fix(ios): use platform-only provider for targeted assertions

.github/workflows/publish.yml

@@ -0,0 +1,74 @@
+name: Publish to npm
+
+# Manual-only for now. Flip to a tag-push or version-bump trigger once we have
+# a release cadence we like. `workflow_dispatch` keeps the first publish (and
+# any future one-offs) under human control.
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Run npm publish with --dry-run (no registry write).'
+        required: false
+        default: false
+        type: boolean
+
+# Package-name-scoped concurrency: one publish at a time, never cancelled
+# mid-flight (npm publishes aren't safely interruptable).
+concurrency:
+  group: publish-npm
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  # OIDC: npm exchanges this token for a short-lived publish credential via
+  # the Trusted Publisher configured on `@officialunofficial/react-native-passkeys`.
+  # No NPM_TOKEN secret needed; every publish also gets a signed provenance
+  # attestation in sigstore's transparency log.
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v6
+        with:
+          version: '10'
+
+      - name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          # Node 22 ships with npm 11, which has native Trusted Publisher
+          # OIDC support. On Node 20's npm 10, `npm publish` can't exchange
+          # the GH OIDC token for a publish credential and falls through to
+          # unauthenticated → 404.
+          node-version: '22'
+          cache: 'pnpm'
+          registry-url: 'https://registry.npmjs.org'
+          scope: '@officialunofficial'
+
+
+      - name: Install
+        run: pnpm install --frozen-lockfile
+
+      - name: Build
+        run: pnpm run build
+
+      - name: Check exports (types)
+        run: pnpm run check-exports
+
+      # Trusted Publisher OIDC requires npm >= 11.5.1. Node 22 ships npm 10,
+      # so we run the latest npm ephemerally via `npx`. This avoids the
+      # `npm install -g npm@latest` self-upgrade bug (missing promise-retry
+      # in the reify path) while still getting OIDC support per publish.
+      - name: Publish
+        run: |
+          if [ "${{ inputs.dry_run }}" = "true" ]; then
+            npx -y npm@latest publish --provenance --access public --dry-run
+          else
+            npx -y npm@latest publish --provenance --access public
+          fi

.gitignore

@@ -6,9 +6,12 @@
 .vscode/
 jsconfig.json
 
-# Xcode
+# Xcode — only ignore the iOS Xcode build dir, not the root `build/` (which is
+# our TypeScript output; committed so consumers don't re-run `expo-module build`
+# on install — avoids CF Workers Builds' yarn-via-corepack quirk).
 #
-build/
+ios/build/
+example/ios/build/
 *.pbxuser
 !default.pbxuser
 *.mode1v3

