Skip to content

Update/passkey 01#13378

Open
rastislavcore wants to merge 4 commits intonextauthjs:mainfrom
rastislavcore:update/passkey-01
Open

Update/passkey 01#13378
rastislavcore wants to merge 4 commits intonextauthjs:mainfrom
rastislavcore:update/passkey-01

Conversation

@rastislavcore
Copy link

@rastislavcore rastislavcore commented Feb 9, 2026

☕️ Reasoning

This PR upgrades WebAuthn / Passkey support to SimpleWebAuthn v13 and keeps docs and tests in sync.

This will make it production ready instead of deprecated version.

Package updates

  • Bump @simplewebauthn/browser and @simplewebauthn/server from v9 to ^13.2.2 (peer and dev dependencies).
  • Drop @simplewebauthn/types (deprecated in v13; types now come from browser and server packages).

API and implementation changes (v13)

  • Registration options: userID is now a Uint8Array (encoded via TextEncoder); credential IDs in allowCredentials / excludeCredentials are base64 strings (a.credentialID).
  • Authentication verification: Use credential (WebAuthnCredential: id, publicKey, counter) instead of authenticator. Add adapterAuthenticatorToWebAuthnCredential() and ensure publicKey is an ArrayBuffer-backed Uint8Array for type compatibility.
  • Registration verification: Use v13 registrationInfo shape: credential (id, publicKey, counter) and top-level credentialDeviceType / credentialBackedUp.
  • Client script (webauthn-client.js): startAuthentication and startRegistration now take a single options object (optionsJSON, useBrowserAutofill / useAutoRegister).
  • Config type: ConfigurableVerifyAuthenticationOptions omits credential instead of authenticator. Remove unused fromAdapterAuthenticator.

Tests

  • Adjust expectations and mocks for v13 (e.g. registrationInfo.credential, credential in auth verification, CredentialDeviceType, Uint8Array for publicKey).
  • Add a Passkey provider test block: registration and authentication flows with Passkey defaults and provider.id === "passkey".

Documentation

  • Provider JSDoc (passkey.ts, webauthn.ts): document both peer deps, v13.2.2 install, and a short “SimpleWebAuthn v13” note (credential IDs, credential usage, browser API shape).
  • Guides: Update docs/pages/getting-started/providers/passkey.mdx and docs/pages/getting-started/authentication/webauthn.mdx to install @^13.2.2, mention v13 and that types live in browser/server. Fix typo @simplewebauth/browser@simplewebauthn/browser.

🧢 Checklist

  • Documentation
  • Tests
  • Ready to be merged

🎫 Affected issues

📌 Resources

@rastislavcore
Updates SimpleWebAuthn dependencies
6102e99 
Updates `@simplewebauthn/browser` and `@simplewebauthn/server` dependencies to v13.2.2.

This upgrade brings improved security and compatibility by aligning with the latest version of the library, addressing potential vulnerabilities and ensuring better integration with modern browser environments. It also changes the way options are passed to `startAuthentication` and `startRegistration` methods.

The userID for registration options is now expected to be a Uint8Array. The authenticator's credential ID is no longer base64 encoded.
@rastislavcore
Refactors WebAuthn verification process
defb80f 
Updates the WebAuthn verification process to align with changes in the underlying SimpleWebAuthn library.

This change streamlines the extraction and usage of credential information, resulting in a cleaner and more maintainable codebase. It simplifies the verification logic by directly passing credential data.
@rastislavcore
Updates WebAuthn/Passkey provider docs for v13
e0caf19 
Updates the WebAuthn and Passkey provider documentation to reflect the SimpleWebAuthn v13 API changes.

This includes clarifying the required peer dependencies, detailing the differences in the API (credential IDs as base64 strings, `verifyAuthenticationResponse` requiring a `credential` object, and the options shape for browser helpers), and updating the setup instructions accordingly.

This ensures developers using these providers with SimpleWebAuthn v13 have accurate and up-to-date information.
@rastislavcore
Updates SimpleWebAuthn dependencies to v13
ba7504a 
Updates the `@simplewebauthn/browser` and `@simplewebauthn/server` peer dependencies to version 13.2.2 in the WebAuthn and Passkey documentation.

Clarifies the usage of `@simplewebauthn/browser` dependency, emphasizing that it's only required for custom sign-in pages. Also, mentions that types are now exported from browser and server packages.
@vercel
Copy link

vercel bot commented Feb 9, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
auth-docs Error Error Feb 9, 2026 0:32am
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
next-auth-docs Ignored Ignored Preview Feb 9, 2026 0:32am

Request Review

@vercel
Copy link

vercel bot commented Feb 9, 2026

@rastislavcore is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added providers core Refers to `@auth/core` labels Feb 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ThangHuuVu ThangHuuVu Awaiting requested review from ThangHuuVu ThangHuuVu is a code owner

@ndom91 ndom91 Awaiting requested review from ndom91 ndom91 is a code owner

@balazsorban44 balazsorban44 Awaiting requested review from balazsorban44 balazsorban44 is a code owner

Assignees

No one assigned

Labels

core Refers to `@auth/core` providers

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rastislavcore