Skip to content

Releases: MasterKale/SimpleWebAuthn

v13.3.2

Choose a tag to compare

@MasterKale MasterKale released this 24 Jun 05:13
803d1da

This update fixes a CVSS v4 Low (2.0) security vulnerability identified in @simplewebauthn/server. See the security advisory linked below for more information.

Changes:

  • [server] Fixed an issue with verifyRegistrationResponse() allowing a maliciously-crafted attestation statement's x5c to contain a self-signed "root certificate" instead of chaining back to an RP-specified trust anchor (GHSA-6hxq-p678-4hr2)

v13.3.1

Choose a tag to compare

@MasterKale MasterKale released this 27 May 17:07
de9dec5

Changes:

  • [server] Fixed an issue with verifyRegistrationResponse() failing to verify some Packed and SafetyNet statements (#767)

v13.3.0

Choose a tag to compare

@MasterKale MasterKale released this 10 Mar 05:58
8b76229
  • [browser] startRegistration() and startAuthentication() will recognize punycode domains as valid domains when trying to identify why an error occurred (#750)
  • [server] A new verifyMDSBlob() helper method has been added to verify and extract metadata statements from FIDO MDS blobs. See the docs here for more info (#752)

v13.2.3

Choose a tag to compare

@MasterKale MasterKale released this 21 Feb 19:17
3207571

Changes

  • [server] Dependencies have been updated to fix a "Cannot get schema" error that may occur when verifying responses after upgrading to v13.2.0+ (#747)

v13.2.2

Choose a tag to compare

@MasterKale MasterKale released this 04 Oct 17:12
0249061

Changes

v13.2.1

Choose a tag to compare

@MasterKale MasterKale released this 17 Sep 06:41
75ad6b7

Changes:

  • [server] generateRegistrationOptions() will now correctly encoded the userID argument to base64url when it is an instance of Node's Buffer (#724)

v13.2.0

Choose a tag to compare

@MasterKale MasterKale released this 15 Sep 02:59
84c61db
  • [server] The return value from verifyRegistrationResponse() has been defined more strictly to communicate that registrationInfo will only ever be present if verified is true (#715)
  • [server] verifyRegistrationResponse() can now verify attestations containing SHA256 hashes by using EC public keys with the P-384 curve (#721)
  • [server] The Android SafetyNet "CTS profile match" system integrity check can now be disabled by setting attestationSafetyNetEnforceCTSCheck: false when calling verifyRegistrationResponse(). This check remains enforced by default (#722)
  • [browser] [server] These libraries now have better support in Deno 2.2+ projects which use generic typing for Uint8Array via TypeScript 5.7. SimpleWebAuthn values of type Uint8Array_ are equivalent to Uint8Array in Deno 2.1 and earlier, and Uint8Array<ArrayBuffer> in Deno 2.2 and later. (#717)

v13.1.2

Choose a tag to compare

@MasterKale MasterKale released this 05 Jul 20:51
467f8f1

Changes

  • [browser] [server] Exported the ResidentKeyRequirement type to help with type inference (#704)

v13.1.1

Choose a tag to compare

@MasterKale MasterKale released this 26 Jan 20:20
1f6216e

Changes:

  • [server] "android-key" attestation statement verification has been modernized (#675)
  • [server] More TPM manufacturers are recognized while verifying "tpm" attestation statements (#673)

v13.1.0

Choose a tag to compare

@MasterKale MasterKale released this 13 Jan 00:46
cfd2400

Changes:

  • [server] The cross-fetch dependency has been removed from the project to silence in the console DeprecationWarning's about a "punycode" module (#661)
  • [browser] startRegistration() and startAuthentication() will now warn about calls made using the pre-v11 call structure to encourage refactoring to use the current call structure, but still try to handle such calls the best they can (#664)