From 6fa3eb462d25b498c424fad79868dab959d18267 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 7 Jan 2022 13:01:26 +0000
Subject: [PATCH 01/14] Bump spotless-plugin-gradle from 6.0.4 to 6.1.2

Bumps [spotless-plugin-gradle](https://github.com/diffplug/spotless) from 6.0.4 to 6.1.2.
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](https://github.com/diffplug/spotless/compare/gradle/6.0.4...gradle/6.1.2)

---
updated-dependencies:
- dependency-name: com.diffplug.spotless:spotless-plugin-gradle
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 3bd0c4a60..b3c660a43 100644
--- a/build.gradle
+++ b/build.gradle
@@ -4,7 +4,7 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
-    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.0.4'
+    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.1.2'
     classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.8'
   }
 }

From b5a9fe389a72f8f1ff1a38d6991f857009fc2e14 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 13 Jan 2022 13:01:31 +0000
Subject: [PATCH 02/14] Bump spotless-plugin-gradle from 6.1.2 to 6.2.0

Bumps [spotless-plugin-gradle](https://github.com/diffplug/spotless) from 6.1.2 to 6.2.0.
- [Release notes](https://github.com/diffplug/spotless/releases)
- [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md)
- [Commits](https://github.com/diffplug/spotless/compare/gradle/6.1.2...gradle/6.2.0)

---
updated-dependencies:
- dependency-name: com.diffplug.spotless:spotless-plugin-gradle
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index b3c660a43..ca917b032 100644
--- a/build.gradle
+++ b/build.gradle
@@ -4,7 +4,7 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
-    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.1.2'
+    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.2.0'
     classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.8'
   }
 }

From ba4f99927522c486c520c52064e04a4bef62d3a2 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 13 Jan 2022 18:16:39 +0100
Subject: [PATCH 03/14] Fix syntax errors trying to define and use named
 parameters

---
 .../src/main/webapp/index.html                | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index 5dd90ece8..da0af2435 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -182,7 +182,7 @@
   ;
 }
 
-function getRegisterRequest(urls, username, displayName, credentialNickname, requireResidentKey = false) {
+function getRegisterRequest(urls, username, displayName, credentialNickname, requireResidentKey) {
   return fetch(urls.register, {
     body: new URLSearchParams({
       username,
@@ -199,7 +199,7 @@
   ;
 }
 
-function executeRegisterRequest(request, useU2f = false) {
+function executeRegisterRequest(request, useU2f) {
   console.log('executeRegisterRequest', request);
 
   if (useU2f) {
@@ -361,10 +361,10 @@
     });
 }
 
-function registerResidentKey() {
-  return register(requireResidentKey = true);
+function registerResidentKey(event) {
+  return register(event, true);
 }
-function register(requireResidentKey = false, getRequest = getRegisterRequest) {
+function register(event, requireResidentKey) {
   const username = document.getElementById('username').value;
   const displayName = document.getElementById('displayName').value;
   const credentialNickname = document.getElementById('credentialNickname').value;
@@ -374,7 +374,7 @@
 
   return performCeremony({
     getIndexActions,
-    getRequest: urls => getRequest(urls, username, displayName, credentialNickname, requireResidentKey),
+    getRequest: urls => getRegisterRequest(urls, username, displayName, credentialNickname, requireResidentKey),
     statusStrings: {
       init: 'Initiating registration ceremony with server...',
       authenticatorRequest: 'Asking authenticators to create credential...',
@@ -446,13 +446,13 @@
   return webauthn.getAssertion(request.publicKeyCredentialRequestOptions);
 }
 
-function authenticateWithUsername() {
-  return authenticate(username = document.getElementById('username').value);
+function authenticateWithUsername(event) {
+  return authenticate(event, document.getElementById('username').value);
 }
-function authenticate(username = null, getRequest = getAuthenticateRequest) {
+function authenticate(event, username) {
   return performCeremony({
     getIndexActions,
-    getRequest: urls => getRequest(urls, username),
+    getRequest: urls => getAuthenticateRequest(urls, username),
     statusStrings: {
       init: 'Initiating authentication ceremony with server...',
       authenticatorRequest: 'Asking authenticators to perform assertion...',

From 4f6f872d8d10b5730a99dad79f7e3a304c808924 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 13 Jan 2022 18:15:38 +0100
Subject: [PATCH 04/14] Add webauthn-json library

---
 .../webapp/lib/webauthn-json-0.6.1/LICENSE.md |  22 ++
 .../dist/esm/webauthn-json.js                 | 189 ++++++++++++++++++
 .../dist/esm/webauthn-json.js.map             |   7 +
 3 files changed, 218 insertions(+)
 create mode 100644 webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/LICENSE.md
 create mode 100644 webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/dist/esm/webauthn-json.js
 create mode 100644 webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/dist/esm/webauthn-json.js.map

