├── LICENSE ├── README.md ├── RELEASES.md ├── SECURITY.md ├── composer.json ├── link ├── package.json └── src ├── stimulus ├── .github │ ├── CONTRIBUTING.md │ ├── FUNDING.yml │ ├── PULL_REQUEST_TEMPLATE.md │ ├── close-pull-request.yml │ └── stale.yml ├── LICENSE ├── assets │ ├── dist │ │ ├── controller.d.ts │ │ └── controller.js │ ├── jest.config.js │ ├── package.json │ └── src │ │ └── controller.ts ├── composer.json ├── doc │ └── index.rst └── src │ └── WebauthnStimulusBundle.php ├── symfony ├── LICENSE ├── composer.json └── src │ ├── Controller │ ├── AllowedOriginsController.php │ ├── AssertionControllerFactory.php │ ├── AssertionRequestController.php │ ├── AssertionResponseController.php │ ├── AttestationControllerFactory.php │ ├── AttestationRequestController.php │ ├── AttestationResponseController.php │ ├── DummyController.php │ └── DummyControllerFactory.php │ ├── CredentialOptionsBuilder │ ├── ProfileBasedCreationOptionsBuilder.php │ ├── ProfileBasedRequestOptionsBuilder.php │ ├── PublicKeyCredentialCreationOptionsBuilder.php │ └── PublicKeyCredentialRequestOptionsBuilder.php │ ├── DataCollector │ └── WebauthnCollector.php │ ├── DependencyInjection │ ├── Compiler │ │ ├── AttestationStatementSupportCompilerPass.php │ │ ├── CeremonyStepManagerFactoryCompilerPass.php │ │ ├── CoseAlgorithmCompilerPass.php │ │ ├── CounterCheckerSetterCompilerPass.php │ │ ├── DynamicRouteCompilerPass.php │ │ ├── EventDispatcherSetterCompilerPass.php │ │ ├── ExtensionOutputCheckerCompilerPass.php │ │ └── LoggerSetterCompilerPass.php │ ├── Configuration.php │ ├── Factory │ │ └── Security │ │ │ ├── WebauthnFactory.php │ │ │ └── WebauthnServicesFactory.php │ └── WebauthnExtension.php │ ├── Doctrine │ └── Type │ │ ├── AAGUIDDataType.php │ │ ├── AttestedCredentialDataType.php │ │ ├── Base64BinaryDataType.php │ │ ├── PublicKeyCredentialDescriptorType.php │ │ ├── SerializerTrait.php │ │ └── TrustPathDataType.php │ ├── Dto │ ├── PublicKeyCredentialCreationOptionsRequest.php │ ├── ServerPublicKeyCredentialCreationOptionsRequest.php │ └── ServerPublicKeyCredentialRequestOptionsRequest.php │ ├── Event │ ├── PublicKeyCredentialCreationOptionsCreatedEvent.php │ └── PublicKeyCredentialRequestOptionsCreatedEvent.php │ ├── Exception │ ├── HttpNotImplementedException.php │ ├── MissingFeatureException.php │ └── MissingUserEntityException.php │ ├── Repository │ ├── CanGenerateUserEntity.php │ ├── CanRegisterUserEntity.php │ ├── CanSaveCredentialSource.php │ ├── DoctrineCredentialSourceRepository.php │ ├── DummyPublicKeyCredentialSourceRepository.php │ ├── DummyPublicKeyCredentialUserEntityRepository.php │ ├── PublicKeyCredentialSourceRepositoryInterface.php │ └── PublicKeyCredentialUserEntityRepositoryInterface.php │ ├── Resources │ ├── config │ │ ├── cose.php │ │ ├── dev_services.php │ │ ├── doctrine-mapping │ │ │ ├── PublicKeyCredentialEntity.orm.xml │ │ │ ├── PublicKeyCredentialSource.orm.xml │ │ │ └── PublicKeyCredentialUserEntity.orm.xml │ │ ├── metadata_statement_supports.php │ │ ├── routing.php │ │ ├── security.php │ │ └── services.php │ └── views │ │ └── data_collector │ │ ├── tab │ │ ├── attestation.html.twig │ │ └── request.html.twig │ │ └── template.html.twig │ ├── Routing │ └── Loader.php │ ├── Security │ ├── Authentication │ │ ├── Exception │ │ │ ├── WebauthnAuthenticationEvent.php │ │ │ └── WebauthnAuthenticationEvents.php │ │ ├── Token │ │ │ └── WebauthnToken.php │ │ ├── WebauthnAuthenticator.php │ │ ├── WebauthnBadge.php │ │ ├── WebauthnBadgeListener.php │ │ └── WebauthnPassport.php │ ├── Authorization │ │ └── Voter │ │ │ ├── IsUserPresentVoter.php │ │ │ └── IsUserVerifiedVoter.php │ ├── Guesser │ │ ├── CurrentUserEntityGuesser.php │ │ ├── RequestBodyUserEntityGuesser.php │ │ └── UserEntityGuesser.php │ ├── Handler │ │ ├── CreationOptionsHandler.php │ │ ├── DefaultCreationOptionsHandler.php │ │ ├── DefaultFailureHandler.php │ │ ├── DefaultRequestOptionsHandler.php │ │ ├── DefaultSuccessHandler.php │ │ ├── FailureHandler.php │ │ ├── RequestOptionsHandler.php │ │ └── SuccessHandler.php │ ├── Http │ │ └── Authenticator │ │ │ ├── Passport │ │ │ └── Credentials │ │ │ │ └── WebauthnCredentials.php │ │ │ └── WebauthnAuthenticator.php │ ├── Storage │ │ ├── CacheStorage.php │ │ ├── Item.php │ │ ├── OptionsStorage.php │ │ └── SessionStorage.php │ └── WebauthnFirewallConfig.php │ ├── Service │ ├── DefaultFailureHandler.php │ ├── DefaultSuccessHandler.php │ ├── PublicKeyCredentialCreationOptionsFactory.php │ └── PublicKeyCredentialRequestOptionsFactory.php │ └── WebauthnBundle.php └── webauthn ├── LICENSE ├── composer.json └── src ├── AttestationStatement ├── AndroidKeyAttestationStatementSupport.php ├── AppleAttestationStatementSupport.php ├── AttestationObject.php ├── AttestationObjectLoader.php ├── AttestationStatement.php ├── AttestationStatementSupport.php ├── AttestationStatementSupportManager.php ├── FidoU2FAttestationStatementSupport.php ├── NoneAttestationStatementSupport.php ├── PackedAttestationStatementSupport.php └── TPMAttestationStatementSupport.php ├── AttestedCredentialData.php ├── AuthenticationExtensions ├── AppIdExcludeInputExtension.php ├── AppIdInputExtension.php ├── AuthenticationExtension.php ├── AuthenticationExtensionLoader.php ├── AuthenticationExtensions.php ├── CredentialPropertiesInputExtension.php ├── ExtensionOutputChecker.php ├── ExtensionOutputCheckerHandler.php ├── ExtensionOutputError.php ├── LargeBlobInputExtension.php ├── PseudoRandomFunctionInputExtension.php ├── PseudoRandomFunctionInputExtensionBuilder.php └── UvmInputExtension.php ├── AuthenticatorAssertionResponse.php ├── AuthenticatorAssertionResponseValidator.php ├── AuthenticatorAttestationResponse.php ├── AuthenticatorAttestationResponseValidator.php ├── AuthenticatorData.php ├── AuthenticatorDataLoader.php ├── AuthenticatorResponse.php ├── AuthenticatorSelectionCriteria.php ├── CeremonyStep ├── CeremonyStep.php ├── CeremonyStepManager.php ├── CeremonyStepManagerFactory.php ├── CheckAlgorithm.php ├── CheckAllowedCredentialList.php ├── CheckAllowedOrigins.php ├── CheckAttestationFormatIsKnownAndValid.php ├── CheckBackupBitsAreConsistent.php ├── CheckChallenge.php ├── CheckClientDataCollectorType.php ├── CheckCounter.php ├── CheckCredentialId.php ├── CheckExtensions.php ├── CheckHasAttestedCredentialData.php ├── CheckMetadataStatement.php ├── CheckOrigin.php ├── CheckRelyingPartyIdIdHash.php ├── CheckSignature.php ├── CheckTopOrigin.php ├── CheckUserHandle.php ├── CheckUserVerification.php ├── CheckUserWasPresent.php ├── HostTopOriginValidator.php └── TopOriginValidator.php ├── ClientDataCollector ├── ClientDataCollector.php ├── ClientDataCollectorManager.php └── WebauthnAuthenticationCollector.php ├── CollectedClientData.php ├── Counter ├── CounterChecker.php └── ThrowExceptionIfInvalid.php ├── Credential.php ├── Denormalizer ├── AttestationObjectDenormalizer.php ├── AttestationStatementDenormalizer.php ├── AttestedCredentialDataNormalizer.php ├── AuthenticationExtensionNormalizer.php ├── AuthenticationExtensionsDenormalizer.php ├── AuthenticatorAssertionResponseDenormalizer.php ├── AuthenticatorAttestationResponseDenormalizer.php ├── AuthenticatorDataDenormalizer.php ├── AuthenticatorResponseDenormalizer.php ├── CollectedClientDataDenormalizer.php ├── ExtensionDescriptorDenormalizer.php ├── PublicKeyCredentialDenormalizer.php ├── PublicKeyCredentialDescriptorNormalizer.php ├── PublicKeyCredentialOptionsDenormalizer.php ├── PublicKeyCredentialParametersDenormalizer.php ├── PublicKeyCredentialSourceDenormalizer.php ├── PublicKeyCredentialUserEntityDenormalizer.php ├── TrustPathDenormalizer.php ├── VerificationMethodANDCombinationsDenormalizer.php └── WebauthnSerializerFactory.php ├── Event ├── AttestationObjectLoaded.php ├── AttestationStatementLoaded.php ├── AuthenticatorAssertionResponseValidationFailedEvent.php ├── AuthenticatorAssertionResponseValidationSucceededEvent.php ├── AuthenticatorAttestationResponseValidationFailedEvent.php ├── AuthenticatorAttestationResponseValidationSucceededEvent.php ├── BeforeCertificateChainValidation.php ├── CanDispatchEvents.php ├── CertificateChainValidationFailed.php ├── CertificateChainValidationSucceeded.php ├── MetadataStatementFound.php ├── NullEventDispatcher.php └── WebauthnEvent.php ├── Exception ├── AttestationStatementException.php ├── AttestationStatementLoadingException.php ├── AttestationStatementVerificationException.php ├── AuthenticationExtensionException.php ├── AuthenticatorResponseVerificationException.php ├── CertificateChainException.php ├── CertificateException.php ├── CertificateRevocationListException.php ├── CounterException.php ├── ExpiredCertificateException.php ├── InvalidAttestationStatementException.php ├── InvalidCertificateException.php ├── InvalidDataException.php ├── InvalidTrustPathException.php ├── InvalidUserHandleException.php ├── MetadataServiceException.php ├── MetadataStatementException.php ├── MetadataStatementLoadingException.php ├── MissingMetadataStatementException.php ├── RevokedCertificateException.php ├── UnsupportedFeatureException.php └── WebauthnException.php ├── FakeCredentialGenerator.php ├── MetadataService ├── CanLogData.php ├── CertificateChain │ ├── CertificateChainValidator.php │ ├── CertificateToolbox.php │ └── PhpCertificateChainValidator.php ├── MetadataStatementRepository.php ├── Psr18HttpClient.php ├── Service │ ├── ChainedMetadataServices.php │ ├── DistantResourceMetadataService.php │ ├── FidoAllianceCompliantMetadataService.php │ ├── FolderResourceMetadataService.php │ ├── InMemoryMetadataService.php │ ├── JsonMetadataService.php │ ├── LocalResourceMetadataService.php │ ├── MetadataBLOBPayload.php │ ├── MetadataBLOBPayloadEntry.php │ └── MetadataService.php ├── Statement │ ├── AbstractDescriptor.php │ ├── AlternativeDescriptions.php │ ├── AuthenticatorGetInfo.php │ ├── AuthenticatorStatus.php │ ├── BiometricAccuracyDescriptor.php │ ├── BiometricStatusReport.php │ ├── CodeAccuracyDescriptor.php │ ├── DisplayPNGCharacteristicsDescriptor.php │ ├── ExtensionDescriptor.php │ ├── MetadataStatement.php │ ├── PatternAccuracyDescriptor.php │ ├── RgbPaletteEntry.php │ ├── RogueListEntry.php │ ├── StatusReport.php │ ├── VerificationMethodANDCombinations.php │ ├── VerificationMethodDescriptor.php │ └── Version.php └── StatusReportRepository.php ├── PublicKeyCredential.php ├── PublicKeyCredentialCreationOptions.php ├── PublicKeyCredentialDescriptor.php ├── PublicKeyCredentialEntity.php ├── PublicKeyCredentialOptions.php ├── PublicKeyCredentialParameters.php ├── PublicKeyCredentialRequestOptions.php ├── PublicKeyCredentialRpEntity.php ├── PublicKeyCredentialSource.php ├── PublicKeyCredentialUserEntity.php ├── SimpleFakeCredentialGenerator.php ├── StringStream.php ├── TrustPath ├── CertificateTrustPath.php ├── EmptyTrustPath.php └── TrustPath.php ├── U2FPublicKey.php └── Util ├── Base64.php └── CoseSignatureFixer.php /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2018-2022 Spomky-Labs 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /RELEASES.md: -------------------------------------------------------------------------------- 1 | # Versioning and Release 2 | 3 | This document describes the versioning and release process of the Webauthn Framework. 4 | This document is a living document, contents will be updated according to each release. 5 | 6 | ## Releases 7 | 8 | Webauthn Framework releases will be versioned using dotted triples, similar to [Semantic Version](http://semver.org/). 9 | For this specific document, we will refer to the respective components of this triple as `..`. 10 | The version number may have additional information, such as "-rc1,-rc2,-rc3" to mark release candidate builds for earlier access. 11 | Such releases will be considered as "pre-releases". 