@simplewebauthn/server 9.0.3 → 10.0.1

package/esm/registration/generateRegistrationOptions.js

@@ -1,4 +1,5 @@
 import { generateChallenge } from '../helpers/generateChallenge.js';
+import { generateUserID } from '../helpers/generateUserID.js';
 import { isoBase64URL, isoUint8Array } from '../helpers/iso/index.js';
 /**
  * Supported crypto algo identifiers
@@ -46,28 +47,25 @@ const defaultAuthenticatorSelection = {
  */
 const defaultSupportedAlgorithmIDs = [-8, -7, -257];
 /**
- * Prepare a value to pass into navigator.credentials.create(...) for authenticator "registration"
+ * Prepare a value to pass into navigator.credentials.create(...) for authenticator registration
  *
  * **Options:**
  *
- * @param rpName User-visible, "friendly" website/service name
- * @param rpID Valid domain name (after `https://`)
- * @param userID User's website-specific unique ID
- * @param userName User's website-specific username (email, etc...)
- * @param challenge Random value the authenticator needs to sign and pass back
- * @param userDisplayName User's actual name
- * @param timeout How long (in ms) the user can take to complete attestation
- * @param attestationType Specific attestation statement
- * @param excludeCredentials Authenticators registered by the user so the user can't register the
- * same credential multiple times
- * @param authenticatorSelection Advanced criteria for restricting the types of authenticators that
- * may be used
- * @param extensions Additional plugins the authenticator or browser should use during attestation
- * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
- * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ * @param rpName - User-visible, "friendly" website/service name
+ * @param rpID - Valid domain name (after `https://`)
+ * @param userName - User's website-specific username (email, etc...)
+ * @param userID **(Optional)** - User's website-specific unique ID. Defaults to generating a random identifier
+ * @param challenge **(Optional)** - Random value the authenticator needs to sign and pass back. Defaults to generating a random value
+ * @param userDisplayName **(Optional)** - User's actual name. Defaults to `""`
+ * @param timeout **(Optional)** - How long (in ms) the user can take to complete attestation. Defaults to `60000`
+ * @param attestationType **(Optional)** - Specific attestation statement. Defaults to `"none"`
+ * @param excludeCredentials **(Optional)** - Authenticators registered by the user so the user can't register the same credential multiple times. Defaults to `[]`
+ * @param authenticatorSelection **(Optional)** - Advanced criteria for restricting the types of authenticators that may be used. Defaults to `{ residentKey: 'preferred', userVerification: 'preferred' }`
+ * @param extensions **(Optional)** - Additional plugins the authenticator or browser should use during attestation
+ * @param supportedAlgorithmIDs **(Optional)** - Array of numeric COSE algorithm identifiers supported for attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms. Defaults to `[-8, -7, -257]`
  */
 export async function generateRegistrationOptions(options) {
-    const { rpName, rpID, userID, userName, challenge = await generateChallenge(), userDisplayName = userName, timeout = 60000, attestationType = 'none', excludeCredentials = [], authenticatorSelection = defaultAuthenticatorSelection, extensions, supportedAlgorithmIDs = defaultSupportedAlgorithmIDs, } = options;
+    const { rpName, rpID, userName, userID, challenge = await generateChallenge(), userDisplayName = '', timeout = 60000, attestationType = 'none', excludeCredentials = [], authenticatorSelection = defaultAuthenticatorSelection, extensions, supportedAlgorithmIDs = defaultSupportedAlgorithmIDs, } = options;
     /**
      * Prepare pubKeyCredParams from the array of algorithm ID's
      */
@@ -115,6 +113,20 @@ export async function generateRegistrationOptions(options) {
     if (typeof _challenge === 'string') {
         _challenge = isoUint8Array.fromUTF8String(_challenge);
     }
+    /**
+     * Explicitly disallow use of strings for userID anymore because `isoBase64URL.fromBuffer()` below
+     * will return an empty string if one gets through!
+     */
+    if (typeof userID === 'string') {
+        throw new Error(`String values for \`userID\` are no longer supported. See https://simplewebauthn.dev/docs/advanced/server/custom-user-ids`);
+    }
+    /**
+     * Generate a user ID if one is not provided
+     */
+    let _userID = userID;
+    if (!_userID) {
+        _userID = await generateUserID();
+    }
     return {
         challenge: isoBase64URL.fromBuffer(_challenge),
         rp: {
@@ -122,17 +134,23 @@ export async function generateRegistrationOptions(options) {
             id: rpID,
         },
         user: {
-            id: userID,
+            id: isoBase64URL.fromBuffer(_userID),
             name: userName,
             displayName: userDisplayName,
         },
         pubKeyCredParams,
         timeout,
         attestation: attestationType,
-        excludeCredentials: excludeCredentials.map((cred) => ({
-            ...cred,
-            id: isoBase64URL.fromBuffer(cred.id),
-        })),
+        excludeCredentials: excludeCredentials.map((cred) => {
+            if (!isoBase64URL.isBase64URL(cred.id)) {
+                throw new Error(`excludeCredential id "${cred.id}" is not a valid base64url string`);
+            }
+            return {
+                ...cred,
+                id: isoBase64URL.trimPadding(cred.id),
+                type: 'public-key',
+            };
+        }),
         authenticatorSelection,
         extensions: {
             ...extensions,

