@bradford-tech/supabase-integrity-attest 0.7.0 → 0.8.0

package/README.md

@@ -61,7 +61,6 @@ const supabase = createClient(
 
 Deno.serve(withAssertion({
   appId: Deno.env.get("APP_ATTEST_APP_ID")!,
-  developmentEnv: Deno.env.get("APP_ATTEST_ENV") === "development",
   getDeviceKey: async (deviceId) => {
     const { data } = await supabase
       .from("device_attestations")

package/esm/src/assertion.d.ts

@@ -2,8 +2,6 @@
 export interface AppInfo {
     /** Apple App ID in the format `TEAMID.bundleId`. */
     appId: string;
-    /** Set to `true` when verifying assertions from the development environment. */
-    developmentEnv?: boolean;
 }
 /** Successful assertion verification result. */
 export interface AssertionResult {

package/esm/src/assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assertion.d.ts","sourceRoot":"","sources":["../../src/src/assertion.ts"],"names":[],"mappings":"AAaA,8DAA8D;AAC9D,MAAM,WAAW,OAAO;IACtB,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,gFAAgF;IAChF,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,UAAU,GAAG,MAAM,EAC9B,UAAU,EAAE,UAAU,GAAG,MAAM,EAC/B,YAAY,EAAE,MAAM,EACpB,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,eAAe,CAAC,CA2G1B"}
+{"version":3,"file":"assertion.d.ts","sourceRoot":"","sources":["../../src/src/assertion.ts"],"names":[],"mappings":"AAaA,8DAA8D;AAC9D,MAAM,WAAW,OAAO;IACtB,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;CACf;AAED,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,UAAU,GAAG,MAAM,EAC9B,UAAU,EAAE,UAAU,GAAG,MAAM,EAC/B,YAAY,EAAE,MAAM,EACpB,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,eAAe,CAAC,CAmH1B"}

package/esm/src/assertion.js

@@ -14,7 +14,13 @@ import { concat, constantTimeEqual, decodeBase64Bytes, importPemPublicKey, toByt
  * @throws {AssertionError} If any verification step fails.
  */
 export async function verifyAssertion(appInfo, assertion, clientData, publicKeyPem, previousSignCount) {
-    const assertionBytes = decodeBase64Bytes(assertion);
+    let assertionBytes;
+    try {
+        assertionBytes = decodeBase64Bytes(assertion);
+    }
+    catch {
+        throw new AssertionError(AssertionErrorCode.INVALID_FORMAT, "Invalid base64-encoded assertion");
+    }
     const clientDataBytes = toBytes(clientData);
     // Step 1: CBOR decode
     let decoded;

package/esm/src/certificate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/src/certificate.ts"],"names":[],"mappings":"AA+UA;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,UAAU,EAAE,EACjB,SAAS,CAAC,EAAE,IAAI,GACf,OAAO,CAAC,IAAI,CAAC,CAkEf;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CA6BpE;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC,CAqBrB"}
+{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/src/certificate.ts"],"names":[],"mappings":"AAmWA;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,UAAU,EAAE,EACjB,SAAS,CAAC,EAAE,IAAI,GACf,OAAO,CAAC,IAAI,CAAC,CAkEf;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CAwCpE;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC,CAqBrB"}

