humankey 0.2.0

package/dist/chunk-JI6NIMGK.cjs

@@ -0,0 +1,81 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});// src/hash.ts
+async function hashAction(action) {
+  const canonical = canonicalize(action);
+  const encoded = new TextEncoder().encode(canonical);
+  return crypto.subtle.digest("SHA-256", encoded);
+}
+async function combineAndHash(...buffers) {
+  let totalLength = 0;
+  for (const buf of buffers) {
+    totalLength += buf.byteLength;
+  }
+  const combined = new Uint8Array(totalLength);
+  let offset = 0;
+  for (const buf of buffers) {
+    combined.set(new Uint8Array(buf), offset);
+    offset += buf.byteLength;
+  }
+  return crypto.subtle.digest("SHA-256", combined);
+}
+function deriveConfirmationCode(hashBuffer) {
+  const bytes = new Uint8Array(hashBuffer);
+  const CHARSET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  let code = "";
+  for (let i = 0; i < 4; i++) {
+    const value = bytes[i * 2] << 8 | bytes[i * 2 + 1];
+    code += CHARSET[value % CHARSET.length];
+  }
+  return code;
+}
+function bufferToBase64url(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64urlToBuffer(base64url) {
+  const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes.buffer;
+}
+function canonicalize(value) {
+  if (value === null || typeof value !== "object") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return "[" + value.map(canonicalize).join(",") + "]";
+  }
+  const obj = value;
+  const keys = Object.keys(obj).sort();
+  const pairs = keys.map((key) => JSON.stringify(key) + ":" + canonicalize(obj[key]));
+  return "{" + pairs.join(",") + "}";
+}
+
+// src/errors.ts
+var HumanKeyError = class extends Error {
+  
+  constructor(message, code, cause) {
+    super(message);
+    this.name = "HumanKeyError";
+    this.code = code;
+    if (cause !== void 0) {
+      this.cause = cause;
+    }
+  }
+};
+
+
+
+
+
+
+
+
+exports.hashAction = hashAction; exports.combineAndHash = combineAndHash; exports.deriveConfirmationCode = deriveConfirmationCode; exports.bufferToBase64url = bufferToBase64url; exports.base64urlToBuffer = base64urlToBuffer; exports.HumanKeyError = HumanKeyError;

