@simplewebauthn/server
Advanced tools
@simplewebauthn/server - npm Package Versions
Changelog
v13.0.0 - The one where they share a type
Hot on the heels of the last major release, v13 introduces support for registration hints! Refined types and improved attestation trust anchor verification are also included. Last but not least, we say goodbye to one of the project's packages for better docs and fewer dependencies to install. Read on for more information, including refactor advice for dealing with the retirement of @simplewebauthn/types.
Changes:
- [server] A new
preferredAuthenticatorTypeargument can be set when callinggenerateRegistrationOptions()to generate options that encourage the browser to direct the user to register one of three types of authenticators:'securityKey','localDevice', or'remoteDevice'(a.k.a. opinionated WebAuthn hints support) (#653) - [browser]
startRegistration()will recognizehintsif specified inoptionsJSON(#652) - [server] Attestation verification now recognizes intermediate certificates as trust anchors (#650)
- [browser] [server] The types previously maintained in the types package are now included within the browser and server packages. See Breaking Changes below for more info (#655)
Breaking Changes
@typescript/types is being retired. Its types will now be included directly in @simplewebauthn/browser and @simplewebauthn/server.
To refactor existing imports from /types, simply import them from /browser or /server instead:
Before:
import type {
AuthenticationResponseJSON,
RegistrationResponseJSON,
WebAuthnCredential,
} from '@simplewebauthn/types'; // <--
After:
import type {
AuthenticationResponseJSON,
RegistrationResponseJSON,
WebAuthnCredential,
} from '@simplewebauthn/server'; // <--
Changelog
v12.0.0 - The one that claims a JSR scope
All SimpleWebAuthn packages are now available for installation from the JavaScript Registry (JSR)! JSR is an "open-source package registry for modern JavaScript and TypeScript" - you can read more about this new package registry and its ESM-centric capabilities here.
All packages in v12.0.0 are functionally identical to v11.0.0! And JSR package hosting is in
addition to existing package hosting on NPM. Nothing changes about package installation via
npm install. Read on for more information.
Packages
- @simplewebauthn/browser@12.0.0
- @simplewebauthn/server@12.0.0
- @simplewebauthn/types@12.0.0
Changes
- [browser] [server] [types] All packages can now be installed from JSR wherever JSR imports are supported (#634)
- [browser] Deno projects using frameworks like Fresh can now import and use @simplewebauthn/browser (#634)
To install from JSR, use npx jsr add @simplewebauthn/... or deno add jsr:@simplewebauthn/...
depending on which package manager is available.
Projects using npm for package management:
npx jsr add @simplewebauthn/browser
npx jsr add @simplewebauthn/server
npx jsr add @simplewebauthn/types
Projects using deno for package management:
deno add jsr:@simplewebauthn/browser
deno add jsr:@simplewebauthn/server
deno add jsr:@simplewebauthn/types
Changelog
v11.0.0 - The one that auto-registers
Say hello to support for automatic passkey registration, support for valid conditional UI <input>
elements stashed away in web components, and to the new WebAuthnCredential type that modernizes
some logic within.
There are some breaking changes in this release! Please see Breaking Changes below for refactor guidance.
Packages
- @simplewebauthn/browser@11.0.0
- @simplewebauthn/server@11.0.0
- @simplewebauthn/types@11.0.0
Changes
- [browser] [server] A new
useAutoRegisterargument has been added tostartRegistration()to support attempts to automatically register passkeys for users who just completed non-passkey auth.verifyRegistrationResponse()has gained a newrequireUserPresenceoption that can be set tofalsewhen verifying responses fromstartRegistration({ useAutoRegister: true, ... })(#623) - [browser] A new
verifyBrowserAutofillInputargument has been added tostartAuthentication()to disable throwing an error when a correctly configured<input>element cannot be found (but perhaps a valid one is present in a web component shadow's DOM) (#621) - [server] [types] The
AuthenticatorDevicetype has been renamed toWebAuthnCredentialand has had its properties renamed. The return value out ofverifyRegistrationResponse()and corresponding inputs intoverifyAuthenticationResponse()have been updated accordingly. See Breaking Changes below for refactor guidance (#625) - [server]
verifyRegistrationResponse()now verifies that the authenticator data AAGUID matches the leaf cert'sid-fido-gen-ce-aaguidextension AAGUID when it is present (#609) - [server] TPM attestation verification recognizes the corrected TPM manufacturer identifier for IBM (#610)
- [server] Types for the defunct authenticator extensions
uvmanddpkhave been removed (#611)
Breaking Changes
[browser] Positional arguments in startRegistration() and startAuthentication() have been replaced by a single object
Property names in the object match the names of the previously-positional arguments. To update existing implementations, wrap existing options in an object with corresponding properties:
Before:
startRegistration(options);
startAuthentication(options, true);
After:
startRegistration({ optionsJSON: options });
startAuthentication({ optionsJSON: options, useBrowserAutofill: true });
[server] [types] The AuthenticatorDevice type has been renamed to WebAuthnCredential
AuthenticatorDevice.credentialID and AuthenticatorDevice.credentialPublicKey have been shortened
to WebAuthnCredential.id and WebAuthnCredential.publicKey respectively.
