@bradford-tech/supabase-integrity-attest 0.7.0 → 0.8.1

package/README.md

@@ -61,7 +61,6 @@ const supabase = createClient(
 
 Deno.serve(withAssertion({
   appId: Deno.env.get("APP_ATTEST_APP_ID")!,
-  developmentEnv: Deno.env.get("APP_ATTEST_ENV") === "development",
   getDeviceKey: async (deviceId) => {
     const { data } = await supabase
       .from("device_attestations")

package/esm/src/assertion.d.ts

@@ -2,8 +2,6 @@
 export interface AppInfo {
     /** Apple App ID in the format `TEAMID.bundleId`. */
     appId: string;
-    /** Set to `true` when verifying assertions from the development environment. */
-    developmentEnv?: boolean;
 }
 /** Successful assertion verification result. */
 export interface AssertionResult {

package/esm/src/assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assertion.d.ts","sourceRoot":"","sources":["../../src/src/assertion.ts"],"names":[],"mappings":"AAaA,8DAA8D;AAC9D,MAAM,WAAW,OAAO;IACtB,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,gFAAgF;IAChF,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,UAAU,GAAG,MAAM,EAC9B,UAAU,EAAE,UAAU,GAAG,MAAM,EAC/B,YAAY,EAAE,MAAM,EACpB,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,eAAe,CAAC,CA2G1B"}
+{"version":3,"file":"assertion.d.ts","sourceRoot":"","sources":["../../src/src/assertion.ts"],"names":[],"mappings":"AAaA,8DAA8D;AAC9D,MAAM,WAAW,OAAO;IACtB,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;CACf;AAED,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,UAAU,GAAG,MAAM,EAC9B,UAAU,EAAE,UAAU,GAAG,MAAM,EAC/B,YAAY,EAAE,MAAM,EACpB,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,eAAe,CAAC,CAmH1B"}

package/esm/src/assertion.js

@@ -14,7 +14,13 @@ import { concat, constantTimeEqual, decodeBase64Bytes, importPemPublicKey, toByt
  * @throws {AssertionError} If any verification step fails.
  */
 export async function verifyAssertion(appInfo, assertion, clientData, publicKeyPem, previousSignCount) {
-    const assertionBytes = decodeBase64Bytes(assertion);
+    let assertionBytes;
+    try {
+        assertionBytes = decodeBase64Bytes(assertion);
+    }
+    catch {
+        throw new AssertionError(AssertionErrorCode.INVALID_FORMAT, "Invalid base64-encoded assertion");
+    }
     const clientDataBytes = toBytes(clientData);
     // Step 1: CBOR decode
     let decoded;

package/esm/src/attestation.d.ts

@@ -40,7 +40,12 @@ export interface AttestationCbor {
     };
     authData: Uint8Array;
 }
-/** Decode an Apple App Attest attestation object from raw CBOR bytes. */
+/**
+ * Decode an Apple App Attest attestation object from raw CBOR bytes.
+ *
+ * @throws {AttestationError} with code `INVALID_FORMAT` if the data is not
+ *   a valid attestation CBOR structure.
+ */
 export declare function decodeAttestationCbor(data: Uint8Array): AttestationCbor;
 /**
  * Verify an Apple App Attest attestation.

package/esm/src/attestation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/src/attestation.ts"],"names":[],"mappings":"AAaA,yCAAyC;AACzC,MAAM,WAAW,OAAO;IACtB,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,kFAAkF;IAClF,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,kDAAkD;AAClD,MAAM,WAAW,iBAAiB;IAChC,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,OAAO,EAAE,UAAU,CAAC;IACpB,uDAAuD;IACvD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACvC,uFAAuF;IACvF,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE;QACP,GAAG,EAAE,UAAU,EAAE,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,CAAC;IACF,QAAQ,EAAE,UAAU,CAAC;CACtB;AAsGD,yEAAyE;AACzE,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,UAAU,GAAG,eAAe,CAyEvE;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,cAAc,EAAE,UAAU,GAAG,MAAM,EACnC,WAAW,EAAE,UAAU,GAAG,MAAM,EAChC,OAAO,CAAC,EAAE,wBAAwB,GACjC,OAAO,CAAC,iBAAiB,CAAC,CAkJ5B"}
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/src/attestation.ts"],"names":[],"mappings":"AAgBA,yCAAyC;AACzC,MAAM,WAAW,OAAO;IACtB,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,kFAAkF;IAClF,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,kDAAkD;AAClD,MAAM,WAAW,iBAAiB;IAChC,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,OAAO,EAAE,UAAU,CAAC;IACpB,uDAAuD;IACvD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACvC,uFAAuF;IACvF,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE;QACP,GAAG,EAAE,UAAU,EAAE,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,CAAC;IACF,QAAQ,EAAE,UAAU,CAAC;CACtB;AAsGD;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,UAAU,GAAG,eAAe,CAwFvE;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,cAAc,EAAE,UAAU,GAAG,MAAM,EACnC,WAAW,EAAE,UAAU,GAAG,MAAM,EAChC,OAAO,CAAC,EAAE,wBAAwB,GACjC,OAAO,CAAC,iBAAiB,CAAC,CAoJ5B"}