12 | 13 | ## Minor Release Support Matrix 14 | 15 | | Version | Supported | 16 | |---------| ------------------ | 17 | | 5.0.x | :white_check_mark: | 18 | | 4.8.x | :white_check_mark: | 19 | | 4.7.x | :white_check_mark: | 20 | | <4.7.x | :x: | 21 | -------------------------------------------------------------------------------- /src/stimulus/.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | This repository is a sub repository of [the Webauthn Framework](https://github.com/web-auth/webauthn-framework) project 4 | and is READ ONLY. 5 | Please do not submit any Pull Requests here. It will be automatically closed. 6 | -------------------------------------------------------------------------------- /src/stimulus/.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: Spomky 2 | patreon: FlorentMorselli 3 | -------------------------------------------------------------------------------- /src/stimulus/.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | Please do not submit any Pull Requests here. It will be automatically closed. 2 | 3 | You should submit it here: https://github.com/web-auth/webauthn-framework/pulls 4 | -------------------------------------------------------------------------------- /src/stimulus/.github/close-pull-request.yml: -------------------------------------------------------------------------------- 1 | name: Close Pull Request 2 | 3 | on: 4 | pull_request_target: 5 | types: [opened] 6 | 7 | jobs: 8 | run: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: superbrothers/close-pull-request@v3 12 | with: 13 | comment: | 14 | Thanks for your Pull Request! We love contributions. 15 | 16 | However, you should instead open your PR on the main repository: 17 | https://github.com/web-auth/webauthn-framework 18 | 19 | This repository is what we call a "subtree split": a read-only subset of that main repository. 20 | We're looking forward to your PR there! 21 | -------------------------------------------------------------------------------- /src/stimulus/.github/stale.yml: -------------------------------------------------------------------------------- 1 | daysUntilStale: 1 2 | daysUntilClose: 1 3 | staleLabel: wontfix 4 | markComment: > 5 | This issue has been automatically marked as stale because this repository 6 | is a read-only repository and nobody will take care of it. Please submit it to the main repository. 7 | Thank you for your contributions. 8 | closeComment: false 9 | -------------------------------------------------------------------------------- /src/stimulus/LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2018-2022 Spomky-Labs 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /src/stimulus/assets/jest.config.js: -------------------------------------------------------------------------------- 1 | module.exports = require('../../../jest.config.js'); 2 | -------------------------------------------------------------------------------- /src/stimulus/assets/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "@web-auth/webauthn-stimulus", 3 | "description": "Webauthn integration for Symfony", 4 | "license": "MIT", 5 | "version": "1.0.0", 6 | "main": "dist/controller.js", 7 | "types": "dist/controller.d.ts", 8 | "symfony": { 9 | "controllers": { 10 | "webauthn": { 11 | "main": "dist/controller.js", 12 | "name": "web-auth/webauthn-stimulus", 13 | "webpackMode": "eager", 14 | "fetch": "eager", 15 | "enabled": true 16 | } 17 | }, 18 | "importmap": { 19 | "@hotwired/stimulus": "^3.0.0", 20 | "@simplewebauthn/browser": "^13.0.0" 21 | } 22 | }, 23 | "peerDependencies": { 24 | "@hotwired/stimulus": "^3.0.0", 25 | "@simplewebauthn/browser": "^13.0.0" 26 | }, 27 | "devDependencies": { 28 | "@hotwired/stimulus": "^3.0.0", 29 | "@simplewebauthn/browser": "^13.0.0" 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/stimulus/composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "web-auth/webauthn-stimulus", 3 | "type": "symfony-bundle", 4 | "description": "Webauthn integration for Symfony", 5 | "keywords": [ 6 | "symfony", 7 | "symfony-ux", 8 | "FIDO", 9 | "FIDO2", 10 | "webauthn" 11 | ], 12 | "homepage": "https://github.com/web-auth", 13 | "authors": [ 14 | { 15 | "name": "Florent Morselli", 16 | "homepage": "https://github.com/Spomky" 17 | }, 18 | { 19 | "name": "All contributors", 20 | "homepage": "https://github.com/web-auth/ux/contributors" 21 | } 22 | ], 23 | "license": "MIT", 24 | "autoload": { 25 | "psr-4": { 26 | "Webauthn\\Stimulus\\": "src/" 27 | } 28 | }, 29 | "conflict": { 30 | "symfony/flex": "<1.13" 31 | }, 32 | "extra": { 33 | "thanks": { 34 | "name": "web-auth/webauthn-framework", 35 | "url": "https://github.com/web-auth/webauthn-framework" 36 | } 37 | }, 38 | "minimum-stability": "dev" 39 | } 40 | -------------------------------------------------------------------------------- /src/stimulus/src/WebauthnStimulusBundle.php: -------------------------------------------------------------------------------- 1 | isAssetMapperAvailable($builder)) { 17 | return; 18 | } 19 | 20 | $builder->prependExtensionConfig('framework', [ 21 | 'asset_mapper' => [ 22 | 'paths' => [ 23 | __DIR__ . '/../assets/dist' => '@web-auth/webauthn-stimulus', 24 | ], 25 | ], 26 | ]); 27 | } 28 | 29 | private function isAssetMapperAvailable(ContainerBuilder $container): bool 30 | { 31 | if (! interface_exists(AssetMapperInterface::class)) { 32 | return false; 33 | } 34 | 35 | // check that FrameworkBundle is installed 36 | $bundlesMetadata = $container->getParameter('kernel.bundles_metadata'); 37 | if (! isset($bundlesMetadata['FrameworkBundle'])) { 38 | return false; 39 | } 40 | 41 | return is_file($bundlesMetadata['FrameworkBundle']['path'] . '/Resources/config/asset_mapper.php'); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /src/symfony/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018-2022 Spomky-Labs 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /src/symfony/composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "web-auth/webauthn-symfony-bundle", 3 | "type": "symfony-bundle", 4 | "license": "MIT", 5 | "description": "FIDO2/Webauthn