/**
 * Server-side WebAuthn implementation
 *
 * Uses @simplewebauthn/server for full WebAuthn verification including:
 * - clientDataJSON.type validation ('webauthn.create' / 'webauthn.get')
 * - origin verification
 * - rpIdHash verification
 * - authenticator cryptographic signature verification
 * - sign counter checking for clone detection
 *
 * This is a declaration-only file: it describes the public surface of
 * WebAuthnServer. The validation steps listed on each method are the
 * documented contract of the implementation, which is not visible here.
 */
import type { WebAuthnOptions, StoredCredential } from '../types/auth';
import { type RegistrationResponseJSON, type AuthenticationResponseJSON } from '@simplewebauthn/server';

/**
 * NOTE: The in-memory credential store is suitable for development and testing only.
 * Production deployments should use a persistent database (e.g., PostgreSQL, SQLite)
 * for credential storage to survive server restarts and support horizontal scaling.
 */
export declare class WebAuthnServer {
  /** Maximum number of WebAuthn credentials a single user may register */
  private static readonly MAX_CREDENTIALS_PER_USER;
  /** Maximum number of distinct users with stored credentials */
  private static readonly MAX_TOTAL_USERS;
  // NOTE(review): the two caps above presumably bound the growth of the
  // in-memory maps below (a resource-exhaustion control); their values and
  // what happens when a cap is hit are not visible from this declaration.

  /** Relying-party configuration passed to the constructor (see WebAuthnOptions). */
  private options;
  /**
   * Outstanding challenges issued by generate*Challenge(), presumably keyed by
   * userId (the type is not declared here).
   * NOTE(review): whether a challenge expires, and whether it is consumed on
   * first verification attempt (single use), cannot be determined from this
   * declaration — confirm in the implementation.
   */
  private challenges;
  /** Registered credentials per user, held in memory (see NOTE above). */
  private credentials;

  /**
   * @param options Relying-party configuration (RP ID, expected origin, …) —
   *   the exact fields are defined by WebAuthnOptions in '../types/auth'.
   */
  constructor(options: WebAuthnOptions);

  /**
   * Generate a new challenge for registration
   * @param userId The user's ID (pubkey)
   * @returns The newly generated challenge
   */
  generateRegistrationChallenge(userId: string): string;

  /**
   * Generate a new challenge for authentication
   * @param userId The user's ID (pubkey)
   * @returns The newly generated challenge
   */
  generateAuthenticationChallenge(userId: string): string;

  /**
   * Verify a WebAuthn registration response.
   *
   * Validates:
   * - clientDataJSON.type === 'webauthn.create'
   * - clientDataJSON.origin matches expected origin
   * - clientDataJSON.challenge matches the issued challenge (constant-time)
   * - rpIdHash matches SHA-256 of the configured RP ID
   * - Authenticator flags (user presence, user verification if required)
   * - Attestation statement (if present)
   *
   * On success, stores the extracted credential public key and counter
   * for future authentication verification.
   *
   * @param userId The user's ID (pubkey)
   * @param credential The RegistrationResponseJSON from the client
   * @returns Resolves once verification completes. NOTE(review): the Promise
   *   type argument is missing in this copy (the declaration reads "Promise;"),
   *   which does not type-check; restore the resolved type from the original
   *   source. Whether failure is reported by rejection or by the resolved value
   *   is likewise not visible here.
   */
  verifyRegistration(userId: string, credential: RegistrationResponseJSON): Promise;

  /**
   * Verify a WebAuthn authentication response.
   *
   * Validates:
   * - clientDataJSON.type === 'webauthn.get'
   * - clientDataJSON.origin matches expected origin
   * - clientDataJSON.challenge matches the issued challenge (constant-time)
   * - rpIdHash matches SHA-256 of the configured RP ID
   * - Authenticator signature against the stored credential public key
   * - Sign counter to detect cloned authenticators
   *
   * @param userId The user's ID (pubkey)
   * @param credential The AuthenticationResponseJSON from the client
   * @returns Resolves once verification completes. NOTE(review): the Promise
   *   type argument is missing in this copy (see verifyRegistration); restore
   *   it from the original source.
   */
  verifyAuthentication(userId: string, credential: AuthenticationResponseJSON): Promise;

  /**
   * Get stored credentials for a user (useful for generating authentication options)
   * @param userId The user's ID (pubkey)
   * @returns The user's stored credentials, or `undefined` — presumably when no
   *   credentials are registered for userId (not visible from this declaration).
   */
  getCredentials(userId: string): StoredCredential[] | undefined;

  /**
   * Remove all credentials for a user
   * @param userId The user's ID (pubkey)
   * @returns A boolean — presumably whether any credentials existed for userId;
   *   confirm against the implementation.
   */
  removeCredentials(userId: string): boolean;
}