ox 0.12.4 → 0.13.1

package/_types/webauthn/Authenticator.d.ts

@@ -0,0 +1,182 @@
+import * as Bytes from '../core/Bytes.js';
+import * as Cbor from '../core/Cbor.js';
+import type * as Errors from '../core/Errors.js';
+import * as Hex from '../core/Hex.js';
+import type * as PublicKey from '../core/PublicKey.js';
+import type * as Types from './Types.js';
+/**
+ * Gets the authenticator data which contains information about the
+ * processing of an authenticator request (ie. from `Authentication.sign`).
+ *
+ * :::warning
+ *
+ * This function is mainly for testing purposes or for manually constructing
+ * autenticator data. In most cases you will not need this function.
+ * `authenticatorData` is typically returned as part of the
+ * authenticator response.
+ *
+ * :::
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const authenticatorData = Authenticator.getAuthenticatorData({
+ *   rpId: 'example.com',
+ *   signCount: 420,
+ * })
+ * // @log: "0xa379a6f6eeafb9a55e378c118034e2751e682fab9f2d30ab13d2125586ce194705000001a4"
+ * ```
+ *
+ * @example
+ * ### With Attested Credential Data
+ *
+ * Include a credential ID and public key in the authenticator data (for registration responses):
+ *
+ * ```ts twoslash
+ * import { P256 } from 'ox'
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const { publicKey } = P256.createKeyPair()
+ *
+ * const authenticatorData = Authenticator.getAuthenticatorData({
+ *   rpId: 'example.com',
+ *   flag: 0x41, // UP + AT
+ *   credential: {
+ *     id: new Uint8Array(32),
+ *     publicKey,
+ *   },
+ * })
+ * ```
+ *
+ * @param options - Options to construct the authenticator data.
+ * @returns The authenticator data.
+ */
+export declare function getAuthenticatorData(options?: getAuthenticatorData.Options): Hex.Hex;
+export declare namespace getAuthenticatorData {
+    type Options = {
+        /** Attested credential data to include (credential ID + public key). When set, the AT flag (0x40) should also be set. */
+        credential?: {
+            /** The credential ID as raw bytes. */
+            id: Uint8Array;
+            /** The P256 public key associated with the credential. */
+            publicKey: PublicKey.PublicKey;
+        } | undefined;
+        /** A bitfield that indicates various attributes that were asserted by the authenticator. [Read more](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/Authenticator_data#flags) */
+        flag?: number | undefined;
+        /** The [Relying Party ID](https://w3c.github.io/webauthn/#relying-party-identifier) that the credential is scoped to. */
+        rpId?: Types.PublicKeyCredentialRequestOptions['rpId'] | undefined;
+        /** A signature counter, if supported by the authenticator (set to 0 otherwise). */
+        signCount?: number | undefined;
+    };
+    type ErrorType = Errors.GlobalErrorType;
+}
+/**
+ * Extracts the signature counter from the authenticator data.
+ * The counter is a 4-byte big-endian unsigned integer at bytes 33–36.
+ *
+ * Useful for detecting cloned authenticators: if the counter is non-zero and
+ * does not monotonically increase between assertions, it may indicate a cloned key.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const signCount = Authenticator.getSignCount(
+ *   '0x49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d97630500000001',
+ * )
+ * // @log: 1
+ * ```
+ *
+ * @param authenticatorData - The authenticator data hex string.
+ * @returns The signature counter.
+ */
+export declare function getSignCount(authenticatorData: Hex.Hex): number;
+export declare namespace getSignCount {
+    type ErrorType = Bytes.fromHex.ErrorType | Errors.GlobalErrorType;
+}
+/**
+ * Constructs the Client Data in stringified JSON format which represents client data that
+ * was passed to `credentials.get()` or `credentials.create()`.
+ *
+ * :::warning
+ *
+ * This function is mainly for testing purposes or for manually constructing
+ * client data. In most cases you will not need this function.
+ * `clientDataJSON` is typically returned as part of the authenticator response.
+ *
+ * :::
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const clientDataJSON = Authenticator.getClientDataJSON({
+ *   challenge: '0xdeadbeef',
+ *   origin: 'https://example.com',
+ * })
+ * // @log: "{"type":"webauthn.get","challenge":"3q2-7w","origin":"https://example.com","crossOrigin":false}"
+ * ```
+ *
+ * @param options - Options to construct the client data.
+ * @returns The client data.
