[], excludeCredentials: ExcludeCredential[], residentKeyRequired?: boolean, userVerification?: CredentialUserVerificationPreference, additionalOptions?: CreateCredentialAdditionalOptions): Promise<CreateCredentialResult>;
+declare function createCredentialInternal(rpid: string, challenge: Buffer, username: string, userID: Buffer, nativeWindowHandle: Buffer, origin: string, timeout: number, enabledExtensions: CredentialCreationExtensions[], attestation: CredentialAttestationPreference, supportedAlgorithmIdentifiers: PublicKeyCredentialParams[], excludeCredentials: ExcludeCredential[], residentKeyRequired?: boolean, preferredAuthenticatorAttachment?: AuthenticatorAttachmentWithExtra, userVerification?: CredentialUserVerificationPreference, additionalOptions?: CreateCredentialAdditionalOptions): Promise<CreateCredentialResult>;
 export { createCredentialInternal };

package/dist/create/internal-handler.js

@@ -17,16 +17,11 @@ import { NSStringFromString } from "../objc/foundation/nsstring.js";
 import { removeControllerState, setControllerState, WebauthnCreateController, } from "./authorization-controller.js";
 import { parseAttestationObject } from "@oslojs/webauthn";
 import { ASAuthorizationPublicKeyCredentialAttachment } from "../objc/authentication-services/enums/as-authorization-public-key-credential-attachment.js";
+import { createSecurityKeyPublicKeyCredentialProvider } from "../objc/authentication-services/as-authorization-security-key-public-key-credential-provider.js";
+import { createASAuthorizationPublicKeyCredentialParameters, } from "../objc/authentication-services/as-authorization-public-key-credential-parameters.js";
 const VALID_EXTENSIONS = ["largeBlob", "prf"];
-function createCredentialInternal(rpid, challenge, username, userID, nativeWindowHandle, origin, enabledExtensions, attestation = "none", supportedAlgorithmIdentifiers = [], excludeCredentials, residentKeyRequired = false, userVerification = "preferred", additionalOptions = {}) {
-    const { promise, resolve, reject } = PromiseWithResolvers();
-    const NS_rpID = NSStringFromString(rpid);
-    const NS_challenge = NSDataFromBuffer(challenge);
-    const NS_username = NSStringFromString(username);
-    const NS_userID = NSDataFromBuffer(userID);
-    const platformProvider = createPlatformPublicKeyCredentialProvider(NS_rpID);
-    const platformKeyRequest = platformProvider.createCredentialRegistrationRequestWithChallenge$name$userID$(NS_challenge, NS_username, NS_userID);
-    if (enabledExtensions.includes("largeBlob")) {
+function setupPublicKeyCredentialRegistrationRequest(type, keyRequest, attestation, enabledExtensions, userVerification, pubKeyCredParams, additionalOptions) {
+    if (type === "platform" && enabledExtensions.includes("largeBlob")) {
         let supportMode;
         const largeBlobSupport = additionalOptions.largeBlobSupport;
         if (largeBlobSupport === "required") {
@@ -42,11 +37,25 @@ function createCredentialInternal(rpid, challenge, username, userID, nativeWindo
         }
         if (supportMode) {
             const largeBlobInput = createASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput(supportMode);
-            platformKeyRequest.setLargeBlob$(largeBlobInput);
+            keyRequest.setLargeBlob$(largeBlobInput);
         }
     }
     let attestationPreference = ASAuthorizationPublicKeyCredentialAttestationKind.None;
-    platformKeyRequest.setAttestationPreference$(NSStringFromString(attestationPreference));
+    if (type === "security-key") {
+        if (attestation === "direct") {
+            attestationPreference =
+                ASAuthorizationPublicKeyCredentialAttestationKind.Direct;
+        }
+        else if (attestation === "enterprise") {
+            attestationPreference =
+                ASAuthorizationPublicKeyCredentialAttestationKind.Enterprise;
+        }
+        else if (attestation === "indirect") {
+            attestationPreference =
+                ASAuthorizationPublicKeyCredentialAttestationKind.Indirect;
+        }
+    }
+    keyRequest.setAttestationPreference$(NSStringFromString(attestationPreference));
     let userVerificationPreference = ASAuthorizationPublicKeyCredentialUserVerificationPreference.Preferred;
     if (userVerification === "required") {
         userVerificationPreference =
@@ -56,28 +65,67 @@ function createCredentialInternal(rpid, challenge, username, userID, nativeWindo
         userVerificationPreference =
             ASAuthorizationPublicKeyCredentialUserVerificationPreference.Discouraged;
     }
-    platformKeyRequest.setUserVerificationPreference$(NSStringFromString(userVerificationPreference));
-    if (additionalOptions.userDisplayName) {
+    keyRequest.setUserVerificationPreference$(NSStringFromString(userVerificationPreference));
+    if (type === "platform" && additionalOptions.userDisplayName) {
         const userDisplayName = NSStringFromString(additionalOptions.userDisplayName);
-        platformKeyRequest.setDisplayName$(userDisplayName);
+        keyRequest.setDisplayName$(userDisplayName);
     }
