ngx-webauthn 0.0.2

package/fesm2022/ngx-webauthn.mjs

@@ -0,0 +1,1058 @@
+import * as i0 from '@angular/core';
+import { InjectionToken, inject, Injectable } from '@angular/core';
+import { throwError, from } from 'rxjs';
+import { map, catchError } from 'rxjs/operators';
+
+/**
+ * High-level configuration interfaces for WebAuthn operations
+ *
+ * These interfaces provide a convenient, preset-driven API while still allowing
+ * full customization through override properties. They derive from standard WebAuthn
+ * types where possible to reduce duplication and ensure compatibility.
+ */
+/**
+ * Type guard to check if input is a RegisterConfig
+ */
+function isRegisterConfig(input) {
+    return typeof input === 'object' && input !== null && 'username' in input;
+}
+/**
+ * Type guard to check if input is an AuthenticateConfig
+ */
+function isAuthenticateConfig(input) {
+    return (typeof input === 'object' &&
+        input !== null &&
+        ('username' in input || 'preset' in input) &&
+        !('rp' in input) && // WebAuthn options have 'rp'
+        !('user' in input)); // WebAuthn options have 'user'
+}
+/**
+ * Type guard to check if input is WebAuthn creation options
+ */
+function isCreationOptions(input) {
+    return (typeof input === 'object' &&
+        input !== null &&
+        'rp' in input &&
+        'user' in input);
+}
+/**
+ * Type guard to check if input is WebAuthn request options
+ */
+function isRequestOptions(input) {
+    return (typeof input === 'object' &&
+        input !== null &&
+        !('username' in input) &&
+        !('rp' in input) &&
+        !('user' in input));
+}
+
+/**
+ * WebAuthn Preset Configurations
+ *
+ * This file contains predefined configurations for common WebAuthn use cases.
+ * These presets provide sensible defaults while remaining fully customizable.
+ */
+/**
+ * A shared configuration for common, strong, and widely-supported
+ * public key credential algorithms.
+ */
+const COMMON_PUB_KEY_CRED_PARAMS = {
+    pubKeyCredParams: [
+        { type: 'public-key', alg: -7 }, // ES256 (ECDSA w/ SHA-256)
+        { type: 'public-key', alg: -257 }, // RS256 (RSASSA-PKCS1-v1_5 w/ SHA-256)
+    ],
+};
+/**
+ * Preset for modern, passwordless, cross-device credentials.
+ *
+ * Best for: Passkey-based authentication where users can sync credentials
+ * across devices and use them for passwordless login.
+ *
+ * Features:
+ * - Requires resident keys (discoverable credentials)
+ * - Prefers user verification but doesn't require it
+ * - Works with both platform and cross-platform authenticators
+ * - Supports credential syncing across devices
+ */
+const PASSKEY_PRESET = {
+    ...COMMON_PUB_KEY_CRED_PARAMS,
+    authenticatorSelection: {
+        residentKey: 'required',
+        userVerification: 'preferred',
+    },
+};
+/**
+ * Preset for using a security key as a second factor after a password.
+ *
+ * Best for: Traditional 2FA scenarios where users already have a password
+ * and want to add hardware security key as a second factor.
+ *
+ * Features:
+ * - Discourages resident keys (server-side credential storage)
+ * - Prefers user verification
+ * - Favors cross-platform authenticators (USB/NFC security keys)
+ * - Credentials typically not synced between devices
+ */
+const SECOND_FACTOR_PRESET = {
+    ...COMMON_PUB_KEY_CRED_PARAMS,
+    authenticatorSelection: {
+        residentKey: 'discouraged',
+        userVerification: 'preferred',
+        authenticatorAttachment: 'cross-platform',
+    },
+};
+/**
+ * Preset for high-security, non-synced, single-device credentials.
+ *
+ * Best for: High-security scenarios where credentials must stay on a single
+ * device and user verification is mandatory.
+ *
+ * Features:
+ * - Requires platform authenticators (built-in biometrics/PIN)
+ * - Requires resident keys for discoverability
+ * - Requires user verification (biometric/PIN)
+ * - Credentials bound to specific device (no syncing)
+ */
+const DEVICE_BOUND_PRESET = {
+    ...COMMON_PUB_KEY_CRED_PARAMS,
+    authenticatorSelection: {
+        authenticatorAttachment: 'platform',
+        residentKey: 'required',
+        userVerification: 'required',
+    },
+};
+/**
+ * Map of preset names to their configurations
+ * Used internally for preset resolution
+ */
+const PRESET_MAP = {
+    passkey: PASSKEY_PRESET,
+    secondFactor: SECOND_FACTOR_PRESET,
+    deviceBound: DEVICE_BOUND_PRESET,
+};
+
+/**
+ * Utility functions for resolving and merging WebAuthn presets
+ *
+ * These utilities handle the logic of taking a RegisterConfig or AuthenticateConfig,
+ * resolving any preset, and merging it with user overrides to produce final
+ * WebAuthn options ready for the browser API.