package/dist/chunk-XXJAJHNP.mjs

@@ -0,0 +1,174 @@
+import {
+  HumanKeyError,
+  base64urlToBuffer,
+  bufferToBase64url,
+  combineAndHash,
+  deriveConfirmationCode,
+  hashAction
+} from "./chunk-CLQSCDXC.mjs";
+
+// src/verify.ts
+import { verifyAuthenticationResponse } from "@simplewebauthn/server";
+
+// src/challenge.ts
+function createChallenge(byteLength = 32) {
+  const bytes = crypto.getRandomValues(new Uint8Array(byteLength));
+  return bufferToBase64url(bytes.buffer);
+}
+
+// src/registration-verify.ts
+import { verifyRegistrationResponse } from "@simplewebauthn/server";
+async function verifyRegistration(request) {
+  const {
+    response,
+    expectedChallenge,
+    expectedOrigin,
+    expectedRPID,
+    requireUserVerification = true,
+    allowedAAGUIDs
+  } = request;
+  let verification;
+  try {
+    verification = await verifyRegistrationResponse({
+      response,
+      expectedChallenge,
+      expectedOrigin,
+      expectedRPID,
+      requireUserVerification
+    });
+  } catch (error) {
+    throw new HumanKeyError(
+      `Registration verification failed: ${error instanceof Error ? error.message : "Unknown error"}`,
+      "REGISTRATION_FAILED",
+      error
+    );
+  }
+  if (!verification.verified || !verification.registrationInfo) {
+    throw new HumanKeyError(
+      "Registration verification failed",
+      "REGISTRATION_FAILED"
+    );
+  }
+  const { registrationInfo } = verification;
+  if (allowedAAGUIDs && allowedAAGUIDs.length > 0) {
+    if (!allowedAAGUIDs.includes(registrationInfo.aaguid)) {
+      throw new HumanKeyError(
+        `Authenticator model (AAGUID ${registrationInfo.aaguid}) is not in the allowed list`,
+        "AAGUID_NOT_ALLOWED"
+      );
+    }
+  }
+  const credential = {
+    id: registrationInfo.credential.id,
+    publicKey: registrationInfo.credential.publicKey,
+    counter: registrationInfo.credential.counter,
+    transports: registrationInfo.credential.transports,
+    deviceType: registrationInfo.credentialDeviceType,
+    backedUp: registrationInfo.credentialBackedUp,
+    aaguid: registrationInfo.aaguid
+  };
+  return { credential, verified: true };
+}
+
+// src/verify.ts
+async function verifyTapProof(request) {
+  const {
+    proof,
+    credential,
+    expectedChallenge,
+    expectedAction,
+    expectedOrigin,
+    expectedRPID,
+    requireUserVerification = true
+  } = request;
+  const actionHashBuffer = await hashAction(expectedAction);
+  const expectedActionHash = bufferToBase64url(actionHashBuffer);
+  if (proof.actionHash !== expectedActionHash) {
+    throw new HumanKeyError(
+      "Action hash mismatch \u2014 the client may have signed a different action than expected",
+      "ACTION_HASH_MISMATCH"
+    );
+  }
+  const expectedCode = deriveConfirmationCode(actionHashBuffer);
+  const confirmationValid = proof.userInput.toUpperCase().trim() === expectedCode.toUpperCase();
+  const confirmationInput = `${expectedCode}:${proof.userInput.toUpperCase().trim()}`;
+  const confirmationHashBuffer = await crypto.subtle.digest(
+    "SHA-256",
+    new TextEncoder().encode(confirmationInput)
+  );
+  const challengeBuffer = base64urlToBuffer(expectedChallenge);
+  const expectedFinalChallenge = await combineAndHash(
+    challengeBuffer,
+    actionHashBuffer,
+    confirmationHashBuffer
+  );
+  const expectedFinalChallengeB64 = bufferToBase64url(expectedFinalChallenge);
+  let verification;
+  try {
+    verification = await verifyAuthenticationResponse({
+      response: proof.response,
+      expectedChallenge: expectedFinalChallengeB64,
+      expectedOrigin,
+      expectedRPID,
+      credential: {
+        id: credential.id,
+        publicKey: credential.publicKey,
+        counter: credential.counter,
+        transports: credential.transports
+      },
+      requireUserVerification
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    if (message.includes("counter") && message.includes("lower than expected")) {
+      throw new HumanKeyError(
+        `Signature counter replay detected \u2014 ${message}`,
+        "COUNTER_REPLAY",
+        error
+      );
+    }
+    throw new HumanKeyError(
+      `WebAuthn verification failed: ${message}`,
+      "VERIFICATION_FAILED",
+      error
+    );
+  }
+  if (!verification.verified) {
+    throw new HumanKeyError(
+      "WebAuthn signature verification failed",
+      "VERIFICATION_FAILED"
+    );
+  }
+  const { authenticationInfo } = verification;
+  if (requireUserVerification && !authenticationInfo.userVerified) {
+    throw new HumanKeyError(
+      "User verification was required but not performed \u2014 the authenticator did not verify the user (possible Safari clamshell mode issue)",
+      "USER_VERIFICATION_MISSING"
+    );
+  }
+  const requireConfirmation = request.requireConfirmation ?? true;
+  if (requireConfirmation && !confirmationValid) {
+    throw new HumanKeyError(
+      "Confirmation code mismatch",
+      "CONFIRMATION_MISMATCH"
+    );
+  }
+  if (authenticationInfo.newCounter <= credential.counter && credential.counter !== 0) {
+    throw new HumanKeyError(
+      `Signature counter did not increase (got ${authenticationInfo.newCounter}, expected > ${credential.counter}) \u2014 possible cloned key`,
+      "COUNTER_REPLAY"
+    );
+  }
+  return {
+    verified: true,
+    userVerified: authenticationInfo.userVerified,
+    confirmationValid,
+    newCounter: authenticationInfo.newCounter
+  };
+}
+
+export {
+  createChallenge,
+  verifyRegistration,
+  verifyTapProof
+};

package/dist/errors-BmtCXo7w.d.cts

@@ -0,0 +1,7 @@
+type HumanKeyErrorCode = 'CONFIRMATION_MISMATCH' | 'VERIFICATION_FAILED' | 'USER_VERIFICATION_MISSING' | 'COUNTER_REPLAY' | 'CHALLENGE_MISMATCH' | 'ACTION_HASH_MISMATCH' | 'WEBAUTHN_NOT_SUPPORTED' | 'USER_CANCELLED' | 'REGISTRATION_FAILED' | 'AAGUID_NOT_ALLOWED';
+declare class HumanKeyError extends Error {
+    readonly code: HumanKeyErrorCode;
+    constructor(message: string, code: HumanKeyErrorCode, cause?: unknown);
+}
+
+export { HumanKeyError as H, type HumanKeyErrorCode as a };