-    if (enabledExtensions.includes("prf")) {
+    if (type === "security-key") {
+        const credentialParameters = [];
+        for (const param of pubKeyCredParams) {
+            if (param.type === "public-key") {
+                credentialParameters.push(createASAuthorizationPublicKeyCredentialParameters(param.algorithm));
+            }
+        }
+        const nsCredentialParameters = NSArrayFromObjects(credentialParameters);
+        keyRequest.setCredentialParameters$(nsCredentialParameters);
+    }
+    if (type === "platform" && enabledExtensions.includes("prf")) {
         if (additionalOptions.prf) {
             const inputValues = createPRFInput(additionalOptions.prf);
             const prfInput = createASAuthorizationPublicKeyCredentialPRFRegistrationInput(inputValues);
-            platformKeyRequest.setPrf$(prfInput);
+            keyRequest.setPrf$(prfInput);
         }
         else {
-            platformKeyRequest.setPrf$(ASAuthorizationPublicKeyCredentialPRFRegistrationInput.checkForSupport());
+            keyRequest.setPrf$(ASAuthorizationPublicKeyCredentialPRFRegistrationInput.checkForSupport());
         }
     }
-    const requestsArray = NSArrayFromObjects([platformKeyRequest]);
+}
+function createCredentialInternal(rpid, challenge, username, userID, nativeWindowHandle, origin, timeout, enabledExtensions, attestation = "none", supportedAlgorithmIdentifiers = [], excludeCredentials, residentKeyRequired = false, preferredAuthenticatorAttachment = "all", userVerification = "preferred", additionalOptions = {}) {
+    const { promise, resolve, reject } = PromiseWithResolvers();
+    const NS_rpID = NSStringFromString(rpid);
+    const NS_challenge = NSDataFromBuffer(challenge);
+    const NS_username = NSStringFromString(username);
+    const NS_userID = NSDataFromBuffer(userID);
+    const requestArrayInput = [];
+    if (preferredAuthenticatorAttachment === "all" ||
+        preferredAuthenticatorAttachment === "platform") {
+        const platformProvider = createPlatformPublicKeyCredentialProvider(NS_rpID);
+        const platformKeyRequest = platformProvider.createCredentialRegistrationRequestWithChallenge$name$userID$(NS_challenge, NS_username, NS_userID);
+        setupPublicKeyCredentialRegistrationRequest("platform", platformKeyRequest, attestation, enabledExtensions, userVerification, supportedAlgorithmIdentifiers, additionalOptions);
+        requestArrayInput.push(platformKeyRequest);
+    }
+    if (preferredAuthenticatorAttachment === "all" ||
+        preferredAuthenticatorAttachment === "cross-platform") {
+        const securityKeyProvider = createSecurityKeyPublicKeyCredentialProvider(NS_rpID);
+        const securityKeyRequest = securityKeyProvider.createCredentialRegistrationRequestWithChallenge$displayName$name$userID$(NS_challenge, NSStringFromString(additionalOptions.userDisplayName || username), NS_username, NS_userID);
+        setupPublicKeyCredentialRegistrationRequest("security-key", securityKeyRequest, attestation, enabledExtensions, userVerification, supportedAlgorithmIdentifiers, additionalOptions);
+        requestArrayInput.push(securityKeyRequest);
+    }
+    const requestsArray = NSArrayFromObjects(requestArrayInput);
     const authController = WebauthnCreateController.alloc().initWithAuthorizationRequests$(requestsArray);
     const clientData = generateWebauthnClientData("webauthn.create", origin, challenge, additionalOptions.topFrameOrigin);
     const { clientDataHash, clientDataBuffer } = generateClientDataInfo(clientData);
     setControllerState(authController, clientDataHash, supportedAlgorithmIdentifiers, residentKeyRequired, excludeCredentials);
+    let isFinished = false;
+    let timeoutHandlerId = null;
     const finished = (_success) => {
+        isFinished = true;
         removeControllerState(authController);
+        if (timeoutHandlerId) {
+            clearTimeout(timeoutHandlerId);
+            timeoutHandlerId = null;
+        }
     };
     const delegate = createAuthorizationControllerDelegate({
         didCompleteWithAuthorization: (_, authorization) => {
@@ -140,7 +188,6 @@ function createCredentialInternal(rpid, challenge, username, userID, nativeWindo
         didCompleteWithError: (_, error) => {
             const parsedError = error;
             const errorMessage = parsedError.localizedDescription().UTF8String();
-            console.error("Authorization failed:", errorMessage);
             reject(new Error(errorMessage));
             finished(false);
         },
@@ -149,6 +196,11 @@ function createCredentialInternal(rpid, challenge, username, userID, nativeWindo
     const presentationContextProvider = createPresentationContextProviderFromNativeWindowHandle(nativeWindowHandle);
     authController.setPresentationContextProvider$(presentationContextProvider);
     authController.performRequests();
+    timeoutHandlerId = setTimeout(() => {
+        if (isFinished)
+            return;
+        authController.cancel();
+    }, timeout);
     return promise;
 }
 export { createCredentialInternal };

