@simplewebauthn/server - npm Package Compare versions

Comparing version 5.4.4 to 5.4.5

dist/authentication/verifyAuthenticationResponse.d.ts

 /// <reference types="node" />
-import { AuthenticationCredentialJSON, AuthenticatorDevice, CredentialDeviceType } from '@simplewebauthn/typescript-types';
+import { AuthenticationCredentialJSON, AuthenticatorDevice, CredentialDeviceType, UserVerificationRequirement } from '@simplewebauthn/typescript-types';
 import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions';
@@ -11,2 +11,5 @@ export declare type VerifyAuthenticationResponseOpts = {
     requireUserVerification?: boolean;
+    advancedFIDOConfig?: {
+        userVerification?: UserVerificationRequirement;
+    };
 };
@@ -26,2 +29,7 @@ /**
  * (via PIN, fingerprint, etc...)
+ * @param advancedFIDOConfig (Optional) Options for satisfying more stringent FIDO RP feature
+ * requirements
+ * @param advancedFIDOConfig.userVerification (Optional) Enable alternative rules for evaluating the
+ * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
+ * unless this value is `"required"`
  */
@@ -28,0 +36,0 @@ export declare function verifyAuthenticationResponse(options: VerifyAuthenticationResponseOpts): VerifiedAuthenticationResponse;

dist/authentication/verifyAuthenticationResponse.js

@@ -28,5 +28,10 @@ "use strict";
  * (via PIN, fingerprint, etc...)
+ * @param advancedFIDOConfig (Optional) Options for satisfying more stringent FIDO RP feature
+ * requirements
+ * @param advancedFIDOConfig.userVerification (Optional) Enable alternative rules for evaluating the
+ * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
+ * unless this value is `"required"`
  */
 function verifyAuthenticationResponse(options) {
-    const { credential, expectedChallenge, expectedOrigin, expectedRPID, authenticator, requireUserVerification, } = options;
+    const { credential, expectedChallenge, expectedOrigin, expectedRPID, authenticator, requireUserVerification, advancedFIDOConfig, } = options;
     const { id, rawId, type: credentialType, response } = credential;
@@ -115,9 +120,29 @@ // Ensure credential specified an ID
     }
-    // WebAuthn only requires the user presence flag be true
-    if (!flags.up) {
-        throw new Error('User not present during authentication');
+    if (advancedFIDOConfig !== undefined) {
+        const { userVerification: fidoUserVerification, } = advancedFIDOConfig;
+        /**
+         * Use FIDO Conformance-defined rules for verifying UP and UV flags
+         */
+        if (fidoUserVerification === 'required') {
+            // Require `flags.uv` be true (implies `flags.up` is true)
+            if (!flags.uv) {
+                throw new Error('User verification required, but user could not be verified');
+            }
+        }
+        else if (fidoUserVerification === 'preferred' || fidoUserVerification === 'discouraged') {
+            // Ignore `flags.uv`
+        }
     }
-    // Enforce user verification if required
-    if (requireUserVerification && !flags.uv) {
-        throw new Error('User verification required, but user could not be verified');
+    else {
+        /**
+         * Use WebAuthn spec-defined rules for verifying UP and UV flags
+         */
+        // WebAuthn only requires the user presence flag be true
+        if (!flags.up) {
+            throw new Error('User not present during authentication');
+        }
+        // Enforce user verification if required
+        if (requireUserVerification && !flags.uv) {
+            throw new Error('User verification required, but user could not be verified');
+        }
     }
@@ -124,0 +149,0 @@ const clientDataHash = (0, toHash_1.toHash)(base64url_1.default.toBuffer(response.clientDataJSON));

dist/helpers/decodeAuthenticatorExtensions.d.ts

@@ -9,3 +9,3 @@ /// <reference types="node" />
 export declare type AuthenticationExtensionsAuthenticatorOutputs = {
-    devicePublicKey?: DevicePublicKeyAuthenticatorOutput;
+    devicePubKey?: DevicePublicKeyAuthenticatorOutput;
     uvm?: UVMAuthenticatorOutput;
@@ -12,0 +12,0 @@ };

package.json

 {
   "name": "@simplewebauthn/server",
-  "version": "5.4.4",
+  "version": "5.4.5",
   "description": "SimpleWebAuthn for Servers",
@@ -62,3 +62,3 @@ "main": "dist/index.js",
   },
-  "gitHead": "9c05ec591fa1e8a1d7480a9f115a075fec9a88c5",
+  "gitHead": "d5fbeb340fb2610c86f102f184aa75a0d27cc243",
   "devDependencies": {
@@ -65,0 +65,0 @@ "@types/cbor": "^5.0.1",

No alert changes

Improved metrics

Total package byte prevSize

264134

increased by0.75%

Lines of code

4130

increased by0.81%

No dependency changes