Revert "Add .isUserVerified() to RegistrationResult and AssertionResult"

This reverts commit 5c06fc0.

This commit makes changes to the README that will not be accurate
until the new version is released, so these changes have to move to a
release branch instead of main.

Author: emlun

NEWS

@@ -1,9 +1,5 @@
-== Version 2.5.0 (unreleased) ==
+== Version 2.4.2 (unreleased) ==
 
-New features:
-
-* Added method `.isUserVerified()` to `RegistrationResult` and `AssertionResult`
-  as a shortcut for accessing the UV flag in authenticator data.
 * Updated README and JavaDoc to use the "passkey" term and provide more guidance
   around passkey use cases.
 

README

@@ -489,50 +489,6 @@ PublicKeyCredentialCreationOptions request = rp.startRegistration(
     .build());
 ----------
 
-You can also request that user verification be used if possible, but is not required:
-
-[source,java]
-----------
-PublicKeyCredentialCreationOptions request = rp.startRegistration(
-  StartRegistrationOptions.builder()
-    .user(/* ... */)
-    .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
-        .userVerification(UserVerificationRequirement.PREFERRED)
-        .build())
-    .build());
-
-AssertionRequest request = rp.startAssertion(StartAssertionOptions.builder()
-    .username("alice")
-    .userVerification(UserVerificationRequirement.PREFERRED)
-    .build());
-----------
-
-In this case
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.4.1/com/yubico/webauthn/RelyingParty.html#finishRegistration(com.yubico.webauthn.FinishRegistrationOptions)[`RelyingParty.finishRegistration(...)`]
-and
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.4.1/com/yubico/webauthn/RelyingParty.html#finishAssertion(com.yubico.webauthn.FinishAssertionOptions)[`RelyingParty.finishAssertion(...)`]
-will NOT enforce user verification,
-but instead the `isUserVerified()` method of
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.0/com/yubico/webauthn/RegistrationResult.html[`RegistrationResult`]
-and
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.0/com/yubico/webauthn/AssertionResult.html[`AssertionResult`]
-will tell whether user verification was used.
-
-For example, you could prompt for a password as the second factor if `isUserVerified()` returns `false`:
-
-[source,java]
-----------
-AssertionResult result = rp.finishAssertion(/* ... */);
-
-if (result.isSuccess()) {
-    if (result.isUserVerified()) {
-        return successfulLogin(result.getUsername());
-    } else {
-        return passwordRequired(result.getUsername());
-    }
-}
-----------
-
 User verification can be used with both discoverable credentials (passkeys) and non-discoverable credentials.
 
 

webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java

@@ -31,8 +31,6 @@
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
 import com.yubico.webauthn.data.AuthenticatorAttachment;
 import com.yubico.webauthn.data.AuthenticatorData;
-import com.yubico.webauthn.data.AuthenticatorDataFlags;
-import com.yubico.webauthn.data.AuthenticatorResponse;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
@@ -146,25 +144,6 @@ public ByteArray getUserHandle() {
     return credential.getUserHandle();
   }
 
-  /**
-   * Check whether the <a href="https://www.w3.org/TR/webauthn/#user-verification">user
-   * verification</a> as performed during the authentication ceremony.
-   *
-   * <p>This flag is also available via <code>
-   * {@link PublicKeyCredential}.{@link PublicKeyCredential#getResponse() getResponse()}.{@link AuthenticatorResponse#getParsedAuthenticatorData() getParsedAuthenticatorData()}.{@link AuthenticatorData#getFlags() getFlags()}.{@link AuthenticatorDataFlags#UV UV}
-   * </code>.
-   *
-   * @return <code>true</code> if and only if the authenticator claims to have performed user
-   *     verification during the authentication ceremony.
-   * @see <a href="https://www.w3.org/TR/webauthn/#user-verification">User Verification</a>
-   * @see <a href="https://w3c.github.io/webauthn/#authdata-flags-uv">UV flag in §6.1. Authenticator
-   *     Data</a>
-   */
-  @JsonIgnore
-  public boolean isUserVerified() {
-    return credentialResponse.getResponse().getParsedAuthenticatorData().getFlags().UV;
-  }
-
   /**
    * Check whether the asserted credential is <a
    * href="https://w3c.github.io/webauthn/#backup-eligible">backup eligible</a>, using the <a

webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java

@@ -33,10 +33,7 @@
 import com.yubico.webauthn.data.AttestationType;
 import com.yubico.webauthn.data.AuthenticatorAttachment;
 import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
-import com.yubico.webauthn.data.AuthenticatorData;
-import com.yubico.webauthn.data.AuthenticatorDataFlags;
 import com.yubico.webauthn.data.AuthenticatorRegistrationExtensionOutputs;
-import com.yubico.webauthn.data.AuthenticatorResponse;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
@@ -128,25 +125,6 @@ private static RegistrationResult fromJson(
                     .collect(Collectors.toList())));
   }
 