Security Bundle For Symfony", 6 | "keywords": [ 7 | "FIDO", 8 | "FIDO2", 9 | "webauthn", 10 | "symfony", 11 | "symfony-bundle", 12 | "bundle" 13 | ], 14 | "homepage": "https://github.com/web-auth", 15 | "authors": [ 16 | { 17 | "name": "Florent Morselli", 18 | "homepage": "https://github.com/Spomky" 19 | }, 20 | { 21 | "name": "All contributors", 22 | "homepage": "https://github.com/web-auth/webauthn-symfony-bundle/contributors" 23 | } 24 | ], 25 | "require": { 26 | "php": ">=8.2", 27 | "psr/event-dispatcher": "^1.0", 28 | "symfony/config": "^6.4|^7.0", 29 | "symfony/dependency-injection": "^6.4|^7.0", 30 | "symfony/framework-bundle": "^6.4|^7.0", 31 | "symfony/http-client": "^6.4|^7.0", 32 | "symfony/security-bundle": "^6.4|^7.0", 33 | "symfony/security-core": "^6.4|^7.0", 34 | "symfony/security-http": "^6.4|^7.0", 35 | "symfony/serializer": "^6.4|^7.0", 36 | "symfony/validator": "^6.4|^7.0", 37 | "web-auth/webauthn-lib": "self.version" 38 | }, 39 | "extra": { 40 | "thanks": { 41 | "name": "web-auth/webauthn-framework", 42 | "url": "https://github.com/web-auth/webauthn-framework" 43 | } 44 | }, 45 | "autoload": { 46 | "psr-4": { 47 | "Webauthn\\Bundle\\": "src/" 48 | } 49 | }, 50 | "suggest": { 51 | "symfony/security-bundle": "Symfony firewall using a JSON API (perfect for script applications)" 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /src/symfony/src/Controller/AllowedOriginsController.php: -------------------------------------------------------------------------------- 1 | $this->allowedOrigins, 23 | ]); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /src/symfony/src/Controller/AssertionRequestController.php: -------------------------------------------------------------------------------- 1 | optionsBuilder->getFromRequest($request, $userEntity); 35 | $response = $this->optionsHandler->onRequestOptions($publicKeyCredentialRequestOptions, $userEntity); 36 | $this->optionsStorage->store(Item::create($publicKeyCredentialRequestOptions, $userEntity)); 37 | 38 | return $response; 39 | } catch (Throwable $throwable) { 40 | $this->logger->error('An error occurred during the assertion ceremony', [ 41 | 'exception' => $throwable, 42 | ]); 43 | if ($this->failureHandler instanceof AuthenticationFailureHandlerInterface) { 44 | return $this->failureHandler->onAuthenticationFailure( 45 | $request, 46 | new AuthenticationException($throwable->getMessage(), $throwable->getCode(), $throwable) 47 | ); 48 | } 49 | 50 | return $this->failureHandler->onFailure($request, $throwable); 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /src/symfony/src/Controller/DummyController.php: -------------------------------------------------------------------------------- 1 | hasDefinition(AttestationStatementSupportManager::class)) { 19 | return; 20 | } 21 | 22 | $definition = $container->getDefinition(AttestationStatementSupportManager::class); 23 | $taggedServices = $container->findTaggedServiceIds(self::TAG); 24 | foreach ($taggedServices as $id => $attributes) { 25 | $definition->addMethodCall('add', [new Reference($id)]); 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /src/symfony/src/DependencyInjection/Compiler/CoseAlgorithmCompilerPass.php: -------------------------------------------------------------------------------- 1 | hasDefinition('webauthn.cose.algorithm.manager')) { 18 | return; 19 | } 20 | 21 | $definition = $container->getDefinition('webauthn.cose.algorithm.manager'); 22 | 23 | $taggedServices = $container->findTaggedServiceIds(self::TAG); 24 | foreach ($taggedServices as $id => $attributes) { 25 | $definition->addMethodCall('add', [new Reference($id)]); 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /src/symfony/src/DependencyInjection/Compiler/CounterCheckerSetterCompilerPass.php: -------------------------------------------------------------------------------- 1 | hasAlias(CounterChecker::class) 19 | || ! $container->hasDefinition(CeremonyStepManagerFactory::class) 20 | ) { 21 | return; 22 | } 23 | 24 | $definition = $container->getDefinition(CeremonyStepManagerFactory::class); 25 | $definition->addMethodCall('setCounterChecker', [new Reference(CounterChecker::class)]); 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/symfony/src/DependencyInjection/Compiler/DynamicRouteCompilerPass.php: -------------------------------------------------------------------------------- 1 | hasDefinition(Loader::class)) { 21 | return; 22 | } 23 | 24 | $definition = $container->getDefinition(Loader::class); 25 | 26 | $taggedServices = $container->findTaggedServiceIds(self::TAG); 27 | foreach ($taggedServices as $id => $tags) { 28 | foreach ($tags as $attributes) { 29 | array_key_exists('path', $attributes) || throw new InvalidArgumentException(sprintf( 30 | 'The path is missing for "%s"', 31 | $id 32 | )); 33 | array_key_exists('host', $attributes) || throw new InvalidArgumentException(sprintf( 34 | 'The host is missing for "%s"', 35 | $id 36 | )); 37 | $definition->addMethodCall( 38 | 'add', 39 | [$attributes['path'], $attributes['host'], $id, $attributes['method'] ?? 