+ */
+/**
+ * Deep merge utility that properly handles nested objects
+ * Later properties override earlier ones
+ */
+function deepMerge(target, ...sources) {
+    if (!sources.length)
+        return target;
+    const source = sources.shift();
+    if (isObject(target) && isObject(source)) {
+        for (const key in source) {
+            if (isObject(source[key])) {
+                if (!target[key])
+                    Object.assign(target, { [key]: {} });
+                deepMerge(target[key], source[key]);
+            }
+            else {
+                Object.assign(target, { [key]: source[key] });
+            }
+        }
+    }
+    return deepMerge(target, ...sources);
+}
+/**
+ * Check if a value is a plain object
+ */
+function isObject(item) {
+    return item && typeof item === 'object' && !Array.isArray(item);
+}
+/**
+ * Generate a secure random challenge as Uint8Array
+ */
+function generateChallenge$1() {
+    return crypto.getRandomValues(new Uint8Array(32));
+}
+/**
+ * Generate a user ID from username
+ * Uses TextEncoder to convert username to Uint8Array for consistency
+ */
+function generateUserId$1(username) {
+    return new TextEncoder().encode(username);
+}
+/**
+ * Convert challenge to appropriate format
+ * Handles both string (base64url) and Uint8Array inputs
+ */
+function processChallenge(challenge) {
+    if (!challenge) {
+        return generateChallenge$1();
+    }
+    if (typeof challenge === 'string') {
+        // Assume base64url string, convert to Uint8Array
+        return Uint8Array.from(atob(challenge.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
+    }
+    return challenge;
+}
+/**
+ * Convert user ID to appropriate format
+ * Handles both string (base64url) and Uint8Array inputs
+ */
+function processUserId(userId, username) {
+    if (userId) {
+        if (typeof userId === 'string') {
+            // Assume base64url string, convert to Uint8Array
+            return Uint8Array.from(atob(userId.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
+        }
+        return userId;
+    }
+    if (username) {
+        return generateUserId$1(username);
+    }
+    // Fallback to random ID
+    return crypto.getRandomValues(new Uint8Array(16));
+}
+/**
+ * Convert string credential IDs to PublicKeyCredentialDescriptor format
+ */
+function processCredentialDescriptors(credentials) {
+    if (!credentials || credentials.length === 0) {
+        return undefined;
+    }
+    // If already in descriptor format, return as-is
+    if (typeof credentials[0] === 'object' && 'type' in credentials[0]) {
+        return credentials;
+    }
+    // Convert string IDs to descriptors
+    return credentials.map((id) => ({
+        type: 'public-key',
+        id: Uint8Array.from(atob(id.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0)),
+    }));
+}
+/**
+ * Resolve a preset configuration by name
+ */
+function resolvePreset(presetName) {
+    const preset = PRESET_MAP[presetName];
+    if (!preset) {
+        throw new Error(`Unknown preset: ${presetName}`);
+    }
+    return preset;
+}
+/**
+ * Build complete PublicKeyCredentialCreationOptions from RegisterConfig
+ * Now uses WebAuthnConfig for better defaults and relying party information
+ */
+function buildCreationOptionsFromConfig(config, webAuthnConfig) {
+    // Start with base configuration from WebAuthnConfig
+    let options = {
+        timeout: webAuthnConfig.defaultTimeout || 60000,
+        attestation: webAuthnConfig.defaultAttestation || 'none',
+    };
+    // Apply preset if specified
+    if (config.preset) {
+        const preset = resolvePreset(config.preset);
+        options = deepMerge(options, {
+            authenticatorSelection: preset.authenticatorSelection,
+            pubKeyCredParams: [...preset.pubKeyCredParams], // Convert readonly to mutable
+        });
+    }
+    else {
+        // Apply default authenticator selection from config
+        if (webAuthnConfig.defaultAuthenticatorSelection) {
+            options.authenticatorSelection =
+                webAuthnConfig.defaultAuthenticatorSelection;
+        }
+    }
+    // Apply user overrides
+    if (config.timeout !== undefined) {
+        options.timeout = config.timeout;
+    }
+    if (config.attestation !== undefined) {
+        options.attestation = config.attestation;
+    }
+    if (config.authenticatorSelection !== undefined) {
+        options.authenticatorSelection = deepMerge(options.authenticatorSelection || {}, config.authenticatorSelection);
+    }
+    if (config.pubKeyCredParams !== undefined) {
+        options.pubKeyCredParams = config.pubKeyCredParams;
+    }
+    if (config.extensions !== undefined) {
+        options.extensions = config.extensions;
+    }
+    // Handle required fields
+    const challenge = processChallenge(config.challenge);
