pocketbase-passkey 1.0.0

package/README.md

@@ -0,0 +1,92 @@
+# 📦 PocketBase Passkey SDK
+
+[![NPM Version](https://img.shields.io/npm/v/pocketbase-passkey.svg)](https://www.npmjs.com/package/pocketbase-passkey)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+A lightweight, TypeScript-first SDK to integrate **Passkey (WebAuthn)** authentication with **PocketBase**.
+
+## Features
+
+- **🚀 One-Click Registration & Login**: High-level methods to skip the "Begin/Finish" boilerplate.
+- **🔐 PocketBase Native**: Seamlessly integrates with the official PocketBase SDK to handle `authStore` automatically.
+- **🛠️ Type-Safe**: Written in TypeScript with full JSDoc support for IntelliSense.
+- **⚠️ Custom Error Classes**: Easily handle user cancellations and verification failures.
+
+## Installation
+
+```bash
+npm install pocketbase-passkey
+```
+
+## Basic Usage
+
+### Initialize the SDK
+
+```typescript
+import { PocketBasePasskey } from "pocketbase-passkey";
+import PocketBase from "pocketbase";
+
+// 1. Initialize official PocketBase SDK
+const pb = new PocketBase("http://localhost:8090");
+
+// 2. Initialize Passkey SDK (passing the pb instance)
+const sdk = new PocketBasePasskey({ pb });
+```
+
+### One-Click Register
+
+Registers a new passkey for the current user ID.
+
+```typescript
+try {
+  const result = await sdk.register("user_record_id");
+  console.log("Passkey registered!");
+} catch (err) {
+  console.error("Registration failed", err);
+}
+```
+
+### One-Click Login
+
+Authenticates the user and **automatically** populates `pb.authStore`.
+
+```typescript
+try {
+  const result = await sdk.login("user_record_id");
+  // pb.authStore.token is now saved and valid!
+  console.log("Authenticated as:", pb.authStore.model.email);
+} catch (err) {
+  if (err.name === "PasskeyCancelledError") {
+    console.log("User closed the biometric dialog");
+  }
+}
+```
+
+## Advanced Error Handling
+
+The SDK provides specific error classes for robust UX:
+
+```typescript
+import {
+  PasskeyCancelledError,
+  PasskeyVerificationError,
+} from "pocketbase-passkey";
+
+try {
+  await sdk.login(userId);
+} catch (err) {
+  if (err instanceof PasskeyCancelledError) {
+    // User clicked "Cancel" or closed the Face ID prompt
+  } else if (err instanceof PasskeyVerificationError) {
+    // Server rejected the passkey signature
+  }
+}
+```
+
+## Support & Integration
+
+This SDK is designed to work with the [PocketBase Passkey Server](https://github.com/kaiseo/pocketbase-passkey).
+
+## License
+
+MIT

