Merge pull request #579 from web-auth/4.8.x-merge-up-into-5.0.x_5donwdju

Merge release 4.8.3 into 5.0.x

.github/workflows/infection.yml

@@ -26,7 +26,7 @@ jobs:
  run: "git fetch --depth=1 origin ${GITHUB_BASE_REF}"
 
  - name: "Install dependencies"
- uses: "ramsey/composer-install@v2"
+ uses: "ramsey/composer-install@v3"
  with:
  dependency-versions: "highest"
  composer-options: "--optimize-autoloader"

.github/workflows/integrate.yml

@@ -39,7 +39,7 @@ jobs:
  uses: "actions/checkout@v4"
 
  - name: "Install dependencies"
- uses: "ramsey/composer-install@v2"
+ uses: "ramsey/composer-install@v3"
  with:
  dependency-versions: "highest"
 
@@ -77,7 +77,7 @@ jobs:
  fetch-depth: 0
 
  - name: "Install dependencies"
- uses: "ramsey/composer-install@v2"
+ uses: "ramsey/composer-install@v3"
  with:
  dependency-versions: "${{ matrix.dependencies }}"
  composer-options: "--optimize-autoloader"
@@ -114,7 +114,7 @@ jobs:
  fetch-depth: 0
 
  - name: "Install dependencies"
- uses: "ramsey/composer-install@v2"
+ uses: "ramsey/composer-install@v3"
  with:
  dependency-versions: "${{ matrix.dependencies }}"
  composer-options: "--optimize-autoloader"
@@ -143,7 +143,7 @@ jobs:
  run: "composer validate"
 
  - name: "Install dependencies"
- uses: "ramsey/composer-install@v2"
+ uses: "ramsey/composer-install@v3"
  with:
  dependency-versions: "highest"
  composer-options: "--optimize-autoloader"
@@ -175,7 +175,7 @@ jobs:
  uses: "greut/eclint-action@v0"
 
  - name: "Install dependencies"
- uses: "ramsey/composer-install@v2"
+ uses: "ramsey/composer-install@v3"
  with:
  dependency-versions: "highest"
  composer-options: "--optimize-autoloader"
@@ -214,7 +214,7 @@ jobs:
  run: "git fetch --depth=1 origin ${GITHUB_BASE_REF}"
 
  - name: "Install dependencies"
- uses: "ramsey/composer-install@v2"
+ uses: "ramsey/composer-install@v3"
  with:
  dependency-versions: "highest"
  composer-options: "--optimize-autoloader"

.github/workflows/scorecards.yml

@@ -50,7 +50,7 @@ jobs:
  # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
  # format to the repository Actions tab.
  - name: "Upload artifact"
- uses: actions/[email protected].0
+ uses: actions/[email protected].1
  with:
  name: SARIF file
  path: results.sarif

README.md

@@ -37,11 +37,15 @@ Or
 
 [![Become a Patreon](https://c5.patreon.com/external/logo/become_a_patron_button.png)](https://www.patreon.com/FlorentMorselli)
 
+# Supported Versions
+
+The list of the supported versions is available [on this page](https://github.com/web-auth/webauthn-framework/blob/4.8.x/RELEASES.md).
+
 # Contributing
 
 If you discover a security vulnerability within the project, please **don't use the bug tracker and don't publish it
 publicly**.
-Instead, all security issues must be sent to security [at] spomky-labs.com.
+Instead, all security issues must be sent via the [GitHub Vulnerability Report system](https://github.com/web-auth/webauthn-framework/security).
 
 # Licence
 

composer.json

@@ -94,7 +94,7 @@
  "symfony/security-bundle": "Symfony firewall using a JSON API (perfect for script applications)"
  },
  "require-dev": {
- "doctrine/dbal": "^3.8|4.0",
+ "doctrine/dbal": "^3.8|^4.0",
  "doctrine/doctrine-bundle": "^2.11",
  "doctrine/orm": "^2.14|^3.0",
  "doctrine/persistence": "^3.1",

phpstan-baseline.neon

@@ -136,6 +136,11 @@ parameters:
  count: 1
  path: src/metadata-service/src/Service/FidoAllianceCompliantMetadataService.php
 