+    const userId = processUserId(config.userId, config.username);
+    // Use relying party from config, with user override capability
+    const relyingParty = config.rp || webAuthnConfig.relyingParty;
+    // Build final options
+    const finalOptions = {
+        ...options,
+        rp: relyingParty,
+        user: {
+            id: userId,
+            name: config.username,
+            displayName: config.displayName || config.username,
+        },
+        challenge,
+        pubKeyCredParams: options.pubKeyCredParams ||
+            webAuthnConfig.defaultAlgorithms || [
+            { type: 'public-key', alg: -7 }, // ES256
+            { type: 'public-key', alg: -257 }, // RS256
+        ],
+        excludeCredentials: processCredentialDescriptors(config.excludeCredentials),
+    };
+    return finalOptions;
+}
+/**
+ * Build complete PublicKeyCredentialRequestOptions from AuthenticateConfig
+ * Now uses WebAuthnConfig for better defaults
+ */
+function buildRequestOptionsFromConfig(config, webAuthnConfig) {
+    // Start with base configuration from WebAuthnConfig
+    const options = {
+        timeout: webAuthnConfig.defaultTimeout || 60000,
+        userVerification: webAuthnConfig.enforceUserVerification
+            ? 'required'
+            : 'preferred',
+    };
+    // Apply preset if specified
+    if (config.preset) {
+        const preset = resolvePreset(config.preset);
+        // Extract relevant parts for authentication (userVerification from authenticatorSelection)
+        if (preset.authenticatorSelection?.userVerification) {
+            options.userVerification = preset.authenticatorSelection.userVerification;
+        }
+    }
+    // Apply user overrides
+    if (config.timeout !== undefined) {
+        options.timeout = config.timeout;
+    }
+    if (config.userVerification !== undefined) {
+        options.userVerification = config.userVerification;
+    }
+    if (config.extensions !== undefined) {
+        options.extensions = config.extensions;
+    }
+    // Handle required fields
+    const challenge = processChallenge(config.challenge);
+    // Build final options
+    const finalOptions = {
+        ...options,
+        challenge,
+        allowCredentials: processCredentialDescriptors(config.allowCredentials),
+    };
+    return finalOptions;
+}
+/**
+ * Validate that a RegisterConfig has all required fields
+ */
+function validateRegisterConfig(config) {
+    if (!config.username || typeof config.username !== 'string') {
+        throw new Error('RegisterConfig must have a valid username');
+    }
+    if (config.preset && !PRESET_MAP[config.preset]) {
+        throw new Error(`Invalid preset: ${config.preset}. Valid presets are: ${Object.keys(PRESET_MAP).join(', ')}`);
+    }
+}
+/**
+ * Validate that an AuthenticateConfig has all required fields
+ */
+function validateAuthenticateConfig(config) {
+    if (config.preset && !PRESET_MAP[config.preset]) {
+        throw new Error(`Invalid preset: ${config.preset}. Valid presets are: ${Object.keys(PRESET_MAP).join(', ')}`);
+    }
+}
+
+/**
+ * Enhanced WebAuthn Error Classes
+ * Provides specific, actionable error types for better developer experience
+ */
+var WebAuthnErrorType;
+(function (WebAuthnErrorType) {
+    WebAuthnErrorType["NOT_SUPPORTED"] = "NOT_SUPPORTED";
+    WebAuthnErrorType["USER_CANCELLED"] = "USER_CANCELLED";
+    WebAuthnErrorType["AUTHENTICATOR_ERROR"] = "AUTHENTICATOR_ERROR";
+    WebAuthnErrorType["INVALID_OPTIONS"] = "INVALID_OPTIONS";
+    WebAuthnErrorType["UNSUPPORTED_OPERATION"] = "UNSUPPORTED_OPERATION";
+    WebAuthnErrorType["NETWORK_ERROR"] = "NETWORK_ERROR";
+    WebAuthnErrorType["SECURITY_ERROR"] = "SECURITY_ERROR";
+    WebAuthnErrorType["TIMEOUT_ERROR"] = "TIMEOUT_ERROR";
+    WebAuthnErrorType["UNKNOWN"] = "UNKNOWN";
+})(WebAuthnErrorType || (WebAuthnErrorType = {}));
+/**
+ * Base WebAuthn error class with additional context
+ */
+class WebAuthnError extends Error {
+    type;
+    originalError;
+    constructor(type, message, originalError) {
+        super(message);
+        this.type = type;
+        this.originalError = originalError;
+        this.name = 'WebAuthnError';
+    }
+    static fromDOMException(error) {
+        const type = WebAuthnError.mapDOMExceptionToType(error.name);
+        return new WebAuthnError(type, error.message, error);
+    }
+    static mapDOMExceptionToType(name) {
+        switch (name) {
+            case 'NotSupportedError':
+                return WebAuthnErrorType.NOT_SUPPORTED;
+            case 'NotAllowedError':
+                return WebAuthnErrorType.USER_CANCELLED;
+            case 'InvalidStateError':
+                return WebAuthnErrorType.AUTHENTICATOR_ERROR;
+            case 'SecurityError':
+                return WebAuthnErrorType.SECURITY_ERROR;
