Refactor Symfony test configurations and add badge support

Reorganized test configurations by splitting `config.yml` into `common.yml` and added Twig template support. Introduced Webauthn authentication mechanism with related classes, functional tests, and templates to enhance security. This commit also includes tests for authenticated access and successful login handling.

Author: Spomky

composer.json

@@ -119,6 +119,7 @@
         "symfony/filesystem": "^6.4|^7.0",
         "symfony/finder": "^6.4|^7.0",
         "symfony/monolog-bundle": "^3.8",
+        "symfony/twig-bundle": "^6.4|^7.0",
         "symfony/var-dumper": "^6.4|^7.0",
         "symfony/yaml": "^6.4|^7.0",
         "symplify/easy-coding-standard": "^12.0",

phpstan-baseline.neon

@@ -418,7 +418,7 @@ parameters:
 			path: src/symfony/src/DependencyInjection/WebauthnExtension.php
 
 		-
-			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\AttestedCredentialDataType\:\:convertToDatabaseValue\(\) should return string\|null but returns mixed\.$#'
+			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\AttestedCredentialDataType\:\:convertToDatabaseValue\(\) should return string\|null but returns T of mixed\.$#'
 			identifier: return.type
 			count: 1
 			path: src/symfony/src/Doctrine/Type/AttestedCredentialDataType.php
@@ -436,7 +436,7 @@ parameters:
 			path: src/symfony/src/Doctrine/Type/AttestedCredentialDataType.php
 
 		-
-			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\PublicKeyCredentialDescriptorType\:\:convertToDatabaseValue\(\) should return string\|null but returns mixed\.$#'
+			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\PublicKeyCredentialDescriptorType\:\:convertToDatabaseValue\(\) should return string\|null but returns T of mixed\.$#'
 			identifier: return.type
 			count: 1
 			path: src/symfony/src/Doctrine/Type/PublicKeyCredentialDescriptorType.php
@@ -454,7 +454,7 @@ parameters:
 			path: src/symfony/src/Doctrine/Type/PublicKeyCredentialDescriptorType.php
 
 		-
-			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\TrustPathDataType\:\:convertToDatabaseValue\(\) should return string\|null but returns mixed\.$#'
+			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\TrustPathDataType\:\:convertToDatabaseValue\(\) should return string\|null but returns T of mixed\.$#'
 			identifier: return.type
 			count: 1
 			path: src/symfony/src/Doctrine/Type/TrustPathDataType.php
@@ -561,6 +561,168 @@ parameters:
 			count: 1
 			path: src/symfony/src/Security/Authentication/Token/WebauthnToken.php
 
+		-
+			message: '#^Access to an undefined property Webauthn\\AuthenticatorResponse\:\:\$attestationObject\.$#'
+			identifier: property.notFound
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot access property \$authData on mixed\.$#'
+			identifier: property.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot access property \$extensions on mixed\.$#'
+			identifier: property.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot access property \$signCount on mixed\.$#'
+			identifier: property.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method getReservedForFutureUse1\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method getReservedForFutureUse2\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method isBackedUp\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method isBackupEligible\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method isUserPresent\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method isUserVerified\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#12 \$isBackupEligible of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects bool, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#13 \$isBackedUp of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects bool, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#4 \$isUserPresent of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects bool, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#5 \$isUserVerified of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects bool, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#6 \$reservedForFutureUse1 of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects int, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#7 \$reservedForFutureUse2 of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects int, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#8 \$signCount of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects int, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#9 \$extensions of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects Webauthn\\AuthenticationExtensions\\AuthenticationExtensions\|null, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$authenticatorResponse\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$publicKeyCredentialOptions\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$publicKeyCredentialSource\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$publicKeyCredentialUserEntity\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$user\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Method Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge\:\:__construct\(\) has parameter \$attributes with no value type specified in iterable type array\.$#'
+			identifier: missingType.iterableValue
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Property Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge\:\:\$user \(Symfony\\Component\\Security\\Core\\User\\UserInterface\) does not accept mixed\.$#'
+			identifier: assign.propertyType
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Method Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadgeListener\:\:__construct\(\) has parameter \$userProvider with generic interface Symfony\\Component\\Security\\Core\\User\\UserProviderInterface but does not specify its types\: TUser$#'
+			identifier: missingType.generics
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadgeListener.php
+
+		-
+			message: '#^Webauthn\\Bundle\\Security\\Authentication\\WebauthnPassport\:\:__construct\(\) does not call parent constructor from Symfony\\Component\\Security\\Http\\Authenticator\\Passport\\Passport\.$#'
+			identifier: constructor.missingParentCall
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnPassport.php
+
 		-
 			message: '#^Method Webauthn\\Bundle\\Security\\Http\\Authenticator\\WebauthnAuthenticator\:\:__construct\(\) has parameter \$userProvider with generic interface Symfony\\Component\\Security\\Core\\User\\UserProviderInterface but does not specify its types\: TUser$#'
 			identifier: missingType.generics
@@ -1341,12 +1503,6 @@ parameters:
 			count: 3
 			path: src/webauthn/src/AuthenticationExtensions/AuthenticationExtensions.php
 