diff --git a/webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/LICENSE.md b/webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/LICENSE.md
new file mode 100644
index 000000000..bfc6c46ef
--- /dev/null
+++ b/webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/LICENSE.md
@@ -0,0 +1,22 @@
+Copyright (c) 2019 GitHub, Inc.
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
diff --git a/webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/dist/esm/webauthn-json.js b/webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/dist/esm/webauthn-json.js
new file mode 100644
index 000000000..d6ef38b2b
--- /dev/null
+++ b/webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/dist/esm/webauthn-json.js
@@ -0,0 +1,189 @@
+// src/webauthn-json/base64url.ts
+function base64urlToBuffer(baseurl64String) {
+  const padding = "==".slice(0, (4 - baseurl64String.length % 4) % 4);
+  const base64String = baseurl64String.replace(/-/g, "+").replace(/_/g, "/") + padding;
+  const str = atob(base64String);
+  const buffer = new ArrayBuffer(str.length);
+  const byteView = new Uint8Array(buffer);
+  for (let i = 0; i < str.length; i++) {
+    byteView[i] = str.charCodeAt(i);
+  }
+  return buffer;
+}
+function bufferToBase64url(buffer) {
+  const byteView = new Uint8Array(buffer);
+  let str = "";
+  for (const charCode of byteView) {
+    str += String.fromCharCode(charCode);
+  }
+  const base64String = btoa(str);
+  const base64urlString = base64String.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  return base64urlString;
+}
+
+// src/webauthn-json/convert.ts
+var copyValue = "copy";
+var convertValue = "convert";
+function convert(conversionFn, schema2, input) {
+  if (schema2 === copyValue) {
+    return input;
+  }
+  if (schema2 === convertValue) {
+    return conversionFn(input);
+  }
+  if (schema2 instanceof Array) {
+    return input.map((v) => convert(conversionFn, schema2[0], v));
+  }
+  if (schema2 instanceof Object) {
+    const output = {};
+    for (const [key, schemaField] of Object.entries(schema2)) {
+      if (schemaField.deriveFn) {
+        const v = schemaField.deriveFn(input);
+        if (v !== void 0) {
+          input[key] = v;
+        }
+      }
+      if (!(key in input)) {
+        if (schemaField.required) {
+          throw new Error(`Missing key: ${key}`);
+        }
+        continue;
+      }
+      if (input[key] == null) {
+        output[key] = null;
+        continue;
+      }
+      output[key] = convert(conversionFn, schemaField.schema, input[key]);
+    }
+    return output;
+  }
+}
+function derived(schema2, deriveFn) {
+  return {
+    required: true,
+    schema: schema2,
+    deriveFn
+  };
+}
+function required(schema2) {
+  return {
+    required: true,
+    schema: schema2
+  };
+}
+function optional(schema2) {
+  return {
+    required: false,
+    schema: schema2
+  };
+}
+
+// src/webauthn-json/basic/schema.ts
+var publicKeyCredentialDescriptorSchema = {
+  type: required(copyValue),
+  id: required(convertValue),
+  transports: optional(copyValue)
+};
+var simplifiedExtensionsSchema = {
+  appid: optional(copyValue),
+  appidExclude: optional(copyValue),
+  credProps: optional(copyValue)
+};
+var simplifiedClientExtensionResultsSchema = {
+  appid: optional(copyValue),
+  appidExclude: optional(copyValue),
+  credProps: optional(copyValue)
+};
+var credentialCreationOptions = {
+  publicKey: required({
+    rp: required(copyValue),
+    user: required({
+      id: required(convertValue),
+      name: required(copyValue),
+      displayName: required(copyValue)
+    }),
+    challenge: required(convertValue),
+    pubKeyCredParams: required(copyValue),
+    timeout: optional(copyValue),
+    excludeCredentials: optional([publicKeyCredentialDescriptorSchema]),
+    authenticatorSelection: optional(copyValue),
+    attestation: optional(copyValue),
+    extensions: optional(simplifiedExtensionsSchema)
+  }),
+  signal: optional(copyValue)
+};
+var publicKeyCredentialWithAttestation = {
+  type: required(copyValue),
+  id: required(copyValue),
+  rawId: required(convertValue),
+  response: required({
+    clientDataJSON: required(convertValue),
+    attestationObject: required(convertValue),
+    transports: derived(copyValue, (response) => response.getTransports?.() || [])
+  }),
+  clientExtensionResults: derived(simplifiedClientExtensionResultsSchema, (pkc) => pkc.getClientExtensionResults())
+};
+var credentialRequestOptions = {
+  mediation: optional(copyValue),
+  publicKey: required({
+    challenge: required(convertValue),
+    timeout: optional(copyValue),
+    rpId: optional(copyValue),
+    allowCredentials: optional([publicKeyCredentialDescriptorSchema]),
+    userVerification: optional(copyValue),
+    extensions: optional(simplifiedExtensionsSchema)
+  }),
+  signal: optional(copyValue)
+};
+var publicKeyCredentialWithAssertion = {
+  type: required(copyValue),
+  id: required(copyValue),
+  rawId: required(convertValue),
+  response: required({
+    clientDataJSON: required(convertValue),
+    authenticatorData: required(convertValue),
+    signature: required(convertValue),
+    userHandle: required(convertValue)
+  }),
+  clientExtensionResults: derived(simplifiedClientExtensionResultsSchema, (pkc) => pkc.getClientExtensionResults())
+};
+var schema = {
+  credentialCreationOptions,
+  publicKeyCredentialWithAttestation,
+  credentialRequestOptions,
+  publicKeyCredentialWithAssertion
+};
+
+// src/webauthn-json/basic/api.ts
+function createRequestFromJSON(requestJSON) {
+  return convert(base64urlToBuffer, credentialCreationOptions, requestJSON);
+}
+function createResponseToJSON(credential) {
+  return convert(bufferToBase64url, publicKeyCredentialWithAttestation, credential);
+}
+async function create(requestJSON) {
+  const credential = await navigator.credentials.create(createRequestFromJSON(requestJSON));
+  return createResponseToJSON(credential);
+}
+function getRequestFromJSON(requestJSON) {
+  return convert(base64urlToBuffer, credentialRequestOptions, requestJSON);
+}
+function getResponseToJSON(credential) {
+  return convert(bufferToBase64url, publicKeyCredentialWithAssertion, credential);
+}
+async function get(requestJSON) {
+  const credential = await navigator.credentials.get(getRequestFromJSON(requestJSON));
+  return getResponseToJSON(credential);
+}
+
+// src/webauthn-json/basic/supported.ts
+function supported() {
+  return !!(navigator.credentials && navigator.credentials.create && navigator.credentials.get && window.PublicKeyCredential);
+}
+export {
+  create,
+  get,
+  schema,
+  supported
+};
+//# sourceMappingURL=webauthn-json.js.map
diff --git a/webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/dist/esm/webauthn-json.js.map b/webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/dist/esm/webauthn-json.js.map
new file mode 100644
index 000000000..9d6aa22ef
--- /dev/null
+++ b/webauthn-server-demo/src/main/webapp/lib/webauthn-json-0.6.1/dist/esm/webauthn-json.js.map
@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/webauthn-json/base64url.ts", "../../src/webauthn-json/convert.ts", "../../src/webauthn-json/basic/schema.ts", "../../src/webauthn-json/basic/api.ts", "../../src/webauthn-json/basic/supported.ts"],
+  "sourcesContent": ["export type Base64urlString = string;\n\nexport function base64urlToBuffer(\n  baseurl64String: Base64urlString,\n): ArrayBuffer {\n  // Base64url to Base64\n  const padding = \"==\".slice(0, (4 - (baseurl64String.length % 4)) % 4);\n  const base64String =\n    baseurl64String.replace(/-/g, \"+\").replace(/_/g, \"/\") + padding;\n\n  // Base64 to binary string\n  const str = atob(base64String);\n\n  // Binary string to buffer\n  const buffer = new ArrayBuffer(str.length);\n  const byteView = new Uint8Array(buffer);\n  for (let i = 0; i < str.length; i++) {\n    byteView[i] = str.charCodeAt(i);\n  }\n  return buffer;\n}\n\nexport function bufferToBase64url(buffer: ArrayBuffer): Base64urlString {\n  // Buffer to binary string\n  const byteView = new Uint8Array(buffer);\n  let str = \"\";\n  for (const charCode of byteView) {\n    str += String.fromCharCode(charCode);\n  }\n\n  // Binary string to base64\n  const base64String = btoa(str);\n\n  // Base64 to base64url\n  // We assume that the base64url string is well-formed.\n  const base64urlString = base64String\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=/g, \"\");\n  return base64urlString;\n}\n", "// We export these values in order so that they can be used to deduplicate\n// schema definitions in minified JS code.\n\nimport { Schema, SchemaProperty } from \"./schema-format\";\n\n// TODO: Parcel isn't deduplicating these values.\nexport const copyValue = \"copy\";\nexport const convertValue = \"convert\";\n\nexport function convert<From, To>(\n  conversionFn: (v: From) => To,\n  schema: Schema,\n  input: any,\n): any {\n  if (schema === copyValue) {\n    return input;\n  }\n  if (schema === convertValue) {\n    return conversionFn(input);\n  }\n  if (schema instanceof Array) {\n    return input.map((v: any) => convert<From, To>(conversionFn, schema[0], v));\n  }\n  if (schema instanceof Object) {\n    const output: any = {};\n    for (const [key, schemaField] of Object.entries(schema)) {\n      if (schemaField.deriveFn) {\n        const v = schemaField.deriveFn(input);\n        if (v !== undefined) {\n          input[key] = v;\n        }\n      }\n\n      if (!