+            case 'TimeoutError':
+                return WebAuthnErrorType.TIMEOUT_ERROR;
+            case 'NetworkError':
+                return WebAuthnErrorType.NETWORK_ERROR;
+            case 'EncodingError':
+                return WebAuthnErrorType.INVALID_OPTIONS;
+            default:
+                return WebAuthnErrorType.UNKNOWN;
+        }
+    }
+}
+/**
+ * Error thrown when user cancels the WebAuthn operation
+ */
+class UserCancelledError extends WebAuthnError {
+    constructor(originalError) {
+        super(WebAuthnErrorType.USER_CANCELLED, 'User cancelled the WebAuthn operation', originalError);
+        this.name = 'UserCancelledError';
+    }
+}
+/**
+ * Error thrown when there's an issue with the authenticator
+ */
+class AuthenticatorError extends WebAuthnError {
+    constructor(message, originalError) {
+        super(WebAuthnErrorType.AUTHENTICATOR_ERROR, `Authenticator error: ${message}`, originalError);
+        this.name = 'AuthenticatorError';
+    }
+}
+/**
+ * Error thrown when the provided options are invalid
+ */
+class InvalidOptionsError extends WebAuthnError {
+    constructor(message, originalError) {
+        super(WebAuthnErrorType.INVALID_OPTIONS, `Invalid options: ${message}`, originalError);
+        this.name = 'InvalidOptionsError';
+    }
+}
+/**
+ * Error thrown when the requested operation is not supported
+ */
+class UnsupportedOperationError extends WebAuthnError {
+    constructor(message, originalError) {
+        super(WebAuthnErrorType.UNSUPPORTED_OPERATION, `Unsupported operation: ${message}`, originalError);
+        this.name = 'UnsupportedOperationError';
+    }
+}
+/**
+ * Error thrown when there's a network-related issue
+ */
+class NetworkError extends WebAuthnError {
+    constructor(message, originalError) {
+        super(WebAuthnErrorType.NETWORK_ERROR, `Network error: ${message}`, originalError);
+        this.name = 'NetworkError';
+    }
+}
+/**
+ * Error thrown when there's a security-related issue
+ */
+class SecurityError extends WebAuthnError {
+    constructor(message, originalError) {
+        super(WebAuthnErrorType.SECURITY_ERROR, `Security error: ${message}`, originalError);
+        this.name = 'SecurityError';
+    }
+}
+/**
+ * Error thrown when the operation times out
+ */
+class TimeoutError extends WebAuthnError {
+    constructor(message, originalError) {
+        super(WebAuthnErrorType.TIMEOUT_ERROR, `Timeout error: ${message}`, originalError);
+        this.name = 'TimeoutError';
+    }
+}
+
+/**
+ * WebAuthn Configuration
+ * Provides configuration interfaces and injection token for WebAuthn service
+ */
+/**
+ * Default configuration for WebAuthn service
+ * Note: relyingParty must be provided by the application
+ */
+const DEFAULT_WEBAUTHN_CONFIG = {
+    defaultTimeout: 60000,
+    defaultAlgorithms: [
+        { type: 'public-key', alg: -7 }, // ES256 (ECDSA w/ SHA-256)
+        { type: 'public-key', alg: -257 }, // RS256 (RSASSA-PKCS1-v1_5 w/ SHA-256)
+    ],
+    enforceUserVerification: false,
+    defaultAttestation: 'none',
+    defaultAuthenticatorSelection: {
+        userVerification: 'preferred',
+    },
+};
+/**
+ * Injection token for WebAuthn configuration
+ */
+const WEBAUTHN_CONFIG = new InjectionToken('WEBAUTHN_CONFIG');
+/**
+ * Creates a complete WebAuthn configuration with required relying party information
+ * @param relyingParty Required relying party configuration
+ * @param overrides Optional configuration overrides
+ */
+function createWebAuthnConfig(relyingParty, overrides) {
+    return {
+        relyingParty,
+        ...DEFAULT_WEBAUTHN_CONFIG,
+        ...overrides,
+    };
+}
+
+/**
+ * WebAuthn Utility Functions
+ * Centralized utilities for ArrayBuffer conversions and WebAuthn-specific operations
+ * This is the single source of truth for data transformation functions
+ */
+/**
+ * Converts a string to ArrayBuffer
+ */
+function stringToArrayBuffer(str) {
+    const encoder = new TextEncoder();
+    return encoder.encode(str);
+}
+/**
+ * Converts ArrayBuffer to string
+ */
+function arrayBufferToString(buffer) {
+    const decoder = new TextDecoder();
+    return decoder.decode(buffer);
+}
+/**
+ * Converts ArrayBuffer to base64 string
+ */
+function arrayBufferToBase64(buffer) {
+    const bytes = new Uint8Array(buffer);
+    let binary = '';
+    for (let i = 0; i < bytes.byteLength; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+}
+/**
+ * Converts base64 string to ArrayBuffer
+ */
+function base64ToArrayBuffer(base64) {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+}
+/**
+ * Converts base64url string to ArrayBuffer
+ */
+function base64urlToArrayBuffer(base64url) {
+    // Convert base64url to base64
+    const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+    // Add padding if necessary
