@simplewebauthn/server 9.0.2 → 10.0.0

package/esm/registration/verifications/verifyAttestationAndroidSafetyNet.js

@@ -23,8 +23,8 @@ export async function verifyAttestationAndroidSafetyNet(options) {
     // Prepare to verify a JWT
     const jwt = isoUint8Array.toUTF8String(response);
     const jwtParts = jwt.split('.');
-    const HEADER = JSON.parse(isoBase64URL.toString(jwtParts[0]));
-    const PAYLOAD = JSON.parse(isoBase64URL.toString(jwtParts[1]));
+    const HEADER = JSON.parse(isoBase64URL.toUTF8String(jwtParts[0]));
+    const PAYLOAD = JSON.parse(isoBase64URL.toUTF8String(jwtParts[1]));
     const SIGNATURE = jwtParts[2];
     /**
      * START Verify PAYLOAD

package/esm/registration/verifyRegistrationResponse.d.ts

@@ -1,4 +1,4 @@
-import type { COSEAlgorithmIdentifier, CredentialDeviceType, RegistrationResponseJSON } from '../deps.js';
+import type { Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, RegistrationResponseJSON } from '../deps.js';
 import { AttestationFormat, AttestationStatement } from '../helpers/decodeAttestationObject.js';
 import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
 export type VerifyRegistrationResponseOpts = {
@@ -15,16 +15,13 @@ export type VerifyRegistrationResponseOpts = {
  *
  * **Options:**
  *
- * @param response Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
- * @param expectedChallenge The base64url-encoded `options.challenge` returned by
- * `generateRegistrationOptions()`
- * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
- * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
- * @param expectedType (Optional) The response type expected ('webauthn.create')
- * @param requireUserVerification (Optional) Enforce user verification by the authenticator
- * (via PIN, fingerprint, etc...)
- * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
- * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ * @param response - Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
+ * @param expectedChallenge - The base64url-encoded `options.challenge` returned by `generateRegistrationOptions()`
+ * @param expectedOrigin - Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID - RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType **(Optional)** - The response type expected ('webauthn.create')
+ * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
+ * @param supportedAlgorithmIDs **(Optional)** - Array of numeric COSE algorithm identifiers supported for attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms. Defaults to all supported algorithm IDs
  */
 export declare function verifyRegistrationResponse(options: VerifyRegistrationResponseOpts): Promise<VerifiedRegistrationResponse>;
 /**
@@ -59,7 +56,7 @@ export type VerifiedRegistrationResponse = {
         fmt: AttestationFormat;
         counter: number;
         aaguid: string;
-        credentialID: Uint8Array;
+        credentialID: Base64URLString;
         credentialPublicKey: Uint8Array;
         credentialType: 'public-key';
         attestationObject: Uint8Array;

package/esm/registration/verifyRegistrationResponse.js

@@ -21,16 +21,13 @@ import { verifyAttestationApple } from './verifications/verifyAttestationApple.j
  *
  * **Options:**
  *
- * @param response Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
- * @param expectedChallenge The base64url-encoded `options.challenge` returned by
- * `generateRegistrationOptions()`
- * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
- * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
- * @param expectedType (Optional) The response type expected ('webauthn.create')
- * @param requireUserVerification (Optional) Enforce user verification by the authenticator
- * (via PIN, fingerprint, etc...)
- * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
- * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ * @param response - Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
+ * @param expectedChallenge - The base64url-encoded `options.challenge` returned by `generateRegistrationOptions()`
+ * @param expectedOrigin - Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID - RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType **(Optional)** - The response type expected ('webauthn.create')
+ * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
+ * @param supportedAlgorithmIDs **(Optional)** - Array of numeric COSE algorithm identifiers supported for attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms. Defaults to all supported algorithm IDs
  */
 export async function verifyRegistrationResponse(options) {
     const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, requireUserVerification = true, supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers, } = options;
@@ -194,7 +191,7 @@ export async function verifyRegistrationResponse(options) {
             fmt,
             counter,
             aaguid: convertAAGUIDToString(aaguid),
-            credentialID,
+            credentialID: isoBase64URL.fromBuffer(credentialID),
             credentialPublicKey,
             credentialType,
             attestationObject,

