Skip to content

v13.0.0 - The one where they share a type

Latest
Latest
Compare
Choose a tag to compare
@MasterKale MasterKale released this 09 Dec 02:43
· 3 commits to master since this release
v13.0.0
6b27e92
This commit was signed with the committer’s verified signature.
MasterKale Matthew Miller
SSH Key Fingerprint: Jvn6a+nBf2s5VcRr+Xw7UKKWTc32Fl0Ol/uC7cKTI3k Learn about vigilant mode.

Hot on the heels of the last major release, v13 introduces support for registration hints! Refined types and improved attestation trust anchor verification are also included. Last but not least, we say goodbye to one of the project's packages for better docs and fewer dependencies to install. Read on for more information, including refactor advice for dealing with the retirement of @simplewebauthn/types.

Changes:

  • [server] A new preferredAuthenticatorType argument can be set when calling generateRegistrationOptions() to generate options that encourage the browser to direct the user to register one of three types of authenticators: 'securityKey', 'localDevice', or 'remoteDevice' (a.k.a. opinionated WebAuthn hints support) (#653)
  • [browser] startRegistration() will recognize hints if specified in optionsJSON (#652)
  • [server] Attestation verification now recognizes intermediate certificates as trust anchors (#650)
  • [browser] [server] The types previously maintained in the types package are now included within the browser and server packages. See Breaking Changes below for more info (#655)

Breaking Changes

@typescript/types is being retired.

Its types will now be included directly in @simplewebauthn/browser and @simplewebauthn/server.

To refactor existing imports from /types, simply import them from /browser or /server instead:

Before:

import type {
  AuthenticationResponseJSON,
  RegistrationResponseJSON,
  WebAuthnCredential,
} from '@simplewebauthn/types'; // <--

After:

import type {
  AuthenticationResponseJSON,
  RegistrationResponseJSON,
  WebAuthnCredential,
} from '@simplewebauthn/server'; // <--

[server] attestationType no longer accepts 'indirect'

The benefits of indirect attestation are too minimal to be useful for Relying Parties. In practice it is almost never used over ignoring the concept completely with 'none' or needing to be intentional and setting 'direct'.

RP's that have been specifying attestationType: 'indirect' when calling generateRegistrationOptions() will need to refactor their code to either omit attestationType (generateRegistrationOptions() will default to attestationType: 'none') or set attestationType: 'direct' instead:

Before:

const options = await generateRegistrationOptions({
  // ...
  attestationType: 'indirect'
});

After:

const options = await generateRegistrationOptions({
  // ...
});

-or-

const options = await generateRegistrationOptions({
  // ...
  attestationType: 'direct'
});
Assets 2
Loading