New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
@simplewebauthn/server
Advanced tools
@simplewebauthn/server - npm Package Compare versions
Comparing version 9.0.2 to 9.0.3
| export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/types'; | ||
| export * as cborx from 'cbor-x/index-no-eval'; | ||
| export * as tinyCbor from '@levischuck/tiny-cbor'; | ||
| export { default as base64 } from '@hexagon/base64'; | ||
@@ -4,0 +4,0 @@ export { fetch as crossFetch } from 'cross-fetch'; |
@@ -1,3 +0,3 @@ | ||
| // cbor (a.k.a. cbor-x in Node land) | ||
| export * as cborx from 'cbor-x/index-no-eval'; | ||
| // tiny_cbor (a.k.a. tiny-cbor in Node land) | ||
| export * as tinyCbor from '@levischuck/tiny-cbor'; | ||
| // b64 (a.k.a. @hexagon/base64 in Node land) | ||
@@ -4,0 +4,0 @@ export { default as base64 } from '@hexagon/base64'; |
@@ -0,2 +1,13 @@ | ||
| import { tinyCbor } from '../../deps.js'; | ||
| /** | ||
| * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded | ||
| * | ||
| * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use: | ||
| * - CBOR Map type values MUST decode to JavaScript Maps | ||
| * - CBOR tag 64 (uint8 Typed Array) MUST NOT be used when encoding Uint8Arrays back to CBOR | ||
| * | ||
| * So long as these requirements are maintained, then CBOR sequences can be encoded and decoded | ||
| * freely while maintaining their lengths for the most accurate pointer movement across them. | ||
| */ | ||
| /** | ||
| * Decode and return the first item in a sequence of CBOR-encoded values | ||
@@ -12,2 +23,2 @@ * | ||
| */ | ||
| export declare function encode(input: unknown): Uint8Array; | ||
| export declare function encode(input: tinyCbor.CBORType): Uint8Array; |
@@ -1,4 +0,4 @@ | ||
| import { cborx } from '../../deps.js'; | ||
| import { tinyCbor } from '../../deps.js'; | ||
| /** | ||
| * This encoder should keep CBOR data the same length when data is re-encoded | ||
| * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded | ||
| * | ||
@@ -12,6 +12,2 @@ * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use: | ||
| */ | ||
| const encoder = new cborx.Encoder({ | ||
| mapsAsObjects: false, | ||
| tagUint8Array: false, | ||
| }); | ||
| /** | ||
@@ -27,12 +23,3 @@ * Decode and return the first item in a sequence of CBOR-encoded values | ||
| const _input = new Uint8Array(input); | ||
| const decoded = encoder.decodeMultiple(_input); | ||
| if (decoded === undefined) { | ||
| throw new Error('CBOR input data was empty'); | ||
| } | ||
| /** | ||
| * Typing on `decoded` is `void | []` which causes TypeScript to think that it's an empty array, | ||
| * and thus you can't destructure it. I'm ignoring that because the code works fine in JS, and | ||
| * so this should be a valid operation. | ||
| */ | ||
| // @ts-ignore 2493 | ||
| const decoded = tinyCbor.decodePartialCBOR(_input, 0); | ||
| const [first] = decoded; | ||
@@ -45,3 +32,3 @@ return first; | ||
| export function encode(input) { | ||
| return encoder.encode(input); | ||
| return tinyCbor.encodeCBOR(input); | ||
| } |
@@ -57,3 +57,12 @@ import { decodeAuthenticatorExtensions, } from './decodeAuthenticatorExtensions.js'; | ||
| const firstDecoded = isoCBOR.decodeFirst(authData.slice(pointer)); | ||
| const firstEncoded = Uint8Array.from(isoCBOR.encode(firstDecoded)); | ||
| const firstEncoded = Uint8Array.from( | ||
| /** | ||
| * Casting to `Map` via `as unknown` here because TS doesn't make it possible to define Maps | ||
| * with discrete keys and properties with known types per pair, and CBOR libs typically parse | ||
| * CBOR Major Type 5 to `Map` because you can have numbers for keys. A `COSEPublicKey` can be | ||
