@simplewebauthn/server
Advanced tools
Changelog
v3.0.0 - The one with a legacy
This release is focused on updating @simplewebauthn/browser for better browser support out of the box. Most projects will now pull in its (slightly larger) ES5 bundle to ensure maximum browser compatibility, including older browsers in which WebAuthn will never be available. The ES2018 build is still available for projects that only need to target newer browsers, but bundler configuration changes must now be made to include it instead of the ES5 build.
Packages:
Changes:
startAssertion()
no longer Base64URL-encodes userHandle
stringjsrsasign
to 10.2.0
(see
GHSA-27fj-mc8w-j9wg)startAssertion()
fixresponse.userHandle
as returned from startAssertion()
.Changelog
v2.2.1
Packages:
Changes:
Changelog
v2.2.0
Packages:
Changes:
// Newly exported types
import type {
GenerateAssertionOptionsOpts,
GenerateAttestationOptionsOpts,
VerifiedAssertion,
VerifiedAttestation,
VerifyAssertionResponseOpts,
VerifyAttestationResponseOpts,
} from '@simplewebauthn/server';
Changelog
v2.1.0
Packages:
Changes:
startAttestation()
and startAssertion()
now include extension results as
clientExtensionResults
in their return valuePublicKeyCredentialCreationOptionsJSON
and
PublicKeyCredentialRequestOptionsJSON
types with new optional extensions
property to
support specifying WebAuthn extensions when calling generateAttestationOptions()
and
generateAssertionOptions()
AttestationCredentialJSON
and AssertionCredentialJSON
types with new clientExtensionResults
properties to contain output from WebAuthn's
credential.getClientExtensionResults()
Changelog
v2.0.0 - The one with -less and more Buffers
This major release includes improvements intended to make it easier to support passwordless and usernameless WebAuthn flows. Additional information returned from attestation verification can be used by RP's to further scrutinize the attestation now or in the future.
I also made the decision to reduce the amount of encoding from Buffer to Base64URL and decoding from Base64URL to Buffer throughout the library. Verification methods now return raw Buffers so that RP's are free to store and retrieve these values as they see fit without the library imposing any kind of encoding overhead that may complicate storage in a database, etc...
Packages:
Changes:
verifyAttestationResponse()
now returns a different data structure
with additional information that RP's can use to more easily support passwordless and usernameless
WebAuthn flows.
Buffer
values are now returned in place of previously-base64url-encoded values.
This is intended to offer more flexibility in how these values are persisted without imposing an
encoding scheme that may introduce undesirable overhead.Before:
type VerifiedAttestation = {
verified: boolean;
userVerified: boolean;
authenticatorInfo?: {
fmt: ATTESTATION_FORMAT;
counter: number;
base64PublicKey: string;
base64CredentialID: string;
};
};
After:
type VerifiedAttestation = {
verified: boolean;
attestationInfo?: {
fmt: ATTESTATION_FORMAT;
counter: number;
aaguid: string;
credentialPublicKey: Buffer;
credentialID: Buffer;
credentialType: string;
userVerified: boolean;
attestationObject: Buffer;
};
};
verifyAssertionResponse()
now returns a different data structure to
align with changes made to verifyAttestationResponse()
.Before:
type VerifiedAssertion = {
verified: boolean;
authenticatorInfo: {
counter: number;
base64CredentialID: string;
};
};
After:
type VerifiedAssertion = {
verified: boolean;
assertionInfo: {
credentialID: Buffer;
newCounter: number;
};
};
excludeCredentials
argument in generateAttestationOptions()
now expects a
Buffer
type for a credential's id
property. Previously id
needed to be a string
. Existing
credential IDs stored in base64url encoding can be easily converted to Buffer with a library like
base64url
:Before:
const options = generateAttestationOptions({
// ...
excludeCredentials: [{
id: 'PPa1spYTB680cQq5q6qBtFuPLLdG1FQ73EastkT8n0o',
// ...
}],
// ...
});
After:
const options = generateAttestationOptions({
// ...
excludeCredentials: [{
id: base64url.toBuffer('PPa1spYTB680cQq5q6qBtFuPLLdG1FQ73EastkT8n0o'),
// ...
}],
// ...
});
allowCredentials
argument in generateAssertionOptions()
now expects a
Buffer
type for a credential's id
property. Previously id
needed to be a string
. Existing
credential IDs stored in base64url encoding can be easily converted to Buffer with a library like
base64url
:Before:
const options = generateAssertionOptions({
// ...
allowCredentials: [{
id: 'PPa1spYTB680cQq5q6qBtFuPLLdG1FQ73EastkT8n0o',
// ...
}],
// ...
});
After:
const options = generateAssertionOptions({
// ...
allowCredentials: [{
id: base64url.toBuffer('PPa1spYTB680cQq5q6qBtFuPLLdG1FQ73EastkT8n0o'),
// ...
}],
// ...
});
AuthenticatorDevice
type has been updated to expect Buffer
's for
credential data. Naming of its properties have also been updated to help maintain consistency with
naming in the WebAuthn spec:Before:
type AuthenticatorDevice = {
publicKey: Base64URLString;
credentialID: Base64URLString;
counter: number;
transports?: AuthenticatorTransport[];
};
After:
type AuthenticatorDevice = {
credentialPublicKey: Buffer;
credentialID: Buffer;
counter: number;
transports?: AuthenticatorTransport[];
};
Changelog
v1.0.0 - The one that gets things out of "Beta"
Packages:
Changes:
verifyAttestationResponse()
and verifyAssertionResponse()
generateAttestationOptions()
to force legacy
authenticatorSelection.requireResidentKey
to true
when authenticatorSelection.residentKey
is
"required"
(as per L2 of the WebAuthn spec)AuthenticatorDevice
type with optional transports
propertyThere are no breaking changes in this release. Several recent minor changes presented an opportunity to release a "v1.0". I'd received enough positive feedback about SimpleWebAuthn and noticed growing usage which granted me the confidence to take advantage of this opportunity.
And perhaps this will give the project more legitimacy in the eyes of larger organizations wishing to use it but waiting for the libraries to "get out of beta"...
Changelog
v0.10.6
Packages:
Changes:
toUint8Array()
for easier testing when integratedChangelog
v0.10.5
Packages:
Changes:
allowCredentials
in generateAssertionOptions()
optionalgenerateAssertionOptions()
without any optionsallowCredentials
before starting assertionChangelog
v0.10.4
Packages:
Changes: