isitme 0.0.1

package/README.md

@@ -0,0 +1,104 @@
+# isitme
+
+Passkey authentication for Express. One line of code, no database, no passwords.
+
+```
+npm install isitme
+```
+
+## Quick start
+
+```js
+import express from "express";
+import cookieParser from "cookie-parser";
+import { isitme } from "isitme";
+
+const app = express();
+app.use(cookieParser());
+app.use(isitme());
+
+app.get("/", (req, res) => {
+  res.send("You are authenticated!");
+});
+
+app.listen(3000);
+```
+
+The first visitor registers a passkey with their fingerprint or face. After that, every request requires biometric authentication.
+
+## Options
+
+```js
+app.use(isitme({
+  secret: "your-jwt-secret",       // default: random (sessions lost on restart)
+  storage: "./auth.json",           // default: "./auth.json", false for in-memory
+  publicPaths: ["/", "/about"],     // routes that skip auth
+  prefix: "/auth",                  // auth endpoint prefix
+  sessionExpiryDays: 7,             // session duration
+  page: { title: "My App" },        // customize login page, or false to disable
+}));
+```
+
+## Public paths and conditional auth
+
+The middleware sets `req.isAuthenticated` on every request, even on public paths:
+
+```js
+app.use(isitme({ publicPaths: ["/"] }));
+
+app.get("/", (req, res) => {
+  if (req.isAuthenticated) {
+    res.send("Welcome back!");
+  } else {
+    res.send("Sign in to continue.");
+  }
+});
+```
+
+## Browser client
+
+For custom login pages, import the browser helpers:
+
+```js
+import { register, login, getAuthStatus } from "isitme/browser";
+
+const status = await getAuthStatus();
+
+if (!status.isSetup) {
+  await register();
+} else {
+  await login();
+}
+```
+
+## Custom storage
+
+Implement the `StorageAdapter` interface to use any backend:
+
+```js
+import { isitme } from "isitme";
+
+app.use(isitme({
+  storage: {
+    isSetupComplete() { /* ... */ },
+    getUser() { /* ... */ },
+    getCredentials() { /* ... */ },
+    getCredentialById(id) { /* ... */ },
+    saveUserAndCredential(user, credential) { /* ... */ },
+    updateCredentialCounter(id, counter) { /* ... */ },
+    getAuthDataJson() { /* ... */ },
+  }
+}));
+```
+
+## How it works
+
+1. `isitme()` adds auth routes (`/auth/*`) and a guard middleware to your app
+2. Unauthenticated visitors see a built-in login page
+3. Registration creates a WebAuthn passkey tied to the device's biometrics
+4. Login verifies the passkey and sets a JWT session cookie
+5. `req.isAuthenticated` is available on every request
+
+## License
+
+MIT

package/dist/browser.d.ts

@@ -0,0 +1,23 @@
+interface AuthStatus {
+    setupComplete: boolean;
+    isAuthenticated: boolean;
+}
+interface RegisterResult {
+    verified: boolean;
+    authData?: string;
+}
+interface LoginResult {
+    verified: boolean;
+}
+interface IsitmeBrowserOptions {
+    /** Auth API prefix. Default: `/auth` */
+    prefix?: string;
+}
+
+declare function register(opts?: IsitmeBrowserOptions): Promise<RegisterResult>;
+
+declare function login(opts?: IsitmeBrowserOptions): Promise<LoginResult>;
+
+declare function getAuthStatus(opts?: IsitmeBrowserOptions): Promise<AuthStatus>;
+
+export { type AuthStatus, type IsitmeBrowserOptions, type LoginResult, type RegisterResult, getAuthStatus, login, register };

package/dist/browser.js

@@ -0,0 +1,400 @@
+// ../../node_modules/.pnpm/@simplewebauthn+browser@11.0.0/node_modules/@simplewebauthn/browser/dist/bundle/index.js
+function bufferToBase64URLString(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let str = "";
+  for (const charCode of bytes) {
+    str += String.fromCharCode(charCode);
+  }
+  const base64String = btoa(str);
+  return base64String.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64URLStringToBuffer(base64URLString) {
+  const base64 = base64URLString.replace(/-/g, "+").replace(/_/g, "/");
+  const padLength = (4 - base64.length % 4) % 4;
+  const padded = base64.padEnd(base64.length + padLength, "=");
+  const binary = atob(padded);
+  const buffer = new ArrayBuffer(binary.length);