package/esm/src/attestation.js

@@ -3,7 +3,7 @@ import { decodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.10/base64.js";
 import { extractNonceFromCert, extractPublicKeyFromCert, verifyCertificateChain, } from "./certificate.js";
 import { AAGUID_DEVELOPMENT, AAGUID_PRODUCTION } from "./constants.js";
 import { AttestationError, AttestationErrorCode } from "./errors.js";
-import { parseAttestationAuthData } from "./authdata.js";
+import { parseAttestationAuthData, } from "./authdata.js";
 import { concat, constantTimeEqual, exportKeyToPem, toBytes } from "./utils.js";
 /** Read a CBOR unsigned integer (additional info + following bytes). */
 function readCborUint(data, offset) {
@@ -88,72 +88,86 @@ function findCborTextKey(data, key, startOffset) {
     }
     return -1;
 }
-/** Decode an Apple App Attest attestation object from raw CBOR bytes. */
+/**
+ * Decode an Apple App Attest attestation object from raw CBOR bytes.
+ *
+ * @throws {AttestationError} with code `INVALID_FORMAT` if the data is not
+ *   a valid attestation CBOR structure.
+ */
 export function decodeAttestationCbor(data) {
-    // Verify top-level is a CBOR map
-    const majorType = (data[0] >> 5) & 0x07;
-    if (majorType !== 5) {
-        throw new Error("Expected CBOR map at top level");
-    }
-    // Find "fmt" key and read its value
-    const fmtKeyPos = findCborTextKey(data, "fmt", 0);
-    if (fmtKeyPos === -1)
-        throw new Error('Missing "fmt" key');
-    const fmtKeyEnd = fmtKeyPos + 1 + 3; // 0x63 + "fmt"
-    const { value: fmt } = readCborText(data, fmtKeyEnd);
-    // Find "attStmt" key
-    const attStmtKeyPos = findCborTextKey(data, "attStmt", 0);
-    if (attStmtKeyPos === -1)
-        throw new Error('Missing "attStmt" key');
-    // After "attStmt" key: 0x67 + "attStmt" = 8 bytes
-    const attStmtValuePos = attStmtKeyPos + 8;
-    // attStmt value should be a map
-    const attStmtMajor = (data[attStmtValuePos] >> 5) & 0x07;
-    if (attStmtMajor !== 5)
-        throw new Error("attStmt is not a CBOR map");
-    // Find "x5c" key within attStmt
-    const x5cKeyPos = findCborTextKey(data, "x5c", attStmtValuePos);
-    if (x5cKeyPos === -1)
-        throw new Error('Missing "x5c" key in attStmt');
-    const x5cValuePos = x5cKeyPos + 4; // 0x63 + "x5c"
-    // x5c value is an array
-    const x5cMajor = (data[x5cValuePos] >> 5) & 0x07;
-    if (x5cMajor !== 4)
-        throw new Error("x5c is not a CBOR array");
-    const { value: x5cCount, end: x5cFirstItemPos } = readCborUint(data, x5cValuePos);
-    // Read each certificate byte string
-    const x5c = [];
-    let pos = x5cFirstItemPos;
-    for (let i = 0; i < x5cCount; i++) {
-        const { value: cert, end } = readCborBytes(data, pos);
-        x5c.push(cert);
-        pos = end;
+    try {
+        // Verify top-level is a CBOR map
+        const majorType = (data[0] >> 5) & 0x07;
+        if (majorType !== 5) {
+            throw new Error("Expected CBOR map at top level");
+        }
+        // Find "fmt" key and read its value
+        const fmtKeyPos = findCborTextKey(data, "fmt", 0);
+        if (fmtKeyPos === -1)
+            throw new Error('Missing "fmt" key');
+        const fmtKeyEnd = fmtKeyPos + 1 + 3; // 0x63 + "fmt"
+        const { value: fmt } = readCborText(data, fmtKeyEnd);
+        // Find "attStmt" key
+        const attStmtKeyPos = findCborTextKey(data, "attStmt", 0);
+        if (attStmtKeyPos === -1)
+            throw new Error('Missing "attStmt" key');
+        // After "attStmt" key: 0x67 + "attStmt" = 8 bytes
+        const attStmtValuePos = attStmtKeyPos + 8;
+        // attStmt value should be a map
+        const attStmtMajor = (data[attStmtValuePos] >> 5) & 0x07;
+        if (attStmtMajor !== 5)
+            throw new Error("attStmt is not a CBOR map");
+        // Find "x5c" key within attStmt
+        const x5cKeyPos = findCborTextKey(data, "x5c", attStmtValuePos);
+        if (x5cKeyPos === -1)
+            throw new Error('Missing "x5c" key in attStmt');
+        const x5cValuePos = x5cKeyPos + 4; // 0x63 + "x5c"
+        // x5c value is an array
+        const x5cMajor = (data[x5cValuePos] >> 5) & 0x07;
+        if (x5cMajor !== 4)
+            throw new Error("x5c is not a CBOR array");
+        const { value: x5cCount, end: x5cFirstItemPos } = readCborUint(data, x5cValuePos);
+        // Read each certificate byte string
+        const x5c = [];
+        let pos = x5cFirstItemPos;
+        for (let i = 0; i < x5cCount; i++) {
+            const { value: cert, end } = readCborBytes(data, pos);
+            x5c.push(cert);
+            pos = end;
+        }
+        // After x5c, find "receipt" key
+        const receiptKeyPos = findCborTextKey(data, "receipt", pos);
