feat: aaguid lookup & authenticator metadata

[o-az]

• Add Aaguid.extract to parse AAGUID from attestation objects
• Add Aaguid.lookup to resolve authenticator metadata (name, icons) from the passkey-authenticator-aaguids registry
• Include aaguid in Registration.verify response (optional — undefined when not decodable)
• Update Hono example to display authenticator name & icon via AAGUID lookup

---

Logic:

webauthx always extracts the raw aaguid synchronously during Registration.verify(...), and Aaguid.lookup({ id, remoteList?, fetchFn?, cache? }) optionally resolves friendly metadata by fetching a remote registry. The lookup uses remoteList if provided, otherwise defaults to the GitHub combined_aaguid.json URL, uses fetchFn if provided or globalThis.fetch otherwise, normalizes AAGUID keys to lowercase plus upstream snake_case/camelCase icon fields, and caches the fetched registry in a module-level in-memory Map keyed by URL so later lookups reuse the same cached result or in-flight promise; cache: false bypasses that, and failed fetches are evicted so retries can succeed.

Aaguid.lookup:

import { Aaguid, Registration } from 'webauthx/server'

// After registration verification
const result = Registration.verify(credential, { challenge, origin, rpId })

// Extract authenticator metadata from AAGUID
if (result.aaguid) {
  const authenticator = await Aaguid.lookup({ id: result.aaguid })
  // ^? { name: 'iCloud Keychain', iconLight: 'https://...', iconDark: 'https://...' } | null
}

// Store alongside the credential
await db.saveCredential({
  id: result.credential.id,
  publicKey: result.credential.publicKey,
  aaguid: result.aaguid,
})

Aaguid.extract:

import { Aaguid } from 'webauthx/server'

// Extract AAGUID from a serialized registration credential
const aaguid = Aaguid.extract(credential)
// ^? string | undefined
// e.g. '08987058-cadc-4b81-b6e1-30de50dcbe96'

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/webauthx@5

commit: 768c3df

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	zile@​0.0.21 ⏵ 0.0.24	+1		+1
	vitest@​4.0.18 ⏵ 4.1.2			+1
	@​types/​node@​25.3.0 ⏵ 25.5.2	+1		+1
	vite@​7.3.1 ⏵ 6.4.2	-9	+23	+1
	@​vitest/​browser-playwright@​4.0.18 ⏵ 4.1.2			+1	-1
	@​cloudflare/​vite-plugin@​1.25.2 ⏵ 1.31.0	+7		+1
	oxfmt@​0.34.0 ⏵ 0.44.0	+1			+1
	oxlint@​1.49.0 ⏵ 1.59.0
	wrangler@​4.67.0 ⏵ 4.80.0	+1		-3
	@​changesets/​cli@​2.29.8 ⏵ 2.30.0			+1
	hono@​4.12.0 ⏵ 4.12.12	+1	+30	+1	+1
	@​vitejs/​plugin-react@​5.1.4 ⏵ 5.2.0				+1
	ox@​0.14.11 ⏵ 0.14.15	+3		+1	+1

View full report