@simplewebauthn/server 7.4.0 → 8.0.0

package/esm/services/defaultRootCerts/android-key.js

@@ -0,0 +1,85 @@
+/**
+ * Google Hardware Attestation Root 1
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (first entry)
+ *
+ * Valid until 2026-05-24 @ 09:28 PST
+ *
+ * SHA256 Fingerprint
+ * C1:98:4A:3E:F4:5C:1E:2A:91:85:51:DE:10:60:3C:86:F7:05:1B:22:49:C4:89:1C:AE:32:30:EA:BD:0C:97:D5
+ */
+export const Google_Hardware_Attestation_Root_1 = `-----BEGIN CERTIFICATE-----
+MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYy
+ODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
+Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
+tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
+nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
+C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
+oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
+JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
+igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
+RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
+aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
+AGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYD
+VR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lk
+Lmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQAD
+ggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfB
+Pb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00m
+qC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rY
+DBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPm
+QUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4u
+JU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyD
+CdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79Iy
+ZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxD
+qwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23Uaic
+MDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1
+wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk
+-----END CERTIFICATE-----
+`;
+/**
+ * Google Hardware Attestation Root 2
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (second entry)
+ *
+ * Valid until 2034-11-18 @ 12:37 PST
+ *
+ * SHA256 Fingerprint
+ * 1E:F1:A0:4B:8B:A5:8A:B9:45:89:AC:49:8C:89:82:A7:83:F2:4E:A7:30:7E:01:59:A0:C3:A7:3B:37:7D:87:CC
+ */
+export const Google_Hardware_Attestation_Root_2 = `-----BEGIN CERTIFICATE-----
+MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAz
+NzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
+Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
+tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
+nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
+C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
+oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
+JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
+igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
+RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
+aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
+AGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud
+IwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnu
+XKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83U
+h6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cno
+L/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2ok
+QBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vA
+D32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAI
+mMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoW
+Fua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91
+oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09o
+jm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUB
+ZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCH
+ex0SdDrx+tWUDqG8At2JHA==
+-----END CERTIFICATE-----
+`;

package/esm/services/defaultRootCerts/android-safetynet.js

@@ -0,0 +1,32 @@
+/**
+ * GlobalSign Root CA
+ *
+ * Downloaded from https://pki.goog/roots.pem
+ *
+ * Valid until 2028-01-28 @ 04:00 PST
+ *
+ * SHA256 Fingerprint
+ * EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99
+ */
+export const GlobalSign_Root_CA = `-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+-----END CERTIFICATE-----
+`;

package/esm/services/defaultRootCerts/apple.js

@@ -0,0 +1,25 @@
+/**
+ * Apple WebAuthn Root CA
+ *
+ * Downloaded from https://www.apple.com/certificateauthority/Apple_WebAuthn_Root_CA.pem
+ *
+ * Valid until 2045-03-14 @ 17:00 PST
+ *
+ * SHA256 Fingerprint
+ * 09:15:DD:5C:07:A2:8D:B5:49:D1:F6:77:BB:5A:75:D4:BF:BE:95:61:A7:73:42:43:27:76:2E:9E:02:F9:BB:29
+ */
+export const Apple_WebAuthn_Root_CA = `-----BEGIN CERTIFICATE-----
+MIICEjCCAZmgAwIBAgIQaB0BbHo84wIlpQGUKEdXcTAKBggqhkjOPQQDAzBLMR8w
+HQYDVQQDDBZBcHBsZSBXZWJBdXRobiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJ
+bmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4MjEzMloXDTQ1MDMx
+NTAwMDAwMFowSzEfMB0GA1UEAwwWQXBwbGUgV2ViQXV0aG4gUm9vdCBDQTETMBEG
+A1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABCJCQ2pTVhzjl4Wo6IhHtMSAzO2cv+H9DQKev3//fG59G11k
+xu9eI0/7o6V5uShBpe1u6l6mS19S1FEh6yGljnZAJ+2GNP1mi/YK2kSXIuTHjxA/
+pcoRf7XkOtO4o1qlcaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJtdk
+2cV4wlpn0afeaxLQG2PxxtcwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2cA
+MGQCMFrZ+9DsJ1PW9hfNdBywZDsWDbWFp28it1d/5w2RPkRX3Bbn/UbDTNLx7Jr3
+jAGGiQIwHFj+dJZYUJR786osByBelJYsVZd2GbHQu209b5RCmGQ21gpSAk9QZW4B
+1bWeT0vT
+-----END CERTIFICATE-----
+`;