package/dist/index.d.mts

@@ -0,0 +1,94 @@
+/**
+ * Base error class for all Passkey-related operations.
+ */
+declare class PasskeyError extends Error {
+    constructor(message: string);
+}
+/**
+ * Thrown when a user explicitly cancels the Face ID / Touch ID / Security Key prompt.
+ */
+declare class PasskeyCancelledError extends PasskeyError {
+    constructor();
+}
+/**
+ * Thrown when the server fails to verify the passkey response.
+ */
+declare class PasskeyVerificationError extends PasskeyError {
+    constructor(message: string);
+}
+/**
+ * Configuration options for the PocketBasePasskey SDK.
+ */
+interface PasskeyOptions {
+    /** The base URL of your PocketBase server (e.g., 'http://localhost:8090'). */
+    apiUrl: string;
+    /**
+     * Optional: An instance of the official PocketBase JavaScript SDK.
+     * If provided, the SDK will automatically authenticate this instance on successful login.
+     */
+    pb?: any;
+}
+/**
+ * The main SDK class for handling Passkey registration and authentication with PocketBase.
+ */
+declare class PocketBasePasskey {
+    private apiUrl;
+    private pb?;
+    /**
+     * Initializes the Passkey SDK.
+     * @param options - A configuration object or just the API URL string.
+     */
+    constructor(options: PasskeyOptions | string);
+    /**
+     * Completes the entire Passkey registration flow in a single call.
+     * This will trigger the browser's biometric/security key prompt.
+     *
+     * @param userId - The ID (Record ID) of the user to register the passkey for.
+     * @returns A promise that resolves to the registration result from the server.
+     * @throws {PasskeyCancelledError} If the user cancels the prompt.
+     * @throws {PasskeyVerificationError} If the server-side verification fails.
+     */
+    register(userId: string): Promise<any>;
+    /**
+     * Completes the entire Passkey login flow in a single call.
+     * If a PocketBase instance was provided in the constructor, it will be automatically authenticated.
+     *
+     * @param userId - The ID (Record ID) of the user to authenticate.
+     * @returns A promise that resolves to the authentication result (contains token and record).
+     * @throws {PasskeyCancelledError} If the user cancels the prompt.
+     * @throws {PasskeyVerificationError} If the credentials are invalid or verification fails.
+     */
+    login(userId: string): Promise<any>;
+    /**
+     * Fetch registration options from the server.
+     * @internal
+     */
+    private registerBegin;
+    /**
+     * Create the credential locally and send verification data to the server.
+     * @internal
+     */
+    private registerFinish;
+    /**
+     * Fetch login options from the server.
+     * @internal
+     */
+    private loginBegin;
+    /**
+     * Handle biometric prompt for authentication and verify response with the server.
+     * @internal
+     */
+    private loginFinish;
+    /**
+     * Decodes a base64url string to an ArrayBuffer.
+     * @private
+     */
+    private base64urlToBuffer;
+    /**
+     * Encodes a Uint8Array to a base64url string.
+     * @private
+     */
+    private bufferToBase64url;
+}
+
+export { PasskeyCancelledError, PasskeyError, type PasskeyOptions, PasskeyVerificationError, PocketBasePasskey };

package/dist/index.d.ts

@@ -0,0 +1,94 @@
+/**
+ * Base error class for all Passkey-related operations.
+ */
+declare class PasskeyError extends Error {
+    constructor(message: string);
+}
+/**
+ * Thrown when a user explicitly cancels the Face ID / Touch ID / Security Key prompt.
+ */
+declare class PasskeyCancelledError extends PasskeyError {
+    constructor();
+}
+/**
+ * Thrown when the server fails to verify the passkey response.
+ */
+declare class PasskeyVerificationError extends PasskeyError {
+    constructor(message: string);
+}
+/**
+ * Configuration options for the PocketBasePasskey SDK.
+ */
+interface PasskeyOptions {
+    /** The base URL of your PocketBase server (e.g., 'http://localhost:8090'). */
+    apiUrl: string;
+    /**
+     * Optional: An instance of the official PocketBase JavaScript SDK.
+     * If provided, the SDK will automatically authenticate this instance on successful login.
+     */
+    pb?: any;
+}
+/**
+ * The main SDK class for handling Passkey registration and authentication with PocketBase.
+ */
+declare class PocketBasePasskey {
+    private apiUrl;
+    private pb?;
+    /**
+     * Initializes the Passkey SDK.
+     * @param options - A configuration object or just the API URL string.
+     */
+    constructor(options: PasskeyOptions | string);
+    /**
+     * Completes the entire Passkey registration flow in a single call.
+     * This will trigger the browser's biometric/security key prompt.
+     *
+     * @param userId - The ID (Record ID) of the user to register the passkey for.
+     * @returns A promise that resolves to the registration result from the server.
+     * @throws {PasskeyCancelledError} If the user cancels the prompt.
+     * @throws {PasskeyVerificationError} If the server-side verification fails.
+     */
+    register(userId: string): Promise<any>;
+    /**
+     * Completes the entire Passkey login flow in a single call.
+     * If a PocketBase instance was provided in the constructor, it will be automatically authenticated.
+     *
+     * @param userId - The ID (Record ID) of the user to authenticate.
+     * @returns A promise that resolves to the authentication result (contains token and record).
+     * @throws {PasskeyCancelledError} If the user cancels the prompt.
+     * @throws {PasskeyVerificationError} If the credentials are invalid or verification fails.
+     */
+    login(userId: string): Promise<any>;
+    /**
+     * Fetch registration options from the server.
+     * @internal
+     */
+    private registerBegin;
+    /**
+     * Create the credential locally and send verification data to the server.
+     * @internal
+     */
+    private registerFinish;
+    /**
+     * Fetch login options from the server.
+     * @internal
+     */
+    private loginBegin;
+    /**
+     * Handle biometric prompt for authentication and verify response with the server.
+     * @internal
+     */
+    private loginFinish;
+    /**
+     * Decodes a base64url string to an ArrayBuffer.
+     * @private
+     */
+    private base64urlToBuffer;
+    /**
+     * Encodes a Uint8Array to a base64url string.
+     * @private
+     */
+    private bufferToBase64url;
+}
+
+export { PasskeyCancelledError, PasskeyError, type PasskeyOptions, PasskeyVerificationError, PocketBasePasskey };

