passkey-magic 0.1.0

package/dist/server-BXkm8lU0.mjs

@@ -0,0 +1,823 @@
+import { n as generateToken, r as isValidEmail, t as generateId } from "./crypto-KHRNe6EL.mjs";
+import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse } from "@simplewebauthn/server";
+//#region src/events.ts
+/** Typed event emitter for auth lifecycle events. */
+var AuthEmitter = class {
+	listeners = /* @__PURE__ */ new Map();
+	/**
+	* Subscribe to an auth event. Returns an unsubscribe function.
+	*
+	* @example
+	* ```ts
+	* const unsub = auth.on('session:created', ({ user, method }) => {
+	*   console.log(`${user.id} logged in via ${method}`)
+	* })
+	* unsub() // stop listening
+	* ```
+	*/
+	on(event, handler) {
+		if (!this.listeners.has(event)) this.listeners.set(event, /* @__PURE__ */ new Set());
+		this.listeners.get(event).add(handler);
+		return () => {
+			this.listeners.get(event)?.delete(handler);
+		};
+	}
+	/** Emit an event to all registered handlers. */
+	emit(event, data) {
+		const handlers = this.listeners.get(event);
+		if (handlers) for (const handler of handlers) handler(data);
+	}
+};
+//#endregion
+//#region src/server/session.ts
+function createSessionManager(storage, opts) {
+	const id = opts.generateId ?? generateId;
+	return {
+		async create(userId, meta) {
+			const session = {
+				id: id(),
+				token: generateToken(),
+				userId,
+				expiresAt: new Date(Date.now() + opts.ttl),
+				createdAt: /* @__PURE__ */ new Date(),
+				userAgent: meta?.userAgent,
+				ipAddress: meta?.ipAddress
+			};
+			return storage.createSession(session);
+		},
+		async validate(token) {
+			const session = await storage.getSessionByToken(token);
+			if (!session) return null;
+			if (/* @__PURE__ */ new Date() > session.expiresAt) {
+				await storage.deleteSession(session.id);
+				return null;
+			}
+			return session;
+		},
+		async listByUser(userId) {
+			return storage.getSessionsByUserId(userId);
+		},
+		async revoke(id) {
+			await storage.deleteSession(id);
+		},
+		async revokeAll(userId) {
+			await storage.deleteSessionsByUserId(userId);
+		}
+	};
+}
+//#endregion
+//#region src/server/passkey.ts
+function createPasskeyManager(storage, config) {
+	const generateId$3 = config.generateId ?? generateId;
+	const challengeTTL = config.challengeTTL ?? 6e4;
+	return {
+		async generateRegistrationOptions(params) {
+			const userId = params.userId ?? generateId$3();
+			const userName = params.userName ?? params.email ?? userId;
+			const existingCreds = await storage.getCredentialsByUserId(userId);
+			const options = await generateRegistrationOptions({
+				rpName: config.rpName,
+				rpID: config.rpID,
+				userName,
+				excludeCredentials: existingCreds.map((c) => ({
+					id: c.id,
+					transports: c.transports
+				})),
+				authenticatorSelection: {
+					residentKey: "preferred",
+					userVerification: "preferred"
+				}
+			});
+			await storage.storeChallenge(`reg:${userId}`, options.challenge, challengeTTL);
+			return {
+				options,
+				userId
+			};
+		},
+		async verifyRegistration({ userId, response }) {
+			const expectedChallenge = await storage.getChallenge(`reg:${userId}`);
+			if (!expectedChallenge) throw new Error("Registration challenge expired or not found");
+			const verification = await verifyRegistrationResponse({
+				response,
+				expectedChallenge,
+				expectedOrigin: Array.isArray(config.origin) ? config.origin : [config.origin],
+				expectedRPID: config.rpID
+			});
+			if (!verification.verified || !verification.registrationInfo) throw new Error("Registration verification failed");
+			await storage.deleteChallenge(`reg:${userId}`);
+			const { credential: regCred, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
+			let user = await storage.getUserById(userId);
+			if (!user) user = await storage.createUser({
+				id: userId,
+				createdAt: /* @__PURE__ */ new Date()
+			});
+			const credential = {
+				id: regCred.id,
+				userId,
+				publicKey: regCred.publicKey,
+				counter: regCred.counter,
+				deviceType: credentialDeviceType,
+				backedUp: credentialBackedUp,
+				transports: regCred.transports,
+				createdAt: /* @__PURE__ */ new Date()
+			};
+			await storage.createCredential(credential);
+			return {
+				user,
+				credential
+			};
+		},
+		async generateAuthenticationOptions(params) {
+			let allowCredentials;
+			if (params?.userId) allowCredentials = (await storage.getCredentialsByUserId(params.userId)).map((c) => ({
+				id: c.id,
+				transports: c.transports
+			}));
+			const options = await generateAuthenticationOptions({
+				rpID: config.rpID,
+				allowCredentials,
+				userVerification: "preferred"
+			});