package/dist/get/authorization-controller.js

@@ -22,7 +22,10 @@ export const WebauthnGetController = NobjcClass.define({
                 const context = NobjcClass.super(self, "_requestContextWithRequests$error$", requests, outError);
                 const selfPointer = getObjectPointerString(self);
                 if (getControllerState.has(selfPointer)) {
-                    const assertionOptions = context.platformKeyCredentialAssertionOptions();
+                    let assertionOptions = context.platformKeyCredentialAssertionOptions();
+                    if (!assertionOptions) {
+                        assertionOptions = context.securityKeyCredentialAssertionOptions();
+                    }
                     const clientDataHash = getControllerState.get(selfPointer);
                     assertionOptions.setClientDataHash$(NSDataFromBuffer(clientDataHash));
                     context.setPlatformKeyCredentialAssertionOptions$(assertionOptions.copyWithZone$(null));

package/dist/get/handler.d.ts

@@ -1,3 +1,4 @@
+export type GetCredentialErrorCodes = "TypeError" | "AbortError" | "NotAllowedError" | "SecurityError";
 export interface GetCredentialSuccessData {
     credentialId: string;
     clientDataJSON: string;
@@ -29,7 +30,8 @@ interface GetCredentialSuccessResult {
 }
 interface GetCredentialErrorResult {
     success: false;
-    error: "TypeError" | "AbortError" | "NotAllowedError" | "SecurityError";
+    error: GetCredentialErrorCodes;
+    errorObject?: Error;
 }
 export type GetCredentialResult = GetCredentialSuccessResult | GetCredentialErrorResult;
 export declare function getCredential(publicKeyOptions: PublicKeyCredentialRequestOptions | undefined, additionalOptions: WebauthnGetRequestOptions): Promise<GetCredentialResult>;