+    const padded = base64 + '==='.slice(0, (4 - (base64.length % 4)) % 4);
+    return base64ToArrayBuffer(padded);
+}
+/**
+ * Converts ArrayBuffer to base64url string
+ * This is the canonical implementation used throughout the library
+ */
+function arrayBufferToBase64url(buffer) {
+    const base64 = arrayBufferToBase64(buffer);
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+/**
+ * Generates a random challenge as ArrayBuffer
+ */
+function generateChallenge(length = 32) {
+    const array = new Uint8Array(length);
+    crypto.getRandomValues(array);
+    return array.buffer;
+}
+/**
+ * Generates a random user ID as ArrayBuffer
+ */
+function generateUserId(length = 32) {
+    const array = new Uint8Array(length);
+    crypto.getRandomValues(array);
+    return array.buffer;
+}
+/**
+ * Converts credential ID string to ArrayBuffer for WebAuthn API
+ */
+function credentialIdToArrayBuffer(credentialId) {
+    return base64urlToArrayBuffer(credentialId);
+}
+/**
+ * Converts ArrayBuffer credential ID to string
+ */
+function arrayBufferToCredentialId(buffer) {
+    return arrayBufferToBase64url(buffer);
+}
+/**
+ * Checks if the current environment supports WebAuthn
+ */
+function isWebAuthnSupported() {
+    return !!(typeof window !== 'undefined' &&
+        window.PublicKeyCredential &&
+        typeof navigator !== 'undefined' &&
+        navigator.credentials &&
+        typeof navigator.credentials.create === 'function' &&
+        typeof navigator.credentials.get === 'function');
+}
+/**
+ * Checks if platform authenticator is available
+ */
+async function isPlatformAuthenticatorAvailable() {
+    if (!isWebAuthnSupported()) {
+        return false;
+    }
+    try {
+        return await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Gets supported authenticator transports for this platform
+ * Enhanced detection with better browser compatibility
+ */
+function getSupportedTransports() {
+    const transports = ['usb', 'internal'];
+    // Add NFC support for Android devices
+    if (typeof navigator !== 'undefined' &&
+        /Android/i.test(navigator.userAgent)) {
+        transports.push('nfc');
+    }
+    // Add BLE support for modern browsers with Web Bluetooth API
+    if (typeof navigator !== 'undefined' && navigator.bluetooth) {
+        transports.push('ble');
+    }
+    return transports;
+}
+/**
+ * Validates that required WebAuthn options are present
+ */
+function validateRegistrationOptions(options) {
+    if (!options.user) {
+        throw new Error('User information is required for registration');
+    }
+    if (!options.user.id) {
+        throw new Error('User ID is required for registration');
+    }
+    if (!options.user.name) {
+        throw new Error('User name is required for registration');
+    }
+    if (!options.user.displayName) {
+        throw new Error('User display name is required for registration');
+    }
+    if (!options.rp) {
+        throw new Error('Relying party information is required for registration');
+    }
+    if (!options.rp.name) {
+        throw new Error('Relying party name is required for registration');
+    }
+}
+/**
+ * Creates default public key credential parameters
+ */
+function getDefaultPubKeyCredParams() {
+    return [
+        {
+            type: 'public-key',
+            alg: -7, // ES256
+        },
+        {
+            type: 'public-key',
+            alg: -257, // RS256
+        },
+    ];
+}
+/**
+ * Enhanced type guard to detect JSON-formatted WebAuthn options
+ * More robust than simple challenge type checking
+ */
+function isJSONOptions(options) {
+    if (!options || typeof options !== 'object') {
+        return false;
+    }
+    // Check multiple indicators that this is JSON format (base64url strings)
+    return (typeof options.challenge === 'string' ||
+        (options.user && typeof options.user.id === 'string') ||
+        (options.allowCredentials?.length > 0 &&
+            typeof options.allowCredentials[0]?.id === 'string') ||
+        (options.excludeCredentials?.length > 0 &&
+            typeof options.excludeCredentials[0]?.id === 'string'));
+}
+/**
+ * Type guard to check if input is a PublicKeyCredential
+ */
+function isPublicKeyCredential(credential) {
+    return credential !== null && credential.type === 'public-key';
+}
+
+/**
+ * Enhanced WebAuthn Service
+ *
+ * Provides a clean, high-level API for WebAuthn operations with:
+ * - Modern inject() pattern instead of constructor DI
+ * - Flexible options (JSON base64url strings OR native ArrayBuffers)
+ * - Enhanced error handling with specific error types
+ * - Native browser parsing functions for optimal performance
+ * - Clean, developer-friendly response objects
+ */
+/**
+ * Enhanced Angular service for WebAuthn operations
+ * Provides a clean abstraction over the WebAuthn API with RxJS observables