(key in input)) {\n        if (schemaField.required) {\n          throw new Error(`Missing key: ${key}`);\n        }\n        continue;\n      }\n      // Fields can be null (rather than missing or `undefined`), e.g. the\n      // `userHandle` field of the `AuthenticatorAssertionResponse`:\n      // https://www.w3.org/TR/webauthn/#iface-authenticatorassertionresponse\n      if (input[key] == null) {\n        output[key] = null;\n        continue;\n      }\n      output[key] = convert<From, To>(\n        conversionFn,\n        schemaField.schema,\n        input[key],\n      );\n    }\n    return output;\n  }\n}\n\nexport function derived(\n  schema: Schema,\n  deriveFn: (v: any) => any,\n): SchemaProperty {\n  return {\n    required: true,\n    schema,\n    deriveFn,\n  };\n}\n\nexport function required(schema: Schema): SchemaProperty {\n  return {\n    required: true,\n    schema,\n  };\n}\n\nexport function optional(schema: Schema): SchemaProperty {\n  return {\n    required: false,\n    schema,\n  };\n}\n", "import { Schema } from \"../schema-format\";\nimport {\n  convertValue as convert,\n  copyValue as copy,\n  derived,\n  optional,\n  required,\n} from \"../convert\";\n\n// Shared by `create()` and `get()`.\n\nconst publicKeyCredentialDescriptorSchema: Schema = {\n  type: required(copy),\n  id: required(convert),\n  transports: optional(copy),\n};\n\nconst simplifiedExtensionsSchema: Schema = {\n  appid: optional(copy),\n  appidExclude: optional(copy),\n  credProps: optional(copy),\n};\n\nconst simplifiedClientExtensionResultsSchema = {\n  appid: optional(copy),\n  appidExclude: optional(copy),\n  credProps: optional(copy),\n};\n\n// `navigator.create()` request\n\nexport const credentialCreationOptions: Schema = {\n  publicKey: required({\n    rp: required(copy),\n    user: required({\n      id: required(convert),\n      name: required(copy),\n      displayName: required(copy),\n    }),\n\n    challenge: required(convert),\n    pubKeyCredParams: required(copy),\n\n    timeout: optional(copy),\n    excludeCredentials: optional([publicKeyCredentialDescriptorSchema]),\n    authenticatorSelection: optional(copy),\n    attestation: optional(copy),\n    extensions: optional(simplifiedExtensionsSchema),\n  }),\n  signal: optional(copy),\n};\n\n// `navigator.create()` response\n\nexport const publicKeyCredentialWithAttestation: Schema = {\n  type: required(copy),\n  id: required(copy),\n  rawId: required(convert),\n  response: required({\n    clientDataJSON: required(convert),\n    attestationObject: required(convert),\n    transports: derived(\n      copy,\n      (response: any) => response.getTransports?.() || [],\n    ),\n  }),\n  clientExtensionResults: derived(\n    simplifiedClientExtensionResultsSchema,\n    (pkc: PublicKeyCredential) => pkc.getClientExtensionResults(),\n  ),\n};\n\n// `navigator.get()` request\n\nexport const credentialRequestOptions: Schema = {\n  mediation: optional(copy),\n  publicKey: required({\n    challenge: required(convert),\n    timeout: optional(copy),\n    rpId: optional(copy),\n    allowCredentials: optional([publicKeyCredentialDescriptorSchema]),\n    userVerification: optional(copy),\n    extensions: optional(simplifiedExtensionsSchema),\n  }),\n  signal: optional(copy),\n};\n\n// `navigator.get()` response\n\nexport const publicKeyCredentialWithAssertion: Schema = {\n  type: required(copy),\n  id: required(copy),\n  rawId: required(convert),\n  response: required({\n    clientDataJSON: required(convert),\n    authenticatorData: required(convert),\n    signature: required(convert),\n    userHandle: required(convert),\n  }),\n  clientExtensionResults: derived(\n    simplifiedClientExtensionResultsSchema,\n    (pkc: PublicKeyCredential) => pkc.getClientExtensionResults(),\n  ),\n};\n\nexport const schema: { [s: string]: Schema } = {\n  credentialCreationOptions,\n  publicKeyCredentialWithAttestation,\n  credentialRequestOptions,\n  publicKeyCredentialWithAssertion,\n};\n", "import { base64urlToBuffer, bufferToBase64url } from \"../base64url\";\nimport { convert } from \"../convert\";\nimport {\n  CredentialCreationOptionsJSON,\n  CredentialRequestOptionsJSON,\n  PublicKeyCredentialWithAssertionJSON,\n  PublicKeyCredentialWithAttestationJSON,\n} from \"./json\";\nimport {\n  credentialCreationOptions,\n  credentialRequestOptions,\n  publicKeyCredentialWithAssertion,\n  publicKeyCredentialWithAttestation,\n} from \"./schema\";\n\nexport function createRequestFromJSON(\n  requestJSON: CredentialCreationOptionsJSON,\n): CredentialCreationOptions {\n  return convert(base64urlToBuffer, credentialCreationOptions, requestJSON);\n}\n\nexport function createResponseToJSON(\n  credential: PublicKeyCredential,\n): PublicKeyCredentialWithAttestationJSON {\n  return convert(\n    bufferToBase64url,\n    publicKeyCredentialWithAttestation,\n    credential,\n  );\n}\n\nexport async function create(\n  requestJSON: CredentialCreationOptionsJSON,\n): Promise<PublicKeyCredentialWithAttestationJSON> {\n  const credential = (await navigator.credentials.create(\n    createRequestFromJSON(requestJSON),\n  )) as PublicKeyCredential;\n  return createResponseToJSON(credential);\n}\n\nexport function getRequestFromJSON(\n  requestJSON: CredentialRequestOptionsJSON,\n): CredentialRequestOptions {\n  return convert(base64urlToBuffer, credentialRequestOptions, requestJSON);\n}\n\nexport function getResponseToJSON(\n  credential: PublicKeyCredential,\n): PublicKeyCredentialWithAssertionJSON {\n  return convert(\n    bufferToBase64url,\n    publicKeyCredentialWithAssertion,\n    credential,\n  );\n}\n\nexport async function get(\n  requestJSON: CredentialRequestOptionsJSON,\n): Promise<PublicKeyCredentialWithAssertionJSON> {\n  const credential = (await navigator.credentials.get(\n    getRequestFromJSON(requestJSON),\n  )) as PublicKeyCredential;\n  return getResponseToJSON(credential);\n}\n\ndeclare global {\n  interface Window {\n    PublicKeyCredential: PublicKeyCredential | undefined;\n  }\n}\n", "// This function does a simple check to test for the credential management API\n// functions we need, and an indication of public key credential authentication\n// support.\n// https://developers.google.com/web/updates/2018/03/webauthn-credential-management\n\nexport function supported(): boolean {\n  return !!(\n    navigator.credentials &&\n    navigator.credentials.create &&\n    navigator.credentials.get &&\n    window.PublicKeyCredential\n  );\n}\n"],
+  "mappings": ";AAEO,2BACL,iBACa;AAEb,QAAM,UAAU,KAAK,MAAM,GAAI,KAAK,gBAAgB,SAAS,KAAM;AACnE,QAAM,eACJ,gBAAgB,QAAQ,MAAM,KAAK,QAAQ,MAAM,OAAO;AAG1D,QAAM,MAAM,KAAK;AAGjB,QAAM,SAAS,IAAI,YAAY,IAAI;AACnC,QAAM,WAAW,IAAI,WAAW;AAChC,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,aAAS,KAAK,IAAI,WAAW;AAAA;AAE/B,SAAO;AAAA;AAGF,2BAA2B,QAAsC;AAEtE,QAAM,WAAW,IAAI,WAAW;AAChC,MAAI,MAAM;AACV,aAAW,YAAY,UAAU;AAC/B,WAAO,OAAO,aAAa;AAAA;AAI7B,QAAM,eAAe,KAAK;AAI1B,QAAM,kBAAkB,aACrB,QAAQ,OAAO,KACf,QAAQ,OAAO,KACf,QAAQ,MAAM;AACjB,SAAO;AAAA;;;ACjCF,IAAM,YAAY;AAClB,IAAM,eAAe;AAErB,iBACL,cACA,SACA,OACK;AACL,MAAI,YAAW,WAAW;AACxB,WAAO;AAAA;AAET,MAAI,YAAW,cAAc;AAC3B,WAAO,aAAa;AAAA;AAEtB,MAAI,mBAAkB,OAAO;AAC3B,WAAO,MAAM,IAAI,CAAC,MAAW,QAAkB,cAAc,QAAO,IAAI;AAAA;AAE1E,MAAI,mBAAkB,QAAQ;AAC5B,UAAM,SAAc;AACpB,eAAW,CAAC,KAAK,gBAAgB,OAAO,QAAQ,UAAS;AACvD,UAAI,YAAY,UAAU;AACxB,cAAM,IAAI,YAAY,SAAS;AAC/B,YAAI,MAAM,QAAW;AACnB,gBAAM,OAAO;AAAA;AAAA;AAIjB,UAAI,CAAE,QAAO,QAAQ;AACnB,YAAI,YAAY,UAAU;AACxB,gBAAM,IAAI,MAAM,gBAAgB;AAAA;AAElC;AAAA;AAKF,UAAI,MAAM,QAAQ,MAAM;AACtB,eAAO,OAAO;AACd;AAAA;AAEF,aAAO,OAAO,QACZ,cACA,YAAY,QACZ,MAAM;AAAA;AAGV,WAAO;AAAA;AAAA;AAIJ,iBACL,SACA,UACgB;AAChB,SAAO;AAAA,IACL,UAAU;AAAA,IACV;AAAA,IACA;AAAA;AAAA;AAIG,kBAAkB,SAAgC;AACvD,SAAO;AAAA,IACL,UAAU;AAAA,IACV;AAAA;AAAA;AAIG,kBAAkB,SAAgC;AACvD,SAAO;AAAA,IACL,UAAU;AAAA,IACV;AAAA;AAAA;;;AClEJ,IAAM,sCAA8C;AAAA,EAClD,MAAM,SAAS;AAAA,EACf,IAAI,SAAS;AAAA,EACb,YAAY,SAAS;AAAA;AAGvB,IAAM,6BAAqC;AAAA,EACzC,OAAO,SAAS;AAAA,EAChB,cAAc,SAAS;AAAA,EACvB,WAAW,SAAS;AAAA;AAGtB,IAAM,yCAAyC;AAAA,EAC7C,OAAO,SAAS;AAAA,EAChB,cAAc,SAAS;AAAA,EACvB,WAAW,SAAS;AAAA;AAKf,IAAM,4BAAoC;AAAA,EAC/C,WAAW,SAAS;AAAA,IAClB,IAAI,SAAS;AAAA,IACb,MAAM,SAAS;AAAA,MACb,IAAI,SAAS;AAAA,MACb,MAAM,SAAS;AAAA,MACf,aAAa,SAAS;AAAA;AAAA,IAGxB,WAAW,SAAS;AAAA,IACpB,kBAAkB,SAAS;AAAA,IAE3B,SAAS,SAAS;AAAA,IAClB,oBAAoB,SAAS,CAAC;AAAA,IAC9B,wBAAwB,SAAS;AAAA,IACjC,aAAa,SAAS;AAAA,IACtB,YAAY,SAAS;AAAA;AAAA,EAEvB,QAAQ,SAAS;AAAA;AAKZ,IAAM,qCAA6C;AAAA,EACxD,MAAM,SAAS;AAAA,EACf,IAAI,SAAS;AAAA,EACb,OAAO,SAAS;AAAA,EAChB,UAAU,SAAS;AAAA,IACjB,gBAAgB,SAAS;AAAA,IACzB,mBAAmB,SAAS;AAAA,IAC5B,YAAY,QACV,WACA,CAAC,aAAkB,SAAS,qBAAqB;AAAA;AAAA,EAGrD,wBAAwB,QACtB,wCACA,CAAC,QAA6B,IAAI;AAAA;AAM/B,IAAM,2BAAmC;AAAA,EAC9C,WAAW,SAAS;AAAA,EACpB,WAAW,SAAS;AAAA,IAClB,WAAW,SAAS;AAAA,IACpB,SAAS,SAAS;AAAA,IAClB,MAAM,SAAS;AAAA,IACf,kBAAkB,SAAS,CAAC;AAAA,IAC5B,kBAAkB,SAAS;AAAA,IAC3B,YAAY,SAAS;AAAA;AAAA,EAEvB,QAAQ,SAAS;AAAA;AAKZ,IAAM,mCAA2C;AAAA,EACtD,MAAM,SAAS;AAAA,EACf,IAAI,SAAS;AAAA,EACb,OAAO,SAAS;AAAA,EAChB,UAAU,SAAS;AAAA,IACjB,gBAAgB,SAAS;AAAA,IACzB,mBAAmB,SAAS;AAAA,IAC5B,WAAW,SAAS;AAAA,IACpB,YAAY,SAAS;AAAA;AAAA,EAEvB,wBAAwB,QACtB,wCACA,CAAC,QAA6B,IAAI;AAAA;AAI/B,IAAM,SAAkC;AAAA,EAC7C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;;;AC9FK,+BACL,aAC2B;AAC3B,SAAO,QAAQ,mBAAmB,2BAA2B;AAAA;AAGxD,8BACL,YACwC;AACxC,SAAO,QACL,mBACA,oCACA;AAAA;AAIJ,sBACE,aACiD;AACjD,QAAM,aAAc,MAAM,UAAU,YAAY,OAC9C,sBAAsB;AAExB,SAAO,qBAAqB;AAAA;AAGvB,4BACL,aAC0B;AAC1B,SAAO,QAAQ,mBAAmB,0BAA0B;AAAA;AAGvD,2BACL,YACsC;AACtC,SAAO,QACL,mBACA,kCACA;AAAA;AAIJ,mBACE,aAC+C;AAC/C,QAAM,aAAc,MAAM,UAAU,YAAY,IAC9C,mBAAmB;AAErB,SAAO,kBAAkB;AAAA;;;ACzDpB,qBAA8B;AACnC,SAAO,CAAC,CACN,WAAU,eACV,UAAU,YAAY,UACtB,UAAU,YAAY,OACtB,OAAO;AAAA;",
+  "names": []
+}

