rodauth 2.2.0 → 2.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f672a0312d4a0c6103bb763d339161119551a0e64cc248546a0cb52f4e6784c1
-  data.tar.gz: 530d322cc3ddba655959238aafe155512de11f090afb9465980181dcc729d1b9
+  metadata.gz: ce2af7161a7aaba17ebb25beda65f8598306b2d040986db0be215b89fb683149
+  data.tar.gz: cf69c788c9401485610599f0b6996f340ab315fcbceb359bccf01a78dceaadc8
 SHA512:
-  metadata.gz: d8018f5e02d077bd8625c17c8c5a1f607b986c1916296132ef68e2651d2af26d65ddbdfdc9b5f1352431c74caa30e94d270cc03840207303f8fa0e6a44910a0b
-  data.tar.gz: 5f24ce4d800d3bbe914dac40dba1cd68b78af4aff5efdaf976b32702d45b5fe7809453d2a650f407437afb1b9d6206ff3d79e6f703fcd85d8d55a0f0658464eb
+  metadata.gz: 8b2d72d0f9338a359653e90829618f2579afc30095bb0dd1bd0c627730c91117158ef5ebbca9a4a32bb78bd312ebbac308a68efb761cf93c4dfc707d7bdcea24
+  data.tar.gz: d5eb1fc01df26b8305edec707642d3192e7a5dc3507416d0e60aaf6ffd1b079ac4ddced72a85d61c4623c70df2d784307cfba60b8759741b2991f591c623b0b0

data/CHANGELOG

@@ -1,3 +1,53 @@
+=== 2.7.0 (2020-12-22)
+
+* Avoid method redefinition warnings in verbose warning mode (jeremyevans)
+
+* Return expired access token error message in the JWT refresh feature when using an expired token when it isn't allowed (AlexyMatskevich) (#133)
+
+* Allow Rodauth features to be preloaded, instead of always trying to require them (janko) (#136)
+
+* Use a default remember cookie path of '/', though this may cause problem with multiple Rodauth configurations on the same domain (janko) (#134)
+
+* Add auto_remove_recovery_codes? to the recovery_codes feature, for automatically removing the codes when disabling multifactor authentication (SilasSpet, jeremyevans) (#135)
+
+=== 2.6.0 (2020-11-20)
+
+* Avoid loading features multiple times (janko) (#131)
+
+* Add around_rodauth method for running code around the handling of all Rodauth routes (bjeanes) (#129)
+
+* Fix javascript for registration of multiple webauthn keys (bjeanes) (#127)
+
+* Add allow_refresh_with_expired_jwt_access_token? configuration method to jwt_refresh feature, for allowing refresh with expired access token (jeremyevans)
+
+* Promote setup_account_verification to public API, useful for automatically sending account verification emails (jeremyevans)
+
+=== 2.5.0 (2020-10-22)
+
+* Add change_login_needs_verification_notice_flash for easier translation of change_login_notice_flash when using verify_login_change (bjeanes, janko, jeremyevans) (#126)
+
+* Add login_return_to_requested_location_path for controlling path to use as the requested location (HoneyryderChuck, jeremyevans) (#122, #123)
+
+=== 2.4.0 (2020-09-21)
+
+* Add session_key_prefix for more easily using separate session keys when using multiple configurations (janko) (#121)
+
+* Add password_pepper feature for appending a secret key to passwords before they are hashed, supporting secret rotation (janko) (#119)
+
+=== 2.3.0 (2020-08-21)
+
+* Return an error status instead of an invalid access token when trying to refresh JWT without an access token in the jwt_refresh feature (jeremyevans)
+
+* Allow {create,drop}_database_authentication_functions to work with UUID keys (monorkin, janko) (#117)
+
+* Add rodauth.login('login_type') for logging in after setting a valid account (janko) (#114)
+
+* Make new refresh token available to the after_refresh_token hook by setting it in the response first (jeremyevans)
+
+* Make the jwt_refresh plugin call before_jwt_refresh_route hook (previously the configuration method was ignored) (AlexeyMatskevich) (#110)
+
+* Add login_email_regexp, login_not_valid_email_message, and log_valid_email? configuration methods (janko) (#107)
+
 === 2.2.0 (2020-07-20)
 