+			await storage.storeChallenge(`auth:${options.challenge}`, options.challenge, challengeTTL);
+			return { options };
+		},
+		async verifyAuthentication({ response }) {
+			const credential = await storage.getCredentialById(response.id);
+			if (!credential) throw new Error("Credential not found");
+			const clientData = JSON.parse(new TextDecoder().decode(base64urlToBuffer(response.response.clientDataJSON)));
+			const storedChallenge = await storage.getChallenge(`auth:${clientData.challenge}`);
+			if (!storedChallenge) throw new Error("Authentication challenge expired or not found");
+			const verification = await verifyAuthenticationResponse({
+				response,
+				expectedChallenge: storedChallenge,
+				expectedOrigin: Array.isArray(config.origin) ? config.origin : [config.origin],
+				expectedRPID: config.rpID,
+				credential: {
+					id: credential.id,
+					publicKey: new Uint8Array(credential.publicKey),
+					counter: credential.counter,
+					transports: credential.transports
+				}
+			});
+			if (!verification.verified) throw new Error("Authentication verification failed");
+			await storage.deleteChallenge(`auth:${clientData.challenge}`);
+			await storage.updateCredential(credential.id, { counter: verification.authenticationInfo.newCounter });
+			const user = await storage.getUserById(credential.userId);
+			if (!user) throw new Error("User not found for credential");
+			return { user };
+		}
+	};
+}
+function base64urlToBuffer(base64url) {
+	const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+	const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+	const binary = atob(padded);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes.buffer;
+}
+//#endregion
+//#region src/server/magic-link.ts
+function createMagicLinkManager(storage, emailAdapter, opts) {
+	const generateId$2 = opts.generateId ?? generateId;
+	return {
+		async send({ email }) {
+			if (!isValidEmail(email)) throw new Error("Invalid email address");
+			const token = generateToken(32);
+			await storage.storeMagicLink(token, email, opts.ttl);
+			const url = `${opts.magicLinkURL}?token=${encodeURIComponent(token)}`;
+			await emailAdapter.sendMagicLink(email, url, token);
+			return { sent: true };
+		},
+		async verify({ token }) {
+			if (!token || typeof token !== "string") throw new Error("Invalid magic link token");
+			const entry = await storage.getMagicLink(token);
+			if (!entry) throw new Error("Magic link expired or invalid");
+			await storage.deleteMagicLink(token);
+			let user = await storage.getUserByEmail(entry.email);
+			let isNewUser = false;
+			if (!user) {
+				user = await storage.createUser({
+					id: generateId$2(),
+					email: entry.email,
+					createdAt: /* @__PURE__ */ new Date()
+				});
+				isNewUser = true;
+			}
+			return {
+				user,
+				isNewUser
+			};
+		}
+	};
+}
+//#endregion
+//#region src/server/qr-session.ts
+function createQRSessionManager(storage, opts) {
+	const generateId$1 = opts.generateId ?? generateId;
+	return {
+		async create() {
+			const session = {
+				id: generateId$1(),
+				state: "pending",
+				expiresAt: new Date(Date.now() + opts.ttl),
+				createdAt: /* @__PURE__ */ new Date()
+			};
+			await storage.createQRSession(session);
+			return { sessionId: session.id };
+		},
+		async getStatus(sessionId) {
+			const session = await storage.getQRSession(sessionId);
+			if (!session) throw new Error("QR session not found");
+			if (/* @__PURE__ */ new Date() > session.expiresAt && session.state === "pending") {
+				await storage.updateQRSession(sessionId, { state: "expired" });
+				return { state: "expired" };
+			}
+			const status = { state: session.state };
+			if (session.state === "authenticated" && session.sessionToken) status.session = {
+				token: session.sessionToken,
+				expiresAt: session.expiresAt.toISOString()
+			};
+			return status;
+		},
+		async markScanned(sessionId) {
+			const session = await storage.getQRSession(sessionId);
+			if (!session) throw new Error("QR session not found");
+			if (session.state !== "pending") throw new Error(`QR session is ${session.state}, expected pending`);
+			await storage.updateQRSession(sessionId, { state: "scanned" });
+		},
+		async complete(sessionId, userId) {
+			const session = await storage.getQRSession(sessionId);
+			if (!session) throw new Error("QR session not found");
+			if (session.state !== "pending" && session.state !== "scanned") throw new Error(`QR session is ${session.state}, cannot complete`);
+			await storage.updateQRSession(sessionId, {
+				state: "authenticated",
+				userId
+			});
+		}
+	};
+}
+//#endregion
+//#region src/server/handler.ts
+/**
+* Create a Web Standard `Request → Response` handler for all auth routes.
