npm - @simplewebauthn/server - Versions diffs - 7.4.0 → 8.0.0-alpha.0 - Mend

@simplewebauthn/server 7.4.0 → 8.0.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (343) hide show

package/esm/services/defaultRootCerts/android-key.js ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * Google Hardware Attestation Root 1
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (first entry)
+ *
+ * Valid until 2026-05-24 @ 09:28 PST
+ *
+ * SHA256 Fingerprint
+ * C1:98:4A:3E:F4:5C:1E:2A:91:85:51:DE:10:60:3C:86:F7:05:1B:22:49:C4:89:1C:AE:32:30:EA:BD:0C:97:D5
+ */
+export const Google_Hardware_Attestation_Root_1 = `-----BEGIN CERTIFICATE-----
+MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYy
+ODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
+Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
+tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
+nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
+C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
+oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
+JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
+igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
+RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
+aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
+AGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYD
+VR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lk
+Lmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQAD
+ggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfB
+Pb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00m
+qC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rY
+DBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPm
+QUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4u
+JU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyD
+CdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79Iy
+ZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxD
+qwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23Uaic
+MDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1
+wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk
+-----END CERTIFICATE-----
+`;
+/**
+ * Google Hardware Attestation Root 2
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (second entry)
+ *
+ * Valid until 2034-11-18 @ 12:37 PST
+ *
+ * SHA256 Fingerprint
+ * 1E:F1:A0:4B:8B:A5:8A:B9:45:89:AC:49:8C:89:82:A7:83:F2:4E:A7:30:7E:01:59:A0:C3:A7:3B:37:7D:87:CC
+ */
+export const Google_Hardware_Attestation_Root_2 = `-----BEGIN CERTIFICATE-----
+MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAz
+NzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
+Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
+tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
+nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
+C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
+oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
+JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
+igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
+RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
+aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
+AGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud
+IwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnu
+XKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83U
+h6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cno
+L/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2ok
+QBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vA
+D32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAI
+mMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoW
+Fua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91
+oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09o
+jm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUB
+ZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCH
+ex0SdDrx+tWUDqG8At2JHA==
+-----END CERTIFICATE-----
+`;

package/esm/services/defaultRootCerts/android-safetynet.js ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * GlobalSign Root CA
+ *
+ * Downloaded from https://pki.goog/roots.pem
+ *
+ * Valid until 2028-01-28 @ 04:00 PST
+ *
+ * SHA256 Fingerprint
+ * EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99
+ */
+export const GlobalSign_Root_CA = `-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+-----END CERTIFICATE-----
+`;

package/esm/services/defaultRootCerts/apple.js ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Apple WebAuthn Root CA
+ *
+ * Downloaded from https://www.apple.com/certificateauthority/Apple_WebAuthn_Root_CA.pem
+ *
+ * Valid until 2045-03-14 @ 17:00 PST
+ *
+ * SHA256 Fingerprint
+ * 09:15:DD:5C:07:A2:8D:B5:49:D1:F6:77:BB:5A:75:D4:BF:BE:95:61:A7:73:42:43:27:76:2E:9E:02:F9:BB:29
+ */
+export const Apple_WebAuthn_Root_CA = `-----BEGIN CERTIFICATE-----
+MIICEjCCAZmgAwIBAgIQaB0BbHo84wIlpQGUKEdXcTAKBggqhkjOPQQDAzBLMR8w
+HQYDVQQDDBZBcHBsZSBXZWJBdXRobiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJ
+bmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4MjEzMloXDTQ1MDMx
+NTAwMDAwMFowSzEfMB0GA1UEAwwWQXBwbGUgV2ViQXV0aG4gUm9vdCBDQTETMBEG
+A1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABCJCQ2pTVhzjl4Wo6IhHtMSAzO2cv+H9DQKev3//fG59G11k
+xu9eI0/7o6V5uShBpe1u6l6mS19S1FEh6yGljnZAJ+2GNP1mi/YK2kSXIuTHjxA/
+pcoRf7XkOtO4o1qlcaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJtdk
+2cV4wlpn0afeaxLQG2PxxtcwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2cA
+MGQCMFrZ+9DsJ1PW9hfNdBywZDsWDbWFp28it1d/5w2RPkRX3Bbn/UbDTNLx7Jr3
+jAGGiQIwHFj+dJZYUJR786osByBelJYsVZd2GbHQu209b5RCmGQ21gpSAk9QZW4B
+1bWeT0vT
+-----END CERTIFICATE-----
+`;

