Merge branch '5.2.x' into 5.3.x

* 5.2.x:
  fix: normalize host-only allowed origins to https:// scheme (#822)
  fix: pass topOriginValidator to CheckTopOrigin in requestCeremony() (#821)
  fix: enforce HTTPS scheme check in CheckAllowedOrigins fallback path (#820)
  fix: regenerate PHPStan baseline to fix CI on 5.2.x
  fix: add PHPStan type annotations for parse_url() return values in CheckAllowedOrigins
  Merge commit from fork
  fix: set trust anchor when validating certificate path to support intermediate CA certificates (#793)

# Conflicts:
#	phpstan-baseline.neon
#	src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php
#	src/webauthn/src/CeremonyStep/CheckAllowedOrigins.php

Author: Spomky

src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php

@@ -125,8 +125,12 @@ public function requestCeremony(): CeremonyStepManager
             new CheckChallenge(),
             $this->allowedOrigins === null ? new CheckOrigin(
                 $this->securedRelyingPartyId ?? []
-            ) : new CheckAllowedOrigins($this->allowedOrigins, $this->allowSubdomains),
-            new CheckTopOrigin(),
+            ) : new CheckAllowedOrigins(
+                $this->allowedOrigins,
+                $this->allowSubdomains,
+                $this->securedRelyingPartyId ?? []
+            ),
+            new CheckTopOrigin($this->topOriginValidator),
             new CheckRelyingPartyIdIdHash(),
             new CheckUserWasPresent(),
             new CheckUserVerification(),
@@ -176,7 +180,11 @@ private function buildCreationCeremony(bool $requireUserPresence): CeremonyStepM
             new CheckChallenge(),
             $this->allowedOrigins === null ? new CheckOrigin(
                 $this->securedRelyingPartyId ?? []
-            ) : new CheckAllowedOrigins($this->allowedOrigins, $this->allowSubdomains),
+            ) : new CheckAllowedOrigins(
+                $this->allowedOrigins,
+                $this->allowSubdomains,
+                $this->securedRelyingPartyId ?? []
+            ),
             new CheckTopOrigin($this->topOriginValidator),
             new CheckRelyingPartyIdIdHash(),
             new CheckUserWasPresent($requireUserPresence),

src/webauthn/src/CeremonyStep/CheckAllowedOrigins.php

@@ -23,40 +23,35 @@
 final readonly class CheckAllowedOrigins implements CeremonyStep
 {
     /**
-     * Full origin entries (scheme://host[:port]) from allowed origins that include a scheme.
+     * Full origin entries (scheme://host[:port]) from allowed origins.
      *
      * @var string[]
      */
     private array $fullOrigins;
 
-    /**
-     * Host-only entries from allowed origins without a scheme (backward compatibility).
-     *
-     * @var string[]
-     */
-    private array $hostOrigins;
-
     /**
      * @param string[] $allowedOrigins
+     * @param string[] $securedRelyingPartyId RP IDs that are allowed to use HTTP (e.g. localhost for development)
      */
     public function __construct(
         array $allowedOrigins,
-        private bool $allowSubdomains = false
+        private bool $allowSubdomains = false,
+        private array $securedRelyingPartyId = [],
     ) {
         $fullOrigins = [];
-        $hostOrigins = [];
         foreach ($allowedOrigins as $allowedOrigin) {
             $parsed = parse_url($allowedOrigin);
             $parsed !== false || throw new InvalidArgumentException(sprintf('Invalid origin: %s', $allowedOrigin));
             if (isset($parsed['scheme'], $parsed['host'])) {
                 $fullOrigins[] = self::buildOrigin($parsed['scheme'], $parsed['host'], $parsed['port'] ?? null);
             } else {
-                $hostOrigins[] = $parsed['host'] ?? $allowedOrigin;
+                // Host-only entries are normalized to https:// since WebAuthn requires TLS
+                $host = $parsed['host'] ?? $allowedOrigin;
+                $fullOrigins[] = self::buildOrigin('https', $host, null);
             }
         }
 
         $this->fullOrigins = array_unique($fullOrigins);
-        $this->hostOrigins = array_unique($hostOrigins);
     }
 
     public function process(
@@ -83,7 +78,7 @@ public function process(
         );
         $originHost = $parsedOrigin['host'] ?? $C->origin;
 
-        $hasAllowedOrigins = count($this->fullOrigins) !== 0 || count($this->hostOrigins) !== 0;
+        $hasAllowedOrigins = count($this->fullOrigins) !== 0;
 
         if ($hasAllowedOrigins) {
             // Full origin match (scheme + host + port)
@@ -98,15 +93,8 @@ public function process(
                 }
             }
 
-            // Host-only match (backward compatibility for entries without scheme)
-            if (in_array($originHost, $this->hostOrigins, true)) {
-                return;
-            }
-
             // Subdomain matching
-            $isFullOriginSubdomain = $this->isSubdomainOfFullOrigins($parsedOrigin);
-            $isHostSubdomain = $this->isSubdomain($this->hostOrigins, $originHost);
-            $isSubDomain = $isFullOriginSubdomain || $isHostSubdomain;
+            $isSubDomain = $this->isSubdomainOfFullOrigins($parsedOrigin);
 
             if ($this->allowSubdomains && $isSubDomain) {
                 return;
@@ -121,6 +109,13 @@ public function process(
 
