electron-webauthn 1.1.0 → 1.2.0

package/dist/helpers/client-data.js

@@ -1,36 +0,0 @@
-import { createHash } from "crypto";
-import { isSameOrigin, serializeOrigin } from "./origin.js";
-import { bufferToBase64Url } from "./index.js";
-export function generateWebauthnClientData(type, origin, challenge, topFrameOrigin) {
-    const serializedOrigin = serializeOrigin(origin);
-    const clientData = {
-        type,
-        challenge: bufferToBase64Url(challenge),
-        origin: serializedOrigin,
-        crossOrigin: false,
-    };
-    if (topFrameOrigin) {
-        const sameOrigin = isSameOrigin(origin, topFrameOrigin);
-        if (!sameOrigin) {
-            const serializedTopFrameOrigin = serializeOrigin(topFrameOrigin);
-            clientData.topOrigin = serializedTopFrameOrigin;
-            clientData.crossOrigin = true;
-        }
-    }
-    return clientData;
-}
-function clientDataJsonBufferToHash(clientDataJSON) {
-    if (!Buffer.isBuffer(clientDataJSON)) {
-        throw new TypeError("clientDataJsonBufferToHash: clientDataJSON must be a Buffer");
-    }
-    if (clientDataJSON.length === 0) {
-        throw new RangeError("clientDataJsonBufferToHash: clientDataJSON is empty");
-    }
-    return createHash("sha256").update(clientDataJSON).digest();
-}
-export function generateClientDataInfo(clientData) {
-    const clientDataJSON = JSON.stringify(clientData);
-    const clientDataBuffer = Buffer.from(clientDataJSON, "utf-8");
-    const clientDataHash = clientDataJsonBufferToHash(clientDataBuffer);
-    return { clientDataJSON, clientDataBuffer, clientDataHash };
-}

package/dist/helpers/index.d.ts

@@ -1,8 +0,0 @@
-export declare function PromiseWithResolvers<T = void>(): {
-    promise: Promise<T>;
-    resolve: (value: T | PromiseLike<T>) => void;
-    reject: (reason?: unknown) => void;
-};
-export declare function bufferToBase64Url(buffer: Buffer): string;
-export declare function base64UrlToBuffer(b64url: string): Buffer;
-export declare function bufferSourceToBuffer(src: BufferSource): Buffer | null;

package/dist/helpers/index.js

@@ -1,48 +0,0 @@
-export function PromiseWithResolvers() {
-    let resolve;
-    let reject;
-    const promise = new Promise((res, rej) => {
-        resolve = res;
-        reject = rej;
-    });
-    return { promise, resolve: resolve, reject: reject };
-}
-export function bufferToBase64Url(buffer) {
-    const bytes = new Uint8Array(buffer);
-    let binary = "";
-    for (let i = 0; i < bytes.length; i++) {
-        binary += String.fromCharCode(bytes[i]);
-    }
-    return btoa(binary)
-        .replace(/\+/g, "-")
-        .replace(/\//g, "_")
-        .replace(/=+$/, "");
-}
-export function base64UrlToBuffer(b64url) {
-    if (typeof b64url !== "string")
-        throw new TypeError("base64Url must be a string");
-    let b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
-    const pad = b64.length % 4;
-    if (pad === 2)
-        b64 += "==";
-    else if (pad === 3)
-        b64 += "=";
-    else if (pad !== 0)
-        throw new Error("Invalid base64url length");
-    return Buffer.from(b64, "base64");
-}
-export function bufferSourceToBuffer(src) {
-    if (!src)
-        return null;
-    if (Buffer.isBuffer(src))
-        return src;
-    if (src instanceof ArrayBuffer ||
-        (typeof SharedArrayBuffer !== "undefined" &&
-            src instanceof SharedArrayBuffer)) {
-        return Buffer.from(src);
-    }
-    if (ArrayBuffer.isView(src)) {
-        return Buffer.from(src.buffer, src.byteOffset, src.byteLength);
-    }
-    return null;
-}

package/dist/helpers/objc.d.ts

@@ -1,5 +0,0 @@
-export declare function enumFromValue<T extends Record<string, number>>(enumObj: T, value: number): keyof T | undefined;
-export declare function makePromise<T, Args extends unknown[]>(...argsAndFunc: [
-    ...args: Args,
-    func: (...args: [...Args, callback: (result: T) => void]) => void
-]): Promise<T>;

