ox 0.12.4 → 0.13.1

package/_esm/webauthn/Authentication.js

@@ -0,0 +1,453 @@
+import * as Base64 from '../core/Base64.js';
+import * as Bytes from '../core/Bytes.js';
+import * as Errors from '../core/Errors.js';
+import * as Hash from '../core/Hash.js';
+import * as Hex from '../core/Hex.js';
+import * as internal from '../core/internal/webauthn.js';
+import * as P256 from '../core/P256.js';
+import * as Signature from '../core/Signature.js';
+import { getAuthenticatorData, getClientDataJSON } from './Authenticator.js';
+import { base64UrlOptions, bufferSourceToBytes, bytesToArrayBuffer, deserializeExtensions, responseKeys, serializeExtensions, } from './internal/utils.js';
+/**
+ * Deserializes credential request options that can be passed to
+ * `navigator.credentials.get()`.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authentication } from 'ox/webauthn'
+ *
+ * const options = Authentication.getOptions({
+ *   challenge: '0xdeadbeef',
+ * })
+ * const serialized = Authentication.serializeOptions(options)
+ *
+ * // ... send to server and back ...
+ *
+ * const deserialized = Authentication.deserializeOptions(serialized) // [!code focus]
+ * const credential = await window.navigator.credentials.get(deserialized)
+ * ```
+ *
+ * @param options - The serialized credential request options.
+ * @returns The deserialized credential request options.
+ */
+export function deserializeOptions(options) {
+    const { publicKey, ...rest } = options;
+    if (!publicKey)
+        return { ...rest };
+    const { allowCredentials, challenge, extensions, ...publicKeyRest } = publicKey;
+    return {
+        ...rest,
+        publicKey: {
+            ...publicKeyRest,
+            challenge: Bytes.fromHex(challenge),
+            ...(allowCredentials && {
+                allowCredentials: allowCredentials.map(({ id, ...rest }) => ({
+                    ...rest,
+                    id: Base64.toBytes(id),
+                })),
+            }),
+            ...(extensions && {
+                extensions: deserializeExtensions(extensions),
+            }),
+        },
+    };
+}
+/**
+ * Deserializes a serialized authentication response.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authentication } from 'ox/webauthn'
+ *
+ * const response = Authentication.deserializeResponse({ // [!code focus]
+ *   id: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *   metadata: { // [!code focus]
+ *     authenticatorData: '0x49960de5...', // [!code focus]
+ *     clientDataJSON: '{"type":"webauthn.get",...}', // [!code focus]
+ *     challengeIndex: 23, // [!code focus]
+ *     typeIndex: 1, // [!code focus]
+ *     userVerificationRequired: true, // [!code focus]
+ *   }, // [!code focus]
+ *   raw: { // [!code focus]
+ *     id: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *     type: 'public-key', // [!code focus]
+ *     authenticatorAttachment: 'platform', // [!code focus]
+ *     rawId: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *     response: { clientDataJSON: 'eyJ0eXBlIjoid2ViYXV0aG4uZ2V0In0' }, // [!code focus]
+ *   }, // [!code focus]
+ *   signature: '0x...', // [!code focus]
+ * }) // [!code focus]
+ * ```
+ *
+ * @param response - The serialized authentication response.
+ * @returns The deserialized authentication response.
+ */
+export function deserializeResponse(response) {
+    const { id, metadata, raw, signature } = response;
+    const rawResponse = {};
+    for (const [key, value] of Object.entries(raw.response))
+        rawResponse[key] = bytesToArrayBuffer(Base64.toBytes(value));
+    return {
+        id,
+        metadata,
+        raw: {
+            id: raw.id,
+            type: raw.type,
+            authenticatorAttachment: raw.authenticatorAttachment,
+            rawId: bytesToArrayBuffer(Base64.toBytes(raw.rawId)),
+            response: rawResponse,
+            getClientExtensionResults: () => ({}),
+        },
+        signature: Signature.from(signature),
+    };
+}
+/**
+ * Returns the request options to sign a challenge with the Web Authentication API.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authentication } from 'ox/webauthn'
+ *
+ * const options = Authentication.getOptions({
+ *   challenge: '0xdeadbeef',
+ * })
+ *
+ * const credential = await window.navigator.credentials.get(options)
+ * ```
+ *
+ * @param options - Options.
+ * @returns The credential request options.