package/esm/registration/verifications/verifyAttestationAndroidSafetyNet.js

@@ -23,8 +23,8 @@ export async function verifyAttestationAndroidSafetyNet(options) {
     // Prepare to verify a JWT
     const jwt = isoUint8Array.toUTF8String(response);
     const jwtParts = jwt.split('.');
-    const HEADER = JSON.parse(isoBase64URL.toString(jwtParts[0]));
-    const PAYLOAD = JSON.parse(isoBase64URL.toString(jwtParts[1]));
+    const HEADER = JSON.parse(isoBase64URL.toUTF8String(jwtParts[0]));
+    const PAYLOAD = JSON.parse(isoBase64URL.toUTF8String(jwtParts[1]));
     const SIGNATURE = jwtParts[2];
     /**
      * START Verify PAYLOAD

package/esm/registration/verifyRegistrationResponse.d.ts

@@ -1,4 +1,4 @@
-import type { COSEAlgorithmIdentifier, CredentialDeviceType, RegistrationResponseJSON } from '../deps.js';
+import type { Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, RegistrationResponseJSON } from '../deps.js';
 import { AttestationFormat, AttestationStatement } from '../helpers/decodeAttestationObject.js';
 import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
 export type VerifyRegistrationResponseOpts = {
@@ -15,16 +15,13 @@ export type VerifyRegistrationResponseOpts = {
  *
  * **Options:**
  *
- * @param response Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
- * @param expectedChallenge The base64url-encoded `options.challenge` returned by
- * `generateRegistrationOptions()`
- * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
- * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
- * @param expectedType (Optional) The response type expected ('webauthn.create')
- * @param requireUserVerification (Optional) Enforce user verification by the authenticator
- * (via PIN, fingerprint, etc...)
- * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
- * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ * @param response - Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
+ * @param expectedChallenge - The base64url-encoded `options.challenge` returned by `generateRegistrationOptions()`
+ * @param expectedOrigin - Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID - RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType **(Optional)** - The response type expected ('webauthn.create')
+ * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
+ * @param supportedAlgorithmIDs **(Optional)** - Array of numeric COSE algorithm identifiers supported for attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms. Defaults to all supported algorithm IDs
  */
 export declare function verifyRegistrationResponse(options: VerifyRegistrationResponseOpts): Promise<VerifiedRegistrationResponse>;
 /**
@@ -59,7 +56,7 @@ export type VerifiedRegistrationResponse = {
         fmt: AttestationFormat;
         counter: number;
         aaguid: string;
-        credentialID: Uint8Array;
+        credentialID: Base64URLString;
         credentialPublicKey: Uint8Array;
         credentialType: 'public-key';
         attestationObject: Uint8Array;

