Fix Uncaught DOMException: Failed to execute 'atob' on 'Window'

There is a missing import within the `uint8-to-base64` javascript
package which assumes that `atob` and `btoa` are present and exported
instead of using the `window.atob` and `window.btoa` functions. This
previously worked but as far as I can see things have become more strict
and this no longer works.

The dependency is small and I do not believe that we gain much from
having this code as an external dependency. I think instead we should
just consume this dependency and bring the code directly into Gitea
itself - the code is itself just some standard incantation for creating
base64 arrays in javascript.

Therefore this PR simply removes the dependency on `uint8-to-base64` and
rewrites the functions used in it.

Fix go-gitea#22507

Signed-off-by: Andrew Thornton <art27@cantab.net>

package.json

@@ -39,7 +39,6 @@
     "swagger-ui-dist": "4.15.5",
     "tippy.js": "6.3.7",
     "tributejs": "5.1.3",
-    "uint8-to-base64": "0.2.0",
     "vue": "3.2.45",
     "vue-bar-graph": "2.0.0",
     "vue-loader": "17.0.1",

web_src/js/features/user-auth-webauthn.js

@@ -1,8 +1,19 @@
 import $ from 'jquery';
-import {encode, decode} from 'uint8-to-base64';
 
 const {appSubUrl, csrfToken} = window.config;
 
+function encodeToBase64(toEncode) {
+  const output = [];
+  for (let i = 0; i < toEncode.length; i++) {
+    output.push(String.fromCharCode(toEncode[i]));
+  }
+  return window.btoa(output.join(''));
+}
+
+function decodeFromBase64(toDecode) {
+  return Uint8Array.from(window.atob(toDecode), (c) => c.charCodeAt(0));
+}
+
 export function initUserAuthWebAuthn() {
   if ($('.user.signin.webauthn-prompt').length === 0) {
     return;
@@ -14,9 +25,9 @@ export function initUserAuthWebAuthn() {
 
   $.getJSON(`${appSubUrl}/user/webauthn/assertion`, {})
     .done((makeAssertionOptions) => {
-      makeAssertionOptions.publicKey.challenge = decode(makeAssertionOptions.publicKey.challenge);
+      makeAssertionOptions.publicKey.challenge = decodeFromBase64(makeAssertionOptions.publicKey.challenge);
       for (let i = 0; i < makeAssertionOptions.publicKey.allowCredentials.length; i++) {
-        makeAssertionOptions.publicKey.allowCredentials[i].id = decode(makeAssertionOptions.publicKey.allowCredentials[i].id);
+        makeAssertionOptions.publicKey.allowCredentials[i].id = decodeFromBase64(makeAssertionOptions.publicKey.allowCredentials[i].id);
       }
       navigator.credentials.get({
         publicKey: makeAssertionOptions.publicKey
@@ -87,7 +98,7 @@ function verifyAssertion(assertedCredential) {
 
 // Encode an ArrayBuffer into a base64 string.
 function bufferEncode(value) {
-  return encode(value)
+  return encodeToBase64(value)
     .replace(/\+/g, '-')
     .replace(/\//g, '_')
     .replace(/=/g, '');
@@ -184,11 +195,11 @@ function webAuthnRegisterRequest() {
   }).done((makeCredentialOptions) => {
     $('#nickname').closest('div.field').removeClass('error');
 
-    makeCredentialOptions.publicKey.challenge = decode(makeCredentialOptions.publicKey.challenge);
-    makeCredentialOptions.publicKey.user.id = decode(makeCredentialOptions.publicKey.user.id);
+    makeCredentialOptions.publicKey.challenge = decodeFromBase64(makeCredentialOptions.publicKey.challenge);
+    makeCredentialOptions.publicKey.user.id = decodeFromBase64(makeCredentialOptions.publicKey.user.id);
     if (makeCredentialOptions.publicKey.excludeCredentials) {
       for (let i = 0; i < makeCredentialOptions.publicKey.excludeCredentials.length; i++) {
-        makeCredentialOptions.publicKey.excludeCredentials[i].id = decode(makeCredentialOptions.publicKey.excludeCredentials[i].id);
+        makeCredentialOptions.publicKey.excludeCredentials[i].id = decodeFromBase64(makeCredentialOptions.publicKey.excludeCredentials[i].id);
       }
     }