Bump webauthn-json fork (#527)

incorbador · web-flow · commit 3ac9d760b088 · 2025-03-31T13:12:16.000+02:00
* Bump webauthn-json fork

* Prettier

* Address parts of the vulnarabilities from playgrounds and toolings (only internal so not a big problem)

* Address more tooling vulns (non-breaking, for the rest we have to replace CRA)

* Update to Next15 in connect-next playground

* Prettier
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -39,7 +39,6 @@
     "eslint-plugin-simple-import-sort": "10.0.0",
     "lerna": "^8.1.8",
     "node-fetch": "^3.3.2",
-    "pm2": "^5.3.0",
     "prettier": "^3.1.0",
     "rimraf": "^5.0.5",
     "ts-loader": "^9.5.1",
diff --git a/packages/connect-react/package.json b/packages/connect-react/package.json
@@ -32,10 +32,7 @@
   },
   "dependencies": {
     "@corbado/web-core": "^3.0.1",
-    "date-fns": "^3.6.0",
-    "i18next": "23.5.1",
-    "i18next-browser-languagedetector": "7.1.0",
-    "react-i18next": "13.2.2"
+    "date-fns": "^3.6.0"
   },
   "devDependencies": {
     "@corbado/types": "^3.0.1",
diff --git a/packages/connect-react/webpack.prod.js b/packages/connect-react/webpack.prod.js
@@ -20,8 +20,5 @@ module.exports = merge(common, {
   externals: {
     '@corbado/web-core': '@corbado/web-core',
     react: 'react',
-    i18next: 'i18next',
-    'i18next-browser-languagedetector': 'i18next-browser-languagedetector',
-    'react-i18next': 'react-i18next',
   },
 });
diff --git a/packages/react/changelog.md b/packages/react/changelog.md
@@ -4,7 +4,6 @@
 
 - Fix a bug where passkey-append aborts in rare cases when users create a passkey right after signup.
 
-
 ## 3.0.0
 
 ### Major changes
diff --git a/packages/web-core/package.json b/packages/web-core/package.json
@@ -34,9 +34,9 @@
     "url": "https://github.com/corbado/javascript/issues"
   },
   "dependencies": {
-    "@corbado/webauthn-json": "^2.1.2",
+    "@corbado/webauthn-json": "^2.2.0",
     "@fingerprintjs/fingerprintjs": "^3.4.2",
-    "axios": "^1.7.4",
+    "axios": "^1.8.4",
     "detectincognitojs": "^1.3.7",
     "loglevel": "^1.8.1",
     "rxjs": "^7.8.1",
diff --git a/playground/connect-next/app/actions.ts b/playground/connect-next/app/actions.ts
@@ -3,12 +3,13 @@
 import { cookies } from 'next/headers';
 
 export async function getAppendToken() {
-  const displayName = cookies().get('displayName');
+  const cookieStore = await cookies();
+  const displayName = cookieStore.get('displayName');
   if (!displayName) {
     return null;
   }
 
-  const identifier = cookies().get('identifier');
+  const identifier = cookieStore.get('identifier');
   if (!identifier) {
     return null;
   }
diff --git a/playground/connect-next/app/home/page.tsx b/playground/connect-next/app/home/page.tsx
@@ -1,8 +1,9 @@
 import { cookies } from 'next/headers';
 import Home from '@/app/home/client';
 
-export default function Page() {
-  const maybeSecretCode = cookies().get('secretCode');
+export default async function Page() {
+  const cookieStore = await cookies();
+  const maybeSecretCode = cookieStore.get('secretCode');
 
   return <Home maybeSecretCode={maybeSecretCode?.value} />;
 }
diff --git a/playground/connect-next/app/login/actions.ts b/playground/connect-next/app/login/actions.ts
@@ -36,8 +36,9 @@ export async function postPasskeyLogin(session: string) {
 
   const email = response.UserAttributes?.find(attr => attr.Name === 'email')?.Value;
   if (email) {
-    cookies().set('displayName', email);
-    cookies().set('identifier', username);
+    const cookieStore = await cookies();
+    cookieStore.set('displayName', email);
+    cookieStore.set('identifier', username);
   }
 
   return;
@@ -64,7 +65,8 @@ export async function postPasskeyLoginNew(signedPasskeyData: string, clientState
   await postPasskeyLogin(out.session);
 
   // update client side state
-  cookies().set({ name: 'cbo_client_state', value: clientState, httpOnly: true });
+  const cookieStore = await cookies();
+  cookieStore.set({ name: 'cbo_client_state', value: clientState, httpOnly: true });
 }
 
 function createSecretHash(username: string, clientId: string, clientSecret: string) {
@@ -80,7 +82,8 @@ export async function startConventionalLogin(email: string, password: string) {
       throw new Error('Email and password are required.');
     }
 
-    cookies().set('displayName', email);
+    const cookieStore = await cookies();
+    cookieStore.set('displayName', email);
 
     const client = new CognitoIdentityProviderClient({
       region: process.env.AWS_REGION!,
@@ -113,14 +116,14 @@ export async function startConventionalLogin(email: string, password: string) {
       const decoded = await verifyToken(response.AuthenticationResult.AccessToken);
       const username = decoded.username;
       if (email) {
-        cookies().set('identifier', username);
+        cookieStore.set('identifier', username);
       }
 
       return { success: true };
     }
 
     if (response.Session && response.ChallengeName === 'SOFTWARE_TOKEN_MFA') {
-      cookies().set('mfa_session', response.Session);
+      cookieStore.set('mfa_session', response.Session);
 
       return { success: true, screen: 'MFA_SOFTWARE_TOKEN' };
     }
diff --git a/playground/connect-next/app/login/page.tsx b/playground/connect-next/app/login/page.tsx
@@ -5,8 +5,9 @@ export type Props = {
   clientState: string | undefined;
 };
 