+        if (receiptKeyPos === -1) {
+            throw new Error('Missing "receipt" key in attStmt');
+        }
+        // Find "authData" key - search from after the receipt key position
+        const authDataKeyPos = findCborTextKey(data, "authData", receiptKeyPos);
+        if (authDataKeyPos === -1) {
+            throw new Error('Missing "authData" key');
+        }
+        // The receipt value is the bytes between the receipt key end and the authData key start.
+        // Receipt key: 0x67 + "receipt" = 8 bytes
+        const receiptValueStart = receiptKeyPos + 8;
+        // Read the receipt CBOR header to get the data start offset
+        const receiptMajor = (data[receiptValueStart] >> 5) & 0x07;
+        if (receiptMajor !== 2) {
+            throw new Error("receipt is not a CBOR byte string");
+        }
+        const { end: receiptDataStart } = readCborUint(data, receiptValueStart);
+        // The actual receipt data extends to just before the authData key.
+        // This handles the case where Apple's CBOR length header is incorrect.
+        const receipt = data.slice(receiptDataStart, authDataKeyPos);
+        // Read authData value
+        // authData key: 0x68 + "authData" = 9 bytes
+        const authDataValuePos = authDataKeyPos + 9;
+        const { value: authData } = readCborBytes(data, authDataValuePos);
+        return { fmt, attStmt: { x5c, receipt }, authData };
     }
-    // After x5c, find "receipt" key
-    const receiptKeyPos = findCborTextKey(data, "receipt", pos);
-    if (receiptKeyPos === -1)
-        throw new Error('Missing "receipt" key in attStmt');
-    // Find "authData" key - search from after the receipt key position
-    const authDataKeyPos = findCborTextKey(data, "authData", receiptKeyPos);
-    if (authDataKeyPos === -1) {
-        throw new Error('Missing "authData" key');
+    catch (e) {
+        if (e instanceof AttestationError)
+            throw e;
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Failed to CBOR-decode attestation object: ${e instanceof Error ? e.message : String(e)}`, { cause: e });
     }
-    // The receipt value is the bytes between the receipt key end and the authData key start.
-    // Receipt key: 0x67 + "receipt" = 8 bytes
-    const receiptValueStart = receiptKeyPos + 8;
-    // Read the receipt CBOR header to get the data start offset
-    const receiptMajor = (data[receiptValueStart] >> 5) & 0x07;
-    if (receiptMajor !== 2)
-        throw new Error("receipt is not a CBOR byte string");
-    const { end: receiptDataStart } = readCborUint(data, receiptValueStart);
-    // The actual receipt data extends to just before the authData key.
-    // This handles the case where Apple's CBOR length header is incorrect.
-    const receipt = data.slice(receiptDataStart, authDataKeyPos);
-    // Read authData value
-    // authData key: 0x68 + "authData" = 9 bytes
-    const authDataValuePos = authDataKeyPos + 9;
-    const { value: authData } = readCborBytes(data, authDataValuePos);
-    return { fmt, attStmt: { x5c, receipt }, authData };
 }
 /**
  * Verify an Apple App Attest attestation.
@@ -188,13 +202,7 @@ export async function verifyAttestation(appInfo, keyId, clientDataHash, attestat
         attestationBytes = attestation;
     }
     // Step 1: CBOR decode attestation -> { fmt, attStmt: { x5c, receipt }, authData }
-    let decoded;
-    try {
-        decoded = decodeAttestationCbor(attestationBytes);
-    }
-    catch {
-        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to CBOR-decode attestation object");
-    }
+    const decoded = decodeAttestationCbor(attestationBytes);
     // Step 2: Validate fmt === "apple-appattest"
     if (decoded.fmt !== "apple-appattest") {
         throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Invalid attestation format: expected "apple-appattest", got "${decoded.fmt}"`);
@@ -228,7 +236,13 @@ export async function verifyAttestation(appInfo, keyId, clientDataHash, attestat
         throw new AttestationError(AttestationErrorCode.KEY_ID_MISMATCH, "Public key hash does not match keyId");
     }
     // Step 11: Parse authData
-    const parsedAuthData = parseAttestationAuthData(authData);
+    let parsedAuthData;
+    try {
+        parsedAuthData = parseAttestationAuthData(authData);
+    }
+    catch (e) {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Invalid authenticatorData: ${e instanceof Error ? e.message : String(e)}`);
+    }
     // Step 12: Verify rpIdHash === SHA-256(appId)
     const appIdHash = new Uint8Array(await crypto.subtle.digest("SHA-256", new TextEncoder().encode(appInfo.appId)));
     if (!constantTimeEqual(parsedAuthData.rpIdHash, appIdHash)) {