+ */
+export function getOptions(options) {
+    const { credentialId, challenge, extensions, rpId = window.location.hostname, userVerification = 'required', } = options;
+    return {
+        publicKey: {
+            ...(credentialId
+                ? {
+                    allowCredentials: Array.isArray(credentialId)
+                        ? credentialId.map((id) => ({
+                            id: Base64.toBytes(id),
+                            type: 'public-key',
+                        }))
+                        : [
+                            {
+                                id: Base64.toBytes(credentialId),
+                                type: 'public-key',
+                            },
+                        ],
+                }
+                : {}),
+            challenge: Bytes.fromHex(challenge),
+            ...(extensions && { extensions }),
+            rpId,
+            userVerification,
+        },
+    };
+}
+/**
+ * Constructs the final digest that was signed and computed by the authenticator. This payload includes
+ * the cryptographic `challenge`, as well as authenticator metadata (`authenticatorData` + `clientDataJSON`).
+ * This value can be also used with raw P256 verification (such as `P256.verify` or
+ * `WebCryptoP256.verify`).
+ *
+ * :::warning
+ *
+ * This function is mainly for testing purposes or for manually constructing
+ * signing payloads. In most cases you will not need this function and
+ * instead use `Authentication.sign`.
+ *
+ * :::
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authentication } from 'ox/webauthn'
+ * import { WebCryptoP256 } from 'ox'
+ *
+ * const { metadata, payload } = Authentication.getSignPayload({ // [!code focus]
+ *   challenge: '0xdeadbeef', // [!code focus]
+ * }) // [!code focus]
+ *
+ * const { publicKey, privateKey } = await WebCryptoP256.createKeyPair()
+ *
+ * const signature = await WebCryptoP256.sign({
+ *   payload,
+ *   privateKey,
+ * })
+ * ```
+ *
+ * @param options - Options to construct the signing payload.
+ * @returns The signing payload.
+ */
+export function getSignPayload(options) {
+    const { challenge, crossOrigin, extraClientData, flag, origin, rpId, signCount, userVerification = 'required', } = options;
+    const authenticatorData = getAuthenticatorData({
+        flag,
+        rpId,
+        signCount,
+    });
+    const clientDataJSON = getClientDataJSON({
+        challenge,
+        crossOrigin,
+        extraClientData,
+        origin,
+    });
+    const clientDataJSONHash = Hash.sha256(Hex.fromString(clientDataJSON));
+    const challengeIndex = clientDataJSON.indexOf('"challenge"');
+    const typeIndex = clientDataJSON.indexOf('"type"');
+    const metadata = {
+        authenticatorData,
+        clientDataJSON,
+        challengeIndex,
+        typeIndex,
+        userVerificationRequired: userVerification === 'required',
+    };
+    const payload = Hex.concat(authenticatorData, clientDataJSONHash);
+    return { metadata, payload };
+}
+/**
+ * Serializes credential request options into a JSON-serializable
+ * format, converting `BufferSource` fields to base64url strings.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authentication } from 'ox/webauthn'
+ *
+ * const options = Authentication.getOptions({
+ *   challenge: '0xdeadbeef',
+ * })
+ *
+ * const serialized = Authentication.serializeOptions(options) // [!code focus]
+ *
+ * // `serialized` is JSON-serializable — send it to a server, store it, etc.
+ * const json = JSON.stringify(serialized)
+ * ```
+ *
+ * @param options - The credential request options to serialize.
+ * @returns The serialized credential request options.
+ */
+export function serializeOptions(options) {
+    const { publicKey, signal: _, ...rest } = options;
+    if (!publicKey)
+        return { ...rest };
+    const { allowCredentials, challenge, extensions, ...publicKeyRest } = publicKey;
+    return {
+        ...rest,
+        publicKey: {
+            ...publicKeyRest,
+            challenge: Hex.fromBytes(bufferSourceToBytes(challenge)),
+            ...(allowCredentials && {
+                allowCredentials: allowCredentials.map(({ id, ...rest }) => ({
+                    ...rest,
+                    id: Base64.fromBytes(bufferSourceToBytes(id), base64UrlOptions),
+                })),
+            }),
+            ...(extensions && {
+                extensions: serializeExtensions(extensions),
+            }),
+        },
+    };
+}
+/**
+ * Serializes an authentication response into a JSON-serializable
+ * format, converting `BufferSource` fields to base64url strings
+ * and the signature to a hex string.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authentication } from 'ox/webauthn'
+ *
+ * const response = await Authentication.sign({
+ *   challenge: '0xdeadbeef',
+ * })
+ *
+ * const serialized = Authentication.serializeResponse(response) // [!code focus]
+ *
+ * // `serialized` is JSON-serializable — send it to a server, store it, etc.