-export default function LoginPage() {
-  const clientState = cookies().get('cbo_client_state');
+export default async function LoginPage() {
+  const cookieStore = await cookies();
+  const clientState = cookieStore.get('cbo_client_state');
   console.log('clientState', clientState);
 
   return <LoginComponent clientState={clientState?.value} />;
diff --git a/playground/connect-next/app/mfa-software-token/actions.ts b/playground/connect-next/app/mfa-software-token/actions.ts
@@ -18,8 +18,9 @@ function createSecretHash(username: string, clientId: string, clientSecret: stri
 
 export async function startMFASoftwareToken(totp: string) {
   try {
-    const session = cookies().get('mfa_session');
-    const displayName = cookies().get('displayName');
+    const cookieStore = await cookies();
+    const session = cookieStore.get('mfa_session');
+    const displayName = cookieStore.get('displayName');
 
     if (!totp || !session || !displayName) {
       throw new Error('Missing required fields.');
@@ -75,7 +76,8 @@ export async function startMFASoftwareToken(totp: string) {
 }
 
 export async function generateTOTP() {
-  const secretCode = cookies().get('secretCode');
+  const cookieStore = await cookies();
+  const secretCode = cookieStore.get('secretCode');
   if (!secretCode) {
     return {
       success: false,
diff --git a/playground/connect-next/app/passkey-list/actions.ts b/playground/connect-next/app/passkey-list/actions.ts
@@ -4,7 +4,8 @@ import { cookies } from 'next/headers';
 import { ConnectTokenType } from '@corbado/types';
 
 export async function getCorbadoToken(tokenType: ConnectTokenType) {
-  const identifier = cookies().get('identifier');
+  const cookieStore = await cookies();
+  const identifier = cookieStore.get('identifier');
   if (!identifier) {
     return null;
   }
diff --git a/playground/connect-next/app/post-login/actions.ts b/playground/connect-next/app/post-login/actions.ts
@@ -3,6 +3,6 @@
 import { cookies } from 'next/headers';
 
 export async function postPasskeyAppend(_: string, clientState: string) {
-  // update client side state
-  cookies().set({ name: 'cbo_client_state', value: clientState, httpOnly: true });
+  const cookieStore = await cookies();
+  cookieStore.set({ name: 'cbo_client_state', value: clientState, httpOnly: true });
 }
diff --git a/playground/connect-next/app/signup/actions.ts b/playground/connect-next/app/signup/actions.ts
@@ -25,9 +25,10 @@ export const createAccount = async (email: string, phone: string, password: stri
   // of course this is not secure, but it's just a demo ;)
 
   const randomUsername = generateRandomString(10);
+  const cookieStore = await cookies();
 
-  cookies().set('displayName', email);
-  cookies().set('identifier', randomUsername);
+  cookieStore.set('displayName', email);
+  cookieStore.set('identifier', randomUsername);
 
   // create client that loads profile from ~/.aws/credentials or environment variables
   const client = new CognitoIdentityProviderClient({
@@ -91,7 +92,7 @@ export const createAccount = async (email: string, phone: string, password: stri
   const associateSoftwareTokenRes = await client.send(associateSoftwareTokenCommand);
   console.log('associateSoftwareTokenRes', associateSoftwareTokenRes);
 
-  cookies().set('secretCode', associateSoftwareTokenRes.SecretCode!);
+  cookieStore.set('secretCode', associateSoftwareTokenRes.SecretCode!);
 
   const { otp } = TOTP.generate(associateSoftwareTokenRes.SecretCode!);
   console.log('otp', otp);
diff --git a/playground/connect-next/package.json b/playground/connect-next/package.json
@@ -17,7 +17,7 @@
     "crypto-js": "^4.2.0",
     "jsonwebtoken": "^9.0.2",
     "jwks-rsa": "^3.1.0",
-    "next": "14.2.4",
+    "next": "15.2.4",
     "react": "^18",
     "react-dom": "^18",
     "totp-generator": "^1.0.0"
diff --git a/playground/connect-next/tsconfig.json b/playground/connect-next/tsconfig.json
@@ -19,7 +19,8 @@
     ],
     "paths": {
       "@/*": ["./*"]
-    }
+    },
+    "target": "ES2017"
   },
   "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
   "exclude": ["node_modules"]
diff --git a/scripts/e2eTests.ts b/scripts/e2eTests.ts

Original file line number	Diff line number	Diff line change
`@@ -3,12 +3,13 @@`
`3`	`3`	`import { cookies } from 'next/headers';`
`4`	`4`
`5`	`5`	`export async function getAppendToken() {`
`6`		`- const displayName = cookies().get('displayName');`
	`6`	`+ const cookieStore = await cookies();`
	`7`	`+ const displayName = cookieStore.get('displayName');`
`7`	`8`	`if (!displayName) {`
`8`	`9`	`return null;`
`9`	`10`	`}`
`10`	`11`
`11`		`- const identifier = cookies().get('identifier');`
	`12`	`+ const identifier = cookieStore.get('identifier');`
`12`	`13`	`if (!identifier) {`
`13`	`14`	`return null;`
`14`	`15`	`}`