| * generalized as "a Map with numbers for keys and either numbers or bytes for values" though. | ||
| * If this presumption falls apart then other parts of verification later on will fail so we | ||
| * should be safe doing this here. | ||
| */ | ||
| isoCBOR.encode(firstDecoded)); | ||
| if (foundBadCBOR) { | ||
@@ -60,0 +69,0 @@ // Restore the bit we changed so that `authData` is the same as it came in and won't break |
@@ -5,3 +5,3 @@ { | ||
| "name": "@simplewebauthn/server", | ||
| "version": "9.0.2", | ||
| "version": "9.0.3", | ||
| "description": "SimpleWebAuthn for Servers", | ||
@@ -54,2 +54,3 @@ "license": "MIT", | ||
| "@hexagon/base64": "^1.1.27", | ||
| "@levischuck/tiny-cbor": "^0.2.2", | ||
| "@peculiar/asn1-android": "^2.3.10", | ||
@@ -61,3 +62,2 @@ "@peculiar/asn1-ecc": "^2.3.8", | ||
| "@simplewebauthn/types": "^9.0.1", | ||
| "cbor-x": "^1.5.2", | ||
| "cross-fetch": "^4.0.0" | ||
@@ -64,0 +64,0 @@ }, |
| export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/types'; | ||
| export * as cborx from 'cbor-x/index-no-eval'; | ||
| export * as tinyCbor from '@levischuck/tiny-cbor'; | ||
| export { default as base64 } from '@hexagon/base64'; | ||
@@ -4,0 +4,0 @@ export { fetch as crossFetch } from 'cross-fetch'; |
@@ -29,5 +29,5 @@ "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.KeyDescription = exports.id_ce_keyDescription = exports.RSAPublicKey = exports.id_secp384r1 = exports.id_secp256r1 = exports.id_ecPublicKey = exports.ECParameters = exports.ECDSASigValue = exports.SubjectKeyIdentifier = exports.SubjectAlternativeName = exports.Name = exports.id_ce_subjectKeyIdentifier = exports.id_ce_subjectAltName = exports.id_ce_extKeyUsage = exports.id_ce_cRLDistributionPoints = exports.id_ce_basicConstraints = exports.id_ce_authorityKeyIdentifier = exports.ExtendedKeyUsage = exports.CRLDistributionPoints = exports.CertificateList = exports.Certificate = exports.BasicConstraints = exports.AuthorityKeyIdentifier = exports.AsnSerializer = exports.AsnParser = exports.crossFetch = exports.base64 = exports.cborx = void 0; | ||
| // cbor (a.k.a. cbor-x in Node land) | ||
| exports.cborx = __importStar(require("cbor-x/index-no-eval")); | ||
| exports.KeyDescription = exports.id_ce_keyDescription = exports.RSAPublicKey = exports.id_secp384r1 = exports.id_secp256r1 = exports.id_ecPublicKey = exports.ECParameters = exports.ECDSASigValue = exports.SubjectKeyIdentifier = exports.SubjectAlternativeName = exports.Name = exports.id_ce_subjectKeyIdentifier = exports.id_ce_subjectAltName = exports.id_ce_extKeyUsage = exports.id_ce_cRLDistributionPoints = exports.id_ce_basicConstraints = exports.id_ce_authorityKeyIdentifier = exports.ExtendedKeyUsage = exports.CRLDistributionPoints = exports.CertificateList = exports.Certificate = exports.BasicConstraints = exports.AuthorityKeyIdentifier = exports.AsnSerializer = exports.AsnParser = exports.crossFetch = exports.base64 = exports.tinyCbor = void 0; | ||
| // tiny_cbor (a.k.a. tiny-cbor in Node land) | ||
| exports.tinyCbor = __importStar(require("@levischuck/tiny-cbor")); | ||
| // b64 (a.k.a. @hexagon/base64 in Node land) | ||
@@ -34,0 +34,0 @@ var base64_1 = require("@hexagon/base64"); |
@@ -0,2 +1,13 @@ | ||
| import { tinyCbor } from '../../deps.js'; | ||
| /** | ||
| * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded | ||
| * | ||
| * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use: | ||
| * - CBOR Map type values MUST decode to JavaScript Maps | ||
| * - CBOR tag 64 (uint8 Typed Array) MUST NOT be used when encoding Uint8Arrays back to CBOR | ||
| * | ||
| * So long as these requirements are maintained, then CBOR sequences can be encoded and decoded | ||