+  const bytes = new Uint8Array(buffer);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return buffer;
+}
+function browserSupportsWebAuthn() {
+  return window?.PublicKeyCredential !== void 0 && typeof window.PublicKeyCredential === "function";
+}
+function toPublicKeyCredentialDescriptor(descriptor) {
+  const { id } = descriptor;
+  return {
+    ...descriptor,
+    id: base64URLStringToBuffer(id),
+    transports: descriptor.transports
+  };
+}
+function isValidDomain(hostname) {
+  return hostname === "localhost" || /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(hostname);
+}
+var WebAuthnError = class extends Error {
+  constructor({ message, code, cause, name }) {
+    super(message, { cause });
+    this.name = name ?? cause.name;
+    this.code = code;
+  }
+};
+function identifyRegistrationError({ error, options }) {
+  const { publicKey } = options;
+  if (!publicKey) {
+    throw Error("options was missing required publicKey property");
+  }
+  if (error.name === "AbortError") {
+    if (options.signal instanceof AbortSignal) {
+      return new WebAuthnError({
+        message: "Registration ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: error
+      });
+    }
+  } else if (error.name === "ConstraintError") {
+    if (publicKey.authenticatorSelection?.requireResidentKey === true) {
+      return new WebAuthnError({
+        message: "Discoverable credentials were required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT",
+        cause: error
+      });
+    } else if (options.mediation === "conditional" && publicKey.authenticatorSelection?.userVerification === "required") {
+      return new WebAuthnError({
+        message: "User verification was required during automatic registration but it could not be performed",
+        code: "ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE",
+        cause: error
+      });
+    } else if (publicKey.authenticatorSelection?.userVerification === "required") {
+      return new WebAuthnError({
+        message: "User verification was required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT",
+        cause: error
+      });
+    }
+  } else if (error.name === "InvalidStateError") {
+    return new WebAuthnError({
+      message: "The authenticator was previously registered",
+      code: "ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED",
+      cause: error
+    });
+  } else if (error.name === "NotAllowedError") {
+    return new WebAuthnError({
+      message: error.message,
+      code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+      cause: error
+    });
+  } else if (error.name === "NotSupportedError") {
+    const validPubKeyCredParams = publicKey.pubKeyCredParams.filter((param) => param.type === "public-key");
+    if (validPubKeyCredParams.length === 0) {
+      return new WebAuthnError({
+        message: 'No entry in pubKeyCredParams was of type "public-key"',
+        code: "ERROR_MALFORMED_PUBKEYCREDPARAMS",
+        cause: error
+      });
+    }
+    return new WebAuthnError({
+      message: "No available authenticator supported any of the specified pubKeyCredParams algorithms",
+      code: "ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG",
+      cause: error
+    });
+  } else if (error.name === "SecurityError") {
+    const effectiveDomain = window.location.hostname;
+    if (!isValidDomain(effectiveDomain)) {
+      return new WebAuthnError({
+        message: `${window.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: error
+      });
+    } else if (publicKey.rp.id !== effectiveDomain) {
+      return new WebAuthnError({
+        message: `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
+        code: "ERROR_INVALID_RP_ID",
+        cause: error
+      });
+    }
+  } else if (error.name === "TypeError") {
+    if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
+      return new WebAuthnError({
+        message: "User ID was not between 1 and 64 characters",
+        code: "ERROR_INVALID_USER_ID_LENGTH",
+        cause: error
+      });
+    }
+  } else if (error.name === "UnknownError") {