 * Allow removing all jwt_refresh tokens when logging out by providing a value of "all" as the token to remove (jeremyevans)

data/README.rdoc

@@ -44,6 +44,7 @@ HTML and JSON API for all supported features.
 * Verify Account Grace Period (Don't require verification before login)
 * Password Grace Period (Don't require password entry if recently entered)
 * Password Complexity (More sophisticated checks)
+* Password Pepper
 * Disallow Password Reuse
 * Disallow Common Passwords
 * Password Expiration
@@ -881,6 +882,7 @@ view the appropriate file in the doc directory.
 * {Password Complexity}[rdoc-ref:doc/password_complexity.rdoc]
 * {Password Expiration}[rdoc-ref:doc/password_expiration.rdoc]
 * {Password Grace Period}[rdoc-ref:doc/password_grace_period.rdoc]
+* {Password Pepper}[rdoc-ref:doc/password_pepper.rdoc]
 * {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
 * {Remember}[rdoc-ref:doc/remember.rdoc]
 * {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
@@ -1062,6 +1064,18 @@ the name as an argument to use that configuration:
     r.rodauth
   end
 
+By default, alternate configurations will use the same session keys as the
+primary configuration, which may be undesirable. To ensure session state is
+separated between configurations, you can set a session key prefix for
+alternate configurations.  If you are using the remember feature in both
+configurations, you may also want to set a different remember key in the
+alternate configuration:
+
+  plugin :rodauth, :name=>:secondary do
+    session_key_prefix "secondary_"
+    remember_cookie_key "_secondary_remember"
+  end
+
 === With Password Hashes Inside the Accounts Table
 
 You can use Rodauth if you are storing password hashes in the same

data/doc/base.rdoc

@@ -1,7 +1,7 @@
 = Documentation for Base Feature
 
 The base feature is automatically loaded when you use Rodauth.  It contains
-shared functionality that is used by multiple features. 
+shared functionality that is used by multiple features.
 
 == Auth Value Methods
 
@@ -17,6 +17,7 @@ mark_input_fields_as_required? :: Whether input fields should be marked as requi
 prefix :: The routing prefix used for Rodauth routes.  If you are calling in a routing subtree, this should be set to the root path of the subtree.  This should include a leading slash if set, but not a trailing slash.
 require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication.
 session_key :: The key in the session hash storing the primary key of the logged in account.
+session_key_prefix :: The string that will be prepended to the default value for all session keys.
 skip_status_checks? :: Whether status checks should be skipped for accounts.  Defaults to true unless enabling the verify_account or close_account features.
 title_instance_variable :: The instance variable to set in the Roda scope with the page title.  The layout should use this instance variable if available to set the title of the page.  You can use +set_title+ if setting the page title is not done through an instance variable.
 
@@ -87,6 +88,7 @@ account_session_value :: The primary value of the current account to store in th
 after_login :: Run arbitrary code after a successful login.
 after_login_failure :: Run arbitrary code after a login failure due to an invalid password.
 already_logged_in :: What action to take if you are already logged in and attempt to access a page that only makes sense if you are not logged in.
+around_rodauth(&block) :: Run arbitrary code around handling any rodauth route.  Call <tt>super(&block)</tt> for Rodauth to handle the action.
 authenticated? :: Whether the user has been authenticated. If multifactor authentication has been enabled for the account, this is true only if the session is multifactor authenticated.
 before_login :: Run arbitrary code after password has been checked, but before updating the session.
 before_login_attempt :: Run arbitrary code after an account has been located, but before the password has been checked.

data/doc/jwt_refresh.rdoc

@@ -19,23 +19,36 @@ when logging out, provide the refresh token when submitting the JSON request to
 If you would like to remove all refresh tokens for the account when logging out, provide
 a value of <tt>all</tt> as the token value.
 