'POST'] 40 | ); 41 | } 42 | } 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /src/symfony/src/DependencyInjection/Compiler/EventDispatcherSetterCompilerPass.php: -------------------------------------------------------------------------------- 1 | hasAlias('webauthn.event_dispatcher')) { 18 | return; 19 | } 20 | 21 | $taggedServices = $container->findTaggedServiceIds(self::TAG); 22 | foreach ($taggedServices as $id => $attributes) { 23 | $service = $container->getDefinition($id); 24 | $service->addMethodCall('setEventDispatcher', [new Reference('webauthn.event_dispatcher')]); 25 | } 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/symfony/src/DependencyInjection/Compiler/ExtensionOutputCheckerCompilerPass.php: -------------------------------------------------------------------------------- 1 | hasDefinition(ExtensionOutputCheckerHandler::class)) { 19 | return; 20 | } 21 | 22 | $definition = $container->getDefinition(ExtensionOutputCheckerHandler::class); 23 | 24 | $taggedServices = $container->findTaggedServiceIds(self::TAG); 25 | foreach ($taggedServices as $id => $attributes) { 26 | $definition->addMethodCall('add', [new Reference($id)]); 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /src/symfony/src/DependencyInjection/Compiler/LoggerSetterCompilerPass.php: -------------------------------------------------------------------------------- 1 | hasAlias('webauthn.logger')) { 18 | return; 19 | } 20 | 21 | $taggedServices = $container->findTaggedServiceIds(self::TAG); 22 | foreach ($taggedServices as $id => $attributes) { 23 | $service = $container->getDefinition($id); 24 | $service->addMethodCall('setLogger', [new Reference('webauthn.logger')]); 25 | } 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/symfony/src/Doctrine/Type/AAGUIDDataType.php: -------------------------------------------------------------------------------- 1 | __toString(); 21 | } 22 | return null; 23 | } 24 | 25 | public function convertToPHPValue(mixed $value, AbstractPlatform $platform): ?Uuid 26 | { 27 | if ($value instanceof Uuid) { 28 | return $value; 29 | } 30 | if (is_string($value)) { 31 | return Uuid::fromString($value); 32 | } 33 | 34 | return null; 35 | } 36 | 37 | public function getSQLDeclaration(array $column, AbstractPlatform $platform): string 38 | { 39 | return $platform->getClobTypeDeclarationSQL($column); 40 | } 41 | 42 | public function getName(): string 43 | { 44 | return 'aaguid'; 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /src/symfony/src/Doctrine/Type/AttestedCredentialDataType.php: -------------------------------------------------------------------------------- 1 | serialize($value); 22 | } 23 | 24 | public function convertToPHPValue($value, AbstractPlatform $platform): ?AttestedCredentialData 25 | { 26 | if ($value === null || $value instanceof AttestedCredentialData) { 27 | return $value; 28 | } 29 | 30 | return $this->deserialize($value, AttestedCredentialData::class); 31 | } 32 | 33 | public function getName(): string 34 | { 35 | return 'attested_credential_data'; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/symfony/src/Doctrine/Type/Base64BinaryDataType.php: -------------------------------------------------------------------------------- 1 | getClobTypeDeclarationSQL($column); 35 | } 36 | 37 | public function getName(): string 38 | { 39 | return 'base64'; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/symfony/src/Doctrine/Type/PublicKeyCredentialDescriptorType.php: -------------------------------------------------------------------------------- 1 | serialize($value); 22 | } 23 | 24 | public function convertToPHPValue($value, AbstractPlatform $platform): ?PublicKeyCredentialDescriptor 25 | { 26 | if ($value === null || $value instanceof PublicKeyCredentialDescriptor) { 27 | return $value; 28 | } 29 | 30 | return $this->deserialize($value, PublicKeyCredentialDescriptor::class); 31 | } 32 | 33 | public function getName(): string 34 | { 35 | return 'public_key_credential_descriptor'; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/symfony/src/Doctrine/Type/SerializerTrait.php: -------------------------------------------------------------------------------- 1 | create(); 19 | 20 | return $serializer->serialize($data, JsonEncoder::FORMAT, [ 21 | AbstractObjectNormalizer::SKIP_NULL_VALUES => true, 22 | JsonEncode::OPTIONS => JSON_THROW_ON_ERROR, 23 | ]); 24 | } 25 | 26 | protected function deserialize(string $data, string $class): mixed 27 | { 28 | $serializer = (new WebauthnSerializerFactory(AttestationStatementSupportManager::create()))->create(); 29 | 30 | return $serializer->deserialize($data, $class, JsonEncoder::FORMAT); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/symfony/src/Doctrine/Type/TrustPathDataType.php: -------------------------------------------------------------------------------- 1 | serialize($value); 22 | } 23 | 24 | public function convertToPHPValue($value, AbstractPlatform $platform): ?TrustPath 25 | { 26 | if ($value === null || $value instanceof TrustPath) { 27 | return $value; 28 | } 29 | 30 | return $this->deserialize($value, TrustPath::class); 31 | } 32 | 33 | public function getName(): string 34 | { 35 | return 'trust_path'; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/symfony/src/Dto/PublicKeyCredentialCreationOptionsRequest.php: -------------------------------------------------------------------------------- 1 | |null 49 | */ 50 | public ?array $extensions = null; 51 | } 52 | -------------------------------------------------------------------------------- /src/symfony/src/Dto/ServerPublicKeyCredentialCreationOptionsRequest.php: -------------------------------------------------------------------------------- 1 | |null 26 | */ 27 | public ?array $extensions = null; 28 | } 29 | -------------------------------------------------------------------------------- /src/symfony/src/Event/PublicKeyCredentialCreationOptionsCreatedEvent.php: -------------------------------------------------------------------------------- 1 | $headers 14 | */ 15 | public function __construct(string $message = '', ?Throwable $previous = null, int $code = 0, array $headers = []) 16 | { 17 | parent::__construct(501, $message, $previous, $headers, $code); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /src/symfony/src/Exception/MissingFeatureException.php: -------------------------------------------------------------------------------- 1 | logger = $logger; 28 | } 29 | 30 | public function findAllForUserEntity(PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity): array 31 | { 32 | $this->throwException(); 33 | } 34 | 35 | public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource 36 | { 37 | $this->throwException(); 38 | } 39 | 40 | private function throwException(): never 41 | { 42 | $this->logger->critical( 43 | 