package/esm/services/defaultRootCerts/mds.js

@@ -0,0 +1,32 @@
+/**
+ * GlobalSign Root CA - R3
+ *
+ * Downloaded from https://valid.r3.roots.globalsign.com/
+ *
+ * Valid until 2029-03-18 @ 00:00 PST
+ *
+ * SHA256 Fingerprint
+ * CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B
+ */
+export const GlobalSign_Root_CA_R3 = `-----BEGIN CERTIFICATE-----
+ MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
+ A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
+ Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
+ MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
+ A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+ hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
+ RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
+ gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
+ KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
+ QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
+ XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
+ DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
+ LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
+ RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
+ jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
+ 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
+ mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
+ Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
+ WD9f
+ -----END CERTIFICATE-----
+ `;

package/{dist → esm}/services/metadataService.d.ts

@@ -1,4 +1,4 @@
-import type { MetadataStatement } from '../metadata/mdsTypes';
+import type { MetadataStatement } from '../metadata/mdsTypes.js';
 type VerificationMode = 'permissive' | 'strict';
 /**
  * A basic service for coordinating interactions with the FIDO Metadata Service. This includes BLOB

package/{dist → esm}/services/metadataService.js

@@ -1,18 +1,12 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.MetadataService = exports.BaseMetadataService = void 0;
-const cross_fetch_1 = __importDefault(require("cross-fetch"));
-const validateCertificatePath_1 = require("../helpers/validateCertificatePath");
-const convertCertBufferToPEM_1 = require("../helpers/convertCertBufferToPEM");
-const convertAAGUIDToString_1 = require("../helpers/convertAAGUIDToString");
-const settingsService_1 = require("../services/settingsService");
-const logging_1 = require("../helpers/logging");
-const convertPEMToBytes_1 = require("../helpers/convertPEMToBytes");
-const parseJWT_1 = require("../metadata/parseJWT");
-const verifyJWT_1 = require("../metadata/verifyJWT");
+import { validateCertificatePath } from '../helpers/validateCertificatePath.js';
+import { convertCertBufferToPEM } from '../helpers/convertCertBufferToPEM.js';
+import { convertAAGUIDToString } from '../helpers/convertAAGUIDToString.js';
+import { SettingsService } from './settingsService.js';
+import { getLogger } from '../helpers/logging.js';
+import { convertPEMToBytes } from '../helpers/convertPEMToBytes.js';
+import { fetch } from '../helpers/fetch.js';
+import { parseJWT } from '../metadata/parseJWT.js';
+import { verifyJWT } from '../metadata/verifyJWT.js';
 const defaultURLMDS = 'https://mds.fidoalliance.org/'; // v3
 var SERVICE_STATE;
 (function (SERVICE_STATE) {
@@ -20,19 +14,39 @@ var SERVICE_STATE;
     SERVICE_STATE[SERVICE_STATE["REFRESHING"] = 1] = "REFRESHING";
     SERVICE_STATE[SERVICE_STATE["READY"] = 2] = "READY";
 })(SERVICE_STATE || (SERVICE_STATE = {}));
-const log = (0, logging_1.getLogger)('MetadataService');
+const log = getLogger('MetadataService');
 /**
  * A basic service for coordinating interactions with the FIDO Metadata Service. This includes BLOB
  * download and parsing, and on-demand requesting and caching of individual metadata statements.
  *
  * https://fidoalliance.org/metadata/
  */
-class BaseMetadataService {
+export class BaseMetadataService {
     constructor() {
-        this.mdsCache = {};
-        this.statementCache = {};
-        this.state = SERVICE_STATE.DISABLED;
-        this.verificationMode = 'strict';
+        Object.defineProperty(this, "mdsCache", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: {}
+        });
+        Object.defineProperty(this, "statementCache", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: {}
+        });
+        Object.defineProperty(this, "state", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: SERVICE_STATE.DISABLED
+        });
+        Object.defineProperty(this, "verificationMode", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: 'strict'
+        });
     }
     /**
      * Prepare the service to handle remote MDS servers and/or cache local metadata statements.
@@ -51,9 +65,9 @@ class BaseMetadataService {