-		-
-			message: '#^Cannot unset @readonly Webauthn\\AuthenticationExtensions\\AuthenticationExtensions\:\:\$extensions property\.$#'
-			identifier: unset.readOnlyPropertyByPhpDoc
-			count: 1
-			path: src/webauthn/src/AuthenticationExtensions/AuthenticationExtensions.php
-
 		-
 			message: '#^Class Webauthn\\AuthenticationExtensions\\AuthenticationExtensions implements generic interface ArrayAccess but does not specify its types\: TKey, TValue$#'
 			identifier: missingType.generics

rector.php

@@ -5,6 +5,7 @@
 use Rector\Config\RectorConfig;
 use Rector\DeadCode\Rector\ClassMethod\RemoveUnusedPrivateMethodParameterRector;
 use Rector\Doctrine\Set\DoctrineSetList;
+use Rector\Php84\Rector\Param\ExplicitNullableParamTypeRector;
 use Rector\PHPUnit\CodeQuality\Rector\Class_\PreferPHPUnitThisCallRector;
 use Rector\PHPUnit\Set\PHPUnitSetList;
 use Rector\Set\ValueObject\SetList;
@@ -34,6 +35,7 @@
         ],
         PreferPHPUnitThisCallRector::class,
     ]);
+    $config->rule(ExplicitNullableParamTypeRector::class);
     $config->phpVersion(PhpVersion::PHP_82);
     $config::configure()->withComposerBased(twig: true, doctrine: true, phpunit: true);
     $config::configure()->withPhpSets();

src/stimulus/.github/close-pull-request.yml

@@ -0,0 +1,20 @@
+name: Close Pull Request
+
+on:
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: superbrothers/close-pull-request@v3
+        with:
+          comment: |
+            Thanks for your Pull Request! We love contributions.
+
+            However, you should instead open your PR on the main repository:
+            https://github.com/web-auth/webauthn-framework
+
+            This repository is what we call a "subtree split": a read-only subset of that main repository.
+            We're looking forward to your PR there!

src/symfony/.github/close-pull-request.yml

@@ -0,0 +1,20 @@
+name: Close Pull Request
+
+on:
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: superbrothers/close-pull-request@v3
+        with:
+          comment: |
+            Thanks for your Pull Request! We love contributions.
+
+            However, you should instead open your PR on the main repository:
+            https://github.com/web-auth/webauthn-framework
+
+            This repository is what we call a "subtree split": a read-only subset of that main repository.
+            We're looking forward to your PR there!

src/symfony/src/Repository/DoctrineCredentialSourceRepository.php

@@ -14,8 +14,6 @@
 /**
  * @template T of PublicKeyCredentialSource
  * @template-extends  ServiceEntityRepository<T>
- *
- * @deprecated since 5.2.0, to be removed in 6.0.0. Please create your own doctrine-based repository.
  */
 class DoctrineCredentialSourceRepository extends ServiceEntityRepository implements PublicKeyCredentialSourceRepositoryInterface, CanSaveCredentialSource
 {

src/symfony/src/Resources/config/doctrine-mapping/PublicKeyCredentialSource.orm.xml