package/esm/src/authdata.d.ts

@@ -6,7 +6,6 @@ export interface AssertionAuthData {
 export interface AttestationAuthData extends AssertionAuthData {
     aaguid: Uint8Array;
     credentialId: Uint8Array;
-    coseKeyBytes: Uint8Array;
 }
 export declare function parseAssertionAuthData(data: Uint8Array): AssertionAuthData;
 export declare function parseAttestationAuthData(data: Uint8Array): AttestationAuthData;

package/esm/src/authdata.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authdata.d.ts","sourceRoot":"","sources":["../../src/src/authdata.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,UAAU,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAoB,SAAQ,iBAAiB;IAC5D,MAAM,EAAE,UAAU,CAAC;IACnB,YAAY,EAAE,UAAU,CAAC;IACzB,YAAY,EAAE,UAAU,CAAC;CAC1B;AAED,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,UAAU,GAAG,iBAAiB,CAgB1E;AAED,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,UAAU,GACf,mBAAmB,CAiCrB"}
+{"version":3,"file":"authdata.d.ts","sourceRoot":"","sources":["../../src/src/authdata.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,UAAU,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAoB,SAAQ,iBAAiB;IAC5D,MAAM,EAAE,UAAU,CAAC;IACnB,YAAY,EAAE,UAAU,CAAC;CAC1B;AAED,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,UAAU,GAAG,iBAAiB,CAgB1E;AAED,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,UAAU,GACf,mBAAmB,CA+BrB"}

package/esm/src/authdata.js

@@ -19,11 +19,9 @@ export function parseAttestationAuthData(data) {
         throw new Error(`authenticatorData truncated: credentialIdLength=${credentialIdLength} but only ${data.length - 55} bytes remain`);
     }
     const credentialId = data.slice(55, 55 + credentialIdLength);
-    const coseKeyBytes = data.slice(55 + credentialIdLength);
     return {
         ...base,
         aaguid,
         credentialId,
-        coseKeyBytes,
     };
 }

package/esm/src/certificate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/src/certificate.ts"],"names":[],"mappings":"AA+UA;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,UAAU,EAAE,EACjB,SAAS,CAAC,EAAE,IAAI,GACf,OAAO,CAAC,IAAI,CAAC,CAkEf;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CA6BpE;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC,CAqBrB"}
+{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/src/certificate.ts"],"names":[],"mappings":"AAmWA;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,UAAU,EAAE,EACjB,SAAS,CAAC,EAAE,IAAI,GACf,OAAO,CAAC,IAAI,CAAC,CAkEf;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CAwCpE;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC,CAqBrB"}