From 6508e29490c5ffff1cc9bf13011061ca2bc8a30b Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 13 Jan 2022 18:22:26 +0100
Subject: [PATCH 05/14] Use webauthn-json library in demo

---
 .../src/main/webapp/index.html                |  34 ++--
 .../src/main/webapp/js/webauthn.js            | 172 ------------------
 2 files changed, 21 insertions(+), 185 deletions(-)
 delete mode 100644 webauthn-server-demo/src/main/webapp/js/webauthn.js

diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index da0af2435..30379ac80 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -55,9 +55,9 @@
   <script src="lib/fetch/fetch-3.0.0.js"></script>
   <script src="lib/base64js/base64js-1.3.0.min.js"></script>
   <script src="js/base64url.js"></script>
-  <script src="js/webauthn.js"></script>
 
-  <script>
+  <script type="module">
+import * as webauthnJson from "./lib/webauthn-json-0.6.1/dist/esm/webauthn-json.js";
 
 let ceremonyState = {};
 let session = {
@@ -205,7 +205,7 @@
   if (useU2f) {
     return executeU2fRegisterRequest(request);
   } else {
-    return webauthn.createCredential(request.publicKeyCredentialCreationOptions);
+    return webauthnJson.create({ publicKey: request.publicKeyCredentialCreationOptions });
   }
 }
 
@@ -329,8 +329,7 @@
         urls,
         useU2f,
       };
-      return executeRequest(request)
-        .then(webauthn.responseToObject);
+      return executeRequest(request);
     })
     .then(finishCeremony)
   ;
@@ -443,7 +442,7 @@
 function executeAuthenticateRequest(request) {
   console.log('executeAuthenticateRequest', request);
 
-  return webauthn.getAssertion(request.publicKeyCredentialRequestOptions);
+  return webauthnJson.get({ publicKey: request.publicKeyCredentialRequestOptions });
 }
 
 function authenticateWithUsername(event) {
@@ -529,6 +528,15 @@
 
 function init() {
   hideDeviceInfo();
+
+  document.getElementById("username").oninput = usernameChanged;
+  document.getElementById("registerButton").onclick = register;
+  document.getElementById("registerRkButton").onclick = registerResidentKey;
+  document.getElementById("authenticateWithUsernameButton").onclick = authenticateWithUsername;
+  document.getElementById("authenticateButton").onclick = authenticate;
+  document.getElementById("deregisterButton").onclick = deregister;
+  document.getElementById("logoutButton").onclick = logout;
+
   return false;
 }
 
@@ -553,7 +561,7 @@ <h1> Test your WebAuthn device </h1>
     <form class="horizontal">
       <div class="row">
         <label for="username">Username:</label>
-        <div><input type="text" id="username" onInput="javascript:usernameChanged(event)" /></div>
+        <div><input type="text" id="username" /></div>
       </div>
       <div class="row">
         <label for="displayName">Display name:</label>
@@ -564,12 +572,12 @@ <h1> Test your WebAuthn device </h1>
         <label for="credentialNickname">Credential nickname:</label>
         <div><input type="text" id="credentialNickname"/></div>
         <div>
-          <button type="button" id="registerButton" onClick="javascript:register()">
+          <button type="button" id="registerButton">
             Register new account
           </button>
         </div>
         <div>
-          <button type="button" id="registerRkButton" onClick="javascript:registerResidentKey()">
+          <button type="button" id="registerRkButton">
             Register new account with resident credential
           </button>
         </div>
@@ -579,12 +587,12 @@ <h1> Test your WebAuthn device </h1>
         <div></div>
         <div></div>
         <div>
-          <button type="button" onClick="javascript:authenticateWithUsername()">
+          <button type="button" id="authenticateWithUsernameButton">
             Authenticate
           </button>
         </div>
         <div>
-          <button type="button" onClick="javascript:authenticate()">
+          <button type="button" id="authenticateButton">
             Authenticate without username
           </button>
         </div>
@@ -603,7 +611,7 @@ <h1> Test your WebAuthn device </h1>
         <label for="deregisterCredentialId">Credential ID:</label>
         <div><input type="text" id="deregisterCredentialId"/></div>
         <div>
-          <button type="button" onClick="javascript:deregister()">
+          <button type="button" id="deregisterButton">
             Deregister
           </button>
         </div>
@@ -612,7 +620,7 @@ <h1> Test your WebAuthn device </h1>
 