+*
+* Routes:
+* ```
+* POST /passkey/register/options     — Start passkey registration
+* POST /passkey/register/verify      — Complete passkey registration
+* POST /passkey/authenticate/options — Start passkey authentication
+* POST /passkey/authenticate/verify  — Complete passkey authentication
+* POST /passkey/add/options          — Start adding passkey (authed)
+* POST /passkey/add/verify           — Complete adding passkey (authed)
+* POST /magic-link/send              — Send magic link email
+* POST /magic-link/verify            — Verify magic link token
+* POST /qr/create                    — Create QR login session
+* GET  /qr/:id/status                — Poll QR session status
+* POST /qr/:id/scanned              — Mark QR session scanned
+* POST /qr/:id/complete             — Complete QR session
+* GET  /session                      — Validate current session (Bearer token)
+* DELETE /session                    — Revoke current session (Bearer token)
+* GET  /account                      — Get current user (authed)
+* GET  /account/sessions             — List user sessions (authed)
+* DELETE /account/sessions/:id       — Revoke specific session (authed)
+* DELETE /account/sessions           — Revoke all sessions (authed)
+* GET  /account/credentials          — List user passkeys (authed)
+* PATCH /account/credentials/:id     — Update passkey label (authed)
+* DELETE /account/credentials/:id    — Remove passkey (authed)
+* POST /account/link-email           — Link email to account (authed)
+* POST /account/unlink-email         — Unlink email from account (authed)
+* POST /account/email-available      — Check email availability
+* DELETE /account                    — Delete account (authed)
+* ```
+*/
+function createHandler(auth, opts = {}) {
+	const prefix = (opts.pathPrefix ?? "/auth").replace(/\/$/, "");
+	async function authenticate(request) {
+		const token = extractBearerToken(request);
+		if (!token) return null;
+		return auth.validateSession(token);
+	}
+	async function requireAuth(request) {
+		const result = await authenticate(request);
+		if (!result) throw new HttpError(401, "Authentication required");
+		return result;
+	}
+	return async (request) => {
+		const url = new URL(request.url, "http://localhost");
+		const path = url.pathname.startsWith(prefix) ? url.pathname.slice(prefix.length) : null;
+		if (path === null) return json({ error: "Not found" }, 404);
+		try {
+			if (path === "/passkey/register/options" && request.method === "POST") {
+				const body = await readJSON(request);
+				return json(await auth.generateRegistrationOptions({
+					userId: expectOptionalString(body, "userId"),
+					email: expectOptionalString(body, "email"),
+					userName: expectOptionalString(body, "userName")
+				}));
+			}
+			if (path === "/passkey/register/verify" && request.method === "POST") {
+				const body = await readJSON(request);
+				return json(await auth.verifyRegistration({
+					userId: expectString(body, "userId"),
+					response: expectObject(body, "response")
+				}));
+			}
+			if (path === "/passkey/authenticate/options" && request.method === "POST") {
+				const body = await readJSON(request);
+				return json(await auth.generateAuthenticationOptions({ userId: expectOptionalString(body, "userId") }));
+			}
+			if (path === "/passkey/authenticate/verify" && request.method === "POST") {
+				const body = await readJSON(request);
+				return json(await auth.verifyAuthentication({ response: expectObject(body, "response") }));
+			}
+			if (path === "/passkey/add/options" && request.method === "POST") {