+ */
+export declare function getClientDataJSON(options: getClientDataJSON.Options): string;
+export declare namespace getClientDataJSON {
+    type Options = {
+        /** The challenge to sign. */
+        challenge: Hex.Hex;
+        /** If set to `true`, it means that the calling context is an `<iframe>` that is not same origin with its ancestor frames. */
+        crossOrigin?: boolean | undefined;
+        /** Additional client data to include in the client data JSON. */
+        extraClientData?: Record<string, unknown> | undefined;
+        /** The fully qualified origin of the relying party which has been given by the client/browser to the authenticator. */
+        origin?: string | undefined;
+        /** The WebAuthn ceremony type. @default 'webauthn.get' */
+        type?: 'webauthn.create' | 'webauthn.get' | undefined;
+    };
+    type ErrorType = Errors.GlobalErrorType;
+}
+/**
+ * Constructs a CBOR-encoded attestation object for testing WebAuthn registration
+ * verification. Combines the authenticator data with an attestation statement.
+ *
+ * :::warning
+ *
+ * This function is mainly for testing purposes. In production, the attestation
+ * object is returned by the authenticator during `navigator.credentials.create()`.
+ *
+ * :::
+ *
+ * @example
+ * ```ts twoslash
+ * import { P256 } from 'ox'
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const { publicKey } = P256.createKeyPair()
+ *
+ * const attestationObject = Authenticator.getAttestationObject({
+ *   authData: Authenticator.getAuthenticatorData({
+ *     rpId: 'example.com',
+ *     flag: 0x41,
+ *     credential: { id: new Uint8Array(32), publicKey },
+ *   }),
+ * })
+ * ```
+ *
+ * @param options - Options to construct the attestation object.
+ * @returns The CBOR-encoded attestation object as a Hex string.
+ */
+export declare function getAttestationObject(options: getAttestationObject.Options): Hex.Hex;
+export declare namespace getAttestationObject {
+    type Options = {
+        /** Attestation statement. */
+        attStmt?: Record<string, unknown> | undefined;
+        /** Authenticator data as a Hex string (from `Authenticator.getAuthenticatorData`). */
+        authData: Hex.Hex;
+        /** Attestation format. @default 'none' */
+        fmt?: string | undefined;
+    };
+    type ErrorType = Cbor.encode.ErrorType | Errors.GlobalErrorType;
+}
+//# sourceMappingURL=Authenticator.d.ts.map

package/_types/webauthn/Authenticator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Authenticator.d.ts","sourceRoot":"","sources":["../../webauthn/Authenticator.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAA;AACzC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AAEvC,OAAO,KAAK,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAEhD,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAA;AACrC,OAAO,KAAK,KAAK,SAAS,MAAM,sBAAsB,CAAA;AACtD,OAAO,KAAK,KAAK,KAAK,MAAM,YAAY,CAAA;AAExC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,GAAE,oBAAoB,CAAC,OAAY,GACzC,GAAG,CAAC,GAAG,CAyBT;AAED,MAAM,CAAC,OAAO,WAAW,oBAAoB,CAAC;IAC5C,KAAK,OAAO,GAAG;QACb,yHAAyH;QACzH,UAAU,CAAC,EACP;YACE,sCAAsC;YACtC,EAAE,EAAE,UAAU,CAAA;YACd,0DAA0D;YAC1D,SAAS,EAAE,SAAS,CAAC,SAAS,CAAA;SAC/B,GACD,SAAS,CAAA;QACb,0MAA0M;QAC1M,IAAI,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;QACzB,yHAAyH;QACzH,IAAI,CAAC,EAAE,KAAK,CAAC,iCAAiC,CAAC,MAAM,CAAC,GAAG,SAAS,CAAA;QAClE,mFAAmF;QACnF,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;KAC/B,CAAA;IAED,KAAK,SAAS,GAAG,MAAM,CAAC,eAAe,CAAA;CACxC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,YAAY,CAAC,iBAAiB,EAAE,GAAG,CAAC,GAAG,GAAG,MAAM,CAU/D;AAED,MAAM,CAAC,OAAO,WAAW,YAAY,CAAC;IACpC,KAAK,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,MAAM,CAAC,eAAe,CAAA;CAClE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,OAAO,GAAG,MAAM,CAgB5E;AAED,MAAM,CAAC,OAAO,WAAW,iBAAiB,CAAC;IACzC,KAAK,OAAO,GAAG;QACb,6BAA6B;QAC7B,SAAS,EAAE,GAAG,CAAC,GAAG,CAAA;QAClB,6HAA6H;QAC7H,WAAW,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;QACjC,iEAAiE;QACjE,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAA;QACrD,uHAAuH;QACvH,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;QAC3B,0DAA0D;QAC1D,IAAI,CAAC,EAAE,iBAAiB,GAAG,cAAc,GAAG,SAAS,CAAA;KACtD,CAAA;IAED,KAAK,SAAS,GAAG,MAAM,CAAC,eAAe,CAAA;CACxC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,oBAAoB,CAAC,OAAO,GACpC,GAAG,CAAC,GAAG,CAOT;AAED,MAAM,CAAC,OAAO,WAAW,oBAAoB,CAAC;IAC5C,KAAK,OAAO,GAAG;QACb,6BAA6B;QAC7B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAA;QAC7C,sFAAsF;QACtF,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAA;QACjB,0CAA0C;QAC1C,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;KACzB,CAAA;IAED,KAAK,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,eAAe,CAAA;CAChE"}

package/_types/webauthn/Credential.d.ts

@@ -0,0 +1,77 @@
+import * as Base64 from '../core/Base64.js';
+import type * as Errors from '../core/Errors.js';
+import type * as Hex from '../core/Hex.js';
+import type { Compute } from '../core/internal/types.js';
+import * as PublicKey from '../core/PublicKey.js';
+import type * as Types from './Types.js';
+/** A WebAuthn-flavored P256 credential. */
+export type Credential<serialized extends boolean = false> = {
+    attestationObject: serialized extends true ? string : ArrayBuffer;
+    clientDataJSON: serialized extends true ? string : ArrayBuffer;
+    id: string;
+    publicKey: serialized extends true ? Hex.Hex : PublicKey.PublicKey;
+    raw: Types.PublicKeyCredential<serialized>;
+};
+/** Metadata for a WebAuthn P256 signature. */
+export type SignMetadata = Compute<{
+    authenticatorData: Hex.Hex;
+    challengeIndex?: number | undefined;
+    clientDataJSON: string;
+    typeIndex?: number | undefined;
+    userVerificationRequired?: boolean | undefined;
+}>;
+/**
+ * Serializes a credential into a JSON-serializable
+ * format.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration, Credential } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({ name: 'Example' })
+ *
+ * const serialized = Credential.serialize(credential) // [!code focus]
+ *
+ * // `serialized` is JSON-serializable — send it to a server, store it, etc.
+ * const json = JSON.stringify(serialized)
+ * ```
+ *
+ * @param credential - The credential to serialize.
+ * @returns The serialized credential.
+ */
+export declare function serialize(credential: Credential): Credential<true>;
+export declare namespace serialize {
+    type ErrorType = Base64.fromBytes.ErrorType | PublicKey.toHex.ErrorType | Errors.GlobalErrorType;
+}
+/**
+ * Deserializes a serialized credential.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Credential } from 'ox/webauthn'
+ *
+ * const credential = Credential.deserialize({ // [!code focus]
+ *   attestationObject: 'o2NmbXRkbm9uZQ...', // [!code focus]
+ *   clientDataJSON: 'eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0', // [!code focus]
+ *   id: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *   publicKey: '0x04ab891400140fc4f8e941ce0ff90e419de9470acaca613bbd717a4775435031a7d884318e919fd3b3e5a631d866d8a380b44063e70f0c381ee16e0652f7f97554', // [!code focus]
+ *   raw: { // [!code focus]
+ *     id: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *     type: 'public-key', // [!code focus]
+ *     authenticatorAttachment: 'platform', // [!code focus]
+ *     rawId: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *     response: { // [!code focus]
+ *       clientDataJSON: 'eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0', // [!code focus]
+ *     }, // [!code focus]
+ *   }, // [!code focus]
+ * }) // [!code focus]
+ * ```
+ *
+ * @param credential - The serialized credential.
+ * @returns The deserialized credential.
