Changed userHandle behavior v10 breaks definitely with existing registrations about simplewebauthn HOT 2 CLOSED

Hi @MasterKale! Thanks for your answer, I know you don't support interaction with other frameworks, but the browser library is really easy to implement. 😄 I really like it!

However, I see that the server package isn't validating the userHandle during an authentication request and therefore this change is indeed not breaking existing implementations in a definite way when using the browser and server combination. An extra decoding step (when needed for the given credential) in the backend seems to be to most logical the solution or I should an implementation for the frontend myself (or find another one elsewhere). For now, I just stick with v9. 😉 Thanks again!

from simplewebauthn.

Hello @joostdebruijn, for the record I only officially support issues with combined use of @simplewebauthn/browser and @simplewebauthn/server - the fact that browser can work with others server libraries is a happy coincidence.

That said, can you solve this with an additional base64url encode of userID, and adding an initial base64url decoding of userHandle after auth? These operations could happen on the back end.

Alternatively, this could be handled on the front end, before calling startRegistration() and startAuthentication(), so that your server receives bytes in the expected order. But I'd say you have less flexibility to do this in the front end because of fewer built-in library tools to handle this.

from simplewebauthn.