passkey-magic 0.1.0

package/dist/client/index.d.mts

@@ -0,0 +1,167 @@
+import { c as Credential, d as QRSessionStatus, h as User, p as Session, s as ClientConfig } from "../types-BjM1f6uu.mjs";
+
+//#region src/client/index.d.ts
+/**
+ * Client-side auth interface. All methods delegate to the server
+ * via the `request` function you provide in config.
+ */
+interface PasskeyMagicClient {
+  /** Check if the browser supports WebAuthn. */
+  supportsPasskeys(): boolean;
+  /** Check if the browser supports WebAuthn conditional UI (autofill). */
+  supportsAutofill(): Promise<boolean>;
+  /** Check if a platform authenticator (Touch ID, Windows Hello) is available. */
+  hasPlatformAuthenticator(): Promise<boolean>;
+  /** Register a new passkey and create an account. */
+  registerPasskey(params?: {
+    userId?: string;
+    email?: string;
+    userName?: string;
+  }): Promise<{
+    method: 'passkey';
+    user: {
+      id: string;
+      email?: string;
+    };
+    session: {
+      token: string;
+      expiresAt: string;
+    };
+    credential: {
+      id: string;
+    };
+  }>;
+  /** Sign in with an existing passkey. */
+  signInWithPasskey(params?: {
+    userId?: string;
+  }): Promise<{
+    method: 'passkey';
+    user: {
+      id: string;
+      email?: string;
+    };
+    session: {
+      token: string;
+      expiresAt: string;
+    };
+  }>;
+  /** Add a passkey to the current account (requires auth). */
+  addPasskey(params?: {
+    userName?: string;
+  }): Promise<{
+    credential: {
+      id: string;
+    };
+  }>;
+  /** Update a passkey label. */
+  updateCredential(params: {
+    credentialId: string;
+    label: string;
+  }): Promise<void>;
+  /** Remove a passkey. */
+  removeCredential(credentialId: string): Promise<void>;
+  /** List all passkeys for the current user. */
+  listCredentials(): Promise<{
+    credentials: Credential[];
+  }>;
+  /** Create a new QR login session on the server. */
+  createQRSession(): Promise<{
+    sessionId: string;
+  }>;
+  /** Render a URL as an SVG QR code using uqr. */
+  renderQR(url: string, opts?: {
+    border?: number;
+  }): string;
+  /** Render a URL as a text QR code using uqr. */
+  renderQRText(url: string, opts?: {
+    border?: number;
+  }): string;
+  /**
+   * Poll a QR session for status changes.
+   * Yields status updates until `authenticated` or `expired`.
+   */
+  pollQRSession(sessionId: string, opts?: {
+    interval?: number;
+    signal?: AbortSignal;
+  }): AsyncIterable<QRSessionStatus>;
+  /** Complete a QR session from the scanning device (authenticates with passkey). */
+  completeQRSession(params: {
+    sessionId: string;
+  }): Promise<void>;
+  /** Request a magic link email. */
+  requestMagicLink(params: {
+    email: string;
+  }): Promise<{
+    sent: true;
+  }>;
+  /** Verify a magic link token and create a session. */
+  verifyMagicLink(params: {
+    token: string;
+  }): Promise<{
+    method: 'magic-link';
+    user: {
+      id: string;
+      email?: string;
+    };
+    session: {
+      token: string;
+      expiresAt: string;
+    };
+    isNewUser: boolean;
+  }>;
+  /** Validate the current session. Returns null if invalid/expired. */
+  getSession(token: string): Promise<{
+    user: User;
+    session: Session;
+  } | null>;
+  /** List all active sessions. */
+  listSessions(): Promise<{
+    sessions: Session[];
+  }>;
+  /** Revoke the current session (logout). */
+  revokeSession(): Promise<void>;
+  /** Revoke a specific session by ID. */
+  revokeSessionById(sessionId: string): Promise<void>;
+  /** Revoke all sessions (logout everywhere). */
+  revokeAllSessions(): Promise<void>;
+  /** Get the current user profile. */
+  getAccount(): Promise<{
+    user: User;
+  }>;
+  /** Check if an email is available. */
+  isEmailAvailable(email: string): Promise<boolean>;
+  /** Link an email to the current account. */
+  linkEmail(email: string): Promise<{
+    user: User;
+  }>;
+  /** Unlink the email from the current account. */
+  unlinkEmail(): Promise<{
+    user: User;
+  }>;
+  /** Delete the current account and all data. */
+  deleteAccount(): Promise<void>;
+}
+/**
+ * Create a passkey-magic client.
+ *
+ * @example
+ * ```ts
+ * const client = createClient({
+ *   request: async (endpoint, body) => {
+ *     const res = await fetch(`/api/auth${endpoint}`, {
+ *       method: body ? 'POST' : 'GET',
+ *       headers: {
+ *         'Content-Type': 'application/json',
+ *         'Authorization': `Bearer ${sessionToken}`,
+ *       },
+ *       body: body ? JSON.stringify(body) : undefined,
+ *     })
+ *     if (!res.ok) throw new Error((await res.json()).error)
+ *     return res.json()
+ *   }
+ * })
+ * ```
+ */
+declare function createClient(config: ClientConfig): PasskeyMagicClient;
+//#endregion
+export { type ClientConfig, PasskeyMagicClient, type QRSessionStatus, createClient };