package/dist/errors-BmtCXo7w.d.ts

@@ -0,0 +1,7 @@
+type HumanKeyErrorCode = 'CONFIRMATION_MISMATCH' | 'VERIFICATION_FAILED' | 'USER_VERIFICATION_MISSING' | 'COUNTER_REPLAY' | 'CHALLENGE_MISMATCH' | 'ACTION_HASH_MISMATCH' | 'WEBAUTHN_NOT_SUPPORTED' | 'USER_CANCELLED' | 'REGISTRATION_FAILED' | 'AAGUID_NOT_ALLOWED';
+declare class HumanKeyError extends Error {
+    readonly code: HumanKeyErrorCode;
+    constructor(message: string, code: HumanKeyErrorCode, cause?: unknown);
+}
+
+export { HumanKeyError as H, type HumanKeyErrorCode as a };

package/dist/express.cjs

@@ -0,0 +1,124 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; } var _class;
+
+
+
+var _chunkFW3YUVJCcjs = require('./chunk-FW3YUVJC.cjs');
+
+
+var _chunkJI6NIMGKcjs = require('./chunk-JI6NIMGK.cjs');
+
+// src/express.ts
+var _express = require('express');
+var MemoryChallengeStore = (_class = class {constructor() { _class.prototype.__init.call(this); }
+  __init() {this.store = /* @__PURE__ */ new Map()}
+  async set(id, challenge, ttlMs) {
+    this.store.set(id, { challenge, expiresAt: Date.now() + ttlMs });
+    this.cleanup();
+  }
+  async get(id) {
+    const entry = this.store.get(id);
+    if (!entry) return null;
+    this.store.delete(id);
+    if (Date.now() > entry.expiresAt) return null;
+    return entry.challenge;
+  }
+  cleanup() {
+    const now = Date.now();
+    for (const [id, entry] of this.store) {
+      if (now > entry.expiresAt) this.store.delete(id);
+    }
+  }
+}, _class);
+function createHumanKeyRouter(config) {
+  const {
+    rpID,
+    origin,
+    challengeTTL = 6e4,
+    challengeStore = new MemoryChallengeStore(),
+    getCredential,
+    onRegister,
+    onVerify,
+    requireUserVerification = true,
+    allowedAAGUIDs
+  } = config;
+  const router = _express.Router.call(void 0, );
+  router.post("/challenge", async (_req, res) => {
+    try {
+      const challenge = _chunkFW3YUVJCcjs.createChallenge.call(void 0, );
+      const challengeId = crypto.randomUUID();
+      await challengeStore.set(challengeId, challenge, challengeTTL);
+      res.json({ challengeId, challenge });
+    } catch (error) {
+      handleError(res, error);
+    }
+  });
+  router.post("/register", async (req, res) => {
+    try {
+      const { response, challengeId } = req.body;
+      const challenge = await challengeStore.get(challengeId);
+      if (!challenge) {
+        res.status(400).json({ error: "Challenge not found or expired" });
+        return;
+      }
+      const result = await _chunkFW3YUVJCcjs.verifyRegistration.call(void 0, {
+        response,
+        expectedChallenge: challenge,
+        expectedOrigin: origin,
+        expectedRPID: rpID,
+        requireUserVerification,
+        allowedAAGUIDs
+      });
+      await onRegister(result.credential);
+      res.json({ ok: true, credentialId: result.credential.id });
+    } catch (error) {
+      handleError(res, error);
+    }
+  });
+  router.post("/verify", async (req, res) => {
+    try {
+      const { proof, challengeId, action } = req.body;
+      const challenge = await challengeStore.get(challengeId);
+      if (!challenge) {
+        res.status(400).json({ error: "Challenge not found or expired" });
+        return;
+      }
+      const credential = await getCredential(_optionalChain([proof, 'access', _ => _.response, 'optionalAccess', _2 => _2.id]));
+      if (!credential) {
+        res.status(400).json({ error: "Credential not found" });
+        return;
+      }
+      const result = await _chunkFW3YUVJCcjs.verifyTapProof.call(void 0, {
+        proof,
+        credential,
+        expectedChallenge: challenge,
+        expectedAction: action,
+        expectedOrigin: origin,
+        expectedRPID: rpID,
+        requireUserVerification
+      });
+      credential.counter = result.newCounter;
+      if (onVerify) {
+        await onVerify(result, action);
+      }
+      res.json({
+        verified: result.verified,
+        confirmationValid: result.confirmationValid,
+        userVerified: result.userVerified
+      });
+    } catch (error) {
+      handleError(res, error);
+    }
+  });
+  return router;
+}
+function handleError(res, error) {
+  if (error instanceof _chunkJI6NIMGKcjs.HumanKeyError) {
+    res.status(400).json({ error: error.message, code: error.code });
+  } else {
+    res.status(500).json({ error: "Internal server error" });
+  }
+}
+
+
+
+exports.MemoryChallengeStore = MemoryChallengeStore; exports.createHumanKeyRouter = createHumanKeyRouter;

