fix: enforce HTTPS scheme check before host matching in CheckAllowedOrigins fallback path

The HTTPS scheme check was unreachable in the fallback path (no allowed
origins configured) because the method returned early on host match.
Move the check before host comparison so it is always enforced.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Spomky

src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php

@@ -135,7 +135,7 @@ public function creationCeremony(): CeremonyStepManager
             new CheckChallenge(),
             $this->allowedOrigins === null ? new CheckOrigin(
                 $this->securedRelyingPartyId ?? []
-            ) : new CheckAllowedOrigins($this->allowedOrigins, $this->allowSubdomains),
+            ) : new CheckAllowedOrigins($this->allowedOrigins, $this->allowSubdomains, $this->securedRelyingPartyId ?? []),
             new CheckTopOrigin($this->topOriginValidator),
             new CheckRelyingPartyIdIdHash(),
             new CheckUserWasPresent(),
@@ -160,7 +160,7 @@ public function requestCeremony(): CeremonyStepManager
             new CheckChallenge(),
             $this->allowedOrigins === null ? new CheckOrigin(
                 $this->securedRelyingPartyId ?? []
-            ) : new CheckAllowedOrigins($this->allowedOrigins, $this->allowSubdomains),
+            ) : new CheckAllowedOrigins($this->allowedOrigins, $this->allowSubdomains, $this->securedRelyingPartyId ?? []),
             new CheckTopOrigin(),
             new CheckRelyingPartyIdIdHash(),
             new CheckUserWasPresent(),

src/webauthn/src/CeremonyStep/CheckAllowedOrigins.php

@@ -38,10 +38,12 @@
 
     /**
      * @param string[] $allowedOrigins
+     * @param string[] $securedRelyingPartyId RP IDs that are allowed to use HTTP (e.g. localhost for development)
      */
     public function __construct(
         array $allowedOrigins,
-        private bool $allowSubdomains = false
+        private bool $allowSubdomains = false,
+        private array $securedRelyingPartyId = [],
     ) {
         $fullOrigins = [];
         $hostOrigins = [];
@@ -113,6 +115,13 @@ public function process(
 
         $rpId = $publicKeyCredentialOptions->rpId ?? $publicKeyCredentialOptions->rp->id ?? $host;
         $facetId = $this->getFacetId($rpId, $publicKeyCredentialOptions->extensions, $authData->extensions);
+
+        if (! in_array($facetId, $this->securedRelyingPartyId, true)) {
+            $scheme = $parsedOrigin['scheme'] ?? '';
+            $scheme === 'https' || throw AuthenticatorResponseVerificationException::create(
+                'Invalid scheme. HTTPS required.'
+            );
+        }
         $facetId !== '' || throw AuthenticatorResponseVerificationException::create(
             'Invalid origin. Unable to determine the facet ID.'
         );
@@ -126,11 +135,7 @@ public function process(
         if (! $this->allowSubdomains && $isSubDomains) {
             throw AuthenticatorResponseVerificationException::create('Invalid origin. Subdomains are not allowed.');
         }
-
-        $scheme = $parsedOrigin['scheme'] ?? '';
-        $scheme === 'https' || throw AuthenticatorResponseVerificationException::create(
-            'Invalid scheme. HTTPS required.'
-        );
+        throw AuthenticatorResponseVerificationException::create('Invalid origin.');
     }
 
     /**