@simplewebauthn/server - npm Package Compare versions

Comparing version 8.3.2 to 8.3.3

esm/helpers/parseAuthenticatorData.js

@@ -49,4 +49,6 @@ import { decodeAuthenticatorExtensions, } from './decodeAuthenticatorExtensions.js';
         const bytesAtCurrentPosition = authData.slice(pointer, pointer + badEdDSACBOR.byteLength);
+        let foundBadCBOR = false;
         if (isoUint8Array.areEqual(badEdDSACBOR, bytesAtCurrentPosition)) {
             // Change the bad CBOR 0xa3 to 0xa4 so that the credential public key can be recognized
+            foundBadCBOR = true;
             authData[pointer] = 0xa4;
@@ -57,2 +59,7 @@ }
         const firstEncoded = Uint8Array.from(isoCBOR.encode(firstDecoded));
+        if (foundBadCBOR) {
+            // Restore the bit we changed so that `authData` is the same as it came in and won't break
+            // signature verification.
+            authData[pointer] = 0xa3;
+        }
         credentialPublicKey = firstEncoded;
@@ -59,0 +66,0 @@ pointer += firstEncoded.byteLength;

package.json

@@ -5,3 +5,3 @@ {
   "name": "@simplewebauthn/server",
-  "version": "8.3.2",
+  "version": "8.3.3",
   "description": "SimpleWebAuthn for Servers",
@@ -59,3 +59,3 @@ "license": "MIT",
     "@peculiar/asn1-x509": "^2.3.6",
-    "@simplewebauthn/typescript-types": "^8.0.0",
+    "@simplewebauthn/typescript-types": "^8.3.3",
     "cbor-x": "^1.5.2",
@@ -62,0 +62,0 @@ "cross-fetch": "^4.0.0"

script/helpers/parseAuthenticatorData.js

@@ -52,4 +52,6 @@ "use strict";
         const bytesAtCurrentPosition = authData.slice(pointer, pointer + badEdDSACBOR.byteLength);
+        let foundBadCBOR = false;
         if (index_js_1.isoUint8Array.areEqual(badEdDSACBOR, bytesAtCurrentPosition)) {
             // Change the bad CBOR 0xa3 to 0xa4 so that the credential public key can be recognized
+            foundBadCBOR = true;
             authData[pointer] = 0xa4;
@@ -60,2 +62,7 @@ }
         const firstEncoded = Uint8Array.from(index_js_1.isoCBOR.encode(firstDecoded));
+        if (foundBadCBOR) {
+            // Restore the bit we changed so that `authData` is the same as it came in and won't break
+            // signature verification.
+            authData[pointer] = 0xa3;
+        }
         credentialPublicKey = firstEncoded;
@@ -62,0 +69,0 @@ pointer += firstEncoded.byteLength;

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

465619

increased by0.12%

Lines of code

10879

increased by0.13%

Dependency changes

• Updated@simplewebauthn/typescript-types@^8.3.3