+ * const json = JSON.stringify(serialized)
+ * ```
+ *
+ * @param response - The authentication response to serialize.
+ * @returns The serialized authentication response.
+ */
+export function serializeResponse(response) {
+    const { id, metadata, raw, signature } = response;
+    const rawResponse = {};
+    for (const key of responseKeys) {
+        const value = raw.response[key];
+        if (value instanceof ArrayBuffer)
+            rawResponse[key] = Base64.fromBytes(new Uint8Array(value), base64UrlOptions);
+    }
+    return {
+        id,
+        metadata,
+        raw: {
+            id: raw.id,
+            type: raw.type,
+            authenticatorAttachment: raw.authenticatorAttachment,
+            rawId: Base64.fromBytes(bufferSourceToBytes(raw.rawId), base64UrlOptions),
+            response: rawResponse,
+        },
+        signature: Signature.toHex(signature),
+    };
+}
+/**
+ * Signs a challenge using a stored WebAuthn P256 Credential. If no Credential is provided,
+ * a prompt will be displayed for the user to select an existing Credential
+ * that was previously registered.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration, Authentication } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({
+ *   name: 'Example',
+ * })
+ *
+ * const { metadata, signature } = await Authentication.sign({ // [!code focus]
+ *   credentialId: credential.id, // [!code focus]
+ *   challenge: '0xdeadbeef', // [!code focus]
+ * }) // [!code focus]
+ * // @log: {
+ * // @log:   metadata: {
+ * // @log:     authenticatorData: '0x49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d97630500000000',
+ * // @log:     clientDataJSON: '{"type":"webauthn.get","challenge":"9jEFijuhEWrM4SOW-tChJbUEHEP44VcjcJ-Bqo1fTM8","origin":"http://localhost:5173","crossOrigin":false}',
+ * // @log:     challengeIndex: 23,
+ * // @log:     typeIndex: 1,
+ * // @log:     userVerificationRequired: true,
+ * // @log:   },
+ * // @log:   signature: { r: 51231...4215n, s: 12345...6789n },
+ * // @log: }
+ * ```
+ *
+ * @param options - Options.
+ * @returns The signature.
+ */
+export async function sign(options) {
+    const { getFn = window.navigator.credentials.get.bind(window.navigator.credentials), ...rest } = options;
+    const requestOptions = 'publicKey' in rest
+        ? rest
+        : getOptions(rest);
+    try {
+        const credential = (await getFn(requestOptions));
+        if (!credential)
+            throw new SignFailedError();
+        const response = credential.response;
+        const clientDataJSON = String.fromCharCode(...new Uint8Array(response.clientDataJSON));
+        const challengeIndex = clientDataJSON.indexOf('"challenge"');
+        const typeIndex = clientDataJSON.indexOf('"type"');
+        const signature = internal.parseAsn1Signature(new Uint8Array(response.signature));
+        return {
+            id: credential.id,
+            metadata: {
+                authenticatorData: Hex.fromBytes(new Uint8Array(response.authenticatorData)),
+                clientDataJSON,
+                challengeIndex,
+                typeIndex,
+                userVerificationRequired: requestOptions.publicKey.userVerification === 'required',
+            },
+            signature,
+            raw: credential,
+        };
+    }
+    catch (error) {
+        throw new SignFailedError({
+            cause: error,
+        });
+    }
+}
+/** Thrown when a WebAuthn P256 credential request fails. */
+export class SignFailedError extends Errors.BaseError {
+    constructor({ cause } = {}) {
+        super('Failed to request credential.', {
+            cause,
+        });
+        Object.defineProperty(this, "name", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: 'Authentication.SignFailedError'
+        });
+    }
+}
+/**
+ * Verifies a signature using the Credential's public key and the challenge which was signed.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration, Authentication } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({
+ *   name: 'Example',
+ * })
+ *
+ * const { metadata, signature } = await Authentication.sign({
+ *   credentialId: credential.id,
+ *   challenge: '0xdeadbeef',
+ * })
+ *
+ * const result = Authentication.verify({ // [!code focus]
+ *   metadata, // [!code focus]
+ *   challenge: '0xdeadbeef', // [!code focus]
+ *   publicKey: credential.publicKey, // [!code focus]
+ *   signature, // [!code focus]
+ * }) // [!code focus]
+ * // @log: true
+ * ```
+ *
+ * @param options - Options.
