Removal of JWT code, cleanup, using User dataclass rather than UserModel in APIs.

passkey/fastapi/reset.py

@@ -7,6 +7,8 @@ This module provides endpoints for authenticated users to:
 - Add new passkeys to existing accounts via tokens
 """
 
+from uuid import UUID
+
 from fastapi import FastAPI, Path, Request
 from fastapi.responses import RedirectResponse
 
@@ -61,20 +63,20 @@ def register_reset_routes(app: FastAPI):
     ):
         try:
             # Get session token to validate it exists and get user_id
-            session_data = await sql.get_session(passphrase)
-            if not session_data:
+            session = await sql.get_session(passphrase)
+            if not session:
                 # Token doesn't exist, redirect to home
                 return RedirectResponse(url="/", status_code=303)
 
             # Check if this is a device addition session (credential_id is None)
-            if session_data["credential_id"] is not None:
+            if session.credential_id is not None:
                 # Not a device addition session, redirect to home
                 return RedirectResponse(url="/", status_code=303)
 
             # Create a device addition session token for the user
             client_info = get_client_info(request)
             session_token = await sql.create_session(
-                session_data["user_id"], None, None, client_info
+                UUID(bytes=session.user_id), None, None, client_info
             )
 
             # Create response and set session cookie
@@ -92,12 +94,12 @@ async def use_reset_token(token: str) -> dict:
     """Delete a device addition token after successful use."""
     try:
         # Get session token first to validate it exists and is not expired
-        session_data = await sql.get_session(token)
-        if not session_data:
+        session = await sql.get_session(token)
+        if not session:
             return {"error": "Invalid or expired device addition token"}
 
         # Check if this is a device addition session (credential_id is None)
-        if session_data["credential_id"] is not None:
+        if session.credential_id is not None:
             return {"error": "Invalid device addition token"}
 
         # Delete the token (it's now used)

passkey/fastapi/ws.py

@@ -9,7 +9,7 @@ This module contains all WebSocket endpoints for:
 """
 
 import logging
-from datetime import datetime, timedelta
+from datetime import datetime
 from uuid import UUID
 
 import uuid7
@@ -139,17 +139,11 @@ async def websocket_add_device_credential(ws: WebSocket, token: str):
     await ws.accept()
     origin = ws.headers.get("origin")
     try:
-        reset_token = await sql.get_reset_token(token)
+        reset_token = await sql.get_session(token)
         if not reset_token:
             await ws.send_json({"error": "Invalid or expired device addition token"})
             return
 
-        # Check if token is expired (24 hours)
-        expiry_time = reset_token.created_at + timedelta(hours=24)
-        if datetime.now() > expiry_time:
-            await ws.send_json({"error": "Device addition token has expired"})
-            return
-
         # Get user information
         user = await sql.get_user_by_id(reset_token.user_id)