+    return new WebAuthnError({
+      message: "The authenticator was unable to process the specified options, or could not create a new credential",
+      code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+      cause: error
+    });
+  }
+  return error;
+}
+var BaseWebAuthnAbortService = class {
+  createNewAbortSignal() {
+    if (this.controller) {
+      const abortError = new Error("Cancelling existing WebAuthn API call for new one");
+      abortError.name = "AbortError";
+      this.controller.abort(abortError);
+    }
+    const newController = new AbortController();
+    this.controller = newController;
+    return newController.signal;
+  }
+  cancelCeremony() {
+    if (this.controller) {
+      const abortError = new Error("Manually cancelling existing WebAuthn API call");
+      abortError.name = "AbortError";
+      this.controller.abort(abortError);
+      this.controller = void 0;
+    }
+  }
+};
+var WebAuthnAbortService = new BaseWebAuthnAbortService();
+var attachments = ["cross-platform", "platform"];
+function toAuthenticatorAttachment(attachment) {
+  if (!attachment) {
+    return;
+  }
+  if (attachments.indexOf(attachment) < 0) {
+    return;
+  }
+  return attachment;
+}
+async function startRegistration(options) {
+  const { optionsJSON, useAutoRegister = false } = options;
+  if (!browserSupportsWebAuthn()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const publicKey = {
+    ...optionsJSON,
+    challenge: base64URLStringToBuffer(optionsJSON.challenge),
+    user: {
+      ...optionsJSON.user,
+      id: base64URLStringToBuffer(optionsJSON.user.id)
+    },
+    excludeCredentials: optionsJSON.excludeCredentials?.map(toPublicKeyCredentialDescriptor)
+  };
+  const createOptions = {};
+  if (useAutoRegister) {
+    createOptions.mediation = "conditional";
+  }
+  createOptions.publicKey = publicKey;
+  createOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+  let credential;
+  try {
+    credential = await navigator.credentials.create(createOptions);
+  } catch (err) {
+    throw identifyRegistrationError({ error: err, options: createOptions });
+  }
+  if (!credential) {
+    throw new Error("Registration was not completed");
+  }
+  const { id, rawId, response, type } = credential;
+  let transports = void 0;
+  if (typeof response.getTransports === "function") {
+    transports = response.getTransports();
+  }
+  let responsePublicKeyAlgorithm = void 0;
+  if (typeof response.getPublicKeyAlgorithm === "function") {
+    try {
+      responsePublicKeyAlgorithm = response.getPublicKeyAlgorithm();
+    } catch (error) {
+      warnOnBrokenImplementation("getPublicKeyAlgorithm()", error);
+    }
+  }
+  let responsePublicKey = void 0;
+  if (typeof response.getPublicKey === "function") {
+    try {
+      const _publicKey = response.getPublicKey();
+      if (_publicKey !== null) {
+        responsePublicKey = bufferToBase64URLString(_publicKey);
+      }
+    } catch (error) {
+      warnOnBrokenImplementation("getPublicKey()", error);
+    }
+  }
+  let responseAuthenticatorData;
+  if (typeof response.getAuthenticatorData === "function") {
+    try {
+      responseAuthenticatorData = bufferToBase64URLString(response.getAuthenticatorData());
+    } catch (error) {
+      warnOnBrokenImplementation("getAuthenticatorData()", error);
+    }
+  }
+  return {
+    id,
+    rawId: bufferToBase64URLString(rawId),
+    response: {
+      attestationObject: bufferToBase64URLString(response.attestationObject),
+      clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+      transports,
+      publicKeyAlgorithm: responsePublicKeyAlgorithm,
+      publicKey: responsePublicKey,
+      authenticatorData: responseAuthenticatorData
+    },
+    type,
+    clientExtensionResults: credential.getClientExtensionResults(),
+    authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment)
+  };
+}
+function warnOnBrokenImplementation(methodName, cause) {
+  console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${methodName}. You should report this error to them.