+				const { user } = await requireAuth(request);
+				const body = await readJSON(request);
+				return json(await auth.addPasskey({
+					userId: user.id,
+					userName: expectOptionalString(body, "userName")
+				}));
+			}
+			if (path === "/passkey/add/verify" && request.method === "POST") {
+				const { user } = await requireAuth(request);
+				const body = await readJSON(request);
+				return json(await auth.verifyAddPasskey({
+					userId: user.id,
+					response: expectObject(body, "response")
+				}));
+			}
+			if (path === "/magic-link/send" && request.method === "POST") {
+				if (!("sendMagicLink" in auth)) return json({ error: "Magic link not configured" }, 400);
+				const body = await readJSON(request);
+				return json(await auth.sendMagicLink({ email: expectString(body, "email") }));
+			}
+			if (path === "/magic-link/verify" && request.method === "POST") {
+				if (!("verifyMagicLink" in auth)) return json({ error: "Magic link not configured" }, 400);
+				const body = await readJSON(request);
+				return json(await auth.verifyMagicLink({ token: expectString(body, "token") }));
+			}
+			if (path === "/qr/create" && request.method === "POST") return json(await auth.createQRSession());
+			const qrStatusMatch = path.match(/^\/qr\/([^/]+)\/status$/);
+			if (qrStatusMatch && request.method === "GET") return json(await auth.getQRSessionStatus(qrStatusMatch[1]));
+			const qrScannedMatch = path.match(/^\/qr\/([^/]+)\/scanned$/);
+			if (qrScannedMatch && request.method === "POST") {
+				await auth.markQRSessionScanned(qrScannedMatch[1]);
+				return json({ ok: true });
+			}
+			const qrCompleteMatch = path.match(/^\/qr\/([^/]+)\/complete$/);
+			if (qrCompleteMatch && request.method === "POST") {
+				const body = await readJSON(request);
+				return json(await auth.completeQRSession({
+					sessionId: qrCompleteMatch[1],
+					response: expectObject(body, "response")
+				}));
+			}
+			if (path === "/session" && request.method === "GET") return json(await requireAuth(request));
+			if (path === "/session" && request.method === "DELETE") {
+				const token = extractBearerToken(request);
+				if (!token) return json({ error: "No session token" }, 401);
+				await auth.revokeSession(token);
+				return json({ ok: true });
+			}
+			if (path === "/account" && request.method === "GET") {
+				const { user } = await requireAuth(request);
+				return json({ user });
+			}
+			if (path === "/account" && request.method === "DELETE") {
+				const { user } = await requireAuth(request);
+				await auth.deleteAccount(user.id);
+				return json({ ok: true });
+			}
+			if (path === "/account/sessions" && request.method === "GET") {
+				const { user } = await requireAuth(request);
+				return json({ sessions: await auth.getUserSessions(user.id) });
+			}
+			if (path === "/account/sessions" && request.method === "DELETE") {
+				const { user } = await requireAuth(request);
+				await auth.revokeAllSessions(user.id);
+				return json({ ok: true });
+			}
+			const sessionDeleteMatch = path.match(/^\/account\/sessions\/([^/]+)$/);
+			if (sessionDeleteMatch && request.method === "DELETE") {
+				await requireAuth(request);
+				await auth.revokeSessionById(sessionDeleteMatch[1]);
+				return json({ ok: true });
+			}
+			if (path === "/account/credentials" && request.method === "GET") {
+				const { user } = await requireAuth(request);
+				return json({ credentials: await auth.getUserCredentials(user.id) });
+			}
+			const credPatchMatch = path.match(/^\/account\/credentials\/([^/]+)$/);
+			if (credPatchMatch && request.method === "PATCH") {