package/esm/src/certificate.js

@@ -60,98 +60,105 @@ function parseCertificate(der) {
     if (asn1.offset === -1) {
         throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to parse certificate DER");
     }
-    const certSeq = asn1.result;
-    const certChildren = certSeq.valueBlock.value;
-    // certChildren: [tbsCertificate, signatureAlgorithm, signatureValue]
-    const tbsElement = certChildren[0];
-    const sigAlgElement = certChildren[1];
-    const sigValueElement = certChildren[2];
-    // TBS bytes — slice from the element's full encoding (tag + length + value)
-    const tbsView = tbsElement
-        .valueBeforeDecodeView;
-    const tbsCertificateDer = sliceFromView(tbsView);
-    // Signature algorithm OID
-    const sigAlgOid = sigAlgElement.valueBlock.value[0].valueBlock
-        .toString();
-    // Signature value — unused-bits byte already stripped by asn1js
-    const signatureValue = new Uint8Array(sigValueElement.valueBlock.valueHexView);
-    // TBS children — check for v3 version tag
-    const tbsChildren = tbsElement.valueBlock.value;
-    let offset = 0;
-    // First child is explicit [0] version tag for v3 certs
-    const firstChild = tbsChildren[0];
-    if (firstChild.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
-        firstChild.idBlock.tagNumber === 0) {
-        offset = 1; // Version tag present, shift all indices
-    }
-    // TBS layout (with offset): serial, sigAlg, issuer, validity, subject, SPKI, [extensions]
-    // [offset+0]=serial, [offset+1]=sigAlg, [offset+2]=issuer, [offset+3]=validity,
-    // [offset+4]=subject, [offset+5]=SPKI
-    const issuerElement = tbsChildren[offset + 2];
-    const issuerView = issuerElement
-        .valueBeforeDecodeView;
-    const issuer = sliceFromView(issuerView);
-    const validityElement = tbsChildren[offset + 3];
-    const validityChildren = validityElement.valueBlock.value;
-    const validityNotBefore = parseAsn1Date(validityChildren[0]);
-    const validityNotAfter = parseAsn1Date(validityChildren[1]);
-    const subjectElement = tbsChildren[offset + 4];
-    const subjectView = subjectElement
-        .valueBeforeDecodeView;
-    const subject = sliceFromView(subjectView);
-    const spkiElement = tbsChildren[offset + 5];
-    const spkiView = spkiElement
-        .valueBeforeDecodeView;
-    const subjectPublicKeyInfoDer = sliceFromView(spkiView);
-    // Extract curve OID from SPKI's AlgorithmIdentifier
-    const spkiSeq = spkiElement;
-    const spkiAlgId = spkiSeq.valueBlock.value[0];
-    const curveOidElement = spkiAlgId.valueBlock
-        .value[1];
-    const publicKeyCurveOid = curveOidElement.valueBlock.toString();
-    // Extensions — found in explicit [3] tag within TBS
-    const extensions = [];
-    for (let i = offset + 6; i < tbsChildren.length; i++) {
-        const child = tbsChildren[i];
-        if (child.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
-            child.idBlock.tagNumber === 3) {
-            // This is the extensions wrapper: explicit [3] containing a SEQUENCE of extensions
-            const extWrapper = child;
-            const extSeqOfSeq = extWrapper.valueBlock.value[0];
-            for (const extSeq of extSeqOfSeq.valueBlock.value) {
-                const extChildren = extSeq.valueBlock.value;
-                const oid = extChildren[0].valueBlock
-                    .toString();
-                let critical = false;
-                let valueElement;
-                if (extChildren[1] instanceof asn1js.Boolean) {
-                    critical = extChildren[1].getValue();
-                    valueElement = extChildren[2];
-                }
-                else {
-                    valueElement = extChildren[1];
+    try {
+        const certSeq = asn1.result;
+        const certChildren = certSeq.valueBlock.value;
+        // certChildren: [tbsCertificate, signatureAlgorithm, signatureValue]
+        const tbsElement = certChildren[0];
+        const sigAlgElement = certChildren[1];
+        const sigValueElement = certChildren[2];
+        // TBS bytes — slice from the element's full encoding (tag + length + value)
+        const tbsView = tbsElement
+            .valueBeforeDecodeView;
+        const tbsCertificateDer = sliceFromView(tbsView);
+        // Signature algorithm OID
+        const sigAlgOid = sigAlgElement.valueBlock.value[0].valueBlock
+            .toString();
+        // Signature value — unused-bits byte already stripped by asn1js
+        const signatureValue = new Uint8Array(sigValueElement.valueBlock.valueHexView);
+        // TBS children — check for v3 version tag
+        const tbsChildren = tbsElement.valueBlock.value;
+        let offset = 0;
+        // First child is explicit [0] version tag for v3 certs
+        const firstChild = tbsChildren[0];
+        if (firstChild.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
+            firstChild.idBlock.tagNumber === 0) {
+            offset = 1; // Version tag present, shift all indices
+        }
+        // TBS layout (with offset): serial, sigAlg, issuer, validity, subject, SPKI, [extensions]
+        // [offset+0]=serial, [offset+1]=sigAlg, [offset+2]=issuer, [offset+3]=validity,
+        // [offset+4]=subject, [offset+5]=SPKI
+        const issuerElement = tbsChildren[offset + 2];
+        const issuerView = issuerElement
+            .valueBeforeDecodeView;
+        const issuer = sliceFromView(issuerView);