package/dist/client/index.mjs

@@ -0,0 +1,166 @@
+import { browserSupportsWebAuthn, browserSupportsWebAuthnAutofill, platformAuthenticatorIsAvailable, startAuthentication, startRegistration } from "@simplewebauthn/browser";
+import { renderSVG, renderUnicodeCompact } from "uqr";
+//#region src/client/passkey.ts
+function createClientPasskeyManager(config) {
+	return {
+		supportsPasskeys() {
+			return browserSupportsWebAuthn();
+		},
+		supportsAutofill() {
+			return browserSupportsWebAuthnAutofill();
+		},
+		hasPlatformAuthenticator() {
+			return platformAuthenticatorIsAvailable();
+		},
+		async register(params) {
+			const { options, userId } = await config.request("/passkey/register/options", params ?? {});
+			const response = await startRegistration({ optionsJSON: options });
+			return config.request("/passkey/register/verify", {
+				userId,
+				response
+			});
+		},
+		async authenticate(params) {
+			const { options } = await config.request("/passkey/authenticate/options", params ?? {});
+			const response = await startAuthentication({ optionsJSON: options });
+			return config.request("/passkey/authenticate/verify", { response });
+		}
+	};
+}
+//#endregion
+//#region src/client/qr.ts
+function createClientQRManager(config) {
+	return {
+		async createSession() {
+			return config.request("/qr/create", {});
+		},
+		renderSVG(url, opts) {
+			return renderSVG(url, { border: opts?.border ?? 2 });
+		},
+		renderText(url, opts) {
+			return renderUnicodeCompact(url, { border: opts?.border ?? 1 });
+		},
+		async *pollSession(sessionId, opts) {
+			const interval = opts?.interval ?? 2e3;
+			const signal = opts?.signal;
+			while (!signal?.aborted) {
+				const status = await config.request(`/qr/${sessionId}/status`);
+				yield status;
+				if (status.state === "authenticated" || status.state === "expired") return;
+				await new Promise((resolve, reject) => {
+					const timer = setTimeout(resolve, interval);
+					signal?.addEventListener("abort", () => {
+						clearTimeout(timer);
+						reject(signal.reason);
+					}, { once: true });
+				});
+			}
+		},
+		async completeSession({ sessionId }) {
+			await config.request(`/qr/${sessionId}/scanned`, {});
+			const { startAuthentication } = await import("@simplewebauthn/browser");
+			const { options } = await config.request("/passkey/authenticate/options", {});
+			const response = await startAuthentication({ optionsJSON: options });
+			await config.request(`/qr/${sessionId}/complete`, { response });
+		}
+	};
+}
+//#endregion
+//#region src/client/magic-link.ts
+function createClientMagicLinkManager(config) {
+	return {
+		async send({ email }) {
+			return config.request("/magic-link/send", { email });
+		},
+		async verify({ token }) {
+			return config.request("/magic-link/verify", { token });
+		}
+	};
+}
+//#endregion
+//#region src/client/index.ts
+/**
+* Create a passkey-magic client.
+*
+* @example
+* ```ts
+* const client = createClient({
+*   request: async (endpoint, body) => {
+*     const res = await fetch(`/api/auth${endpoint}`, {
+*       method: body ? 'POST' : 'GET',
+*       headers: {
+*         'Content-Type': 'application/json',
+*         'Authorization': `Bearer ${sessionToken}`,
+*       },
+*       body: body ? JSON.stringify(body) : undefined,
+*     })
+*     if (!res.ok) throw new Error((await res.json()).error)
+*     return res.json()
+*   }
+* })
+* ```
+*/
+function createClient(config) {
+	const passkey = createClientPasskeyManager(config);
+	const qr = createClientQRManager(config);
+	const magicLink = createClientMagicLinkManager(config);
+	return {
+		supportsPasskeys: () => passkey.supportsPasskeys(),
+		supportsAutofill: () => passkey.supportsAutofill(),
+		hasPlatformAuthenticator: () => passkey.hasPlatformAuthenticator(),
+		registerPasskey: (params) => passkey.register(params),
+		signInWithPasskey: (params) => passkey.authenticate(params),
+		async addPasskey(params) {
+			const { options } = await config.request("/passkey/add/options", params ?? {});
+			const { startRegistration } = await import("@simplewebauthn/browser");
+			const response = await startRegistration({ optionsJSON: options });
+			return config.request("/passkey/add/verify", { response });
+		},
+		async updateCredential({ credentialId, label }) {
+			await config.request(`/account/credentials/${credentialId}`, { label });
+		},
+		async removeCredential(credentialId) {
+			await config.request(`/account/credentials/${credentialId}/delete`, {});
+		},
+		listCredentials: () => config.request("/account/credentials"),
+		createQRSession: () => qr.createSession(),
+		renderQR: (url, opts) => qr.renderSVG(url, opts),
+		renderQRText: (url, opts) => qr.renderText(url, opts),
+		pollQRSession: (id, opts) => qr.pollSession(id, opts),
+		completeQRSession: (params) => qr.completeSession(params),
+		requestMagicLink: (params) => magicLink.send(params),
+		verifyMagicLink: (params) => magicLink.verify(params),
+		async getSession(token) {
+			try {
+				return await config.request("/session");
+			} catch {
+				return null;
+			}
+		},
+		listSessions: () => config.request("/account/sessions"),
+		async revokeSession() {
+			await config.request("/session/revoke", {});
+		},
+		async revokeSessionById(sessionId) {
+			await config.request(`/account/sessions/${sessionId}/delete`, {});
+		},
+		async revokeAllSessions() {
+			await config.request("/account/sessions/delete-all", {});
+		},
+		getAccount: () => config.request("/account"),
+		async isEmailAvailable(email) {
+			return (await config.request("/account/email-available", { email })).available;
+		},
+		async linkEmail(email) {
+			return config.request("/account/link-email", { email });
+		},
+		async unlinkEmail() {
+			return config.request("/account/unlink-email", {});
+		},
+		async deleteAccount() {
+			await config.request("/account/delete", {});
+		}
+	};
+}
+//#endregion
+export { createClient };

