NFC

app/api/auth/login/route.ts

@@ -13,7 +13,8 @@ export async function POST(req: NextRequest) {
 	});
 
 	if (!res.ok) {
-		return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+		const text = await res.text();
+		return NextResponse.json({ error: text }, { status: 401 });
 	}
 
 	// Returns { session_id, challenge } — browser completes the WebAuthn step

app/api/auth/register/finish/route.ts

@@ -1,6 +1,11 @@
 import { NextRequest, NextResponse } from "next/server";
 
+const ENROLLMENT_OPEN = process.env.ENROLLMENT_OPEN === "true";
+
 export async function POST(req: NextRequest) {
+	if (!ENROLLMENT_OPEN) {
+		return new NextResponse(null, { status: 404 });
+	}
 	const body = await req.json();
 
 	const res = await fetch("http://localhost:3001/auth/register/finish", {

app/api/auth/register/start/route.ts

@@ -1,6 +1,11 @@
 import { NextRequest, NextResponse } from "next/server";
 
+const ENROLLMENT_OPEN = process.env.ENROLLMENT_OPEN === "true";
+
 export async function POST(req: NextRequest) {
+	if (!ENROLLMENT_OPEN) {
+		return new NextResponse(null, { status: 404 });
+	}
 	const { username, password } = await req.json();
 
 	const res = await fetch("http://localhost:3001/auth/register/start", {

app/auth/page.tsx

@@ -69,11 +69,13 @@ export default function AuthPage() {
 			setStatus("waiting_yubikey");
 			const opts = challenge.publicKey;
 			opts.challenge = b64uToBuf(opts.challenge);
+			opts.userVerification = "discouraged";
 			if (opts.allowCredentials) {
 				opts.allowCredentials = opts.allowCredentials.map(
 					(c: { id: string; type: string; transports?: string[] }) => ({
-						...c,
+						type: c.type,
 						id: b64uToBuf(c.id),
+						transports: ["usb", "nfc", "ble", "hybrid"],
 					}),
 				);
 			}

app/enroll/page.tsx

@@ -50,6 +50,14 @@ export default function EnrollPage() {
 			const opts = challenge.publicKey;
 			opts.challenge = b64uToBuf(opts.challenge);
 			opts.user.id = b64uToBuf(opts.user.id);
+			// Force security key UI — residentKey/UV discouraged so Android
+			// Chrome doesn't suppress the NFC option in favour of biometrics
+			opts.authenticatorSelection = {
+				authenticatorAttachment: "cross-platform",
+				residentKey: "discouraged",
+				requireResidentKey: false,
+				userVerification: "discouraged",
+			};
 			if (opts.excludeCredentials) {
 				opts.excludeCredentials = opts.excludeCredentials.map(
 					(c: { id: string; type: string; transports?: string[] }) => ({
@@ -89,9 +97,7 @@ export default function EnrollPage() {
 						response: {
 							attestationObject: bufToB64u(attestation.attestationObject),
 							clientDataJSON: bufToB64u(attestation.clientDataJSON),
-							transports: attestation.getTransports
+							transports: ["usb", "nfc", "ble", "hybrid"],
-								? attestation.getTransports()
-								: [],
 						},
 						extensions: {},
 					},

app/layout.tsx

@@ -29,7 +29,12 @@ export default function RootLayout({
 			lang="en"
 			className={`${dmSans.variable} ${playfair.variable} h-full antialiased`}
 		>
-			<body className="min-h-full h-full flex flex-col">{children}</body>
+			<body className="min-h-full h-full flex flex-col">
+				{children}
+				<span className="fixed bottom-3 right-4 text-[10px] text-gray-300 select-none pointer-events-none">
+					v0.1.0
+				</span>
+			</body>
 		</html>
 	);
 }

middleware.ts

@@ -1,16 +1,28 @@
 import { NextResponse } from "next/server";
 import type { NextRequest } from "next/server";
 
-export function proxy(req: NextRequest) {
+const ENROLLMENT_OPEN = process.env.ENROLLMENT_OPEN === "true";
-	const token = req.cookies.get("token")?.value;
+
+export function middleware(req: NextRequest) {
 	const { pathname } = req.nextUrl;
 
-	// always allow login page and auth api routes
+	// Enrollment routes — only accessible when enrollment is open
+	if (
+		pathname.startsWith("/enroll") ||
+		pathname.startsWith("/api/auth/register")
+	) {
+		return ENROLLMENT_OPEN
+			? NextResponse.next()
+			: new NextResponse(null, { status: 404 });
+	}
+
+	// Always allow login page and auth api routes
 	if (pathname.startsWith("/auth") || pathname.startsWith("/api/auth")) {
 		return NextResponse.next();
 	}
 
-	// no token — redirect to login
+	// No token — redirect to login
+	const token = req.cookies.get("token")?.value;
 	if (!token) {
 		const loginUrl = new URL("/auth", req.url);
 		loginUrl.searchParams.set("callbackUrl", pathname);