'Please change the Public Key Credential Source Repository in the bundle configuration. See https://webauthn-doc.spomky-labs.com/the-webauthn-server/the-symfony-way#repositories-1' 44 | ); 45 | throw new LogicException( 46 | 'You are using the DummyPublicKeyCredentialSourceRepository service. Please create your own repository' 47 | ); 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /src/symfony/src/Repository/DummyPublicKeyCredentialUserEntityRepository.php: -------------------------------------------------------------------------------- 1 | logger = $logger; 27 | } 28 | 29 | public function findOneByUsername(string $username): ?PublicKeyCredentialUserEntity 30 | { 31 | $this->throwException(); 32 | } 33 | 34 | public function findOneByUserHandle(string $userHandle): ?PublicKeyCredentialUserEntity 35 | { 36 | $this->throwException(); 37 | } 38 | 39 | private function throwException(): never 40 | { 41 | $this->logger->critical( 42 | 'Please change the Public Key Credential User Entity Repository in the bundle configuration. See https://webauthn-doc.spomky-labs.com/the-webauthn-server/the-symfony-way#repositories-1' 43 | ); 44 | throw new LogicException( 45 | 'You are using the DummyPublicKeyCredentialUserEntityRepository service. Please create your own repository' 46 | ); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /src/symfony/src/Repository/PublicKeyCredentialSourceRepositoryInterface.php: -------------------------------------------------------------------------------- 1 | services() 12 | ->defaults() 13 | ->private() 14 | ->autoconfigure() 15 | ->autowire() 16 | ; 17 | 18 | $service->set(WebauthnCollector::class) 19 | ->args([service('serializer')]) 20 | ->tag('data_collector', [ 21 | 'id' => 'webauthn_collector', 22 | 'template' => '@Webauthn/data_collector/template.html.twig', 23 | ]); 24 | }; 25 | -------------------------------------------------------------------------------- /src/symfony/src/Resources/config/doctrine-mapping/PublicKeyCredentialEntity.orm.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /src/symfony/src/Resources/config/doctrine-mapping/PublicKeyCredentialSource.orm.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /src/symfony/src/Resources/config/doctrine-mapping/PublicKeyCredentialUserEntity.orm.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /src/symfony/src/Resources/config/metadata_statement_supports.php: -------------------------------------------------------------------------------- 1 | services() 16 | ->defaults() 17 | ->private() 18 | ->autoconfigure(); 19 | 20 | $service 21 | ->set(AppleAttestationStatementSupport::class); 22 | $service 23 | ->set(TPMAttestationStatementSupport::class) 24 | ->args([service('webauthn.clock')]) 25 | ; 26 | $service 27 | ->set(FidoU2FAttestationStatementSupport::class); 28 | $service 29 | ->set(AndroidKeyAttestationStatementSupport::class); 30 | $service 31 | ->set(PackedAttestationStatementSupport::class) 32 | ->args([service('webauthn.cose.algorithm.manager')]); 33 | 34 | $service 35 | ->set(PhpCertificateChainValidator::class) 36 | ->args([service('webauthn.http_client'), service('webauthn.clock')]); 37 | }; 38 | -------------------------------------------------------------------------------- /src/symfony/src/Resources/config/routing.php: -------------------------------------------------------------------------------- 1 | import('.', 'webauthn'); 9 | }; 10 | -------------------------------------------------------------------------------- /src/symfony/src/Routing/Loader.php: -------------------------------------------------------------------------------- 1 | routes = new RouteCollection(); 20 | } 21 | 22 | public function add(string $pattern, ?string $host, string $name, string $method = 'POST'): void 23 | { 24 | $controllerId = sprintf('%s', $name); 25 | $defaults = [ 26 | '_controller' => $controllerId, 27 | ]; 28 | $route = new Route($pattern, $defaults, [], [], $host, [], [$method]); 29 | $this->routes->add($name, $route); 30 | } 31 | 32 | /** 33 | * @noRector 34 | */ 35 | public function load(mixed $resource, ?string $type = null): RouteCollection 36 | { 37 | return $this->routes; 38 | } 39 | 40 | public function supports(mixed $resource, ?string $type = null): bool 41 | { 42 | return $type === 'webauthn'; 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Authentication/Exception/WebauthnAuthenticationEvent.php: -------------------------------------------------------------------------------- 1 | getBadge(WebauthnBadge::class); 20 | assert($webauthnBadge instanceof WebauthnBadge, 'Invalid badge'); 21 | if ($webauthnBadge->getAuthenticatorResponse() instanceof AuthenticatorAssertionResponse) { 22 | $authData = $webauthnBadge->getAuthenticatorResponse() 23 | ->authenticatorData; 24 | } else { 25 | $authData = $webauthnBadge->getAuthenticatorResponse() 26 | ->attestationObject 27 | ->authData; 28 | } 29 | 30 | $token = new WebauthnToken( 31 | $webauthnBadge->getPublicKeyCredentialUserEntity(), 32 | $webauthnBadge->getPublicKeyCredentialOptions(), 33 | $webauthnBadge->getPublicKeyCredentialSource() 34 | ->getPublicKeyCredentialDescriptor(), 35 | $authData->isUserPresent(), 36 | $authData->isUserVerified(), 37 | $authData->getReservedForFutureUse1(), 38 | $authData->getReservedForFutureUse2(), 39 | $authData->signCount, 40 | $authData->extensions, 41 | $firewallName, 42 | $webauthnBadge->getUser() 43 | ->getRoles(), 44 | $authData->isBackupEligible(), 45 | $authData->isBackedUp(), 46 | ); 47 | $token->setUser($webauthnBadge->getUser()); 48 | 49 | return $token; 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Authentication/WebauthnPassport.php: -------------------------------------------------------------------------------- 1 | addBadge($webauthnBadge); 21 | $this->addBadge(new PreAuthenticatedUserBadge()); 22 | foreach ($badges as $badge) { 23 | $this->addBadge($badge); 24 | } 25 | } 26 | 27 | public function getUser(): UserInterface 28 | { 29 | $webauthnBadge = $this->getBadge(WebauthnBadge::class); 30 | if ($webauthnBadge === null || ! $webauthnBadge instanceof WebauthnBadge) { 31 | throw new LogicException('No WebauthnBadge found in the passport.'); 32 | } 33 | 34 | return $webauthnBadge->getUser(); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Authorization/Voter/IsUserPresentVoter.php: -------------------------------------------------------------------------------- 1 | isUserPresent() ? VoterInterface::ACCESS_GRANTED : VoterInterface::ACCESS_DENIED; 28 | } 29 | 30 | return $result; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Authorization/Voter/IsUserVerifiedVoter.php: -------------------------------------------------------------------------------- 1 | isUserVerified() ? VoterInterface::ACCESS_GRANTED : VoterInterface::ACCESS_DENIED; 28 | } 29 | 30 | return $result; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Guesser/CurrentUserEntityGuesser.php: -------------------------------------------------------------------------------- 1 | tokenStorage->getToken()?->getUser(); 24 | $user !== null || throw MissingUserEntityException::create('Unable to find the user entity'); 25 | $userEntity = $this->userEntityRepository->findOneByUsername($user->getUserIdentifier()); 26 | $userEntity !== null || throw MissingUserEntityException::create('Unable to find the user entity'); 27 | 28 | return $userEntity; 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Guesser/UserEntityGuesser.php: -------------------------------------------------------------------------------- 1 | normalizer->normalize($publicKeyCredentialCreationOptions, JsonEncoder::FORMAT, [ 29 | AbstractObjectNormalizer::SKIP_NULL_VALUES => true, 30 | ]); 31 | is_array($data) || throw new RuntimeException('Unable to encode the response to JSON.'); 32 | $data['status'] = 'ok'; 33 | $data['errorMessage'] = ''; 34 | 35 | return new JsonResponse($data); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Handler/DefaultFailureHandler.php: -------------------------------------------------------------------------------- 1 | 'error', 20 | 'errorMessage' => $exception === null ? 'Authentication failed' : $exception->getMessage(), 21 | ]; 22 | 23 | return new JsonResponse($data, Response::HTTP_UNAUTHORIZED); 24 | } 25 | 26 | public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response 27 | { 28 | return $this->onFailure($request, $exception); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Handler/DefaultRequestOptionsHandler.php: -------------------------------------------------------------------------------- 1 | normalizer->normalize($publicKeyCredentialRequestOptions, JsonEncoder::FORMAT, [ 29 | AbstractObjectNormalizer::SKIP_NULL_VALUES => true, 30 | ]); 31 | is_array($data) || throw new RuntimeException('Unable to encode the response to JSON.'); 32 | $data['status'] = 'ok'; 33 | $data['errorMessage'] = ''; 34 | 35 | return new JsonResponse($data); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Handler/DefaultSuccessHandler.php: -------------------------------------------------------------------------------- 1 | 'ok', 19 | 'errorMessage' => '', 20 | ]; 21 | $statusCode = $request->getMethod() === Request::METHOD_POST ? Response::HTTP_CREATED : Response::HTTP_OK; 22 | 23 | return new JsonResponse($data, $statusCode); 24 | } 25 | 26 | public function onAuthenticationSuccess(Request $request, TokenInterface $token): Response 27 | { 28 | return $this->onSuccess($request); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Handler/FailureHandler.php: -------------------------------------------------------------------------------- 1 | authenticatorResponse; 27 | } 28 | 29 | public function getPublicKeyCredentialOptions(): PublicKeyCredentialOptions 30 | { 31 | return $this->publicKeyCredentialOptions; 32 | } 33 | 34 | public function getPublicKeyCredentialUserEntity(): ?PublicKeyCredentialUserEntity 35 | { 36 | return $this->publicKeyCredentialUserEntity; 37 | } 38 | 39 | public function getPublicKeyCredentialSource(): PublicKeyCredentialSource 40 | { 41 | return $this->publicKeyCredentialSource; 42 | } 43 | 44 | public function getFirewallName(): string 45 | { 46 | return $this->firewallName; 47 | } 48 | 49 | public function isResolved(): bool 50 | { 51 | return true; 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Storage/CacheStorage.php: -------------------------------------------------------------------------------- 1 | getPublicKeyCredentialOptions()->challenge) 26 | ); 27 | 28 | $cacheItem = $this->cache->getItem($key); 29 | $cacheItem->set($item); 30 | $this->cache->save($cacheItem); 31 | } 32 | 33 | public function get(string $challenge): Item 34 | { 35 | $key = sprintf('%s-%s', self::CACHE_PARAMETER, hash('xxh128', $challenge)); 36 | $cacheItem = $this->cache->getItem($key); 37 | if (! $cacheItem->isHit()) { 38 | throw new BadRequestHttpException('No public key credential options available.'); 39 | } 40 | $item = $cacheItem->get(); 41 | $this->cache->deleteItem($key); 42 | if (! $item instanceof Item) { 43 | throw new BadRequestHttpException('No public key credential options available.'); 44 | } 45 | 46 | return $item; 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Storage/Item.php: -------------------------------------------------------------------------------- 1 | publicKeyCredentialOptions; 28 | } 29 | 30 | public function getPublicKeyCredentialUserEntity(): ?PublicKeyCredentialUserEntity 31 | { 32 | return $this->publicKeyCredentialUserEntity; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/symfony/src/Security/Storage/OptionsStorage.php: -------------------------------------------------------------------------------- 1 | 'error', 19 | 'errorMessage' => $exception === null ? 