@simplewebauthn/server 8.1.1 → 8.3.2

package/esm/authentication/verifyAuthenticationResponse.d.ts

@@ -5,6 +5,7 @@ export type VerifyAuthenticationResponseOpts = {
     expectedChallenge: string | ((challenge: string) => boolean | Promise<boolean>);
     expectedOrigin: string | string[];
     expectedRPID: string | string[];
+    expectedType?: string | string[];
     authenticator: AuthenticatorDevice;
     requireUserVerification?: boolean;
     advancedFIDOConfig?: {
@@ -21,6 +22,7 @@ export type VerifyAuthenticationResponseOpts = {
  * `generateAuthenticationOptions()`
  * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
  * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType (Optional) The response type expected ('webauthn.get')
  * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
  * @param requireUserVerification (Optional) Enforce user verification by the authenticator
  * (via PIN, fingerprint, etc...)

package/esm/authentication/verifyAuthenticationResponse.js

@@ -15,6 +15,7 @@ import { isoBase64URL, isoUint8Array } from '../helpers/iso/index.js';
  * `generateAuthenticationOptions()`
  * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
  * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType (Optional) The response type expected ('webauthn.get')
  * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
  * @param requireUserVerification (Optional) Enforce user verification by the authenticator
  * (via PIN, fingerprint, etc...)
@@ -25,7 +26,7 @@ import { isoBase64URL, isoUint8Array } from '../helpers/iso/index.js';
  * unless this value is `"required"`
  */
 export async function verifyAuthenticationResponse(options) {
-    const { response, expectedChallenge, expectedOrigin, expectedRPID, authenticator, requireUserVerification = true, advancedFIDOConfig, } = options;
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, authenticator, requireUserVerification = true, advancedFIDOConfig, } = options;
     const { id, rawId, type: credentialType, response: assertionResponse } = response;
     // Ensure credential specified an ID
     if (!id) {
@@ -48,7 +49,18 @@ export async function verifyAuthenticationResponse(options) {
     const clientDataJSON = decodeClientDataJSON(assertionResponse.clientDataJSON);
     const { type, origin, challenge, tokenBinding } = clientDataJSON;
     // Make sure we're handling an authentication
-    if (type !== 'webauthn.get') {
+    if (Array.isArray(expectedType)) {
+        if (!expectedType.includes(type)) {
+            const joinedExpectedType = expectedType.join(', ');
+            throw new Error(`Unexpected authentication response type "${type}", expected one of: ${joinedExpectedType}`);
+        }
+    }
+    else if (expectedType) {
+        if (type !== expectedType) {
+            throw new Error(`Unexpected authentication response type "${type}", expected "${expectedType}"`);
+        }
+    }
+    else if (type !== 'webauthn.get') {
         throw new Error(`Unexpected authentication response type: ${type}`);
     }
     // Ensure the device provided the challenge we gave it

package/esm/deps.d.ts

@@ -1,5 +1,5 @@
 export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/typescript-types';
-export * as cborx from 'cbor-x';
+export * as cborx from 'cbor-x/encode';
 export { default as base64 } from '@hexagon/base64';
 export { fetch as crossFetch } from 'cross-fetch';
 export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';

package/esm/deps.js

@@ -1,5 +1,5 @@
 // cbor (a.k.a. cbor-x in Node land)
-export * as cborx from 'cbor-x';
+export * as cborx from 'cbor-x/encode';
 // b64 (a.k.a. @hexagon/base64 in Node land)
 export { default as base64 } from '@hexagon/base64';
 // cross-fetch

