Add Webauthn Badge support

composer.json

@@ -119,6 +119,7 @@
         "symfony/filesystem": "^6.4|^7.0",
         "symfony/finder": "^6.4|^7.0",
         "symfony/monolog-bundle": "^3.8",
+        "symfony/twig-bundle": "^6.4|^7.0",
         "symfony/var-dumper": "^6.4|^7.0",
         "symfony/yaml": "^6.4|^7.0",
         "symplify/easy-coding-standard": "^12.0",

phpstan-baseline.neon

@@ -418,7 +418,7 @@ parameters:
 			path: src/symfony/src/DependencyInjection/WebauthnExtension.php
 
 		-
-			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\AttestedCredentialDataType\:\:convertToDatabaseValue\(\) should return string\|null but returns mixed\.$#'
+			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\AttestedCredentialDataType\:\:convertToDatabaseValue\(\) should return string\|null but returns T of mixed\.$#'
 			identifier: return.type
 			count: 1
 			path: src/symfony/src/Doctrine/Type/AttestedCredentialDataType.php
@@ -436,7 +436,7 @@ parameters:
 			path: src/symfony/src/Doctrine/Type/AttestedCredentialDataType.php
 
 		-
-			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\PublicKeyCredentialDescriptorType\:\:convertToDatabaseValue\(\) should return string\|null but returns mixed\.$#'
+			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\PublicKeyCredentialDescriptorType\:\:convertToDatabaseValue\(\) should return string\|null but returns T of mixed\.$#'
 			identifier: return.type
 			count: 1
 			path: src/symfony/src/Doctrine/Type/PublicKeyCredentialDescriptorType.php
@@ -454,7 +454,7 @@ parameters:
 			path: src/symfony/src/Doctrine/Type/PublicKeyCredentialDescriptorType.php
 
 		-
-			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\TrustPathDataType\:\:convertToDatabaseValue\(\) should return string\|null but returns mixed\.$#'
+			message: '#^Method Webauthn\\Bundle\\Doctrine\\Type\\TrustPathDataType\:\:convertToDatabaseValue\(\) should return string\|null but returns T of mixed\.$#'
 			identifier: return.type
 			count: 1
 			path: src/symfony/src/Doctrine/Type/TrustPathDataType.php
@@ -561,6 +561,168 @@ parameters:
 			count: 1
 			path: src/symfony/src/Security/Authentication/Token/WebauthnToken.php
 
+		-
+			message: '#^Access to an undefined property Webauthn\\AuthenticatorResponse\:\:\$attestationObject\.$#'
+			identifier: property.notFound
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot access property \$authData on mixed\.$#'
+			identifier: property.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot access property \$extensions on mixed\.$#'
+			identifier: property.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot access property \$signCount on mixed\.$#'
+			identifier: property.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method getReservedForFutureUse1\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method getReservedForFutureUse2\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method isBackedUp\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method isBackupEligible\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method isUserPresent\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Cannot call method isUserVerified\(\) on mixed\.$#'
+			identifier: method.nonObject
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#12 \$isBackupEligible of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects bool, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#13 \$isBackedUp of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects bool, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#4 \$isUserPresent of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects bool, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#5 \$isUserVerified of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects bool, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#6 \$reservedForFutureUse1 of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects int, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#7 \$reservedForFutureUse2 of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects int, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#8 \$signCount of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects int, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Parameter \#9 \$extensions of class Webauthn\\Bundle\\Security\\Authentication\\Token\\WebauthnToken constructor expects Webauthn\\AuthenticationExtensions\\AuthenticationExtensions\|null, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnAuthenticator.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$authenticatorResponse\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$publicKeyCredentialOptions\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$publicKeyCredentialSource\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$publicKeyCredentialUserEntity\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Class Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge has an uninitialized property \$user\. Give it default value or assign it in the constructor\.$#'
+			identifier: property.uninitialized
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Method Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge\:\:__construct\(\) has parameter \$attributes with no value type specified in iterable type array\.$#'
+			identifier: missingType.iterableValue
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Property Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadge\:\:\$user \(Symfony\\Component\\Security\\Core\\User\\UserInterface\) does not accept mixed\.$#'
+			identifier: assign.propertyType
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadge.php
+
+		-
+			message: '#^Method Webauthn\\Bundle\\Security\\Authentication\\WebauthnBadgeListener\:\:__construct\(\) has parameter \$userProvider with generic interface Symfony\\Component\\Security\\Core\\User\\UserProviderInterface but does not specify its types\: TUser$#'
+			identifier: missingType.generics
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnBadgeListener.php
+
+		-
+			message: '#^Webauthn\\Bundle\\Security\\Authentication\\WebauthnPassport\:\:__construct\(\) does not call parent constructor from Symfony\\Component\\Security\\Http\\Authenticator\\Passport\\Passport\.$#'
+			identifier: constructor.missingParentCall
+			count: 1
+			path: src/symfony/src/Security/Authentication/WebauthnPassport.php
+
 		-
 			message: '#^Method Webauthn\\Bundle\\Security\\Http\\Authenticator\\WebauthnAuthenticator\:\:__construct\(\) has parameter \$userProvider with generic interface Symfony\\Component\\Security\\Core\\User\\UserProviderInterface but does not specify its types\: TUser$#'
 			identifier: missingType.generics
@@ -1341,12 +1503,6 @@ parameters:
 			count: 3
 			path: src/webauthn/src/AuthenticationExtensions/AuthenticationExtensions.php
 