+ -
+ message: "#^Parameter &\\$rootCertificates by\\-ref type of method Webauthn\\\\MetadataService\\\\Service\\\\FidoAllianceCompliantMetadataService\\:\\:getJwsPayload\\(\\) expects array\\<string\\>, array given\\.$#"
+ count: 1
+ path: src/metadata-service/src/Service/FidoAllianceCompliantMetadataService.php
+
  -
  message: """
  #^Call to deprecated method createFromString\\(\\) of class Webauthn\\\\MetadataService\\\\Statement\\\\MetadataStatement\\:
@@ -2326,11 +2331,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/AttestationObjectDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/AttestationObjectDenormalizer.php
-
  -
  message: "#^Cannot access offset 'fmt' on mixed\\.$#"
  count: 1
@@ -2356,16 +2356,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/AttestationStatementDenormalizer.php
 
- -
- message: "#^Argument of an invalid type mixed supplied for foreach, only iterables are supported\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/AuthenticationExtensionsDenormalizer.php
-
- -
- message: "#^Cannot access offset string on mixed\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/AuthenticationExtensionsDenormalizer.php
-
  -
  message: """
  #^Fetching class constant class of deprecated class Webauthn\\\\AuthenticationExtensions\\\\AuthenticationExtensionsClientInputs\\:
@@ -2392,16 +2382,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/AuthenticationExtensionsDenormalizer.php
 
- -
- message: "#^Parameter \\#1 \\$extensions of static method Webauthn\\\\AuthenticationExtensions\\\\AuthenticationExtensions\\:\\:create\\(\\) expects array\\<int\\|string, Webauthn\\\\AuthenticationExtensions\\\\AuthenticationExtension\\>, mixed given\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/AuthenticationExtensionsDenormalizer.php
-
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/AuthenticationExtensionsDenormalizer.php
-
  -
  message: "#^Cannot access offset 'attestationObject' on mixed\\.$#"
  count: 1
@@ -2472,11 +2452,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/AuthenticatorAssertionResponseDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/AuthenticatorAssertionResponseDenormalizer.php
-
  -
  message: "#^Cannot access offset 'attestationObject' on mixed\\.$#"
  count: 2
@@ -2527,11 +2502,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/AuthenticatorAttestationResponseDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/AuthenticatorAttestationResponseDenormalizer.php
-
  -
  message: "#^Cannot access offset 1 on array\\|false\\.$#"
  count: 2
@@ -2577,11 +2547,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/AuthenticatorDataDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/AuthenticatorDataDenormalizer.php
-
  -
  message: "#^Method Webauthn\\\\Denormalizer\\\\AuthenticatorResponseDenormalizer\\:\\:denormalize\\(\\) has parameter \\$context with no value type specified in iterable type array\\.$#"
  count: 1
@@ -2597,11 +2562,6 @@ parameters:
  count: 2
  path: src/webauthn/src/Denormalizer/AuthenticatorResponseDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/AuthenticatorResponseDenormalizer.php
-
  -
  message: "#^Method Webauthn\\\\Denormalizer\\\\CollectedClientDataDenormalizer\\:\\:denormalize\\(\\) has parameter \\$context with no value type specified in iterable type array\\.$#"
  count: 1
@@ -2627,11 +2587,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/CollectedClientDataDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/CollectedClientDataDenormalizer.php
-
  -
  message: "#^Method Webauthn\\\\Denormalizer\\\\PublicKeyCredentialDenormalizer\\:\\:denormalize\\(\\) has parameter \\$context with no value type specified in iterable type array\\.$#"
  count: 1
@@ -2652,11 +2607,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/PublicKeyCredentialDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/PublicKeyCredentialDenormalizer.php
-
  -
  message: "#^Argument of an invalid type mixed supplied for foreach, only iterables are supported\\.$#"
  count: 1
@@ -2832,11 +2782,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/PublicKeyCredentialOptionsDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/PublicKeyCredentialOptionsDenormalizer.php
-
  -
  message: "#^Method Webauthn\\\\Denormalizer\\\\PublicKeyCredentialParametersDenormalizer\\:\\:denormalize\\(\\) has parameter \\$context with no value type specified in iterable type array\\.$#"
  count: 1
@@ -3002,11 +2947,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/PublicKeyCredentialSourceDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/PublicKeyCredentialSourceDenormalizer.php
-
  -
  message: "#^Method Webauthn\\\\Denormalizer\\\\PublicKeyCredentialUserEntityDenormalizer\\:\\:denormalize\\(\\) has parameter \\$context with no value type specified in iterable type array\\.$#"
  count: 1
@@ -3022,11 +2962,6 @@ parameters:
  count: 1
  path: src/webauthn/src/Denormalizer/PublicKeyCredentialUserEntityDenormalizer.php
 