 
     <p id="session">Not logged in.</p>
-    <button id="logoutButton" disabled="disabled" onClick="javascript:logout()">Log out</button>
+    <button id="logoutButton" disabled="disabled">Log out</button>
     <p id="status"></p>
     <div id="messages"></div>
 
diff --git a/webauthn-server-demo/src/main/webapp/js/webauthn.js b/webauthn-server-demo/src/main/webapp/js/webauthn.js
deleted file mode 100644
index 589d19808..000000000
--- a/webauthn-server-demo/src/main/webapp/js/webauthn.js
+++ /dev/null
@@ -1,172 +0,0 @@
-// Copyright (c) 2018, Yubico AB
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-//    list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-//    this list of conditions and the following disclaimer in the documentation
-//    and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-(function(root, factory) {
-  if (typeof define === 'function' && define.amd) {
-    define(['base64url'], factory);
-  } else if (typeof module === 'object' && module.exports) {
-    module.exports = factory(require('base64url'));
-  } else {
-    root.webauthn = factory(root.base64url);
-  }
-})(this, function(base64url) {
-
-  function extend(obj, more) {
-    return Object.assign({}, obj, more);
-  }
-
-  /**
-   * Create a WebAuthn credential.
-   *
-   * @param request: object - A PublicKeyCredentialCreationOptions object, except
-   *   where binary values are base64url encoded strings instead of byte arrays
-   *
-   * @return a PublicKeyCredentialCreationOptions suitable for passing as the
-   *   `publicKey` parameter to `navigator.credentials.create()`
-   */
-  function decodePublicKeyCredentialCreationOptions(request) {
-    const excludeCredentials = request.excludeCredentials.map(credential => extend(
-      credential, {
-      id: base64url.toByteArray(credential.id),
-    }));
-
-    const publicKeyCredentialCreationOptions = extend(
-      request, {
-      attestation: 'direct',
-      user: extend(
-        request.user, {
-        id: base64url.toByteArray(request.user.id),
-      }),
-      challenge: base64url.toByteArray(request.challenge),
-      excludeCredentials,
-    });
-
-    return publicKeyCredentialCreationOptions;
-  }
-
-  /**
-   * Create a WebAuthn credential.
-   *
-   * @param request: object - A PublicKeyCredentialCreationOptions object, except
-   *   where binary values are base64url encoded strings instead of byte arrays
-   *
-   * @return the Promise returned by `navigator.credentials.create`
-   */
-  function createCredential(request) {
-    return navigator.credentials.create({
-      publicKey: decodePublicKeyCredentialCreationOptions(request),
-    });
-  }
-
-  /**
-   * Perform a WebAuthn assertion.
-   *
-   * @param request: object - A PublicKeyCredentialRequestOptions object,
-   *   except where binary values are base64url encoded strings instead of byte
-   *   arrays
-   *
-   * @return a PublicKeyCredentialRequestOptions suitable for passing as the
-   *   `publicKey` parameter to `navigator.credentials.get()`
-   */
-  function decodePublicKeyCredentialRequestOptions(request) {
-    const allowCredentials = request.allowCredentials && request.allowCredentials.map(credential => extend(
-      credential, {
-      id: base64url.toByteArray(credential.id),
-    }));
-
-    const publicKeyCredentialRequestOptions = extend(
-      request, {
-      allowCredentials,
-      challenge: base64url.toByteArray(request.challenge),
-    });
-
-    return publicKeyCredentialRequestOptions;
-  }
-
-  /**
-   * Perform a WebAuthn assertion.
-   *
-   * @param request: object - A PublicKeyCredentialRequestOptions object,
-   *   except where binary values are base64url encoded strings instead of byte
-   *   arrays
-   *
-   * @return the Promise returned by `navigator.credentials.get`
-   */
-  function getAssertion(request) {
-    console.log('Get assertion', request);
-    return navigator.credentials.get({
-      publicKey: decodePublicKeyCredentialRequestOptions(request),
-    });
-  }
-
-
-  /** Turn a PublicKeyCredential object into a plain object with base64url encoded binary values */
-  function responseToObject(response) {
-    if (response.u2fResponse) {
-      return response;
-    } else {
-      let clientExtensionResults = {};
-
-      try {
-        clientExtensionResults = response.getClientExtensionResults();
-      } catch (e) {
-        console.error('getClientExtensionResults failed', e);
-      }
-
-      if (response.response.attestationObject) {
-        return {
-          type: response.type,
-          id: response.id,
-          response: {
-            attestationObject: base64url.fromByteArray(response.response.attestationObject),
-            clientDataJSON: base64url.fromByteArray(response.response.clientDataJSON),
-            transports: response.response.getTransports && response.response.getTransports() || [],
-          },
-          clientExtensionResults,
-        };
-      } else {
-        return {
-          type: response.type,
-          id: response.id,
-          response: {
-            authenticatorData: base64url.fromByteArray(response.response.authenticatorData),
-            clientDataJSON: base64url.fromByteArray(response.response.clientDataJSON),
-            signature: base64url.fromByteArray(response.response.signature),
-            userHandle: response.response.userHandle && base64url.fromByteArray(response.response.userHandle),
-          },
-          clientExtensionResults,
-        };
-      }
-    }
-  }
-
-  return {
-    decodePublicKeyCredentialCreationOptions,
-    decodePublicKeyCredentialRequestOptions,
-    createCredential,
-    getAssertion,
-    responseToObject,
-  };
-
-});

From 70e1434ac0758669f66b32e90abe611134d8d99b Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 13 Jan 2022 20:01:23 +0100
Subject: [PATCH 06/14] Use webauthn-json in getting started guide

---
 README | 127 ++++++++++++---------------------------------------------
 1 file changed, 27 insertions(+), 100 deletions(-)

diff --git a/README b/README
index 00f5eb037..f7af0a168 100644
--- a/README
+++ b/README
@@ -110,10 +110,7 @@ The client side involves:
     passing the result from `RelyingParty.startRegistration(...)` or `.startAssertion(...)` as the argument.
  2. Encode the result of the successfully resolved promise and return it to the server.
     For this you need some way to encode `Uint8Array` values;
-    this guide will assume use of link:https://github.com/beatgammit/base64-js[base64-js].
-    However the built-in parser methods for
-    link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/data/PublicKeyCredential.html[`PublicKeyCredential`]
-    expect URL-safe Base64 encoding, so the below examples will include this as an additional step.
+    this guide will use GitHub's link:https://github.com/github/webauthn-json[webauthn-json] library.
 
 Example code is given below.
 For more detailed example usage, see
@@ -163,6 +160,8 @@ A registration ceremony consists of 5 main steps:
  4. Validate the response using `RelyingParty.finishRegistration(...)`.
  5. Update your database using the `finishRegistration` output.
 
+This example uses GitHub's link:https://github.com/github/webauthn-json[webauthn-json] library to do both (2) and (3) in one function call.
+
 First, generate registration parameters and send them to the client:
 
 [source,java]
@@ -196,62 +195,23 @@ Now call the WebAuthn API on the client side:
 