package/esm/services/defaultRootCerts/mds.js ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * GlobalSign Root CA - R3
+ *
+ * Downloaded from https://valid.r3.roots.globalsign.com/
+ *
+ * Valid until 2029-03-18 @ 00:00 PST
+ *
+ * SHA256 Fingerprint
+ * CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B
+ */
+export const GlobalSign_Root_CA_R3 = `-----BEGIN CERTIFICATE-----
+ MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
+ A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
+ Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
+ MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
+ A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+ hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
+ RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
+ gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
+ KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
+ QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
+ XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
+ DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
+ LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
+ RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
+ jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
+ 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
+ mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
+ Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
+ WD9f
+ -----END CERTIFICATE-----
+ `;

package/{dist → esm}/services/metadataService.d.ts RENAMED Viewed

@@ -1,4 +1,4 @@
-import type { MetadataStatement } from '../metadata/mdsTypes';
+import type { MetadataStatement } from '../metadata/mdsTypes.js';
 type VerificationMode = 'permissive' | 'strict';
 /**
  * A basic service for coordinating interactions with the FIDO Metadata Service. This includes BLOB

package/{dist → esm}/services/metadataService.js RENAMED Viewed

@@ -1,18 +1,12 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.MetadataService = exports.BaseMetadataService = void 0;
-const cross_fetch_1 = __importDefault(require("cross-fetch"));
-const validateCertificatePath_1 = require("../helpers/validateCertificatePath");
-const convertCertBufferToPEM_1 = require("../helpers/convertCertBufferToPEM");
-const convertAAGUIDToString_1 = require("../helpers/convertAAGUIDToString");
-const settingsService_1 = require("../services/settingsService");
-const logging_1 = require("../helpers/logging");
-const convertPEMToBytes_1 = require("../helpers/convertPEMToBytes");
-const parseJWT_1 = require("../metadata/parseJWT");
-const verifyJWT_1 = require("../metadata/verifyJWT");
+import { validateCertificatePath } from '../helpers/validateCertificatePath.js';
+import { convertCertBufferToPEM } from '../helpers/convertCertBufferToPEM.js';
+import { convertAAGUIDToString } from '../helpers/convertAAGUIDToString.js';
+import { SettingsService } from './settingsService.js';
+import { getLogger } from '../helpers/logging.js';
+import { convertPEMToBytes } from '../helpers/convertPEMToBytes.js';
+import { fetch } from '../helpers/fetch.js';
+import { parseJWT } from '../metadata/parseJWT.js';
+import { verifyJWT } from '../metadata/verifyJWT.js';
 const defaultURLMDS = 'https://mds.fidoalliance.org/'; // v3
 var SERVICE_STATE;
 (function (SERVICE_STATE) {
@@ -20,19 +14,39 @@ var SERVICE_STATE;
     SERVICE_STATE[SERVICE_STATE["REFRESHING"] = 1] = "REFRESHING";
     SERVICE_STATE[SERVICE_STATE["READY"] = 2] = "READY";
 })(SERVICE_STATE || (SERVICE_STATE = {}));
-const log = (0, logging_1.getLogger)('MetadataService');
+const log = getLogger('MetadataService');
 /**
  * A basic service for coordinating interactions with the FIDO Metadata Service. This includes BLOB
  * download and parsing, and on-demand requesting and caching of individual metadata statements.
  *
  * https://fidoalliance.org/metadata/
  */
-class BaseMetadataService {
+export class BaseMetadataService {
     constructor() {
-        this.mdsCache = {};
-        this.statementCache = {};
-        this.state = SERVICE_STATE.DISABLED;
-        this.verificationMode = 'strict';
+        Object.defineProperty(this, "mdsCache", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: {}
+        });
+        Object.defineProperty(this, "statementCache", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: {}
+        });
+        Object.defineProperty(this, "state", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: SERVICE_STATE.DISABLED
+        });
+        Object.defineProperty(this, "verificationMode", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: 'strict'
+        });
     }
     /**
      * Prepare the service to handle remote MDS servers and/or cache local metadata statements.
@@ -51,9 +65,9 @@ class BaseMetadataService {