         const { mdsServers = [defaultURLMDS], statements, verificationMode } = opts;
         this.setState(SERVICE_STATE.REFRESHING);
         // If metadata statements are provided, load them into the cache first
-        if (statements === null || statements === void 0 ? void 0 : statements.length) {
+        if (statements?.length) {
             let statementsAdded = 0;
-            statements.forEach(statement => {
+            statements.forEach((statement) => {
                 // Only cache statements that are for FIDO2-compatible authenticators
                 if (statement.aaguid) {
                     this.statementCache[statement.aaguid] = {
@@ -70,7 +84,7 @@ class BaseMetadataService {
             log(`Cached ${statementsAdded} local statements`);
         }
         // If MDS servers are provided, then process them and add their statements to the cache
-        if (mdsServers === null || mdsServers === void 0 ? void 0 : mdsServers.length) {
+        if (mdsServers?.length) {
             // Get a current count so we know how many new statements we've added from MDS servers
             const currentCacheCount = Object.keys(this.statementCache).length;
             let numServers = mdsServers.length;
@@ -112,7 +126,7 @@ class BaseMetadataService {
             return;
         }
         if (aaguid instanceof Uint8Array) {
-            aaguid = (0, convertAAGUIDToString_1.convertAAGUIDToString)(aaguid);
+            aaguid = convertAAGUIDToString(aaguid);
         }
         // If a cache refresh is in progress then pause this until the service is ready
         await this.pauseUntilReady();
@@ -159,10 +173,10 @@ class BaseMetadataService {
     async downloadBlob(mds) {
         const { url, no } = mds;
         // Get latest "BLOB" (FIDO's terminology, not mine)
-        const resp = await (0, cross_fetch_1.default)(url);
+        const resp = await fetch(url);
         const data = await resp.text();
         // Parse the JWT
-        const parsedJWT = (0, parseJWT_1.parseJWT)(data);
+        const parsedJWT = parseJWT(data);
         const header = parsedJWT[0];
         const payload = parsedJWT[1];
         if (payload.no <= no) {
@@ -170,11 +184,13 @@ class BaseMetadataService {
             // number of the last BLOB cached locally."
             throw new Error(`Latest BLOB no. "${payload.no}" is not greater than previous ${no}`);
         }
-        const headerCertsPEM = header.x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM);
+        const headerCertsPEM = header.x5c.map(convertCertBufferToPEM);
         try {
             // Validate the certificate chain
-            const rootCerts = settingsService_1.SettingsService.getRootCertificates({ identifier: 'mds' });
-            await (0, validateCertificatePath_1.validateCertificatePath)(headerCertsPEM, rootCerts);
+            const rootCerts = SettingsService.getRootCertificates({
+                identifier: 'mds',
+            });
+            await validateCertificatePath(headerCertsPEM, rootCerts);
         }
         catch (error) {
             const _error = error;
@@ -184,7 +200,7 @@ class BaseMetadataService {
         }
         // Verify the BLOB JWT signature
         const leafCert = headerCertsPEM[0];
-        const verified = await (0, verifyJWT_1.verifyJWT)(data, (0, convertPEMToBytes_1.convertPEMToBytes)(leafCert));
+        const verified = await verifyJWT(data, convertPEMToBytes(leafCert));
         if (!verified) {
             // From FIDO MDS docs: "The FIDO Server SHOULD ignore the file if the signature is invalid."
             throw new Error('BLOB signature could not be verified');
@@ -211,9 +227,11 @@ class BaseMetadataService {
     /**
      * A helper method to pause execution until the service is ready
      */
-    async pauseUntilReady() {
+    pauseUntilReady() {
         if (this.state === SERVICE_STATE.READY) {
-            return;
+            return new Promise((resolve) => {
+                resolve();
+            });
         }
         // State isn't ready, so set up polling
         const readyPromise = new Promise((resolve, reject) => {
@@ -251,7 +269,5 @@ class BaseMetadataService {
         }
     }
 }
-exports.BaseMetadataService = BaseMetadataService;
 // Export a service singleton
-exports.MetadataService = new BaseMetadataService();
-//# sourceMappingURL=metadataService.js.map
+export const MetadataService = new BaseMetadataService();

package/{dist → esm}/services/settingsService.d.ts

@@ -1,4 +1,4 @@
-import { AttestationFormat } from '../helpers/decodeAttestationObject';
+import { AttestationFormat } from '../helpers/decodeAttestationObject.js';
 type RootCertIdentifier = AttestationFormat | 'mds';
 declare class BaseSettingsService {
     private pemCertificates;