 [source,javascript]
 ----------
-function base64urlToUint8array(base64Bytes) {
-  const padding = '===='.substring(0, (4 - (base64Bytes.length % 4)) % 4);
-  return base64js.toByteArray((base64Bytes + padding).replace(/\//g, "_").replace(/\+/g, "-"));
-}
-function uint8arrayToBase64url(bytes) {
-  if (bytes instanceof Uint8Array) {
-    return base64js.fromByteArray(bytes).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-  } else {
-    return uint8arrayToBase64url(new Uint8Array(bytes));
-  }
-}
-
-fetch(/* ... */)                    // Make the call that returns the credentialCreateJson above
-  .then(credentialCreateJson => ({  // Decode byte arrays from base64url
-    publicKey: {
-      ...credentialCreateJson.publicKey,
-
-      challenge: base64urlToUint8array(credentialCreateJson.publicKey.challenge),
-      user: {
-        ...credentialCreateJson.publicKey.user,
-        id: base64urlToUint8array(credentialCreateJson.publicKey.user.id),
-      },
-      excludeCredentials: credentialCreateJson.publicKey.excludeCredentials.map(credential => ({
-        ...credential,
-        id: base64urlToUint8array(credential.id),
-      })),
-
-      // Warning: Extension inputs could also contain binary data that needs encoding
-      extensions: credentialCreateJson.publicKey.extensions,
-    },
-  }))
-  .then(credentialCreateOptions =>  // Call WebAuthn ceremony
-    navigator.credentials.create(credentialCreateOptions))
-  .then(publicKeyCredential => ({   // Encode PublicKeyCredential for transport to server (example)
-    type: publicKeyCredential.type,
-    id: publicKeyCredential.id,
-    response: {
-      attestationObject: uint8arrayToBase64url(publicKeyCredential.response.attestationObject),
-      clientDataJSON: uint8arrayToBase64url(publicKeyCredential.response.clientDataJSON),
-
-      // Attempt to read transports, but recover gracefully if not supported by the browser
-      transports: publicKeyCredential.response.getTransports && publicKeyCredential.response.getTransports() || [],
-    },
-
-    // Warning: Client extension results could also contain binary data that needs encoding
-    clientExtensionResults: publicKeyCredential.getClientExtensionResults(),
-  }))
-  .then(encodedResult =>
-    fetch(/* ... */));              // Return encoded PublicKeyCredential to server
+import * as webauthnJson from "@github/webauthn-json";
+
+// Make the call that returns the credentialCreateJson above
+const credentialCreateOptions = await fetch(/* ... */).then(resp => resp.json());
+
+// Call WebAuthn ceremony using webauthn-json wrapper
+const publicKeyCredential = await webauthnJson.create(credentialCreateOptions);
+
+// Return encoded PublicKeyCredential to server
+fetch(/* ... */, { body: JSON.stringify(publicKeyCredential) });
 ----------
 
 Validate the response on the server side:
 
 [source,java]
 ----------
-String publicKeyCredentialJson = /* ... */;     // encodedResult from client
+String publicKeyCredentialJson = /* ... */;     // publicKeyCredential from client
 PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> pkc =
     PublicKeyCredential.parseRegistrationResponseJson(publicKeyCredentialJson);
 
@@ -295,6 +255,8 @@ Like registration ceremonies, an authentication ceremony consists of 5 main step
  4. Validate the response using `RelyingParty.finishAssertion(...)`.
  5. Update your database using the `finishAssertion` output, and act upon the result (for example, grant login access).
 
+This example uses GitHub's link:https://github.com/github/webauthn-json[webauthn-json] library to do both (2) and (3) in one function call.
+
 First, generate authentication parameters and send them to the client:
 
 [source,java]
@@ -313,58 +275,23 @@ Now call the WebAuthn API on the client side:
 
 [source,javascript]
 ----------
-function base64urlToUint8array(base64Bytes) {
-  const padding = '===='.substring(0, (4 - (base64Bytes.length % 4)) % 4);
-  return base64js.toByteArray((base64Bytes + padding).replace(/\//g, "_").replace(/\+/g, "-"));
-}
-function uint8arrayToBase64url(bytes) {
-  if (bytes instanceof Uint8Array) {
-    return base64js.fromByteArray(bytes).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-  } else {
-    return uint8arrayToBase64url(new Uint8Array(bytes));
-  }
-}
-
-fetch(/* ... */)                    // Make the call that returns the credentialGetJson above
-  .then(credentialGetJson => ({     // Decode byte arrays from base64url
-    publicKey: {
-      ...credentialGetJson.publicKey,
-      allowCredentials: credentialGetJson.publicKey.allowCredentials
-        && credentialGetJson.publicKey.allowCredentials.map(credential => ({
-          ...credential,
-          id: base64urlToUint8array(credential.id),
-        })),
-
-      challenge: base64urlToUint8array(credentialGetJson.publicKey.challenge),
-
-      // Warning: Extension inputs could also contain binary data that needs encoding
-      extensions: credentialGetJson.publicKey.extensions,
-    },
-  }))
-  .then(credentialGetOptions =>        // Call WebAuthn ceremony
-    navigator.credentials.get(credentialGetOptions))
-  .then(publicKeyCredential => ({   // Encode PublicKeyCredential for transport to server (example)
-    type: publicKeyCredential.type,
-    id: publicKeyCredential.id,
-    response: {
-      authenticatorData: uint8arrayToBase64url(publicKeyCredential.response.authenticatorData),
-      clientDataJSON: uint8arrayToBase64url(publicKeyCredential.response.clientDataJSON),
-      signature: uint8arrayToBase64url(publicKeyCredential.response.signature),
-      userHandle: publicKeyCredential.response.userHandle && uint8arrayToBase64url(publicKeyCredential.response.userHandle),
-    },
-
-    // Warning: Client extension results could also contain binary data that needs encoding
-    clientExtensionResults: publicKeyCredential.getClientExtensionResults(),
-  }))
-  .then(encodedResult =>
-    fetch(/* ... */));              // Return encoded PublicKeyCredential to server
+import * as webauthnJson from "@github/webauthn-json";
+
+// Make the call that returns the credentialGetJson above
+const credentialGetOptions = await fetch(/* ... */).then(resp => resp.json());
+
+// Call WebAuthn ceremony using webauthn-json wrapper
+const publicKeyCredential = await webauthnJson.get(credentialGetOptions);
+
+// Return encoded PublicKeyCredential to server
+fetch(/* ... */, { body: JSON.stringify(publicKeyCredential) });
 ----------
 
 Validate the response on the server side:
 
 [source,java]
 ----------
-String publicKeyCredentialJson = /* ... */;  // encodedResult from client
+String publicKeyCredentialJson = /* ... */;  // publicKeyCredential from client
 PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> pkc =
     PublicKeyCredential.parseAssertionResponseJson(publicKeyCredentialJson);
 

From ad702a3c39f30aafdb5f8bcf0793cae6fc428b98 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Tue, 18 Jan 2022 23:35:45 +0100
Subject: [PATCH 07/14] Change U2F migration instructions from bullet list to
 numbered list

---
 README | 64 +++++++++++++++++++++++++++++-----------------------------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/README b/README
index f7af0a168..ed128ad8a 100644
--- a/README
+++ b/README
@@ -400,13 +400,13 @@ and credentials registered via the U2F API will continue to work with the WebAut
 
 To migrate to using the WebAuthn API, you need to do the following:
 
-* Follow the link:#getting-started[Getting started] guide above to set up WebAuthn support in general.
+ 1. Follow the link:#getting-started[Getting started] guide above to set up WebAuthn support in general.
 +
 Note that unlike a U2F AppID, the WebAuthn link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/data/RelyingPartyIdentity.RelyingPartyIdentityBuilder.html#id(java.lang.String)[RP ID]
 consists of only the domain name of the AppID.
 WebAuthn does not support link:https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-appid-and-facets-v1.2-ps-20170411.html[U2F Trusted Facet Lists].
 
-* Set the
+ 2. Set the
   link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#appId(com.yubico.webauthn.extension.appid.AppId)[`appId()`]
   setting on your `RelyingParty` instance.
   The argument to the `appid()` setting should be the same as you used for the `appId` argument to the
@@ -416,36 +416,36 @@ This will enable the link:https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sc
 and link:https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-appid-exclude-extension[`appidExclude`]
 extensions and configure the `RelyingParty` to accept the given AppId when verifying authenticator signatures.
 
-* Generate a link:https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#user-handle[user handle] for each existing user
-  and store it in their account,
-  or decide on a method for deriving one deterministically from existing user attributes.
-  For example, if your user records are assigned UUIDs, you can use that UUID as the user handle.
-  You SHOULD NOT use a plain username or e-mail address, or hash of either, as the user handle -
-  for more on this, see the link:https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-user-handle-privacy[User Handle Contents]
-  privacy consideration.
-
-* When your `CredentialRepository` creates a `RegisteredCredential` for a U2F credential,
-  use the U2F key handle as the
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RegisteredCredential.RegisteredCredentialBuilder.html#credentialId(com.yubico.webauthn.data.ByteArray)[credential ID].
-  If you store key handles base64 encoded, you should decode them using
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/data/ByteArray.html#fromBase64(java.lang.String)[`ByteArray.fromBase64`]
-  or
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/data/ByteArray.html#fromBase64Url(java.lang.String)[`ByteArray.fromBase64Url`]
-  as appropriate before passing them to the `RegisteredCredential`.
-
-* When your `CredentialRepository` creates a `RegisteredCredential` for a U2F credential,
-  use the
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RegisteredCredential.RegisteredCredentialBuilder.html#publicKeyEs256Raw(com.yubico.webauthn.data.ByteArray)[`publicKeyEs256Raw()`]
-  method instead of link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RegisteredCredential.RegisteredCredentialBuilder.html#publicKeyCose(com.yubico.webauthn.data.ByteArray)[`publicKeyCose()`]
-  to set the credential public key.
-
-* Replace calls to the U2F
-  link:https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html#high-level-javascript-api[`register`]
-  method with calls to `navigator.credentials.create()` as described in link:#getting-started[Getting started].
-
-* Replace calls to the U2F
-  link:https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html#high-level-javascript-api[`sign`]
-  method with calls to `navigator.credentials.get()` as described in link:#getting-started[Getting started].
+ 3. Generate a link:https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#user-handle[user handle]
+    for each existing user and store it in their account,
+    or decide on a method for deriving one deterministically from existing user attributes.
+    For example, if your user records are assigned UUIDs, you can use that UUID as the user handle.
+    You SHOULD NOT use a plain username or e-mail address, or hash of either, as the user handle -
+    for more on this, see the link:https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-user-handle-privacy[User Handle Contents]
+    privacy consideration.
+
+ 4. When your `CredentialRepository` creates a `RegisteredCredential` for a U2F credential,
+    use the U2F key handle as the
+    link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RegisteredCredential.RegisteredCredentialBuilder.html#credentialId(com.yubico.webauthn.data.ByteArray)[credential ID].
+    If you store key handles base64 encoded, you should decode them using
+    link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/data/ByteArray.html#fromBase64(java.lang.String)[`ByteArray.fromBase64`]
+    or
+    link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/data/ByteArray.html#fromBase64Url(java.lang.String)[`ByteArray.fromBase64Url`]
+    as appropriate before passing them to the `RegisteredCredential`.
+
+ 5. When your `CredentialRepository` creates a `RegisteredCredential` for a U2F credential,
+    use the
+    link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RegisteredCredential.RegisteredCredentialBuilder.html#publicKeyEs256Raw(com.yubico.webauthn.data.ByteArray)[`publicKeyEs256Raw()`]
+    method instead of link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/RegisteredCredential.RegisteredCredentialBuilder.html#publicKeyCose(com.yubico.webauthn.data.ByteArray)[`publicKeyCose()`]
+    to set the credential public key.
+
+ 6. Replace calls to the U2F
+    link:https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html#high-level-javascript-api[`register`]
+    method with calls to `navigator.credentials.create()` as described in link:#getting-started[Getting started].
+
+ 7. Replace calls to the U2F
+    link:https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html#high-level-javascript-api[`sign`]
+    method with calls to `navigator.credentials.get()` as described in link:#getting-started[Getting started].
 
 Existing U2F credentials should now work with the WebAuthn API.
 

From f65c4b53d43cca11ced9cc6639156e44657daff7 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 13 Jan 2022 18:30:08 +0100
Subject: [PATCH 08/14] Use async-await in performCeremony

---
 .../src/main/webapp/index.html                | 53 +++++++++----------
 1 file changed, 25 insertions(+), 28 deletions(-)

diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index 30379ac80..6db0d4801 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -293,7 +293,7 @@
   ;
 }
 
-function performCeremony(params) {
+async function performCeremony(params) {
   const callbacks = params.callbacks || {}; /* { init, authenticatorRequest, serverRequest } */
   const getIndexActions = params.getIndexActions; /* function(): object */
   const getRequest = params.getRequest; /* function(urls: object): { publicKeyCredentialCreationOptions: object } | { publicKeyCredentialRequestOptions: object } */
@@ -305,34 +305,31 @@
   setStatus('Looking up API paths...');
   resetDisplays();
 
-  return getIndexActions()
-    .then(urls => {
-      setStatus(statusStrings.int);
-      if (callbacks.init) {
-        callbacks.init(urls);
-      }
-      return getRequest(urls);
-    })
+  const rootUrls = await getIndexActions();
 
-    .then((params) => {
-      const request = params.request;
-      const urls = params.actions;
-      setStatus(statusStrings.authenticatorRequest);
-      if (callbacks.authenticatorRequest) {
-        callbacks.authenticatorRequest({ request, urls });
-      }
-      showRequest(request);
-      ceremonyState = {
-        callbacks,
-        request,
-        statusStrings,
-        urls,
-        useU2f,
-      };
-      return executeRequest(request);
-    })
-    .then(finishCeremony)
-  ;
+  setStatus(statusStrings.int);
+  if (callbacks.init) {
+    callbacks.init(rootUrls);
+  }
+  const { request, actions: urls } = await getRequest(rootUrls);
+
+  setStatus(statusStrings.authenticatorRequest);
+  if (callbacks.authenticatorRequest) {
+    callbacks.authenticatorRequest({ request, urls });
+  }
+  showRequest(request);
+  ceremonyState = {
+    callbacks,
+    request,
+    statusStrings,
+    urls,
+    useU2f,
+  };
+
+  const webauthnResponse = await executeRequest(request);
+  const serverResponse = await finishCeremony(webauthnResponse);
+
+  return serverResponse;
 }
 
 function finishCeremony(response) {

From e2e6d6bf2ffd13f03a07727268cb646850aebe80 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 13 Jan 2022 18:38:27 +0100
Subject: [PATCH 09/14] Use async-await in finishCeremony

---
 .../src/main/webapp/index.html                | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index 6db0d4801..ca1dbd951 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -332,7 +332,7 @@
   return serverResponse;
 }
 
-function finishCeremony(response) {
+async function finishCeremony(response) {
   const callbacks = ceremonyState.callbacks;
   const request = ceremonyState.request;
   const statusStrings = ceremonyState.statusStrings;
@@ -345,16 +345,16 @@
   }
   showAuthenticatorResponse(response);
 
-  return submitResponse(useU2f ? urls.finishU2f : urls.finish, request, response)
-    .then(data => {
-      if (data && data.success) {
-        setStatus(statusStrings.success);
-      } else {
-        setStatus('Error!');
-      }
-      showServerResponse(data);
-      return data;
-    });
+  const data = await submitResponse(useU2f ? urls.finishU2f : urls.finish, request, response);
+
+  if (data && data.success) {
+    setStatus(statusStrings.success);
+  } else {
+    setStatus('Error!');
+  }
+  showServerResponse(data);
+
+  return data;
 }
 
 function registerResidentKey(event) {

From 2f806bb0354bd1d586cdd439010573f1a24cf7b1 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 13 Jan 2022 18:39:05 +0100
Subject: [PATCH 10/14] Use async-await in register

---
 .../src/main/webapp/index.html                | 39 ++++++++++---------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index ca1dbd951..e663905ac 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -360,7 +360,7 @@
 function registerResidentKey(event) {
   return register(event, true);
 }
-function register(event, requireResidentKey) {
+async function register(event, requireResidentKey) {
   const username = document.getElementById('username').value;
   const displayName = document.getElementById('displayName').value;
   const credentialNickname = document.getElementById('credentialNickname').value;
@@ -368,21 +368,22 @@
 
   var request;
 
-  return performCeremony({
-    getIndexActions,
-    getRequest: urls => getRegisterRequest(urls, username, displayName, credentialNickname, requireResidentKey),
-    statusStrings: {
-      init: 'Initiating registration ceremony with server...',
-      authenticatorRequest: 'Asking authenticators to create credential...',
-      success: 'Registration successful!',
-    },
-    executeRequest: req => {
-      request = req;
-      return executeRegisterRequest(req, useU2f);
-    },
-    useU2f,
-  })
-  .then(data => {
+  try {
+    const data = await performCeremony({
+      getIndexActions,
+      getRequest: urls => getRegisterRequest(urls, username, displayName, credentialNickname, requireResidentKey),
+      statusStrings: {
+        init: 'Initiating registration ceremony with server...',
+        authenticatorRequest: 'Asking authenticators to create credential...',
+        success: 'Registration successful!',
+      },
+      executeRequest: req => {
+        request = req;
+        return executeRegisterRequest(req, useU2f);
+      },
+      useU2f,
+    });
+
     if (data.registration) {
       const nicknameInfo = {
         nickname: data.registration.credentialNickname,
@@ -401,8 +402,8 @@
         addMessage("Warning: Attestation is not trusted!");
       }
     }
-  })
-  .catch((err) => {
+
+  } catch (err) {
     setStatus('Registration failed.');
     console.error('Registration failed', err);
 
