next-auth fix(passkey): bump `@simplewebauthn/server` and `@simplewebauthn/browser` to v10.0.0

☕️ Reasoning

The latest version of SimpleWebAuthn (v10.0.0) was released on April 13th and fixes an issue where the browser webauthn autofill handler was not correctly working due to PublicKeyCredential missing. This version also includes changes to how the credentialID and userID is handled. Further we don't need to encode them to an Uint8Array anymore, because the library now expects base64url strings.

This pull request bumps the version and implements the necessary changes for using the latest version.

🧢 Checklist

I couldn't get the tests running on my machine yet, but I will try to test the changes. Database adapters should not be affected since credentialID and userID is stored as a text field already.

[X] Documentation
[ ] Tests
[ ] Ready to be merged

🎫 Affected issues

There are no affected issues but we might prevent further issues by already implementing the latest version of SimpleWebAuthn.

📌 Resources

May 23 '24 12:05 masterjanic

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
auth-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 1, 2024 11:54am

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
next-auth-docs	⬜️ Ignored (Inspect)	Visit Preview		Jun 1, 2024 11:54am

May 23 '24 12:05 vercel[bot]

@masterjanic is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.

May 23 '24 12:05 vercel[bot]

Ooo nice, thanks! I was just looking into upgrading to 10.x the other day!

I'll take a closer look at this later today 🙏

May 23 '24 12:05 ndom91

We're there no other relevant breaking changes other than the base64/uint8array changes?

There were a good bit of changes in v10, I just expected us to be affected by more haha

May 23 '24 12:05 ndom91

Got it, I probably missed them. I can also see that some examples have the version listed in the package-lock.yaml as well, but they depend on the latest version of @auth/core

May 23 '24 13:05 masterjanic

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@types/[email protected]	None	`0`	6.67 kB	types

🚮 Removed packages: npm/@auth/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

May 23 '24 13:05 socket-security[bot]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

May 23 '24 13:05 socket-security[bot]

@masterjanic what do you mean by this exactly?

...I can also see that some examples have the version listed in the package-lock.yaml as well, but they depend on the latest version of @auth/core

May 28 '24 15:05 ndom91

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 53.03%. Comparing base (f1bf7ae) to head (2014f49). Report is 2 commits behind head on main.

:exclamation: Current head 2014f49 differs from pull request most recent head b97b35c

Please upload reports for the commit b97b35c to get more accurate results.

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #10996       +/-   ##
===========================================
+ Coverage   40.91%   53.03%   +12.12%     
===========================================
  Files         176      108       -68     
  Lines       27924     3373    -24551     
  Branches     1243      344      -899     
===========================================
- Hits        11424     1789     -9635     
+ Misses      16500     1584    -14916

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

Jun 01 '24 10:06 codecov[bot]

@masterjanic looks like some of the tests in packages/core/test/webauthn-utils.test.ts need to be updated for the new datatypes

Jun 01 '24 10:06 ndom91

Any update on this?

Jun 26 '24 22:06 kmr600

Hi @ndom91, its been a long time since I opened this PR. Is there anything missing from my side? Anything that I can do?

Sep 09 '24 09:09 masterjanic

We're now 2 major versions behind -- SimpleWebAuthn just released 11.0.0 (with some meaningful features): https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v11.0.0

Oct 16 '24 21:10 michaelhays

Now 4 major versions behind: https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v13.0.0

Jan 01 '25 16:01 rinarakaki

Closing since maintainer does not respond.

Jan 01 '25 17:01 masterjanic

@masterjanic Could you merge the main into your branch and try again, please?

@ndom91 Are there still some tests that need to be fixed? If some approval is required to run it, can you please do it?

Jan 01 '25 17:01 rinarakaki

@masterjanic Could you merge the main into your branch and try again, please?

Sorry, I don't have time to make any more changes to the PR. It has been open for half a year, nobody cared. I switched to better-auth in the meantime, so I don't think I can really contribute anything here.

Jan 01 '25 17:01 masterjanic

Everybody cares about good passkey support of Auth.js. I believe that the maintainers are just catching it up right now.

Jan 01 '25 17:01 rinarakaki