package/dist/crypto-KHRNe6EL.mjs

@@ -0,0 +1,45 @@
+//#region src/crypto.ts
+const encoder = new TextEncoder();
+/** Generate a random UUID v4 using Web Crypto. */
+function generateId() {
+	return crypto.randomUUID();
+}
+/**
+* Generate a cryptographically random URL-safe token.
+* @param bytes - Number of random bytes (default 32 = 256 bits of entropy).
+*/
+function generateToken(bytes = 32) {
+	const buf = new Uint8Array(bytes);
+	crypto.getRandomValues(buf);
+	return base64url(buf);
+}
+/** Encode a Uint8Array to a base64url string (no padding). */
+function base64url(buffer) {
+	let binary = "";
+	for (let i = 0; i < buffer.length; i++) binary += String.fromCharCode(buffer[i]);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+/** SHA-256 hash a string and return the digest as base64url. */
+async function hashToken(token) {
+	const data = encoder.encode(token);
+	const hash = await crypto.subtle.digest("SHA-256", data);
+	return base64url(new Uint8Array(hash));
+}
+/**
+* Constant-time string comparison to prevent timing attacks.
+* Returns `true` if both strings are equal. Both strings are
+* hashed first so length differences don't leak timing info.
+*/
+async function timingSafeEqual(a, b) {
+	const [hashA, hashB] = await Promise.all([hashToken(a), hashToken(b)]);
+	if (hashA.length !== hashB.length) return false;
+	let result = 0;
+	for (let i = 0; i < hashA.length; i++) result |= hashA.charCodeAt(i) ^ hashB.charCodeAt(i);
+	return result === 0;
+}
+/** Basic email format validation. */
+function isValidEmail(email) {
+	return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) && email.length <= 254;
+}
+//#endregion
+export { timingSafeEqual as i, generateToken as n, isValidEmail as r, generateId as t };