@simplewebauthn/server
Changelog
v8.0.0 - Around the (ESM) World
This major release marks the completion of a long journey that started with the release of v7.0.0: SimpleWebAuthn is now available for use in non-Node projects! 🎉
SimpleWebAuthn debuted in mid-2020 as a combination of libraries aiming to make WebAuthn simpler to use across browsers and "NodeJS + CommonJS" applications. Since then NodeJS has evolved to gain ESM support, and additional JavaScript and TypeScript runtimes have debuted that offer ESM-centric, TypeScript-first alternatives while also implementing Web APIs to offer a more consistent and capable execution environment for developers.
I've wanted to make this project available to developers using these Node alternatives to help them get past some of WebAuthn's rough spots. Today I'm happy to announce that this goal has been achieved! 😌
See the Changes below for more information, as well as additional information on breaking changes made in this release.
generateRegistrationOptions() and generateAuthenticationOptions() are now asynchronous methods. Refactor calls to these methods to handle the Promise that's now returned in whatever way is appropriate for your project.
generateChallenge() (in @simplewebauthn/server/helpers) is now an asynchronous method. Refactor calls to this method to handle the Promise that's now returned in whatever way is appropriate for your project.
v7.4.0
Packages:
Changes:
AuthenticatorAttestationResponseJSON now includes additional, optional publicKeyAlgorithm, publicKey, and authenticatorData convenience values that track JSON interface changes in WebAuthn L3 draft (#400)
verifyRegistrationResponse() and verifyAuthenticationResponse() now return the matched origin and RP ID in their output to help RPs that use the same verification logic with multiple origins and RP IDs understand where a response was generated and for which RP (#415)
"smart-card" is now a recognized value for AuthenticatorTransportFuture (#399)
v7.3.1
Packages:
Changes:
AttestationStatement.size property declaration is now more tolerant of older versions of TypeScript
v7.2.0
Packages:
Changes:
generateRegistrationOptions() defaults to -8, -7, and -257 for supported public key algorithms (#361)
npm install @simplewebauthn/typescript-types to pull in type definitions when using these libraries (#370)
startRegistration() and startAuthentication() now include a code property to help programmatically detect identified errors. A new cause property is also populated that will always include the original error raised by the WebAuthn API call (#367)
startAuthentication(..., true) and then subsequently calling startAuthentication() for modal UI) will now throw an AbortError instead of a string (#371)
v7.0.0 - The one that sets the library loose
The highlight of this release is the rearchitecture of @simplewebauthn/server to start allowing it to be used in more environments than Node. This was accomplished by refactoring the library completely away from Node's Buffer type and crypto package, and instead leveraging Uint8Array and the WebCrypto Web API for all cryptographic operations. This means that, hypothetically, this library can now also work in any non-Node environment that provides access to the WebCrypto API on the global crypto object.
Existing Node support is still first-class! In fact, because @simplewebauthn/server still builds to CommonJS it will continue to be tricky to incorporate the library in non-Node, ESM-only environments that do not support CommonJS modules (whether natively, via a bundler, etc.). A future update will attempt to fix this to offer better support for use in ESM-only projects with support for WebCrypto (e.g. Deno).
Please read all of the changes below! There are significant breaking changes in this update and additional information has been included to help adapt existing projects to the newest version of these libraries.
Packages:
Changes:
@simplewebauthn/server/helpers now includes several new helpers for working with WebAuthn-related data types that should work in all run times:
  isoCBOR for working with CBOR-encoded values
  isoCrypto for leveraging the WebCrypto API when working with various WebAuthn/FIDO2 data structures
  isoBase64URL for encoding and decoding values into base64url (with optional base64 support)
  isoUint8Array for working with Uint8Arrays
  cose for working with COSE-related methods and types
verifyRegistrationResponse() are now a Uint8Array instead of a Buffer. They will need to be passed into Buffer.from(...) to convert them to Buffer if needed:
  aaguid
  authData
  clientDataHash
  credentialID
  credentialPublicKey
  rpIdHash
verifyAuthenticationResponse() are now a Uint8Array instead of a Buffer. They will need to be passed into Buffer.from(...) to convert them to Buffer if needed:
  credentialID
isBase64URLString() helper is now isoBase64URL.isBase64url()
decodeCborFirst() helper is now isoCBOR.decodeFirst()
convertPublicKeyToPEM() helper has been removed
RegistrationCredentialJSON type has been replaced by the RegistrationResponseJSON type
AuthenticationCredentialJSON type has been replaced by the AuthenticationResponseJSON type
RegistrationCredentialJSON.transports has been relocated into RegistrationResponseJSON.response.transports to mirror response structure in the WebAuthn spec
verifyRegistrationResponse() method has had its credential argument renamed to response
verifyAuthenticationResponse() method has had its credential argument renamed to response
generateRegistrationOptions() now marks user verification as "preferred" during registration and authentication (to reduce some user friction at the browser+authenticator level), and requires user verification during response verification. See below for refactor tips (#307)
verifyRegistrationResponse()
Before
const verification = await verifyRegistrationResponse({
  credential: attestationFIDOU2F,
  // ...
});
After
const verification = await verifyRegistrationResponse({
  // The `credential` argument is named `response` as of v7.0.0
  response: attestationFIDOU2F,
  // ...
  requireUserVerification: false,
});
verifyAuthenticationResponse()
Before
const verification = await verifyAuthenticationResponse({
  credential: assertionResponse,
  // ...
});
After
const verification = await verifyAuthenticationResponse({
  // The `credential` argument is named `response` as of v7.0.0
  response: assertionResponse,
  // ...
  requireUserVerification: false,
});
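What the requireUserVerification setting above turns on is the UV bit in the authenticator data flags byte. The following is an added illustration, not SimpleWebAuthn source code: it parses the fixed 37-byte authenticator data header defined by the WebAuthn spec and applies the same policy choice. The names parseAuthDataHeader, checkUserFlags and sampleAuthData are hypothetical, and the sample bytes are constructed.

```javascript
// Added illustration, not library code. Header layout per the WebAuthn spec:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

function parseAuthDataHeader(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticator data must be at least 37 bytes');
  }
  // Respect byteOffset so views into a larger buffer are read correctly.
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical helper; the option name mirrors the one in the changelog and
// defaults to true, matching the v7.0.0 behaviour described above.
function checkUserFlags(authData, { requireUserVerification = true } = {}) {
  const parsed = parseAuthDataHeader(authData);
  if (!parsed.userPresent) {
    throw new Error('user presence flag (UP) not set');
  }
  if (requireUserVerification && !parsed.userVerified) {
    throw new Error('user verification required but UV flag not set');
  }
  return parsed;
}

// Constructed sample header; rpIdHash is left as zeros.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

// A touch-only security key used as a second factor sets UP but not UV.
const touchOnly = sampleAuthData(FLAG_UP, 7);
console.log(checkUserFlags(touchOnly, { requireUserVerification: false }).signCount);
```

With the default setting the same touchOnly sample is rejected, which is the breakage second-factor deployments see after upgrading without the refactor.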
generateRegistrationOptions() now defaults to preferring the creation of discoverable credentials. See below for refactor tips (#324)
generateRegistrationOptions()
Before
const options = generateRegistrationOptions({
  rpName: 'SimpleWebAuthn',
  rpID: 'simplewebauthn.dev',
  userID: '1234',
  userName: 'usernameHere',
});
After
const options = generateRegistrationOptions({
  rpName: 'SimpleWebAuthn',
  rpID: 'simplewebauthn.dev',
  userID: '1234',
  userName: 'usernameHere',
  authenticatorSelection: {
    // See https://www.w3.org/TR/webauthn-2/#enumdef-residentkeyrequirement
    residentKey: 'discouraged',
  },
});
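Returning to the v7.0.0 change above that makes values such as credentialID and credentialPublicKey a Uint8Array instead of a Buffer: the added example below (not project code) shows the Buffer.from(...) conversion for Node code that still expects Buffer, and the mistake of wrapping only the backing ArrayBuffer. All helper names are hypothetical, the sample bytes are constructed, and Node's own base64url encoding is used rather than the library's isoBase64URL helper.

```javascript
// Added example for Node.js; helper names are hypothetical, not library APIs.

// Copy exactly the bytes the view exposes. Correct for any Uint8Array.
function toBuffer(u8) {
  return Buffer.from(u8);
}

// Zero-copy alternative: shares memory with the source, so the view's own
// offset and length must be passed along with the backing ArrayBuffer.
function toBufferView(u8) {
  return Buffer.from(u8.buffer, u8.byteOffset, u8.byteLength);
}

// Pitfall: wrapping only `.buffer` exposes the whole backing ArrayBuffer,
// not just the field. Shown for comparison; do not use.
function toBufferWholeBacking(u8) {
  return Buffer.from(u8.buffer);
}

// Text form for a database column, and back to a standalone Uint8Array.
function toStoredID(u8) {
  return toBuffer(u8).toString('base64url');
}

function fromStoredID(text) {
  // Copy out of the Buffer: small Buffers can sit inside a shared pool.
  return new Uint8Array(Buffer.from(text, 'base64url'));
}

// Byte-wise comparison of a stored ID against one from a response.
function sameBytes(a, b) {
  return a.length === b.length && a.every((byte, i) => byte === b[i]);
}

// Constructed sample: 48 bytes standing in for a parsed structure, with a
// 16-byte credentialID exposed as a view over its tail.
const parsed = Uint8Array.from({ length: 48 }, (_, i) => i);
const credentialID = parsed.subarray(32);

console.log(toBuffer(credentialID).length);             // 16
console.log(toBufferWholeBacking(credentialID).length); // 48
console.log(sameBytes(fromStoredID(toStoredID(credentialID)), credentialID)); // true
```

The 48-byte result is the case to watch for: a field that is a view over a larger parsed structure would be stored or logged together with its neighbouring bytes.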