+ */
+export declare function deserialize(credential: Credential<true>): Credential;
+export declare namespace deserialize {
+    type ErrorType = Base64.toBytes.ErrorType | PublicKey.from.ErrorType | Errors.GlobalErrorType;
+}
+//# sourceMappingURL=Credential.d.ts.map

package/_types/webauthn/Credential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Credential.d.ts","sourceRoot":"","sources":["../../webauthn/Credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAC3C,OAAO,KAAK,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAChD,OAAO,KAAK,KAAK,GAAG,MAAM,gBAAgB,CAAA;AAC1C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,KAAK,SAAS,MAAM,sBAAsB,CAAA;AAOjD,OAAO,KAAK,KAAK,KAAK,MAAM,YAAY,CAAA;AAExC,2CAA2C;AAC3C,MAAM,MAAM,UAAU,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,IAAI;IAC3D,iBAAiB,EAAE,UAAU,SAAS,IAAI,GAAG,MAAM,GAAG,WAAW,CAAA;IACjE,cAAc,EAAE,UAAU,SAAS,IAAI,GAAG,MAAM,GAAG,WAAW,CAAA;IAC9D,EAAE,EAAE,MAAM,CAAA;IACV,SAAS,EAAE,UAAU,SAAS,IAAI,GAAG,GAAG,CAAC,GAAG,GAAG,SAAS,CAAC,SAAS,CAAA;IAClE,GAAG,EAAE,KAAK,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAA;CAC3C,CAAA;AAED,8CAA8C;AAC9C,MAAM,MAAM,YAAY,GAAG,OAAO,CAAC;IACjC,iBAAiB,EAAE,GAAG,CAAC,GAAG,CAAA;IAC1B,cAAc,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IACnC,cAAc,EAAE,MAAM,CAAA;IACtB,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAC9B,wBAAwB,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;CAC/C,CAAC,CAAA;AAEF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,SAAS,CAAC,UAAU,EAAE,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,CA6BlE;AAED,MAAM,CAAC,OAAO,WAAW,SAAS,CAAC;IACjC,KAAK,SAAS,GACV,MAAM,CAAC,SAAS,CAAC,SAAS,GAC1B,SAAS,CAAC,KAAK,CAAC,SAAS,GACzB,MAAM,CAAC,eAAe,CAAA;CAC3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,UAAU,CAuBpE;AAED,MAAM,CAAC,OAAO,WAAW,WAAW,CAAC;IACnC,KAAK,SAAS,GACV,MAAM,CAAC,OAAO,CAAC,SAAS,GACxB,SAAS,CAAC,IAAI,CAAC,SAAS,GACxB,MAAM,CAAC,eAAe,CAAA;CAC3B"}

package/_types/webauthn/Registration.d.ts

@@ -0,0 +1,308 @@
+import * as Base64 from '../core/Base64.js';
+import * as Bytes from '../core/Bytes.js';
+import * as Cbor from '../core/Cbor.js';
+import * as CoseKey from '../core/CoseKey.js';
+import * as Errors from '../core/Errors.js';
+import * as Hash from '../core/Hash.js';
+import * as Hex from '../core/Hex.js';
+import type { OneOf } from '../core/internal/types.js';
+import * as internal from '../core/internal/webauthn.js';
+import * as P256 from '../core/P256.js';
+import * as PublicKey from '../core/PublicKey.js';
+import * as Signature from '../core/Signature.js';
+import type * as Credential_ from './Credential.js';
+import type * as Types from './Types.js';
+export declare const createChallenge: Uint8Array;
+/** Response from a WebAuthn registration ceremony. */
+export type Response<serialized extends boolean = false> = {
+    credential: Credential_.Credential<serialized>;
+    counter: number;
+    userVerified?: true | undefined;
+    backedUp?: boolean | undefined;
+    deviceType?: 'multiDevice' | 'singleDevice' | undefined;
+};
+/**
+ * Creates a new WebAuthn P256 Credential, which can be stored and later used for signing.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({ name: 'Example' }) // [!code focus]
+ * // @log: {
+ * // @log:   id: 'oZ48...',
+ * // @log:   publicKey: { x: 51421...5123n, y: 12345...6789n },
+ * // @log:   raw: PublicKeyCredential {},
+ * // @log: }
+ * ```
+ *
+ * @param options - Credential creation options.
+ * @returns A WebAuthn P256 credential.
+ */
+export declare function create(options: create.Options): Promise<Credential_.Credential>;
+export declare namespace create {
+    type Options = OneOf<(getOptions.Options & {
+        /**
+         * Credential creation function. Useful for environments that do not support
+         * the WebAuthn API natively (i.e. React Native or testing environments).
+         *
+         * @default window.navigator.credentials.create
+         */
+        createFn?: ((options?: Types.CredentialCreationOptions | undefined) => Promise<Types.Credential | null>) | undefined;
+    }) | Types.CredentialCreationOptions>;
+    type ErrorType = getOptions.ErrorType | internal.parseCredentialPublicKey.ErrorType | Errors.GlobalErrorType;
+}
+/**
+ * Returns the creation options for a P256 WebAuthn Credential to be used with
+ * the Web Authentication API.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const options = Registration.getOptions({ name: 'Example' })
+ *
+ * const credential = await window.navigator.credentials.create(options)
+ * ```
+ *
+ * @param options - Options.
+ * @returns The credential creation options.
+ */
+export declare function getOptions(options: getOptions.Options): Types.CredentialCreationOptions;
+export declare namespace getOptions {
+    type Options = {
+        /**
+         * A string specifying the relying party's preference for how the attestation statement
+         * (i.e., provision of verifiable evidence of the authenticity of the authenticator and its data)
+         * is conveyed during credential creation.
