fix(deps): update dependency @simplewebauthn/browser to v11 #1605
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
9.0.1
->11.0.0
Release Notes
MasterKale/SimpleWebAuthn (@simplewebauthn/browser)
v11.0.0
Compare Source
Say hello to support for automatic passkey registration, support for valid conditional UI
<input>
elements stashed away in web components, and to the new
WebAuthnCredential
type that modernizessome logic within.
There are some breaking changes in this release! Please see Breaking Changes below for refactor
guidance.
Packages
Changes
useAutoRegister
argument has been added tostartRegistration()
tosupport attempts to automatically register passkeys for users who just completed non-passkey auth.
verifyRegistrationResponse()
has gained a newrequireUserPresence
option that can be set tofalse
when verifying responses fromstartRegistration({ useAutoRegister: true, ... })
(#623)
verifyBrowserAutofillInput
argument has been added tostartAuthentication()
to disable throwing an error when a correctly configured<input>
elementcannot be found (but perhaps a valid one is present in a web component shadow's DOM)
(#621)
AuthenticatorDevice
type has been renamed toWebAuthnCredential
andhas had its properties renamed. The return value out of
verifyRegistrationResponse()
andcorresponding inputs into
verifyAuthenticationResponse()
have been updated accordingly. SeeBreaking Changes below for refactor guidance
(#625)
verifyRegistrationResponse()
now verifies that the authenticator data AAGUIDmatches the leaf cert's
id-fido-gen-ce-aaguid
extension AAGUID when it is present(#609)
IBM (#610)
uvm
anddpk
have been removed(#611)
Breaking Changes
[browser] Positional arguments in
startRegistration()
andstartAuthentication()
have been replaced by a single objectProperty names in the object match the names of the previously-positional arguments. To update
existing implementations, wrap existing options in an object with corresponding properties:
Before:
After:
[server] [types] The
AuthenticatorDevice
type has been renamed toWebAuthnCredential
AuthenticatorDevice.credentialID
andAuthenticatorDevice.credentialPublicKey
have been shortenedto
WebAuthnCredential.id
andWebAuthnCredential.publicKey
respectively.verifyRegistrationResponse()
has been updated accordingly to return a newcredential
value oftype
WebAuthnCredential
. Update code that storescredentialID
,credentialPublicKey
, andcounter
out ofverifyRegistrationResponse()
to storecredential.id
,credential.publicKey
,and
credential.counter
instead:Before:
After:
Update calls to
verifyAuthenticationResponse()
to match the newcredential
argument thatreplaces the
authenticator
argument:Before:
After:
v10.0.0
Compare Source
Thanks for everything, Node 16 and Node 18, but it's time to move on! The headlining change of this
release is the targeting of Node LTS v20+ as the minimum Node runtime. Additional developer-centric
quality-of-life changes have also been made in the name of streamlining use of SimpleWebAuthn on
both the back end and front end.
This release is packed with updates, so buckle up! Refactor advice for breaking changes is, as
always, offered below.
Packages
Changes
(#531)
user.displayName
now defaults to an empty string if a value is not specified foruserDisplayName
when callinggenerateRegistrationOptions()
(#538)
browserSupportsWebAuthnAutofill()
helper will no longer break in environmentsin which
PublicKeyCredential
is not present(#557, with thanks to @clarafitzgerald)
Breaking Changes
#529:
generateRegistrationOptions()
now expectsBase64URLString
for excluded credential IDsgenerateAuthenticationOptions()
now expectsBase64URLString
for allowed credential IDscredentialID
returned from response verification methods is now aBase64URLString
AuthenticatorDevice.credentialID
is now aBase64URLString
isoBase64URL.isBase64url()
is now calledisoBase64URL.isBase64URL()
#552:
generateRegistrationOptions()
now accepts an optionalUint8Array
instead of astring
foruserID
isoBase64URL.toString()
andisoBase64URL.fromString()
have been renamedgenerateRegistrationOptions()
will now generate random user IDsuser.id
is now treated like a base64url string instartRegistration()
userHandle
is now treated like a base64url string instartAuthentication()
rpID
is now a required argument when callinggenerateAuthenticationOptions()
(#555)
[server]
generateRegistrationOptions()
now expectsBase64URLString
for excluded credential IDsThe
isoBase64URL
helper can be used to massageUint8Array
credential IDs into base64url strings:Before
After
The
type
argument is no longer needed either.[server]
generateAuthenticationOptions()
now expectsBase64URLString
for allowed credential IDsSimilarly, the
isoBase64URL
helper can also be used during auth to massageUint8Array
credentialIDs into base64url strings:
Before
After
The
type
argument is no longer needed either.[server]
credentialID
returned from response verification methods is now aBase64URLString
It is no longer necessary to manually stringify
credentialID
out of response verification methods:Before
After
[server]
AuthenticatorDevice.credentialID
is now aBase64URLString
Calls to
verifyAuthenticationResponse()
will need to be updated to encode the credential ID to abase64url string:
Before
After
[server]
isoBase64URL.isBase64url()
is now calledisoBase64URL.isBase64URL()
Note the capitalization change from "url" to "URL" in the method name. Update calls to this method
accordingly.
[server]
generateRegistrationOptions()
will now generate random user IDs[browser]
user.id
is now treated like a base64url string instartRegistration()
[browser]
userHandle
is now treated like a base64url string instartAuthentication()
A random identifier will now be generated when a value is not provided for the now-optional
userID
argument when calling
generateRegistrationOptions()
. This identifier will be base64url-encodedstring of 32 random bytes. RPs that wish to take advantage of this can simply omit this
argument.
Additionally,
startRegistration()
will base64url-decodeuser.id
before calling WebAuthn. Duringauth
startAuthentication()
will base64url-encodeuserHandle
in the returned credential. Thisshould be a transparent change for RP's that simply feed @simplewebauthn/server options output
into the corresponding @simplewebauthn/browser methods.
However, RP's that wish to continue generating their own user identifiers will need to take
additional steps to ensure they get back user IDs in the expected format after authentication.
Before (SimpleWebAuthn v9)
After (SimpleWebAuthn v10)
[server]
isoBase64URL.toString()
andisoBase64URL.fromString()
have been renamedThe method names have been updated to reflect the use of UTF-8 string encoding:
Before:
After:
[server]
rpID
is now a required argument when callinggenerateAuthenticationOptions()
Update calls to this method to specify the same
rpID
as passed intogenerateRegistrationOptions()
:Before
After
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.