+When using the refresh token, you must provide a valid access token, as that contains
+information about the current session, which is used to create the new access token.
+If you change the +allow_refresh_with_expired_jwt_access_token?+ setting to +true+,
+an expired but otherwise valid access token will be accepted, and Rodauth will check
+that the access token was issued in the same session as the refresh token.
+
 This feature depends on the jwt feature.
 
 == Auth Value Methods
 
+allow_refresh_with_expired_jwt_access_token? :: Whether refreshing should be allowed with an expired access token. Default is +false+.  You must set an +hmac_secret+ if setting this value to +true+.
+expired_jwt_access_token_status :: The HTTP status code to use when a access token (JWT) is expired is submitted in the Authorization header. Default is 400 for backwards compatibility, and it is recommended to set it to 401.
+expired_jwt_access_token_message :: The error message to use when a access token (JWT) is expired is submitted in the Authorization header.
 jwt_access_token_key :: Name of the key in the response json holding the access token.  Default is +access_token+.
 jwt_access_token_not_before_period :: How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.
 jwt_access_token_period :: Validity of an access token in seconds, default is 1800 (30 minutes).
 jwt_refresh_route :: The route to the login action. Defaults to <tt>jwt-refresh</tt>.
 jwt_refresh_invalid_token_message :: Error message when the provided refresh token is non existent, invalid or expired.
 jwt_refresh_token_account_id_column :: The column name in the +jwt_refresh_token_table+ storing the account id, should be a foreign key referencing the accounts table.
+jwt_refresh_token_data_session_key :: The key in the session hash storing random data, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
 jwt_refresh_token_deadline_column :: The column name in the +jwt_refresh_token_table+ storing the deadline after which the refresh token will no longer be valid.
 jwt_refresh_token_deadline_interval :: Validity of a refresh token. Default is 14 days.
+jwt_refresh_token_hmac_session_key :: The key in the session hash storing the hmac, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
 jwt_refresh_token_id_column :: The column name in the refresh token keys table storing the id of each token (the primary key of the table).
 jwt_refresh_token_key :: Name of the key in the response json holding the refresh token.  Default is +refresh_token+.
 jwt_refresh_token_key_column :: The column name in the +jwt_refresh_token_table+ holding the refresh token key value.
 jwt_refresh_token_key_param :: Name of parameter in which the refresh token is provided when requesting a new token.  Default is +refresh_token+.
 jwt_refresh_token_table :: Name of the table holding refresh token keys.
+jwt_refresh_without_access_token_message :: Error message when trying to refresh with providing an access token.
+jwt_refresh_without_access_token_status :: The HTTP status code to use when trying to refresh without providing an access token.
 
 == Auth Methods
 

data/doc/login.rdoc

@@ -3,6 +3,13 @@
 The login feature implements a login page.  It's the most commonly
 used feature.
 
+In addition to the auth methods below, it provides a +login+ method that wraps
++login_session+, running login hooks and redirecting to the configured
+location.
+
+  rodauth.account           #=> { id: 123, ... }
+  rodauth.login('password') # login the current account
+
 == Auth Value Methods
 
 login_additional_form_tags :: HTML fragment containing additional form tags to use on the login form.
@@ -27,4 +34,5 @@ use_multi_phase_login? :: Whether to ask for login first, and only ask for passw
 
 before_login_route :: Run arbitrary code before handling a login route.
 login_view :: The HTML to use for the login form.
+login_return_to_requested_location_path :: If +login_return_to_requested_location?+ is true, the path to use as the requested location.  By default, uses the full path of the request for GET requests, and is nil for non-GET requests (in which case the default +login_redirect+ will be used).
 multi_phase_login_view :: The HTML to use for the login form after login has been entered when using multi phase login.

