@simplewebauthn/server 9.0.2 → 9.0.3

package/esm/deps.d.ts

@@ -1,5 +1,5 @@
 export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/types';
-export * as cborx from 'cbor-x/index-no-eval';
+export * as tinyCbor from '@levischuck/tiny-cbor';
 export { default as base64 } from '@hexagon/base64';
 export { fetch as crossFetch } from 'cross-fetch';
 export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';

package/esm/deps.js

@@ -1,5 +1,5 @@
-// cbor (a.k.a. cbor-x in Node land)
-export * as cborx from 'cbor-x/index-no-eval';
+// tiny_cbor (a.k.a. tiny-cbor in Node land)
+export * as tinyCbor from '@levischuck/tiny-cbor';
 // b64 (a.k.a. @hexagon/base64 in Node land)
 export { default as base64 } from '@hexagon/base64';
 // cross-fetch

package/esm/helpers/iso/isoCBOR.d.ts

@@ -1,3 +1,14 @@
+import { tinyCbor } from '../../deps.js';
+/**
+ * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded
+ *
+ * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use:
+ * - CBOR Map type values MUST decode to JavaScript Maps
+ * - CBOR tag 64 (uint8 Typed Array) MUST NOT be used when encoding Uint8Arrays back to CBOR
+ *
+ * So long as these requirements are maintained, then CBOR sequences can be encoded and decoded
+ * freely while maintaining their lengths for the most accurate pointer movement across them.
+ */
 /**
  * Decode and return the first item in a sequence of CBOR-encoded values
  *
@@ -9,4 +20,4 @@ export declare function decodeFirst<Type>(input: Uint8Array): Type;
 /**
  * Encode data to CBOR
  */
-export declare function encode(input: unknown): Uint8Array;
+export declare function encode(input: tinyCbor.CBORType): Uint8Array;

package/esm/helpers/iso/isoCBOR.js

@@ -1,6 +1,6 @@
-import { cborx } from '../../deps.js';
+import { tinyCbor } from '../../deps.js';
 /**
- * This encoder should keep CBOR data the same length when data is re-encoded
+ * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded
  *
  * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use:
  * - CBOR Map type values MUST decode to JavaScript Maps
@@ -9,10 +9,6 @@ import { cborx } from '../../deps.js';
  * So long as these requirements are maintained, then CBOR sequences can be encoded and decoded
  * freely while maintaining their lengths for the most accurate pointer movement across them.
  */
-const encoder = new cborx.Encoder({
-    mapsAsObjects: false,
-    tagUint8Array: false,
-});
 /**
  * Decode and return the first item in a sequence of CBOR-encoded values
  *
@@ -23,16 +19,7 @@ const encoder = new cborx.Encoder({
 export function decodeFirst(input) {
     // Make a copy so we don't mutate the original
     const _input = new Uint8Array(input);
-    const decoded = encoder.decodeMultiple(_input);
-    if (decoded === undefined) {
-        throw new Error('CBOR input data was empty');
-    }
-    /**
-     * Typing on `decoded` is `void | []` which causes TypeScript to think that it's an empty array,
-     * and thus you can't destructure it. I'm ignoring that because the code works fine in JS, and
-     * so this should be a valid operation.
-     */
-    // @ts-ignore 2493
+    const decoded = tinyCbor.decodePartialCBOR(_input, 0);
     const [first] = decoded;
     return first;
 }
@@ -40,5 +27,5 @@ export function decodeFirst(input) {
  * Encode data to CBOR
  */
 export function encode(input) {
-    return encoder.encode(input);
+    return tinyCbor.encodeCBOR(input);
 }

package/esm/helpers/parseAuthenticatorData.js

@@ -54,7 +54,16 @@ export function parseAuthenticatorData(authData) {
         }
         // Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
         const firstDecoded = isoCBOR.decodeFirst(authData.slice(pointer));
-        const firstEncoded = Uint8Array.from(isoCBOR.encode(firstDecoded));
+        const firstEncoded = Uint8Array.from(
+        /**
+         * Casting to `Map` via `as unknown` here because TS doesn't make it possible to define Maps
+         * with discrete keys and properties with known types per pair, and CBOR libs typically parse
+         * CBOR Major Type 5 to `Map` because you can have numbers for keys. A `COSEPublicKey` can be
+         * generalized as "a Map with numbers for keys and either numbers or bytes for values" though.
+         * If this presumption falls apart then other parts of verification later on will fail so we
+         * should be safe doing this here.
+         */
+        isoCBOR.encode(firstDecoded));
         if (foundBadCBOR) {
             // Restore the bit we changed so that `authData` is the same as it came in and won't break
             // signature verification.