+         */
+        attestation?: Types.PublicKeyCredentialCreationOptions['attestation'] | undefined;
+        /**
+         * An object whose properties are criteria used to filter out the potential authenticators
+         * for the credential creation operation.
+         */
+        authenticatorSelection?: Types.PublicKeyCredentialCreationOptions['authenticatorSelection'] | undefined;
+        /**
+         * An `ArrayBuffer`, `TypedArray`, or `DataView` used as a cryptographic challenge.
+         */
+        challenge?: Hex.Hex | Types.PublicKeyCredentialCreationOptions['challenge'] | undefined;
+        /**
+         * List of credential IDs to exclude from the creation. This property can be used
+         * to prevent creation of a credential if it already exists.
+         */
+        excludeCredentialIds?: readonly string[] | undefined;
+        /**
+         * List of Web Authentication API credentials to use during creation or authentication.
+         */
+        extensions?: Types.PublicKeyCredentialCreationOptions['extensions'] | undefined;
+        /**
+         * An object describing the relying party that requested the credential creation
+         */
+        rp?: {
+            id: string;
+            name: string;
+        } | undefined;
+        /**
+         * A numerical hint, in milliseconds, which indicates the time the calling web app is willing to wait for the creation operation to complete.
+         */
+        timeout?: Types.PublicKeyCredentialCreationOptions['timeout'] | undefined;
+    } & OneOf<{
+        /** Name for the credential (user.name). */
+        name: string;
+        user?: {
+            displayName?: string;
+            id?: Types.BufferSource;
+            name: string;
+        } | undefined;
+    } | {
+        name?: string | undefined;
+        /**
+         * An object describing the user account for which the credential is generated.
+         */
+        user: {
+            displayName?: string;
+            id?: Types.BufferSource;
+            name: string;
+        };
+    }>;
+    type ErrorType = Base64.toBytes.ErrorType | Hash.keccak256.ErrorType | Bytes.fromString.ErrorType | Errors.GlobalErrorType;
+}
+/**
+ * Serializes a registration response into a JSON-serializable
+ * format, converting `ArrayBuffer` fields to base64url strings
+ * and the public key to a hex string.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({ name: 'Example' })
+ * const response = Registration.verify({
+ *   credential,
+ *   challenge: '0x...',
+ *   origin: 'https://example.com',
+ *   rpId: 'example.com',
+ * })
+ *
+ * const serialized = Registration.serializeResponse(response) // [!code focus]
+ *
+ * // `serialized` is JSON-serializable — send it to a server, store it, etc.
+ * const json = JSON.stringify(serialized)
+ * ```
+ *
+ * @param response - The registration response to serialize.
+ * @returns The serialized registration response.
+ */
+export declare function serializeResponse(response: Response): Response<true>;
+export declare namespace serializeResponse {
+    type ErrorType = Base64.fromBytes.ErrorType | PublicKey.toHex.ErrorType | Errors.GlobalErrorType;
+}
+/**
+ * Serializes credential creation options into a JSON-serializable
+ * format, converting `BufferSource` fields to base64url strings.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const options = Registration.getOptions({ name: 'Example' })
+ *
+ * const serialized = Registration.serializeOptions(options) // [!code focus]
+ *
+ * // `serialized` is JSON-serializable — send it to a server, store it, etc.
+ * const json = JSON.stringify(serialized)
+ * ```
+ *
+ * @param options - The credential creation options to serialize.
+ * @returns The serialized credential creation options.
+ */
+export declare function serializeOptions(options: Types.CredentialCreationOptions): Types.CredentialCreationOptions<true>;
+export declare namespace serializeOptions {
+    type ErrorType = Base64.fromBytes.ErrorType | Errors.GlobalErrorType;
+}
+/**
+ * Deserializes credential creation options that can be passed to
+ * `navigator.credentials.create()`.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const options = Registration.getOptions({ name: 'Example' })
+ * const serialized = Registration.serializeOptions(options)
+ *
+ * // ... send to server and back ...
+ *
+ * const deserialized = Registration.deserializeOptions(serialized) // [!code focus]
+ * const credential = await window.navigator.credentials.create(deserialized)
+ * ```
+ *
+ * @param options - The serialized credential creation options.
+ * @returns The deserialized credential creation options.