| * freely while maintaining their lengths for the most accurate pointer movement across them. | ||
| */ | ||
| /** | ||
| * Decode and return the first item in a sequence of CBOR-encoded values | ||
@@ -12,2 +23,2 @@ * | ||
| */ | ||
| export declare function encode(input: unknown): Uint8Array; | ||
| export declare function encode(input: tinyCbor.CBORType): Uint8Array; |
@@ -6,3 +6,3 @@ "use strict"; | ||
| /** | ||
| * This encoder should keep CBOR data the same length when data is re-encoded | ||
| * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded | ||
| * | ||
@@ -16,6 +16,2 @@ * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use: | ||
| */ | ||
| const encoder = new deps_js_1.cborx.Encoder({ | ||
| mapsAsObjects: false, | ||
| tagUint8Array: false, | ||
| }); | ||
| /** | ||
@@ -31,12 +27,3 @@ * Decode and return the first item in a sequence of CBOR-encoded values | ||
| const _input = new Uint8Array(input); | ||
| const decoded = encoder.decodeMultiple(_input); | ||
| if (decoded === undefined) { | ||
| throw new Error('CBOR input data was empty'); | ||
| } | ||
| /** | ||
| * Typing on `decoded` is `void | []` which causes TypeScript to think that it's an empty array, | ||
| * and thus you can't destructure it. I'm ignoring that because the code works fine in JS, and | ||
| * so this should be a valid operation. | ||
| */ | ||
| // @ts-ignore 2493 | ||
| const decoded = deps_js_1.tinyCbor.decodePartialCBOR(_input, 0); | ||
| const [first] = decoded; | ||
@@ -50,4 +37,4 @@ return first; | ||
| function encode(input) { | ||
| return encoder.encode(input); | ||
| return deps_js_1.tinyCbor.encodeCBOR(input); | ||
| } | ||
| exports.encode = encode; |
@@ -60,3 +60,12 @@ "use strict"; | ||
| const firstDecoded = index_js_1.isoCBOR.decodeFirst(authData.slice(pointer)); | ||
| const firstEncoded = Uint8Array.from(index_js_1.isoCBOR.encode(firstDecoded)); | ||
| const firstEncoded = Uint8Array.from( | ||
| /** | ||
| * Casting to `Map` via `as unknown` here because TS doesn't make it possible to define Maps | ||
| * with discrete keys and properties with known types per pair, and CBOR libs typically parse | ||
| * CBOR Major Type 5 to `Map` because you can have numbers for keys. A `COSEPublicKey` can be | ||
| * generalized as "a Map with numbers for keys and either numbers or bytes for values" though. | ||
| * If this presumption falls apart then other parts of verification later on will fail so we | ||
| * should be safe doing this here. | ||
| */ | ||
| index_js_1.isoCBOR.encode(firstDecoded)); | ||
| if (foundBadCBOR) { | ||
@@ -63,0 +72,0 @@ // Restore the bit we changed so that `authData` is the same as it came in and won't break |
No alert changes
Improved metrics
- Total package byte prevSize
- increased by0.29%
543986
- Lines of code
- increased by0.12%
11537
- Published versions last year
- increased by11.11%
10
Worsened metrics
- Number of downloads
- decreased by-3.8%
251664
Dependency changes
+ Added@levischuck/tiny-cbor@^0.2.2
+ Added@levischuck/tiny-cbor@0.2.11(transitive)
- Removedcbor-x@^1.5.2
- Removed@cbor-extract/cbor-extract-darwin-arm64@2.2.0(transitive)
- Removed@cbor-extract/cbor-extract-darwin-x64@2.2.0(transitive)
- Removed@cbor-extract/cbor-extract-linux-arm@2.2.0(transitive)
- Removed@cbor-extract/cbor-extract-linux-arm64@2.2.0(transitive)
- Removed@cbor-extract/cbor-extract-linux-x64@2.2.0(transitive)
- Removed@cbor-extract/cbor-extract-win32-x64@2.2.0(transitive)
- Removedcbor-extract@2.2.0(transitive)
- Removedcbor-x@1.6.0(transitive)
- Removeddetect-libc@2.0.3(transitive)
- Removednode-gyp-build-optional-packages@5.1.1(transitive)