package/dist/express.d.cts

@@ -0,0 +1,52 @@
+import { Router } from 'express';
+import { c as TapCredential, V as VerifyResult, A as ActionPayload } from './types-By44RNIt.cjs';
+import '@simplewebauthn/server';
+
+/** Abstraction for challenge storage with TTL and single-use semantics. */
+interface ChallengeStore {
+    /** Store a challenge with a TTL. */
+    set(id: string, challenge: string, ttlMs: number): Promise<void>;
+    /** Retrieve and delete a challenge (single-use). Returns null if expired or not found. */
+    get(id: string): Promise<string | null>;
+}
+/** In-memory challenge store with TTL enforcement. Use a database or Redis in production. */
+declare class MemoryChallengeStore implements ChallengeStore {
+    private store;
+    set(id: string, challenge: string, ttlMs: number): Promise<void>;
+    get(id: string): Promise<string | null>;
+    private cleanup;
+}
+/** Configuration for the humankey Express router. */
+interface HumanKeyExpressConfig {
+    /** Relying party ID, e.g. "example.com" */
+    rpID: string;
+    /** Relying party display name */
+    rpName: string;
+    /** Expected origin(s), e.g. "https://example.com" */
+    origin: string | string[];
+    /** Challenge TTL in ms (default: 60000) */
+    challengeTTL?: number;
+    /** Custom challenge store (default: MemoryChallengeStore) */
+    challengeStore?: ChallengeStore;
+    /** Look up a stored credential by ID */
+    getCredential: (credentialId: string) => Promise<TapCredential | null>;
+    /** Called after successful registration — store the credential */
+    onRegister: (credential: TapCredential) => Promise<void>;
+    /** Called after successful tap verification */
+    onVerify?: (result: VerifyResult, action: ActionPayload) => Promise<void>;
+    /** Require user verification (default: true) */
+    requireUserVerification?: boolean;
+    /** Restrict to specific authenticator models by AAGUID */
+    allowedAAGUIDs?: string[];
+}
+/**
+ * Create an Express Router with pre-built humankey routes.
+ *
+ * Routes:
+ * - POST /challenge — generate and store a challenge
+ * - POST /register — verify registration and store credential
+ * - POST /verify — verify a tap proof
+ */
+declare function createHumanKeyRouter(config: HumanKeyExpressConfig): Router;
+
+export { ActionPayload, type ChallengeStore, type HumanKeyExpressConfig, MemoryChallengeStore, TapCredential, VerifyResult, createHumanKeyRouter };

package/dist/express.d.ts

@@ -0,0 +1,52 @@
+import { Router } from 'express';
+import { c as TapCredential, V as VerifyResult, A as ActionPayload } from './types-By44RNIt.js';
+import '@simplewebauthn/server';
+
+/** Abstraction for challenge storage with TTL and single-use semantics. */
+interface ChallengeStore {
+    /** Store a challenge with a TTL. */
+    set(id: string, challenge: string, ttlMs: number): Promise<void>;
+    /** Retrieve and delete a challenge (single-use). Returns null if expired or not found. */
+    get(id: string): Promise<string | null>;
+}
+/** In-memory challenge store with TTL enforcement. Use a database or Redis in production. */
+declare class MemoryChallengeStore implements ChallengeStore {
+    private store;
+    set(id: string, challenge: string, ttlMs: number): Promise<void>;
+    get(id: string): Promise<string | null>;
+    private cleanup;
+}
+/** Configuration for the humankey Express router. */
+interface HumanKeyExpressConfig {
+    /** Relying party ID, e.g. "example.com" */
+    rpID: string;
+    /** Relying party display name */
+    rpName: string;
+    /** Expected origin(s), e.g. "https://example.com" */
+    origin: string | string[];
+    /** Challenge TTL in ms (default: 60000) */
+    challengeTTL?: number;
+    /** Custom challenge store (default: MemoryChallengeStore) */
+    challengeStore?: ChallengeStore;
+    /** Look up a stored credential by ID */
+    getCredential: (credentialId: string) => Promise<TapCredential | null>;
+    /** Called after successful registration — store the credential */
+    onRegister: (credential: TapCredential) => Promise<void>;
+    /** Called after successful tap verification */
+    onVerify?: (result: VerifyResult, action: ActionPayload) => Promise<void>;
+    /** Require user verification (default: true) */
+    requireUserVerification?: boolean;
+    /** Restrict to specific authenticator models by AAGUID */
+    allowedAAGUIDs?: string[];
+}
+/**
+ * Create an Express Router with pre-built humankey routes.
+ *
+ * Routes:
+ * - POST /challenge — generate and store a challenge
+ * - POST /register — verify registration and store credential
+ * - POST /verify — verify a tap proof
+ */
+declare function createHumanKeyRouter(config: HumanKeyExpressConfig): Router;
+
+export { ActionPayload, type ChallengeStore, type HumanKeyExpressConfig, MemoryChallengeStore, TapCredential, VerifyResult, createHumanKeyRouter };