-  /**
-   * Check whether the <a href="https://www.w3.org/TR/webauthn/#user-verification">user
-   * verification</a> as performed during the registration ceremony.
-   *
-   * <p>This flag is also available via <code>
-   * {@link PublicKeyCredential}.{@link PublicKeyCredential#getResponse() getResponse()}.{@link AuthenticatorResponse#getParsedAuthenticatorData() getParsedAuthenticatorData()}.{@link AuthenticatorData#getFlags() getFlags()}.{@link AuthenticatorDataFlags#UV UV}
-   * </code>.
-   *
-   * @return <code>true</code> if and only if the authenticator claims to have performed user
-   *     verification during the registration ceremony.
-   * @see <a href="https://www.w3.org/TR/webauthn/#user-verification">User Verification</a>
-   * @see <a href="https://w3c.github.io/webauthn/#authdata-flags-uv">UV flag in §6.1. Authenticator
-   *     Data</a>
-   */
-  @JsonIgnore
-  public boolean isUserVerified() {
-    return credential.getResponse().getParsedAuthenticatorData().getFlags().UV;
-  }
-
   /**
    * Check whether the created credential is <a
    * href="https://w3c.github.io/webauthn/#backup-eligible">backup eligible</a>, using the <a

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala

@@ -2575,43 +2575,6 @@ class RelyingPartyAssertionSpec
             .username(user.getName)
             .build()
 
-          it("exposes isUserVerified() with the UV flag value in authenticator data.") {
-            val pkcWithoutUv =
-              TestAuthenticator.createAssertion(
-                flags = Some(new AuthenticatorDataFlags(0x00.toByte)),
-                challenge =
-                  request.getPublicKeyCredentialRequestOptions.getChallenge,
-                credentialKey = credentialKeypair,
-                credentialId = credential.getId,
-              )
-            val pkcWithUv =
-              TestAuthenticator.createAssertion(
-                flags = Some(new AuthenticatorDataFlags(0x04.toByte)),
-                challenge =
-                  request.getPublicKeyCredentialRequestOptions.getChallenge,
-                credentialKey = credentialKeypair,
-                credentialId = credential.getId,
-              )
-
-            val resultWithoutUv = rp.finishAssertion(
-              FinishAssertionOptions
-                .builder()
-                .request(request)
-                .response(pkcWithoutUv)
-                .build()
-            )
-            val resultWithUv = rp.finishAssertion(
-              FinishAssertionOptions
-                .builder()
-                .request(request)
-                .response(pkcWithUv)
-                .build()
-            )
-
-            resultWithoutUv.isUserVerified should be(false)
-            resultWithUv.isUserVerified should be(true)
-          }
-
           it("exposes isBackupEligible() with the BE flag value in authenticator data.") {
             val pkcWithoutBackup =
               TestAuthenticator.createAssertion(

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -4623,37 +4623,6 @@ class RelyingPartyRegistrationSpec
           .pubKeyCredParams(List(PublicKeyCredentialParameters.ES256).asJava)
           .build()
 
-        it("exposes isUserVerified() with the UV flag value in authenticator data.") {
-          val (pkcWithoutUv, _, _) =
-            TestAuthenticator.createUnattestedCredential(
-              flags = Some(new AuthenticatorDataFlags(0x00.toByte)),
-              challenge = request.getChallenge,
-            )
-          val (pkcWithUv, _, _) =
-            TestAuthenticator.createUnattestedCredential(
-              flags = Some(new AuthenticatorDataFlags(0x04.toByte)),
-              challenge = request.getChallenge,
-            )
-
-          val resultWithoutUv = rp.finishRegistration(
-            FinishRegistrationOptions
-              .builder()
-              .request(request)
-              .response(pkcWithoutUv)
-              .build()
-          )
-          val resultWithUv = rp.finishRegistration(
-            FinishRegistrationOptions
-              .builder()
-              .request(request)
-              .response(pkcWithUv)
-              .build()
-          )
-
-          resultWithoutUv.isUserVerified should be(false)
-          resultWithUv.isUserVerified should be(true)
-        }
-
         it("exposes isBackupEligible() with the BE flag value in authenticator data.") {
           val (pkcWithoutBackup, _, _) =
             TestAuthenticator.createUnattestedCredential(