package/esm/src/certificate.js

@@ -60,98 +60,105 @@ function parseCertificate(der) {
     if (asn1.offset === -1) {
         throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to parse certificate DER");
     }
-    const certSeq = asn1.result;
-    const certChildren = certSeq.valueBlock.value;
-    // certChildren: [tbsCertificate, signatureAlgorithm, signatureValue]
-    const tbsElement = certChildren[0];
-    const sigAlgElement = certChildren[1];
-    const sigValueElement = certChildren[2];
-    // TBS bytes — slice from the element's full encoding (tag + length + value)
-    const tbsView = tbsElement
-        .valueBeforeDecodeView;
-    const tbsCertificateDer = sliceFromView(tbsView);
-    // Signature algorithm OID
-    const sigAlgOid = sigAlgElement.valueBlock.value[0].valueBlock
-        .toString();
-    // Signature value — unused-bits byte already stripped by asn1js
-    const signatureValue = new Uint8Array(sigValueElement.valueBlock.valueHexView);
-    // TBS children — check for v3 version tag
-    const tbsChildren = tbsElement.valueBlock.value;
-    let offset = 0;
-    // First child is explicit [0] version tag for v3 certs
-    const firstChild = tbsChildren[0];
-    if (firstChild.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
-        firstChild.idBlock.tagNumber === 0) {
-        offset = 1; // Version tag present, shift all indices
-    }
-    // TBS layout (with offset): serial, sigAlg, issuer, validity, subject, SPKI, [extensions]
-    // [offset+0]=serial, [offset+1]=sigAlg, [offset+2]=issuer, [offset+3]=validity,
-    // [offset+4]=subject, [offset+5]=SPKI
-    const issuerElement = tbsChildren[offset + 2];
-    const issuerView = issuerElement
-        .valueBeforeDecodeView;
-    const issuer = sliceFromView(issuerView);
-    const validityElement = tbsChildren[offset + 3];
-    const validityChildren = validityElement.valueBlock.value;
-    const validityNotBefore = parseAsn1Date(validityChildren[0]);
-    const validityNotAfter = parseAsn1Date(validityChildren[1]);
-    const subjectElement = tbsChildren[offset + 4];
-    const subjectView = subjectElement
-        .valueBeforeDecodeView;
-    const subject = sliceFromView(subjectView);
-    const spkiElement = tbsChildren[offset + 5];
-    const spkiView = spkiElement
-        .valueBeforeDecodeView;
-    const subjectPublicKeyInfoDer = sliceFromView(spkiView);
-    // Extract curve OID from SPKI's AlgorithmIdentifier
-    const spkiSeq = spkiElement;
-    const spkiAlgId = spkiSeq.valueBlock.value[0];
-    const curveOidElement = spkiAlgId.valueBlock
-        .value[1];
-    const publicKeyCurveOid = curveOidElement.valueBlock.toString();
-    // Extensions — found in explicit [3] tag within TBS
-    const extensions = [];
-    for (let i = offset + 6; i < tbsChildren.length; i++) {
-        const child = tbsChildren[i];
-        if (child.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
-            child.idBlock.tagNumber === 3) {
-            // This is the extensions wrapper: explicit [3] containing a SEQUENCE of extensions
-            const extWrapper = child;
-            const extSeqOfSeq = extWrapper.valueBlock.value[0];
-            for (const extSeq of extSeqOfSeq.valueBlock.value) {
-                const extChildren = extSeq.valueBlock.value;
-                const oid = extChildren[0].valueBlock
-                    .toString();
-                let critical = false;
-                let valueElement;
-                if (extChildren[1] instanceof asn1js.Boolean) {
-                    critical = extChildren[1].getValue();
-                    valueElement = extChildren[2];
-                }
-                else {
-                    valueElement = extChildren[1];
+    try {
+        const certSeq = asn1.result;
+        const certChildren = certSeq.valueBlock.value;
+        // certChildren: [tbsCertificate, signatureAlgorithm, signatureValue]
+        const tbsElement = certChildren[0];
+        const sigAlgElement = certChildren[1];
+        const sigValueElement = certChildren[2];
+        // TBS bytes — slice from the element's full encoding (tag + length + value)
+        const tbsView = tbsElement
+            .valueBeforeDecodeView;
+        const tbsCertificateDer = sliceFromView(tbsView);
+        // Signature algorithm OID
+        const sigAlgOid = sigAlgElement.valueBlock.value[0].valueBlock
+            .toString();
+        // Signature value — unused-bits byte already stripped by asn1js
+        const signatureValue = new Uint8Array(sigValueElement.valueBlock.valueHexView);
+        // TBS children — check for v3 version tag
+        const tbsChildren = tbsElement.valueBlock.value;
+        let offset = 0;
+        // First child is explicit [0] version tag for v3 certs
+        const firstChild = tbsChildren[0];
+        if (firstChild.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
+            firstChild.idBlock.tagNumber === 0) {
+            offset = 1; // Version tag present, shift all indices
+        }
+        // TBS layout (with offset): serial, sigAlg, issuer, validity, subject, SPKI, [extensions]
+        // [offset+0]=serial, [offset+1]=sigAlg, [offset+2]=issuer, [offset+3]=validity,
+        // [offset+4]=subject, [offset+5]=SPKI
+        const issuerElement = tbsChildren[offset + 2];
+        const issuerView = issuerElement
+            .valueBeforeDecodeView;
+        const issuer = sliceFromView(issuerView);