+        const validityElement = tbsChildren[offset + 3];
+        const validityChildren = validityElement.valueBlock.value;
+        const validityNotBefore = parseAsn1Date(validityChildren[0]);
+        const validityNotAfter = parseAsn1Date(validityChildren[1]);
+        const subjectElement = tbsChildren[offset + 4];
+        const subjectView = subjectElement
+            .valueBeforeDecodeView;
+        const subject = sliceFromView(subjectView);
+        const spkiElement = tbsChildren[offset + 5];
+        const spkiView = spkiElement
+            .valueBeforeDecodeView;
+        const subjectPublicKeyInfoDer = sliceFromView(spkiView);
+        // Extract curve OID from SPKI's AlgorithmIdentifier
+        const spkiSeq = spkiElement;
+        const spkiAlgId = spkiSeq.valueBlock.value[0];
+        const curveOidElement = spkiAlgId.valueBlock
+            .value[1];
+        const publicKeyCurveOid = curveOidElement.valueBlock.toString();
+        // Extensions — found in explicit [3] tag within TBS
+        const extensions = [];
+        for (let i = offset + 6; i < tbsChildren.length; i++) {
+            const child = tbsChildren[i];
+            if (child.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
+                child.idBlock.tagNumber === 3) {
+                // This is the extensions wrapper: explicit [3] containing a SEQUENCE of extensions
+                const extWrapper = child;
+                const extSeqOfSeq = extWrapper.valueBlock.value[0];
+                for (const extSeq of extSeqOfSeq.valueBlock.value) {
+                    const extChildren = extSeq.valueBlock.value;
+                    const oid = extChildren[0].valueBlock
+                        .toString();
+                    let critical = false;
+                    let valueElement;
+                    if (extChildren[1] instanceof asn1js.Boolean) {
+                        critical = extChildren[1].getValue();
+                        valueElement = extChildren[2];
+                    }
+                    else {
+                        valueElement = extChildren[1];
+                    }
+                    extensions.push({
+                        oid,
+                        critical,
+                        value: new Uint8Array(valueElement.valueBlock.valueHexView),
+                    });
                 }
-                extensions.push({
-                    oid,
-                    critical,
-                    value: new Uint8Array(valueElement.valueBlock.valueHexView),
-                });
+                break;
             }
-            break;
         }
+        return {
+            tbsCertificateDer,
+            signatureAlgorithmOid: sigAlgOid,
+            signatureValue,
+            issuer,
+            subject,
+            validityNotBefore,
+            validityNotAfter,
+            subjectPublicKeyInfoDer,
+            publicKeyCurveOid,
+            extensions,
+        };
+    }
+    catch (e) {
+        if (e instanceof AttestationError)
+            throw e;
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Invalid X.509 certificate structure: ${e instanceof Error ? e.message : String(e)}`, { cause: e });
     }
-    return {
-        tbsCertificateDer,
-        signatureAlgorithmOid: sigAlgOid,
-        signatureValue,
-        issuer,
-        subject,
-        validityNotBefore,
-        validityNotAfter,
-        subjectPublicKeyInfoDer,
-        publicKeyCurveOid,
-        extensions,
-    };
 }
 // ── extractRawPublicKeyFromSpki ─────────────────────────────────────
 /**
@@ -164,9 +171,16 @@ function extractRawPublicKeyFromSpki(spkiDer) {
     if (asn1.offset === -1) {
         throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, "Failed to parse SPKI DER");
     }
-    const spkiSeq = asn1.result;
-    const publicKeyBitString = spkiSeq.valueBlock.value[1];
-    return new Uint8Array(publicKeyBitString.valueBlock.valueHexView);
+    try {
+        const spkiSeq = asn1.result;
+        const publicKeyBitString = spkiSeq.valueBlock.value[1];
+        return new Uint8Array(publicKeyBitString.valueBlock.valueHexView);
+    }
+    catch (e) {
+        if (e instanceof AttestationError)
+            throw e;
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, `Invalid SPKI structure: ${e instanceof Error ? e.message : String(e)}`, { cause: e });
+    }
 }
 // ── verifySignature ─────────────────────────────────────────────────
 /**
@@ -286,10 +300,17 @@ export function extractNonceFromCert(certDer) {
         throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to parse nonce extension ASN.1");
     }
     // Navigate: SEQUENCE -> tagged [1] -> OCTET STRING
-    const sequence = extAsn1.result;
-    const tagged = sequence.valueBlock.value[0];
-    const octetString = tagged.valueBlock.value[0];
-    return new Uint8Array(octetString.valueBlock.valueHexView);
+    try {
+        const sequence = extAsn1.result;
+        const tagged = sequence.valueBlock.value[0];
+        const octetString = tagged.valueBlock.value[0];
+        return new Uint8Array(octetString.valueBlock.valueHexView);
+    }
+    catch (e) {
+        if (e instanceof AttestationError)
+            throw e;
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Invalid nonce extension structure: ${e instanceof Error ? e.message : String(e)}`, { cause: e });
+    }
 }
 /**
  * Extract the raw (uncompressed) public key from a DER-encoded certificate.