package/esm/registration/verifyRegistrationResponse.js

@@ -21,16 +21,13 @@ import { verifyAttestationApple } from './verifications/verifyAttestationApple.j
  *
  * **Options:**
  *
- * @param response Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
- * @param expectedChallenge The base64url-encoded `options.challenge` returned by
- * `generateRegistrationOptions()`
- * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
- * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
- * @param expectedType (Optional) The response type expected ('webauthn.create')
- * @param requireUserVerification (Optional) Enforce user verification by the authenticator
- * (via PIN, fingerprint, etc...)
- * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
- * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ * @param response - Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
+ * @param expectedChallenge - The base64url-encoded `options.challenge` returned by `generateRegistrationOptions()`
+ * @param expectedOrigin - Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID - RP ID (or array of IDs) that was specified in the registration options
+ * @param expectedType **(Optional)** - The response type expected ('webauthn.create')
+ * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
+ * @param supportedAlgorithmIDs **(Optional)** - Array of numeric COSE algorithm identifiers supported for attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms. Defaults to all supported algorithm IDs
  */
 export async function verifyRegistrationResponse(options) {
     const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, requireUserVerification = true, supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers, } = options;
@@ -194,7 +191,7 @@ export async function verifyRegistrationResponse(options) {
             fmt,
             counter,
             aaguid: convertAAGUIDToString(aaguid),
-            credentialID,
+            credentialID: isoBase64URL.fromBuffer(credentialID),
             credentialPublicKey,
             credentialType,
             attestationObject,

package/package.json

@@ -2,7 +2,7 @@
   "module": "./esm/index.js",
   "main": "./script/index.js",
   "name": "@simplewebauthn/server",
-  "version": "9.0.3",
+  "version": "10.0.1",
   "description": "SimpleWebAuthn for Servers",
   "license": "MIT",
   "author": "Matthew Miller <matthew@millerti.me>",
@@ -16,7 +16,7 @@
     "access": "public"
   },
   "engines": {
-    "node": ">=16.0.0"
+    "node": ">=20.0.0"
   },
   "bugs": {
     "url": "https://github.com/MasterKale/SimpleWebAuthn/issues"
@@ -56,7 +56,7 @@
     "@peculiar/asn1-rsa": "^2.3.8",
     "@peculiar/asn1-schema": "^2.3.8",
     "@peculiar/asn1-x509": "^2.3.8",
-    "@simplewebauthn/types": "^9.0.1",
+    "@simplewebauthn/types": "^10.0.0",
     "cross-fetch": "^4.0.0"
   },
   "devDependencies": {

package/script/authentication/generateAuthenticationOptions.d.ts

@@ -1,23 +1,25 @@
-import type { AuthenticationExtensionsClientInputs, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialRequestOptionsJSON, UserVerificationRequirement } from '../deps.js';
+import type { AuthenticationExtensionsClientInputs, AuthenticatorTransportFuture, Base64URLString, PublicKeyCredentialRequestOptionsJSON, UserVerificationRequirement } from '../deps.js';
 export type GenerateAuthenticationOptionsOpts = {
-    allowCredentials?: PublicKeyCredentialDescriptorFuture[];
+    rpID: string;
+    allowCredentials?: {
+        id: Base64URLString;
+        transports?: AuthenticatorTransportFuture[];
+    }[];
     challenge?: string | Uint8Array;
     timeout?: number;
     userVerification?: UserVerificationRequirement;
     extensions?: AuthenticationExtensionsClientInputs;
-    rpID?: string;
 };
 /**
- * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
+ * Prepare a value to pass into navigator.credentials.get(...) for authenticator authentication
  *
- * @param allowCredentials Authenticators previously registered by the user, if any. If undefined
- * the client will ask the user which credential they want to use
- * @param challenge Random value the authenticator needs to sign and pass back
- * user for authentication
- * @param timeout How long (in ms) the user can take to complete authentication
- * @param userVerification Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise
- * set to `'preferred'` or `'required'` as desired.
- * @param extensions Additional plugins the authenticator or browser should use during authentication
- * @param rpID Valid domain name (after `https://`)
+ * **Options:**
+ *
+ * @param rpID - Valid domain name (after `https://`)
+ * @param allowCredentials **(Optional)** - Authenticators previously registered by the user, if any. If undefined the client will ask the user which credential they want to use
+ * @param challenge **(Optional)** - Random value the authenticator needs to sign and pass back user for authentication. Defaults to generating a random value
+ * @param timeout **(Optional)** - How long (in ms) the user can take to complete authentication. Defaults to `60000`
+ * @param userVerification **(Optional)** - Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise set to `'preferred'` or `'required'` as desired. Defaults to `"preferred"`
+ * @param extensions **(Optional)** - Additional plugins the authenticator or browser should use during authentication
  */
-export declare function generateAuthenticationOptions(options?: GenerateAuthenticationOptionsOpts): Promise<PublicKeyCredentialRequestOptionsJSON>;
+export declare function generateAuthenticationOptions(options: GenerateAuthenticationOptionsOpts): Promise<PublicKeyCredentialRequestOptionsJSON>;

