@simplewebauthn/server - npm Package Compare versions

Comparing version 4.0.0 to 4.1.0

dist/services/metadataService.d.ts

 /// <reference types="node" />
 import type { MetadataStatement } from '../metadata/mdsTypes';
+declare type VerificationMode = 'permissive' | 'strict';
 /**
@@ -13,4 +14,15 @@ * A basic service for coordinating interactions with the FIDO Metadata Service. This includes BLOB
     private state;
+    private verificationMode;
     /**
      * Prepare the service to handle remote MDS servers and/or cache local metadata statements.
+     *
+     * **Options:**
+     *
+     * @param opts.mdsServers An array of URLs to FIDO Alliance Metadata Service
+     * (version 3.0)-compatible servers. Defaults to the official FIDO MDS server
+     * @param opts.statements An array of local metadata statements
+     * @param opts.verificationMode How MetadataService will handle unregistered AAGUIDs. Defaults to
+     * `"strict"` which throws errors during registration response verification when an
+     * unregistered AAGUID is encountered. Set to `"permissive"` to allow registration by
+     * authenticators with unregistered AAGUIDs
      */
@@ -20,5 +32,6 @@ initialize(opts?: {
         statements?: MetadataStatement[];
+        verificationMode?: VerificationMode;
     }): Promise<void>;
     /**
-     * Get a metadata statement for a given aaguid. Defaults to returning a cached statement.
+     * Get a metadata statement for a given AAGUID.
      *
@@ -25,0 +38,0 @@ * This method will coordinate updating the cache as per the `nextUpdate` property in the initial

dist/services/metadataService.js

@@ -34,8 +34,19 @@ "use strict";
         this.state = SERVICE_STATE.DISABLED;
+        this.verificationMode = 'strict';
     }
     /**
      * Prepare the service to handle remote MDS servers and/or cache local metadata statements.
+     *
+     * **Options:**
+     *
+     * @param opts.mdsServers An array of URLs to FIDO Alliance Metadata Service
+     * (version 3.0)-compatible servers. Defaults to the official FIDO MDS server
+     * @param opts.statements An array of local metadata statements
+     * @param opts.verificationMode How MetadataService will handle unregistered AAGUIDs. Defaults to
+     * `"strict"` which throws errors during registration response verification when an
+     * unregistered AAGUID is encountered. Set to `"permissive"` to allow registration by
+     * authenticators with unregistered AAGUIDs
      */
     async initialize(opts = {}) {
-        const { mdsServers = [defaultURLMDS], statements } = opts;
+        const { mdsServers = [defaultURLMDS], statements, verificationMode, } = opts;
         this.setState(SERVICE_STATE.REFRESHING);
@@ -83,6 +94,9 @@ // If metadata statements are provided, load them into the cache first
         }
+        if (verificationMode) {
+            this.verificationMode = verificationMode;
+        }
         this.setState(SERVICE_STATE.READY);
     }
     /**
-     * Get a metadata statement for a given aaguid. Defaults to returning a cached statement.
+     * Get a metadata statement for a given AAGUID.
      *
@@ -107,5 +121,8 @@ * This method will coordinate updating the cache as per the `nextUpdate` property in the initial
         if (!cachedStatement) {
-            // TODO: FIDO conformance requires this, but it seems excessive for WebAuthn. Investigate
-            // later
-            throw new Error(`No metadata statement found for aaguid "${aaguid}"`);
+            if (this.verificationMode === 'strict') {
+                // FIDO conformance requires RP's to only support registered AAGUID's
+                throw new Error(`No metadata statement found for aaguid "${aaguid}"`);
+            }
+            // Allow registration verification to continue without using metadata
+            return;
         }
@@ -112,0 +129,0 @@ // If the statement points to an MDS API, check the MDS' nextUpdate to see if we need to refresh

package.json

 {
   "name": "@simplewebauthn/server",
-  "version": "4.0.0",
+  "version": "4.1.0",
   "description": "SimpleWebAuthn for Servers",
@@ -61,3 +61,3 @@ "main": "dist/index.js",
   },
-  "gitHead": "fbb552d5e6f91c0ab9f0577510855f846d5b2d41",
+  "gitHead": "bbcb4c28db1073801e41c5a089cd6feb4373c32e",
   "devDependencies": {
@@ -64,0 +64,0 @@ "@types/cbor": "^5.0.1",

Fixed alerts

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

240043

increased by0.72%

Lines of code

3740

increased by0.81%

Number of medium supply chain risk alerts

0

decreased by-100%

No dependency changes