package/dist/index.js

@@ -0,0 +1,263 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  PasskeyCancelledError: () => PasskeyCancelledError,
+  PasskeyError: () => PasskeyError,
+  PasskeyVerificationError: () => PasskeyVerificationError,
+  PocketBasePasskey: () => PocketBasePasskey
+});
+module.exports = __toCommonJS(index_exports);
+var PasskeyError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "PasskeyError";
+  }
+};
+var PasskeyCancelledError = class extends PasskeyError {
+  constructor() {
+    super("Passkey operation was cancelled by the user");
+    this.name = "PasskeyCancelledError";
+  }
+};
+var PasskeyVerificationError = class extends PasskeyError {
+  constructor(message) {
+    super(message);
+    this.name = "PasskeyVerificationError";
+  }
+};
+var PocketBasePasskey = class {
+  apiUrl;
+  pb;
+  /**
+   * Initializes the Passkey SDK.
+   * @param options - A configuration object or just the API URL string.
+   */
+  constructor(options) {
+    if (typeof options === "string") {
+      this.apiUrl = options;
+    } else {
+      this.apiUrl = options.apiUrl || options.pb?.baseUrl;
+      this.pb = options.pb;
+    }
+    if (!this.apiUrl) {
+      throw new PasskeyError("API URL is required");
+    }
+    this.apiUrl = this.apiUrl.replace(/\/$/, "");
+  }
+  /**
+   * Completes the entire Passkey registration flow in a single call.
+   * This will trigger the browser's biometric/security key prompt.
+   * 
+   * @param userId - The ID (Record ID) of the user to register the passkey for.
+   * @returns A promise that resolves to the registration result from the server.
+   * @throws {PasskeyCancelledError} If the user cancels the prompt.
+   * @throws {PasskeyVerificationError} If the server-side verification fails.
+   */
+  async register(userId) {
+    try {
+      const options = await this.registerBegin(userId);
+      return await this.registerFinish(userId, options);
+    } catch (err) {
+      if (err.name === "NotAllowedError" || err.message?.includes("cancelled")) {
+        throw new PasskeyCancelledError();
+      }
+      throw err;
+    }
+  }
+  /**
+   * Completes the entire Passkey login flow in a single call.
+   * If a PocketBase instance was provided in the constructor, it will be automatically authenticated.
+   * 
+   * @param userId - The ID (Record ID) of the user to authenticate.
+   * @returns A promise that resolves to the authentication result (contains token and record).
+   * @throws {PasskeyCancelledError} If the user cancels the prompt.
+   * @throws {PasskeyVerificationError} If the credentials are invalid or verification fails.
+   */
+  async login(userId) {
+    try {
+      const options = await this.loginBegin(userId);
+      const result = await this.loginFinish(userId, options);
+      if (this.pb && result.token && result.record) {
+        this.pb.authStore.save(result.token, result.record);
+      }
+      return result;
+    } catch (err) {
+      if (err.name === "NotAllowedError" || err.message?.includes("cancelled")) {
+        throw new PasskeyCancelledError();
+      }
+      throw err;
+    }
+  }
+  // --- Private/Lower-level methods ---
+  /**
+   * Fetch registration options from the server.
+   * @internal
+   */
+  async registerBegin(userId) {
+    const res = await fetch(`${this.apiUrl}/api/passkey/register/begin`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ userId })
+    });
+    const data = await res.json();
+    if (!res.ok) throw new PasskeyError(data.error || "Failed to begin registration");
+    return data;
+  }
+  /**
+   * Create the credential locally and send verification data to the server.
+   * @internal
+   */
+  async registerFinish(userId, data) {
+    const options = data.publicKey || data;
+    const creationOptions = {
+      ...options,
+      challenge: this.base64urlToBuffer(options.challenge),
+      user: {
+        ...options.user,
+        id: this.base64urlToBuffer(options.user?.id)
+      }
+    };
+    if (creationOptions.excludeCredentials) {