package/esm/helpers/parseAuthenticatorData.js

@@ -34,6 +34,22 @@ export function parseAuthenticatorData(authData) {
         const credIDLen = dataView.getUint16(pointer);
         pointer += 2;
         credentialID = authData.slice(pointer, pointer += credIDLen);
+        /**
+         * Firefox 117 incorrectly CBOR-encodes authData when EdDSA (-8) is used for the public key.
+         * A CBOR "Map of 3 items" (0xa3) should be "Map of 4 items" (0xa4), and if we manually adjust
+         * the single byte there's a good chance the authData can be correctly parsed.
+         *
+         * This browser release also incorrectly uses the string labels "OKP" and "Ed25519" instead of
+         * their integer representations for kty and crv respectively. That's why the COSE public key
+         * in the hex below looks so odd.
+         */
+        // Bytes decode to `{ 1: "OKP", 3: -8, -1: "Ed25519" }` (it's missing key -2 a.k.a. COSEKEYS.x)
+        const badEdDSACBOR = isoUint8Array.fromHex('a301634f4b500327206745643235353139');
+        const bytesAtCurrentPosition = authData.slice(pointer, pointer + badEdDSACBOR.byteLength);
+        if (isoUint8Array.areEqual(badEdDSACBOR, bytesAtCurrentPosition)) {
+            // Change the bad CBOR 0xa3 to 0xa4 so that the credential public key can be recognized
+            authData[pointer] = 0xa4;
+        }
         // Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
         const firstDecoded = isoCBOR.decodeFirst(authData.slice(pointer));
         const firstEncoded = Uint8Array.from(isoCBOR.encode(firstDecoded));

package/esm/registration/verifyRegistrationResponse.d.ts

@@ -6,6 +6,7 @@ export type VerifyRegistrationResponseOpts = {
     expectedChallenge: string | ((challenge: string) => boolean | Promise<boolean>);
     expectedOrigin: string | string[];
     expectedRPID?: string | string[];
+    expectedType?: string | string[];
     requireUserVerification?: boolean;
     supportedAlgorithmIDs?: COSEAlgorithmIdentifier[];
 };
@@ -19,6 +20,7 @@ export type VerifyRegistrationResponseOpts = {
  * `generateRegistrationOptions()`
  * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
  * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType (Optional) The response type expected ('webauthn.create')
  * @param requireUserVerification (Optional) Enforce user verification by the authenticator
  * (via PIN, fingerprint, etc...)
  * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for

package/esm/registration/verifyRegistrationResponse.js

@@ -26,13 +26,14 @@ import { verifyAttestationApple } from './verifications/verifyAttestationApple.j
  * `generateRegistrationOptions()`
  * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
  * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType (Optional) The response type expected ('webauthn.create')
  * @param requireUserVerification (Optional) Enforce user verification by the authenticator
  * (via PIN, fingerprint, etc...)
  * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
  * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
  */
 export async function verifyRegistrationResponse(options) {
-    const { response, expectedChallenge, expectedOrigin, expectedRPID, requireUserVerification = true, supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers, } = options;
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, requireUserVerification = true, supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers, } = options;
     const { id, rawId, type: credentialType, response: attestationResponse } = response;
     // Ensure credential specified an ID
     if (!id) {
@@ -49,7 +50,18 @@ export async function verifyRegistrationResponse(options) {
     const clientDataJSON = decodeClientDataJSON(attestationResponse.clientDataJSON);
     const { type, origin, challenge, tokenBinding } = clientDataJSON;
     // Make sure we're handling an registration
-    if (type !== 'webauthn.create') {
+    if (Array.isArray(expectedType)) {
+        if (!expectedType.includes(type)) {
+            const joinedExpectedType = expectedType.join(', ');
+            throw new Error(`Unexpected registration response type "${type}", expected one of: ${joinedExpectedType}`);
+        }
+    }
+    else if (expectedType) {
+        if (type !== expectedType) {
+            throw new Error(`Unexpected registration response type "${type}", expected "${expectedType}"`);
+        }
+    }
+    else if (type !== 'webauthn.create') {
         throw new Error(`Unexpected registration response type: ${type}`);
     }
     // Ensure the device provided the challenge we gave it

package/package.json

@@ -2,7 +2,7 @@
   "module": "./esm/index.js",
   "main": "./script/index.js",
   "name": "@simplewebauthn/server",
-  "version": "8.1.1",
+  "version": "8.3.2",
   "description": "SimpleWebAuthn for Servers",
   "license": "MIT",
   "author": "Matthew Miller <matthew@millerti.me>",

package/script/authentication/verifyAuthenticationResponse.d.ts

@@ -5,6 +5,7 @@ export type VerifyAuthenticationResponseOpts = {
     expectedChallenge: string | ((challenge: string) => boolean | Promise<boolean>);
     expectedOrigin: string | string[];
     expectedRPID: string | string[];
+    expectedType?: string | string[];
     authenticator: AuthenticatorDevice;
     requireUserVerification?: boolean;
     advancedFIDOConfig?: {
@@ -21,6 +22,7 @@ export type VerifyAuthenticationResponseOpts = {
  * `generateAuthenticationOptions()`
  * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
  * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType (Optional) The response type expected ('webauthn.get')
  * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
  * @param requireUserVerification (Optional) Enforce user verification by the authenticator
  * (via PIN, fingerprint, etc...)