package/package.json

@@ -2,7 +2,7 @@
   "module": "./esm/index.js",
   "main": "./script/index.js",
   "name": "@simplewebauthn/server",
-  "version": "9.0.2",
+  "version": "10.0.0",
   "description": "SimpleWebAuthn for Servers",
   "license": "MIT",
   "author": "Matthew Miller <matthew@millerti.me>",
@@ -16,7 +16,7 @@
     "access": "public"
   },
   "engines": {
-    "node": ">=16.0.0"
+    "node": ">=20.0.0"
   },
   "bugs": {
     "url": "https://github.com/MasterKale/SimpleWebAuthn/issues"
@@ -50,13 +50,13 @@
   },
   "dependencies": {
     "@hexagon/base64": "^1.1.27",
+    "@levischuck/tiny-cbor": "^0.2.2",
     "@peculiar/asn1-android": "^2.3.10",
     "@peculiar/asn1-ecc": "^2.3.8",
     "@peculiar/asn1-rsa": "^2.3.8",
     "@peculiar/asn1-schema": "^2.3.8",
     "@peculiar/asn1-x509": "^2.3.8",
-    "@simplewebauthn/types": "^9.0.1",
-    "cbor-x": "^1.5.2",
+    "@simplewebauthn/types": "^10.0.0",
     "cross-fetch": "^4.0.0"
   },
   "devDependencies": {

package/script/authentication/generateAuthenticationOptions.d.ts

@@ -1,23 +1,25 @@
-import type { AuthenticationExtensionsClientInputs, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialRequestOptionsJSON, UserVerificationRequirement } from '../deps.js';
+import type { AuthenticationExtensionsClientInputs, AuthenticatorTransportFuture, Base64URLString, PublicKeyCredentialRequestOptionsJSON, UserVerificationRequirement } from '../deps.js';
 export type GenerateAuthenticationOptionsOpts = {
-    allowCredentials?: PublicKeyCredentialDescriptorFuture[];
+    rpID: string;
+    allowCredentials?: {
+        id: Base64URLString;
+        transports?: AuthenticatorTransportFuture[];
+    }[];
     challenge?: string | Uint8Array;
     timeout?: number;
     userVerification?: UserVerificationRequirement;
     extensions?: AuthenticationExtensionsClientInputs;
-    rpID?: string;
 };
 /**
- * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
+ * Prepare a value to pass into navigator.credentials.get(...) for authenticator authentication
  *
- * @param allowCredentials Authenticators previously registered by the user, if any. If undefined
- * the client will ask the user which credential they want to use
- * @param challenge Random value the authenticator needs to sign and pass back
- * user for authentication
- * @param timeout How long (in ms) the user can take to complete authentication
- * @param userVerification Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise
- * set to `'preferred'` or `'required'` as desired.
- * @param extensions Additional plugins the authenticator or browser should use during authentication
- * @param rpID Valid domain name (after `https://`)
+ * **Options:**
+ *
+ * @param rpID - Valid domain name (after `https://`)
+ * @param allowCredentials **(Optional)** - Authenticators previously registered by the user, if any. If undefined the client will ask the user which credential they want to use
+ * @param challenge **(Optional)** - Random value the authenticator needs to sign and pass back user for authentication. Defaults to generating a random value
+ * @param timeout **(Optional)** - How long (in ms) the user can take to complete authentication. Defaults to `60000`
+ * @param userVerification **(Optional)** - Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise set to `'preferred'` or `'required'` as desired. Defaults to `"preferred"`
+ * @param extensions **(Optional)** - Additional plugins the authenticator or browser should use during authentication
  */
-export declare function generateAuthenticationOptions(options?: GenerateAuthenticationOptionsOpts): Promise<PublicKeyCredentialRequestOptionsJSON>;
+export declare function generateAuthenticationOptions(options: GenerateAuthenticationOptionsOpts): Promise<PublicKeyCredentialRequestOptionsJSON>;

