fix: don't break on Edge runtime when WebAuthn isn't used (#9919)

* require externally-defined simplewebauthn methods

* import simplewebauthn in provider file

* revert unnecessary changes

* explicitly only import type from providers/webauthn

* remove getSimpleWebAuthnBrowserScriptTag

* fixes

* drop @internal

---------

Co-authored-by: Balázs Orbán <[email protected]>

Author: Maronato

packages/core/package.json

@@ -70,10 +70,14 @@
     "preact-render-to-string": "5.2.3"
   },
   "peerDependencies": {
+    "@simplewebauthn/browser": "^9.0.1",
     "@simplewebauthn/server": "^9.0.1",
     "nodemailer": "^6.8.0"
   },
   "peerDependenciesMeta": {
+    "@simplewebauthn/browser": {
+      "optional": true
+    },
     "@simplewebauthn/server": {
       "optional": true
     },
@@ -99,4 +103,4 @@
     "postcss": "8.4.19",
     "postcss-nesting": "^12.0.2"
   }
-}
+}

packages/core/src/lib/pages/index.ts

@@ -14,16 +14,24 @@ import type {
   PublicProvider,
 } from "../../types.js"
 import type { Cookie } from "../utils/cookie.js"
-import { getSimpleWebAuthnBrowserScriptTag } from "../../providers/webauthn.js"
 
-function send({ html, title, status, cookies, theme, headTags }: any): ResponseInternal {
+function send({
+  html,
+  title,
+  status,
+  cookies,
+  theme,
+  headTags,
+}: any): ResponseInternal {
   return {
     cookies,
     status,
     headers: { "Content-Type": "text/html" },
     body: `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0"><style>${css}</style><title>${title}</title>${
       headTags ?? ""
-    }</head><body class="__next-auth-theme-${theme?.colorScheme ?? "auto"}"><div class="page">${renderToString(html)}</div></body></html>`,
+    }</head><body class="__next-auth-theme-${
+      theme?.colorScheme ?? "auto"
+    }"><div class="page">${renderToString(html)}</div></body></html>`,
   }
 }
 
@@ -87,11 +95,17 @@ export default function renderPage(params: RenderPageParams) {
       // a simpleWebAuthnBrowserScript is defined, we need to
       // render the script in the page.
       const webauthnProvider = providers?.find(
-        (p): p is InternalProvider<"webauthn"> => p.type === "webauthn" && p.enableConditionalUI
+        (p): p is InternalProvider<"webauthn"> =>
+          p.type === "webauthn" &&
+          p.enableConditionalUI &&
+          !!p.simpleWebAuthnBrowserVersion
       )
-      const simpleWebAuthnBrowserScript = webauthnProvider ?
-        getSimpleWebAuthnBrowserScriptTag(webauthnProvider) :
-        undefined
+
+      let simpleWebAuthnBrowserScript = ""
+      if (webauthnProvider) {
+        const { simpleWebAuthnBrowserVersion } = webauthnProvider
+        simpleWebAuthnBrowserScript = `<script src="https://unpkg.com/browse/@simplewebauthn/browser@${simpleWebAuthnBrowserVersion}/dist/bundle/index.umd.min.js" crossorigin="anonymous"></script>`
+      }
 
       return send({
         cookies,

packages/core/src/lib/utils/webauthn-utils.ts

@@ -1,9 +1,8 @@
-import type { RelayingParty, WebAuthnProviderType } from "../../providers/webauthn";
+import type { WebAuthnProviderType } from "../../providers/webauthn";
 import type { Account, Authenticator, Awaited, InternalOptions, RequestInternal, ResponseInternal, User } from "../../types";
 import type { Cookie } from "./cookie";
 import { AdapterError, AuthError, InvalidProvider, MissingAdapter, WebAuthnVerificationError } from "../../errors";
 import { webauthnChallenge } from "../actions/callback/oauth/checks";
-import { VerifiedAuthenticationResponse, VerifiedRegistrationResponse, generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse } from "@simplewebauthn/server";
 import type {
   AuthenticationResponseJSON,
   PublicKeyCredentialCreationOptionsJSON,
@@ -13,6 +12,7 @@ import type {
 import type { Adapter, AdapterAccount, AdapterAuthenticator } from "../../adapters";
 import type { GetUserInfo } from "../../providers/webauthn";
 import { randomString } from "./web";
+import type { VerifiedAuthenticationResponse, VerifiedRegistrationResponse } from "@simplewebauthn/server";
 
 export type WebAuthnRegister = "register"
 export type WebAuthnAuthenticate = "authenticate"
@@ -198,7 +198,7 @@ export async function verifyAuthenticate(
   let verification: VerifiedAuthenticationResponse
   try {
     const relayingParty = provider.getRelayingParty(options, request)
-    verification = await verifyAuthenticationResponse({
+    verification = await provider.simpleWebAuthn.verifyAuthenticationResponse({
       ...provider.verifyAuthenticationOptions,
       expectedChallenge,
       response: data as AuthenticationResponseJSON,
@@ -274,7 +274,7 @@ export async function verifyRegister(
   let verification: VerifiedRegistrationResponse
   try {
     const relayingParty = provider.getRelayingParty(options, request)
-    verification = await verifyRegistrationResponse({
+    verification = await provider.simpleWebAuthn.verifyRegistrationResponse({
       ...provider.verifyRegistrationOptions,
       expectedChallenge,
       response: data as RegistrationResponseJSON,
@@ -336,7 +336,7 @@ async function getAuthenticationOptions(options: InternalOptionsWebAuthn, reques
   const relayingParty = provider.getRelayingParty(options, request)
 
   // Return the authentication options.
-  return await generateAuthenticationOptions({
+  return await provider.simpleWebAuthn.generateAuthenticationOptions({
     ...provider.authenticationOptions,
     rpID: relayingParty.id,
     allowCredentials: authenticators?.map((a) => ({
@@ -375,7 +375,7 @@ async function getRegistrationOptions(
   const relayingParty = provider.getRelayingParty(options, request)
 
   // Return the registration options.
-  return await generateRegistrationOptions({
+  return await provider.simpleWebAuthn.generateRegistrationOptions({
     ...provider.registrationOptions,
     userID,
     userName: user.email,