+ * @returns Whether the signature is valid.
+ */
+export function verify(options) {
+    const { challenge, metadata, origin, publicKey, rpId, signature } = options;
+    const { authenticatorData, clientDataJSON, userVerificationRequired } = metadata;
+    const authenticatorDataBytes = Bytes.fromHex(authenticatorData);
+    // Check length of `authenticatorData`.
+    if (authenticatorDataBytes.length < 37)
+        return false;
+    // If rpId is provided, validate the rpIdHash in authenticatorData.
+    if (rpId !== undefined) {
+        const rpIdHash = authenticatorDataBytes.slice(0, 32);
+        const expectedRpIdHash = Hash.sha256(Hex.fromString(rpId), { as: 'Bytes' });
+        if (!Bytes.isEqual(rpIdHash, expectedRpIdHash))
+            return false;
+    }
+    const flag = authenticatorDataBytes[32];
+    // Verify that the UP bit of the flags in authData is set.
+    if ((flag & 0x01) !== 0x01)
+        return false;
+    // If user verification was determined to be required, verify that
+    // the UV bit of the flags in authData is set. Otherwise, ignore the
+    // value of the UV flag.
+    if (userVerificationRequired && (flag & 0x04) !== 0x04)
+        return false;
+    // If the BE bit of the flags in authData is not set, verify that
+    // the BS bit is not set.
+    if ((flag & 0x08) !== 0x08 && (flag & 0x10) === 0x10)
+        return false;
+    // Parse clientDataJSON for validation.
+    const clientData = JSON.parse(clientDataJSON);
+    // Verify that response is for an authentication assertion.
+    if (clientData.type !== 'webauthn.get')
+        return false;
+    // Validate the challenge in the clientDataJSON.
+    if (!clientData.challenge ||
+        Hex.fromBytes(Base64.toBytes(clientData.challenge)) !== challenge)
+        return false;
+    // If origin is provided, validate origin.
+    if (origin !== undefined) {
+        const origins = Array.isArray(origin) ? origin : [origin];
+        if (!origins.includes(clientData.origin))
+            return false;
+    }
+    const clientDataJSONHash = Hash.sha256(Bytes.fromString(clientDataJSON), {
+        as: 'Bytes',
+    });
+    const payload = Bytes.concat(authenticatorDataBytes, clientDataJSONHash);
+    return P256.verify({
+        hash: true,
+        payload,
+        publicKey,
+        signature,
+    });
+}
+//# sourceMappingURL=Authentication.js.map

package/_esm/webauthn/Authentication.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Authentication.js","sourceRoot":"","sources":["../../webauthn/Authentication.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAC3C,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAA;AACzC,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAC3C,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AACvC,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAA;AAErC,OAAO,KAAK,QAAQ,MAAM,8BAA8B,CAAA;AACxD,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AAEvC,OAAO,KAAK,SAAS,MAAM,sBAAsB,CAAA;AACjD,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAE5E,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,qBAAqB,EACrB,YAAY,EACZ,mBAAmB,GACpB,MAAM,qBAAqB,CAAA;AAW5B;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAA6C;IAE7C,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAA;IACtC,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,GAAG,IAAI,EAAE,CAAA;IAElC,MAAM,EAAE,gBAAgB,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,aAAa,EAAE,GACjE,SAAS,CAAA;IAEX,OAAO;QACL,GAAG,IAAI;QACP,SAAS,EAAE;YACT,GAAG,aAAa;YAChB,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YACnC,GAAG,CAAC,gBAAgB,IAAI;gBACtB,gBAAgB,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;oBAC3D,GAAG,IAAI;oBACP,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;iBACvB,CAAC,CAAC;aACJ,CAAC;YACF,GAAG,CAAC,UAAU,IAAI;gBAChB,UAAU,EAAE,qBAAqB,CAAC,UAAU,CAAC;aAC9C,CAAC;SACH;KACF,CAAA;AACH,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAwB;IAC1D,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAA;IAEjD,MAAM,WAAW,GAAgC,EAAE,CAAA;IACnD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QACrD,WAAW,CAAC,GAAG,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAA;IAE9D,OAAO;QACL,EAAE;QACF,QAAQ;QACR,GAAG,EAAE;YACH,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,uBAAuB,EAAE,GAAG,CAAC,uBAAuB;YACpD,KAAK,EAAE,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACpD,QAAQ,EAAE,WAAqD;YAC/D,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;SACtC;QACD,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC;KACrC,CAAA;AACH,CAAC;AASD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,UAAU,CACxB,OAA2B;IAE3B,MAAM,EACJ,YAAY,EACZ,SAAS,EACT,UAAU,EACV,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAC/B,gBAAgB,GAAG,UAAU,GAC9B,GAAG,OAAO,CAAA;IACX,OAAO;QACL,SAAS,EAAE;YACT,GAAG,CAAC,YAAY;gBACd,CAAC,CAAC;oBACE,gBAAgB,EAAE,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;wBAC3C,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;4BACxB,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;4BACtB,IAAI,EAAE,YAAY;yBACnB,CAAC,CAAC;wBACL,CAAC,CAAC;4BACE;gCACE,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC;gCAChC,IAAI,EAAE,YAAY;6BACnB;yBACF;iBACN;gBACH,CAAC,CAAC,EAAE,CAAC;YACP,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YACnC,GAAG,CAAC,UAAU,IAAI,EAAE,UAAU,EAAE,CAAC;YACjC,IAAI;YACJ,gBAAgB;SACjB;KACF,CAAA;AACH,CAAC;AA0BD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,MAAM,UAAU,cAAc,CAC5B,OAA+B;IAE/B,MAAM,EACJ,SAAS,EACT,WAAW,EACX,eAAe,EACf,IAAI,EACJ,MAAM,EACN,IAAI,EACJ,SAAS,EACT,gBAAgB,GAAG,UAAU,GAC9B,GAAG,OAAO,CAAA;IAEX,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;QAC7C,IAAI;QACJ,IAAI;QACJ,SAAS;KACV,CAAC,CAAA;IACF,MAAM,cAAc,GAAG,iBAAiB,CAAC;QACvC,SAAS;QACT,WAAW;QACX,eAAe;QACf,MAAM;KACP,CAAC,CAAA;IACF,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAA;IAEtE,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,aAAa,CAAC,CAAA;IAC5D,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAElD,MAAM,QAAQ,GAAG;QACf,iBAAiB;QACjB,cAAc;QACd,cAAc;QACd,SAAS;QACT,wBAAwB,EAAE,gBAAgB,KAAK,UAAU;KAC1D,CAAA;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,kBAAkB,CAAC,CAAA;IAEjE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAA;AAC9B,CAAC;AAsCD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAuC;IAEvC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAA;IACjD,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,GAAG,IAAI,EAAE,CAAA;IAElC,MAAM,EAAE,gBAAgB,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,aAAa,EAAE,GACjE,SAAS,CAAA;IAEX,OAAO;QACL,GAAG,IAAI;QACP,SAAS,EAAE;YACT,GAAG,aAAa;YAChB,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YACxD,GAAG,CAAC,gBAAgB,IAAI;gBACtB,gBAAgB,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;oBAC3D,GAAG,IAAI;oBACP,EAAE,EAAE,MAAM,CAAC,SAAS,CAAC,mBAAmB,CAAC,EAAE,CAAC,EAAE,gBAAgB,CAAC;iBAChE,CAAC,CAAC;aACJ,CAAC;YACF,GAAG,CAAC,UAAU,IAAI;gBAChB,UAAU,EAAE,mBAAmB,CAAC,UAAU,CAAC;aAC5C,CAAC;SACH;KACF,CAAA;AACH,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAkB;IAClD,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAA;IAEjD,MAAM,WAAW,GAAG,EAA4B,CAAA;IAChD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAI,GAAG,CAAC,QAA+C,CAAC,GAAG,CAAC,CAAA;QACvE,IAAI,KAAK,YAAY,WAAW;YAC9B,WAAW,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,SAAS,CACjC,IAAI,UAAU,CAAC,KAAK,CAAC,EACrB,gBAAgB,CACjB,CAAA;IACL,CAAC;IAED,OAAO;QACL,EAAE;QACF,QAAQ;QACR,GAAG,EAAE;YACH,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,uBAAuB,EAAE,GAAG,CAAC,uBAAuB;YACpD,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