@@ -422,7 +423,7 @@
       addMessages(err.messages);
     }
     return rejected(err);
-  });
+  }
 }
 
 function getAuthenticateRequest(urls, username) {

From a2fdf6f0a4261d2cfc0c6ee0df81ec52e142d8ad Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 13 Jan 2022 18:39:20 +0100
Subject: [PATCH 11/14] Use async-await in authenticate

---
 .../src/main/webapp/index.html                | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index e663905ac..c04445121 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -446,22 +446,25 @@
 function authenticateWithUsername(event) {
   return authenticate(event, document.getElementById('username').value);
 }
-function authenticate(event, username) {
-  return performCeremony({
-    getIndexActions,
-    getRequest: urls => getAuthenticateRequest(urls, username),
-    statusStrings: {
-      init: 'Initiating authentication ceremony with server...',
-      authenticatorRequest: 'Asking authenticators to perform assertion...',
-      success: 'Authentication successful!',
-    },
-    executeRequest: executeAuthenticateRequest,
-  }).then(data => {
+async function authenticate(event, username) {
+  try {
+    const data = await performCeremony({
+      getIndexActions,
+      getRequest: urls => getAuthenticateRequest(urls, username),
+      statusStrings: {
+        init: 'Initiating authentication ceremony with server...',
+        authenticatorRequest: 'Asking authenticators to perform assertion...',
+        success: 'Authentication successful!',
+      },
+      executeRequest: executeAuthenticateRequest,
+    });
+
     if (data.registrations) {
       addMessage(`Authenticated as: ${data.registrations[0].username}`);
     }
     return data;
-  }).catch((err) => {
+
+  } catch (err) {
     setStatus('Authentication failed.');
     if (err.name === 'InvalidStateError') {
       addMessage(`This authenticator is not registered for the account "${username}". Please try again with a registered authenticator.`)
@@ -472,7 +475,7 @@
     }
     console.error('Authentication failed', err);
     return rejected(err);
-  });
+  }
 }
 
 function deregister() {

From 14eef3df9a40080075bc98bec5da18f601861243 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Thu, 13 Jan 2022 19:26:21 +0100
Subject: [PATCH 12/14] Use async-await in executeU2fRegisterRequest

---
 .../src/main/webapp/index.html                | 46 +++++++++----------
 1 file changed, 22 insertions(+), 24 deletions(-)

diff --git a/webauthn-server-demo/src/main/webapp/index.html b/webauthn-server-demo/src/main/webapp/index.html
index c04445121..1950e074e 100644
--- a/webauthn-server-demo/src/main/webapp/index.html
+++ b/webauthn-server-demo/src/main/webapp/index.html
@@ -209,10 +209,10 @@
   }
 }
 
-function executeU2fRegisterRequest(request) {
+async function executeU2fRegisterRequest(request) {
   const appId = 'https://localhost:8443';
   console.log('appId', appId);
-  return u2fRegister(
+  const result = await u2fRegister(
     appId,
     [{
       version: 'U2F_V2',
@@ -223,28 +223,26 @@
       version: 'U2F_V2',
       keyHandle: cred.id,
     }))
-  )
-    .then(result => {
-      const registrationDataBase64 = result.registrationData;
-      const clientDataBase64 = result.clientData;
-      const registrationDataBytes = base64url.toByteArray(registrationDataBase64);
-
-      const publicKeyBytes = registrationDataBytes.slice(1, 1 + 65);
-      const L = registrationDataBytes[1 + 65];
-      const keyHandleBytes = registrationDataBytes.slice(1 + 65 + 1, 1 + 65 + 1 + L);
-
-      const attestationCertAndTrailingBytes = registrationDataBytes.slice(1 + 65 + 1 + L);
-
-      return {
-        u2fResponse: {
-          keyHandle: base64url.fromByteArray(keyHandleBytes),
-          publicKey: base64url.fromByteArray(publicKeyBytes),
-          attestationCertAndSignature: base64url.fromByteArray(attestationCertAndTrailingBytes),
-          clientDataJSON: clientDataBase64,
-        },
-      };
-    })
-  ;
+  );
+
+  const registrationDataBase64 = result.registrationData;
+  const clientDataBase64 = result.clientData;
+  const registrationDataBytes = base64url.toByteArray(registrationDataBase64);
+
+  const publicKeyBytes = registrationDataBytes.slice(1, 1 + 65);
+  const L = registrationDataBytes[1 + 65];
+  const keyHandleBytes = registrationDataBytes.slice(1 + 65 + 1, 1 + 65 + 1 + L);
+
+  const attestationCertAndTrailingBytes = registrationDataBytes.slice(1 + 65 + 1 + L);
+
+  return {
+    u2fResponse: {
+      keyHandle: base64url.fromByteArray(keyHandleBytes),
+      publicKey: base64url.fromByteArray(publicKeyBytes),
+      attestationCertAndSignature: base64url.fromByteArray(attestationCertAndTrailingBytes),
+      clientDataJSON: clientDataBase64,
+    },
+  };
 }
 
 function u2fRegister(appId, registerRequests, registeredKeys) {

From fd0b962196e7b50ea5ab142b4178792249d35924 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 28 Jan 2022 17:49:10 +0100
Subject: [PATCH 13/14] Bump com.upokecenter:cbor dependency to minimum version
 4.5.2

Version 4.0.1 has known vulnerabilities and gets resolved to by transitive
exact-version dependencies; this forces a minimum version despite those
exact-version transitive dependencies.

See: https://github.com/advisories/GHSA-fj2w-wfgv-mwq6
---
 NEWS         | 8 ++++++++
 build.gradle | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 07649e96b..ae4fe6611 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+== Version 1.12.2 (unreleased) ==
+
+Fixes:
+
+* `com.upokecenter:cbor` dependency bumped to minimum version 4.5.1 due to a
+  known vulnerability, see: https://github.com/advisories/GHSA-fj2w-wfgv-mwq6
+
+
 == Version 1.12.1 ==
 
 Fixes:
diff --git a/build.gradle b/build.gradle
index ca917b032..f3da8fb6e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -51,7 +51,7 @@ dependencies {
     api('com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:[2.11.0,3)')
     api('com.fasterxml.jackson.datatype:jackson-datatype-jdk8:[2.11.0,3)')
     api('com.google.guava:guava:[24.1.1,31)')
-    api('com.upokecenter:cbor:[4.0.1,5)')
+    api('com.upokecenter:cbor:[4.5.1,5)')
     api('javax.ws.rs:javax.ws.rs-api:[2.1,3)')
     api('javax.xml.bind:jaxb-api:[2.3.0,3)')
     api('junit:junit:[4.12,5)')

From c07016c8b249583640778ce151e2bba64962f45b Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Fri, 28 Jan 2022 18:24:20 +0100
Subject: [PATCH 14/14] Add @JsonIgnore to transient AuthenticatorData fields

This fixes a crash in deserializing AuthenticatorData with
`com.upokecenter:cbor` versions later than 4.0.1.
---
 NEWS                                                         | 2 ++
 .../java/com/yubico/webauthn/data/AuthenticatorData.java     | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index ae4fe6611..03ae3e68e 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ Fixes:
 
 * `com.upokecenter:cbor` dependency bumped to minimum version 4.5.1 due to a
   known vulnerability, see: https://github.com/advisories/GHSA-fj2w-wfgv-mwq6
+* Fixed crash in `AuthenticatorData` deserialization with `com.upokecenter:cbor`
+  versions later than 4.0.1
 
 
 == Version 1.12.1 ==
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/data/AuthenticatorData.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/data/AuthenticatorData.java
index 699071670..f15c7fbdd 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/data/AuthenticatorData.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/data/AuthenticatorData.java
@@ -25,6 +25,7 @@
 package com.yubico.webauthn.data;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.databind.SerializerProvider;
@@ -81,9 +82,9 @@ public class AuthenticatorData {
    *
    * @see #flags
    */
-  private final transient AttestedCredentialData attestedCredentialData;
+  @JsonIgnore private final transient AttestedCredentialData attestedCredentialData;
 
-  private final transient CBORObject extensions;
+  @JsonIgnore private final transient CBORObject extensions;
 
   private static final int RP_ID_HASH_INDEX = 0;
   private static final int RP_ID_HASH_END = RP_ID_HASH_INDEX + 32;