+ */
+export declare function deserializeOptions(options: Types.CredentialCreationOptions<true>): Types.CredentialCreationOptions;
+export declare namespace deserializeOptions {
+    type ErrorType = Base64.toBytes.ErrorType | Errors.GlobalErrorType;
+}
+/**
+ * Deserializes a serialized registration response.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const response = Registration.deserializeResponse({ // [!code focus]
+ *   credential: { // [!code focus]
+ *     attestationObject: 'o2NmbXRkbm9uZQ...', // [!code focus]
+ *     clientDataJSON: 'eyJ0eXBlIjoid2Vi...', // [!code focus]
+ *     id: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *     publicKey: '0x04ab891400...', // [!code focus]
+ *     raw: { id: '...', type: 'public-key', authenticatorAttachment: 'platform', rawId: '...', response: { clientDataJSON: 'eyJ0eXBlIjoid2Vi...' } }, // [!code focus]
+ *   }, // [!code focus]
+ *   counter: 0, // [!code focus]
+ * }) // [!code focus]
+ * ```
+ *
+ * @param response - The serialized registration response.
+ * @returns The deserialized registration response.
+ */
+export declare function deserializeResponse(response: Response<true>): Response;
+export declare namespace deserializeResponse {
+    type ErrorType = Base64.toBytes.ErrorType | PublicKey.from.ErrorType | Errors.GlobalErrorType;
+}
+/**
+ * Verifies a WebAuthn registration (credential creation) response. Validates the
+ * `clientDataJSON`, `attestationObject`, authenticator flags, challenge, origin, and
+ * relying party ID, then extracts the credential ID and public key.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({ name: 'Example' })
+ *
+ * const result = Registration.verify({ // [!code focus]
+ *   credential, // [!code focus]
+ *   challenge: '0x69abb4b5a0de4bc62a2a201f8d25bae9', // [!code focus]
+ *   origin: 'https://example.com', // [!code focus]
+ *   rpId: 'example.com', // [!code focus]
+ * }) // [!code focus]
+ * // @log: {
+ * // @log:   credential: {
+ * // @log:     id: 'oZ48...',
+ * // @log:     publicKey: { prefix: 4, x: 51421...5123n, y: 12345...6789n },
+ * // @log:   },
+ * // @log:   counter: 0,
+ * // @log:   userVerified: true,
+ * // @log: }
+ * ```
+ *
+ * @param options - Verification options.
+ * @returns The verified registration result.
+ */
+export declare function verify(options: verify.Options): verify.ReturnType;
+export declare namespace verify {
+    type Options = {
+        /**
+         * Attestation verification mode.
+         * - `'required'` (default): attestation signature must be present and valid (`packed` self-attestation).
+         * - `'none'`: accept `fmt: "none"` attestation (no cryptographic binding of authData to clientDataJSON).
+         *
+         * @default 'required'
+         */
+        attestation?: 'required' | 'none' | undefined;
+        /** The credential response from `Registration.create()`. */
+        credential: {
+            attestationObject: Credential_.Credential['attestationObject'];
+            clientDataJSON: Credential_.Credential['clientDataJSON'];
+            id?: Credential_.Credential['id'] | undefined;
+            raw?: Credential_.Credential['raw'] | undefined;
+        };
+        /**
+         * Challenge to verify. Either the raw hex/bytes originally generated, or a
+         * function that receives the base64url challenge string and returns whether
+         * it is valid (for async/DB lookups).