         $rpId = $publicKeyCredentialOptions->rpId ?? $publicKeyCredentialOptions->rp->id ?? $host;
         $facetId = $this->getFacetId($rpId, $publicKeyCredentialOptions->extensions, $authData->extensions);
+
+        if (! in_array($facetId, $this->securedRelyingPartyId, true)) {
+            $scheme = $parsedOrigin['scheme'] ?? '';
+            $scheme === 'https' || throw AuthenticatorResponseVerificationException::create(
+                'Invalid scheme. HTTPS required.'
+            );
+        }
         $facetId !== '' || throw AuthenticatorResponseVerificationException::create(
             'Invalid origin. Unable to determine the facet ID.'
         );
@@ -134,11 +129,7 @@ public function process(
         if (! $this->allowSubdomains && $isSubDomains) {
             throw AuthenticatorResponseVerificationException::create('Invalid origin. Subdomains are not allowed.');
         }
-
-        $scheme = $parsedOrigin['scheme'] ?? '';
-        $scheme === 'https' || throw AuthenticatorResponseVerificationException::create(
-            'Invalid scheme. HTTPS required.'
-        );
+        throw AuthenticatorResponseVerificationException::create('Invalid origin.');
     }
 
     /**
@@ -217,17 +208,4 @@ private function getFacetId(
 
         return (is_string($appId) && $wasUsed === true) ? $appId : $rpId;
     }
-
-    /**
-     * @param string[] $origins
-     */
-    private function isSubdomain(array $origins, string $domain): bool
-    {
-        foreach ($origins as $allowedOrigin) {
-            if ($this->isSubdomainOf($domain, $allowedOrigin)) {
-                return true;
-            }
-        }
-        return false;
-    }
 }

src/webauthn/src/CeremonyStep/CheckTopOrigin.php

@@ -43,9 +43,8 @@ public function process(
             throw AuthenticatorResponseVerificationException::create('The response is not cross-origin.');
         }
         if ($this->topOriginValidator === null) {
-            (new HostTopOriginValidator($host))->validate($topOrigin);
-        } else {
-            $this->topOriginValidator->validate($topOrigin);
+            return;
         }
+        $this->topOriginValidator->validate($topOrigin);
     }
 }

tests/library/Functional/CheckAllowedOriginsTest.php

@@ -196,6 +196,72 @@ public function emptyAllowedOriginsWithoutSubdomainsAndValidHost(): void
         static::assertTrue(true); // if no exception, test passes
     }
 
+    #[Test]
+    public function differentPortIsRejected(): void
+    {
+        // PoC from GHSA-f7pm-6hr8-7ggm: different port on same host must be rejected
+        // C.origin = https://webauthn.spomky-labs.com (port 443)
+        // Allowed = https://webauthn.spomky-labs.com:8443 (port 8443)
+        $this->expectException(AuthenticatorResponseVerificationException::class);
+        $this->expectExceptionMessage('Invalid origin');
+
+        $checkOrigins = new CheckAllowedOrigins(['https://webauthn.spomky-labs.com:8443']);
+        $publicKeyCredentialSource = $this->getPublicKeyCredentialSource();
+        $publicKeyCredentialRequestOptions = $this->getPublicKeyCredentialRequestOptions();
+        $publicKeyCredential = $this->getPublicKeyCredential();
+
+        $checkOrigins->process(
+            $publicKeyCredentialSource,
+            $publicKeyCredential->response,
+            $publicKeyCredentialRequestOptions,
+            null,
+            'webauthn.spomky-labs.com',
+        );
+    }
+
+    #[Test]
+    public function explicitDefaultPortMatchesImplicitPort(): void
+    {
+        // https://webauthn.spomky-labs.com:443 should match https://webauthn.spomky-labs.com
+        $checkOrigins = new CheckAllowedOrigins(['https://webauthn.spomky-labs.com:443']);
+        $publicKeyCredentialSource = $this->getPublicKeyCredentialSource();
+        $publicKeyCredentialRequestOptions = $this->getPublicKeyCredentialRequestOptions();
+        $publicKeyCredential = $this->getPublicKeyCredential();
+
+        $checkOrigins->process(
+            $publicKeyCredentialSource,
+            $publicKeyCredential->response,
+            $publicKeyCredentialRequestOptions,
+            null,
+            'webauthn.spomky-labs.com',
+        );
+
+        static::assertTrue(true);
+    }
+
+    #[Test]
+    public function httpSchemeIsRejectedWhenHttpsIsConfigured(): void
+    {
+        // Allowed = https://webauthn.spomky-labs.com
+        // C.origin = https://webauthn.spomky-labs.com (matches, but testing that http:// would not)
+        // We test by configuring http:// and verifying it rejects https:// origin
+        $this->expectException(AuthenticatorResponseVerificationException::class);
+        $this->expectExceptionMessage('Invalid origin');
+
+        $checkOrigins = new CheckAllowedOrigins(['http://webauthn.spomky-labs.com']);
+        $publicKeyCredentialSource = $this->getPublicKeyCredentialSource();
+        $publicKeyCredentialRequestOptions = $this->getPublicKeyCredentialRequestOptions();
+        $publicKeyCredential = $this->getPublicKeyCredential();
+
+        $checkOrigins->process(
+            $publicKeyCredentialSource,
+            $publicKeyCredential->response,
+            $publicKeyCredentialRequestOptions,
+            null,
+            'webauthn.spomky-labs.com',
+        );
+    }
+
     #[Test]
     public function emptyAllowedOriginsWithSubdomainsAndInvalidHost(): void
     {