package/dist/get/handler.js

@@ -95,23 +95,21 @@ export async function getCredential(publicKeyOptions, additionalOptions) {
     if (!isRpIdAllowed.ok) {
         return { success: false, error: "NotAllowedError" };
     }
-    const result = await getCredentialInternal(rpId, challenge, nativeWindowHandle, currentOrigin, enabledExtensions, allowedCredentialsArray, userVerification, {
+    let errorResult = null;
+    const result = await getCredentialInternal(rpId, challenge, nativeWindowHandle, currentOrigin, timeout, enabledExtensions, allowedCredentialsArray, userVerification, {
         topFrameOrigin,
         largeBlobDataToWrite: largeBlobWriteBuffer,
         prf,
         prfByCredential,
     }).catch((error) => {
-        console.error("Error getting credential", error);
+        errorResult = error;
         if (error.message.startsWith("The operation couldn’t be completed.")) {
             return "NotAllowedError";
         }
         return "NotAllowedError";
     });
     if (typeof result === "string") {
-        if (result === "NotAllowedError") {
-            return { success: false, error: "NotAllowedError" };
-        }
-        return { success: false, error: "NotAllowedError" };
+        return { success: false, error: result, errorObject: errorResult };
     }
     const data = {
         credentialId: bufferToBase64Url(result.id),

package/dist/get/internal-handler.d.ts

@@ -1,5 +1,5 @@
 import { type PRFInput } from "../helpers/prf.js";
-type AuthenticatorAttachment = "platform" | "cross-platform";
+import type { AuthenticatorAttachment } from "../helpers/types.js";
 export type UserVerificationPreference = "preferred" | "required" | "discouraged";
 declare const VALID_EXTENSIONS: readonly ["largeBlobRead", "largeBlobWrite", "prf"];
 export type CredentialAssertionExtensions = (typeof VALID_EXTENSIONS)[number];
@@ -20,5 +20,5 @@ export interface GetCredentialAdditionalOptions {
     prfByCredential?: Record<string, PRFInput>;
     topFrameOrigin?: string;
 }
-declare function getCredentialInternal(rpid: string, challenge: Buffer, nativeWindowHandle: Buffer, origin: string, enabledExtensions: CredentialAssertionExtensions[], allowedCredentialIds: Buffer[], userVerificationPreference?: UserVerificationPreference, additionalOptions?: GetCredentialAdditionalOptions): Promise<GetCredentialResult>;
+declare function getCredentialInternal(rpid: string, challenge: Buffer, nativeWindowHandle: Buffer, origin: string, timeout: number, enabledExtensions: CredentialAssertionExtensions[], allowedCredentialIds: Buffer[], userVerificationPreference?: UserVerificationPreference, additionalOptions?: GetCredentialAdditionalOptions): Promise<GetCredentialResult>;
 export { getCredentialInternal };

package/dist/get/internal-handler.js

@@ -76,7 +76,7 @@ function setupPublicKeyCredentialRequest(type, keyRequest, userVerificationPrefe
         }
     }
 }
-function getCredentialInternal(rpid, challenge, nativeWindowHandle, origin, enabledExtensions = [], allowedCredentialIds, userVerificationPreference, additionalOptions = {}) {
+function getCredentialInternal(rpid, challenge, nativeWindowHandle, origin, timeout, enabledExtensions = [], allowedCredentialIds, userVerificationPreference, additionalOptions = {}) {
     const { promise, resolve, reject } = PromiseWithResolvers();
     const NS_rpID = NSStringFromString(rpid);
     const NS_challenge = NSDataFromBuffer(challenge);
@@ -94,8 +94,15 @@ function getCredentialInternal(rpid, challenge, nativeWindowHandle, origin, enab
     const clientData = generateWebauthnClientData("webauthn.get", origin, challenge, additionalOptions.topFrameOrigin);
     const { clientDataHash, clientDataBuffer } = generateClientDataInfo(clientData);
     setClientDataHash(authController, clientDataHash);
+    let isFinished = false;
+    let timeoutHandlerId = null;
     const finished = (_success) => {
+        isFinished = true;
         removeClientDataHash(authController);
+        if (timeoutHandlerId) {
+            clearTimeout(timeoutHandlerId);
+            timeoutHandlerId = null;
+        }
     };
     if (allowedCredentialIds.length > 0) {
         const allowedCredentials = NSArrayFromObjects(allowedCredentialIds.map((id) => createPlatformPublicKeyCredentialDescriptor(NSDataFromBuffer(id))));
@@ -152,6 +159,11 @@ function getCredentialInternal(rpid, challenge, nativeWindowHandle, origin, enab
     const presentationContextProvider = createPresentationContextProviderFromNativeWindowHandle(nativeWindowHandle);
     authController.setPresentationContextProvider$(presentationContextProvider);
     authController.performRequests();
+    timeoutHandlerId = setTimeout(() => {
+        if (isFinished)
+            return;
+        authController.cancel();
+    }, timeout);
     return promise;
 }
 export { getCredentialInternal };