;YACzE,QAAQ,EAAE,WAA2D;SACtE;QACD,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC;KACtC,CAAA;AACH,CAAC;AASD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,OAAqB;IAC9C,MAAM,EACJ,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,EAC3E,GAAG,IAAI,EACR,GAAG,OAAO,CAAA;IACX,MAAM,cAAc,GAClB,WAAW,IAAI,IAAI;QACjB,CAAC,CAAE,IAAuC;QAC1C,CAAC,CAAC,UAAU,CAAC,IAAa,CAAC,CAAA;IAC/B,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,CAAC,MAAM,KAAK,CAC7B,cAAuB,CACxB,CAA8B,CAAA;QAC/B,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,eAAe,EAAE,CAAA;QAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,QAA0C,CAAA;QAEtE,MAAM,cAAc,GAAG,MAAM,CAAC,YAAY,CACxC,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC,CAC3C,CAAA;QACD,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,aAAa,CAAC,CAAA;QAC5D,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QAElD,MAAM,SAAS,GAAG,QAAQ,CAAC,kBAAkB,CAC3C,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CACnC,CAAA;QAED,OAAO;YACL,EAAE,EAAE,UAAU,CAAC,EAAE;YACjB,QAAQ,EAAE;gBACR,iBAAiB,EAAE,GAAG,CAAC,SAAS,CAC9B,IAAI,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAC3C;gBACD,cAAc;gBACd,cAAc;gBACd,SAAS;gBACT,wBAAwB,EACtB,cAAc,CAAC,SAAU,CAAC,gBAAgB,KAAK,UAAU;aAC5D;YACD,SAAS;YACT,GAAG,EAAE,UAAU;SAChB,CAAA;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,eAAe,CAAC;YACxB,KAAK,EAAE,KAAc;SACtB,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AA4BD,4DAA4D;AAC5D,MAAM,OAAO,eAAgB,SAAQ,MAAM,CAAC,SAAgB;IAG1D,YAAY,EAAE,KAAK,KAAoC,EAAE;QACvD,KAAK,CAAC,+BAA+B,EAAE;YACrC,KAAK;SACN,CAAC,CAAA;QALc;;;;mBAAO,gCAAgC;WAAA;IAMzD,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,MAAM,CAAC,OAAuB;IAC5C,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,OAAO,CAAA;IAC3E,MAAM,EAAE,iBAAiB,EAAE,cAAc,EAAE,wBAAwB,EAAE,GACnE,QAAQ,CAAA;IAEV,MAAM,sBAAsB,GAAG,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAA;IAE/D,uCAAuC;IACvC,IAAI,sBAAsB,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAA;IAEpD,mEAAmE;IACnE,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;QACpD,MAAM,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,CAAA;QAC3E,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,gBAAgB,CAAC;YAAE,OAAO,KAAK,CAAA;IAC9D,CAAC;IAED,MAAM,IAAI,GAAG,sBAAsB,CAAC,EAAE,CAAE,CAAA;IAExC,0DAA0D;IAC1D,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,KAAK,CAAA;IAExC,kEAAkE;IAClE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,wBAAwB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,KAAK,CAAA;IAEpE,iEAAiE;IACjE,yBAAyB;IACzB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,KAAK,CAAA;IAElE,uCAAuC;IACvC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAA;IAE7C,2DAA2D;IAC3D,IAAI,UAAU,CAAC,IAAI,KAAK,cAAc;QAAE,OAAO,KAAK,CAAA;IAEpD,gDAAgD;IAChD,IACE,CAAC,UAAU,CAAC,SAAS;QACrB,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,KAAK,SAAS;QAEjE,OAAO,KAAK,CAAA;IAEd,0CAA0C;IAC1C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAA;QACzD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,KAAK,CAAA;IACxD,CAAC;IAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE;QACvE,EAAE,EAAE,OAAO;KACZ,CAAC,CAAA;IACF,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,sBAAsB,EAAE,kBAAkB,CAAC,CAAA;IAExE,OAAO,IAAI,CAAC,MAAM,CAAC;QACjB,IAAI,EAAE,IAAI;QACV,OAAO;QACP,SAAS;QACT,SAAS;KACV,CAAC,CAAA;AACJ,CAAC"}

package/_esm/webauthn/Authenticator.js

@@ -0,0 +1,176 @@
+import * as Base64 from '../core/Base64.js';
+import * as Bytes from '../core/Bytes.js';
+import * as Cbor from '../core/Cbor.js';
+import * as CoseKey from '../core/CoseKey.js';
+import * as Hash from '../core/Hash.js';
+import * as Hex from '../core/Hex.js';
+/**
+ * Gets the authenticator data which contains information about the
+ * processing of an authenticator request (ie. from `Authentication.sign`).