package/script/authentication/generateAuthenticationOptions.js

@@ -4,19 +4,18 @@ exports.generateAuthenticationOptions = void 0;
 const index_js_1 = require("../helpers/iso/index.js");
 const generateChallenge_js_1 = require("../helpers/generateChallenge.js");
 /**
- * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
+ * Prepare a value to pass into navigator.credentials.get(...) for authenticator authentication
  *
- * @param allowCredentials Authenticators previously registered by the user, if any. If undefined
- * the client will ask the user which credential they want to use
- * @param challenge Random value the authenticator needs to sign and pass back
- * user for authentication
- * @param timeout How long (in ms) the user can take to complete authentication
- * @param userVerification Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise
- * set to `'preferred'` or `'required'` as desired.
- * @param extensions Additional plugins the authenticator or browser should use during authentication
- * @param rpID Valid domain name (after `https://`)
+ * **Options:**
+ *
+ * @param rpID - Valid domain name (after `https://`)
+ * @param allowCredentials **(Optional)** - Authenticators previously registered by the user, if any. If undefined the client will ask the user which credential they want to use
+ * @param challenge **(Optional)** - Random value the authenticator needs to sign and pass back user for authentication. Defaults to generating a random value
+ * @param timeout **(Optional)** - How long (in ms) the user can take to complete authentication. Defaults to `60000`
+ * @param userVerification **(Optional)** - Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise set to `'preferred'` or `'required'` as desired. Defaults to `"preferred"`
+ * @param extensions **(Optional)** - Additional plugins the authenticator or browser should use during authentication
  */
-async function generateAuthenticationOptions(options = {}) {
+async function generateAuthenticationOptions(options) {
     const { allowCredentials, challenge = await (0, generateChallenge_js_1.generateChallenge)(), timeout = 60000, userVerification = 'preferred', extensions, rpID, } = options;
     /**
      * Preserve ability to specify `string` values for challenges
@@ -26,15 +25,21 @@ async function generateAuthenticationOptions(options = {}) {
         _challenge = index_js_1.isoUint8Array.fromUTF8String(_challenge);
     }
     return {
+        rpId: rpID,
         challenge: index_js_1.isoBase64URL.fromBuffer(_challenge),
-        allowCredentials: allowCredentials?.map((cred) => ({
-            ...cred,
-            id: index_js_1.isoBase64URL.fromBuffer(cred.id),
-        })),
+        allowCredentials: allowCredentials?.map((cred) => {
+            if (!index_js_1.isoBase64URL.isBase64URL(cred.id)) {
+                throw new Error(`excludeCredential id "${cred.id}" is not a valid base64url string`);
+            }
+            return {
+                ...cred,
+                id: index_js_1.isoBase64URL.trimPadding(cred.id),
+                type: 'public-key',
+            };
+        }),
         timeout,
         userVerification,
         extensions,
-        rpId: rpID,
     };
 }
 exports.generateAuthenticationOptions = generateAuthenticationOptions;