+        const validityElement = tbsChildren[offset + 3];
+        const validityChildren = validityElement.valueBlock.value;
+        const validityNotBefore = parseAsn1Date(validityChildren[0]);
+        const validityNotAfter = parseAsn1Date(validityChildren[1]);
+        const subjectElement = tbsChildren[offset + 4];
+        const subjectView = subjectElement
+            .valueBeforeDecodeView;
+        const subject = sliceFromView(subjectView);
+        const spkiElement = tbsChildren[offset + 5];
+        const spkiView = spkiElement
+            .valueBeforeDecodeView;
+        const subjectPublicKeyInfoDer = sliceFromView(spkiView);
+        // Extract curve OID from SPKI's AlgorithmIdentifier
+        const spkiSeq = spkiElement;
+        const spkiAlgId = spkiSeq.valueBlock.value[0];
+        const curveOidElement = spkiAlgId.valueBlock
+            .value[1];
+        const publicKeyCurveOid = curveOidElement.valueBlock.toString();
+        // Extensions — found in explicit [3] tag within TBS
+        const extensions = [];
+        for (let i = offset + 6; i < tbsChildren.length; i++) {
+            const child = tbsChildren[i];
+            if (child.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
+                child.idBlock.tagNumber === 3) {
+                // This is the extensions wrapper: explicit [3] containing a SEQUENCE of extensions
+                const extWrapper = child;
+                const extSeqOfSeq = extWrapper.valueBlock.value[0];
+                for (const extSeq of extSeqOfSeq.valueBlock.value) {
+                    const extChildren = extSeq.valueBlock.value;
+                    const oid = extChildren[0].valueBlock
+                        .toString();
+                    let critical = false;
+                    let valueElement;
+                    if (extChildren[1] instanceof asn1js.Boolean) {
+                        critical = extChildren[1].getValue();
+                        valueElement = extChildren[2];
+                    }
+                    else {
+                        valueElement = extChildren[1];
+                    }
+                    extensions.push({
+                        oid,
+                        critical,
+                        value: new Uint8Array(valueElement.valueBlock.valueHexView),
+                    });
                 }
-                extensions.push({
-                    oid,
-                    critical,
-                    value: new Uint8Array(valueElement.valueBlock.valueHexView),
-                });
+                break;
             }
-            break;
         }
+        return {
+            tbsCertificateDer,
+            signatureAlgorithmOid: sigAlgOid,
+            signatureValue,
+            issuer,
+            subject,
+            validityNotBefore,
+            validityNotAfter,
+            subjectPublicKeyInfoDer,
+            publicKeyCurveOid,
+            extensions,
+        };
+    }
+    catch (e) {
+        if (e instanceof AttestationError)
+            throw e;
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Invalid X.509 certificate structure: ${e instanceof Error ? e.message : String(e)}`, { cause: e });
     }
-    return {
-        tbsCertificateDer,
-        signatureAlgorithmOid: sigAlgOid,
-        signatureValue,
-        issuer,
-        subject,
-        validityNotBefore,
-        validityNotAfter,
-        subjectPublicKeyInfoDer,
-        publicKeyCurveOid,
-        extensions,
-    };
 }
 // ── extractRawPublicKeyFromSpki ─────────────────────────────────────
 /**
@@ -164,9 +171,16 @@ function extractRawPublicKeyFromSpki(spkiDer) {
     if (asn1.offset === -1) {
         throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, "Failed to parse SPKI DER");
     }
-    const spkiSeq = asn1.result;
-    const publicKeyBitString = spkiSeq.valueBlock.value[1];
-    return new Uint8Array(publicKeyBitString.valueBlock.valueHexView);
+    try {
+        const spkiSeq = asn1.result;
+        const publicKeyBitString = spkiSeq.valueBlock.value[1];
+        return new Uint8Array(publicKeyBitString.valueBlock.valueHexView);
+    }
+    catch (e) {
+        if (e instanceof AttestationError)
+            throw e;
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, `Invalid SPKI structure: ${e instanceof Error ? e.message : String(e)}`, { cause: e });
+    }
 }
 // ── verifySignature ─────────────────────────────────────────────────
 /**
@@ -286,10 +300,17 @@ export function extractNonceFromCert(certDer) {
         throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to parse nonce extension ASN.1");
     }
     // Navigate: SEQUENCE -> tagged [1] -> OCTET STRING
-    const sequence = extAsn1.result;
-    const tagged = sequence.valueBlock.value[0];
-    const octetString = tagged.valueBlock.value[0];
-    return new Uint8Array(octetString.valueBlock.valueHexView);
+    try {
+        const sequence = extAsn1.result;
+        const tagged = sequence.valueBlock.value[0];
+        const octetString = tagged.valueBlock.value[0];
+        return new Uint8Array(octetString.valueBlock.valueHexView);
+    }
+    catch (e) {
+        if (e instanceof AttestationError)
+            throw e;
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Invalid nonce extension structure: ${e instanceof Error ? e.message : String(e)}`, { cause: e });
+    }
 }
 /**
  * Extract the raw (uncompressed) public key from a DER-encoded certificate.

