From 08c930e6cf3369232a9604eea363b3fce5f8eab9 Mon Sep 17 00:00:00 2001 From: Marvin <127591405+Lokowitz@users.noreply.github.com> Date: Sun, 21 Sep 2025 18:32:18 +0000 Subject: [PATCH 1/9] update webauthen --- package-lock.json | 237 ++++++++++++++++++----------- package.json | 4 +- server/routers/auth/securityKey.ts | 37 +++-- 3 files changed, 170 insertions(+), 108 deletions(-) diff --git a/package-lock.json b/package-lock.json index d3b0f434..4d140f7c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -35,8 +35,8 @@ "@react-email/components": "0.5.3", "@react-email/render": "^1.2.0", "@react-email/tailwind": "1.2.2", - "@simplewebauthn/browser": "^13.1.2", - "@simplewebauthn/server": "^9.0.3", + "@simplewebauthn/browser": "^13.2.0", + "@simplewebauthn/server": "^13.2.1", "@tailwindcss/forms": "^0.5.10", "@tanstack/react-table": "8.21.3", "arctic": "^3.7.0", 
@@ -3663,34 +3663,101 @@ "tslib": "^2.8.1" } }, - "node_modules/@peculiar/asn1-ecc": { - "version": "2.4.0", - "resolved": "https://registry.npmjs.org/@peculiar/asn1-ecc/-/asn1-ecc-2.4.0.tgz", - "integrity": "sha512-fJiYUBCJBDkjh347zZe5H81BdJ0+OGIg0X9z06v8xXUoql3MFeENUX0JsjCaVaU9A0L85PefLPGYkIoGpTnXLQ==", + "node_modules/@peculiar/asn1-cms": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-cms/-/asn1-cms-2.5.0.tgz", + "integrity": "sha512-p0SjJ3TuuleIvjPM4aYfvYw8Fk1Hn/zAVyPJZTtZ2eE9/MIer6/18ROxX6N/e6edVSfvuZBqhxAj3YgsmSjQ/A==", "license": "MIT", "dependencies": { - "@peculiar/asn1-schema": "^2.4.0", - "@peculiar/asn1-x509": "^2.4.0", + "@peculiar/asn1-schema": "^2.5.0", + "@peculiar/asn1-x509": "^2.5.0", + "@peculiar/asn1-x509-attr": "^2.5.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-csr": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-csr/-/asn1-csr-2.5.0.tgz", + "integrity": "sha512-ioigvA6WSYN9h/YssMmmoIwgl3RvZlAYx4A/9jD2qaqXZwGcNlAxaw54eSx2QG1Yu7YyBC5Rku3nNoHrQ16YsQ==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.5.0", + "@peculiar/asn1-x509": "^2.5.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-ecc": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-ecc/-/asn1-ecc-2.5.0.tgz", + "integrity": "sha512-t4eYGNhXtLRxaP50h3sfO6aJebUCDGQACoeexcelL4roMFRRVgB20yBIu2LxsPh/tdW9I282gNgMOyg3ywg/mg==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.5.0", + "@peculiar/asn1-x509": "^2.5.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-pfx": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-pfx/-/asn1-pfx-2.5.0.tgz", + "integrity": "sha512-Vj0d0wxJZA+Ztqfb7W+/iu8Uasw6hhKtCdLKXLG/P3kEPIQpqGI4P4YXlROfl7gOCqFIbgsj1HzFIFwQ5s20ug==", + "license": "MIT", + "dependencies": { + 
"@peculiar/asn1-cms": "^2.5.0", + "@peculiar/asn1-pkcs8": "^2.5.0", + "@peculiar/asn1-rsa": "^2.5.0", + "@peculiar/asn1-schema": "^2.5.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-pkcs8": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs8/-/asn1-pkcs8-2.5.0.tgz", + "integrity": "sha512-L7599HTI2SLlitlpEP8oAPaJgYssByI4eCwQq2C9eC90otFpm8MRn66PpbKviweAlhinWQ3ZjDD2KIVtx7PaVw==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.5.0", + "@peculiar/asn1-x509": "^2.5.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-pkcs9": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs9/-/asn1-pkcs9-2.5.0.tgz", + "integrity": "sha512-UgqSMBLNLR5TzEZ5ZzxR45Nk6VJrammxd60WMSkofyNzd3DQLSNycGWSK5Xg3UTYbXcDFyG8pA/7/y/ztVCa6A==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-cms": "^2.5.0", + "@peculiar/asn1-pfx": "^2.5.0", + "@peculiar/asn1-pkcs8": "^2.5.0", + "@peculiar/asn1-schema": "^2.5.0", + "@peculiar/asn1-x509": "^2.5.0", + "@peculiar/asn1-x509-attr": "^2.5.0", "asn1js": "^3.0.6", "tslib": "^2.8.1" } }, "node_modules/@peculiar/asn1-rsa": { - "version": "2.4.0", - "resolved": "https://registry.npmjs.org/@peculiar/asn1-rsa/-/asn1-rsa-2.4.0.tgz", - "integrity": "sha512-6PP75voaEnOSlWR9sD25iCQyLgFZHXbmxvUfnnDcfL6Zh5h2iHW38+bve4LfH7a60x7fkhZZNmiYqAlAff9Img==", + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-rsa/-/asn1-rsa-2.5.0.tgz", + "integrity": "sha512-qMZ/vweiTHy9syrkkqWFvbT3eLoedvamcUdnnvwyyUNv5FgFXA3KP8td+ATibnlZ0EANW5PYRm8E6MJzEB/72Q==", "license": "MIT", "dependencies": { - "@peculiar/asn1-schema": "^2.4.0", - "@peculiar/asn1-x509": "^2.4.0", + "@peculiar/asn1-schema": "^2.5.0", + "@peculiar/asn1-x509": "^2.5.0", "asn1js": "^3.0.6", "tslib": "^2.8.1" } }, "node_modules/@peculiar/asn1-schema": { - "version": "2.4.0", - "resolved": 
"https://registry.npmjs.org/@peculiar/asn1-schema/-/asn1-schema-2.4.0.tgz", - "integrity": "sha512-umbembjIWOrPSOzEGG5vxFLkeM8kzIhLkgigtsOrfLKnuzxWxejAcUX+q/SoZCdemlODOcr5WiYa7+dIEzBXZQ==", + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-schema/-/asn1-schema-2.5.0.tgz", + "integrity": "sha512-YM/nFfskFJSlHqv59ed6dZlLZqtZQwjRVJ4bBAiWV08Oc+1rSd5lDZcBEx0lGDHfSoH3UziI2pXt2UM33KerPQ==", "license": "MIT", "dependencies": { "asn1js": "^3.0.6", 
@@ -3699,17 +3766,48 @@ } }, "node_modules/@peculiar/asn1-x509": { - "version": "2.4.0", - "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509/-/asn1-x509-2.4.0.tgz", - "integrity": "sha512-F7mIZY2Eao2TaoVqigGMLv+NDdpwuBKU1fucHPONfzaBS4JXXCNCmfO0Z3dsy7JzKGqtDcYC1mr9JjaZQZNiuw==", + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509/-/asn1-x509-2.5.0.tgz", + "integrity": "sha512-CpwtMCTJvfvYTFMuiME5IH+8qmDe3yEWzKHe7OOADbGfq7ohxeLaXwQo0q4du3qs0AII3UbLCvb9NF/6q0oTKQ==", "license": "MIT", "dependencies": { - "@peculiar/asn1-schema": "^2.4.0", + "@peculiar/asn1-schema": "^2.5.0", "asn1js": "^3.0.6", "pvtsutils": "^1.3.6", "tslib": "^2.8.1" } }, + "node_modules/@peculiar/asn1-x509-attr": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509-attr/-/asn1-x509-attr-2.5.0.tgz", + "integrity": "sha512-9f0hPOxiJDoG/bfNLAFven+Bd4gwz/VzrCIIWc1025LEI4BXO0U5fOCTNDPbbp2ll+UzqKsZ3g61mpBp74gk9A==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.5.0", + "@peculiar/asn1-x509": "^2.5.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/x509": { + "version": "1.14.0", + "resolved": "https://registry.npmjs.org/@peculiar/x509/-/x509-1.14.0.tgz", + "integrity": "sha512-Yc4PDxN3OrxUPiXgU63c+ZRXKGE8YKF2McTciYhUHFtHVB0KMnjeFSU0qpztGhsp4P0uKix4+J2xEpIEDu8oXg==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-cms": "^2.5.0", + "@peculiar/asn1-csr": "^2.5.0", + "@peculiar/asn1-ecc": "^2.5.0", + "@peculiar/asn1-pkcs9": "^2.5.0", + "@peculiar/asn1-rsa": "^2.5.0", + "@peculiar/asn1-schema": "^2.5.0", + "@peculiar/asn1-x509": "^2.5.0", + "pvtsutils": "^1.3.6", + "reflect-metadata": "^0.2.2", + "tslib": "^2.8.1", + "tsyringe": "^4.10.0" + } + }, "node_modules/@posthog/core": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/@posthog/core/-/core-1.0.2.tgz", 
@@ -5102,15 +5200,15 @@ } }, "node_modules/@simplewebauthn/browser": { - "version": "13.1.2", - "resolved": "https://registry.npmjs.org/@simplewebauthn/browser/-/browser-13.1.2.tgz", - "integrity": "sha512-aZnW0KawAM83fSBUgglP5WofbrLbLyr7CoPqYr66Eppm7zO86YX6rrCjRB3hQKPrL7ATvY4FVXlykZ6w6FwYYw==", + "version": "13.2.0", + "resolved": "https://registry.npmjs.org/@simplewebauthn/browser/-/browser-13.2.0.tgz", + "integrity": "sha512-N3fuA1AAnTo5gCStYoIoiasPccC+xPLx2YU88Dv0GeAmPQTWHETlZQq5xZ0DgUq1H9loXMWQH5qqUjcI7BHJ1A==", "license": "MIT" }, "node_modules/@simplewebauthn/server": { - "version": "9.0.3", - "resolved": "https://registry.npmjs.org/@simplewebauthn/server/-/server-9.0.3.tgz", - "integrity": "sha512-FMZieoBosrVLFxCnxPFD9Enhd1U7D8nidVDT4MsHc6l4fdVcjoeHjDueeXCloO1k5O/fZg1fsSXXPKbY2XTzDA==", + "version": "13.2.1", + "resolved": "https://registry.npmjs.org/@simplewebauthn/server/-/server-13.2.1.tgz", + "integrity": "sha512-Inmfye5opZXe3HI0GaksqBnQiM7glcNySoG6DH1GgkO1Lh9dvuV4XSV9DK02DReUVX39HpcDob9nxHELjECoQw==", "license": "MIT", "dependencies": { "@hexagon/base64": "^1.1.27", @@ -5120,20 +5218,12 @@ "@peculiar/asn1-rsa": "^2.3.8", "@peculiar/asn1-schema": "^2.3.8", "@peculiar/asn1-x509": "^2.3.8", - "@simplewebauthn/types": "^9.0.1", - "cross-fetch": "^4.0.0" + "@peculiar/x509": "^1.13.0" }, "engines": { - "node": ">=16.0.0" + "node": ">=20.0.0" } }, - "node_modules/@simplewebauthn/types": { - "version": "9.0.1", - "resolved": "https://registry.npmjs.org/@simplewebauthn/types/-/types-9.0.1.tgz", - "integrity": "sha512-tGSRP1QvsAvsJmnOlRQyw/mvK9gnPtjEc5fg2+m8n+QUa+D7rvrKkOYyfpy42GTs90X3RDOnqJgfHt+qO67/+w==", - "deprecated": "Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.", - "license": "MIT" - }, "node_modules/@smithy/abort-controller": { "version": "4.1.1", "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-4.1.1.tgz", 
@@ -8079,35 +8169,6 @@ "node": ">= 0.10" } }, - "node_modules/cross-fetch": { - "version": "4.1.0", - "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-4.1.0.tgz", - "integrity": "sha512-uKm5PU+MHTootlWEY+mZ4vvXoCn4fLQxT9dSc1sXVMSFkINTJVN8cAQROpwcKm8bJ/c7rgZVIBWzH5T78sNZZw==", - "license": "MIT", - "dependencies": { - "node-fetch": "^2.7.0" - } - }, - "node_modules/cross-fetch/node_modules/node-fetch": { - "version": "2.7.0", - "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", - "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", - "license": "MIT", - "dependencies": { - "whatwg-url": "^5.0.0" - }, - "engines": { - "node": "4.x || >=6.0.0" - }, - "peerDependencies": { - "encoding": "^0.1.0" - }, - "peerDependenciesMeta": { - "encoding": { - "optional": true - } - } - }, "node_modules/cross-spawn": { "version": "7.0.6", "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", @@ -16205,6 +16266,12 @@ "node": ">=0.8.8" } }, + "node_modules/reflect-metadata": { + "version": "0.2.2", + "resolved": "https://registry.npmjs.org/reflect-metadata/-/reflect-metadata-0.2.2.tgz", + "integrity": "sha512-urBwgfrvVP/eAyXx4hluJivBKzuEbSQs9rKWCrCkbSxNv8mxPcUZKeuoF3Uy4mJl3Lwprp6yy5/39VWigZ4K6Q==", + "license": "Apache-2.0" + }, "node_modules/reflect.getprototypeof": { "version": "1.0.10", "resolved": "https://registry.npmjs.org/reflect.getprototypeof/-/reflect.getprototypeof-1.0.10.tgz", @@ -17515,12 +17582,6 @@ "node": ">=0.6" } }, - "node_modules/tr46": { - "version": "0.0.3", - "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", - "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==", - "license": "MIT" - }, "node_modules/triple-beam": { "version": "1.4.1", "resolved": "https://registry.npmjs.org/triple-beam/-/triple-beam-1.4.1.tgz", 
@@ -17685,6 +17746,24 @@ "fsevents": "~2.3.3" } }, + "node_modules/tsyringe": { + "version": "4.10.0", + "resolved": "https://registry.npmjs.org/tsyringe/-/tsyringe-4.10.0.tgz", + "integrity": "sha512-axr3IdNuVIxnaK5XGEUFTu3YmAQ6lllgrvqfEoR16g/HGnYY/6We4oWENtAnzK6/LpJ2ur9PAb80RBt7/U4ugw==", + "license": "MIT", + "dependencies": { + "tslib": "^1.9.3" + }, + "engines": { + "node": ">= 6.0.0" + } + }, + "node_modules/tsyringe/node_modules/tslib": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz", + "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==", + "license": "0BSD" + }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", @@ -18036,22 +18115,6 @@ "node": ">= 8" } }, - "node_modules/webidl-conversions": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", - "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==", - "license": "BSD-2-Clause" - }, - "node_modules/whatwg-url": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", - "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", - "license": "MIT", - "dependencies": { - "tr46": "~0.0.3", - "webidl-conversions": "^3.0.0" - } - }, "node_modules/which": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/which/-/which-4.0.0.tgz", diff --git a/package.json b/package.json index d03f7c2f..c0d71dab 100644 --- a/package.json +++ b/package.json 
@@ -52,8 +52,8 @@ "@react-email/components": "0.5.3", "@react-email/render": "^1.2.0", "@react-email/tailwind": "1.2.2", - "@simplewebauthn/browser": "^13.1.2", - "@simplewebauthn/server": "^9.0.3", + "@simplewebauthn/browser": "^13.2.0", + "@simplewebauthn/server": "^13.2.1", "@tailwindcss/forms": "^0.5.10", "@tanstack/react-table": "8.21.3", "arctic": "^3.7.0", diff --git a/server/routers/auth/securityKey.ts b/server/routers/auth/securityKey.ts index 6b014986..8c9b02a5 100644 --- a/server/routers/auth/securityKey.ts +++ b/server/routers/auth/securityKey.ts @@ -20,14 +20,16 @@ import type { GenerateAuthenticationOptionsOpts, VerifyAuthenticationResponseOpts, VerifiedRegistrationResponse, - VerifiedAuthenticationResponse -} from "@simplewebauthn/server"; -import type { + VerifiedAuthenticationResponse, AuthenticatorTransport, AuthenticatorTransportFuture, PublicKeyCredentialDescriptorJSON, PublicKeyCredentialDescriptorFuture -} from "@simplewebauthn/types"; +} from "@simplewebauthn/server"; +import { + isoUint8Array, + isoBase64URL +} from '@simplewebauthn/server/helpers'; import config from "@server/lib/config"; import { UserType } from "@server/types/UserTypes"; import { verifyPassword } from "@server/auth/password"; @@ -204,15 +206,15 @@ export async function startRegistration( .where(eq(securityKeys.userId, user.userId)); const excludeCredentials = existingSecurityKeys.map(key => ({ - id: new Uint8Array(Buffer.from(key.credentialId, 'base64')), - type: 'public-key' as const, + id: key.credentialId, + type: "public-key" as const, transports: key.transports ? JSON.parse(key.transports) as AuthenticatorTransportFuture[] : undefined })); const options: GenerateRegistrationOptionsOpts = { rpName, rpID, - userID: user.userId, + userID: isoUint8Array.fromUTF8String( user.userId ), userName: user.email || user.username, attestationType: 'none', excludeCredentials, 
@@ -308,10 +310,10 @@ export async function verifyRegistration( // Store the security key in the database await db.insert(securityKeys).values({ - credentialId: Buffer.from(registrationInfo.credentialID).toString('base64'), + credentialId: registrationInfo.credential.id, userId: user.userId, - publicKey: Buffer.from(registrationInfo.credentialPublicKey).toString('base64'), - signCount: registrationInfo.counter || 0, + publicKey: Buffer.from(registrationInfo.credential.publicKey).toString('base64'), + signCount: registrationInfo.credential.counter || 0, transports: credential.response.transports ? JSON.stringify(credential.response.transports) : null, name: challengeData.securityKeyName, lastUsed: new Date().toISOString(), @@ -496,7 +498,7 @@ export async function startAuthentication( const { email } = parsedBody.data; try { - let allowCredentials: PublicKeyCredentialDescriptorFuture[] = []; + let allowCredentials; let userId; // If email is provided, get security keys for that specific user @@ -533,13 +535,10 @@ export async function startAuthentication( } allowCredentials = userSecurityKeys.map(key => ({ - id: new Uint8Array(Buffer.from(key.credentialId, 'base64')), + id: key.credentialId, type: 'public-key' as const, transports: key.transports ? JSON.parse(key.transports) as AuthenticatorTransportFuture[] : undefined })); - } else { - // If no email provided, allow any security key (for resident key authentication) - allowCredentials = []; } const options: GenerateAuthenticationOptionsOpts = { 
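Review bot: `let allowCredentials;` in the startAuthentication hunk drops the `PublicKeyCredentialDescriptorFuture[]` annotation, so the list built from `userSecurityKeys` is no longer checked against what `generateAuthenticationOptions` accepts. This list decides which credentials may answer the challenge, so an explicit type is worth keeping, for example `let allowCredentials: { id: string; transports?: AuthenticatorTransportFuture[] }[] | undefined;`. The removed `else` branch carried the only comment explaining the no-email case; a one-line comment that an undefined list means any discoverable credential is accepted would preserve that. The function body starts and ends outside the hunk.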
@@ -653,9 +652,9 @@ export async function verifyAuthentication( expectedChallenge: challengeData.challenge, expectedOrigin: origin, expectedRPID: rpID, - authenticator: { - credentialID: Buffer.from(securityKey.credentialId, 'base64'), - credentialPublicKey: Buffer.from(securityKey.publicKey, 'base64'), + credential: { + id: securityKey.credentialId, + publicKey: Buffer.from(securityKey.publicKey, 'base64'), counter: securityKey.signCount, transports: securityKey.transports ? JSON.parse(securityKey.transports) as AuthenticatorTransportFuture[] : undefined }, @@ -714,4 +713,4 @@ export async function verifyAuthentication( ) ); } -} \ No newline at end of file +} \ No newline at end of file From 31896c9be9da3f8dbe78bfea5007a435e586f72f Mon Sep 17 00:00:00 2001 From: Marvin <127591405+Lokowitz@users.noreply.github.com> Date: Mon, 22 Sep 2025 12:12:46 +0000 Subject: [PATCH 2/9] cleanup --- server/routers/auth/securityKey.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/server/routers/auth/securityKey.ts b/server/routers/auth/securityKey.ts index 8c9b02a5..ba357f51 100644 --- a/server/routers/auth/securityKey.ts +++ b/server/routers/auth/securityKey.ts @@ -207,7 +207,6 @@ export async function startRegistration( const excludeCredentials = existingSecurityKeys.map(key => ({ id: key.credentialId, - type: "public-key" as const, transports: key.transports ? JSON.parse(key.transports) as AuthenticatorTransportFuture[] : undefined })); @@ -536,7 +535,6 @@ export async function startAuthentication( allowCredentials = userSecurityKeys.map(key => ({ id: key.credentialId, - type: 'public-key' as const, transports: key.transports ? JSON.parse(key.transports) as AuthenticatorTransportFuture[] : undefined })); } From 76da2ee324ec999816822b9d9d73e9d2838eb35a Mon Sep 17 00:00:00 2001 
From: Marvin <127591405+Lokowitz@users.noreply.github.com> Date: Mon, 22 Sep 2025 12:19:35 +0000 Subject: [PATCH 3/9] cleanup --- server/routers/auth/securityKey.ts | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/server/routers/auth/securityKey.ts b/server/routers/auth/securityKey.ts index ba357f51..62e4b997 100644 --- a/server/routers/auth/securityKey.ts +++ b/server/routers/auth/securityKey.ts @@ -16,19 +16,11 @@ import { } from "@simplewebauthn/server"; import type { GenerateRegistrationOptionsOpts, - VerifyRegistrationResponseOpts, GenerateAuthenticationOptionsOpts, - VerifyAuthenticationResponseOpts, - VerifiedRegistrationResponse, - VerifiedAuthenticationResponse, - AuthenticatorTransport, - AuthenticatorTransportFuture, - PublicKeyCredentialDescriptorJSON, - PublicKeyCredentialDescriptorFuture + AuthenticatorTransportFuture } from "@simplewebauthn/server"; import { - isoUint8Array, - isoBase64URL + isoUint8Array } from '@simplewebauthn/server/helpers'; import config from "@server/lib/config"; import { UserType } from "@server/types/UserTypes"; From 73cd82081a4f39c47c2efed9d0ccb43b2f5744a4 Mon Sep 17 00:00:00 2001 From: Lokowitz Date: Tue, 23 Sep 2025 16:51:08 +0000 Subject: [PATCH 4/9] fix securitykey --- server/routers/auth/securityKey.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/server/routers/auth/securityKey.ts b/server/routers/auth/securityKey.ts index 62e4b997..a3389ba7 100644 --- a/server/routers/auth/securityKey.ts +++ b/server/routers/auth/securityKey.ts @@ -20,7 +20,7 @@ import type { AuthenticatorTransportFuture } from "@simplewebauthn/server"; import { - isoUint8Array + isoBase64URL } from '@simplewebauthn/server/helpers'; import config from "@server/lib/config"; import { UserType } from "@server/types/UserTypes"; 
@@ -205,7 +205,7 @@ export async function startRegistration( const options: GenerateRegistrationOptionsOpts = { rpName, rpID, - userID: isoUint8Array.fromUTF8String( user.userId ), + userID: isoBase64URL.toBuffer(user.userId), userName: user.email || user.username, attestationType: 'none', excludeCredentials, @@ -303,9 +303,9 @@ export async function verifyRegistration( await db.insert(securityKeys).values({ credentialId: registrationInfo.credential.id, userId: user.userId, - publicKey: Buffer.from(registrationInfo.credential.publicKey).toString('base64'), + publicKey: isoBase64URL.fromBuffer(registrationInfo.credential.publicKey), signCount: registrationInfo.credential.counter || 0, - transports: credential.response.transports ? JSON.stringify(credential.response.transports) : null, + transports: registrationInfo.credential.transports ? JSON.stringify(registrationInfo.credential.transports) : null, name: challengeData.securityKeyName, lastUsed: new Date().toISOString(), dateCreated: new Date().toISOString() @@ -644,7 +644,7 @@ export async function verifyAuthentication( expectedRPID: rpID, credential: { id: securityKey.credentialId, - publicKey: Buffer.from(securityKey.publicKey, 'base64'), + publicKey: isoBase64URL.toBuffer(securityKey.publicKey), counter: securityKey.signCount, transports: securityKey.transports ? JSON.parse(securityKey.transports) as AuthenticatorTransportFuture[] : undefined }, From 1352316492bc8fb6b33af5983b69b4044bafd520 Mon Sep 17 00:00:00 2001 From: Lokowitz Date: Tue, 23 Sep 2025 17:44:34 +0000 Subject: [PATCH 5/9] update securityKey --- server/routers/auth/securityKey.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/routers/auth/securityKey.ts b/server/routers/auth/securityKey.ts index a3389ba7..7e131dfd 100644 --- a/server/routers/auth/securityKey.ts +++ b/server/routers/auth/securityKey.ts 
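Review bot: `isoBase64URL.toBuffer(user.userId)` in the startRegistration hunk treats the account id as base64url data, which only holds if `user.userId` is generated in that encoding; its format is not visible in this patch. If it is an arbitrary identifier string, characters outside the base64url alphabet may fail or decode unpredictably, and a length that is not a multiple of four leaves unused trailing bits, so two distinct ids could end up with the same WebAuthn user handle. The previous revision's `userID: isoUint8Array.fromUTF8String(user.userId)` maps every string to a distinct byte sequence and looks like the safer choice unless something downstream depends on the base64url form. The options object continues outside the hunk.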
@@ -605,7 +605,7 @@ export async function verifyAuthentication( } // Find the security key in database - const credentialId = Buffer.from(credential.id, 'base64').toString('base64'); + const credentialId = credential.id; const [securityKey] = await db .select() .from(securityKeys) From df92e413849f519f573e9b1a344db394392d1413 Mon Sep 17 00:00:00 2001 From: Lokowitz Date: Thu, 25 Sep 2025 19:55:36 +0000 Subject: [PATCH 6/9] added migration for simplewebauthn --- server/setup/migrationsPg.ts | 2 ++ server/setup/migrationsSqlite.ts | 2 ++ server/setup/scriptsPg/1.10.4.ts | 39 ++++++++++++++++++++++++++++ server/setup/scriptsSqlite/1.10.4.ts | 34 ++++++++++++++++++++++++ 4 files changed, 77 insertions(+) create mode 100644 server/setup/scriptsPg/1.10.4.ts create mode 100644 server/setup/scriptsSqlite/1.10.4.ts diff --git a/server/setup/migrationsPg.ts b/server/setup/migrationsPg.ts index 04779f30..5c748c89 100644 --- a/server/setup/migrationsPg.ts +++ b/server/setup/migrationsPg.ts @@ -11,6 +11,7 @@ import m3 from "./scriptsPg/1.8.0"; import m4 from "./scriptsPg/1.9.0"; import m5 from "./scriptsPg/1.10.0"; import m6 from "./scriptsPg/1.10.2"; +import m7 from "./scriptsPg/1.10.4"; // THIS CANNOT IMPORT ANYTHING FROM THE SERVER // EXCEPT FOR THE DATABASE AND THE SCHEMA @@ -23,6 +24,7 @@ const migrations = [ { version: "1.9.0", run: m4 }, { version: "1.10.0", run: m5 }, { version: "1.10.2", run: m6 }, + { version: "1.10.4", run: m7 }, // Add new migrations here as they are created ] as { version: string; diff --git a/server/setup/migrationsSqlite.ts b/server/setup/migrationsSqlite.ts index 654c2716..d7c6793f 100644 --- a/server/setup/migrationsSqlite.ts +++ b/server/setup/migrationsSqlite.ts 
@@ -29,6 +29,7 @@ import m24 from "./scriptsSqlite/1.9.0"; import m25 from "./scriptsSqlite/1.10.0"; import m26 from "./scriptsSqlite/1.10.1"; import m27 from "./scriptsSqlite/1.10.2"; +import m28 from "./scriptsSqlite/1.10.4"; // THIS CANNOT IMPORT ANYTHING FROM THE SERVER // EXCEPT FOR THE DATABASE AND THE SCHEMA @@ -57,6 +58,7 @@ const migrations = [ { version: "1.10.0", run: m25 }, { version: "1.10.1", run: m26 }, { version: "1.10.2", run: m27 }, + { version: "1.10.4", run: m28 }, // Add new migrations here as they are created ] as const; diff --git a/server/setup/scriptsPg/1.10.4.ts b/server/setup/scriptsPg/1.10.4.ts new file mode 100644 index 00000000..311e6dc2 --- /dev/null +++ b/server/setup/scriptsPg/1.10.4.ts 
@@ -0,0 +1,39 @@
+import { db } from "@server/db/pg/driver";
+import { sql } from "drizzle-orm";
+import { isoBase64URL } from "@simplewebauthn/server/helpers";
+
+const version = "1.10.4";
+
+export default async function migration() {
+ console.log(`Running setup script ${version}...`);
+
+ try {
+ await db.execute(sql`BEGIN`);
+
+ const webauthnCredentialsQuery = await db.execute(sql`SELECT credentialId, publicKey FROM 'webauthnCredentials'`);
+
+ const webauthnCredentials = webauthnCredentialsQuery.rows as { credentialId: string; publicKey: string }[];
+
+ for (const webauthnCredential of webauthnCredentials) {
+ const credentialId = isoBase64URL.fromBuffer(new Uint8Array(Buffer.from(webauthnCredential.credentialId, 'base64')));
+ await db.execute(sql`
+ UPDATE "webauthnCredentials" SET "credentialId" = ${credentialId}
+ `);
+
+ const publicKey = isoBase64URL.fromBuffer(new Uint8Array(Buffer.from(webauthnCredential.publicKey, 'base64')));
+ await db.execute(sql`
+ UPDATE "webauthnCredentials" SET "publicKey" = ${publicKey}
+ `);
+ }
+
+ await db.execute(sql`COMMIT`);
+ console.log(`Updated credentialId and publicKey`);
+ } catch (e) {
+ await db.execute(sql`ROLLBACK`);
+ console.log("Unable to update credentialId and publicKey");
+ console.log(e);
+ throw e;
+ }
+
+ console.log(`${version} migration complete`);
+}
diff --git a/server/setup/scriptsSqlite/1.10.4.ts b/server/setup/scriptsSqlite/1.10.4.ts
new file mode 100644
index 00000000..5c7f0a0e
--- /dev/null
+++ b/server/setup/scriptsSqlite/1.10.4.ts
@@ -0,0 +1,34 @@
+import { APP_PATH } from "@server/lib/consts";
+import Database from "better-sqlite3";
+import path from "path";
+import { isoBase64URL } from "@simplewebauthn/server/helpers";
+
+const version = "1.10.4";
+
+export default async function migration() {
+ console.log(`Running setup script ${version}...`);
+
+ const location = path.join(APP_PATH, "db", "db.sqlite");
+ const db = new Database(location);
+
+ db.transaction(() => {
+
+ const webauthnCredentials = db.prepare(`SELECT credentialId, publicKey FROM 'webauthnCredentials'`).all() as {
+ credentialId: string; publicKey: string
+ }[];
+
+ for (const webauthnCredential of webauthnCredentials) {
+ const credentialId = isoBase64URL.fromBuffer(new Uint8Array(Buffer.from(webauthnCredential.credentialId, 'base64')));
+ db.prepare(
+ `UPDATE 'webauthnCredentials' SET 'credentialId' = ?`
+ ).run(credentialId);
+
+ const publicKey = isoBase64URL.fromBuffer(new Uint8Array(Buffer.from(webauthnCredential.publicKey, 'base64')));
+ db.prepare(
+ `UPDATE 'webauthnCredentials' SET 'publicKey' = ?`
+ ).run(publicKey);
+ }
+ })();
+
+ console.log(`${version} migration complete`);
+}
From 2c8082451f947a741a1608602c37aadff9895811 Mon Sep 17 00:00:00 2001 From: Owen Date: Sun, 28 Sep 2025 10:32:46 -0700 Subject: [PATCH 7/9] Add where clause to sql migrations
---
server/setup/scriptsPg/1.10.4.ts | 2 ++ server/setup/scriptsSqlite/1.10.4.ts | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/server/setup/scriptsPg/1.10.4.ts b/server/setup/scriptsPg/1.10.4.ts
index 311e6dc2..fa4ff401 100644
--- a/server/setup/scriptsPg/1.10.4.ts
+++ b/server/setup/scriptsPg/1.10.4.ts
@@ -18,11 +18,13 @@ export default async function migration() { const credentialId = isoBase64URL.fromBuffer(new Uint8Array(Buffer.from(webauthnCredential.credentialId, 'base64'))); await db.execute(sql` UPDATE "webauthnCredentials" SET "credentialId" = ${credentialId} + WHERE "credentialId" = ${webauthnCredential.credentialId} `); const publicKey = isoBase64URL.fromBuffer(new Uint8Array(Buffer.from(webauthnCredential.publicKey, 'base64'))); await db.execute(sql` UPDATE "webauthnCredentials" SET "publicKey" = ${publicKey} + WHERE "credentialId" = ${webauthnCredential.credentialId} `); } diff --git a/server/setup/scriptsSqlite/1.10.4.ts b/server/setup/scriptsSqlite/1.10.4.ts index 5c7f0a0e..ff22d70f 100644 --- a/server/setup/scriptsSqlite/1.10.4.ts +++ b/server/setup/scriptsSqlite/1.10.4.ts @@ -20,13 +20,13 @@ export default async function migration() { for (const webauthnCredential of webauthnCredentials) { const credentialId = isoBase64URL.fromBuffer(new Uint8Array(Buffer.from(webauthnCredential.credentialId, 'base64'))); db.prepare( - `UPDATE 'webauthnCredentials' SET 'credentialId' = ?` - ).run(credentialId); + `UPDATE 'webauthnCredentials' SET 'credentialId' = ? WHERE 'credentialId' = ?` + ).run(credentialId, webauthnCredential.credentialId); const publicKey = isoBase64URL.fromBuffer(new Uint8Array(Buffer.from(webauthnCredential.publicKey, 'base64'))); db.prepare( - `UPDATE 'webauthnCredentials' SET 'publicKey' = ?` - ).run(publicKey); + `UPDATE 'webauthnCredentials' SET 'publicKey' = ? WHERE 'credentialId' = ?` + ).run(publicKey, webauthnCredential.credentialId); } })(); From 4523a8df0fe299ae7948951497cdda5d5d0b1a95 Mon Sep 17 00:00:00 2001 From: Owen Date: Sun, 28 Sep 2025 10:36:03 -0700 Subject: [PATCH 8/9] Bump build --- server/lib/consts.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/lib/consts.ts b/server/lib/consts.ts index 6c13963a..5df517b8 100644 --- a/server/lib/consts.ts +++ b/server/lib/consts.ts 
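Review bot: The second UPDATE in the Postgres loop filters on `"credentialId" = ${webauthnCredential.credentialId}`, but the first UPDATE has just rewritten that column to the base64url value, so for every row whose id changed the `publicKey` statement matches nothing and the key stays in the old base64 form. verifyAuthentication now decodes the stored key with `isoBase64URL.toBuffer`, so those credentials would presumably stop verifying after the upgrade. Converting both columns in one statement removes the ordering problem: `UPDATE "webauthnCredentials" SET "credentialId" = ${credentialId}, "publicKey" = ${publicKey} WHERE "credentialId" = ${webauthnCredential.credentialId}`. The loop sits inside migration(), whose body continues outside this hunk.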
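Review bot: In the SQLite hunk `WHERE 'credentialId' = ?` compares the string literal 'credentialId' with the parameter, because SQLite reads a single-quoted token as an identifier only where a literal is not allowed; both UPDATEs therefore match no rows and the migration completes without converting anything. Existing security keys would stay in base64 while the router now looks them up and decodes them as base64url, so affected users could be unable to sign in with them. Use double-quoted identifiers and update both columns together, `UPDATE "webauthnCredentials" SET "credentialId" = ?, "publicKey" = ? WHERE "credentialId" = ?` with `.run(credentialId, publicKey, webauthnCredential.credentialId)`, which also avoids filtering a second statement on an id the first one already changed. Checking `.changes` on the result of `run()` and throwing when it is 0 would surface a silent no-op inside the transaction.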
@@ -2,7 +2,7 @@ import path from "path"; import { fileURLToPath } from "url"; // This is a placeholder value replaced by the build process -export const APP_VERSION = "1.10.2"; +export const APP_VERSION = "1.10.4"; export const __FILENAME = fileURLToPath(import.meta.url); export const __DIRNAME = path.dirname(__FILENAME); From e43fc59634449a65c73f624562a5c71690273087 Mon Sep 17 00:00:00 2001 From: Owen Date: Sun, 28 Sep 2025 10:39:09 -0700 Subject: [PATCH 9/9] Use double quotes --- server/setup/scriptsPg/1.10.4.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/setup/scriptsPg/1.10.4.ts b/server/setup/scriptsPg/1.10.4.ts index fa4ff401..dafec24b 100644 --- a/server/setup/scriptsPg/1.10.4.ts +++ b/server/setup/scriptsPg/1.10.4.ts @@ -10,7 +10,7 @@ export default async function migration() { try { await db.execute(sql`BEGIN`); - const webauthnCredentialsQuery = await db.execute(sql`SELECT credentialId, publicKey FROM 'webauthnCredentials'`); + const webauthnCredentialsQuery = await db.execute(sql`SELECT "credentialId", "publicKey" FROM "webauthnCredentials"`); const webauthnCredentials = webauthnCredentialsQuery.rows as { credentialId: string; publicKey: string }[];