+`, cause);
+}
+function browserSupportsWebAuthnAutofill() {
+  if (!browserSupportsWebAuthn()) {
+    return new Promise((resolve) => resolve(false));
+  }
+  const globalPublicKeyCredential = window.PublicKeyCredential;
+  if (globalPublicKeyCredential.isConditionalMediationAvailable === void 0) {
+    return new Promise((resolve) => resolve(false));
+  }
+  return globalPublicKeyCredential.isConditionalMediationAvailable();
+}
+function identifyAuthenticationError({ error, options }) {
+  const { publicKey } = options;
+  if (!publicKey) {
+    throw Error("options was missing required publicKey property");
+  }
+  if (error.name === "AbortError") {
+    if (options.signal instanceof AbortSignal) {
+      return new WebAuthnError({
+        message: "Authentication ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: error
+      });
+    }
+  } else if (error.name === "NotAllowedError") {
+    return new WebAuthnError({
+      message: error.message,
+      code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+      cause: error
+    });
+  } else if (error.name === "SecurityError") {
+    const effectiveDomain = window.location.hostname;
+    if (!isValidDomain(effectiveDomain)) {
+      return new WebAuthnError({
+        message: `${window.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: error
+      });
+    } else if (publicKey.rpId !== effectiveDomain) {
+      return new WebAuthnError({
+        message: `The RP ID "${publicKey.rpId}" is invalid for this domain`,
+        code: "ERROR_INVALID_RP_ID",
+        cause: error
+      });
+    }
+  } else if (error.name === "UnknownError") {
+    return new WebAuthnError({
+      message: "The authenticator was unable to process the specified options, or could not create a new assertion signature",
+      code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+      cause: error
+    });
+  }
+  return error;
+}
+async function startAuthentication(options) {
+  const { optionsJSON, useBrowserAutofill = false, verifyBrowserAutofillInput = true } = options;
+  if (!browserSupportsWebAuthn()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  let allowCredentials;
+  if (optionsJSON.allowCredentials?.length !== 0) {
+    allowCredentials = optionsJSON.allowCredentials?.map(toPublicKeyCredentialDescriptor);
+  }
+  const publicKey = {
+    ...optionsJSON,
+    challenge: base64URLStringToBuffer(optionsJSON.challenge),
+    allowCredentials
+  };
+  const getOptions = {};
+  if (useBrowserAutofill) {
+    if (!await browserSupportsWebAuthnAutofill()) {
+      throw Error("Browser does not support WebAuthn autofill");
+    }
+    const eligibleInputs = document.querySelectorAll("input[autocomplete$='webauthn']");
+    if (eligibleInputs.length < 1 && verifyBrowserAutofillInput) {
+      throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');
+    }
+    getOptions.mediation = "conditional";
+    publicKey.allowCredentials = [];
+  }
+  getOptions.publicKey = publicKey;
+  getOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+  let credential;
+  try {
+    credential = await navigator.credentials.get(getOptions);
+  } catch (err) {
+    throw identifyAuthenticationError({ error: err, options: getOptions });
+  }
+  if (!credential) {
+    throw new Error("Authentication was not completed");
+  }
+  const { id, rawId, response, type } = credential;
+  let userHandle = void 0;
+  if (response.userHandle) {
+    userHandle = bufferToBase64URLString(response.userHandle);
+  }
+  return {
+    id,
+    rawId: bufferToBase64URLString(rawId),
+    response: {
+      authenticatorData: bufferToBase64URLString(response.authenticatorData),
+      clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+      signature: bufferToBase64URLString(response.signature),
+      userHandle
+    },
+    type,
+    clientExtensionResults: credential.getClientExtensionResults(),
+    authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment)
+  };
+}
+
+// ../browser/dist/index.js
+async function register(opts = {}) {
+  const prefix = opts.prefix || "/auth";
+  const optRes = await fetch(`${prefix}/register/options`, { method: "POST" });
+  if (!optRes.ok) throw new Error("Failed to get registration options");
+  const { options, nonce, userId } = await optRes.json();
+  const registration = await startRegistration({ optionsJSON: options });
+  const verifyRes = await fetch(`${prefix}/register/verify`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ nonce, userId, response: registration })
+  });
+  const result = await verifyRes.json();
+  if (!verifyRes.ok) throw new Error(result.error || "Registration failed");
+  return result;
+}
+async function login(opts = {}) {
+  const prefix = opts.prefix || "/auth";
+  const optRes = await fetch(`${prefix}/login/options`, { method: "POST" });
+  if (!optRes.ok) throw new Error("Failed to get login options");
+  const { options, nonce } = await optRes.json();
+  const authentication = await startAuthentication({ optionsJSON: options });
+  const verifyRes = await fetch(`${prefix}/login/verify`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ nonce, response: authentication })
+  });
+  if (!verifyRes.ok) {
+    const data = await verifyRes.json();
+    throw new Error(data.error || "Authentication failed");
+  }
+  return verifyRes.json();
+}
+async function getAuthStatus(opts = {}) {
+  const prefix = opts.prefix || "/auth";
+  const res = await fetch(`${prefix}/status`);
+  if (!res.ok) throw new Error("Failed to fetch auth status");
+  return res.json();
+}
+export {
+  getAuthStatus,
+  login,
+  register
+};