+ * and enhanced error handling
+ */
+class WebAuthnService {
+    config = inject(WEBAUTHN_CONFIG);
+    /**
+     * Checks if WebAuthn is supported in the current browser
+     */
+    isSupported() {
+        return isWebAuthnSupported();
+    }
+    /**
+     * Gets comprehensive WebAuthn support information
+     */
+    getSupport() {
+        if (!this.isSupported()) {
+            return throwError(() => new UnsupportedOperationError('WebAuthn is not supported in this browser'));
+        }
+        return from(PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()).pipe(map((isPlatformAvailable) => ({
+            isSupported: true,
+            isPlatformAuthenticatorAvailable: isPlatformAvailable,
+            supportedTransports: getSupportedTransports(),
+        })), catchError((error) => throwError(() => new WebAuthnError(WebAuthnErrorType.UNKNOWN, 'Failed to check WebAuthn support', error))));
+    }
+    /**
+     * Registers a new WebAuthn credential with flexible configuration support
+     *
+     * @param input Either a high-level RegisterConfig with presets, or direct WebAuthn creation options
+     * @returns Observable of RegistrationResponse with clean, developer-friendly format
+     *
+     * @example
+     * ```typescript
+     * // Simple preset usage
+     * this.webAuthnService.register({ username: 'john.doe', preset: 'passkey' });
+     *
+     * // Preset with overrides
+     * this.webAuthnService.register({
+     *   username: 'john.doe',
+     *   preset: 'passkey',
+     *   authenticatorSelection: { userVerification: 'required' }
+     * });
+     *
+     * // Direct WebAuthn options (native)
+     * const nativeOptions: PublicKeyCredentialCreationOptions = {
+     *   challenge: new Uint8Array([...]),
+     *   rp: { name: "My App" },
+     *   user: { id: new Uint8Array([...]), name: "user@example.com", displayName: "User" },
+     *   pubKeyCredParams: [{ type: "public-key", alg: -7 }]
+     * };
+     * this.webAuthnService.register(nativeOptions);
+     *
+     * // Direct WebAuthn options (JSON)
+     * const jsonOptions: PublicKeyCredentialCreationOptionsJSON = {
+     *   challenge: "Y2hhbGxlbmdl",
+     *   rp: { name: "My App" },
+     *   user: { id: "dXNlcklk", name: "user@example.com", displayName: "User" },
+     *   pubKeyCredParams: [{ type: "public-key", alg: -7 }]
+     * };
+     * this.webAuthnService.register(jsonOptions);
+     * ```
+     */
+    register(input) {
+        if (!this.isSupported()) {
+            return throwError(() => new UnsupportedOperationError('WebAuthn is not supported in this browser'));
+        }
+        try {
+            let creationOptions;
+            if (isRegisterConfig(input)) {
+                // High-level config path: validate, resolve preset, build options
+                validateRegisterConfig(input);
+                creationOptions = buildCreationOptionsFromConfig(input, this.config);
+            }
+            else {
+                // Direct options path: use provided options
+                creationOptions = input;
+            }
+            const parsedOptions = this.parseRegistrationOptions(creationOptions);
+            return from(navigator.credentials.create({ publicKey: parsedOptions })).pipe(map((credential) => this.processRegistrationResult(credential)), catchError((error) => this.handleWebAuthnError(error)));
+        }
+        catch (error) {
+            return throwError(() => new InvalidOptionsError('Failed to process registration input', error));
+        }
+    }
+    /**
+     * Authenticates using an existing WebAuthn credential with flexible configuration support
+     *
+     * @param input Either a high-level AuthenticateConfig with presets, or direct WebAuthn request options
+     * @returns Observable of AuthenticationResponse with clean, developer-friendly format
+     *
+     * @example
+     * ```typescript
+     * // Simple preset usage
+     * this.webAuthnService.authenticate({ preset: 'passkey' });
+     *
+     * // Config with credential filtering
+     * this.webAuthnService.authenticate({
+     *   username: 'john.doe',
+     *   preset: 'secondFactor',
+     *   allowCredentials: ['credential-id-1', 'credential-id-2']
+     * });
+     *
+     * // Direct WebAuthn options (JSON)
+     * const jsonOptions: PublicKeyCredentialRequestOptionsJSON = {
+     *   challenge: "Y2hhbGxlbmdl",
+     *   allowCredentials: [{
+     *     type: "public-key",
+     *     id: "Y3JlZElk"
+     *   }]
+     * };
+     * this.webAuthnService.authenticate(jsonOptions);
+     *
+     * // Direct WebAuthn options (native)
+     * const nativeOptions: PublicKeyCredentialRequestOptions = {
+     *   challenge: new Uint8Array([...]),
+     *   allowCredentials: [{
+     *     type: "public-key",
+     *     id: new Uint8Array([...])