- -
- message: "#^Strict comparison using \\=\\=\\= between Symfony\\\\Component\\\\Serializer\\\\Normalizer\\\\DenormalizerInterface and null will always evaluate to false\\.$#"
- count: 1
- path: src/webauthn/src/Denormalizer/PublicKeyCredentialUserEntityDenormalizer.php
-
  -
  message: "#^Cannot access offset 'type' on mixed\\.$#"
  count: 1
@@ -3114,7 +3049,7 @@ parameters:
  path: src/webauthn/src/PublicKeyCredentialOptions.php
 
  -
- message: "#^Parameter \\#1 \\$extensions of static method Webauthn\\\\AuthenticationExtensions\\\\AuthenticationExtensions\\:\\:create\\(\\) expects array\\<int\\|string, Webauthn\\\\AuthenticationExtensions\\\\AuthenticationExtension\\>, array\\<int\\|string, mixed\\> given\\.$#"
+ message: "#^Parameter \\#1 \\$extensions of static method Webauthn\\\\AuthenticationExtensions\\\\AuthenticationExtensions\\:\\:create\\(\\) expects array\\<Webauthn\\\\AuthenticationExtensions\\\\AuthenticationExtension\\>, array\\<int\\|string, mixed\\> given\\.$#"
  count: 1
  path: src/webauthn/src/PublicKeyCredentialOptions.php
 

src/metadata-service/src/Denormalizer/MetadataStatementSerializerFactory.php

@@ -16,6 +16,8 @@
 
 final class MetadataStatementSerializerFactory
 {
+ private const PACKAGE_SYMFONY_PROPERTY_INFO = 'symfony/property-info';
+
  private const PACKAGE_SYMFONY_SERIALIZER = 'symfony/serializer';
 
  private const PACKAGE_PHPDOCUMENTOR_REFLECTION_DOCBLOCK = 'phpdocumentor/reflection-docblock';
@@ -52,9 +54,9 @@ private static function getRequiredSerializerClasses(): array
  UidNormalizer::class => self::PACKAGE_SYMFONY_SERIALIZER,
  ArrayDenormalizer::class => self::PACKAGE_SYMFONY_SERIALIZER,
  ObjectNormalizer::class => self::PACKAGE_SYMFONY_SERIALIZER,
- PropertyInfoExtractor::class => self::PACKAGE_SYMFONY_SERIALIZER,
+ PropertyInfoExtractor::class => self::PACKAGE_SYMFONY_PROPERTY_INFO,
  PhpDocExtractor::class => self::PACKAGE_PHPDOCUMENTOR_REFLECTION_DOCBLOCK,
- ReflectionExtractor::class => self::PACKAGE_SYMFONY_SERIALIZER,
+ ReflectionExtractor::class => self::PACKAGE_SYMFONY_PROPERTY_INFO,
  JsonEncoder::class => self::PACKAGE_SYMFONY_SERIALIZER,
  Serializer::class => self::PACKAGE_SYMFONY_SERIALIZER,
  ];

src/webauthn/src/AuthenticationExtensions/AuthenticationExtensions.php

@@ -29,7 +29,7 @@ class AuthenticationExtensions implements JsonSerializable, Countable, IteratorA
  public array $extensions;
 
  /**
- * @param array<string|int, mixed|AuthenticationExtension> $extensions
+ * @param array<array-key, mixed|AuthenticationExtension> $extensions
  */
  public function __construct(array $extensions = [])
  {
@@ -50,7 +50,7 @@ public function __construct(array $extensions = [])
  }
 