package/dist/helpers/objc.js

@@ -1,10 +0,0 @@
-export function enumFromValue(enumObj, value) {
-    return Object.keys(enumObj).find((key) => enumObj[key] === value);
-}
-export function makePromise(...argsAndFunc) {
-    const func = argsAndFunc[argsAndFunc.length - 1];
-    const args = argsAndFunc.slice(0, -1);
-    return new Promise((resolve) => {
-        func(...args, resolve);
-    });
-}

package/dist/helpers/origin.d.ts

@@ -1,19 +0,0 @@
-export declare function serializeOrigin(origin: string): string | null;
-type TupleOrigin = {
-    type: "tuple";
-    scheme: string;
-    host: string;
-    port: number | null;
-};
-type OpaqueOrigin = {
-    type: "opaque";
-    reason?: string;
-};
-type Origin = TupleOrigin | OpaqueOrigin;
-export type OriginCompareOptions = {
-    allowOpaqueStringEquality?: boolean;
-};
-export declare function computeOrigin(input: string | URL): Origin;
-export declare function isSameOrigin(a: string | URL, b: string | URL, opts?: OriginCompareOptions): boolean;
-export declare function isCrossOrigin(a: string | URL, b: string | URL, opts?: OriginCompareOptions): boolean;
-export {};

package/dist/helpers/origin.js

@@ -1,106 +0,0 @@
-export function serializeOrigin(origin) {
-    if (origin === "null" || !origin) {
-        return null;
-    }
-    try {
-        const url = new URL(origin);
-        let result = url.protocol;
-        if (!result.endsWith("://")) {
-            result = result.replace(/:$/, "") + "://";
-        }
-        result += url.hostname;
-        if (url.port) {
-            result += ":" + url.port;
-        }
-        return result;
-    }
-    catch (error) {
-        return null;
-    }
-}
-const DEFAULT_PORT = {
-    http: 80,
-    https: 443,
-    ws: 80,
-    wss: 443,
-    ftp: 21,
-};
-const TUPLE_SCHEMES = new Set(["http", "https", "ws", "wss", "ftp"]);
-export function computeOrigin(input) {
-    if (typeof input === "string" && input.trim().toLowerCase() === "null") {
-        return { type: "opaque", reason: "explicit 'null' origin string" };
-    }
-    const url = toURL(input);
-    if (!url)
-        return { type: "opaque", reason: "unparseable URL/origin string" };
-    const scheme = url.protocol.replace(/:$/, "").toLowerCase();
-    if (scheme === "blob") {
-        const embedded = url.href.slice("blob:".length);
-        const embeddedUrl = toURL(embedded);
-        return embeddedUrl
-            ? computeOrigin(embeddedUrl)
-            : { type: "opaque", reason: "blob: with unparseable embedded URL" };
-    }
-    if (!TUPLE_SCHEMES.has(scheme)) {
-        return { type: "opaque", reason: `non-tuple scheme '${scheme}'` };
-    }
-    const host = url.hostname;
-    if (!host)
-        return { type: "opaque", reason: "missing hostname" };
-    const rawPort = url.port ? safeParsePort(url.port) : null;
-    const port = normalizePort(scheme, rawPort);
-    return { type: "tuple", scheme, host, port };
-}
-function normalizePort(scheme, port) {
-    if (port == null)
-        return null;
-    const def = DEFAULT_PORT[scheme];
-    if (def != null && port === def)
-        return null;
-    return port;
-}
-function safeParsePort(portStr) {
-    const n = Number(portStr);
-    if (!Number.isInteger(n) || n < 0 || n > 65535)
-        return null;
-    return n;
-}
-function toURL(input) {
-    if (input instanceof URL)
-        return input;
-    try {
-        return new URL(input);
-    }
-    catch {
-        return null;
-    }
-}
-export function isSameOrigin(a, b, opts = {}) {
-    const oa = computeOrigin(a);
-    const ob = computeOrigin(b);
-    if (oa.type === "tuple" && ob.type === "tuple") {
-        return (oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port);
-    }
-    if (opts.allowOpaqueStringEquality) {
-        const sa = originString(a);
-        const sb = originString(b);
-        return sa != null && sb != null && sa === sb;
-    }
-    return false;
-}
-export function isCrossOrigin(a, b, opts) {
-    return !isSameOrigin(a, b, opts);
-}
-function originString(x) {
-    if (typeof x === "string") {
-        return serializeOrigin(x);
-    }
-    const url = toURL(x);
-    if (!url) {
-        return null;
-    }
-    const o = computeOrigin(url);
-    if (o.type === "opaque")
-        return null;
-    return `${o.scheme}://${o.host}${o.port == null ? "" : `:${o.port}`}`;
-}

