fix(passkey): bump @simplewebauthn/server and @simplewebauthn/browser to v10.0.0

[masterjanic]

☕️ Reasoning

The latest version of SimpleWebAuthn (v10.0.0) was released on April 13th and fixes an issue where the browser webauthn autofill handler was not correctly working due to PublicKeyCredential missing. This version also includes changes to how the credentialID and userID is handled. Further we don't need to encode them to an Uint8Array anymore, because the library now expects base64url strings.

This pull request bumps the version and implements the necessary changes for using the latest version.

🧢 Checklist

I couldn't get the tests running on my machine yet, but I will try to test the changes. Database adapters should not be affected since credentialID and userID is stored as a text field already.

• Documentation
• Tests
• Ready to be merged

🎫 Affected issues

There are no affected issues but we might prevent further issues by already implementing the latest version of SimpleWebAuthn.

📌 Resources

• Security guidelines
• Contributing guidelines
• Code of conduct
• Contributing to Open Source

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
auth-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 1, 2024 11:54am

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
next-auth-docs	⬜️ Ignored (Inspect)	Visit Preview		Jun 1, 2024 11:54am

[vercel]

@masterjanic is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.

[ndom91]

Ooo nice, thanks! I was just looking into upgrading to 10.x the other day!

I'll take a closer look at this later today 🙏

[ndom91]

We're there no other relevant breaking changes other than the base64/uint8array changes?

There were a good bit of changes in v10, I just expected us to be affected by more haha

[ndom91]

I see the packages/framework-sveltekit/package.json versions aren't bumped. Can you check that?

[masterjanic]

Got it, I probably missed them. I can also see that some examples have the version listed in the package-lock.yaml as well, but they depend on the latest version of @auth/core

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@types/[email protected]	None	0	6.67 kB	types

🚮 Removed packages: npm/@auth/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

[ndom91]

@masterjanic what do you mean by this exactly?

...I can also see that some examples have the version listed in the package-lock.yaml as well, but they depend on the latest version of @auth/core

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 53.03%. Comparing base (f1bf7ae) to head (2014f49).
Report is 2 commits behind head on main.

❗ Current head 2014f49 differs from pull request most recent head b97b35c

Please upload reports for the commit b97b35c to get more accurate results.

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #10996       +/-   ##
===========================================
+ Coverage   40.91%   53.03%   +12.12%     
===========================================
  Files         176      108       -68     
  Lines       27924     3373    -24551     
  Branches     1243      344      -899     
===========================================
- Hits        11424     1789     -9635     
+ Misses      16500     1584    -14916     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ndom91]

@masterjanic looks like some of the tests in packages/core/test/webauthn-utils.test.ts need to be updated for the new datatypes

[kmr600]

Any update on this?

[masterjanic]

Hi @ndom91, its been a long time since I opened this PR. Is there anything missing from my side? Anything that I can do?

[michaelhays]

We're now 2 major versions behind -- SimpleWebAuthn just released 11.0.0 (with some meaningful features): https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v11.0.0

[rinarakaki]

Now 4 major versions behind:
https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v13.0.0

[masterjanic]

Closing since maintainer does not respond.

[rinarakaki]

@masterjanic
Could you merge the main into your branch and try again, please?

@ndom91
Are there still some tests that need to be fixed? If some approval is required to run it, can you please do it?

[masterjanic]

@masterjanic Could you merge the main into your branch and try again, please?

Sorry, I don't have time to make any more changes to the PR. It has been open for half a year, nobody cared. I switched to better-auth in the meantime, so I don't think I can really contribute anything here.

[rinarakaki]

Everybody cares about good passkey support of Auth.js. I believe that the maintainers are just catching it up right now.