package/script/authentication/verifyAuthenticationResponse.js

@@ -18,6 +18,7 @@ const index_js_1 = require("../helpers/iso/index.js");
  * `generateAuthenticationOptions()`
  * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
  * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType (Optional) The response type expected ('webauthn.get')
  * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
  * @param requireUserVerification (Optional) Enforce user verification by the authenticator
  * (via PIN, fingerprint, etc...)
@@ -28,7 +29,7 @@ const index_js_1 = require("../helpers/iso/index.js");
  * unless this value is `"required"`
  */
 async function verifyAuthenticationResponse(options) {
-    const { response, expectedChallenge, expectedOrigin, expectedRPID, authenticator, requireUserVerification = true, advancedFIDOConfig, } = options;
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, authenticator, requireUserVerification = true, advancedFIDOConfig, } = options;
     const { id, rawId, type: credentialType, response: assertionResponse } = response;
     // Ensure credential specified an ID
     if (!id) {
@@ -51,7 +52,18 @@ async function verifyAuthenticationResponse(options) {
     const clientDataJSON = (0, decodeClientDataJSON_js_1.decodeClientDataJSON)(assertionResponse.clientDataJSON);
     const { type, origin, challenge, tokenBinding } = clientDataJSON;
     // Make sure we're handling an authentication
-    if (type !== 'webauthn.get') {
+    if (Array.isArray(expectedType)) {
+        if (!expectedType.includes(type)) {
+            const joinedExpectedType = expectedType.join(', ');
+            throw new Error(`Unexpected authentication response type "${type}", expected one of: ${joinedExpectedType}`);
+        }
+    }
+    else if (expectedType) {
+        if (type !== expectedType) {
+            throw new Error(`Unexpected authentication response type "${type}", expected "${expectedType}"`);
+        }
+    }
+    else if (type !== 'webauthn.get') {
         throw new Error(`Unexpected authentication response type: ${type}`);
     }
     // Ensure the device provided the challenge we gave it

package/script/deps.d.ts

@@ -1,5 +1,5 @@
 export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/typescript-types';
-export * as cborx from 'cbor-x';
+export * as cborx from 'cbor-x/encode';
 export { default as base64 } from '@hexagon/base64';
 export { fetch as crossFetch } from 'cross-fetch';
 export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';

package/script/deps.js

@@ -28,7 +28,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.KeyDescription = exports.id_ce_keyDescription = exports.RSAPublicKey = exports.id_secp384r1 = exports.id_secp256r1 = exports.id_ecPublicKey = exports.ECParameters = exports.ECDSASigValue = exports.SubjectKeyIdentifier = exports.SubjectAlternativeName = exports.Name = exports.id_ce_subjectKeyIdentifier = exports.id_ce_subjectAltName = exports.id_ce_extKeyUsage = exports.id_ce_cRLDistributionPoints = exports.id_ce_basicConstraints = exports.id_ce_authorityKeyIdentifier = exports.ExtendedKeyUsage = exports.CRLDistributionPoints = exports.CertificateList = exports.Certificate = exports.BasicConstraints = exports.AuthorityKeyIdentifier = exports.AsnSerializer = exports.AsnParser = exports.crossFetch = exports.base64 = exports.cborx = void 0;
 // cbor (a.k.a. cbor-x in Node land)
-exports.cborx = __importStar(require("cbor-x"));
+exports.cborx = __importStar(require("cbor-x/encode"));
 // b64 (a.k.a. @hexagon/base64 in Node land)
 var base64_1 = require("@hexagon/base64");
 Object.defineProperty(exports, "base64", { enumerable: true, get: function () { return __importDefault(base64_1).default; } });