package/dist/helpers/presentation.d.ts

@@ -1 +0,0 @@
-export declare function createPresentationContextProviderFromNativeWindowHandle(nativeWindowHandle: Buffer): import("objc-js").NobjcObject;

package/dist/helpers/presentation.js

@@ -1,11 +0,0 @@
-import { fromPointer } from "objc-js";
-import { createDelegate } from "objcjs-types";
-export function createPresentationContextProviderFromNativeWindowHandle(nativeWindowHandle) {
-    return createDelegate("ASAuthorizationControllerPresentationContextProviding", {
-        presentationAnchorForAuthorizationController$: () => {
-            const nsView = fromPointer(nativeWindowHandle);
-            const nsWindow = nsView.window();
-            return nsWindow;
-        },
-    });
-}

package/dist/helpers/prf.d.ts

@@ -1,5 +0,0 @@
-export interface PRFInput {
-    first: Buffer;
-    second?: Buffer;
-}
-export declare function createPRFInput(prf: PRFInput): import("objcjs-types/AuthenticationServices")._ASAuthorizationPublicKeyCredentialPRFAssertionInputValues;

package/dist/helpers/prf.js

@@ -1,5 +0,0 @@
-import { ASAuthorizationPublicKeyCredentialPRFAssertionInputValues } from "objcjs-types/AuthenticationServices";
-import { NSDataFromBuffer } from "objcjs-types/nsdata";
-export function createPRFInput(prf) {
-    return ASAuthorizationPublicKeyCredentialPRFAssertionInputValues.alloc().initWithSaltInput1$saltInput2$(NSDataFromBuffer(prf.first), prf.second ? NSDataFromBuffer(prf.second) : null);
-}

package/dist/helpers/public-key.d.ts

@@ -1 +0,0 @@
-export declare function encodeEC2PublicKeyToSPKI(x: bigint, y: bigint): Buffer;

package/dist/helpers/public-key.js

@@ -1,49 +0,0 @@
-function encodeBigIntToBuffer(value, byteLength) {
-    const hex = value.toString(16).padStart(byteLength * 2, "0");
-    return Buffer.from(hex, "hex");
-}
-export function encodeEC2PublicKeyToSPKI(x, y) {
-    const xBuffer = encodeBigIntToBuffer(x, 32);
-    const yBuffer = encodeBigIntToBuffer(y, 32);
-    const uncompressedPoint = Buffer.concat([
-        Buffer.from([0x04]),
-        xBuffer,
-        yBuffer,
-    ]);
-    const bitString = Buffer.concat([
-        Buffer.from([0x03]),
-        Buffer.from([0x42]),
-        Buffer.from([0x00]),
-        uncompressedPoint,
-    ]);
-    const algorithmIdentifier = Buffer.from([
-        0x30,
-        0x13,
-        0x06,
-        0x07,
-        0x2a,
-        0x86,
-        0x48,
-        0xce,
-        0x3d,
-        0x02,
-        0x01,
-        0x06,
-        0x08,
-        0x2a,
-        0x86,
-        0x48,
-        0xce,
-        0x3d,
-        0x03,
-        0x01,
-        0x07,
-    ]);
-    const spki = Buffer.concat([
-        Buffer.from([0x30]),
-        Buffer.from([0x59]),
-        algorithmIdentifier,
-        bitString,
-    ]);
-    return spki;
-}