package/dist/express.mjs

@@ -0,0 +1,124 @@
+import {
+  createChallenge,
+  verifyRegistration,
+  verifyTapProof
+} from "./chunk-XXJAJHNP.mjs";
+import {
+  HumanKeyError
+} from "./chunk-CLQSCDXC.mjs";
+
+// src/express.ts
+import { Router } from "express";
+var MemoryChallengeStore = class {
+  store = /* @__PURE__ */ new Map();
+  async set(id, challenge, ttlMs) {
+    this.store.set(id, { challenge, expiresAt: Date.now() + ttlMs });
+    this.cleanup();
+  }
+  async get(id) {
+    const entry = this.store.get(id);
+    if (!entry) return null;
+    this.store.delete(id);
+    if (Date.now() > entry.expiresAt) return null;
+    return entry.challenge;
+  }
+  cleanup() {
+    const now = Date.now();
+    for (const [id, entry] of this.store) {
+      if (now > entry.expiresAt) this.store.delete(id);
+    }
+  }
+};
+function createHumanKeyRouter(config) {
+  const {
+    rpID,
+    origin,
+    challengeTTL = 6e4,
+    challengeStore = new MemoryChallengeStore(),
+    getCredential,
+    onRegister,
+    onVerify,
+    requireUserVerification = true,
+    allowedAAGUIDs
+  } = config;
+  const router = Router();
+  router.post("/challenge", async (_req, res) => {
+    try {
+      const challenge = createChallenge();
+      const challengeId = crypto.randomUUID();
+      await challengeStore.set(challengeId, challenge, challengeTTL);
+      res.json({ challengeId, challenge });
+    } catch (error) {
+      handleError(res, error);
+    }
+  });
+  router.post("/register", async (req, res) => {
+    try {
+      const { response, challengeId } = req.body;
+      const challenge = await challengeStore.get(challengeId);
+      if (!challenge) {
+        res.status(400).json({ error: "Challenge not found or expired" });
+        return;
+      }
+      const result = await verifyRegistration({
+        response,
+        expectedChallenge: challenge,
+        expectedOrigin: origin,
+        expectedRPID: rpID,
+        requireUserVerification,
+        allowedAAGUIDs
+      });
+      await onRegister(result.credential);
+      res.json({ ok: true, credentialId: result.credential.id });
+    } catch (error) {
+      handleError(res, error);
+    }
+  });
+  router.post("/verify", async (req, res) => {
+    try {
+      const { proof, challengeId, action } = req.body;
+      const challenge = await challengeStore.get(challengeId);
+      if (!challenge) {
+        res.status(400).json({ error: "Challenge not found or expired" });
+        return;
+      }
+      const credential = await getCredential(proof.response?.id);
+      if (!credential) {
+        res.status(400).json({ error: "Credential not found" });
+        return;
+      }
+      const result = await verifyTapProof({
+        proof,
+        credential,
+        expectedChallenge: challenge,
+        expectedAction: action,
+        expectedOrigin: origin,
+        expectedRPID: rpID,
+        requireUserVerification
+      });
+      credential.counter = result.newCounter;
+      if (onVerify) {
+        await onVerify(result, action);
+      }
+      res.json({
+        verified: result.verified,
+        confirmationValid: result.confirmationValid,
+        userVerified: result.userVerified
+      });
+    } catch (error) {
+      handleError(res, error);
+    }
+  });
+  return router;
+}
+function handleError(res, error) {
+  if (error instanceof HumanKeyError) {
+    res.status(400).json({ error: error.message, code: error.code });
+  } else {
+    res.status(500).json({ error: "Internal server error" });
+  }
+}
+export {
+  MemoryChallengeStore,
+  createHumanKeyRouter
+};