package/esm/services/settingsService.js

@@ -0,0 +1,65 @@
+import { convertCertBufferToPEM } from '../helpers/convertCertBufferToPEM.js';
+import { GlobalSign_Root_CA } from './defaultRootCerts/android-safetynet.js';
+import { Google_Hardware_Attestation_Root_1, Google_Hardware_Attestation_Root_2, } from './defaultRootCerts/android-key.js';
+import { Apple_WebAuthn_Root_CA } from './defaultRootCerts/apple.js';
+import { GlobalSign_Root_CA_R3 } from './defaultRootCerts/mds.js';
+class BaseSettingsService {
+    constructor() {
+        // Certificates are stored as PEM-formatted strings
+        Object.defineProperty(this, "pemCertificates", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.pemCertificates = new Map();
+    }
+    /**
+     * Set potential root certificates for attestation formats that use them. Root certs will be tried
+     * one-by-one when validating a certificate path.
+     *
+     * Certificates can be specified as a raw `Buffer`, or as a PEM-formatted string. If a
+     * `Buffer` is passed in it will be converted to PEM format.
+     */
+    setRootCertificates(opts) {
+        const { identifier, certificates } = opts;
+        const newCertificates = [];
+        for (const cert of certificates) {
+            if (cert instanceof Uint8Array) {
+                newCertificates.push(convertCertBufferToPEM(cert));
+            }
+            else {
+                newCertificates.push(cert);
+            }
+        }
+        this.pemCertificates.set(identifier, newCertificates);
+    }
+    /**
+     * Get any registered root certificates for the specified attestation format
+     */
+    getRootCertificates(opts) {
+        const { identifier } = opts;
+        return this.pemCertificates.get(identifier) ?? [];
+    }
+}
+export const SettingsService = new BaseSettingsService();
+// Initialize default certificates
+SettingsService.setRootCertificates({
+    identifier: 'android-key',
+    certificates: [
+        Google_Hardware_Attestation_Root_1,
+        Google_Hardware_Attestation_Root_2,
+    ],
+});
+SettingsService.setRootCertificates({
+    identifier: 'android-safetynet',
+    certificates: [GlobalSign_Root_CA],
+});
+SettingsService.setRootCertificates({
+    identifier: 'apple',
+    certificates: [Apple_WebAuthn_Root_CA],
+});
+SettingsService.setRootCertificates({
+    identifier: 'mds',
+    certificates: [GlobalSign_Root_CA_R3],
+});