package/dist/helpers/rpid.d.ts

@@ -1,13 +0,0 @@
-export type RpIdCheckOptions = {
-    allowInsecureLocalhost?: boolean;
-    isPublicSuffix?: (domain: string) => boolean;
-};
-export type RpIdCheckResult = {
-    ok: true;
-    rpId: string;
-} | {
-    ok: false;
-    rpId: string;
-    reason: string;
-};
-export declare function isRpIdAllowedForOrigin(origin: string, rpIdInput?: string, opts?: RpIdCheckOptions): RpIdCheckResult;

package/dist/helpers/rpid.js

@@ -1,59 +0,0 @@
-import net from "node:net";
-import { domainToASCII } from "node:url";
-export function isRpIdAllowedForOrigin(origin, rpIdInput, opts = {}) {
-    const allowInsecureLocalhost = opts.allowInsecureLocalhost ?? true;
-    let url;
-    try {
-        url = new URL(origin);
-    }
-    catch {
-        return { ok: false, rpId: normalizeRpId(rpIdInput ?? ""), reason: "Invalid origin URL" };
-    }
-    const scheme = url.protocol.toLowerCase();
-    const originHost = normalizeHost(url.hostname);
-    if (!originHost)
-        return { ok: false, rpId: normalizeRpId(rpIdInput ?? ""), reason: "Origin has no hostname" };
-    const originIsIP = net.isIP(originHost) !== 0;
-    const originIsLocalhost = originHost === "localhost" || originIsIP;
-    const secureEnough = scheme === "https:" || scheme === "wss:" || (allowInsecureLocalhost && scheme === "http:" && originIsLocalhost);
-    if (!secureEnough) {
-        return { ok: false, rpId: normalizeRpId(rpIdInput ?? originHost), reason: "Origin is not a secure context" };
-    }
-    const rpId = normalizeRpId(rpIdInput ?? originHost);
-    if (!rpId)
-        return { ok: false, rpId, reason: "rpId is empty" };
-    if (/[/:@]/.test(rpId)) {
-        return { ok: false, rpId, reason: "rpId must be a hostname only (no scheme/port/path/userinfo)" };
-    }
-    const rpIdIsIP = net.isIP(rpId) !== 0;
-    if (originIsIP) {
-        if (rpId !== originHost) {
-            return { ok: false, rpId, reason: "For IP origins, rpId must exactly match the IP" };
-        }
-        return { ok: true, rpId };
-    }
-    if (rpIdIsIP) {
-        return { ok: false, rpId, reason: "rpId cannot be an IP if origin host is a domain" };
-    }
-    if (!(rpId === originHost || originHost.endsWith("." + rpId))) {
-        return { ok: false, rpId, reason: "rpId is not equal to or a suffix of the origin hostname" };
-    }
-    if (opts.isPublicSuffix) {
-        if (opts.isPublicSuffix(rpId)) {
-            return { ok: false, rpId, reason: "rpId is a public suffix (eTLD), which is not allowed" };
-        }
-    }
-    else {
-        if (!rpId.includes(".") && rpId !== "localhost") {
-            return { ok: false, rpId, reason: "rpId looks like a public suffix/single-label domain (no PSL check provided)" };
-        }
-    }
-    return { ok: true, rpId };
-}
-function normalizeHost(hostname) {
-    const h = (hostname ?? "").trim().toLowerCase().replace(/\.$/, "");
-    return domainToASCII(h) || "";
-}
-function normalizeRpId(rpId) {
-    return normalizeHost(rpId);
-}

package/dist/helpers/types.d.ts

@@ -1 +0,0 @@
-export type AuthenticatorAttachment = "platform" | "cross-platform";

package/dist/helpers/types.js

@@ -1 +0,0 @@
-export {};

package/dist/helpers/validation.d.ts

@@ -1,3 +0,0 @@
-export declare function isString(value: unknown): value is string;
-export declare function isNumber(value: unknown): value is number;
-export declare function isObject(value: unknown): boolean;

package/dist/helpers/validation.js

@@ -1,9 +0,0 @@
-export function isString(value) {
-    return value && typeof value === "string";
-}
-export function isNumber(value) {
-    return value && typeof value === "number";
-}
-export function isObject(value) {
-    return value && typeof value === "object";
-}