         const { mdsServers = [defaultURLMDS], statements, verificationMode } = opts;
         this.setState(SERVICE_STATE.REFRESHING);
         // If metadata statements are provided, load them into the cache first
-        if (statements === null || statements === void 0 ? void 0 : statements.length) {
+        if (statements?.length) {
             let statementsAdded = 0;
-            statements.forEach(statement => {
+            statements.forEach((statement) => {
                 // Only cache statements that are for FIDO2-compatible authenticators
                 if (statement.aaguid) {
                     this.statementCache[statement.aaguid] = {
@@ -70,7 +84,7 @@ class BaseMetadataService {
             log(`Cached ${statementsAdded} local statements`);
         }
         // If MDS servers are provided, then process them and add their statements to the cache
-        if (mdsServers === null || mdsServers === void 0 ? void 0 : mdsServers.length) {
+        if (mdsServers?.length) {
             // Get a current count so we know how many new statements we've added from MDS servers
             const currentCacheCount = Object.keys(this.statementCache).length;
             let numServers = mdsServers.length;
@@ -112,7 +126,7 @@ class BaseMetadataService {
             return;
         }
         if (aaguid instanceof Uint8Array) {
-            aaguid = (0, convertAAGUIDToString_1.convertAAGUIDToString)(aaguid);
+            aaguid = convertAAGUIDToString(aaguid);
         }
         // If a cache refresh is in progress then pause this until the service is ready
         await this.pauseUntilReady();
@@ -159,10 +173,10 @@ class BaseMetadataService {
     async downloadBlob(mds) {
         const { url, no } = mds;
         // Get latest "BLOB" (FIDO's terminology, not mine)
-        const resp = await (0, cross_fetch_1.default)(url);
+        const resp = await fetch(url);
         const data = await resp.text();
         // Parse the JWT
-        const parsedJWT = (0, parseJWT_1.parseJWT)(data);
+        const parsedJWT = parseJWT(data);
         const header = parsedJWT[0];
         const payload = parsedJWT[1];
         if (payload.no <= no) {
@@ -170,11 +184,13 @@ class BaseMetadataService {
             // number of the last BLOB cached locally."
             throw new Error(`Latest BLOB no. "${payload.no}" is not greater than previous ${no}`);
         }
-        const headerCertsPEM = header.x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM);
+        const headerCertsPEM = header.x5c.map(convertCertBufferToPEM);
         try {
             // Validate the certificate chain
-            const rootCerts = settingsService_1.SettingsService.getRootCertificates({ identifier: 'mds' });
-            await (0, validateCertificatePath_1.validateCertificatePath)(headerCertsPEM, rootCerts);
+            const rootCerts = SettingsService.getRootCertificates({
+                identifier: 'mds',
+            });
+            await validateCertificatePath(headerCertsPEM, rootCerts);
         }
         catch (error) {
             const _error = error;
@@ -184,7 +200,7 @@ class BaseMetadataService {
         }
         // Verify the BLOB JWT signature
         const leafCert = headerCertsPEM[0];
-        const verified = await (0, verifyJWT_1.verifyJWT)(data, (0, convertPEMToBytes_1.convertPEMToBytes)(leafCert));
+        const verified = await verifyJWT(data, convertPEMToBytes(leafCert));
         if (!verified) {
             // From FIDO MDS docs: "The FIDO Server SHOULD ignore the file if the signature is invalid."
             throw new Error('BLOB signature could not be verified');
@@ -211,9 +227,11 @@ class BaseMetadataService {
     /**
      * A helper method to pause execution until the service is ready
      */
-    async pauseUntilReady() {
+    pauseUntilReady() {
         if (this.state === SERVICE_STATE.READY) {
-            return;
+            return new Promise((resolve) => {
+                resolve();
+            });
         }
         // State isn't ready, so set up polling
         const readyPromise = new Promise((resolve, reject) => {
@@ -251,7 +269,5 @@ class BaseMetadataService {
         }
     }
 }
-exports.BaseMetadataService = BaseMetadataService;
 // Export a service singleton
-exports.MetadataService = new BaseMetadataService();
-//# sourceMappingURL=metadataService.js.map
+export const MetadataService = new BaseMetadataService();

package/{dist → esm}/services/settingsService.d.ts RENAMED Viewed

@@ -1,4 +1,4 @@
-import { AttestationFormat } from '../helpers/decodeAttestationObject';
+import { AttestationFormat } from '../helpers/decodeAttestationObject.js';
 type RootCertIdentifier = AttestationFormat | 'mds';
 declare class BaseSettingsService {
     private pemCertificates;