-		-
-			message: '#^Cannot unset @readonly Webauthn\\AuthenticationExtensions\\AuthenticationExtensions\:\:\$extensions property\.$#'
-			identifier: unset.readOnlyPropertyByPhpDoc
-			count: 1
-			path: src/webauthn/src/AuthenticationExtensions/AuthenticationExtensions.php
-
 		-
 			message: '#^Class Webauthn\\AuthenticationExtensions\\AuthenticationExtensions implements generic interface ArrayAccess but does not specify its types\: TKey, TValue$#'
 			identifier: missingType.generics

rector.php

@@ -5,6 +5,7 @@
 use Rector\Config\RectorConfig;
 use Rector\DeadCode\Rector\ClassMethod\RemoveUnusedPrivateMethodParameterRector;
 use Rector\Doctrine\Set\DoctrineSetList;
+use Rector\Php84\Rector\Param\ExplicitNullableParamTypeRector;
 use Rector\PHPUnit\CodeQuality\Rector\Class_\PreferPHPUnitThisCallRector;
 use Rector\PHPUnit\Set\PHPUnitSetList;
 use Rector\Set\ValueObject\SetList;
@@ -34,6 +35,7 @@
         ],
         PreferPHPUnitThisCallRector::class,
     ]);
+    $config->rule(ExplicitNullableParamTypeRector::class);
     $config->phpVersion(PhpVersion::PHP_82);
     $config::configure()->withComposerBased(twig: true, doctrine: true, phpunit: true);
     $config::configure()->withPhpSets();

src/stimulus/.github/close-pull-request.yml

@@ -0,0 +1,20 @@
+name: Close Pull Request
+
+on:
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: superbrothers/close-pull-request@v3
+        with:
+          comment: |
+            Thanks for your Pull Request! We love contributions.
+
+            However, you should instead open your PR on the main repository:
+            https://github.com/web-auth/webauthn-framework
+
+            This repository is what we call a "subtree split": a read-only subset of that main repository.
+            We're looking forward to your PR there!

src/symfony/.github/close-pull-request.yml

@@ -0,0 +1,20 @@
+name: Close Pull Request
+
+on:
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: superbrothers/close-pull-request@v3
+        with:
+          comment: |
+            Thanks for your Pull Request! We love contributions.
+
+            However, you should instead open your PR on the main repository:
+            https://github.com/web-auth/webauthn-framework
+
+            This repository is what we call a "subtree split": a read-only subset of that main repository.
+            We're looking forward to your PR there!

src/symfony/src/Repository/DoctrineCredentialSourceRepository.php

@@ -14,8 +14,6 @@
 /**
  * @template T of PublicKeyCredentialSource
  * @template-extends  ServiceEntityRepository<T>
- *
- * @deprecated since 5.2.0, to be removed in 6.0.0. Please create your own doctrine-based repository.
  */
 class DoctrineCredentialSourceRepository extends ServiceEntityRepository implements PublicKeyCredentialSourceRepositoryInterface, CanSaveCredentialSource
 {

src/symfony/src/Resources/config/doctrine-mapping/PublicKeyCredentialSource.orm.xml