build/ReactNativePasskeys.types.d.ts

@@ -0,0 +1,214 @@
+import type { AuthenticationExtensionsClientInputs as TypeScriptAuthenticationExtensionsClientInputs, Base64URLString, AuthenticatorTransportFuture, PublicKeyCredentialJSON, PublicKeyCredentialDescriptorJSON, PublicKeyCredentialUserEntityJSON, AuthenticatorAttestationResponseJSON } from "@simplewebauthn/typescript-types";
+export type { AttestationConveyancePreference, AuthenticationCredential, AuthenticatorAssertionResponse, AuthenticatorAttachment, AuthenticatorAttestationResponse, AuthenticatorSelectionCriteria, AuthenticatorTransport, COSEAlgorithmIdentifier, Crypto, PublicKeyCredentialCreationOptions, PublicKeyCredentialDescriptor, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptions, PublicKeyCredentialRpEntity, PublicKeyCredentialType, PublicKeyCredentialUserEntity, RegistrationCredential, UserVerificationRequirement, } from "@simplewebauthn/typescript-types";
+export type { Base64URLString, PublicKeyCredentialJSON, AuthenticatorTransportFuture, PublicKeyCredentialDescriptorJSON, PublicKeyCredentialUserEntityJSON, AuthenticatorAttestationResponseJSON, };
+/**
+ * A variant of PublicKeyCredentialCreationOptions suitable for JSON transmission
+ *
+ * This should eventually get replaced with official TypeScript DOM types when WebAuthn L3 types
+ * eventually make it into the language:
+ *
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-publickeycredentialcreationoptionsjson
+ */
+export interface PublicKeyCredentialCreationOptionsJSON {
+    rp: PublicKeyCredentialRpEntity;
+    user: PublicKeyCredentialUserEntityJSON;
+    challenge: Base64URLString;
+    pubKeyCredParams: PublicKeyCredentialParameters[];
+    timeout?: number;
+    excludeCredentials?: PublicKeyCredentialDescriptorJSON[];
+    authenticatorSelection?: AuthenticatorSelectionCriteria;
+    attestation?: AttestationConveyancePreference;
+    extensions?: AuthenticationExtensionsClientInputs;
+}
+/**
+ * A variant of PublicKeyCredentialRequestOptions suitable for JSON transmission
+ */
+export interface PublicKeyCredentialRequestOptionsJSON {
+    challenge: Base64URLString;
+    timeout?: number;
+    rpId?: string;
+    allowCredentials?: PublicKeyCredentialDescriptorJSON[];
+    userVerification?: UserVerificationRequirement;
+    extensions?: AuthenticationExtensionsClientInputs;
+}
+export type AccountCreationContactIdentifierType = "email" | "phoneNumber";
+export interface FastAccountCreationOptions {
+    acceptedContactIdentifiers: AccountCreationContactIdentifierType[];
+    challenge: Base64URLString;
+    rpId: string;
+    shouldRequestName?: boolean;
+    userId: Base64URLString;
+}
+export interface PersonNameComponentsJSON {
+    namePrefix?: string;
+    givenName?: string;
+    middleName?: string;
+    familyName?: string;
+    nameSuffix?: string;
+    nickname?: string;
+}
+export interface AccountCreationContactIdentifier {
+    type: AccountCreationContactIdentifierType;
+    value: string;
+}
+export interface AccountCreationDetails {
+    contactIdentifier: AccountCreationContactIdentifier;
+    name?: PersonNameComponentsJSON;
+}
+/**
+ * A slightly-modified RegistrationCredential to simplify working with ArrayBuffers that
+ * are Base64URL-encoded so that they can be sent as JSON.
+ *
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-registrationresponsejson
+ */
+export interface RegistrationResponseJSON {
+    id: Base64URLString;
+    rawId: Base64URLString;
+    response: AuthenticatorAttestationResponseJSON;
+    authenticatorAttachment?: AuthenticatorAttachment;
+    clientExtensionResults: AuthenticationExtensionsClientOutputsJSON;
+    type: PublicKeyCredentialType;
+}
+/**
+ * A slightly-modified AuthenticationCredential to simplify working with ArrayBuffers that
+ * are Base64URL-encoded so that they can be sent as JSON.
+ *
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-authenticationresponsejson
+ */
+export interface AuthenticationResponseJSON {
+    id: Base64URLString;
+    rawId: Base64URLString;
+    response: AuthenticatorAssertionResponseJSON;
+    authenticatorAttachment?: AuthenticatorAttachment;
+    clientExtensionResults: AuthenticationExtensionsClientOutputsJSON;
+    type: PublicKeyCredentialType;
+}
+/**
+ * A slightly-modified AuthenticatorAssertionResponse to simplify working with ArrayBuffers that
+ * are Base64URL-encoded so that they can be sent as JSON.
+ *
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-authenticatorassertionresponsejson
+ */
+export interface AuthenticatorAssertionResponseJSON {
+    clientDataJSON: Base64URLString;
+    authenticatorData: Base64URLString;
+    signature: Base64URLString;
+    userHandle?: string;
+}
+/**
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-authenticationextensionsprfinputs