data/doc/login_password_requirements_base.rdoc

@@ -9,8 +9,10 @@ already_an_account_with_this_login_message :: The error message to display when
 login_confirm_label :: The label to use for login confirmations.
 login_confirm_param :: The parameter name to use for login confirmations.
 login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
+login_email_regexp :: The regular expression used to validate whether login is a valid email address.
 login_maximum_length :: The maximum length for logins, 255 by default.
 login_minimum_length :: The minimum length for logins, 3 by default.
+login_not_valid_email_message :: The error message to display when login is not a valid email address.
 login_too_long_message :: The error message fragment to show if the login is too long.
 login_too_short_message :: The error message fragment to show if the login is too short.
 logins_do_not_match_message :: The error message to display when login and login confirmation do not match.
@@ -29,6 +31,7 @@ same_as_existing_password_message :: The error message to display when a new pas
 == Auth Methods
 
 login_meets_requirements?(login) :: Whether the given login meets the requirements.  By default, just checks that the login is a valid email address.
+login_valid_email?(login) :: Whether the login is a valid email address.
 password_hash(password) :: A hash of the given password.
 password_meets_requirements?(password) :: Whether the given password meets the requirements. Can be used to implement complexity requirements for passwords.
 set_password(password) :: Set the password for the current account to the given password.

data/doc/password_pepper.rdoc

@@ -0,0 +1,44 @@
+= Documentation for Password Pepper Feature
+
+The password pepper feature appends a specified secret string to passwords
+before they are hashed. This way, if the password hashes get compromised, an
+attacker cannot use them to crack the passwords without also knowing the
+pepper.
+
+In the configuration block set the +password_pepper+ with your secret string.
+It's recommended for the password pepper to be at last 32 characters long and
+randomly generated.
+
+  password_pepper "<long secret key>"
+
+If your database already contains password hashes that were created without a
+password pepper, these will get automatically updated with a password pepper
+next time the user successfully enters their password.
+
+You can rotate the password pepper as well, just make sure to add the previous
+pepper to the +previous_password_peppers+ array. Password hashes using the old
+pepper will get automatically updated on the next successful password match.
+
+  password_pepper "new pepper"
+  previous_password_peppers ["old pepper", ""] 
+
+The empty string above ensures password hashes without pepper are handled as
+well.
+
+Note that each entry in +previous_password_peppers+ will multiply the amount of
+possible password checks during login, at least for incorrect passwords.
+
+Additionally, when using this feature with the disallow_password_reuse feature,
+the number of passwords checked when changing or resetting a password will be
+
+  (previous_password_peppers.length + 1) * previous_passwords_to_check
+
+So if you have 2 entries in +previous_password_peppers+, using the default
+value of 6 for +previous_passwords_to_check+, every time a password
+is changed, there will be 18 password checks done, which will be quite slow.
+
+== Auth Value Methods
+
+password_pepper :: The secret string appended to passwords before they are hashed.
+previous_password_peppers :: An array of password peppers that will be tried on an unsuccessful password match. Defaults to <tt>[""]</tt>, which allows introducing this feature with existing passwords.
+password_pepper_update? :: Whether to update password hashes that use a pepper from +previous_password_peppers+ with a new pepper. Defaults to +true+.

data/doc/recovery_codes.rdoc

@@ -17,7 +17,8 @@ add_recovery_codes_error_flash :: The flash error to show when adding recovery c
 add_recovery_codes_heading :: Text to use for heading above the form to add recovery codes.
 add_recovery_codes_page_title :: The page title to use on the add recovery codes form.
 add_recovery_codes_param :: The parameter name to use for adding recovery codes.
-auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when another multifactor authentication type is enabled (false by default).
+auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when enabling otp, webauthn, or sms authentication (false by default).
+auto_remove_recovery_codes? :: Whether to automatically remove recovery codes when disabling otp, webauthn, or sms authentication and not having one of the other two authentication methods enabled (false by default).
 invalid_recovery_code_error_flash :: The flash error to show when an invalid recovery code is used.
 invalid_recovery_code_message :: The error message to show when an invalid recovery code is used.
 recovery_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via a recovery code.