+				await requireAuth(request);
+				const body = await readJSON(request);
+				await auth.updateCredential({
+					credentialId: credPatchMatch[1],
+					label: expectString(body, "label")
+				});
+				return json({ ok: true });
+			}
+			const credDeleteMatch = path.match(/^\/account\/credentials\/([^/]+)$/);
+			if (credDeleteMatch && request.method === "DELETE") {
+				await requireAuth(request);
+				await auth.removeCredential(credDeleteMatch[1]);
+				return json({ ok: true });
+			}
+			if (path === "/account/link-email" && request.method === "POST") {
+				const { user } = await requireAuth(request);
+				const body = await readJSON(request);
+				return json(await auth.linkEmail({
+					userId: user.id,
+					email: expectString(body, "email")
+				}));
+			}
+			if (path === "/account/unlink-email" && request.method === "POST") {
+				const { user } = await requireAuth(request);
+				return json(await auth.unlinkEmail({ userId: user.id }));
+			}
+			if (path === "/account/email-available" && request.method === "POST") {
+				const body = await readJSON(request);
+				return json({ available: await auth.isEmailAvailable(expectString(body, "email")) });
+			}
+			return json({ error: "Not found" }, 404);
+		} catch (err) {
+			if (err instanceof HttpError) return json({ error: err.message }, err.status);
+			const message = err instanceof Error ? err.message : "Internal error";
+			const status = isClientError(message) ? 400 : 500;
+			return json({ error: message }, status);
+		}
+	};
+}
+var HttpError = class extends Error {
+	constructor(status, message) {
+		super(message);
+		this.status = status;
+	}
+};
+function json(data, status = 200) {
+	return new Response(JSON.stringify(data), {
+		status,
+		headers: { "Content-Type": "application/json" }
+	});
+}
+function extractBearerToken(request) {
+	const header = request.headers.get("Authorization");
+	if (header?.startsWith("Bearer ")) return header.slice(7);
+	return null;
+}
+async function readJSON(request) {
+	try {
+		const body = await request.json();
+		if (typeof body !== "object" || body === null || Array.isArray(body)) throw new HttpError(400, "Request body must be a JSON object");
+		return body;
+	} catch (err) {
+		if (err instanceof HttpError) throw err;
+		throw new HttpError(400, "Invalid JSON in request body");
+	}
+}
+function expectString(body, key) {
+	const value = body[key];
+	if (typeof value !== "string" || value.length === 0) throw new HttpError(400, `Missing or invalid field: ${key}`);
+	return value;
+}
+function expectOptionalString(body, key) {
+	const value = body[key];
+	if (value === void 0 || value === null) return void 0;
+	if (typeof value !== "string") throw new HttpError(400, `Invalid field: ${key} (expected string)`);
+	return value;
+}
+function expectObject(body, key) {
+	const value = body[key];
+	if (typeof value !== "object" || value === null || Array.isArray(value)) throw new HttpError(400, `Missing or invalid field: ${key}`);
+	return value;
+}
+/** Known client-side errors that should return 400 instead of 500. */
+function isClientError(message) {
+	const patterns = [
+		"not found",
+		"expired",
+		"invalid",
+		"blocked",
+		"already",
+		"cannot remove",
+		"cannot unlink",
+		"no email",
+		"no passkey"
+	];
+	const lower = message.toLowerCase();
+	return patterns.some((p) => lower.includes(p));
+}
+//#endregion
+//#region src/server/index.ts
+const SEVEN_DAYS = 10080 * 60 * 1e3;
+const SIXTY_SECONDS = 60 * 1e3;
+const FIFTEEN_MINUTES = 900 * 1e3;
+const FIVE_MINUTES = 300 * 1e3;
+/**
+* Create a passkey-magic auth instance.