@@ -5,7 +5,7 @@
     xsi:schemaLocation="http://doctrine-project.org/schemas/orm/doctrine-mapping https://raw.github.com/doctrine/doctrine2/master/doctrine-mapping.xsd"
 >
     <mapped-superclass name="Webauthn\PublicKeyCredentialSource">
-        <field name="publicKeyCredentialId" type="base64"/>
+        <field name="publicKeyCredentialId" type="base64" unique="true" length="250"/>
         <field name="type"/>
         <field name="transports" type="json"/>
         <field name="attestationType"/>

src/symfony/src/Resources/config/security.php

@@ -8,6 +8,7 @@
 use Webauthn\Bundle\DependencyInjection\Factory\Security\WebauthnFactory;
 use Webauthn\Bundle\Repository\PublicKeyCredentialSourceRepositoryInterface;
 use Webauthn\Bundle\Repository\PublicKeyCredentialUserEntityRepositoryInterface;
+use Webauthn\Bundle\Security\Authentication\WebauthnBadgeListener;
 use Webauthn\Bundle\Security\Authorization\Voter\IsUserPresentVoter;
 use Webauthn\Bundle\Security\Authorization\Voter\IsUserVerifiedVoter;
 use Webauthn\Bundle\Security\Guesser\CurrentUserEntityGuesser;
@@ -51,9 +52,7 @@
             service(PublicKeyCredentialUserEntityRepositoryInterface::class),
             service(SerializerInterface::class),
             abstract_arg('Authenticator Assertion Response Validator'),
-            abstract_arg(
-                'Authenticator Attestation Response Validator'
-            ), //service(AuthenticatorAttestationResponseValidator::class)
+            abstract_arg('Authenticator Attestation Response Validator'),
         ]);
     $service
         ->set(WebauthnFactory::FIREWALL_CONFIG_DEFINITION_ID, WebauthnFirewallConfig::class)
@@ -62,4 +61,5 @@
 
     $service->set(CurrentUserEntityGuesser::class);
     $service->set(RequestBodyUserEntityGuesser::class);
+    $service->set(WebauthnBadgeListener::class);
 };

src/symfony/src/Security/Authentication/WebauthnAuthenticator.php

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Webauthn\Bundle\Security\Authentication;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Webauthn\AuthenticatorAssertionResponse;
+use Webauthn\Bundle\Security\Authentication\Token\WebauthnToken;
+use function assert;
+
+abstract class WebauthnAuthenticator extends AbstractLoginFormAuthenticator
+{
+    public function createToken(Passport $passport, string $firewallName): TokenInterface
+    {
+        assert($passport instanceof WebauthnPassport, 'Invalid passport');
+        $webauthnBadge = $passport->getBadge(WebauthnBadge::class);
+        assert($webauthnBadge instanceof WebauthnBadge, 'Invalid badge');
+        if ($webauthnBadge->getAuthenticatorResponse() instanceof AuthenticatorAssertionResponse) {
+            $authData = $webauthnBadge->getAuthenticatorResponse()
+                ->authenticatorData;
+        } else {
+            $authData = $webauthnBadge->getAuthenticatorResponse()
+                ->attestationObject
+                ->authData;
+        }
+
+        $token = new WebauthnToken(
+            $webauthnBadge->getPublicKeyCredentialUserEntity(),
+            $webauthnBadge->getPublicKeyCredentialOptions(),
+            $webauthnBadge->getPublicKeyCredentialSource()
+                ->getPublicKeyCredentialDescriptor(),
+            $authData->isUserPresent(),
+            $authData->isUserVerified(),
+            $authData->getReservedForFutureUse1(),
+            $authData->getReservedForFutureUse2(),
+            $authData->signCount,
+            $authData->extensions,
+            $firewallName,
+            $webauthnBadge->getUser()
+                ->getRoles(),
+            $authData->isBackupEligible(),
+            $authData->isBackedUp(),
+        );
+        $token->setUser($webauthnBadge->getUser());
+
+        return $token;
+    }
+}