package/dist/list/handler.d.ts

@@ -1,2 +0,0 @@
-import type { ListPasskeysResult, ListPasskeysError } from "./types.js";
-export declare function listPasskeys(relyingPartyId: string): Promise<ListPasskeysResult | ListPasskeysError>;

package/dist/list/handler.js

@@ -1,65 +0,0 @@
-import { bufferToBase64Url, PromiseWithResolvers } from "../helpers/index.js";
-import { bufferFromNSDataDirect } from "objcjs-types/nsdata";
-import { NSStringFromString } from "objcjs-types/helpers";
-import { ASAuthorizationWebBrowserPublicKeyCredentialManager, ASAuthorizationWebBrowserPublicKeyCredentialManagerAuthorizationState, } from "objcjs-types/AuthenticationServices";
-import { isAtLeast, version, formatVersion, getOSVersion, } from "objcjs-types/osversion";
-import { makePromise, enumFromValue } from "../helpers/objc.js";
-export async function listPasskeys(relyingPartyId) {
-    try {
-        const minVersion = version(13, 3);
-        if (!isAtLeast(minVersion)) {
-            const currentVersion = getOSVersion();
-            throw new Error(`Passkey listing requires macOS 13.3 or later (current: ${formatVersion(currentVersion)})`);
-        }
-        const manager = ASAuthorizationWebBrowserPublicKeyCredentialManager.alloc().init();
-        const authState = manager.authorizationStateForPlatformCredentials();
-        console.log(`[listPasskeys] Authorization state: ${authState}`);
-        if (authState ===
-            ASAuthorizationWebBrowserPublicKeyCredentialManagerAuthorizationState.NotDetermined) {
-            console.log("[listPasskeys] Authorization not determined, requesting...");
-            const newStateValue = await makePromise(manager.requestAuthorizationForPublicKeyCredentials$);
-            const newState = enumFromValue(ASAuthorizationWebBrowserPublicKeyCredentialManagerAuthorizationState, newStateValue);
-            console.log(`[listPasskeys] Authorization request completed, new state: ${newState}`);
-        }
-        else if (authState ===
-            ASAuthorizationWebBrowserPublicKeyCredentialManagerAuthorizationState.Denied) {
-            throw new Error("Authorization DENIED - user must grant permission in System Settings > Privacy & Security");
-        }
-        else {
-            console.log("[listPasskeys] Authorization already granted");
-        }
-        const rpIdString = NSStringFromString(relyingPartyId);
-        console.log(`[listPasskeys] Calling platformCredentialsForRelyingParty: ${relyingPartyId}`);
-        const credentialsArray = await makePromise(rpIdString, manager.platformCredentialsForRelyingParty$completionHandler$);
-        const count = credentialsArray.count();
-        console.log(`[listPasskeys] platformCredentials returned ${count} entries`);
-        const credentials = [];
-        for (let i = 0; i < count; i++) {
-            const cred = credentialsArray.objectAtIndex$(i);
-            const credentialIdData = cred.credentialID();
-            const userName = cred.name().UTF8String();
-            const userHandleData = cred.userHandle();
-            const credentialId = bufferToBase64Url(bufferFromNSDataDirect(credentialIdData));
-            const userHandle = bufferToBase64Url(bufferFromNSDataDirect(userHandleData));
-            console.log(`[listPasskeys] Found credential: name=${userName}, id=${credentialId.substring(0, 20)}...`);
-            credentials.push({
-                id: credentialId,
-                rpId: relyingPartyId,
-                userName,
-                userHandle,
-            });
-        }
-        console.log(`[listPasskeys] Returning ${credentials.length} results`);
-        return {
-            success: true,
-            credentials,
-        };
-    }
-    catch (error) {
-        console.error("[listPasskeys] Error:", error);
-        return {
-            success: false,
-            error: error instanceof Error ? error : new Error(String(error)),
-        };
-    }
-}

package/dist/list/types.d.ts

@@ -1,14 +0,0 @@
-export interface PasskeyCredential {
-    id: string;
-    rpId: string;
-    userName: string;
-    userHandle: string;
-}
-export interface ListPasskeysResult {
-    success: true;
-    credentials: PasskeyCredential[];
-}
-export interface ListPasskeysError {
-    success: false;
-    error: Error;
-}

package/dist/list/types.js

@@ -1 +0,0 @@
-export {};