package/script/authentication/verifyAuthenticationResponse.d.ts

@@ -1,36 +1,31 @@
-import type { AuthenticationResponseJSON, AuthenticatorDevice, CredentialDeviceType, UserVerificationRequirement } from '../deps.js';
+import type { AuthenticationResponseJSON, AuthenticatorDevice, Base64URLString, CredentialDeviceType, UserVerificationRequirement } from '../deps.js';
 import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
 export type VerifyAuthenticationResponseOpts = {
     response: AuthenticationResponseJSON;
     expectedChallenge: string | ((challenge: string) => boolean | Promise<boolean>);
     expectedOrigin: string | string[];
     expectedRPID: string | string[];
-    expectedType?: string | string[];
     authenticator: AuthenticatorDevice;
+    expectedType?: string | string[];
     requireUserVerification?: boolean;
     advancedFIDOConfig?: {
         userVerification?: UserVerificationRequirement;
     };
 };
 /**
- * Verify that the user has legitimately completed the login process
+ * Verify that the user has legitimately completed the authentication process
  *
  * **Options:**
  *
- * @param response Response returned by **@simplewebauthn/browser**'s `startAssertion()`
- * @param expectedChallenge The base64url-encoded `options.challenge` returned by
- * `generateAuthenticationOptions()`
- * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
- * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
- * @param expectedType (Optional) The response type expected ('webauthn.get')
- * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
- * @param requireUserVerification (Optional) Enforce user verification by the authenticator
- * (via PIN, fingerprint, etc...)
- * @param advancedFIDOConfig (Optional) Options for satisfying more stringent FIDO RP feature
- * requirements
- * @param advancedFIDOConfig.userVerification (Optional) Enable alternative rules for evaluating the
- * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
- * unless this value is `"required"`
+ * @param response - Response returned by **@simplewebauthn/browser**'s `startAssertion()`
+ * @param expectedChallenge - The base64url-encoded `options.challenge` returned by `generateAuthenticationOptions()`
+ * @param expectedOrigin - Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID - RP ID (or array of IDs) that was specified in the registration options
+ * @param authenticator - An internal {@link AuthenticatorDevice} matching the credential's ID
+ * @param expectedType **(Optional)** - The response type expected ('webauthn.get')
+ * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
+ * @param advancedFIDOConfig **(Optional)** - Options for satisfying more stringent FIDO RP feature requirements
+ * @param advancedFIDOConfig.userVerification **(Optional)** - Enable alternative rules for evaluating the User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional unless this value is `"required"`
  */
 export declare function verifyAuthenticationResponse(options: VerifyAuthenticationResponseOpts): Promise<VerifiedAuthenticationResponse>;
 /**
@@ -56,7 +51,7 @@ export declare function verifyAuthenticationResponse(options: VerifyAuthenticati
 export type VerifiedAuthenticationResponse = {
     verified: boolean;
     authenticationInfo: {
-        credentialID: Uint8Array;
+        credentialID: Base64URLString;
         newCounter: number;
         userVerified: boolean;
         credentialDeviceType: CredentialDeviceType;

package/script/authentication/verifyAuthenticationResponse.js

@@ -9,24 +9,19 @@ const parseBackupFlags_js_1 = require("../helpers/parseBackupFlags.js");
 const matchExpectedRPID_js_1 = require("../helpers/matchExpectedRPID.js");
 const index_js_1 = require("../helpers/iso/index.js");
 /**
- * Verify that the user has legitimately completed the login process
+ * Verify that the user has legitimately completed the authentication process
  *
  * **Options:**
  *
- * @param response Response returned by **@simplewebauthn/browser**'s `startAssertion()`
- * @param expectedChallenge The base64url-encoded `options.challenge` returned by
- * `generateAuthenticationOptions()`
- * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
- * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
- * @param expectedType (Optional) The response type expected ('webauthn.get')
- * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
- * @param requireUserVerification (Optional) Enforce user verification by the authenticator
- * (via PIN, fingerprint, etc...)
- * @param advancedFIDOConfig (Optional) Options for satisfying more stringent FIDO RP feature
- * requirements
- * @param advancedFIDOConfig.userVerification (Optional) Enable alternative rules for evaluating the
- * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
- * unless this value is `"required"`
+ * @param response - Response returned by **@simplewebauthn/browser**'s `startAssertion()`
+ * @param expectedChallenge - The base64url-encoded `options.challenge` returned by `generateAuthenticationOptions()`
+ * @param expectedOrigin - Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID - RP ID (or array of IDs) that was specified in the registration options
+ * @param authenticator - An internal {@link AuthenticatorDevice} matching the credential's ID
+ * @param expectedType **(Optional)** - The response type expected ('webauthn.get')
+ * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
+ * @param advancedFIDOConfig **(Optional)** - Options for satisfying more stringent FIDO RP feature requirements
+ * @param advancedFIDOConfig.userVerification **(Optional)** - Enable alternative rules for evaluating the User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional unless this value is `"required"`
  */
 async function verifyAuthenticationResponse(options) {
     const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, authenticator, requireUserVerification = true, advancedFIDOConfig, } = options;
@@ -87,10 +82,10 @@ async function verifyAuthenticationResponse(options) {
             throw new Error(`Unexpected authentication response origin "${origin}", expected "${expectedOrigin}"`);
         }
     }
-    if (!index_js_1.isoBase64URL.isBase64url(assertionResponse.authenticatorData)) {
+    if (!index_js_1.isoBase64URL.isBase64URL(assertionResponse.authenticatorData)) {
         throw new Error('Credential response authenticatorData was not a base64url string');
     }
-    if (!index_js_1.isoBase64URL.isBase64url(assertionResponse.signature)) {
+    if (!index_js_1.isoBase64URL.isBase64URL(assertionResponse.signature)) {
         throw new Error('Credential response signature was not a base64url string');
     }
     if (assertionResponse.userHandle &&