+*
+* @example
+* ```ts
+* const auth = createAuth({
+*   rpName: 'My App',
+*   rpID: 'example.com',
+*   origin: 'https://example.com',
+*   storage: memoryAdapter(),
+* })
+* ```
+*
+* @example With magic link fallback:
+* ```ts
+* const auth = createAuth({
+*   rpName: 'My App',
+*   rpID: 'example.com',
+*   origin: 'https://example.com',
+*   storage: memoryAdapter(),
+*   email: myEmailAdapter,
+*   magicLinkURL: 'https://example.com/auth/verify',
+* })
+* auth.sendMagicLink({ email: 'user@example.com' }) // ✓ type-safe
+* ```
+*/
+function createAuth(config) {
+	const emitter = new AuthEmitter();
+	const hooks = config.hooks ?? {};
+	const sessions = createSessionManager(config.storage, {
+		ttl: config.sessionTTL ?? SEVEN_DAYS,
+		generateId: config.generateId
+	});
+	const passkeys = createPasskeyManager(config.storage, {
+		rpName: config.rpName,
+		rpID: config.rpID,
+		origin: config.origin,
+		challengeTTL: config.challengeTTL ?? SIXTY_SECONDS,
+		generateId: config.generateId
+	});
+	const qrSessions = createQRSessionManager(config.storage, {
+		ttl: config.qrSessionTTL ?? FIVE_MINUTES,
+		generateId: config.generateId
+	});
+	const base = {
+		async generateRegistrationOptions(params) {
+			if (hooks.beforeRegister) {
+				if (await hooks.beforeRegister({ email: params.email }) === false) throw new Error("Registration blocked by hook");
+			}
+			return passkeys.generateRegistrationOptions(params);
+		},
+		async verifyRegistration({ userId, response }) {
+			const existingUser = await config.storage.getUserById(userId);
+			const { user, credential } = await passkeys.verifyRegistration({
+				userId,
+				response
+			});
+			const session = await sessions.create(user.id);
+			if (!existingUser) emitter.emit("user:created", { user });
+			emitter.emit("credential:created", {
+				credential,
+				user
+			});
+			emitter.emit("session:created", {
+				session,
+				user,
+				method: "passkey"
+			});
+			if (hooks.afterRegister) await hooks.afterRegister({
+				user,
+				credential
+			});
+			return {
+				method: "passkey",
+				user,
+				session,
+				credential
+			};
+		},
+		async generateAuthenticationOptions(params) {
+			if (hooks.beforeAuthenticate) {
+				if (await hooks.beforeAuthenticate({ credentialId: params?.userId }) === false) throw new Error("Authentication blocked by hook");
+			}
+			return passkeys.generateAuthenticationOptions(params);
+		},
+		async verifyAuthentication({ response }) {
+			const { user } = await passkeys.verifyAuthentication({ response });
+			const session = await sessions.create(user.id);
+			emitter.emit("session:created", {
+				session,
+				user,
+				method: "passkey"
+			});
+			if (hooks.afterAuthenticate) await hooks.afterAuthenticate({
+				user,
+				session
+			});
+			return {
+				method: "passkey",
+				user,
+				session
+			};
+		},
+		async addPasskey({ userId, userName }) {
+			const user = await config.storage.getUserById(userId);
+			if (!user) throw new Error("User not found");
+			const { options } = await passkeys.generateRegistrationOptions({
+				userId,
+				email: user.email,
+				userName: userName ?? user.email ?? userId
+			});
+			return { options };
+		},
+		async verifyAddPasskey({ userId, response }) {
+			const { user, credential } = await passkeys.verifyRegistration({
+				userId,
+				response
+			});
+			emitter.emit("credential:created", {
+				credential,
+				user
+			});
+			return { credential };
+		},
+		async updateCredential({ credentialId, label }) {
+			const cred = await config.storage.getCredentialById(credentialId);
+			if (!cred) throw new Error("Credential not found");
+			await config.storage.updateCredential(credentialId, { label });
+			emitter.emit("credential:updated", {
+				credentialId,
+				userId: cred.userId
+			});
+		},
+		async removeCredential(credentialId) {
+			const cred = await config.storage.getCredentialById(credentialId);
+			if (!cred) throw new Error("Credential not found");
+			if ((await config.storage.getCredentialsByUserId(cred.userId)).length <= 1) {
+				if (!(await config.storage.getUserById(cred.userId))?.email) throw new Error("Cannot remove the last passkey — user has no email for recovery");
+			}
+			await config.storage.deleteCredential(credentialId);
+			emitter.emit("credential:removed", {
+				credentialId,
+				userId: cred.userId
+			});
+		},
+		async getUserCredentials(userId) {
+			return config.storage.getCredentialsByUserId(userId);
+		},
+		async createQRSession() {
+			return qrSessions.create();
+		},
+		async getQRSessionStatus(sessionId) {
+			return qrSessions.getStatus(sessionId);
+		},