+     *   }]
+     * };
+     * this.webAuthnService.authenticate(nativeOptions);
+     * ```
+     */
+    authenticate(input) {
+        if (!this.isSupported()) {
+            return throwError(() => new UnsupportedOperationError('WebAuthn is not supported in this browser'));
+        }
+        try {
+            let requestOptions;
+            if (isAuthenticateConfig(input)) {
+                // High-level config path: validate, resolve preset, build options
+                validateAuthenticateConfig(input);
+                requestOptions = buildRequestOptionsFromConfig(input, this.config);
+            }
+            else {
+                // Direct options path: use provided options
+                requestOptions = input;
+            }
+            const parsedOptions = this.parseAuthenticationOptions(requestOptions);
+            return from(navigator.credentials.get({ publicKey: parsedOptions })).pipe(map((credential) => this.processAuthenticationResult(credential)), catchError((error) => this.handleWebAuthnError(error)));
+        }
+        catch (error) {
+            return throwError(() => new InvalidOptionsError('Failed to process authentication input', error));
+        }
+    }
+    /**
+     * Parses registration options, handling both JSON and native formats
+     */
+    parseRegistrationOptions(options) {
+        if (isJSONOptions(options)) {
+            // Use native browser function for JSON options
+            return PublicKeyCredential.parseCreationOptionsFromJSON(options);
+        }
+        else {
+            // Options are already in native format
+            return options;
+        }
+    }
+    /**
+     * Parses authentication options, handling both JSON and native formats
+     */
+    parseAuthenticationOptions(options) {
+        if (isJSONOptions(options)) {
+            // Use native browser function for JSON options
+            return PublicKeyCredential.parseRequestOptionsFromJSON(options);
+        }
+        else {
+            // Options are already in native format
+            return options;
+        }
+    }
+    /**
+     * Processes the raw credential result into a clean RegistrationResponse
+     */
+    processRegistrationResult(credential) {
+        if (!isPublicKeyCredential(credential)) {
+            throw new AuthenticatorError('No credential returned from authenticator');
+        }
+        const response = credential.response;
+        // Extract data using the response methods
+        const credentialId = arrayBufferToBase64url(credential.rawId);
+        const transports = (response.getTransports?.() ||
+            []);
+        let publicKey;
+        try {
+            const publicKeyBuffer = response.getPublicKey?.();
+            if (publicKeyBuffer) {
+                publicKey = arrayBufferToBase64url(publicKeyBuffer);
+            }
+        }
+        catch {
+            // Public key extraction failed - this is okay, not all algorithms are supported
+        }
+        // Create the raw response for backward compatibility
+        const rawResponse = {
+            credentialId,
+            publicKey: publicKey ||
+                arrayBufferToBase64url(response.getPublicKey?.() || new ArrayBuffer(0)),
+            attestationObject: arrayBufferToBase64url(response.attestationObject),
+            clientDataJSON: arrayBufferToBase64url(response.clientDataJSON),
+            transports: transports,
+        };
+        return {
+            success: true,
+            credentialId,
+            publicKey,
+            transports,
+            rawResponse,
+        };
+    }
+    /**
+     * Processes the raw credential result into a clean AuthenticationResponse
+     */
+    processAuthenticationResult(credential) {
+        if (!isPublicKeyCredential(credential)) {
+            throw new AuthenticatorError('No credential returned from authenticator');
+        }
+        const response = credential.response;
+        const credentialId = arrayBufferToBase64url(credential.rawId);
+        let userHandle;
+        if (response.userHandle) {
+            userHandle = arrayBufferToBase64url(response.userHandle);
+        }
+        // Create the raw response for backward compatibility
+        const rawResponse = {
+            credentialId,
+            authenticatorData: arrayBufferToBase64url(response.authenticatorData),
+            clientDataJSON: arrayBufferToBase64url(response.clientDataJSON),
+            signature: arrayBufferToBase64url(response.signature),
+            userHandle,
+        };
