
v2.8.0


@thobson thobson released this 15 Jun 14:14

Server initiated passkey updates and deletions

Introduces a more reliable, token-based passkey lifecycle flow. Both passkey deletion and update operations now exchange a backend-issued token that the client uses to complete local/device cleanup, aligning their behavior with registration. Support for browser-initiated passkey updates and deletions is removed, so all passkey changes are coordinated through the intended backend-driven process. Update semantics are also clarified: only all passkeys for a given userId can be updated, since WebAuthn does not support targeting individual passkeys.

Added

  • Delete passkey now uses an exchangeable token to synchronize backend and frontend records. This process is similar to that used for passkey registration. The backend initiates the process, returning a token. The frontend uses this token to perform its client-side cleanup.

  • Update passkey now uses an exchangeable token to synchronize backend and frontend records. This process is similar to that used for passkey registration. The backend initiates the process, returning a token. The frontend uses this token to update the device passkeys.

Removed

  • Browser-initiated passkey updates and deletions are no longer possible

Changed

  • It is now only possible to update all passkeys for a given userId. Previous versions of @passlock/browser implied it was possible to update a specific passkey, however the WebAuthn specs don't actually permit this.
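The token exchange described under Added, together with the per-userId update rule under Changed, as an added illustration that is not @passlock code: a hypothetical backend mints a single-use, short-lived HMAC token bound to a userId and an operation, the frontend can only complete local cleanup by exchanging that token, and cleanup applies to every passkey record held for the userId. The names issueToken, exchangeToken, completeDeletion and the token layout are assumptions for this example.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical lifecycle token: opaque to the browser, bound to a userId and
// an operation, single-use and short-lived. Not the passlock token format.
type Op = "delete" | "update";
interface Claims { userId: string; op: Op; nonce: string; exp: number }

const SECRET = randomBytes(32);      // held server-side only
const consumed = new Set<string>();  // nonces already exchanged (demo: in-memory)

// Backend initiates: mint a token for this user and operation.
function issueToken(userId: string, op: Op, ttlMs = 60_000, now = Date.now()): string {
  const claims: Claims = { userId, op, nonce: randomBytes(16).toString("hex"), exp: now + ttlMs };
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const mac = createHmac("sha256", SECRET).update(body).digest("base64url");
  return `${body}.${mac}`;
}

// Backend exchange endpoint: the frontend presents the token and receives the
// claims it may act on. Forged, expired, replayed or wrong-operation tokens
// yield null, so the browser alone can never start a deletion or update.
function exchangeToken(token: string, expectedOp: Op, now = Date.now()): Claims | null {
  const [body, mac] = token.split(".");
  if (!body || !mac) return null;
  const want = createHmac("sha256", SECRET).update(body).digest();
  const got = Buffer.from(mac, "base64url");
  if (got.length !== want.length || !timingSafeEqual(got, want)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString()) as Claims;
  if (claims.op !== expectedOp || claims.exp <= now || consumed.has(claims.nonce)) return null;
  consumed.add(claims.nonce);  // single use: a replayed token is rejected
  return claims;
}

// Frontend side: local cleanup happens only after a successful exchange.
// WebAuthn cannot target one credential, so the cleanup covers all passkey
// records held for the userId rather than a single passkey.
function completeDeletion(token: string, localPasskeys: Map<string, string[]>, now = Date.now()): boolean {
  const claims = exchangeToken(token, "delete", now);
  if (!claims) return false;
  localPasskeys.delete(claims.userId);
  return true;
}
```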