package/esm/src/with-assertion.d.ts

@@ -46,8 +46,6 @@ export type ExtractAssertionFn = (req: Request) => Promise<{
 export type WithAssertionOptions = {
     /** Apple App ID in the format `TEAMID.bundleId`. */
     appId: string;
-    /** Set to `true` for development environment attestations. */
-    developmentEnv?: boolean;
     /** Retrieve the stored device key for a given device ID. Return `null` if not found. */
     getDeviceKey: (deviceId: string) => Promise<DeviceKey | null>;
     /**

package/esm/src/with-assertion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,iEAAiE;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,0EAA0E;AAC1E,MAAM,MAAM,SAAS,GAAG;IACtB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,gBAAgB,CAAC;CAC3B,CAAC;AAEF,0EAA0E;AAC1E,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,MAAM,oBAAoB,GAAG;IACjC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,wFAAwF;IACxF,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D;;;;;;;;;;;;;;;;OAgBG;IACH,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9E,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAmCF;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAiGrC"}
+{"version":3,"file":"with-assertion.d.ts","sourceRoot":"","sources":["../../src/src/with-assertion.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAsB,MAAM,aAAa,CAAC;AAEjE,iEAAiE;AACjE,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AACjE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,2BAA2B,CAAC;AAEjE,0EAA0E;AAC1E,MAAM,MAAM,SAAS,GAAG;IACtB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,gBAAgB,CAAC;CAC3B,CAAC;AAEF,0EAA0E;AAC1E,MAAM,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CAAC;AAEH,kEAAkE;AAClE,MAAM,MAAM,oBAAoB,GAAG;IACjC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,wFAAwF;IACxF,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAC9D;;;;;;;;;;;;;;;;OAgBG;IACH,eAAe,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9E,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,kBAAkB,CAAC;IACtC,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,cAAc,EACrB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AAqCF;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,gBAAgB,KACtB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAmGrC"}