package/script/authentication/generateAuthenticationOptions.js

@@ -4,19 +4,18 @@ exports.generateAuthenticationOptions = void 0;
 const index_js_1 = require("../helpers/iso/index.js");
 const generateChallenge_js_1 = require("../helpers/generateChallenge.js");
 /**
- * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
+ * Prepare a value to pass into navigator.credentials.get(...) for authenticator authentication
  *
- * @param allowCredentials Authenticators previously registered by the user, if any. If undefined
- * the client will ask the user which credential they want to use
- * @param challenge Random value the authenticator needs to sign and pass back
- * user for authentication
- * @param timeout How long (in ms) the user can take to complete authentication
- * @param userVerification Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise
- * set to `'preferred'` or `'required'` as desired.
- * @param extensions Additional plugins the authenticator or browser should use during authentication
- * @param rpID Valid domain name (after `https://`)
+ * **Options:**
+ *
+ * @param rpID - Valid domain name (after `https://`)
+ * @param allowCredentials **(Optional)** - Authenticators previously registered by the user, if any. If undefined the client will ask the user which credential they want to use
+ * @param challenge **(Optional)** - Random value the authenticator needs to sign and pass back user for authentication. Defaults to generating a random value
+ * @param timeout **(Optional)** - How long (in ms) the user can take to complete authentication. Defaults to `60000`
+ * @param userVerification **(Optional)** - Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise set to `'preferred'` or `'required'` as desired. Defaults to `"preferred"`
+ * @param extensions **(Optional)** - Additional plugins the authenticator or browser should use during authentication
  */
-async function generateAuthenticationOptions(options = {}) {
+async function generateAuthenticationOptions(options) {
     const { allowCredentials, challenge = await (0, generateChallenge_js_1.generateChallenge)(), timeout = 60000, userVerification = 'preferred', extensions, rpID, } = options;
     /**
      * Preserve ability to specify `string` values for challenges
@@ -26,15 +25,21 @@ async function generateAuthenticationOptions(options = {}) {
         _challenge = index_js_1.isoUint8Array.fromUTF8String(_challenge);
     }
     return {
+        rpId: rpID,
         challenge: index_js_1.isoBase64URL.fromBuffer(_challenge),
-        allowCredentials: allowCredentials?.map((cred) => ({
-            ...cred,
-            id: index_js_1.isoBase64URL.fromBuffer(cred.id),
-        })),
+        allowCredentials: allowCredentials?.map((cred) => {
+            if (!index_js_1.isoBase64URL.isBase64URL(cred.id)) {
+                throw new Error(`excludeCredential id "${cred.id}" is not a valid base64url string`);
+            }
+            return {
+                ...cred,
+                id: index_js_1.isoBase64URL.trimPadding(cred.id),
+                type: 'public-key',
+            };
+        }),
         timeout,
         userVerification,
         extensions,
-        rpId: rpID,
     };
 }
 exports.generateAuthenticationOptions = generateAuthenticationOptions;