package/esm/services/settingsService.js ADDED Viewed

@@ -0,0 +1,65 @@
+import { convertCertBufferToPEM } from '../helpers/convertCertBufferToPEM.js';
+import { GlobalSign_Root_CA } from './defaultRootCerts/android-safetynet.js';
+import { Google_Hardware_Attestation_Root_1, Google_Hardware_Attestation_Root_2, } from './defaultRootCerts/android-key.js';
+import { Apple_WebAuthn_Root_CA } from './defaultRootCerts/apple.js';
+import { GlobalSign_Root_CA_R3 } from './defaultRootCerts/mds.js';
+class BaseSettingsService {
+    constructor() {
+        // Certificates are stored as PEM-formatted strings
+        Object.defineProperty(this, "pemCertificates", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.pemCertificates = new Map();
+    }
+    /**
+     * Set potential root certificates for attestation formats that use them. Root certs will be tried
+     * one-by-one when validating a certificate path.
+     *
+     * Certificates can be specified as a raw `Buffer`, or as a PEM-formatted string. If a
+     * `Buffer` is passed in it will be converted to PEM format.
+     */
+    setRootCertificates(opts) {
+        const { identifier, certificates } = opts;
+        const newCertificates = [];
+        for (const cert of certificates) {
+            if (cert instanceof Uint8Array) {
+                newCertificates.push(convertCertBufferToPEM(cert));
+            }
+            else {
+                newCertificates.push(cert);
+            }
+        }
+        this.pemCertificates.set(identifier, newCertificates);
+    }
+    /**
+     * Get any registered root certificates for the specified attestation format
+     */
+    getRootCertificates(opts) {
+        const { identifier } = opts;
+        return this.pemCertificates.get(identifier) ?? [];
+    }
+}
+export const SettingsService = new BaseSettingsService();
+// Initialize default certificates
+SettingsService.setRootCertificates({
+    identifier: 'android-key',
+    certificates: [
+        Google_Hardware_Attestation_Root_1,
+        Google_Hardware_Attestation_Root_2,
+    ],
+});
+SettingsService.setRootCertificates({
+    identifier: 'android-safetynet',
+    certificates: [GlobalSign_Root_CA],
+});
+SettingsService.setRootCertificates({
+    identifier: 'apple',
+    certificates: [Apple_WebAuthn_Root_CA],
+});
+SettingsService.setRootCertificates({
+    identifier: 'mds',
+    certificates: [GlobalSign_Root_CA_R3],
+});

package/package.json CHANGED Viewed

@@ -1,44 +1,22 @@
 {
+  "module": "./esm/index.js",
+  "main": "./script/index.js",
   "name": "@simplewebauthn/server",
-  "version": "7.4.0",
+  "version": "8.0.0-alpha.0",
   "description": "SimpleWebAuthn for Servers",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
-  "exports": {
-    ".": "./dist/index.js",
-    "./helpers": "./dist/helpers/index.js"
-  },
-  "typesVersions": {
-    "*": {
-      "./dist/index.d.ts": [
-        "./dist/index.d.ts"
-      ],
-      "helpers": [
-        "./dist/helpers/index.d.ts"
-      ]
-    }
-  },
-  "author": "Matthew Miller <matthew@millerti.me>",
   "license": "MIT",
+  "author": "Matthew Miller <matthew@millerti.me>",
   "repository": {
     "type": "git",
-    "url": "https://github.com/MasterKale/SimpleWebAuthn.git",
+    "url": "git+https://github.com/MasterKale/SimpleWebAuthn.git",
     "directory": "packages/server"
   },
   "homepage": "https://github.com/MasterKale/SimpleWebAuthn/tree/master/packages/server#readme",
   "publishConfig": {
     "access": "public"
   },
-  "engines": {
-    "node": ">=16.0.0"
-  },
-  "scripts": {
-    "build": "rimraf dist && tsc",
-    "build:lerna-debug": "rimraf dist && tsc > output.txt; cat output.txt; rm output.txt",
-    "test": "jest",
-    "test:watch": "jest --watch",
-    "test:coverage": "npm test -- --coverage",
-    "prepublish": "npm run build"
+  "bugs": {
+    "url": "https://github.com/MasterKale/SimpleWebAuthn/issues"
   },
   "keywords": [
     "typescript",
@@ -47,20 +25,37 @@
     "fido",
     "node"
   ],
-  "dependencies": {
-    "@hexagon/base64": "^1.1.25",
-    "@peculiar/asn1-android": "^2.3.3",
-    "@peculiar/asn1-ecc": "^2.3.4",
-    "@peculiar/asn1-rsa": "^2.3.4",
-    "@peculiar/asn1-schema": "^2.3.3",
-    "@peculiar/asn1-x509": "^2.3.4",
-    "@simplewebauthn/iso-webcrypto": "^7.4.0",
-    "@simplewebauthn/typescript-types": "^7.4.0",
-    "@types/debug": "^4.1.7",
-    "@types/node": "^18.11.9",
-    "cbor-x": "^1.4.1",
-    "cross-fetch": "^3.1.5",
-    "debug": "^4.3.2"
+  "typesVersions": {
+    "*": {
+      ".": [
+        "esm/index.d.ts"
+      ],
+      "helpers": [
+        "esm/helpers/index.d.ts"
+      ]
+    }
   },
-  "gitHead": "f21955a5947f575858db0cd9ee728abc6b5f4310"
-}
+  "exports": {
+    ".": {
+      "import": "./esm/index.js",
+      "require": "./script/index.js"
+    },
+    "./helpers": {
+      "import": "./esm/helpers/index.js",
+      "require": "./script/helpers/index.js"
+    }
+  },
+  "dependencies": {
+    "@hexagon/base64": "^1.1.27",
+    "@peculiar/asn1-android": "^2.3.6",
+    "@peculiar/asn1-ecc": "^2.3.6",
+    "@peculiar/asn1-rsa": "^2.3.6",
+    "@peculiar/asn1-schema": "^2.3.6",
+    "@peculiar/asn1-x509": "^2.3.6",
+    "@simplewebauthn/typescript-types": "^8.0.0-alpha.0",
+    "@types/debug": "^4.1.8",
+    "cbor-x": "^1.5.2",
+    "cross-fetch": "^4.0.0",
+    "debug": "^4.3.4"
+  }
+}