+      creationOptions.excludeCredentials = creationOptions.excludeCredentials.map((cred) => ({
+        ...cred,
+        id: this.base64urlToBuffer(cred.id)
+      }));
+    }
+    const credential = await navigator.credentials.create({
+      publicKey: creationOptions
+    });
+    if (!credential) throw new PasskeyCancelledError();
+    const response = credential.response;
+    const body = {
+      userId,
+      id: credential.id,
+      rawId: this.bufferToBase64url(new Uint8Array(credential.rawId)),
+      type: credential.type,
+      response: {
+        attestationObject: this.bufferToBase64url(new Uint8Array(response.attestationObject)),
+        clientDataJSON: this.bufferToBase64url(new Uint8Array(response.clientDataJSON))
+      }
+    };
+    const finishRes = await fetch(`${this.apiUrl}/api/passkey/register/finish`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    const finishData = await finishRes.json();
+    if (!finishRes.ok) throw new PasskeyVerificationError(finishData.error || "Registration failed");
+    return finishData;
+  }
+  /**
+   * Fetch login options from the server.
+   * @internal
+   */
+  async loginBegin(userId) {
+    const res = await fetch(`${this.apiUrl}/api/passkey/login/begin`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ userId })
+    });
+    const data = await res.json();
+    if (!res.ok) throw new PasskeyError(data.error || "Failed to begin login");
+    return data;
+  }
+  /**
+   * Handle biometric prompt for authentication and verify response with the server.
+   * @internal
+   */
+  async loginFinish(userId, data) {
+    const options = data.publicKey || data;
+    const requestOptions = {
+      ...options,
+      challenge: this.base64urlToBuffer(options.challenge)
+    };
+    if (requestOptions.allowCredentials) {
+      requestOptions.allowCredentials = requestOptions.allowCredentials.map((cred) => ({
+        ...cred,
+        id: this.base64urlToBuffer(cred.id)
+      }));
+    }
+    const assertion = await navigator.credentials.get({
+      publicKey: requestOptions
+    });
+    if (!assertion) throw new PasskeyCancelledError();
+    const response = assertion.response;
+    const body = {
+      userId,
+      id: assertion.id,
+      rawId: this.bufferToBase64url(new Uint8Array(assertion.rawId)),
+      type: assertion.type,
+      response: {
+        authenticatorData: this.bufferToBase64url(new Uint8Array(response.authenticatorData)),
+        clientDataJSON: this.bufferToBase64url(new Uint8Array(response.clientDataJSON)),
+        signature: this.bufferToBase64url(new Uint8Array(response.signature)),
+        userHandle: response.userHandle ? this.bufferToBase64url(new Uint8Array(response.userHandle)) : null
+      }
+    };
+    const finishRes = await fetch(`${this.apiUrl}/api/passkey/login/finish`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    const finishData = await finishRes.json();
+    if (!finishRes.ok) throw new PasskeyVerificationError(finishData.error || "Login failed");
+    if (!finishData.token) {
+      throw new PasskeyVerificationError("No token received");
+    }
+    return finishData;
+  }
+  // --- Utils ---
+  /**
+   * Decodes a base64url string to an ArrayBuffer.
+   * @private
+   */
+  base64urlToBuffer(base64url) {
+    if (!base64url || typeof base64url !== "string") {
+      return new ArrayBuffer(0);
+    }
+    const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+    const padLen = (4 - base64.length % 4) % 4;
+    const paddedBase64 = base64 + "=".repeat(padLen);
+    const binary = atob(paddedBase64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+  }
+  /**
+   * Encodes a Uint8Array to a base64url string.
+   * @private
+   */
+  bufferToBase64url(buffer) {
+    const binary = String.fromCharCode(...buffer);
+    const base64 = btoa(binary);
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  PasskeyCancelledError,
+  PasskeyError,
+  PasskeyVerificationError,
+  PocketBasePasskey
+});