+ *
+ * :::warning
+ *
+ * This function is mainly for testing purposes or for manually constructing
+ * autenticator data. In most cases you will not need this function.
+ * `authenticatorData` is typically returned as part of the
+ * authenticator response.
+ *
+ * :::
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const authenticatorData = Authenticator.getAuthenticatorData({
+ *   rpId: 'example.com',
+ *   signCount: 420,
+ * })
+ * // @log: "0xa379a6f6eeafb9a55e378c118034e2751e682fab9f2d30ab13d2125586ce194705000001a4"
+ * ```
+ *
+ * @example
+ * ### With Attested Credential Data
+ *
+ * Include a credential ID and public key in the authenticator data (for registration responses):
+ *
+ * ```ts twoslash
+ * import { P256 } from 'ox'
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const { publicKey } = P256.createKeyPair()
+ *
+ * const authenticatorData = Authenticator.getAuthenticatorData({
+ *   rpId: 'example.com',
+ *   flag: 0x41, // UP + AT
+ *   credential: {
+ *     id: new Uint8Array(32),
+ *     publicKey,
+ *   },
+ * })
+ * ```
+ *
+ * @param options - Options to construct the authenticator data.
+ * @returns The authenticator data.
+ */
+export function getAuthenticatorData(options = {}) {
+    const { credential, flag = 5, rpId = window.location.hostname, signCount = 0, } = options;
+    const rpIdHash = Hash.sha256(Hex.fromString(rpId));
+    const flag_bytes = Hex.fromNumber(flag, { size: 1 });
+    const signCount_bytes = Hex.fromNumber(signCount, { size: 4 });
+    const base = Hex.concat(rpIdHash, flag_bytes, signCount_bytes);
+    if (!credential)
+        return base;
+    // AAGUID (16 bytes of zeros)
+    const aaguid = Hex.fromBytes(new Uint8Array(16));
+    // Credential ID
+    const credentialId = Hex.fromBytes(credential.id);
+    const credIdLen = Hex.fromNumber(credential.id.length, { size: 2 });
+    // COSE public key
+    const coseKey = CoseKey.fromPublicKey(credential.publicKey);
+    return Hex.concat(base, aaguid, credIdLen, credentialId, coseKey);
+}
+/**
+ * Extracts the signature counter from the authenticator data.
+ * The counter is a 4-byte big-endian unsigned integer at bytes 33–36.
+ *
+ * Useful for detecting cloned authenticators: if the counter is non-zero and
+ * does not monotonically increase between assertions, it may indicate a cloned key.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const signCount = Authenticator.getSignCount(
+ *   '0x49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d97630500000001',
+ * )
+ * // @log: 1
+ * ```
+ *
+ * @param authenticatorData - The authenticator data hex string.
+ * @returns The signature counter.
+ */
+export function getSignCount(authenticatorData) {
+    const bytes = Bytes.fromHex(authenticatorData);
+    if (bytes.length < 37)
+        return 0;
+    return (((bytes[33] << 24) |
+        (bytes[34] << 16) |
+        (bytes[35] << 8) |
+        bytes[36]) >>>
+        0);
+}
+/**
+ * Constructs the Client Data in stringified JSON format which represents client data that
+ * was passed to `credentials.get()` or `credentials.create()`.
+ *
+ * :::warning
+ *
+ * This function is mainly for testing purposes or for manually constructing
+ * client data. In most cases you will not need this function.
+ * `clientDataJSON` is typically returned as part of the authenticator response.
+ *
+ * :::
+ *
+ * @example
+ * ```ts twoslash
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const clientDataJSON = Authenticator.getClientDataJSON({
+ *   challenge: '0xdeadbeef',
+ *   origin: 'https://example.com',
+ * })
+ * // @log: "{"type":"webauthn.get","challenge":"3q2-7w","origin":"https://example.com","crossOrigin":false}"
+ * ```
+ *
+ * @param options - Options to construct the client data.
+ * @returns The client data.