package/script/deps.d.ts

@@ -1,5 +1,5 @@
-export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/types';
-export * as cborx from 'cbor-x/index-no-eval';
+export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, AuthenticatorTransportFuture, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/types';
+export * as tinyCbor from '@levischuck/tiny-cbor';
 export { default as base64 } from '@hexagon/base64';
 export { fetch as crossFetch } from 'cross-fetch';
 export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';

package/script/deps.js

@@ -26,9 +26,9 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.KeyDescription = exports.id_ce_keyDescription = exports.RSAPublicKey = exports.id_secp384r1 = exports.id_secp256r1 = exports.id_ecPublicKey = exports.ECParameters = exports.ECDSASigValue = exports.SubjectKeyIdentifier = exports.SubjectAlternativeName = exports.Name = exports.id_ce_subjectKeyIdentifier = exports.id_ce_subjectAltName = exports.id_ce_extKeyUsage = exports.id_ce_cRLDistributionPoints = exports.id_ce_basicConstraints = exports.id_ce_authorityKeyIdentifier = exports.ExtendedKeyUsage = exports.CRLDistributionPoints = exports.CertificateList = exports.Certificate = exports.BasicConstraints = exports.AuthorityKeyIdentifier = exports.AsnSerializer = exports.AsnParser = exports.crossFetch = exports.base64 = exports.cborx = void 0;
-// cbor (a.k.a. cbor-x in Node land)
-exports.cborx = __importStar(require("cbor-x/index-no-eval"));
+exports.KeyDescription = exports.id_ce_keyDescription = exports.RSAPublicKey = exports.id_secp384r1 = exports.id_secp256r1 = exports.id_ecPublicKey = exports.ECParameters = exports.ECDSASigValue = exports.SubjectKeyIdentifier = exports.SubjectAlternativeName = exports.Name = exports.id_ce_subjectKeyIdentifier = exports.id_ce_subjectAltName = exports.id_ce_extKeyUsage = exports.id_ce_cRLDistributionPoints = exports.id_ce_basicConstraints = exports.id_ce_authorityKeyIdentifier = exports.ExtendedKeyUsage = exports.CRLDistributionPoints = exports.CertificateList = exports.Certificate = exports.BasicConstraints = exports.AuthorityKeyIdentifier = exports.AsnSerializer = exports.AsnParser = exports.crossFetch = exports.base64 = exports.tinyCbor = void 0;
+// tiny_cbor (a.k.a. tiny-cbor in Node land)
+exports.tinyCbor = __importStar(require("@levischuck/tiny-cbor"));
 // b64 (a.k.a. @hexagon/base64 in Node land)
 var base64_1 = require("@hexagon/base64");
 Object.defineProperty(exports, "base64", { enumerable: true, get: function () { return __importDefault(base64_1).default; } });

package/script/helpers/convertCertBufferToPEM.js

@@ -11,7 +11,7 @@ function convertCertBufferToPEM(certBuffer) {
      * Get certBuffer to a base64 representation
      */
     if (typeof certBuffer === 'string') {
-        if (index_js_1.isoBase64URL.isBase64url(certBuffer)) {
+        if (index_js_1.isoBase64URL.isBase64URL(certBuffer)) {
             b64cert = index_js_1.isoBase64URL.toBase64(certBuffer);
         }
         else if (index_js_1.isoBase64URL.isBase64(certBuffer)) {

package/script/helpers/decodeClientDataJSON.d.ts

@@ -1,7 +1,8 @@
+import type { Base64URLString } from '../deps.js';
 /**
  * Decode an authenticator's base64url-encoded clientDataJSON to JSON
  */
-export declare function decodeClientDataJSON(data: string): ClientDataJSON;
+export declare function decodeClientDataJSON(data: Base64URLString): ClientDataJSON;
 export type ClientDataJSON = {
     type: string;
     challenge: string;

