4 files changed, 8 insertions, 9 deletions
diff --git a/packages/server/src/assertion/verifyAssertionResponse.ts b/packages/server/src/assertion/verifyAssertionResponse.ts
index 0029796..889c577 100644
--- a/packages/server/src/assertion/verifyAssertionResponse.ts
+++ b/packages/server/src/assertion/verifyAssertionResponse.ts
@@ -49,9 +49,11 @@ export default function verifyAssertionResponse(options: Options): VerifiedAsser
     throw new Error(`Unexpected assertion type: ${type}`);
   }
 
-  if (challenge !== expectedChallenge) {
+  // Ensure the device provided the challenge we gave it
+  const encodedExpectedChallenge = base64url.encode(expectedChallenge);
+  if (challenge !== encodedExpectedChallenge) {
     throw new Error(
-      `Unexpected assertion challenge "${challenge}", expected "${expectedChallenge}"`,
+      `Unexpected assertion challenge "${challenge}", expected "${encodedExpectedChallenge}"`,
     );
   }
 
diff --git a/packages/server/src/attestation/verifyAttestationResponse.ts b/packages/server/src/attestation/verifyAttestationResponse.ts
index b2c874d..f52b13e 100644
--- a/packages/server/src/attestation/verifyAttestationResponse.ts
+++ b/packages/server/src/attestation/verifyAttestationResponse.ts
@@ -53,9 +53,10 @@ export default function verifyAttestationResponse(options: Options): VerifiedAtt
   }
 
   // Ensure the device provided the challenge we gave it
-  if (challenge !== expectedChallenge) {
+  const encodedExpectedChallenge = base64url.encode(expectedChallenge);
+  if (challenge !== encodedExpectedChallenge) {
     throw new Error(
-      `Unexpected attestation challenge "${challenge}", expected "${expectedChallenge}"`,
+      `Unexpected attestation challenge "${challenge}", expected "${encodedExpectedChallenge}"`,
     );
   }
 
diff --git a/packages/server/src/helpers/decodeClientDataJSON.test.ts b/packages/server/src/helpers/decodeClientDataJSON.test.ts
index b1a7940..b51f7ce 100644
--- a/packages/server/src/helpers/decodeClientDataJSON.test.ts
+++ b/packages/server/src/helpers/decodeClientDataJSON.test.ts
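Review bot: The new `if (challenge !== encodedExpectedChallenge)` check is an exact string match between the browser's clientDataJSON.challenge and this library's base64url encoding of expectedChallenge, so it only holds when both sides emit the same canonical form — in particular the unpadded form WebAuthn clients produce; the padded `...fQ==` fixture in the sibling test file suggests at least one encoder in this codebase pads, so the check will fail for any challenge whose byte length is not a multiple of three if `base64url.encode` does too. Comparing decoded bytes removes that dependency on canonical form and also allows a constant-time compare, which is cheap here even though a challenge is a one-time nonce rather than a long-lived secret: `const got = base64url.toBuffer(challenge); const want = base64url.toBuffer(encodedExpectedChallenge); if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {` (assuming the base64url helper exposes a decode-to-Buffer function; `base64url.decode` as used elsewhere returns a string). The function body of verifyAssertionResponse continues outside this hunk.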
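Review bot: The `base64url.encode(expectedChallenge)` line silently fixes the contract of `expectedChallenge` to "the challenge as generated server-side, before base64url encoding", and nothing in the hunk documents that; a caller who stores the already-encoded string it sent to the client (the natural thing to persist in a session) gets a double-encoded value and a permanently failing, hard-to-diagnose check. I would state it on the option itself and in the function's JSDoc, e.g. `/** The challenge exactly as generated for this ceremony (raw bytes or string), NOT the base64url string sent to the client; it is encoded here before comparison. */`. The same seven lines now appear verbatim in verifyAssertionResponse.ts; a shared `verifyChallenge(received, expected, ceremony)` helper would keep the two checks from drifting apart. The enclosing function starts and ends outside this hunk.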
@@ -8,7 +8,7 @@ test('should convert base64url-encoded attestation clientDataJSON to JSON', () =
       'Y6MzAwMCIsInR5cGUiOiJ3ZWJhdXRobi5jcmVhdGUifQ==',
     ),
   ).toEqual({
-    challenge: 'Sgx7v43OLrWOoTydLgNZ2',
+    challenge: 'U2d4N3Y0M09McldPb1R5ZExnTloy',
     clientExtensions: {},
     hashAlgorithm: 'SHA-256',
     origin: 'https://clover.millertime.dev:3000',
diff --git a/packages/server/src/helpers/decodeClientDataJSON.ts b/packages/server/src/helpers/decodeClientDataJSON.ts
index 52bbf4c..da0c693 100644
--- a/packages/server/src/helpers/decodeClientDataJSON.ts
+++ b/packages/server/src/helpers/decodeClientDataJSON.ts
@@ -7,10 +7,6 @@ export default function decodeClientDataJSON(data: string): ClientDataJSON {
   const toString = base64url.decode(data);
   const clientData: ClientDataJSON = JSON.parse(toString);
 
-  // `challenge` will be Base64URL-encoded here. Decode it for easier comparisons with what is
-  // provided as the expected value
-  clientData.challenge = base64url.decode(clientData.challenge);
-
   return clientData;
 } |
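Review bot: The updated expectation `challenge: 'U2d4N3Y0M09McldPb1R5ZExnTloy'` encodes a 21-byte value, a multiple of three, so it needs no padding and cannot tell whether this library's `base64url.encode` matches the unpadded form browsers put in clientDataJSON — which is exactly what the new exact-string comparison in verifyAssertionResponse and verifyAttestationResponse depends on. The fixture input on the line above (`...fQ==`) is padded, so encoders in this repository evidently disagree on that point. I would add a second case, either here or in the verify*Response tests, using a challenge whose length is not divisible by three and asserting the round trip succeeds and the encoded form contains no `=`. The test function begins before this hunk.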