feat: Add domainLevels option and remove resend dependency #6

Merged
treeder merged 11 commits into main from custom-cookie-domain-6153692776333184428
Mar 2, 2026
@treeder treeder commented Feb 26, 2026

This PR introduces a domainLevels option to the Passkeys constructor, allowing flexible configuration of the cookie domain and WebAuthn Relying Party ID. This supports both numeric levels (e.g., keeping the last 2 parts of the hostname) and explicit domain strings, falling back to the COOKIE_DOMAIN environment variable if not provided.

Additionally, this PR removes the resend integration from functions/globals.js, as it was identified as being outside the scope of this library.

Changes:

  • src/utils.js: Implemented cookieDomain logic to handle domainLevels (numeric or string).
  • src/passkeys.js: Propagated domainLevels from constructor to context and used cookieDomain for RP ID.
  • src/sessions.js: Updated to use cookieDomain for session cookies.
  • functions/globals.js: Removed resend parsing.
  • functions/v2/auth/[[catchall]].js: Passed COOKIE_DOMAIN env var as domainLevels.
  • Added integration tests in test/ for various domain configurations.

PR created automatically by Jules for task 6153692776333184428 started by @treeder

1. Added `domainLevels` option to `Passkeys` constructor to configure cookie/RP ID domain depth or explicit domain.
2. Removed `resend` key dependency from `functions/globals.js` as it is out of scope for the library.
3. Updated `src/utils.js` to implement domain level stripping logic.
4. Updated `src/passkeys.js` and `src/sessions.js` to use configured domain.
5. Added tests for numeric domain levels and explicit domain strings.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist

Summary of Changes

Hello @treeder, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Passkeys authentication system by introducing a configurable domainLevels option, providing greater control over cookie domains and WebAuthn Relying Party IDs. This change allows developers to specify domain behavior either by retaining a certain number of hostname levels or by providing an explicit domain string, improving adaptability across different deployment environments. Concurrently, an external email service integration was removed to streamline the library's focus. The changes are supported by new utility functions and comprehensive tests.

Highlights

  • Flexible Domain Configuration: Introduced a new domainLevels option in the Passkeys constructor, allowing for flexible configuration of cookie domains and WebAuthn Relying Party IDs. This option supports both numeric values (to specify the number of domain levels to retain from the hostname) and explicit domain strings. It also falls back to the COOKIE_DOMAIN environment variable if domainLevels is not explicitly provided.
  • Removed Resend Integration: The resend integration was removed from functions/globals.js, as it was deemed outside the scope of the core library functionality.
  • Updated Cookie and RP ID Logic: The src/passkeys.js and src/sessions.js files were updated to utilize the new cookieDomain utility function, ensuring that session cookies and WebAuthn RP IDs are set according to the configured domainLevels.
  • Comprehensive Integration Tests: New integration tests were added to cover various domain configurations, including default, custom, and numeric domain level scenarios, ensuring the robustness of the new domainLevels functionality.

Changelog

  • functions/globals.js
    • Removed the initialization and parsing of the RESEND environment variable, effectively decoupling the resend email service.
  • functions/v2/auth/[[catchall]].js
    • Passed the COOKIE_DOMAIN environment variable as the domainLevels option to the Passkeys constructor, enabling dynamic domain configuration from environment settings.
  • src/passkeys.js
    • Imported the new cookieDomain utility function.
    • Added opts.domainLevels to the Passkeys constructor documentation.
    • Extended the context object (c2) to include env and domainLevels from the constructor options.
    • Updated rpID generation to use the new cookieDomain utility instead of hostname for generateRegistrationOptions, verifyRegistrationResponse, generateAuthenticationOptions, and verifyAuthenticationResponse.
  • src/sessions.js
    • Imported the new cookieDomain utility function.
    • Modified the domain attribute for session and user ID cookies to use the cookieDomain utility, aligning cookie behavior with the new domain configuration logic.
  • src/utils.js
    • Added a new cookieDomain utility function that calculates the appropriate domain based on domainLevels (numeric or string) or falls back to COOKIE_DOMAIN environment variable, or the full hostname if no specific configuration is provided.
  • test/test_custom.js
    • Added a new integration test to verify that cookies are set with a custom domain when domainLevels is configured as an explicit string.
  • test/test_default.js
    • Added a new integration test to confirm that cookies default to localhost or 127.0.0.1 when no specific domain configuration is provided.
  • test/test_numeric.js
    • Added integration tests to validate the cookieDomain function's behavior when domainLevels is a numeric value, ensuring it correctly extracts the specified number of domain levels from the hostname.

Activity

  • No human activity (comments, reviews) has been recorded on this pull request yet.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request successfully introduces a domainLevels option for more flexible cookie domain and Relying Party ID configuration, which is a great enhancement for multi-tenant or complex domain setups. The removal of the resend dependency is a good cleanup, simplifying the library's scope. The addition of integration tests for various domain configurations is also a valuable contribution that improves confidence in the changes. I've found one issue in the implementation of the cookieDomain logic that could lead to incorrect behavior when domainLevels is set to 0. Please see my comment for details.

Comment thread src/utils.js Outdated
@treeder treeder merged commit 4eeb3a0 into main Mar 2, 2026
2 checks passed
@treeder treeder deleted the custom-cookie-domain-6153692776333184428 branch March 2, 2026 05:50
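
The numeric, explicit-string, environment-fallback and `0` cases discussed in this PR, as an added example that is not the library's `cookieDomain` code. `resolveDomain` and its parameters are hypothetical names; parsing numeric strings from `COOKIE_DOMAIN` and rejecting `0` are assumptions about sensible behaviour, not a description of what the project does.

```javascript
// Added example: resolveDomain is a hypothetical helper, not the library's
// cookieDomain(). It returns the value to use for both the cookie Domain
// attribute and the WebAuthn rpID, or throws on a configuration that cannot
// be valid for the given hostname.
function resolveDomain(hostname, domainLevels, envCookieDomain) {
  const host = hostname.toLowerCase().replace(/\.$/, '')
  // Use ?? rather than ||: a numeric 0 must reach the validation below
  // instead of being silently treated as "not configured".
  let setting = domainLevels ?? envCookieDomain
  if (setting === undefined || setting === null || setting === '') return host

  // Environment variables are strings, so "2" has to be read as a level count.
  if (typeof setting === 'string' && /^\d+$/.test(setting.trim())) {
    setting = Number(setting.trim())
  }

  if (typeof setting === 'number') {
    // labels.slice(-0) is labels.slice(0), i.e. every label, so 0 would
    // quietly return the full hostname; reject it explicitly.
    if (!Number.isInteger(setting) || setting < 1) {
      throw new RangeError(`domainLevels must be a positive integer, got ${setting}`)
    }
    const labels = host.split('.')
    // IPv4 literals have no parent domain, and asking for more levels than
    // exist keeps the full hostname.
    if (/^\d+(\.\d+){3}$/.test(host) || setting >= labels.length) return host
    return labels.slice(-setting).join('.')
  }

  // Explicit domain: it must equal the host or be a parent of it on a label
  // boundary, otherwise browsers reject both the cookie and the rpID.
  const domain = String(setting).toLowerCase().replace(/^\./, '')
  if (host !== domain && !host.endsWith('.' + domain)) {
    throw new Error(`${domain} is not a parent domain of ${host}`)
  }
  return domain
}
```

A level count that lands on a public suffix (1 for `app.example.com` gives `com`) passes this check but is rejected by browsers; catching that requires a Public Suffix List lookup.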