fix(deps): update dependency @simplewebauthn/server to v10 #10029
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
9.0.3
->10.0.1
Release Notes
MasterKale/SimpleWebAuthn (@simplewebauthn/server)
v10.0.1
Compare Source
Packages
Changes
isoCrypto.verify()
now has better support for signature verification with ECCpublic keys using P-256, P-385, and P-521 curves
(#594, with thanks to @nlordell)
v10.0.0
Compare Source
Thanks for everything, Node 16 and Node 18, but it's time to move on! The headlining change of this
release is the targeting of Node LTS v20+ as the minimum Node runtime. Additional developer-centric
quality-of-life changes have also been made in the name of streamlining use of SimpleWebAuthn on
both the back end and front end.
This release is packed with updates, so buckle up! Refactor advice for breaking changes is, as
always, offered below.
Packages
Changes
(#531)
user.displayName
now defaults to an empty string if a value is not specified foruserDisplayName
when callinggenerateRegistrationOptions()
(#538)
browserSupportsWebAuthnAutofill()
helper will no longer break in environmentsin which
PublicKeyCredential
is not present(#557, with thanks to @clarafitzgerald)
Breaking Changes
#529:
generateRegistrationOptions()
now expectsBase64URLString
for excluded credential IDsgenerateAuthenticationOptions()
now expectsBase64URLString
for allowed credential IDscredentialID
returned from response verification methods is now aBase64URLString
AuthenticatorDevice.credentialID
is now aBase64URLString
isoBase64URL.isBase64url()
is now calledisoBase64URL.isBase64URL()
#552:
generateRegistrationOptions()
now accepts an optionalUint8Array
instead of astring
foruserID
isoBase64URL.toString()
andisoBase64URL.fromString()
have been renamedgenerateRegistrationOptions()
will now generate random user IDsuser.id
is now treated like a base64url string instartRegistration()
userHandle
is now treated like a base64url string instartAuthentication()
rpID
is now a required argument when callinggenerateAuthenticationOptions()
(#555)
[server]
generateRegistrationOptions()
now expectsBase64URLString
for excluded credential IDsThe
isoBase64URL
helper can be used to massageUint8Array
credential IDs into base64url strings:Before
After
The
type
argument is no longer needed either.[server]
generateAuthenticationOptions()
now expectsBase64URLString
for allowed credential IDsSimilarly, the
isoBase64URL
helper can also be used during auth to massageUint8Array
credentialIDs into base64url strings:
Before
After
The
type
argument is no longer needed either.[server]
credentialID
returned from response verification methods is now aBase64URLString
It is no longer necessary to manually stringify
credentialID
out of response verification methods:Before
After
[server]
AuthenticatorDevice.credentialID
is now aBase64URLString
Calls to
verifyAuthenticationResponse()
will need to be updated to encode the credential ID to abase64url string:
Before
After
[server]
isoBase64URL.isBase64url()
is now calledisoBase64URL.isBase64URL()
Note the capitalization change from "url" to "URL" in the method name. Update calls to this method
accordingly.
[server]
generateRegistrationOptions()
will now generate random user IDs[browser]
user.id
is now treated like a base64url string instartRegistration()
[browser]
userHandle
is now treated like a base64url string instartAuthentication()
A random identifier will now be generated when a value is not provided for the now-optional
userID
argument when calling
generateRegistrationOptions()
. This identifier will be base64url-encodedstring of 32 random bytes. RPs that wish to take advantage of this can simply omit this
argument.
Additionally,
startRegistration()
will base64url-decodeuser.id
before calling WebAuthn. Duringauth
startAuthentication()
will base64url-encodeuserHandle
in the returned credential. Thisshould be a transparent change for RP's that simply feed @simplewebauthn/server options output
into the corresponding @simplewebauthn/browser methods.
However, RP's that wish to continue generating their own user identifiers will need to take
additional steps to ensure they get back user IDs in the expected format after authentication.
Before (SimpleWebAuthn v9)
After (SimpleWebAuthn v10)
[server]
isoBase64URL.toString()
andisoBase64URL.fromString()
have been renamedThe method names have been updated to reflect the use of UTF-8 string encoding:
Before:
After:
[server]
rpID
is now a required argument when callinggenerateAuthenticationOptions()
Update calls to this method to specify the same
rpID
as passed intogenerateRegistrationOptions()
:Before
After
Configuration
📅 Schedule: Branch creation - "every weekday after 2:00 am before 6:00 am,every weekend" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.