data/doc/release_notes/2.3.0.txt

@@ -0,0 +1,37 @@
+= New Features
+
+* Configuration methods have been added for easier validation of
+  logins when logins must be valid email addresses (the default):
+
+  * login_valid_email?(login) can be used for full control of
+    determining whether the login is valid.
+
+  * login_email_regexp can be used to set the regexp used in the
+    default login_valid_email? check.
+
+  * login_not_valid_email_message can be used to set the field
+    error message if the login is not a valid email.  Previously, this
+    value was hardcoded and not translatable.
+
+* The {create,drop}_database_authentication_functions now work
+  correctly with uuid keys on PostgreSQL.  All other parts of
+  Rodauth already worked correctly with uuid keys.
+
+= Other Improvements
+
+* The before_jwt_refresh_route hook is now called before the route
+  is taken. Previously, the configuration method had no effect.
+
+* rodauth.login can now be used by external code to login the current
+  account (the account that rodauth.account returns).  This should be
+  passed the authentication type string used to login, such as
+  password.
+
+* The jwt_refresh route now returns an error for requests where a
+  valid access token for a logged in session is not provided.  You
+  can use the jwt_refresh_without_access_token_message and
+  jwt_refresh_without_access_token_status configuration methods
+  to configure the error response.
+
+* The new refresh token is now available to the after_refresh_token
+  hook by looking in json_response[jwt_refresh_token_key].

data/doc/release_notes/2.4.0.txt

@@ -0,0 +1,22 @@
+= New Features
+
+* A password_pepper feature has been added.  This allows you to use a
+  secret key (called a pepper) to append to passwords before hashing
+  and hash checking.  Using this approach, if an attacker obtains the
+  password hash, it is unusable for cracking unless they can also
+  get access to the pepper.
+
+  The password_pepper feature also supports a list of previous peppers
+  that can be used to implement secret rotation and to support
+  compatibility with unpeppered passwords.
+
+  Rodauth by default uses database functions for password hash
+  checking on PostgreSQL, MySQL, and Microsoft SQL Server, which in
+  general provides more security than a password pepper, but both
+  approaches can be used simultaneously.
+
+* A session_key_prefix configuration method has been added for
+  prefixing the values of all default session keys.  This can be
+  useful if you are using multiple Rodauth configurations in the same
+  application and want to make sure the session keys for the separate
+  configurations do not overlap.

data/doc/release_notes/2.5.0.txt

@@ -0,0 +1,20 @@
+= New Features
+
+* A login_return_to_requested_location_path configuration method has
+  been added to the login feature.  This controls the path to redirect
+  to if using login_return_to_requested_location?.  By default, this
+  is the same as the fullpath of the request that required login if
+  that request was a GET request, and nil if that request was not a
+  GET request.  Previously, the fullpath of that request was used even
+  if it was not a GET request, which caused problems as browsers use a
+  GET request for redirects, and it is a bad idea to redirect to a path
+  that may not handle GET requests.
+
+* A change_login_needs_verification_notice_flash configuration method
+  has been added to the verify_login_change feature, for allowing
+  translations when using the feature and not using the
+  change_login_notice_flash configuration method.
+
+= Other Improvements
+
+* new_password_label is now translatable.

data/doc/release_notes/2.6.0.txt

@@ -0,0 +1,37 @@
+= New Features
+
+* An around_rodauth configuration method has been added, which is
+  called around all Rodauth actions.  This configuration method
+  is passed a block, and is useful for cases where you want to wrap
+  Rodauth's handling of the request.
+
+  For example, if you had a method named time_block in your Roda scope
+  that timed block execution and added a response header, you could
+  time Rodauth actions using something like:
+
+    around_rodauth do |&block|
+      scope.time_block('Rodauth') do
+        super(&block)
+      end
+    end
+
+* The allow_refresh_with_expired_jwt_access_token? configuration has
+  been added to the jwt_refresh feature, allowing refreshing with an
+  expired but otherwise valid access token.  When using this method,
+  it is required to have an hmac_secret specified, so that Rodauth
+  can make sure the access token matches the refresh token.
+
+= Other Improvements
+
+* The javascript for setting up a WebAuthn token has been fixed to
+  allow it to work correctly if there is already an existing
+  WebAuthn token for the account.
+
+* The rodauth.setup_account_verification method has been promoted to
+  public API.  You can use this method for automatically sending
+  account verification emails when automatically creating accounts.
+
+* Rodauth no longer loads the same feature multiple times into a
+  single configuration.  This didn't cause any problems before, but
+  could result in duplicate entries when looking at the loaded
+  features.

