UNPKG

accounts

Version:

Tempo Accounts SDK

130 lines 5.7 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
import { type Handler, from } from '../../Handler.js'; import * as Kv from '../../Kv.js'; import * as Session from './session.js'; /** * Session payload persisted in the session store and surfaced via * `getSession`. Mirrors the shape of the WebAuthn login response so * downstream handlers can identify the authenticated credential without * an extra round-trip. */ export type SessionPayload = { /** Credential ID returned by the authenticator. */ credentialId: string; /** Credential public key (hex). */ publicKey: string; /** Optional `userHandle` returned by the authenticator. */ userId?: string | undefined; /** Unix timestamp (seconds) when the session was issued. */ issuedAt: number; /** Unix timestamp (seconds) when the session expires. */ expiresAt: number; }; /** * Instantiates a WebAuthn ceremony handler that manages registration and * authentication flows server-side. * * Mounts five POST endpoints under `path`: * - `POST {path}/register/options` — generate credential creation options * - `POST {path}/register` — verify registration and store credential * - `POST {path}/login/options` — generate credential request options * - `POST {path}/login` — verify authentication and issue a session * (cookie via `Set-Cookie`, or `{ token }` body when `cookie: false` * or the request opts in via `returnToken: true`) * - `POST {path}/logout` — revoke the session and clear the cookie * * The returned handler also exposes `getSession(req)` for resolving the * current session from a follow-up request's cookie or `Authorization: * Bearer` header. * * @example * ```ts * import { Handler, Kv } from 'accounts/server' * * const handler = Handler.webAuthn({ * kv: Kv.memory(), * origin: 'https://example.com', * rpId: 'example.com', * }) * * export default handler * ``` * * @param options - Options. * @returns Request handler. */ export declare function webAuthn(options: webAuthn.Options): webAuthn.ReturnType; export declare namespace webAuthn { /** Return type of `webAuthn()` — a `Handler` extended with `getSession`. */ type ReturnType = Handler & { getSession: getSession; }; /** Resolves the current session from a request's cookie or bearer token. */ type getSession = (req: Session.SessionRequest) => Promise<SessionPayload | undefined>; type Options = from.Options & { /** * Whether to issue a session cookie on successful login. When * `false`, the login response always contains `{ token }` in the * body, no `Set-Cookie` header is sent, logout does not clear a * cookie, and `getSession` ignores any incoming cookie — only * `Authorization: Bearer <token>` is honored. Use this when the SDK * lives in a non-browser context or the host app already manages * its own auth cookies. * @default true */ cookie?: boolean | undefined; /** Cookie name for the session token. @default "accounts_webauthn" */ cookieName?: string | undefined; /** Key-value store for challenges, credentials, and sessions. */ kv: Kv.Kv; /** Called after a successful registration. The returned response is merged onto the default JSON response. */ onRegister?: (parameters: { credentialId: string; /** The name provided during `/register/options` (e.g. user email). */ name: string; publicKey: string; request: Request; /** The `userId` provided during `/register/options`, if any. */ userId?: string | undefined; }) => Response | Promise<Response> | void | Promise<void>; /** * Called after a successful authentication, before the session * token is issued. Returning a `Response` merges its JSON body and * status onto the default login response (legacy contract). * Throwing rejects the request with `401` — the thrown error's * `message` is surfaced as the response `error` field — and no * session is issued. */ onAuthenticate?: (parameters: { credentialId: string; publicKey: string; userId?: string | undefined; request: Request; }) => Response | Promise<Response> | void | Promise<void>; /** Expected origin(s) (e.g. `"https://example.com"` or `["https://a.com", "https://b.com"]`). */ origin: string | readonly string[]; /** Path prefix for the WebAuthn endpoints (e.g. `"/webauthn"`). @default "" */ path?: string | undefined; /** Relying Party ID (e.g. `"example.com"`). */ rpId: string; /** * Whether to issue a session on successful login. When `false`, * login acts as a stateless WebAuthn verification — no token is * generated, no entry is written to the kv, and no cookie is sent. * The login response still carries `{ credentialId, publicKey, * userId? }`. `getSession` always returns `undefined` and `/logout` * is a no-op (still returns `204`). Use this when the host * application mints its own session token (e.g. a JWT inside * `onAuthenticate`). * @default true */ session?: boolean | undefined; /** TTLs in seconds. */ ttl?: { /** Challenge TTL. @default 300 (5m) */ challenge?: number | undefined; /** Session TTL. @default 86400 (24h) */ session?: number | undefined; } | undefined; }; } //# sourceMappingURL=webAuthn.d.ts.map