verifyRegistrationResponse() has been updated accordingly to return a new credential value of
type WebAuthnCredential. Update code that stores credentialID, credentialPublicKey, and
counter out of verifyRegistrationResponse() to store credential.id, credential.publicKey,
and credential.counter instead:
Before:
const { registrationInfo } = await verifyRegistrationResponse({...});
storeInDatabase(
registrationInfo.credentialID,
registrationInfo.credentialPublicKey,
registrationInfo.counter,
body.response.transports,
);
After:
const { registrationInfo } = await verifyRegistrationResponse({...});
storeInDatabase(
registrationInfo.credential.id,
registrationInfo.credential.publicKey,
registrationInfo.credential.counter,
registrationInfo.credential.transports,
);
Update calls to verifyAuthenticationResponse() to match the new credential argument that
replaces the authenticator argument:
Before:
import { AuthenticatorDevice } from '@simplewebauthn/types';
const authenticator: AuthenticatorDevice = {
credentialID: ...,
credentialPublicKey: ...,
counter: 0,
transports: [...],
};
const verification = await verifyAuthenticationResponse({
// ...
authenticator,
});
After:
import { WebAuthnCredential } from '@simplewebauthn/types';
const credential: WebAuthnCredential = {
id: ...,
publicKey: ...,
counter: 0,
transports: [...],
};
const verification = await verifyAuthenticationResponse({
// ...
credential,
});
Changelog
v10.0.0 - The one that goes up to 20
Thanks for everything, Node 16 and Node 18, but it's time to move on! The headlining change of this release is the targeting of Node LTS v20+ as the minimum Node runtime. Additional developer-centric quality-of-life changes have also been made in the name of streamlining use of SimpleWebAuthn on both the back end and front end.
This release is packed with updates, so buckle up! Refactor advice for breaking changes is, as always, offered below.
Packages
- @simplewebauthn/browser@10.0.0
- @simplewebauthn/server@10.0.0
- @simplewebauthn/types@10.0.0
Changes
- [server] The minimum supported Node version has been raised to Node v20 (#531)
- [server]
user.displayNamenow defaults to an empty string if a value is not specified foruserDisplayNamewhen callinggenerateRegistrationOptions()(#538) - [browser] The
browserSupportsWebAuthnAutofill()helper will no longer break in environments in whichPublicKeyCredentialis not present (#557, with thanks to @clarafitzgerald)
Breaking Changes
- [server] The following breaking changes were made in PR
#529:
generateRegistrationOptions()now expectsBase64URLStringfor excluded credential IDsgenerateAuthenticationOptions()now expectsBase64URLStringfor allowed credential IDscredentialIDreturned from response verification methods is now aBase64URLStringAuthenticatorDevice.credentialIDis now aBase64URLStringisoBase64URL.isBase64url()is now calledisoBase64URL.isBase64URL()
- [browser, server] The following breaking changes were made in PR
#552:
generateRegistrationOptions()now accepts an optionalUint8Arrayinstead of astringforuserIDisoBase64URL.toString()andisoBase64URL.fromString()have been renamedgenerateRegistrationOptions()will now generate random user IDsuser.idis now treated like a base64url string instartRegistration()userHandleis now treated like a base64url string instartAuthentication()
- [server]
rpIDis now a required argument when callinggenerateAuthenticationOptions()(#555)
[server] generateRegistrationOptions() now expects Base64URLString for excluded credential IDs
The isoBase64URL helper can be used to massage Uint8Array credential IDs into base64url strings:
Before
const opts = await generateRegistrationOptions({
// ...
excludeCredentials: devices.map((dev) => ({
id: dev.credentialID, // type: Uint8Array
type: 'public-key',
transports: dev.transports,
})),
});
After
import { isoBase64URL } from '@simplewebauthn/server/helpers';
const opts = await generateRegistrationOptions({
// ...
excludeCredentials: devices.map((dev) => ({
id: isoBase64URL.fromBuffer(dev.credentialID), // type: string
transports: dev.transports,
})),
});
The type argument is no longer needed either.
[server] generateAuthenticationOptions() now expects Base64URLString for allowed credential IDs
Similarly, the isoBase64URL helper can also be used during auth to massage Uint8Array credential
IDs into base64url strings:
Before
const opts = await generateAuthenticationOptions({
// ...
allowCredentials: devices.map((dev) => ({
id: dev.credentialID, // type: Uint8Array
type: 'public-key',
transports: dev.transports,
})),
});
After
import { isoBase64URL } from '@simplewebauthn/server/helpers';
const opts = await generateAuthenticationOptions({
// ...
allowCredentials: devices.map((dev) => ({
id: isoBase64URL.fromBuffer(dev.credentialID), // type: Base64URLString (a.k.a string)
transports: dev.transports,
})),
});
The type argument is no longer needed either.
[server] credentialID returned from response verification methods is now a Base64URLString
It is no longer necessary to manually stringify credentialID out of response verification methods:
Before
import { isoBase64URL } from '@simplewebauthn/server/helpers';
// Registration
const { verified, registrationInfo } = await verifyRegistrationResponse({ ... });
if (verified && registrationInfo) {
const { credentialID } = registrationInfo;
await storeInDatabase({ credIDString: isoBase64URL.fromBuffer(credentialID), ... });
}
// Authentication
const { verified, authenticationInfo } = await verifyAuthenticationResponse({ ... });
if (verified && authenticationInfo) {
const { newCounter, credentialID } = authenticationInfo;
dbAuthenticator.counter = authenticationInfo.newCounter;
await updateCounterInDatabase({
credIDString: isoBase64URL.fromBuffer(credentialID),
newCounter,
});
}
After
// Registration
const { verified, registrationInfo } = await verifyRegistrationResponse({ ... });
if (verified && registrationInfo) {
const { credentialID } = registrationInfo;
await storeInDatabase({ credIDString: credentialID, ... });
}
// Authentication
const { verified, authenticationInfo } = await verifyAuthenticationResponse({ ... });
if (verified && authenticationInfo) {
const { newCounter, credentialID } = authenticationInfo;
dbAuthenticator.counter = authenticationInfo.newCounter;
await updateCounterInDatabase({ credIDString: credentialID, newCounter });
}