package/dist/index.mjs

@@ -0,0 +1,235 @@
+// src/index.ts
+var PasskeyError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "PasskeyError";
+  }
+};
+var PasskeyCancelledError = class extends PasskeyError {
+  constructor() {
+    super("Passkey operation was cancelled by the user");
+    this.name = "PasskeyCancelledError";
+  }
+};
+var PasskeyVerificationError = class extends PasskeyError {
+  constructor(message) {
+    super(message);
+    this.name = "PasskeyVerificationError";
+  }
+};
+var PocketBasePasskey = class {
+  apiUrl;
+  pb;
+  /**
+   * Initializes the Passkey SDK.
+   * @param options - A configuration object or just the API URL string.
+   */
+  constructor(options) {
+    if (typeof options === "string") {
+      this.apiUrl = options;
+    } else {
+      this.apiUrl = options.apiUrl || options.pb?.baseUrl;
+      this.pb = options.pb;
+    }
+    if (!this.apiUrl) {
+      throw new PasskeyError("API URL is required");
+    }
+    this.apiUrl = this.apiUrl.replace(/\/$/, "");
+  }
+  /**
+   * Completes the entire Passkey registration flow in a single call.
+   * This will trigger the browser's biometric/security key prompt.
+   * 
+   * @param userId - The ID (Record ID) of the user to register the passkey for.
+   * @returns A promise that resolves to the registration result from the server.
+   * @throws {PasskeyCancelledError} If the user cancels the prompt.
+   * @throws {PasskeyVerificationError} If the server-side verification fails.
+   */
+  async register(userId) {
+    try {
+      const options = await this.registerBegin(userId);
+      return await this.registerFinish(userId, options);
+    } catch (err) {
+      if (err.name === "NotAllowedError" || err.message?.includes("cancelled")) {
+        throw new PasskeyCancelledError();
+      }
+      throw err;
+    }
+  }
+  /**
+   * Completes the entire Passkey login flow in a single call.
+   * If a PocketBase instance was provided in the constructor, it will be automatically authenticated.
+   * 
+   * @param userId - The ID (Record ID) of the user to authenticate.
+   * @returns A promise that resolves to the authentication result (contains token and record).
+   * @throws {PasskeyCancelledError} If the user cancels the prompt.
+   * @throws {PasskeyVerificationError} If the credentials are invalid or verification fails.
+   */
+  async login(userId) {
+    try {
+      const options = await this.loginBegin(userId);
+      const result = await this.loginFinish(userId, options);
+      if (this.pb && result.token && result.record) {
+        this.pb.authStore.save(result.token, result.record);
+      }
+      return result;
+    } catch (err) {
+      if (err.name === "NotAllowedError" || err.message?.includes("cancelled")) {
+        throw new PasskeyCancelledError();
+      }
+      throw err;
+    }
+  }
+  // --- Private/Lower-level methods ---
+  /**
+   * Fetch registration options from the server.
+   * @internal
+   */
+  async registerBegin(userId) {
+    const res = await fetch(`${this.apiUrl}/api/passkey/register/begin`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ userId })
+    });
+    const data = await res.json();
+    if (!res.ok) throw new PasskeyError(data.error || "Failed to begin registration");
+    return data;
+  }
+  /**
+   * Create the credential locally and send verification data to the server.
+   * @internal
+   */
+  async registerFinish(userId, data) {
+    const options = data.publicKey || data;
+    const creationOptions = {
+      ...options,
+      challenge: this.base64urlToBuffer(options.challenge),
+      user: {
+        ...options.user,
+        id: this.base64urlToBuffer(options.user?.id)
+      }
+    };
+    if (creationOptions.excludeCredentials) {
+      creationOptions.excludeCredentials = creationOptions.excludeCredentials.map((cred) => ({
+        ...cred,
+        id: this.base64urlToBuffer(cred.id)
+      }));
+    }
+    const credential = await navigator.credentials.create({
+      publicKey: creationOptions
+    });
+    if (!credential) throw new PasskeyCancelledError();
+    const response = credential.response;
+    const body = {
+      userId,