package/esm/src/with-assertion.d.ts

@@ -46,8 +46,6 @@ export type ExtractAssertionFn = (req: Request) => Promise<{
 export type WithAssertionOptions = {
     /** Apple App ID in the format `TEAMID.bundleId`. */
     appId: string;
-    /** Set to `true` for development environment attestations. */
-    developmentEnv?: boolean;
     /** Retrieve the stored device key for a given device ID. Return `null` if not found. */
     getDeviceKey: (deviceId: string) => Promise<DeviceKey | null>;
     /**

package/esm/src/with-assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,iEAAiE;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,0EAA0E;AAC1E,MAAM,MAAM,SAAS,GAAG;IACtB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,gBAAgB,CAAC;CAC3B,CAAC;AAEF,0EAA0E;AAC1E,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,MAAM,oBAAoB,GAAG;IACjC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,wFAAwF;IACxF,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D;;;;;;;;;;;;;;;;OAgBG;IACH,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9E,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAmCF;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAiGrC"}
+{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,iEAAiE;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,0EAA0E;AAC1E,MAAM,MAAM,SAAS,GAAG;IACtB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,gBAAgB,CAAC;CAC3B,CAAC;AAEF,0EAA0E;AAC1E,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,MAAM,oBAAoB,GAAG;IACjC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,wFAAwF;IACxF,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D;;;;;;;;;;;;;;;;OAgBG;IACH,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9E,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAmCF;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAmGrC"}