data/doc/release_notes/2.7.0.txt

@@ -0,0 +1,33 @@
+= New Features
+
+* An auto_remove_recovery_codes? configuration method has been added
+  to the recovery_codes feature.  This will automatically remove
+  recovery codes when the last multifactor authentication type other
+  than the recovery codes has been removed.
+
+* The jwt_access_expired_status and expired_jwt_access_token_message
+  configuration methods have been added to the jwt_refresh feature,
+  for supporting custom statuses and messages for expired tokens.
+
+= Other Improvements
+
+* Rodauth will no longer attempt to require a feature that has
+  already been required.  Related to this is you can now use a
+  a custom Rodauth feature without a rodauth/features/*.rb file
+  in the Ruby library path, as long as you load the feature
+  manually.
+
+* Rodauth now avoids method redefinition warnings in verbose
+  warning mode.  As Ruby 3 is dropping uninitialized instance
+  variable warnings, Rodauth will be verbose warning free in
+  Ruby 3.
+
+= Backwards Compatibility
+
+* The default remember cookie path is now set to '/'. This fixes
+  usage in the case where rodauth is loaded under a subpath of the
+  application (which is not the default behavior).  Unfortunately,
+  this change can negatively affect cases where multiple rodauth
+  configurations are used in separate paths on the same domain.
+  In these cases, you should now use remember_cookie_options and
+  include a :path option.

data/doc/remember.rdoc

@@ -35,7 +35,7 @@ raw_remember_token_deadline :: A deadline before which to allow a raw remember t
 remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
 remember_button :: The text to use for the change remember settings button.
 remember_cookie_key :: The cookie name to use for the remember token.
-remember_cookie_options :: Any options to set for the remember cookie.
+remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/`.
 remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
 remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
 remember_disable_label :: The label for disabling remembering.

data/doc/verify_login_change.rdoc

@@ -14,6 +14,7 @@ control.  Depends on the change login and email base features.
 == Auth Value Methods
 
 no_matching_verify_login_change_key_error_flash :: The flash error message to show when an invalid verify login change key is used.
+change_login_needs_verification_notice_flash :: The flash notice to show after changing a login when using this feature, if +change_login_notice_flash+ is not overridden.
 verify_login_change_additional_form_tags :: HTML fragment containing additional form tags to use on the verify login change form.
 verify_login_change_autologin? :: Whether to autologin the user after successful login change verification, false by default.
 verify_login_change_button :: The text to use for the verify login change button.

data/javascript/webauthn_auth.js

@@ -1,34 +1,34 @@
 (function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
   var element = document.getElementById('webauthn-auth-form');
   var f = function(e) {
     //console.log(e);
     e.preventDefault();
     if (navigator.credentials) {
       var opts = JSON.parse(element.getAttribute("data-credential-options"));
-      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      opts.allowCredentials.forEach(function(cred) {
-        cred.id = Uint8Array.from(atob(cred.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      });
+      opts.challenge = unpack(opts.challenge);
+      opts.allowCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
       //console.log(opts);
       navigator.credentials.get({publicKey: opts}).
         then(function(cred){
           //console.log(cred);
           //window.cred = cred
 
-          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          var rawId = pack(cred.rawId);
           var authValue = {
             type: cred.type,
             id: rawId,
             rawId: rawId,
             response: {
-              authenticatorData: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.authenticatorData))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              signature: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.signature))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+              authenticatorData: pack(cred.response.authenticatorData),
+              clientDataJSON: pack(cred.response.clientDataJSON),
+              signature: pack(cred.response.signature)
             }
           };
 
           if (cred.response.userHandle) {
-            authValue.response.userHandle = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.userHandle))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+            authValue.response.userHandle = pack(cred.response.userHandle);
           }
 
           document.getElementById('webauthn-auth').value = JSON.stringify(authValue);