package/script/authentication/verifyAuthenticationResponse.d.ts

@@ -1,36 +1,31 @@
-import type { AuthenticationResponseJSON, AuthenticatorDevice, CredentialDeviceType, UserVerificationRequirement } from '../deps.js';
+import type { AuthenticationResponseJSON, AuthenticatorDevice, Base64URLString, CredentialDeviceType, UserVerificationRequirement } from '../deps.js';
 import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
 export type VerifyAuthenticationResponseOpts = {
     response: AuthenticationResponseJSON;
     expectedChallenge: string | ((challenge: string) => boolean | Promise<boolean>);
     expectedOrigin: string | string[];
     expectedRPID: string | string[];
-    expectedType?: string | string[];
     authenticator: AuthenticatorDevice;
+    expectedType?: string | string[];
     requireUserVerification?: boolean;
     advancedFIDOConfig?: {
         userVerification?: UserVerificationRequirement;
     };
 };
 /**
- * Verify that the user has legitimately completed the login process
+ * Verify that the user has legitimately completed the authentication process
  *
  * **Options:**
  *
- * @param response Response returned by **@simplewebauthn/browser**'s `startAssertion()`
- * @param expectedChallenge The base64url-encoded `options.challenge` returned by
- * `generateAuthenticationOptions()`
- * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
- * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
- * @param expectedType (Optional) The response type expected ('webauthn.get')
- * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
- * @param requireUserVerification (Optional) Enforce user verification by the authenticator
- * (via PIN, fingerprint, etc...)
- * @param advancedFIDOConfig (Optional) Options for satisfying more stringent FIDO RP feature
- * requirements
- * @param advancedFIDOConfig.userVerification (Optional) Enable alternative rules for evaluating the
- * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
- * unless this value is `"required"`
+ * @param response - Response returned by **@simplewebauthn/browser**'s `startAssertion()`
+ * @param expectedChallenge - The base64url-encoded `options.challenge` returned by `generateAuthenticationOptions()`
+ * @param expectedOrigin - Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID - RP ID (or array of IDs) that was specified in the registration options
+ * @param authenticator - An internal {@link AuthenticatorDevice} matching the credential's ID
+ * @param expectedType **(Optional)** - The response type expected ('webauthn.get')
+ * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
+ * @param advancedFIDOConfig **(Optional)** - Options for satisfying more stringent FIDO RP feature requirements
+ * @param advancedFIDOConfig.userVerification **(Optional)** - Enable alternative rules for evaluating the User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional unless this value is `"required"`
  */
 export declare function verifyAuthenticationResponse(options: VerifyAuthenticationResponseOpts): Promise<VerifiedAuthenticationResponse>;
 /**
@@ -56,7 +51,7 @@ export declare function verifyAuthenticationResponse(options: VerifyAuthenticati
 export type VerifiedAuthenticationResponse = {
     verified: boolean;
     authenticationInfo: {
-        credentialID: Uint8Array;
+        credentialID: Base64URLString;
         newCounter: number;
         userVerified: boolean;
         credentialDeviceType: CredentialDeviceType;

package/script/authentication/verifyAuthenticationResponse.js

@@ -9,24 +9,19 @@ const parseBackupFlags_js_1 = require("../helpers/parseBackupFlags.js");
 const matchExpectedRPID_js_1 = require("../helpers/matchExpectedRPID.js");
 const index_js_1 = require("../helpers/iso/index.js");
 /**
- * Verify that the user has legitimately completed the login process
+ * Verify that the user has legitimately completed the authentication process
  *
  * **Options:**
  *
- * @param response Response returned by **@simplewebauthn/browser**'s `startAssertion()`
- * @param expectedChallenge The base64url-encoded `options.challenge` returned by
- * `generateAuthenticationOptions()`
- * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
- * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
- * @param expectedType (Optional) The response type expected ('webauthn.get')
- * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
- * @param requireUserVerification (Optional) Enforce user verification by the authenticator
- * (via PIN, fingerprint, etc...)
- * @param advancedFIDOConfig (Optional) Options for satisfying more stringent FIDO RP feature
- * requirements
- * @param advancedFIDOConfig.userVerification (Optional) Enable alternative rules for evaluating the
- * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
- * unless this value is `"required"`
+ * @param response - Response returned by **@simplewebauthn/browser**'s `startAssertion()`
+ * @param expectedChallenge - The base64url-encoded `options.challenge` returned by `generateAuthenticationOptions()`
+ * @param expectedOrigin - Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID - RP ID (or array of IDs) that was specified in the registration options
+ * @param authenticator - An internal {@link AuthenticatorDevice} matching the credential's ID
+ * @param expectedType **(Optional)** - The response type expected ('webauthn.get')
+ * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
+ * @param advancedFIDOConfig **(Optional)** - Options for satisfying more stringent FIDO RP feature requirements
+ * @param advancedFIDOConfig.userVerification **(Optional)** - Enable alternative rules for evaluating the User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional unless this value is `"required"`
  */
 async function verifyAuthenticationResponse(options) {
     const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, authenticator, requireUserVerification = true, advancedFIDOConfig, } = options;
@@ -87,10 +82,10 @@ async function verifyAuthenticationResponse(options) {
             throw new Error(`Unexpected authentication response origin "${origin}", expected "${expectedOrigin}"`);
         }
     }
-    if (!index_js_1.isoBase64URL.isBase64url(assertionResponse.authenticatorData)) {
+    if (!index_js_1.isoBase64URL.isBase64URL(assertionResponse.authenticatorData)) {
         throw new Error('Credential response authenticatorData was not a base64url string');
     }
-    if (!index_js_1.isoBase64URL.isBase64url(assertionResponse.signature)) {
+    if (!index_js_1.isoBase64URL.isBase64URL(assertionResponse.signature)) {
         throw new Error('Credential response signature was not a base64url string');
     }
     if (assertionResponse.userHandle &&

