Support loading offline MDS blobs in MetadataService by MasterKale · Pull Request #752 · MasterKale/SimpleWebAuthn

MasterKale · 2026-03-03T22:00:30Z

This PR exports a new verifyMDSBlob() method from @simplewebauthn/server/helpers to enable FIDO MDS metadata statements to be validated and then cached, to be loaded later into a runtime that does not support runtime network egress. It accepts a single string value containing a FIDO MDS JWT, verifies the integrity of the JWT, and then extracts the metadata statements suitable for passing in as statements when calling MetadataService.initialize() later.

Fixes #732.

Example

On runtime that can make external network requests:

import { verifyMDSBlob } from '@simplewebauthn/server/helpers';

const blob: string = manuallyFetchMDSBlob();

// Makes network requests for things like CRL checks
const { statements, parsedNextUpdate, payload } = await verifyMDSBlob(blob);

await writeStatementsToDisk(statements);

On runtime that cannot make external network requests

import { MetadataService } from '@simplewebauthn/server';

const savedStatements = await readStatementsFromDisk();

// No network requests nor validation happen here because the statements are assumed trusted
await MetadataService.initialize({
  mdsServers: [],
  statements: savedStatements,
});

MasterKale added 12 commits March 3, 2026 09:02

Stop ignoring a JWT test in modern Deno tests

c80fc79

Export JWT test values for reuse

f878f63

Define NonRefreshingMDS to capture quirky behavior

9a2fed5

Break apart blob download and verification

061be02

Refine some docstrings

c896d0c

Refactor existing downloads to use new verifier

733d072

Use NonRefreshingMDS URL for statements

53f90f5

Add and handle new mdsBlobs arg to initialize()

78ad52f

Add test MDS blob root cert to test data

ca9d32a

Reset metadata cache on initialization

ab8566a

Add test for loading offline MDS blob

08381fe

Tweak data staleness warning message

8798082

MasterKale mentioned this pull request Mar 3, 2026

Expose MDS download or statement cache #732

Closed

MasterKale added the package:server @simplewebauthn/server label Mar 3, 2026

MasterKale added this to the v13.2.4 milestone Mar 3, 2026

(Unrelated) Fix a docstring typo

972713b

MasterKale mentioned this pull request Mar 3, 2026

Update parameter description for authentication response #730

Closed

MasterKale added 5 commits March 4, 2026 09:34

Extract blob verification into new exported helper

2a6b4f0

Remove mdsBlobs argument

adf33d3

Clean up from mdsBlobs removal

31d8314

Rename method to verifyMDSBlob()

65e87a9

Export as a helper

6bf921e

MasterKale merged commit d9e7dd1 into master Mar 10, 2026
4 checks passed

MasterKale deleted the feat/support-offline-metadata-blobs branch March 10, 2026 05:09

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Support loading offline MDS blobs in MetadataService#752

Support loading offline MDS blobs in MetadataService#752
MasterKale merged 18 commits intomasterfrom
feat/support-offline-metadata-blobs

MasterKale commented Mar 3, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

MasterKale commented Mar 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Example

On runtime that can make external network requests:

On runtime that cannot make external network requests

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

MasterKale commented Mar 3, 2026 •

edited

Loading