v6.2.0

Packages:

• @simplewebauthn/server@6.2.0

Changes:

• [server] The value of the user verification flag is now returned from verifyAuthenticationResponse() as authenticationInfo.userVerified, similar to how verifyRegistrationResponse() currently returns this value.

v6.1.0

Packages:

• @simplewebauthn/server@6.1.0

Changes:

• [server] Improve support for requiring resident keys when targeting WebAuthn L1 (#259)
• [server] Encourage authenticators to produce Ed25519 credential keypairs when supported (#261)

v6.0.0 - The one with Ed25519 Support

This release marks the return of the library's ability to pass FIDO Conformance 🎉

Adding Ed25519 signature verification (see below) finally allowed the library to pass all required tests, and nearly all optional tests:

Packages:

• @simplewebauthn/browser@6.0.0
• @simplewebauthn/server@6.0.0
• @simplewebauthn/testing@6.0.0
• @simplewebauthn/typescript-types@6.0.0

Changes:

• [server] Signatures can now be verified with OKP public keys that use the Ed25519 curve and EDDSA algorithm (#256)
• [testing] Version sync
• [typescript-types] Version sync

Breaking Changes

• [server] verifyAuthenticationResponse() now returns Promise<VerifiedAuthenticationResponse> instead of VerifiedAuthenticationResponse (#256)

Update your existing calls to verifyAuthenticationResponse() to handle the values resolved by the promises, whether with .then() or await depending on your code structure:

Before:

const verification = verifyAuthenticationResponse({
  // ...
});

After:

const verification = await verifyAuthenticationResponse({
  // ...
});

• [browser] browserSupportsWebauthn() has been renamed to browserSupportsWebAuthn() (#257)

Update calls to browserSupportsWebauthn() to capitalize the "A" in "WebAuthn":

Before:

if (browserSupportsWebauthn()) {
  // ...
}

After:

if (browserSupportsWebAuthn()) {
  // ...
}

v5.4.5

Packages:

• @simplewebauthn/server@5.4.5

Changes:

• [server] Support FIDO Conformance user verification requirements (#254)

To leverage these requirements (as might be the case for RP's seeking FIDO certification), update your calls to verifyAuthenticationResponse() to replace requireUserVerification with the new advancedFIDOConfig.userVerification option:

Before:

const verification = verifyAuthenticationResponse({
  // ...
  requireUserVerification: true
});

After

const verification = verifyAuthenticationResponse({
  // ...
  advancedFIDOConfig: {
    // UserVerificationRequirement: 'required' | 'preferred' | 'discouraged'
    userVerification: 'required',
  },
});

Setting advancedFIDOConfig.userVerification to 'required' will only require the uv flag to be true; up flag may be false. Setting it to 'preferred' or 'discouraged' will allow both up and uv to be false during verification.

• [server] Rename the devicePublicKey property on the AuthenticationExtensionsAuthenticatorOutputs type to devicePubKey (#243; no one supports this yet so it's not a breaking change)

v5.4.4

Packages:

• @simplewebauthn/server@5.4.4

Changes:

• [server] Enhance compliance with current FIDO conformance requirements (#249, #251)
• [server] Minor performance improvements (#150)

v5.4.3

Packages:

• @simplewebauthn/server@5.4.3

Changes:

• [server] Remove support for the following defunct FIDO metadata authentication algorithms: "rsa_emsa_pkcs1_sha256_raw", "rsa_emsa_pkcs1_sha256_der", "sm2_sm3_raw" (#245)
• [server] Update remaining FIDO metadata constants to match v2.2 of the FIDO Registry of Predefined Values (#244)

v5.4.2

Packages:

• @simplewebauthn/server@5.4.2

Changes:

• [server] Add support for "rsa_emsa_pkcs1_sha256_raw" and "rsa_emsa_pkcs1_sha256_der" authentication algorithms in FIDO MDS metadata statements (#241)

v5.4.1

Packages:

• @simplewebauthn/browser@5.4.1
• @simplewebauthn/server@5.4.1

Changes:

• [browser] "type": "module" has been added to package.json to appease modern front end tooling that expects this value to be present when using the ESM build (#237)
• [server] TPM attestation statement verification now properly verifies statements with ECC public area type (#239)

v5.4.0

Packages:

• @simplewebauthn/browser@5.4.0
• @simplewebauthn/server@5.4.0
• @simplewebauthn/typescript-types@5.4.0

Changes:

• [server] verifyRegistrationResponse() and verifyAuthenticationResponse() now return authenticator extension data upon successful verification as the new authenticatorExtensionResults property (#230)
• [browser] Code quality improvements
• [typescript-types] Code quality improvements

v5.3.0

Packages:

• @simplewebauthn/browser@5.3.0
• @simplewebauthn/server@5.3.0
• @simplewebauthn/typescript-types@5.3.0

Changes:

• [browser] startAuthentication() now accepts a second useBrowserAutofill boolean argument that sets up support for credential selection via a browser's autofill prompt (a.k.a. Conditional UI). The new browserSupportsWebAuthnAutofill() helper method can be used independently to determine when this feature is supported by the browser (#214)
• [browser] startRegistration() and startAuthentication() will return a new authenticatorAttachment value when present that captures whether a cross-platform or platform authenticator was just used (#221)
• [typescript-types] A new PublicKeyCredentialFuture interface has been added to define new properties currently defined in the WebAuthn L3 spec draft. These new values support the above new functionality until official TypeScript types are updated accordingly (#214, #221)
• [typescript-types] A new "hybrid" transport has been added to AuthenticatorTransportFuture while browsers migrate away from the existing "cable" transport for cross-device auth (#222)