package/script/helpers/decodeClientDataJSON.js

@@ -6,7 +6,7 @@ const index_js_1 = require("./iso/index.js");
  * Decode an authenticator's base64url-encoded clientDataJSON to JSON
  */
 function decodeClientDataJSON(data) {
-    const toString = index_js_1.isoBase64URL.toString(data);
+    const toString = index_js_1.isoBase64URL.toUTF8String(data);
     const clientData = JSON.parse(toString);
     return exports._decodeClientDataJSONInternals.stubThis(clientData);
 }

package/script/helpers/generateUserID.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Generate a suitably random value to be used as user ID
+ */
+export declare function generateUserID(): Promise<Uint8Array>;
+export declare const _generateUserIDInternals: {
+    stubThis: (value: Uint8Array) => Uint8Array;
+};

package/script/helpers/generateUserID.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._generateUserIDInternals = exports.generateUserID = void 0;
+const index_js_1 = require("./iso/index.js");
+/**
+ * Generate a suitably random value to be used as user ID
+ */
+async function generateUserID() {
+    /**
+     * WebAuthn spec says user.id has a max length of 64 bytes. I prefer how 32 random bytes look
+     * after they're base64url-encoded so I'm choosing to go with that here.
+     */
+    const newUserID = new Uint8Array(32);
+    await index_js_1.isoCrypto.getRandomValues(newUserID);
+    return exports._generateUserIDInternals.stubThis(newUserID);
+}
+exports.generateUserID = generateUserID;
+// Make it possible to stub the return value during testing
+exports._generateUserIDInternals = {
+    stubThis: (value) => value,
+};

package/script/helpers/index.d.ts

@@ -5,6 +5,7 @@ import { decodeAttestationObject } from './decodeAttestationObject.js';
 import { decodeClientDataJSON } from './decodeClientDataJSON.js';
 import { decodeCredentialPublicKey } from './decodeCredentialPublicKey.js';
 import { generateChallenge } from './generateChallenge.js';
+import { generateUserID } from './generateUserID.js';
 import { getCertificateInfo } from './getCertificateInfo.js';
 import { isCertRevoked } from './isCertRevoked.js';
 import { parseAuthenticatorData } from './parseAuthenticatorData.js';
@@ -13,7 +14,7 @@ import { validateCertificatePath } from './validateCertificatePath.js';
 import { verifySignature } from './verifySignature.js';
 import { isoBase64URL, isoCBOR, isoCrypto, isoUint8Array } from './iso/index.js';
 import * as cose from './cose.js';
-export { convertAAGUIDToString, convertCertBufferToPEM, convertCOSEtoPKCS, cose, decodeAttestationObject, decodeClientDataJSON, decodeCredentialPublicKey, generateChallenge, getCertificateInfo, isCertRevoked, isoBase64URL, isoCBOR, isoCrypto, isoUint8Array, parseAuthenticatorData, toHash, validateCertificatePath, verifySignature, };
+export { convertAAGUIDToString, convertCertBufferToPEM, convertCOSEtoPKCS, cose, decodeAttestationObject, decodeClientDataJSON, decodeCredentialPublicKey, generateChallenge, generateUserID, getCertificateInfo, isCertRevoked, isoBase64URL, isoCBOR, isoCrypto, isoUint8Array, parseAuthenticatorData, toHash, validateCertificatePath, verifySignature, };
 import type { AttestationFormat, AttestationObject, AttestationStatement } from './decodeAttestationObject.js';
 import type { CertificateInfo } from './getCertificateInfo.js';
 import type { ClientDataJSON } from './decodeClientDataJSON.js';