+         */
+        challenge: Hex.Hex | Uint8Array | ((challenge: string) => boolean);
+        /** Expected origin(s) (e.g. `"https://example.com"`). */
+        origin: string | string[];
+        /** Relying party ID (e.g. `"example.com"`). */
+        rpId: string;
+        /** The user verification requirement. @default 'required' */
+        userVerification?: Types.UserVerificationRequirement | undefined;
+    };
+    type ReturnType = Response;
+    type ErrorType = Base64.toBytes.ErrorType | Base64.fromBytes.ErrorType | Bytes.fromHex.ErrorType | Bytes.isEqual.ErrorType | Cbor.decode.ErrorType | CoseKey.toPublicKey.ErrorType | Hash.sha256.ErrorType | P256.verify.ErrorType | Signature.fromDerBytes.ErrorType | VerifyError | Errors.GlobalErrorType;
+}
+/** Thrown when WebAuthn registration verification fails. */
+export declare class VerifyError extends Errors.BaseError {
+    readonly name = "Registration.VerifyError";
+}
+/** Thrown when a WebAuthn P256 credential creation fails. */
+export declare class CreateFailedError extends Errors.BaseError<Error> {
+    readonly name = "Registration.CreateFailedError";
+    constructor({ cause }?: {
+        cause?: Error | undefined;
+    });
+}
+//# sourceMappingURL=Registration.d.ts.map

package/_types/webauthn/Registration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Registration.d.ts","sourceRoot":"","sources":["../../webauthn/Registration.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAC3C,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAA;AACzC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AACvC,OAAO,KAAK,OAAO,MAAM,oBAAoB,CAAA;AAC7C,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAC3C,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AACvC,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAA;AACrC,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,KAAK,QAAQ,MAAM,8BAA8B,CAAA;AACxD,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AACvC,OAAO,KAAK,SAAS,MAAM,sBAAsB,CAAA;AACjD,OAAO,KAAK,SAAS,MAAM,sBAAsB,CAAA;AACjD,OAAO,KAAK,KAAK,WAAW,MAAM,iBAAiB,CAAA;AASnD,OAAO,KAAK,KAAK,KAAK,MAAM,YAAY,CAAA;AAExC,eAAO,MAAM,eAAe,YAE1B,CAAA;AAEF,sDAAsD;AACtD,MAAM,MAAM,QAAQ,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,IAAI;IACzD,UAAU,EAAE,WAAW,CAAC,UAAU,CAAC,UAAU,CAAC,CAAA;IAC9C,OAAO,EAAE,MAAM,CAAA;IACf,YAAY,CAAC,EAAE,IAAI,GAAG,SAAS,CAAA;IAC/B,QAAQ,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;IAC9B,UAAU,CAAC,EAAE,aAAa,GAAG,cAAc,GAAG,SAAS,CAAA;CACxD,CAAA;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,MAAM,CAC1B,OAAO,EAAE,MAAM,CAAC,OAAO,GACtB,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,CAiCjC;AAED,MAAM,CAAC,OAAO,WAAW,MAAM,CAAC;IAC9B,KAAK,OAAO,GAAG,KAAK,CAChB,CAAC,UAAU,CAAC,OAAO,GAAG;QACpB;;;;;WAKG;QACH,QAAQ,CAAC,EACL,CAAC,CACC,OAAO,CAAC,EAAE,KAAK,CAAC,yBAAyB,GAAG,SAAS,KAClD,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,GACtC,SAAS,CAAA;KACd,CAAC,GACF,KAAK,CAAC,yBAAyB,CAClC,CAAA;IAED,KAAK,SAAS,GACV,UAAU,CAAC,SAAS,GACpB,QAAQ,CAAC,wBAAwB,CAAC,SAAS,GAC3C,MAAM,CAAC,eAAe,CAAA;CAC3B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,UAAU,CAAC,OAAO,GAC1B,KAAK,CAAC,yBAAyB,CAgDjC;AAED,MAAM,CAAC,OAAO,WAAW,UAAU,CAAC;IAClC,KAAK,OAAO,GAAG;QACb;;;;WAIG;QACH,WAAW,CAAC,EACR,KAAK,CAAC,kCAAkC,CAAC,aAAa,CAAC,GACvD,SAAS,CAAA;QACb;;;WAGG;QACH,sBAAsB,CAAC,EACnB,KAAK,CAAC,kCAAkC,CAAC,wBAAwB,CAAC,GAClE,SAAS,CAAA;QACb;;WAEG;QACH,SAAS,CAAC,EACN,GAAG,CAAC,GAAG,GACP,KAAK,CAAC,kCAAkC,CAAC,WAAW,CAAC,GACrD,SAAS,CAAA;QACb;;;WAGG;QACH,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,GAAG,SAAS,CAAA;QACpD;;WAEG;QACH,UAAU,CAAC,EACP,KAAK,CAAC,kCAAkC,CAAC,YAAY,CAAC,GACtD,SAAS,CAAA;QACb;;WAEG;QACH,EAAE,CAAC,EACC;YACE,EAAE,EAAE,MAAM,CAAA;YACV,IAAI,EAAE,MAAM,CAAA;SACb,GACD,SAAS,CAAA;QACb;;WAEG;QACH,OAAO,CAAC,EAAE,KAAK,CAAC,kCAAkC,CAAC,SAAS,CAAC,GAAG,SAAS,CAAA;KAC1E,GAAG,KAAK,CACL;QACE,2CAA2C;QAC3C,IAAI,EAAE,MAAM,CAAA;QACZ,IAAI,CAAC,EACD;YACE,WAAW,CAAC,EAAE,MAAM,CAAA;YACpB,EAAE,CAAC,EAAE,KAAK,CAAC,YAAY,CAAA;YACvB,IAAI,EAAE,MAAM,CAAA;SACb,GACD,SAAS,CAAA;KACd,GACD;QACE,IAAI,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;QACzB;;WAEG;QACH,IAAI,EAAE;YACJ,WAAW,CAAC,EAAE,MAAM,CAAA;YACpB,EAAE,CAAC,EAAE,KAAK,CAAC,YAAY,CAAA;YACvB,IAAI,EAAE,MAAM,CAAA;SACb,CAAA;KACF,CACJ,CAAA;IAED,KAAK,SAAS,GACV,MAAM,CAAC,OAAO,CAAC,SAAS,GACxB,IAAI,CAAC,SAAS,CAAC,SAAS,GACxB,KAAK,CAAC,UAAU,CAAC,SAAS,GAC1B,MAAM,CAAC,eAAe,CAAA;CAC3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAwCpE;AAED,MAAM,CAAC,OAAO,WAAW,iBAAiB,CAAC;IACzC,KAAK,SAAS,GACV,MAAM,CAAC,SAAS,CAAC,SAAS,GAC1B,SAAS,CAAC,KAAK,CAAC,SAAS,GACzB,MAAM,CAAC,eAAe,CAAA;CAC3B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,KAAK,CAAC,yBAAyB,GACvC,KAAK,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAyBvC;AAED,MAAM,CAAC,OAAO,WAAW,gBAAgB,CAAC;IACxC,KAAK,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,SAAS,GAAG,MAAM,CAAC,eAAe,CAAA;CACrE;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,KAAK,CAAC,yBAAyB,CAAC,IAAI,CAAC,GAC7C,KAAK,CAAC,yBAAyB,CAyBjC;AAED,MAAM,CAAC,OAAO,WAAW,kBAAkB,CAAC;IAC1C,KAAK,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,MAAM,CAAC,eAAe,CAAA;CACnE;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CA4BtE;AAED,MAAM,CAAC,OAAO,WAAW,mBAAmB,CAAC;IAC3C,KAAK,SAAS,GACV,MAAM,CAAC,OAAO,CAAC,SAAS,GACxB,SAAS,CAAC,IAAI,CAAC,SAAS,GACxB,MAAM,CAAC,eAAe,CAAA;CAC3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC,UAAU,CAiNjE;AAED,MAAM,CAAC,OAAO,WAAW,MAAM,CAAC;IAC9B,KAAK,OAAO,GAAG;QACb;;;;;;WAMG;QACH,WAAW,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,SAAS,CAAA;QAC7C,4DAA4D;QAC5D,UAAU,EAAE;YACV,iBAAiB,EAAE,WAAW,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAA;YAC9D,cAAc,EAAE,WAAW,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAA;YACxD,EAAE,CAAC,EAAE,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,SAAS,CAAA;YAC7C,GAAG,CAAC,EAAE,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,SAAS,CAAA;SAChD,CAAA;QACD;;;;WAIG;QACH,SAAS,EAAE,GAAG,CAAC,GAAG,GAAG,UAAU,GAAG,CAAC,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,CAAA;QAClE,yDAAyD;QACzD,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;QACzB,+CAA+C;QAC/C,IAAI,EAAE,MAAM,CAAA;QACZ,6DAA6D;QAC7D,gBAAgB,CAAC,EAAE,KAAK,CAAC,2BAA2B,GAAG,SAAS,CAAA;KACjE,CAAA;IAED,KAAK,UAAU,GAAG,QAAQ,CAAA;IAE1B,KAAK,SAAS,GACV,MAAM,CAAC,OAAO,CAAC,SAAS,GACxB,MAAM,CAAC,SAAS,CAAC,SAAS,GAC1B,KAAK,CAAC,OAAO,CAAC,SAAS,GACvB,KAAK,CAAC,OAAO,CAAC,SAAS,GACvB,IAAI,CAAC,MAAM,CAAC,SAAS,GACrB,OAAO,CAAC,WAAW,CAAC,SAAS,GAC7B,IAAI,CAAC,MAAM,CAAC,SAAS,GACrB,IAAI,CAAC,MAAM,CAAC,SAAS,GACrB,SAAS,CAAC,YAAY,CAAC,SAAS,GAChC,WAAW,GACX,MAAM,CAAC,eAAe,CAAA;CAC3B;AAED,4DAA4D;AAC5D,qBAAa,WAAY,SAAQ,MAAM,CAAC,SAAS;IAC/C,SAAkB,IAAI,8BAA6B;CACpD;AAED,6DAA6D;AAC7D,qBAAa,iBAAkB,SAAQ,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC;IAC5D,SAAkB,IAAI,oCAAmC;gBAE7C,EAAE,KAAK,EAAE,GAAE;QAAE,KAAK,CAAC,EAAE,KAAK,GAAG,SAAS,CAAA;KAAO;CAK1D"}