package/esm/src/with-assertion.js

@@ -35,10 +35,7 @@ function defaultErrorResponse(error) {
  * concurrent load.
  */
 export function withAssertion(options, handler) {
-    const appInfo = {
-        appId: options.appId,
-        developmentEnv: options.developmentEnv ?? false,
-    };
+    const appInfo = { appId: options.appId };
     const extract = options.extractAssertion ?? defaultExtractAssertion;
     return async (req) => {
         let deviceId;
@@ -90,7 +87,13 @@ export function withAssertion(options, handler) {
             const error = err instanceof AssertionError ? err : new AssertionError(AssertionErrorCode.INTERNAL_ERROR, "Internal error", {
                 cause: err,
             });
-            return options.onError?.(error, req) ?? defaultErrorResponse(error);
+            try {
+                return await options.onError?.(error, req) ??
+                    defaultErrorResponse(error);
+            }
+            catch {
+                return defaultErrorResponse(error);
+            }
         }
         // Step 5: handler — outside try/catch, errors bubble up
         return await handler(req, {

package/esm/src/with-attestation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"with-attestation.d.ts","sourceRoot":"","sources":["../../src/src/with-attestation.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAwB,MAAM,aAAa,CAAC;AAErE;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,uDAAuD;IACvD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,qFAAqF;AACrF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,kBAAkB,CAAC;CAC7B,CAAC;AAEF,4EAA4E;AAC5E,MAAM,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,SAAS,EAAE,UAAU,CAAC;IACtB;;;;;;;;OAQG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,UAAU,CAAC;CACzB,CAAC,CAAC;AAEH,oEAAoE;AACpE,MAAM,MAAM,sBAAsB,GAAG;IACnC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB;;;;;;;OAOG;IACH,gBAAgB,EAAE,CAAC,SAAS,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D;;;;OAIG;IACH,cAAc,EAAE,CAAC,GAAG,EAAE;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB,8DAA8D;IAC9D,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;IAC1C,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,gBAAgB,EACvB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AA8EF;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,sBAAsB,EAC/B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,kBAAkB,KACxB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA2HrC"}
+{"version":3,"file":"with-attestation.d.ts","sourceRoot":"","sources":["../../src/src/with-attestation.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAwB,MAAM,aAAa,CAAC;AAErE;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,uDAAuD;IACvD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,qFAAqF;AACrF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,kBAAkB,CAAC;CAC7B,CAAC;AAEF,4EAA4E;AAC5E,MAAM,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,SAAS,EAAE,UAAU,CAAC;IACtB;;;;;;;;OAQG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,UAAU,CAAC;CACzB,CAAC,CAAC;AAEH,oEAAoE;AACpE,MAAM,MAAM,sBAAsB,GAAG;IACnC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB;;;;;;;OAOG;IACH,gBAAgB,EAAE,CAAC,SAAS,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D;;;;OAIG;IACH,cAAc,EAAE,CAAC,GAAG,EAAE;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB,8DAA8D;IAC9D,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;IAC1C,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,gBAAgB,EACvB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AA8EF;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,sBAAsB,EAC/B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,kBAAkB,KACxB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAgIrC"}

package/esm/src/with-attestation.js

@@ -146,7 +146,13 @@ export function withAttestation(options, handler) {
             const error = err instanceof AttestationError
                 ? err
                 : new AttestationError(AttestationErrorCode.INTERNAL_ERROR, "Internal error", { cause: err });
-            return options.onError?.(error, req) ?? defaultErrorResponse(error);
+            try {
+                return await options.onError?.(error, req) ??
+                    defaultErrorResponse(error);
+            }
+            catch {
+                return defaultErrorResponse(error);
+            }
         }
         return await handler(req, {
             deviceId,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bradford-tech/supabase-integrity-attest",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "description": "Verify Apple App Attest attestations and assertions using WebCrypto.",
   "homepage": "https://integrity-attest.bradford.tech",
   "repository": {
@@ -25,9 +25,9 @@
   },
   "scripts": {},
   "dependencies": {
-    "@noble/curves": "^2.0.1",
-    "asn1js": "^3.0.7",
-    "cborg": "^4.5.8"
+    "@noble/curves": "^2.2.0",
+    "asn1js": "^3.0.10",
+    "cborg": "^5.1.0"
   },
   "devDependencies": {
     "@types/node": "^20.9.0"