package/script/helpers/index.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifySignature = exports.validateCertificatePath = exports.toHash = exports.parseAuthenticatorData = exports.isoUint8Array = exports.isoCrypto = exports.isoCBOR = exports.isoBase64URL = exports.isCertRevoked = exports.getCertificateInfo = exports.generateChallenge = exports.decodeCredentialPublicKey = exports.decodeClientDataJSON = exports.decodeAttestationObject = exports.cose = exports.convertCOSEtoPKCS = exports.convertCertBufferToPEM = exports.convertAAGUIDToString = void 0;
+exports.verifySignature = exports.validateCertificatePath = exports.toHash = exports.parseAuthenticatorData = exports.isoUint8Array = exports.isoCrypto = exports.isoCBOR = exports.isoBase64URL = exports.isCertRevoked = exports.getCertificateInfo = exports.generateUserID = exports.generateChallenge = exports.decodeCredentialPublicKey = exports.decodeClientDataJSON = exports.decodeAttestationObject = exports.cose = exports.convertCOSEtoPKCS = exports.convertCertBufferToPEM = exports.convertAAGUIDToString = void 0;
 const convertAAGUIDToString_js_1 = require("./convertAAGUIDToString.js");
 Object.defineProperty(exports, "convertAAGUIDToString", { enumerable: true, get: function () { return convertAAGUIDToString_js_1.convertAAGUIDToString; } });
 const convertCertBufferToPEM_js_1 = require("./convertCertBufferToPEM.js");
@@ -38,6 +38,8 @@ const decodeCredentialPublicKey_js_1 = require("./decodeCredentialPublicKey.js")
 Object.defineProperty(exports, "decodeCredentialPublicKey", { enumerable: true, get: function () { return decodeCredentialPublicKey_js_1.decodeCredentialPublicKey; } });
 const generateChallenge_js_1 = require("./generateChallenge.js");
 Object.defineProperty(exports, "generateChallenge", { enumerable: true, get: function () { return generateChallenge_js_1.generateChallenge; } });
+const generateUserID_js_1 = require("./generateUserID.js");
+Object.defineProperty(exports, "generateUserID", { enumerable: true, get: function () { return generateUserID_js_1.generateUserID; } });
 const getCertificateInfo_js_1 = require("./getCertificateInfo.js");
 Object.defineProperty(exports, "getCertificateInfo", { enumerable: true, get: function () { return getCertificateInfo_js_1.getCertificateInfo; } });
 const isCertRevoked_js_1 = require("./isCertRevoked.js");

package/script/helpers/iso/isoBase64URL.d.ts

@@ -1,3 +1,4 @@
+import type { Base64URLString } from '../../deps.js';
 /**
  * Decode from a Base64URL-encoded string to an ArrayBuffer. Best used when converting a
  * credential ID from a JSON string to an ArrayBuffer, like in allowCredentials or
@@ -20,13 +21,13 @@ export declare function fromBuffer(buffer: Uint8Array, to?: 'base64' | 'base64ur
  */
 export declare function toBase64(base64urlString: string): string;
 /**
- * Encode a string to base64url
+ * Encode a UTF-8 string to base64url
  */
-export declare function fromString(ascii: string): string;
+export declare function fromUTF8String(utf8String: string): string;
 /**
- * Decode a base64url string into its original string
+ * Decode a base64url string into its original UTF-8 string
  */
-export declare function toString(base64urlString: string): string;
+export declare function toUTF8String(base64urlString: string): string;
 /**
  * Confirm that the string is encoded into base64
  */
@@ -34,4 +35,8 @@ export declare function isBase64(input: string): boolean;
 /**
  * Confirm that the string is encoded into base64url, with support for optional padding
  */
-export declare function isBase64url(input: string): boolean;
+export declare function isBase64URL(input: string): boolean;
+/**
+ * Remove optional padding from a base64url-encoded string
+ */
+export declare function trimPadding(input: Base64URLString): Base64URLString;