package/script/deps.d.ts

@@ -1,4 +1,4 @@
-export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/types';
+export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, AuthenticatorTransportFuture, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/types';
 export * as tinyCbor from '@levischuck/tiny-cbor';
 export { default as base64 } from '@hexagon/base64';
 export { fetch as crossFetch } from 'cross-fetch';

package/script/helpers/convertCertBufferToPEM.js

@@ -11,7 +11,7 @@ function convertCertBufferToPEM(certBuffer) {
      * Get certBuffer to a base64 representation
      */
     if (typeof certBuffer === 'string') {
-        if (index_js_1.isoBase64URL.isBase64url(certBuffer)) {
+        if (index_js_1.isoBase64URL.isBase64URL(certBuffer)) {
             b64cert = index_js_1.isoBase64URL.toBase64(certBuffer);
         }
         else if (index_js_1.isoBase64URL.isBase64(certBuffer)) {

package/script/helpers/decodeClientDataJSON.d.ts

@@ -1,7 +1,8 @@
+import type { Base64URLString } from '../deps.js';
 /**
  * Decode an authenticator's base64url-encoded clientDataJSON to JSON
  */
-export declare function decodeClientDataJSON(data: string): ClientDataJSON;
+export declare function decodeClientDataJSON(data: Base64URLString): ClientDataJSON;
 export type ClientDataJSON = {
     type: string;
     challenge: string;

package/script/helpers/decodeClientDataJSON.js

@@ -6,7 +6,7 @@ const index_js_1 = require("./iso/index.js");
  * Decode an authenticator's base64url-encoded clientDataJSON to JSON
  */
 function decodeClientDataJSON(data) {
-    const toString = index_js_1.isoBase64URL.toString(data);
+    const toString = index_js_1.isoBase64URL.toUTF8String(data);
     const clientData = JSON.parse(toString);
     return exports._decodeClientDataJSONInternals.stubThis(clientData);
 }

package/script/helpers/generateUserID.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Generate a suitably random value to be used as user ID
+ */
+export declare function generateUserID(): Promise<Uint8Array>;
+export declare const _generateUserIDInternals: {
+    stubThis: (value: Uint8Array) => Uint8Array;
+};

package/script/helpers/generateUserID.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._generateUserIDInternals = exports.generateUserID = void 0;
+const index_js_1 = require("./iso/index.js");
+/**
+ * Generate a suitably random value to be used as user ID
+ */
+async function generateUserID() {
+    /**
+     * WebAuthn spec says user.id has a max length of 64 bytes. I prefer how 32 random bytes look
+     * after they're base64url-encoded so I'm choosing to go with that here.
+     */
+    const newUserID = new Uint8Array(32);
+    await index_js_1.isoCrypto.getRandomValues(newUserID);
+    return exports._generateUserIDInternals.stubThis(newUserID);
+}
+exports.generateUserID = generateUserID;
+// Make it possible to stub the return value during testing
+exports._generateUserIDInternals = {
+    stubThis: (value) => value,
+};