@@ -5,7 +5,7 @@
     xsi:schemaLocation="http://doctrine-project.org/schemas/orm/doctrine-mapping https://raw.github.com/doctrine/doctrine2/master/doctrine-mapping.xsd"
 >
     <mapped-superclass name="Webauthn\PublicKeyCredentialSource">
-        <field name="publicKeyCredentialId" type="base64"/>
+        <field name="publicKeyCredentialId" type="base64" unique="true" length="250"/>
         <field name="type"/>
         <field name="transports" type="json"/>
         <field name="attestationType"/>

src/symfony/src/Resources/config/security.php

@@ -8,6 +8,7 @@
 use Webauthn\Bundle\DependencyInjection\Factory\Security\WebauthnFactory;
 use Webauthn\Bundle\Repository\PublicKeyCredentialSourceRepositoryInterface;
 use Webauthn\Bundle\Repository\PublicKeyCredentialUserEntityRepositoryInterface;
+use Webauthn\Bundle\Security\Authentication\WebauthnBadgeListener;
 use Webauthn\Bundle\Security\Authorization\Voter\IsUserPresentVoter;
 use Webauthn\Bundle\Security\Authorization\Voter\IsUserVerifiedVoter;
 use Webauthn\Bundle\Security\Guesser\CurrentUserEntityGuesser;
@@ -51,9 +52,7 @@
             service(PublicKeyCredentialUserEntityRepositoryInterface::class),
             service(SerializerInterface::class),
             abstract_arg('Authenticator Assertion Response Validator'),
-            abstract_arg(
-                'Authenticator Attestation Response Validator'
-            ), //service(AuthenticatorAttestationResponseValidator::class)
+            abstract_arg('Authenticator Attestation Response Validator'),
         ]);
     $service
         ->set(WebauthnFactory::FIREWALL_CONFIG_DEFINITION_ID, WebauthnFirewallConfig::class)
@@ -62,4 +61,5 @@
 
     $service->set(CurrentUserEntityGuesser::class);
     $service->set(RequestBodyUserEntityGuesser::class);
+    $service->set(WebauthnBadgeListener::class);
 };

src/symfony/src/Security/Authentication/WebauthnAuthenticator.php

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Webauthn\Bundle\Security\Authentication;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Webauthn\AuthenticatorAssertionResponse;
+use Webauthn\Bundle\Security\Authentication\Token\WebauthnToken;
+use function assert;
+
+abstract class WebauthnAuthenticator extends AbstractLoginFormAuthenticator
+{
+    public function createToken(Passport $passport, string $firewallName): TokenInterface
+    {
+        assert($passport instanceof WebauthnPassport, 'Invalid passport');
+        $webauthnBadge = $passport->getBadge(WebauthnBadge::class);
+        assert($webauthnBadge instanceof WebauthnBadge, 'Invalid badge');
+        if ($webauthnBadge->getAuthenticatorResponse() instanceof AuthenticatorAssertionResponse) {
+            $authData = $webauthnBadge->getAuthenticatorResponse()
+                ->authenticatorData;
+        } else {
+            $authData = $webauthnBadge->getAuthenticatorResponse()
+                ->attestationObject
+                ->authData;
+        }
+
+        $token = new WebauthnToken(
+            $webauthnBadge->getPublicKeyCredentialUserEntity(),
+            $webauthnBadge->getPublicKeyCredentialOptions(),
+            $webauthnBadge->getPublicKeyCredentialSource()
+                ->getPublicKeyCredentialDescriptor(),
+            $authData->isUserPresent(),
+            $authData->isUserVerified(),
+            $authData->getReservedForFutureUse1(),
+            $authData->getReservedForFutureUse2(),
+            $authData->signCount,
+            $authData->extensions,
+            $firewallName,
+            $webauthnBadge->getUser()
+                ->getRoles(),
+            $authData->isBackupEligible(),
+            $authData->isBackedUp(),
+        );
+        $token->setUser($webauthnBadge->getUser());
+
+        return $token;
+    }
+}