my own indieAuth provider! indiko.dunkirk.sh/docs
indieauth oauth2-server


feat: filter passkeys

+7 -3
+7 -3
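--- a/src/routes/auth.ts
+++ b/src/routes/auth.ts
@@ -322,7 +322,7 @@
 return Response.json({ error: "Account is suspended" }, { status: 403 });
 }
 
-// Get user's credentials (just to verify they exist)
+// Get user's credentials
 const credentials = db
 .query("SELECT credential_id FROM credentials WHERE user_id = ?")
 .all(user.id) as { credential_id: Buffer }[];
@@ -335,12 +335,16 @@
 }
 
 // Generate authentication options
-// For discoverable credentials, omit allowCredentials to let password managers
-// show all available passkeys for this RP ID
+// Include allowCredentials to filter to only this user's passkeys
 const options: PublicKeyCredentialRequestOptionsJSON =
 await generateAuthenticationOptions({
 rpID: process.env.RP_ID!,
 userVerification: "required",
+allowCredentials: credentials.map(c => ({
+id: c.credential_id.toString('base64url'),
+type: 'public-key' as const,
+transports: ['hybrid', 'internal', 'usb', 'ble', 'nfc'] as AuthenticatorTransportFuture[],
+})),
 });
 
 // Store challenge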
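Review bot: The added `allowCredentials` list puts every credential ID stored for the looked-up account into the options response, and this step appears to run before the caller has authenticated (the lookup of `user` is outside the hunk, so confirm against the full handler). If so, anyone who can name an account learns whether it has passkeys and which credential IDs belong to it, which is the credential-ID disclosure the WebAuthn privacy considerations describe. Keep the response shape for unknown and known accounts indistinguishable, rate-limit this endpoint, and record the trade-off in place of the new comment, e.g. `// allowCredentials discloses this user's credential IDs before authentication; unknown-user responses must look the same`. Separately, the `transports` line asserts all five transports for every credential through a cast rather than what the authenticator reported at registration; either persist and return the stored transports or drop the `transports` property so clients are not given misleading hints.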