package/script/helpers/parseAuthenticatorData.js

@@ -37,6 +37,22 @@ function parseAuthenticatorData(authData) {
         const credIDLen = dataView.getUint16(pointer);
         pointer += 2;
         credentialID = authData.slice(pointer, pointer += credIDLen);
+        /**
+         * Firefox 117 incorrectly CBOR-encodes authData when EdDSA (-8) is used for the public key.
+         * A CBOR "Map of 3 items" (0xa3) should be "Map of 4 items" (0xa4), and if we manually adjust
+         * the single byte there's a good chance the authData can be correctly parsed.
+         *
+         * This browser release also incorrectly uses the string labels "OKP" and "Ed25519" instead of
+         * their integer representations for kty and crv respectively. That's why the COSE public key
+         * in the hex below looks so odd.
+         */
+        // Bytes decode to `{ 1: "OKP", 3: -8, -1: "Ed25519" }` (it's missing key -2 a.k.a. COSEKEYS.x)
+        const badEdDSACBOR = index_js_1.isoUint8Array.fromHex('a301634f4b500327206745643235353139');
+        const bytesAtCurrentPosition = authData.slice(pointer, pointer + badEdDSACBOR.byteLength);
+        if (index_js_1.isoUint8Array.areEqual(badEdDSACBOR, bytesAtCurrentPosition)) {
+            // Change the bad CBOR 0xa3 to 0xa4 so that the credential public key can be recognized
+            authData[pointer] = 0xa4;
+        }
         // Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
         const firstDecoded = index_js_1.isoCBOR.decodeFirst(authData.slice(pointer));
         const firstEncoded = Uint8Array.from(index_js_1.isoCBOR.encode(firstDecoded));

package/script/registration/verifyRegistrationResponse.d.ts

@@ -6,6 +6,7 @@ export type VerifyRegistrationResponseOpts = {
     expectedChallenge: string | ((challenge: string) => boolean | Promise<boolean>);
     expectedOrigin: string | string[];
     expectedRPID?: string | string[];
+    expectedType?: string | string[];
     requireUserVerification?: boolean;
     supportedAlgorithmIDs?: COSEAlgorithmIdentifier[];
 };
@@ -19,6 +20,7 @@ export type VerifyRegistrationResponseOpts = {
  * `generateRegistrationOptions()`
  * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
  * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType (Optional) The response type expected ('webauthn.create')
  * @param requireUserVerification (Optional) Enforce user verification by the authenticator
  * (via PIN, fingerprint, etc...)
  * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for

package/script/registration/verifyRegistrationResponse.js

@@ -29,13 +29,14 @@ const verifyAttestationApple_js_1 = require("./verifications/verifyAttestationAp
  * `generateRegistrationOptions()`
  * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
  * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType (Optional) The response type expected ('webauthn.create')
  * @param requireUserVerification (Optional) Enforce user verification by the authenticator
  * (via PIN, fingerprint, etc...)
  * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
  * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
  */
 async function verifyRegistrationResponse(options) {
-    const { response, expectedChallenge, expectedOrigin, expectedRPID, requireUserVerification = true, supportedAlgorithmIDs = generateRegistrationOptions_js_1.supportedCOSEAlgorithmIdentifiers, } = options;
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, requireUserVerification = true, supportedAlgorithmIDs = generateRegistrationOptions_js_1.supportedCOSEAlgorithmIdentifiers, } = options;
     const { id, rawId, type: credentialType, response: attestationResponse } = response;
     // Ensure credential specified an ID
     if (!id) {
@@ -52,7 +53,18 @@ async function verifyRegistrationResponse(options) {
     const clientDataJSON = (0, decodeClientDataJSON_js_1.decodeClientDataJSON)(attestationResponse.clientDataJSON);
     const { type, origin, challenge, tokenBinding } = clientDataJSON;
     // Make sure we're handling an registration
-    if (type !== 'webauthn.create') {
+    if (Array.isArray(expectedType)) {
+        if (!expectedType.includes(type)) {
+            const joinedExpectedType = expectedType.join(', ');
+            throw new Error(`Unexpected registration response type "${type}", expected one of: ${joinedExpectedType}`);
+        }
+    }
+    else if (expectedType) {
+        if (type !== expectedType) {
+            throw new Error(`Unexpected registration response type "${type}", expected "${expectedType}"`);
+        }
+    }
+    else if (type !== 'webauthn.create') {
         throw new Error(`Unexpected registration response type: ${type}`);
     }
     // Ensure the device provided the challenge we gave it