+        return {
+            success: true,
+            credentialId,
+            userHandle,
+            rawResponse,
+        };
+    }
+    /**
+     * Enhanced error handling that maps DOMExceptions to specific error types
+     */
+    handleWebAuthnError(error) {
+        // Handle DOMExceptions from WebAuthn API
+        if (error instanceof DOMException) {
+            switch (error.name) {
+                case 'NotAllowedError':
+                    return throwError(() => new UserCancelledError(error));
+                case 'InvalidStateError':
+                    return throwError(() => new AuthenticatorError('Invalid authenticator state', error));
+                case 'NotSupportedError':
+                    return throwError(() => new UnsupportedOperationError('Operation not supported', error));
+                case 'SecurityError':
+                    return throwError(() => new SecurityError('Security error occurred', error));
+                case 'TimeoutError':
+                    return throwError(() => new TimeoutError('Operation timed out', error));
+                case 'EncodingError':
+                    return throwError(() => new InvalidOptionsError('Encoding error in options', error));
+                default:
+                    return throwError(() => new WebAuthnError(WebAuthnErrorType.UNKNOWN, `Unknown WebAuthn error: ${error.message}`, error));
+            }
+        }
+        // Handle JSON parsing errors
+        if (error instanceof TypeError &&
+            (error.message.includes('parseCreationOptionsFromJSON') ||
+                error.message.includes('parseRequestOptionsFromJSON'))) {
+            return throwError(() => new InvalidOptionsError('Invalid JSON options format', error));
+        }
+        // Handle other errors
+        return throwError(() => new WebAuthnError(WebAuthnErrorType.UNKNOWN, `Unexpected error: ${error.message}`, error));
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.0.3", ngImport: i0, type: WebAuthnService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "20.0.3", ngImport: i0, type: WebAuthnService, providedIn: 'root' });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.0.3", ngImport: i0, type: WebAuthnService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
+        }] });
+
+/**
+ * WebAuthn Providers
+ * Modern Angular standalone provider function for WebAuthn service
+ */
+/**
+ * Provides WebAuthn service with required relying party configuration
+ *
+ * @param relyingParty Required relying party configuration
+ * @param config Optional configuration overrides
+ * @returns Array of providers for WebAuthn functionality
+ *
+ * @example
+ * ```typescript
+ * // main.ts
+ * bootstrapApplication(AppComponent, {
+ *   providers: [
+ *     provideWebAuthn(
+ *       { name: 'My App', id: 'myapp.com' },
+ *       { defaultTimeout: 30000 }
+ *     )
+ *   ]
+ * });
+ * ```
+ */
+function provideWebAuthn(relyingParty, config = {}) {
+    return [
+        {
+            provide: WEBAUTHN_CONFIG,
+            useValue: createWebAuthnConfig(relyingParty, config),
+        },
+        WebAuthnService,
+    ];
+}
+/**
+ * @deprecated Use provideWebAuthn(relyingParty, config) instead.
+ * This version is kept for backward compatibility but requires relying party information.
+ */
+function provideWebAuthnLegacy(config) {
+    if (!config.relyingParty) {
+        throw new Error('WebAuthn configuration must include relying party information. Use provideWebAuthn(relyingParty, config) instead.');
+    }
+    return [
+        {
+            provide: WEBAUTHN_CONFIG,
+            useValue: config,
+        },
+        WebAuthnService,
+    ];
+}
+
+// Core service
+
+/**
+ * Generated bundle index. Do not edit.
+ */
+
+export { AuthenticatorError, DEFAULT_WEBAUTHN_CONFIG, DEVICE_BOUND_PRESET, InvalidOptionsError, NetworkError, PASSKEY_PRESET, PRESET_MAP, SECOND_FACTOR_PRESET, SecurityError, TimeoutError, UnsupportedOperationError, UserCancelledError, WEBAUTHN_CONFIG, WebAuthnError, WebAuthnErrorType, WebAuthnService, arrayBufferToBase64, arrayBufferToBase64url, arrayBufferToCredentialId, arrayBufferToString, base64ToArrayBuffer, base64urlToArrayBuffer, createWebAuthnConfig, credentialIdToArrayBuffer, generateChallenge, generateUserId, getDefaultPubKeyCredParams, getSupportedTransports, isJSONOptions, isPlatformAuthenticatorAvailable, isPublicKeyCredential, isWebAuthnSupported, provideWebAuthn, provideWebAuthnLegacy, stringToArrayBuffer, validateRegistrationOptions };
+//# sourceMappingURL=ngx-webauthn.mjs.map