package/package.json

@@ -2,7 +2,7 @@
   "module": "./esm/index.js",
   "main": "./script/index.js",
   "name": "@simplewebauthn/server",
-  "version": "9.0.2",
+  "version": "9.0.3",
   "description": "SimpleWebAuthn for Servers",
   "license": "MIT",
   "author": "Matthew Miller <matthew@millerti.me>",
@@ -50,13 +50,13 @@
   },
   "dependencies": {
     "@hexagon/base64": "^1.1.27",
+    "@levischuck/tiny-cbor": "^0.2.2",
     "@peculiar/asn1-android": "^2.3.10",
     "@peculiar/asn1-ecc": "^2.3.8",
     "@peculiar/asn1-rsa": "^2.3.8",
     "@peculiar/asn1-schema": "^2.3.8",
     "@peculiar/asn1-x509": "^2.3.8",
     "@simplewebauthn/types": "^9.0.1",
-    "cbor-x": "^1.5.2",
     "cross-fetch": "^4.0.0"
   },
   "devDependencies": {

package/script/deps.d.ts

@@ -1,5 +1,5 @@
 export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/types';
-export * as cborx from 'cbor-x/index-no-eval';
+export * as tinyCbor from '@levischuck/tiny-cbor';
 export { default as base64 } from '@hexagon/base64';
 export { fetch as crossFetch } from 'cross-fetch';
 export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';

package/script/deps.js

@@ -26,9 +26,9 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.KeyDescription = exports.id_ce_keyDescription = exports.RSAPublicKey = exports.id_secp384r1 = exports.id_secp256r1 = exports.id_ecPublicKey = exports.ECParameters = exports.ECDSASigValue = exports.SubjectKeyIdentifier = exports.SubjectAlternativeName = exports.Name = exports.id_ce_subjectKeyIdentifier = exports.id_ce_subjectAltName = exports.id_ce_extKeyUsage = exports.id_ce_cRLDistributionPoints = exports.id_ce_basicConstraints = exports.id_ce_authorityKeyIdentifier = exports.ExtendedKeyUsage = exports.CRLDistributionPoints = exports.CertificateList = exports.Certificate = exports.BasicConstraints = exports.AuthorityKeyIdentifier = exports.AsnSerializer = exports.AsnParser = exports.crossFetch = exports.base64 = exports.cborx = void 0;
-// cbor (a.k.a. cbor-x in Node land)
-exports.cborx = __importStar(require("cbor-x/index-no-eval"));
+exports.KeyDescription = exports.id_ce_keyDescription = exports.RSAPublicKey = exports.id_secp384r1 = exports.id_secp256r1 = exports.id_ecPublicKey = exports.ECParameters = exports.ECDSASigValue = exports.SubjectKeyIdentifier = exports.SubjectAlternativeName = exports.Name = exports.id_ce_subjectKeyIdentifier = exports.id_ce_subjectAltName = exports.id_ce_extKeyUsage = exports.id_ce_cRLDistributionPoints = exports.id_ce_basicConstraints = exports.id_ce_authorityKeyIdentifier = exports.ExtendedKeyUsage = exports.CRLDistributionPoints = exports.CertificateList = exports.Certificate = exports.BasicConstraints = exports.AuthorityKeyIdentifier = exports.AsnSerializer = exports.AsnParser = exports.crossFetch = exports.base64 = exports.tinyCbor = void 0;
+// tiny_cbor (a.k.a. tiny-cbor in Node land)
+exports.tinyCbor = __importStar(require("@levischuck/tiny-cbor"));
 // b64 (a.k.a. @hexagon/base64 in Node land)
 var base64_1 = require("@hexagon/base64");
 Object.defineProperty(exports, "base64", { enumerable: true, get: function () { return __importDefault(base64_1).default; } });