+      id: credential.id,
+      rawId: this.bufferToBase64url(new Uint8Array(credential.rawId)),
+      type: credential.type,
+      response: {
+        attestationObject: this.bufferToBase64url(new Uint8Array(response.attestationObject)),
+        clientDataJSON: this.bufferToBase64url(new Uint8Array(response.clientDataJSON))
+      }
+    };
+    const finishRes = await fetch(`${this.apiUrl}/api/passkey/register/finish`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    const finishData = await finishRes.json();
+    if (!finishRes.ok) throw new PasskeyVerificationError(finishData.error || "Registration failed");
+    return finishData;
+  }
+  /**
+   * Fetch login options from the server.
+   * @internal
+   */
+  async loginBegin(userId) {
+    const res = await fetch(`${this.apiUrl}/api/passkey/login/begin`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ userId })
+    });
+    const data = await res.json();
+    if (!res.ok) throw new PasskeyError(data.error || "Failed to begin login");
+    return data;
+  }
+  /**
+   * Handle biometric prompt for authentication and verify response with the server.
+   * @internal
+   */
+  async loginFinish(userId, data) {
+    const options = data.publicKey || data;
+    const requestOptions = {
+      ...options,
+      challenge: this.base64urlToBuffer(options.challenge)
+    };
+    if (requestOptions.allowCredentials) {
+      requestOptions.allowCredentials = requestOptions.allowCredentials.map((cred) => ({
+        ...cred,
+        id: this.base64urlToBuffer(cred.id)
+      }));
+    }
+    const assertion = await navigator.credentials.get({
+      publicKey: requestOptions
+    });
+    if (!assertion) throw new PasskeyCancelledError();
+    const response = assertion.response;
+    const body = {
+      userId,
+      id: assertion.id,
+      rawId: this.bufferToBase64url(new Uint8Array(assertion.rawId)),
+      type: assertion.type,
+      response: {
+        authenticatorData: this.bufferToBase64url(new Uint8Array(response.authenticatorData)),
+        clientDataJSON: this.bufferToBase64url(new Uint8Array(response.clientDataJSON)),
+        signature: this.bufferToBase64url(new Uint8Array(response.signature)),
+        userHandle: response.userHandle ? this.bufferToBase64url(new Uint8Array(response.userHandle)) : null
+      }
+    };
+    const finishRes = await fetch(`${this.apiUrl}/api/passkey/login/finish`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    const finishData = await finishRes.json();
+    if (!finishRes.ok) throw new PasskeyVerificationError(finishData.error || "Login failed");
+    if (!finishData.token) {
+      throw new PasskeyVerificationError("No token received");
+    }
+    return finishData;
+  }
+  // --- Utils ---
+  /**
+   * Decodes a base64url string to an ArrayBuffer.
+   * @private
+   */
+  base64urlToBuffer(base64url) {
+    if (!base64url || typeof base64url !== "string") {
+      return new ArrayBuffer(0);
+    }
+    const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+    const padLen = (4 - base64.length % 4) % 4;
+    const paddedBase64 = base64 + "=".repeat(padLen);
+    const binary = atob(paddedBase64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+  }
+  /**
+   * Encodes a Uint8Array to a base64url string.
+   * @private
+   */
+  bufferToBase64url(buffer) {
+    const binary = String.fromCharCode(...buffer);
+    const base64 = btoa(binary);
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  }
+};
+export {
+  PasskeyCancelledError,
+  PasskeyError,
+  PasskeyVerificationError,
+  PocketBasePasskey
+};

package/package.json

@@ -0,0 +1,25 @@
+{
+    "name": "pocketbase-passkey",
+    "version": "1.0.0",
+    "description": "PocketBase Passkey (WebAuthn) SDK",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "files": [
+        "dist"
+    ],
+    "scripts": {
+        "build": "tsup src/index.ts --format cjs,esm --dts --clean"
+    },
+    "keywords": [
+        "pocketbase",
+        "passkey",
+        "webauthn",
+        "auth"
+    ],
+    "author": "kaiseo",
+    "license": "MIT",
+    "devDependencies": {
+        "tsup": "^8.0.0",
+        "typescript": "^5.0.0"
+    }
+}