package/package.json

@@ -1,28 +1,14 @@
 {
+  "module": "./esm/index.js",
+  "main": "./script/index.js",
   "name": "@simplewebauthn/server",
-  "version": "7.4.0",
+  "version": "8.0.0",
   "description": "SimpleWebAuthn for Servers",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
-  "exports": {
-    ".": "./dist/index.js",
-    "./helpers": "./dist/helpers/index.js"
-  },
-  "typesVersions": {
-    "*": {
-      "./dist/index.d.ts": [
-        "./dist/index.d.ts"
-      ],
-      "helpers": [
-        "./dist/helpers/index.d.ts"
-      ]
-    }
-  },
-  "author": "Matthew Miller <matthew@millerti.me>",
   "license": "MIT",
+  "author": "Matthew Miller <matthew@millerti.me>",
   "repository": {
     "type": "git",
-    "url": "https://github.com/MasterKale/SimpleWebAuthn.git",
+    "url": "git+https://github.com/MasterKale/SimpleWebAuthn.git",
     "directory": "packages/server"
   },
   "homepage": "https://github.com/MasterKale/SimpleWebAuthn/tree/master/packages/server#readme",
@@ -32,13 +18,8 @@
   "engines": {
     "node": ">=16.0.0"
   },
-  "scripts": {
-    "build": "rimraf dist && tsc",
-    "build:lerna-debug": "rimraf dist && tsc > output.txt; cat output.txt; rm output.txt",
-    "test": "jest",
-    "test:watch": "jest --watch",
-    "test:coverage": "npm test -- --coverage",
-    "prepublish": "npm run build"
+  "bugs": {
+    "url": "https://github.com/MasterKale/SimpleWebAuthn/issues"
   },
   "keywords": [
     "typescript",
@@ -47,20 +28,37 @@
     "fido",
     "node"
   ],
-  "dependencies": {
-    "@hexagon/base64": "^1.1.25",
-    "@peculiar/asn1-android": "^2.3.3",
-    "@peculiar/asn1-ecc": "^2.3.4",
-    "@peculiar/asn1-rsa": "^2.3.4",
-    "@peculiar/asn1-schema": "^2.3.3",
-    "@peculiar/asn1-x509": "^2.3.4",
-    "@simplewebauthn/iso-webcrypto": "^7.4.0",
-    "@simplewebauthn/typescript-types": "^7.4.0",
-    "@types/debug": "^4.1.7",
-    "@types/node": "^18.11.9",
-    "cbor-x": "^1.4.1",
-    "cross-fetch": "^3.1.5",
-    "debug": "^4.3.2"
+  "typesVersions": {
+    "*": {
+      ".": [
+        "esm/index.d.ts"
+      ],
+      "helpers": [
+        "esm/helpers/index.d.ts"
+      ]
+    }
   },
-  "gitHead": "f21955a5947f575858db0cd9ee728abc6b5f4310"
-}
+  "exports": {
+    ".": {
+      "import": "./esm/index.js",
+      "require": "./script/index.js"
+    },
+    "./helpers": {
+      "import": "./esm/helpers/index.js",
+      "require": "./script/helpers/index.js"
+    }
+  },
+  "dependencies": {
+    "@hexagon/base64": "^1.1.27",
+    "@peculiar/asn1-android": "^2.3.6",
+    "@peculiar/asn1-ecc": "^2.3.6",
+    "@peculiar/asn1-rsa": "^2.3.6",
+    "@peculiar/asn1-schema": "^2.3.6",
+    "@peculiar/asn1-x509": "^2.3.6",
+    "@simplewebauthn/typescript-types": "^8.0.0",
+    "@types/debug": "^4.1.8",
+    "cbor-x": "^1.5.2",
+    "cross-fetch": "^4.0.0",
+    "debug": "^4.3.4"
+  }
+}

package/script/authentication/generateAuthenticationOptions.d.ts

@@ -0,0 +1,23 @@
+import type { AuthenticationExtensionsClientInputs, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialRequestOptionsJSON, UserVerificationRequirement } from '../deps.js';
+export type GenerateAuthenticationOptionsOpts = {
+    allowCredentials?: PublicKeyCredentialDescriptorFuture[];
+    challenge?: string | Uint8Array;
+    timeout?: number;
+    userVerification?: UserVerificationRequirement;
+    extensions?: AuthenticationExtensionsClientInputs;
+    rpID?: string;
+};
+/**
+ * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
+ *
+ * @param allowCredentials Authenticators previously registered by the user, if any. If undefined
+ * the client will ask the user which credential they want to use
+ * @param challenge Random value the authenticator needs to sign and pass back
+ * user for authentication
+ * @param timeout How long (in ms) the user can take to complete authentication
+ * @param userVerification Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise
+ * set to `'preferred'` or `'required'` as desired.
+ * @param extensions Additional plugins the authenticator or browser should use during authentication
+ * @param rpID Valid domain name (after `https://`)
+ */
+export declare function generateAuthenticationOptions(options?: GenerateAuthenticationOptionsOpts): Promise<PublicKeyCredentialRequestOptionsJSON>;