package/script/helpers/iso/isoCBOR.d.ts

@@ -1,3 +1,14 @@
+import { tinyCbor } from '../../deps.js';
+/**
+ * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded
+ *
+ * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use:
+ * - CBOR Map type values MUST decode to JavaScript Maps
+ * - CBOR tag 64 (uint8 Typed Array) MUST NOT be used when encoding Uint8Arrays back to CBOR
+ *
+ * So long as these requirements are maintained, then CBOR sequences can be encoded and decoded
+ * freely while maintaining their lengths for the most accurate pointer movement across them.
+ */
 /**
  * Decode and return the first item in a sequence of CBOR-encoded values
  *
@@ -9,4 +20,4 @@ export declare function decodeFirst<Type>(input: Uint8Array): Type;
 /**
  * Encode data to CBOR
  */
-export declare function encode(input: unknown): Uint8Array;
+export declare function encode(input: tinyCbor.CBORType): Uint8Array;

package/script/helpers/iso/isoCBOR.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.encode = exports.decodeFirst = void 0;
 const deps_js_1 = require("../../deps.js");
 /**
- * This encoder should keep CBOR data the same length when data is re-encoded
+ * Whatever CBOR encoder is used should keep CBOR data the same length when data is re-encoded
  *
  * MOST CRITICALLY, this means the following needs to be true of whatever CBOR library we use:
  * - CBOR Map type values MUST decode to JavaScript Maps
@@ -12,10 +12,6 @@ const deps_js_1 = require("../../deps.js");
  * So long as these requirements are maintained, then CBOR sequences can be encoded and decoded
  * freely while maintaining their lengths for the most accurate pointer movement across them.
  */
-const encoder = new deps_js_1.cborx.Encoder({
-    mapsAsObjects: false,
-    tagUint8Array: false,
-});
 /**
  * Decode and return the first item in a sequence of CBOR-encoded values
  *
@@ -26,16 +22,7 @@ const encoder = new deps_js_1.cborx.Encoder({
 function decodeFirst(input) {
     // Make a copy so we don't mutate the original
     const _input = new Uint8Array(input);
-    const decoded = encoder.decodeMultiple(_input);
-    if (decoded === undefined) {
-        throw new Error('CBOR input data was empty');
-    }
-    /**
-     * Typing on `decoded` is `void | []` which causes TypeScript to think that it's an empty array,
-     * and thus you can't destructure it. I'm ignoring that because the code works fine in JS, and
-     * so this should be a valid operation.
-     */
-    // @ts-ignore 2493
+    const decoded = deps_js_1.tinyCbor.decodePartialCBOR(_input, 0);
     const [first] = decoded;
     return first;
 }
@@ -44,6 +31,6 @@ exports.decodeFirst = decodeFirst;
  * Encode data to CBOR
  */
 function encode(input) {
-    return encoder.encode(input);
+    return deps_js_1.tinyCbor.encodeCBOR(input);
 }
 exports.encode = encode;

package/script/helpers/parseAuthenticatorData.js

@@ -57,7 +57,16 @@ function parseAuthenticatorData(authData) {
         }
         // Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
         const firstDecoded = index_js_1.isoCBOR.decodeFirst(authData.slice(pointer));
-        const firstEncoded = Uint8Array.from(index_js_1.isoCBOR.encode(firstDecoded));
+        const firstEncoded = Uint8Array.from(
+        /**
+         * Casting to `Map` via `as unknown` here because TS doesn't make it possible to define Maps
+         * with discrete keys and properties with known types per pair, and CBOR libs typically parse
+         * CBOR Major Type 5 to `Map` because you can have numbers for keys. A `COSEPublicKey` can be
+         * generalized as "a Map with numbers for keys and either numbers or bytes for values" though.
+         * If this presumption falls apart then other parts of verification later on will fail so we
+         * should be safe doing this here.
+         */
+        index_js_1.isoCBOR.encode(firstDecoded));
         if (foundBadCBOR) {
             // Restore the bit we changed so that `authData` is the same as it came in and won't break
             // signature verification.