Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →

@simplewebauthn/iso-webcrypto

Package Overview

Dependencies

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

@simplewebauthn/iso-webcrypto

A small library for accessing a runtime's WebCrypto API

7.0.0
Source
npm

Version published: 2 years ago

Weekly downloads: 1.7K; decreased by-50.25%

Maintainers: 1

Weekly downloads

Created: 2 years ago

Source

@simplewebauthn/iso-webcrypto

A small library for accessing a runtime's WebCrypto API. Supports browsers, and Node projects using ESM and/or CommonJS.

This library is not officially supported for use outside of SimpleWebAuthn!

Install

npm install --save @simplewebauthn/iso-webcrypto

Usage

import WebCrypto from '@simplewebauthn/iso-webcrypto';

WebCrypto.randomUUID (); // => '43e16416-7a2a-4c00-b2e8-1ea7a57adfb9'

Acknowledgements

Thank you to Fabio Spampinato and their tiny-webcrypto project that all but solves the issue of isomorphic WebCrypto use across browsers and Node. I forked that project and made this one to add in support for Node libraries written in TypeScript that transpile to CommonJS modules.

v7.0.0 - The one that sets the library loose

The highlight of this release is the rearchitecture of @simplewebauthn/server to start allowing it to be used in more environments than Node. This was accomplished by refactoring the library completely away from Node's Buffer type and crypto package, and instead leveraging Uint8Array and the WebCrypto Web API for all cryptographic operations. This means that, hypothetically, this library can now also work in any non-Node environment that provides access to the WebCrypto API on the global crypto object.

Existing Node support is still first-class! In fact because @simplewebauth/server still builds to CommonJS it will continue to be tricky to incorporate the library in non-Node, ESM-only environments that do not support CommonJS modules (whether natively, via a bundler, etc...) A future update will attempt to fix this to offer better support for use in ESM-only projects with support for WebCrypto (e.g. Deno).

Please read all of the changes below! There are significant breaking changes in this update and additional information has been included to help adapt existing projects to the newest version of these libraries.

Packages:

@simplewebauthn/browser@7.0.0
@simplewebauthn/server@7.0.0
@simplewebauthn/typescript-types@7.0.0
@simplewebauthn/iso-webcrypto@7.0.0

Changes:

[server] A new "isomorphic" library architecture allows for use of this library in non-Node environments. In addition, the library now targets Node 16 and above (#299)
[server] @simplewebauthn/server/helpers now includes several new helpers for working with WebAuthn-related data types that should work in all run times:
- isoCBOR for working with CBOR-encoded values
- isoCrypto for leveraging the WebCrypto API when working with various WebAuthn/FIDO2 data structures
- isoBase64URL for encoding and decoding values into base64url (with optional base64 support)
- isoUint8Array for working with Uint8Arrays
- cose for working with COSE-related methods and types
[server] Certificate chains using self-signed X.509 root certificates now validate more reliably (#310)
[server] Code execution times for some common use cases are approximately 60-90% faster (#311, #315)
[iso-webcrypto] This new library helps @simplewebauthn/server reference the WebCrypto API in more environments than Node. This package is available on NPM, but it is not officially supported for use outside of @simplewebauthn/server!

Breaking Changes

[server] The following values returned from verifyRegistrationResponse() are now a Uint8Array instead of a Buffer. They will need to be passed into Buffer.from(...) to convert them to Buffer if needed:
- aaguid
- authData
- clientDataHash
- credentialID
- credentialPublicKey
- rpIdHash
[server] The following values returned from verifyAuthenticationResponse() are now a Uint8Array instead of a Buffer. They will need to be passed into Buffer.from(...) to convert them to Buffer if needed:
- credentialID
[server] The isBase64URLString() helper is now isoBase64URL.isBase64url()
[server] The decodeCborFirst() helper is now isoCBOR.decodeFirst()
[server] The convertPublicKeyToPEM() helper has been removed
[typescript-types] [server] [browser] New JSON-serialization-friendly data structures added to the WebAuthn L3 spec have been preemptively mapped into this project. Some types, values, and methods have been refactored or replaced accordingly (#320):
- The RegistrationCredentialJSON type has been replaced by the RegistrationResponseJSON type
- The AuthenticationCredentialJSON type has been replaced by the AuthenticationResponseJSON type
- RegistrationCredentialJSON.transports has been relocated into RegistrationResponseJSON.response.transports to mirror response structure in the WebAuthn spec
- The verifyRegistrationResponse() method has had its credential argument renamed to response
- The verifyAuthenticationResponse() method has had its credential argument renamed to response
[server] generateRegistrationOptions() now marks user verification as "preferred" during registration and authentication (to reduce some user friction at the browser+authenticator level), and requires user verification during response verification. See below for refactor tips (#307)

<details> <summary>Refactor Tips</summary> RP's implementing a second-factor flow with WebAuthn, where UV is not important (because username+password are provided before WebAuthn is leveraged for the second factor), should not require user verification when verifying responses:

`verifyRegistrationResponse()`

Before

const verification = await verifyRegistrationResponse({
  credential: attestationFIDOU2F,
  // ...
});

After

const verification = await verifyRegistrationResponse({
  credential: attestationFIDOU2F,
  // ...
  requireUserVerification: false,
});

`verifyAuthenticationResponse()`

Before

const verification = await verifyAuthenticationResponse({
  credential: assertionResponse,
  // ...
});

After

const verification = await verifyAuthenticationResponse({
  credential: assertionResponse,
  // ...
  requireUserVerification: false,
});

</details>

[server] generateRegistrationOptions() now defaults to preferring the creation of discoverable credentials. See below for refactor tips (#324)

<details> <summary>Refactor Tips</summary> RP's that do not require support for discoverable credentials from authenticators will need to update their calls to `generateRegistrationOptions()` accordingly:

`generateRegistrationOptions()`

Before

const options = generateRegistrationOptions({
  rpName: 'SimpleWebAuthn',
  rpID: 'simplewebauthn.dev',
  userID: '1234',
  userName: 'usernameHere',
});

After

const options = generateRegistrationOptions({
  rpName: 'SimpleWebAuthn',
  rpID: 'simplewebauthn.dev',
  userID: '1234',
  userName: 'usernameHere',
  authenticatorSelection: {
    // See https://www.w3.org/TR/webauthn-2/#enumdef-residentkeyrequirement
    residentKey: 'discouraged',
  },
});

</details>

Keywords

FAQs

What is @simplewebauthn/iso-webcrypto?

Is @simplewebauthn/iso-webcrypto popular?

Is @simplewebauthn/iso-webcrypto well maintained?

Package last updated on 05 Jan 2023

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install