package/{dist → script}/authentication/generateAuthenticationOptions.js

@@ -1,8 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.generateAuthenticationOptions = void 0;
-const iso_1 = require("../helpers/iso");
-const generateChallenge_1 = require("../helpers/generateChallenge");
+const index_js_1 = require("../helpers/iso/index.js");
+const generateChallenge_js_1 = require("../helpers/generateChallenge.js");
 /**
  * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
  *
@@ -16,20 +16,20 @@ const generateChallenge_1 = require("../helpers/generateChallenge");
  * @param extensions Additional plugins the authenticator or browser should use during authentication
  * @param rpID Valid domain name (after `https://`)
  */
-function generateAuthenticationOptions(options = {}) {
-    const { allowCredentials, challenge = (0, generateChallenge_1.generateChallenge)(), timeout = 60000, userVerification = 'preferred', extensions, rpID, } = options;
+async function generateAuthenticationOptions(options = {}) {
+    const { allowCredentials, challenge = await (0, generateChallenge_js_1.generateChallenge)(), timeout = 60000, userVerification = 'preferred', extensions, rpID, } = options;
     /**
      * Preserve ability to specify `string` values for challenges
      */
     let _challenge = challenge;
     if (typeof _challenge === 'string') {
-        _challenge = iso_1.isoUint8Array.fromUTF8String(_challenge);
+        _challenge = index_js_1.isoUint8Array.fromUTF8String(_challenge);
     }
     return {
-        challenge: iso_1.isoBase64URL.fromBuffer(_challenge),
-        allowCredentials: allowCredentials === null || allowCredentials === void 0 ? void 0 : allowCredentials.map(cred => ({
+        challenge: index_js_1.isoBase64URL.fromBuffer(_challenge),
+        allowCredentials: allowCredentials?.map((cred) => ({
             ...cred,
-            id: iso_1.isoBase64URL.fromBuffer(cred.id),
+            id: index_js_1.isoBase64URL.fromBuffer(cred.id),
         })),
         timeout,
         userVerification,
@@ -38,4 +38,3 @@ function generateAuthenticationOptions(options = {}) {
     };
 }
 exports.generateAuthenticationOptions = generateAuthenticationOptions;
-//# sourceMappingURL=generateAuthenticationOptions.js.map

package/script/authentication/verifyAuthenticationResponse.d.ts

@@ -0,0 +1,66 @@
+import type { AuthenticationResponseJSON, AuthenticatorDevice, CredentialDeviceType, UserVerificationRequirement } from '../deps.js';
+import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
+export type VerifyAuthenticationResponseOpts = {
+    response: AuthenticationResponseJSON;
+    expectedChallenge: string | ((challenge: string) => boolean);
+    expectedOrigin: string | string[];
+    expectedRPID: string | string[];
+    authenticator: AuthenticatorDevice;
+    requireUserVerification?: boolean;
+    advancedFIDOConfig?: {
+        userVerification?: UserVerificationRequirement;
+    };
+};
+/**
+ * Verify that the user has legitimately completed the login process
+ *
+ * **Options:**
+ *
+ * @param response Response returned by **@simplewebauthn/browser**'s `startAssertion()`
+ * @param expectedChallenge The base64url-encoded `options.challenge` returned by
+ * `generateAuthenticationOptions()`
+ * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
+ * @param requireUserVerification (Optional) Enforce user verification by the authenticator
+ * (via PIN, fingerprint, etc...)
+ * @param advancedFIDOConfig (Optional) Options for satisfying more stringent FIDO RP feature
+ * requirements
+ * @param advancedFIDOConfig.userVerification (Optional) Enable alternative rules for evaluating the
+ * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
+ * unless this value is `"required"`
+ */
+export declare function verifyAuthenticationResponse(options: VerifyAuthenticationResponseOpts): Promise<VerifiedAuthenticationResponse>;
+/**
+ * Result of authentication verification
+ *
+ * @param verified If the authentication response could be verified
+ * @param authenticationInfo.credentialID The ID of the authenticator used during authentication.
+ * Should be used to identify which DB authenticator entry needs its `counter` updated to the value
+ * below
+ * @param authenticationInfo.newCounter The number of times the authenticator identified above
+ * reported it has been used. **Should be kept in a DB for later reference to help prevent replay
+ * attacks!**
+ * @param authenticationInfo.credentialDeviceType Whether this is a single-device or multi-device
+ * credential. **Should be kept in a DB for later reference!**
+ * @param authenticationInfo.credentialBackedUp Whether or not the multi-device credential has been
+ * backed up. Always `false` for single-device credentials. **Should be kept in a DB for later
+ * reference!**
+ * @param authenticationInfo.origin The origin of the website that the authentication occurred on
+ * @param authenticationInfo.rpID The RP ID that the authentication occurred on
+ * @param authenticationInfo?.authenticatorExtensionResults The authenticator extensions returned
+ * by the browser
+ */
+export type VerifiedAuthenticationResponse = {
+    verified: boolean;
+    authenticationInfo: {
+        credentialID: Uint8Array;
+        newCounter: number;
+        userVerified: boolean;
+        credentialDeviceType: CredentialDeviceType;
+        credentialBackedUp: boolean;
+        origin: string;
+        rpID: string;
+        authenticatorExtensionResults?: AuthenticationExtensionsAuthenticatorOutputs;
+    };
+};