Move to ESM. Replace Node-specific code.

[Hexagon]

Overview

PR based on https://github.com/Hexagon/webauthn but ported back to fido2-lib directory structure and code conventions.

Changelog

Fixes

• Experimental fix for #69, keep issue open until a test case is added.
• Partial fix for #79. Keep issue open until a separate Deno specific PR is merged.

Added

• Added new module keyUtils.js, which take care of conversion between different key formats (cose, jwk, pem) using jose and webcrypto.

• Adds dependecies

  • rollup (dev-dependency for building commonjs module)
  • @hexagon/base64 (for cross platform (node/deno) base64 operations)

• Additional build steps in package.json

  • npm run build runs esm test, builds cjs distributable, and tests cjs
  • npm run test:dist It makes no sense to run this separately, only use build, which includes this step

Changed

• Bumps major version to 3.0.0

• All code ported to ESM

• All code portable between node/deno/browser. For example Buffer -> ArrayBuffer/Uint8Array

• 100% ready for Deno, but the Deno-specific files is not included now, to keep the PR as clean as possible.

• Upgraded all code to more recent standards (replaced var with letor const etc.)

• Moved external dependencies and related utilities to a separate toolbox lib/toolbox.js

• Moved fixtures/ to test/fixtures

• Moved all fixture-likes in test/ to test/fixtures

• Documentation update

• Updated dependencies

  • sinon ^7 -> ^13
  • eslint ^8.7 -> ^8.13
  • @peculiar/webcrypto ^1.2 -> ^1.3

• Replaced dependencies

  • cbor-x (replacement for cbor)
  • node-jose (not esm-compilant) replaced by jose
  • psl (non esm), replaced by tldts + punycode + new utility functions - validEtldPlusOne and validDomainName)
  • cbor (non esm), replaced by cbor-x

Removed

• Removed old commonjs entrypoint index.js - as the package is converted to module, .js files is not usable for commonjs, so it's not possible to keep it for commonjs imports.

• Converted signing and hashing functions from Node Crypto to webcrypto.

• Removed ./test.js, did not fill any function and used Node specific imports. Good to have this removed before major bump.

• Removed dependencies

  • @babel/eslint-parser (not needed anymode)
  • eslint-plugin-vue (not needed anymore)
  • pvutils (not needed anymore)
  • bytestreamjs (not needed anymore)
  • cose-to-jwk (not needed anymore)
  • jwk-to-pem (not needed anymore)
  • fido2-helpers (bundled and modified, to reduce duplication)
  • mockery (not used?)

Comments

• The basic interface has not changed much (if any) but this should really be released as a new major if accepted.

[JamesCullum]

Thanks for the awesome work! Will review asap

[JamesCullum]

Really great changes, thanks! I did a quick review and all looks good.

A few points open:

1. You changed the algName from "SHA256" to "SHA-256". Will this break something? I don't see this being changed elsewhere.
2. I would like this to be a major version bump - can you increment the major version in package.json?
3. Do we need to update documentation?
4. Code scanning raised line 220 in lib/utils.js - this would only replace the first \r - I assume that you actually want this to be a global replace?

[Hexagon]

@JamesCullum Glad to hear it looks ok!

1. It's changed where it's needed in the code, the background is that node crypto uses algorithm names without dash (https://nodejs.org/api/crypto.html#class-hash) while webcrypto includes the dash (https://nodejs.org/api/webcrypto.html#rsahashedimportparamshash)

2. Fixed in next commit

3. The following changes is made to Readme.md

   • Separate examples for require and import
   • Changed CI -> Node CI on badge, to prepare for Deno CI
   • Added --save on npm install command
   • Changed var to const in example implementations

4. Fixed in next commit. Also added CRLF-line endings to one of the pem fixtures, to make sure it works as intended.

Additional changes:

5. Replaced npm run test with npm run build in testing pipeline. npm run build run these steps:

   • npm run test
   • npx rollup (to generate dist/main.cjs and test/dist/*.js
   • npm run test:dist

6. Removed ./test.js

7. Updated changelog in PR description

[JamesCullum]

Thanks for the awesome work - looking forward to the Deno PR 👍