package/esm/src/with-assertion.js

@@ -19,7 +19,9 @@ function defaultErrorResponse(error) {
         ? 500
         : error.code === AssertionErrorCode.INVALID_FORMAT
             ? 400
-            : 401;
+            : error.code === AssertionErrorCode.SIGN_COUNT_STALE
+                ? 409
+                : 401;
     return new Response(JSON.stringify({ error: error.message, code: error.code }), { status, headers: { "Content-Type": "application/json" } });
 }
 /**
@@ -35,10 +37,7 @@ function defaultErrorResponse(error) {
  * concurrent load.
  */
 export function withAssertion(options, handler) {
-    const appInfo = {
-        appId: options.appId,
-        developmentEnv: options.developmentEnv ?? false,
-    };
+    const appInfo = { appId: options.appId };
     const extract = options.extractAssertion ?? defaultExtractAssertion;
     return async (req) => {
         let deviceId;
@@ -90,7 +89,13 @@ export function withAssertion(options, handler) {
             const error = err instanceof AssertionError ? err : new AssertionError(AssertionErrorCode.INTERNAL_ERROR, "Internal error", {
                 cause: err,
             });
-            return options.onError?.(error, req) ?? defaultErrorResponse(error);
+            try {
+                return await options.onError?.(error, req) ??
+                    defaultErrorResponse(error);
+            }
+            catch {
+                return defaultErrorResponse(error);
+            }
         }
         // Step 5: handler — outside try/catch, errors bubble up
         return await handler(req, {

package/esm/src/with-attestation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"with-attestation.d.ts","sourceRoot":"","sources":["../../src/src/with-attestation.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAwB,MAAM,aAAa,CAAC;AAErE;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,uDAAuD;IACvD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,qFAAqF;AACrF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,kBAAkB,CAAC;CAC7B,CAAC;AAEF,4EAA4E;AAC5E,MAAM,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,SAAS,EAAE,UAAU,CAAC;IACtB;;;;;;;;OAQG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,UAAU,CAAC;CACzB,CAAC,CAAC;AAEH,oEAAoE;AACpE,MAAM,MAAM,sBAAsB,GAAG;IACnC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB;;;;;;;OAOG;IACH,gBAAgB,EAAE,CAAC,SAAS,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D;;;;OAIG;IACH,cAAc,EAAE,CAAC,GAAG,EAAE;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB,8DAA8D;IAC9D,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;IAC1C,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,gBAAgB,EACvB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AA8EF;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,sBAAsB,EAC/B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,kBAAkB,KACxB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA2HrC"}
+{"version":3,"file":"with-attestation.d.ts","sourceRoot":"","sources":["../../src/src/with-attestation.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAwB,MAAM,aAAa,CAAC;AAErE;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,uDAAuD;IACvD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,qFAAqF;AACrF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,OAAO,EAAE,UAAU,CAAC;IACpB,mEAAmE;IACnE,OAAO,EAAE,kBAAkB,CAAC;CAC7B,CAAC;AAEF,4EAA4E;AAC5E,MAAM,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,SAAS,EAAE,UAAU,CAAC;IACtB;;;;;;;;OAQG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,UAAU,CAAC;CACzB,CAAC,CAAC;AAEH,oEAAoE;AACpE,MAAM,MAAM,sBAAsB,GAAG;IACnC,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB;;;;;;;OAOG;IACH,gBAAgB,EAAE,CAAC,SAAS,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D;;;;OAIG;IACH,cAAc,EAAE,CAAC,GAAG,EAAE;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB,8DAA8D;IAC9D,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;IAC1C,uEAAuE;IACvE,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,gBAAgB,EACvB,GAAG,EAAE,OAAO,KACT,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnC,CAAC;AA8EF;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,sBAAsB,EAC/B,OAAO,EAAE,CACP,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,kBAAkB,KACxB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAChC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAgIrC"}

package/esm/src/with-attestation.js

@@ -146,7 +146,13 @@ export function withAttestation(options, handler) {
             const error = err instanceof AttestationError
                 ? err
                 : new AttestationError(AttestationErrorCode.INTERNAL_ERROR, "Internal error", { cause: err });
-            return options.onError?.(error, req) ?? defaultErrorResponse(error);
+            try {
+                return await options.onError?.(error, req) ??
+                    defaultErrorResponse(error);
+            }
+            catch {
+                return defaultErrorResponse(error);
+            }
         }
         return await handler(req, {
             deviceId,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bradford-tech/supabase-integrity-attest",
-  "version": "0.7.0",
+  "version": "0.8.1",
   "description": "Verify Apple App Attest attestations and assertions using WebCrypto.",
   "homepage": "https://integrity-attest.bradford.tech",
   "repository": {
@@ -25,9 +25,9 @@
   },
   "scripts": {},
   "dependencies": {
-    "@noble/curves": "^2.0.1",
-    "asn1js": "^3.0.7",
-    "cborg": "^4.5.8"
+    "@noble/curves": "^2.2.0",
+    "asn1js": "^3.0.10",
+    "cborg": "^5.1.0"
   },
   "devDependencies": {
     "@types/node": "^20.9.0"