Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/assertion/generateAssertionOptions.ts16
-rw-r--r--packages/server/src/attestation/generateAttestationOptions.test.ts20
-rw-r--r--packages/server/src/attestation/generateAttestationOptions.ts10
3 files changed, 40 insertions, 6 deletions
diff --git a/packages/server/src/assertion/generateAssertionOptions.ts b/packages/server/src/assertion/generateAssertionOptions.ts
index ac18233..8a242dc 100644
--- a/packages/server/src/assertion/generateAssertionOptions.ts
+++ b/packages/server/src/assertion/generateAssertionOptions.ts
@@ -1,25 +1,29 @@
-import { PublicKeyCredentialRequestOptionsJSON } from '@webauthntine/typescript-types';
+import type {
+ PublicKeyCredentialRequestOptionsJSON,
+} from '@webauthntine/typescript-types';
/**
* Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
*
* @param challenge Random string the authenticator needs to sign and pass back
- * @param base64CredentialIDs Array of base64-encoded authenticator IDs registered by the user for
- * assertion
+ * @param allowedBase64CredentialIDs Array of base64-encoded authenticator IDs registered by the
+ * user for assertion
* @param timeout How long (in ms) the user can take to complete assertion
+ * @param suggestedTransports Suggested types of authenticators for assertion
*/
export default function generateAssertionOptions(
challenge: string,
- base64CredentialIDs: string[],
+ allowedBase64CredentialIDs: string[],
timeout = 60000,
+ suggestedTransports: AuthenticatorTransport[] = ['usb', 'ble', 'nfc', 'internal'],
): PublicKeyCredentialRequestOptionsJSON {
return {
publicKey: {
challenge,
- allowCredentials: base64CredentialIDs.map(id => ({
+ allowCredentials: allowedBase64CredentialIDs.map(id => ({
id,
type: 'public-key',
- transports: ['usb', 'ble', 'nfc', 'internal'],
+ transports: suggestedTransports,
})),
timeout,
},
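Review bot: The new name `allowedBase64CredentialIDs` reads as an allow-list, but an empty array is still passed through as `allowCredentials: []`, which WebAuthn clients treat as no restriction (any discoverable credential for the RP ID may answer) rather than as nothing allowed. The doc comment should say so, for example by extending the param text with `An empty array does not restrict which credential may respond; the verifier must then identify the user from the returned credential ID.` The function body continues past the end of this hunk.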
diff --git a/packages/server/src/attestation/generateAttestationOptions.test.ts b/packages/server/src/attestation/generateAttestationOptions.test.ts
index d3d49c7..dc67cf5 100644
--- a/packages/server/src/attestation/generateAttestationOptions.test.ts
+++ b/packages/server/src/attestation/generateAttestationOptions.test.ts
@@ -39,10 +39,30 @@ test('should generate credential request options suitable for sending via JSON',
],
timeout,
attestation: attestationType,
+ excludeCredentials: [],
},
});
});
+test('should map excluded credential IDs if specified', () => {
+ const options = generateAttestationOptions(
+ 'WebAuthntine',
+ 'not.real',
+ 'totallyrandomvalue',
+ '1234',
+ 'usernameHere',
+ undefined,
+ undefined,
+ ['someIDhere'],
+ );
+
+ expect(options.publicKey.excludeCredentials).toEqual([{
+ id: 'someIDhere',
+ type: 'public-key',
+ transports: ['usb', 'ble', 'nfc', 'internal'],
+ }]);
+});
+
test('defaults to 60 seconds if no timeout is specified', () => {
const options = generateAttestationOptions(
'WebAuthntine',
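Review bot: The added test exercises `excludeCredentials` only with the default transports and a single ID, so nothing pins that a caller-supplied `suggestedTransports` actually reaches the descriptors. A second case that passes two IDs and a narrower list such as `['internal']` as the ninth argument, asserting that both descriptors carry that list, would cover the new parameter. The test that starts at the end of this hunk continues outside it.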
diff --git a/packages/server/src/attestation/generateAttestationOptions.ts b/packages/server/src/attestation/generateAttestationOptions.ts
index e644d06..1b571ae 100644
--- a/packages/server/src/attestation/generateAttestationOptions.ts
+++ b/packages/server/src/attestation/generateAttestationOptions.ts
@@ -10,6 +10,9 @@ import { PublicKeyCredentialCreationOptionsJSON } from '@webauthntine/typescript
* @param username User's website-specific username
* @param timeout How long (in ms) the user can take to complete attestation
* @param attestationType Request a full ("direct") or anonymized ("indirect") attestation statement
+ * @param excludedBase64CredentialIDs Array of base64-encoded authenticator IDs registered by the
+ * user so the user can't register the same credential multiple times
+ * @param suggestedTransports Suggested types of authenticators for attestation
*/
export default function generateAttestationOptions(
serviceName: string,
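Review bot: The doc line for `excludedBase64CredentialIDs` promises more than the option can enforce: `excludeCredentials` asks the client to refuse an authenticator that already holds one of the listed IDs, and that only works when the caller passes every credential ID already registered for the user. Suggested wording: `IDs of all credentials already registered to this user; the client is asked to refuse an authenticator that holds one of them`. Because this is a client-side hint, the server should presumably still reject a duplicate credential ID when it verifies the attestation response. The signature continues outside this hunk.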
@@ -19,6 +22,8 @@ export default function generateAttestationOptions(
username: string,
timeout = 60000,
attestationType: 'direct' | 'indirect' = 'direct',
+ excludedBase64CredentialIDs: string[] = [],
+ suggestedTransports: AuthenticatorTransport[] = ['usb', 'ble', 'nfc', 'internal'],
): PublicKeyCredentialCreationOptionsJSON {
return {
publicKey: {
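Review bot: Appending two more defaulted positional parameters makes this a nine-argument call, and the new test already has to write `undefined, undefined` to reach `excludedBase64CredentialIDs`; a misplaced placeholder at a call site would silently pass the wrong value for `timeout` or `attestationType`. A trailing options object for the optional settings, e.g. `opts: { timeout?: number; attestationType?: 'direct' | 'indirect'; excludedBase64CredentialIDs?: string[]; suggestedTransports?: AuthenticatorTransport[] } = {}`, would keep call sites readable. The same applies to `generateAssertionOptions`, where `suggestedTransports` follows the defaulted `timeout`. The parameters before `username` are outside this hunk.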
@@ -42,6 +47,11 @@ export default function generateAttestationOptions(
],
timeout,
attestation: attestationType,
+ excludeCredentials: excludedBase64CredentialIDs.map((id) => ({
+ id,
+ type: 'public-key',
+ transports: suggestedTransports,
+ })),
},
};
}
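Review bot: `suggestedTransports` is documented as "Suggested types of authenticators for attestation", yet in the lines shown it is applied only to the `excludeCredentials` descriptors, where transports are hints for how the client reaches an already-registered authenticator. A caller who narrows it to `['internal']` to steer registration would instead narrow the hints on every excluded credential, which may weaken the duplicate check on clients that honour them. Either document it as the transports of the excluded credentials, or take per-credential entries such as `{ id, transports }` so each descriptor carries the transports recorded when it was registered. The part of the body between the hunks is not visible, so this rests on the lines shown here.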