package/dist/helpers/types.d.ts

@@ -0,0 +1 @@
+export type AuthenticatorAttachment = "platform" | "cross-platform";

package/dist/helpers/types.js

@@ -0,0 +1 @@
+export {};

package/dist/objc/authentication-services/as-authorization-public-key-credential-parameters.d.ts

@@ -0,0 +1,8 @@
+import type { NobjcObject } from "objc-js";
+declare class _ASAuthorizationPublicKeyCredentialParameters extends NobjcObject {
+    initWithAlgorithm$(algorithm: number): _ASAuthorizationPublicKeyCredentialParameters;
+    algorithm(): number;
+}
+export declare const ASAuthorizationPublicKeyCredentialParameters: typeof _ASAuthorizationPublicKeyCredentialParameters;
+export type { _ASAuthorizationPublicKeyCredentialParameters };
+export declare function createASAuthorizationPublicKeyCredentialParameters(algorithm: number): _ASAuthorizationPublicKeyCredentialParameters;

package/dist/objc/authentication-services/as-authorization-public-key-credential-parameters.js

@@ -0,0 +1,6 @@
+import { AuthenticationServices } from "./index.js";
+export const ASAuthorizationPublicKeyCredentialParameters = AuthenticationServices.ASAuthorizationPublicKeyCredentialParameters;
+export function createASAuthorizationPublicKeyCredentialParameters(algorithm) {
+    const instance = ASAuthorizationPublicKeyCredentialParameters.alloc();
+    return instance.initWithAlgorithm$(algorithm);
+}

package/dist/objc/authentication-services/as-authorization-security-key-public-key-credential-provider.d.ts

@@ -1,7 +1,9 @@
+import type { _NSData } from "../foundation/nsdata.js";
+import type { _NSString } from "../foundation/nsstring.js";
 import type { NobjcObject } from "objc-js";
 declare class _ASAuthorizationSecurityKeyPublicKeyCredentialProvider extends NobjcObject {
     initWithRelyingPartyIdentifier$(relyingPartyIdentifier: NobjcObject): _ASAuthorizationSecurityKeyPublicKeyCredentialProvider;
-    createCredentialRegistrationRequestWithChallenge$name$userID$(challenge: NobjcObject, name: NobjcObject, userID: NobjcObject): NobjcObject;
+    createCredentialRegistrationRequestWithChallenge$displayName$name$userID$(challenge: _NSData, displayName: _NSString, name: _NSString, userID: _NSData): NobjcObject;
     createCredentialAssertionRequestWithChallenge$(challenge: NobjcObject): NobjcObject;
 }
 export declare const ASAuthorizationSecurityKeyPublicKeyCredentialProvider: typeof _ASAuthorizationSecurityKeyPublicKeyCredentialProvider;

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "electron-webauthn",
-  "version": "0.0.17",
+  "version": "1.0.1",
   "repository": "https://github.com/iamEvanYT/electron-webauthn.git",
+  "homepage": "https://github.com/iamEvanYT/electron-webauthn#readme",
   "description": "Add support for WebAuthn for Electron.",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -18,7 +19,7 @@
   ],
   "type": "module",
   "scripts": {
-    "build": "tsc && rm -rf dist/test",
+    "build": "rm -rf dist && tsc && rm -rf dist/test",
     "test": "bun run src/test/index.ts"
   },
   "devDependencies": {
@@ -29,7 +30,7 @@
   },
   "dependencies": {
     "@oslojs/webauthn": "^1.0.0",
-    "objc-js": "^0.0.15"
+    "objc-js": "^1.0.0"
   },
   "trustedDependencies": [
     "objc-js"