package/script/helpers/index.d.ts

@@ -5,6 +5,7 @@ import { decodeAttestationObject } from './decodeAttestationObject.js';
 import { decodeClientDataJSON } from './decodeClientDataJSON.js';
 import { decodeCredentialPublicKey } from './decodeCredentialPublicKey.js';
 import { generateChallenge } from './generateChallenge.js';
+import { generateUserID } from './generateUserID.js';
 import { getCertificateInfo } from './getCertificateInfo.js';
 import { isCertRevoked } from './isCertRevoked.js';
 import { parseAuthenticatorData } from './parseAuthenticatorData.js';
@@ -13,7 +14,7 @@ import { validateCertificatePath } from './validateCertificatePath.js';
 import { verifySignature } from './verifySignature.js';
 import { isoBase64URL, isoCBOR, isoCrypto, isoUint8Array } from './iso/index.js';
 import * as cose from './cose.js';
-export { convertAAGUIDToString, convertCertBufferToPEM, convertCOSEtoPKCS, cose, decodeAttestationObject, decodeClientDataJSON, decodeCredentialPublicKey, generateChallenge, getCertificateInfo, isCertRevoked, isoBase64URL, isoCBOR, isoCrypto, isoUint8Array, parseAuthenticatorData, toHash, validateCertificatePath, verifySignature, };
+export { convertAAGUIDToString, convertCertBufferToPEM, convertCOSEtoPKCS, cose, decodeAttestationObject, decodeClientDataJSON, decodeCredentialPublicKey, generateChallenge, generateUserID, getCertificateInfo, isCertRevoked, isoBase64URL, isoCBOR, isoCrypto, isoUint8Array, parseAuthenticatorData, toHash, validateCertificatePath, verifySignature, };
 import type { AttestationFormat, AttestationObject, AttestationStatement } from './decodeAttestationObject.js';
 import type { CertificateInfo } from './getCertificateInfo.js';
 import type { ClientDataJSON } from './decodeClientDataJSON.js';

package/script/helpers/index.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifySignature = exports.validateCertificatePath = exports.toHash = exports.parseAuthenticatorData = exports.isoUint8Array = exports.isoCrypto = exports.isoCBOR = exports.isoBase64URL = exports.isCertRevoked = exports.getCertificateInfo = exports.generateChallenge = exports.decodeCredentialPublicKey = exports.decodeClientDataJSON = exports.decodeAttestationObject = exports.cose = exports.convertCOSEtoPKCS = exports.convertCertBufferToPEM = exports.convertAAGUIDToString = void 0;
+exports.verifySignature = exports.validateCertificatePath = exports.toHash = exports.parseAuthenticatorData = exports.isoUint8Array = exports.isoCrypto = exports.isoCBOR = exports.isoBase64URL = exports.isCertRevoked = exports.getCertificateInfo = exports.generateUserID = exports.generateChallenge = exports.decodeCredentialPublicKey = exports.decodeClientDataJSON = exports.decodeAttestationObject = exports.cose = exports.convertCOSEtoPKCS = exports.convertCertBufferToPEM = exports.convertAAGUIDToString = void 0;
 const convertAAGUIDToString_js_1 = require("./convertAAGUIDToString.js");
 Object.defineProperty(exports, "convertAAGUIDToString", { enumerable: true, get: function () { return convertAAGUIDToString_js_1.convertAAGUIDToString; } });
 const convertCertBufferToPEM_js_1 = require("./convertCertBufferToPEM.js");
@@ -38,6 +38,8 @@ const decodeCredentialPublicKey_js_1 = require("./decodeCredentialPublicKey.js")
 Object.defineProperty(exports, "decodeCredentialPublicKey", { enumerable: true, get: function () { return decodeCredentialPublicKey_js_1.decodeCredentialPublicKey; } });
 const generateChallenge_js_1 = require("./generateChallenge.js");
 Object.defineProperty(exports, "generateChallenge", { enumerable: true, get: function () { return generateChallenge_js_1.generateChallenge; } });
+const generateUserID_js_1 = require("./generateUserID.js");
+Object.defineProperty(exports, "generateUserID", { enumerable: true, get: function () { return generateUserID_js_1.generateUserID; } });
 const getCertificateInfo_js_1 = require("./getCertificateInfo.js");
 Object.defineProperty(exports, "getCertificateInfo", { enumerable: true, get: function () { return getCertificateInfo_js_1.getCertificateInfo; } });
 const isCertRevoked_js_1 = require("./isCertRevoked.js");