package/script/authentication/generateAuthenticationOptions.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import type { AuthenticationExtensionsClientInputs, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialRequestOptionsJSON, UserVerificationRequirement } from '../deps.js';
+export type GenerateAuthenticationOptionsOpts = {
+    allowCredentials?: PublicKeyCredentialDescriptorFuture[];
+    challenge?: string | Uint8Array;
+    timeout?: number;
+    userVerification?: UserVerificationRequirement;
+    extensions?: AuthenticationExtensionsClientInputs;
+    rpID?: string;
+};
+/**
+ * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
+ *
+ * @param allowCredentials Authenticators previously registered by the user, if any. If undefined
+ * the client will ask the user which credential they want to use
+ * @param challenge Random value the authenticator needs to sign and pass back
+ * user for authentication
+ * @param timeout How long (in ms) the user can take to complete authentication
+ * @param userVerification Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise
+ * set to `'preferred'` or `'required'` as desired.
+ * @param extensions Additional plugins the authenticator or browser should use during authentication
+ * @param rpID Valid domain name (after `https://`)
+ */
+export declare function generateAuthenticationOptions(options?: GenerateAuthenticationOptionsOpts): Promise<PublicKeyCredentialRequestOptionsJSON>;

package/{dist → script}/authentication/generateAuthenticationOptions.js RENAMED Viewed

@@ -1,8 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.generateAuthenticationOptions = void 0;
-const iso_1 = require("../helpers/iso");
-const generateChallenge_1 = require("../helpers/generateChallenge");
+const index_js_1 = require("../helpers/iso/index.js");
+const generateChallenge_js_1 = require("../helpers/generateChallenge.js");
 /**
  * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
  *
@@ -16,20 +16,20 @@ const generateChallenge_1 = require("../helpers/generateChallenge");
  * @param extensions Additional plugins the authenticator or browser should use during authentication
  * @param rpID Valid domain name (after `https://`)
  */
-function generateAuthenticationOptions(options = {}) {
-    const { allowCredentials, challenge = (0, generateChallenge_1.generateChallenge)(), timeout = 60000, userVerification = 'preferred', extensions, rpID, } = options;
+async function generateAuthenticationOptions(options = {}) {
+    const { allowCredentials, challenge = await (0, generateChallenge_js_1.generateChallenge)(), timeout = 60000, userVerification = 'preferred', extensions, rpID, } = options;
     /**
      * Preserve ability to specify `string` values for challenges
      */
     let _challenge = challenge;
     if (typeof _challenge === 'string') {
-        _challenge = iso_1.isoUint8Array.fromUTF8String(_challenge);
+        _challenge = index_js_1.isoUint8Array.fromUTF8String(_challenge);
     }
     return {
-        challenge: iso_1.isoBase64URL.fromBuffer(_challenge),
-        allowCredentials: allowCredentials === null || allowCredentials === void 0 ? void 0 : allowCredentials.map(cred => ({
+        challenge: index_js_1.isoBase64URL.fromBuffer(_challenge),
+        allowCredentials: allowCredentials?.map((cred) => ({
             ...cred,
-            id: iso_1.isoBase64URL.fromBuffer(cred.id),
+            id: index_js_1.isoBase64URL.fromBuffer(cred.id),
         })),
         timeout,
         userVerification,
@@ -38,4 +38,3 @@ function generateAuthenticationOptions(options = {}) {
     };
 }
 exports.generateAuthenticationOptions = generateAuthenticationOptions;
-//# sourceMappingURL=generateAuthenticationOptions.js.map