+ */
+export interface AuthenticationExtensionsPRFInputs {
+    /**
+     * A single set of PRF inputs to evaluate for the selected credential.
+     */
+    eval?: {
+        first: Base64URLString;
+        second?: Base64URLString;
+    };
+    /**
+     * A record mapping base64url-encoded credential IDs to PRF inputs.
+     * Only valid during authentication when allowCredentials is specified.
+     * Each credential can have different PRF inputs evaluated.
+     */
+    evalByCredential?: Record<Base64URLString, {
+        first: Base64URLString;
+        second?: Base64URLString;
+    }>;
+}
+/**
+ * TypeScript's types are behind the latest extensions spec, so we define them here.
+ * Should eventually be replaced by TypeScript's when TypeScript gets updated to
+ * know about it (sometime after 5.3)
+ *
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-authenticationextensionsclientinputs
+ */
+export interface AuthenticationExtensionsClientInputs extends TypeScriptAuthenticationExtensionsClientInputs {
+    largeBlob?: AuthenticationExtensionsLargeBlobInputs;
+    prf?: AuthenticationExtensionsPRFInputs;
+}
+export type LargeBlobSupport = "preferred" | "required";
+/**
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-authenticationextensionslargeblobinputs
+ */
+export interface AuthenticationExtensionsLargeBlobInputs {
+    support?: LargeBlobSupport;
+    read?: boolean;
+    write?: Base64URLString;
+}
+export interface AuthenticationExtensionsClientOutputs {
+    largeBlob?: Omit<AuthenticationExtensionsLargeBlobOutputs, "blob"> & {
+        blob?: ArrayBuffer;
+    };
+    prf?: Omit<AuthenticationExtensionsPRFOutputsJSON, "results"> & {
+        results: {
+            first: ArrayBuffer;
+            second?: ArrayBuffer;
+        };
+    };
+    credProps?: CredentialPropertiesOutput;
+}
+export interface AuthenticationExtensionsClientOutputsJSON {
+    largeBlob?: AuthenticationExtensionsLargeBlobOutputs;
+    prf?: AuthenticationExtensionsPRFOutputsJSON;
+    credProps?: CredentialPropertiesOutput;
+}
+/**
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-authenticationextensionslargebloboutputs
+ */
+export interface AuthenticationExtensionsLargeBlobOutputs {
+    supported?: boolean;
+    blob?: Base64URLString;
+    written?: boolean;
+}
+/**
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-credentialpropertiesoutput
+ */
+export interface CredentialPropertiesOutput {
+    /**
+     * This OPTIONAL property, known abstractly as the resident key credential property (i.e., client-side
+     * discoverable credential property), is a Boolean value indicating whether the PublicKeyCredential
+     * returned as a result of a registration ceremony is a client-side discoverable credential (passkey).
+     *
+     * If rk is true, the credential is a discoverable credential (resident key/passkey).
+     * If rk is false, the credential is a server-side credential.
+     * If rk is not present, it is not known whether the credential is a discoverable credential or not.
+     */
+    rk?: boolean;
+}
+/**
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-authenticationextensionsprfvalues
+ */
+export interface AuthenticationExtensionsPRFValuesJSON {
+    first: Base64URLString;
+    second?: Base64URLString;
+}
+/**
+ * - Specification reference: https://w3c.github.io/webauthn/#dictdef-authenticationextensionsprfoutputs
+ */
+export interface AuthenticationExtensionsPRFOutputsJSON {
+    enabled?: boolean;
+    results?: AuthenticationExtensionsPRFValuesJSON;
+}
+/**
+ * A library specific type that combines the JSON results of a registration operation with a method
+ * to get the public key of the new credential since these are not available directly from the native side
+ */
+export interface CreationResponse extends Omit<RegistrationResponseJSON, "response"> {
+    response: RegistrationResponseJSON["response"] & {
+        /**
+         * This operation returns a Base64URLString containing the DER SubjectPublicKeyInfo of the new credential, or null if this is not available.
+         *
+         * **Note:** This deviates from the standard Web Authentication API, which returns `ArrayBuffer | null` on web browsers.
+         * For cross-platform consistency, this library converts the ArrayBuffer to Base64URLString on web platforms,
+         * matching the native iOS/Android behavior where binary data is transmitted as Base64URL-encoded strings.
+         *
+         * @see https://w3c.github.io/webauthn/#dom-authenticatorattestationresponse-getpublickey
+         */
+        getPublicKey(): Base64URLString | null;
+    };
+}
+export interface AccountCreationResponse extends Omit<CreationResponse, "account"> {
+    account: AccountCreationDetails;
+}
+//# sourceMappingURL=ReactNativePasskeys.types.d.ts.map