package/script/helpers/iso/isoBase64URL.d.ts

@@ -1,3 +1,4 @@
+import type { Base64URLString } from '../../deps.js';
 /**
  * Decode from a Base64URL-encoded string to an ArrayBuffer. Best used when converting a
  * credential ID from a JSON string to an ArrayBuffer, like in allowCredentials or
@@ -20,13 +21,13 @@ export declare function fromBuffer(buffer: Uint8Array, to?: 'base64' | 'base64ur
  */
 export declare function toBase64(base64urlString: string): string;
 /**
- * Encode a string to base64url
+ * Encode a UTF-8 string to base64url
  */
-export declare function fromString(ascii: string): string;
+export declare function fromUTF8String(utf8String: string): string;
 /**
- * Decode a base64url string into its original string
+ * Decode a base64url string into its original UTF-8 string
  */
-export declare function toString(base64urlString: string): string;
+export declare function toUTF8String(base64urlString: string): string;
 /**
  * Confirm that the string is encoded into base64
  */
@@ -34,4 +35,8 @@ export declare function isBase64(input: string): boolean;
 /**
  * Confirm that the string is encoded into base64url, with support for optional padding
  */
-export declare function isBase64url(input: string): boolean;
+export declare function isBase64URL(input: string): boolean;
+/**
+ * Remove optional padding from a base64url-encoded string
+ */
+export declare function trimPadding(input: Base64URLString): Base64URLString;

package/script/helpers/iso/isoBase64URL.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBase64url = exports.isBase64 = exports.toString = exports.fromString = exports.toBase64 = exports.fromBuffer = exports.toBuffer = void 0;
+exports.trimPadding = exports.isBase64URL = exports.isBase64 = exports.toUTF8String = exports.fromUTF8String = exports.toBase64 = exports.fromBuffer = exports.toBuffer = void 0;
 const deps_js_1 = require("../../deps.js");
 /**
  * Decode from a Base64URL-encoded string to an ArrayBuffer. Best used when converting a
@@ -36,19 +36,19 @@ function toBase64(base64urlString) {
 }
 exports.toBase64 = toBase64;
 /**
- * Encode a string to base64url
+ * Encode a UTF-8 string to base64url
  */
-function fromString(ascii) {
-    return deps_js_1.base64.fromString(ascii, true);
+function fromUTF8String(utf8String) {
+    return deps_js_1.base64.fromString(utf8String, true);
 }
-exports.fromString = fromString;
+exports.fromUTF8String = fromUTF8String;
 /**
- * Decode a base64url string into its original string
+ * Decode a base64url string into its original UTF-8 string
  */
-function toString(base64urlString) {
+function toUTF8String(base64urlString) {
     return deps_js_1.base64.toString(base64urlString, true);
 }
-exports.toString = toString;
+exports.toUTF8String = toUTF8String;
 /**
  * Confirm that the string is encoded into base64
  */
@@ -59,9 +59,16 @@ exports.isBase64 = isBase64;
 /**
  * Confirm that the string is encoded into base64url, with support for optional padding
  */
-function isBase64url(input) {
+function isBase64URL(input) {
     // Trim padding characters from the string if present
-    input = input.replace(/=/g, '');
+    input = trimPadding(input);
     return deps_js_1.base64.validate(input, true);
 }
-exports.isBase64url = isBase64url;
+exports.isBase64URL = isBase64URL;
+/**
+ * Remove optional padding from a base64url-encoded string
+ */
+function trimPadding(input) {
+    return input.replace(/=/g, '');
+}
+exports.trimPadding = trimPadding;