package/script/helpers/iso/isoBase64URL.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBase64url = exports.isBase64 = exports.toString = exports.fromString = exports.toBase64 = exports.fromBuffer = exports.toBuffer = void 0;
+exports.trimPadding = exports.isBase64URL = exports.isBase64 = exports.toUTF8String = exports.fromUTF8String = exports.toBase64 = exports.fromBuffer = exports.toBuffer = void 0;
 const deps_js_1 = require("../../deps.js");
 /**
  * Decode from a Base64URL-encoded string to an ArrayBuffer. Best used when converting a
@@ -36,19 +36,19 @@ function toBase64(base64urlString) {
 }
 exports.toBase64 = toBase64;
 /**
- * Encode a string to base64url
+ * Encode a UTF-8 string to base64url
  */
-function fromString(ascii) {
-    return deps_js_1.base64.fromString(ascii, true);
+function fromUTF8String(utf8String) {
+    return deps_js_1.base64.fromString(utf8String, true);
 }
-exports.fromString = fromString;
+exports.fromUTF8String = fromUTF8String;
 /**
- * Decode a base64url string into its original string
+ * Decode a base64url string into its original UTF-8 string
  */
-function toString(base64urlString) {
+function toUTF8String(base64urlString) {
     return deps_js_1.base64.toString(base64urlString, true);
 }
-exports.toString = toString;
+exports.toUTF8String = toUTF8String;
 /**
  * Confirm that the string is encoded into base64
  */
@@ -59,9 +59,16 @@ exports.isBase64 = isBase64;
 /**
  * Confirm that the string is encoded into base64url, with support for optional padding
  */
-function isBase64url(input) {
+function isBase64URL(input) {
     // Trim padding characters from the string if present
-    input = input.replace(/=/g, '');
+    input = trimPadding(input);
     return deps_js_1.base64.validate(input, true);
 }
-exports.isBase64url = isBase64url;
+exports.isBase64URL = isBase64URL;
+/**
+ * Remove optional padding from a base64url-encoded string
+ */
+function trimPadding(input) {
+    return input.replace(/=/g, '');
+}
+exports.trimPadding = trimPadding;

package/script/helpers/iso/isoCBOR.d.ts

@@ -1,3 +1,14 @@
+import { tinyCbor } from '../../deps.js';
+/**
+ * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded
+ *
+ * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use:
+ * - CBOR Map type values MUST decode to JavaScript Maps
+ * - CBOR tag 64 (uint8 Typed Array) MUST NOT be used when encoding Uint8Arrays back to CBOR
+ *
+ * So long as these requirements are maintained, then CBOR sequences can be encoded and decoded
+ * freely while maintaining their lengths for the most accurate pointer movement across them.
+ */
 /**
  * Decode and return the first item in a sequence of CBOR-encoded values
  *
@@ -9,4 +20,4 @@ export declare function decodeFirst<Type>(input: Uint8Array): Type;
 /**
  * Encode data to CBOR
  */
-export declare function encode(input: unknown): Uint8Array;
+export declare function encode(input: tinyCbor.CBORType): Uint8Array;

package/script/helpers/iso/isoCBOR.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.encode = exports.decodeFirst = void 0;
 const deps_js_1 = require("../../deps.js");
 /**
- * This encoder should keep CBOR data the same length when data is re-encoded
+ * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded
  *
  * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use:
  * - CBOR Map type values MUST decode to JavaScript Maps
@@ -12,10 +12,6 @@ const deps_js_1 = require("../../deps.js");
  * So long as these requirements are maintained, then CBOR sequences can be encoded and decoded
  * freely while maintaining their lengths for the most accurate pointer movement across them.
  */
-const encoder = new deps_js_1.cborx.Encoder({
-    mapsAsObjects: false,
-    tagUint8Array: false,
-});
 /**
  * Decode and return the first item in a sequence of CBOR-encoded values
  *
@@ -26,16 +22,7 @@ const encoder = new deps_js_1.cborx.Encoder({
 function decodeFirst(input) {
     // Make a copy so we don't mutate the original
     const _input = new Uint8Array(input);
-    const decoded = encoder.decodeMultiple(_input);
-    if (decoded === undefined) {
-        throw new Error('CBOR input data was empty');
-    }
-    /**
-     * Typing on `decoded` is `void | []` which causes TypeScript to think that it's an empty array,
-     * and thus you can't destructure it. I'm ignoring that because the code works fine in JS, and
-     * so this should be a valid operation.
-     */
-    // @ts-ignore 2493
+    const decoded = deps_js_1.tinyCbor.decodePartialCBOR(_input, 0);
     const [first] = decoded;
     return first;
 }
@@ -44,6 +31,6 @@ exports.decodeFirst = decodeFirst;
  * Encode data to CBOR
  */
 function encode(input) {
-    return encoder.encode(input);
+    return deps_js_1.tinyCbor.encodeCBOR(input);
 }
 exports.encode = encode;