+ */
+export function getClientDataJSON(options) {
+    const { challenge, crossOrigin = false, extraClientData, origin = window.location.origin, type = 'webauthn.get', } = options;
+    return JSON.stringify({
+        type,
+        challenge: Base64.fromHex(challenge, { url: true, pad: false }),
+        origin,
+        crossOrigin,
+        ...extraClientData,
+    });
+}
+/**
+ * Constructs a CBOR-encoded attestation object for testing WebAuthn registration
+ * verification. Combines the authenticator data with an attestation statement.
+ *
+ * :::warning
+ *
+ * This function is mainly for testing purposes. In production, the attestation
+ * object is returned by the authenticator during `navigator.credentials.create()`.
+ *
+ * :::
+ *
+ * @example
+ * ```ts twoslash
+ * import { P256 } from 'ox'
+ * import { Authenticator } from 'ox/webauthn'
+ *
+ * const { publicKey } = P256.createKeyPair()
+ *
+ * const attestationObject = Authenticator.getAttestationObject({
+ *   authData: Authenticator.getAuthenticatorData({
+ *     rpId: 'example.com',
+ *     flag: 0x41,
+ *     credential: { id: new Uint8Array(32), publicKey },
+ *   }),
+ * })
+ * ```
+ *
+ * @param options - Options to construct the attestation object.
+ * @returns The CBOR-encoded attestation object as a Hex string.
+ */
+export function getAttestationObject(options) {
+    const { attStmt = {}, authData, fmt = 'none' } = options;
+    return Cbor.encode({
+        fmt,
+        attStmt,
+        authData: Hex.toBytes(authData),
+    });
+}
+//# sourceMappingURL=Authenticator.js.map

package/_esm/webauthn/Authenticator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Authenticator.js","sourceRoot":"","sources":["../../webauthn/Authenticator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAC3C,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAA;AACzC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AACvC,OAAO,KAAK,OAAO,MAAM,oBAAoB,CAAA;AAE7C,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AACvC,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAA;AAIrC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAwC,EAAE;IAE1C,MAAM,EACJ,UAAU,EACV,IAAI,GAAG,CAAC,EACR,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAC/B,SAAS,GAAG,CAAC,GACd,GAAG,OAAO,CAAA;IACX,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAA;IAClD,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAA;IACpD,MAAM,eAAe,GAAG,GAAG,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAA;IAC9D,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,eAAe,CAAC,CAAA;IAE9D,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAA;IAE5B,6BAA6B;IAC7B,MAAM,MAAM,GAAG,GAAG,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IAEhD,gBAAgB;IAChB,MAAM,YAAY,GAAG,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC,CAAA;IACjD,MAAM,SAAS,GAAG,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAA;IAEnE,kBAAkB;IAClB,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC,CAAA;IAE3D,OAAO,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,OAAO,CAAC,CAAA;AACnE,CAAC;AAwBD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,YAAY,CAAC,iBAA0B;IACrD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAA;IAC9C,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,CAAC,CAAA;IAC/B,OAAO,CACL,CAAC,CAAC,KAAK,CAAC,EAAE,CAAE,IAAI,EAAE,CAAC;QACjB,CAAC,KAAK,CAAC,EAAE,CAAE,IAAI,EAAE,CAAC;QAClB,CAAC,KAAK,CAAC,EAAE,CAAE,IAAI,CAAC,CAAC;QACjB,KAAK,CAAC,EAAE,CAAE,CAAC;QACb,CAAC,CACF,CAAA;AACH,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAkC;IAClE,MAAM,EACJ,SAAS,EACT,WAAW,GAAG,KAAK,EACnB,eAAe,EACf,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,EAC/B,IAAI,GAAG,cAAc,GACtB,GAAG,OAAO,CAAA;IAEX,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,IAAI;QACJ,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QAC/D,MAAM;QACN,WAAW;QACX,GAAG,eAAe;KACnB,CAAC,CAAA;AACJ,CAAC;AAmBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAqC;IAErC,MAAM,EAAE,OAAO,GAAG,EAAE,EAAE,QAAQ,EAAE,GAAG,GAAG,MAAM,EAAE,GAAG,OAAO,CAAA;IACxD,OAAO,IAAI,CAAC,MAAM,CAAC;QACjB,GAAG;QACH,OAAO;QACP,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC;KAChC,CAAC,CAAA;AACJ,CAAC"}