+		async markQRSessionScanned(sessionId) {
+			await qrSessions.markScanned(sessionId);
+			emitter.emit("qr:scanned", { sessionId });
+		},
+		async completeQRSession({ sessionId, response }) {
+			const { user } = await passkeys.verifyAuthentication({ response });
+			if (hooks.beforeQRComplete) {
+				if (await hooks.beforeQRComplete({
+					sessionId,
+					userId: user.id
+				}) === false) throw new Error("QR completion blocked by hook");
+			}
+			const session = await sessions.create(user.id);
+			await config.storage.updateQRSession(sessionId, {
+				state: "authenticated",
+				userId: user.id,
+				sessionToken: session.token
+			});
+			emitter.emit("qr:completed", {
+				sessionId,
+				user
+			});
+			emitter.emit("session:created", {
+				session,
+				user,
+				method: "qr"
+			});
+			if (hooks.afterQRComplete) await hooks.afterQRComplete({
+				user,
+				session
+			});
+			return {
+				method: "qr",
+				user,
+				session
+			};
+		},
+		async validateSession(token) {
+			const session = await sessions.validate(token);
+			if (!session) return null;
+			const user = await config.storage.getUserById(session.userId);
+			if (!user) return null;
+			return {
+				user,
+				session
+			};
+		},
+		async getUserSessions(userId) {
+			return sessions.listByUser(userId);
+		},
+		async revokeSession(token) {
+			const session = await sessions.validate(token);
+			if (session) {
+				await sessions.revoke(session.id);
+				emitter.emit("session:revoked", {
+					sessionId: session.id,
+					userId: session.userId
+				});
+			}
+		},
+		async revokeSessionById(sessionId) {
+			await sessions.revoke(sessionId);
+		},
+		async revokeAllSessions(userId) {
+			await sessions.revokeAll(userId);
+		},
+		async getUser(userId) {
+			return config.storage.getUserById(userId);
+		},
+		async isEmailAvailable(email) {
+			if (!isValidEmail(email)) return false;
+			return await config.storage.getUserByEmail(email) === null;
+		},
+		async linkEmail({ userId, email }) {
+			if (!isValidEmail(email)) throw new Error("Invalid email address");
+			const existing = await config.storage.getUserByEmail(email);
+			if (existing && existing.id !== userId) throw new Error("Email is already linked to another account");
+			const user = await config.storage.updateUser(userId, { email });
+			emitter.emit("email:linked", {
+				userId,
+				email
+			});
+			return { user };
+		},
+		async unlinkEmail({ userId }) {
+			const user = await config.storage.getUserById(userId);
+			if (!user) throw new Error("User not found");
+			if (!user.email) throw new Error("User has no email to unlink");
+			if ((await config.storage.getCredentialsByUserId(userId)).length === 0) throw new Error("Cannot unlink email — user has no passkeys for recovery");
+			const oldEmail = user.email;
+			const updated = await config.storage.updateUser(userId, { email: void 0 });
+			emitter.emit("email:unlinked", {
+				userId,
+				email: oldEmail
+			});
+			return { user: updated };
+		},
+		async deleteAccount(userId) {
+			const creds = await config.storage.getCredentialsByUserId(userId);
+			for (const cred of creds) await config.storage.deleteCredential(cred.id);
+			await config.storage.deleteSessionsByUserId(userId);
+			await config.storage.deleteUser(userId);
+			emitter.emit("user:deleted", { userId });
+		},
+		on(event, handler) {
+			return emitter.on(event, handler);
+		},
+		createHandler(opts) {
+			return createHandler(this, opts);
+		}
+	};
+	if (config.email) {
+		const magicLinks = createMagicLinkManager(config.storage, config.email, {
+			magicLinkURL: config.magicLinkURL,
+			ttl: config.magicLinkTTL ?? FIFTEEN_MINUTES,
+			generateId: config.generateId
+		});
+		Object.assign(base, {
+			async sendMagicLink({ email }) {
+				if (hooks.beforeMagicLink) {
+					if (await hooks.beforeMagicLink({ email }) === false) throw new Error("Magic link blocked by hook");
+				}
+				const response = await magicLinks.send({ email });
+				emitter.emit("magic-link:sent", { email });
+				return response;
+			},
+			async verifyMagicLink({ token }) {
+				const { user, isNewUser } = await magicLinks.verify({ token });
+				const session = await sessions.create(user.id);
+				if (isNewUser) emitter.emit("user:created", { user });
+				emitter.emit("session:created", {
+					session,
+					user,
+					method: "magic-link"
+				});
+				if (hooks.afterMagicLink) await hooks.afterMagicLink({
+					user,
+					session,
+					isNewUser
+				});
+				return {
+					method: "magic-link",
+					user,
+					session,
+					isNewUser
+				};
+			}
+		});
+	}
+	return base;
+}
+//#endregion
+export { createAuth as t };