  /**
- * @param array<string|int, AuthenticationExtension> $extensions
+ * @param array<array-key, AuthenticationExtension> $extensions
  */
  public static function create(array $extensions = []): static
  {

src/webauthn/src/Denormalizer/AttestationObjectDenormalizer.php

@@ -6,7 +6,6 @@
 
 use CBOR\Decoder;
 use CBOR\Normalizable;
-use Symfony\Component\Serializer\Exception\BadMethodCallException;
 use Symfony\Component\Serializer\Normalizer\DenormalizerAwareInterface;
 use Symfony\Component\Serializer\Normalizer\DenormalizerAwareTrait;
 use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
@@ -22,9 +21,6 @@ final class AttestationObjectDenormalizer implements DenormalizerInterface, Deno
 
  public function denormalize(mixed $data, string $type, string $format = null, array $context = []): mixed
  {
- if ($this->denormalizer === null) {
- throw new BadMethodCallException('Please set a denormalizer before calling denormalize()!');
- }
  $stream = new StringStream($data);
  $parsed = Decoder::create()->decode($stream);
 

src/webauthn/src/Denormalizer/AuthenticationExtensionsDenormalizer.php

@@ -4,15 +4,16 @@
 
 namespace Webauthn\Denormalizer;
 
-use Symfony\Component\Serializer\Exception\BadMethodCallException;
 use Symfony\Component\Serializer\Normalizer\DenormalizerAwareInterface;
 use Symfony\Component\Serializer\Normalizer\DenormalizerAwareTrait;
 use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
 use Webauthn\AuthenticationExtensions\AuthenticationExtension;
 use Webauthn\AuthenticationExtensions\AuthenticationExtensions;
 use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
 use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientOutputs;
+use function assert;
 use function in_array;
+use function is_array;
 use function is_string;
 
 final class AuthenticationExtensionsDenormalizer implements DenormalizerInterface, DenormalizerAwareInterface
@@ -21,9 +22,10 @@ final class AuthenticationExtensionsDenormalizer implements DenormalizerInterfac
 
  public function denormalize(mixed $data, string $type, string $format = null, array $context = []): mixed
  {
- if ($this->denormalizer === null) {
- throw new BadMethodCallException('Please set a denormalizer before calling denormalize()!');
+ if ($data instanceof AuthenticationExtensions) {
+ return AuthenticationExtensions::create($data->extensions);
  }
+ assert(is_array($data), 'The data should be an array.');
  foreach ($data as $key => $value) {
  if (! is_string($key)) {
  continue;

src/webauthn/src/Denormalizer/AuthenticatorAssertionResponseDenormalizer.php

@@ -5,7 +5,6 @@
 namespace Webauthn\Denormalizer;
 
 use ParagonIE\ConstantTime\Base64UrlSafe;
-use Symfony\Component\Serializer\Exception\BadMethodCallException;
 use Symfony\Component\Serializer\Normalizer\DenormalizerAwareInterface;
 use Symfony\Component\Serializer\Normalizer\DenormalizerAwareTrait;
 use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
@@ -21,10 +20,6 @@ final class AuthenticatorAssertionResponseDenormalizer implements DenormalizerIn
 
  public function denormalize(mixed $data, string $type, string $format = null, array $context = []): mixed
  {
- if ($this->denormalizer === null) {
- throw new BadMethodCallException('Please set a denormalizer before calling denormalize()!');
- }
-
  $data['authenticatorData'] = Base64::decode($data['authenticatorData']);
  $data['signature'] = Base64::decode($data['signature']);
  $data['clientDataJSON'] = Base64UrlSafe::decodeNoPadding($data['clientDataJSON']);

src/webauthn/src/Denormalizer/AuthenticatorAttestationResponseDenormalizer.php

@@ -5,7 +5,6 @@
 namespace Webauthn\Denormalizer;
 
 use ParagonIE\ConstantTime\Base64UrlSafe;
-use Symfony\Component\Serializer\Exception\BadMethodCallException;
 use Symfony\Component\Serializer\Normalizer\DenormalizerAwareInterface;
 use Symfony\Component\Serializer\Normalizer\DenormalizerAwareTrait;
 use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
@@ -20,10 +19,6 @@ final class AuthenticatorAttestationResponseDenormalizer implements Denormalizer
 
  public function denormalize(mixed $data, string $type, string $format = null, array $context = []): mixed
  {
- if ($this->denormalizer === null) {
- throw new BadMethodCallException('Please set a denormalizer before calling denormalize()!');
- }
-
  $data['clientDataJSON'] = Base64UrlSafe::decodeNoPadding($data['clientDataJSON']);
  $data['attestationObject'] = Base64::decode($data['attestationObject']);