'An unexpected error occurred' : $exception->getMessage(), 20 | ]; 21 | 22 | return new JsonResponse($data, Response::HTTP_BAD_REQUEST); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/symfony/src/Service/DefaultSuccessHandler.php: -------------------------------------------------------------------------------- 1 | 'ok', 18 | 'errorMessage' => '', 19 | ]; 20 | 21 | return new JsonResponse($data, JsonResponse::HTTP_CREATED); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /src/webauthn/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018-2022 Spomky-Labs 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /src/webauthn/composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "web-auth/webauthn-lib", 3 | "type": "library", 4 | "license": "MIT", 5 | "description": "FIDO2/Webauthn Support For PHP", 6 | "keywords": [ 7 | "FIDO", 8 | "FIDO2", 9 | "webauthn" 10 | ], 11 | "homepage": "https://github.com/web-auth", 12 | "authors": [ 13 | { 14 | "name": "Florent Morselli", 15 | "homepage": "https://github.com/Spomky" 16 | }, 17 | { 18 | "name": "All contributors", 19 | "homepage": "https://github.com/web-auth/webauthn-library/contributors" 20 | } 21 | ], 22 | "require": { 23 | "php": ">=8.2", 24 | "ext-json": "*", 25 | "ext-openssl": "*", 26 | "paragonie/constant_time_encoding": "^2.6|^3.0", 27 | "phpdocumentor/reflection-docblock": "^5.3", 28 | "psr/clock": "^1.0", 29 | "psr/event-dispatcher": "^1.0", 30 | "psr/log": "^1.0|^2.0|^3.0", 31 | "spomky-labs/cbor-php": "^3.0", 32 | "symfony/clock": "^6.4|^7.0", 33 | "symfony/uid": "^6.4|^7.0", 34 | "spomky-labs/pki-framework": "^1.0", 35 | "symfony/property-info": "^6.4|^7.0", 36 | "symfony/property-access": "^6.4|^7.0", 37 | "symfony/serializer": "^6.4|^7.0", 38 | "symfony/deprecation-contracts": "^3.2", 39 | "web-auth/cose-lib": "^4.2.3" 40 | }, 41 | "autoload": { 42 | "psr-4": { 43 | "Webauthn\\": "src/" 44 | } 45 | }, 46 | "extra": { 47 | "thanks": { 48 | "name": "web-auth/webauthn-framework", 49 | "url": "https://github.com/web-auth/webauthn-framework" 50 | } 51 | }, 52 | "suggest": { 53 | "psr/log-implementation": "Recommended to receive logs from the library", 54 | "symfony/event-dispatcher": "Recommended to use dispatched events", 55 | "web-token/jwt-library": "Mandatory for fetching Metadata Statement from distant sources" 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /src/webauthn/src/AttestationStatement/AttestationObject.php: -------------------------------------------------------------------------------- 1 | $attestation 15 | */ 16 | public function load(array $attestation): AttestationStatement; 17 | 18 | public function isValid( 19 | string $clientDataJSONHash, 20 | AttestationStatement $attestationStatement, 21 | AuthenticatorData $authenticatorData 22 | ): bool; 23 | } 24 | -------------------------------------------------------------------------------- /src/webauthn/src/AttestationStatement/AttestationStatementSupportManager.php: -------------------------------------------------------------------------------- 1 | add(new NoneAttestationStatementSupport()); 20 | foreach ($attestationStatementSupports as $attestationStatementSupport) { 21 | $this->add($attestationStatementSupport); 22 | } 23 | } 24 | 25 | /** 26 | * @param AttestationStatementSupport[] $attestationStatementSupports 27 | */ 28 | public static function create(array $attestationStatementSupports = []): self 29 | { 30 | return new self($attestationStatementSupports); 31 | } 32 | 33 | public function add(AttestationStatementSupport $attestationStatementSupport): void 34 | { 35 | $this->attestationStatementSupports[$attestationStatementSupport->name()] = $attestationStatementSupport; 36 | } 37 | 38 | public function has(string $name): bool 39 | { 40 | return array_key_exists($name, $this->attestationStatementSupports); 41 | } 42 | 43 | public function get(string $name): AttestationStatementSupport 44 | { 45 | $this->has($name) || throw InvalidDataException::create($name, sprintf( 46 | 'The attestation statement format "%s" is not supported.', 47 | $name 48 | )); 49 | 50 | return $this->attestationStatementSupports[$name]; 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/webauthn/src/AttestedCredentialData.php: -------------------------------------------------------------------------------- 1 | normalize(); 17 | return AuthenticationExtensions::create( 18 | array_map( 19 | fn (mixed $value, string $key) => AuthenticationExtension::create($key, $value), 20 | $data, 21 | array_keys($data) 22 | ) 23 | ); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /src/webauthn/src/AuthenticationExtensions/CredentialPropertiesInputExtension.php: -------------------------------------------------------------------------------- 1 | checkers[] = $checker; 22 | } 23 | 24 | public function check(AuthenticationExtensions $inputs, AuthenticationExtensions $outputs): void 25 | { 26 | foreach ($this->checkers as $checker) { 27 | $checker->check($inputs, $outputs); 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/webauthn/src/AuthenticationExtensions/ExtensionOutputError.php: -------------------------------------------------------------------------------- 1 | $support, 22 | ]); 23 | } 24 | 25 | public static function read(): AuthenticationExtension 26 | { 27 | return self::create('largeBlob', [ 28 | 'read' => true, 29 | ]); 30 | } 31 | 32 | public static function write(string $value): AuthenticationExtension 33 | { 34 | return self::create('largeBlob', [ 35 | 'write' => $value, 36 | ]); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /src/webauthn/src/AuthenticationExtensions/PseudoRandomFunctionInputExtension.php: -------------------------------------------------------------------------------- 1 | 14 | */ 15 | private array $values = []; 16 | 17 | private function __construct() 18 | { 19 | } 20 | 21 | public static function create(): self 22 | { 23 | return new self(); 24 | } 25 | 26 | public function withInputs(string $first, null|string $second = null): self 27 | { 28 | $eval = [ 29 | 'first' => Base64UrlSafe::encodeUnpadded($first), 30 | ]; 31 | if ($second !== null) { 32 | $eval['second'] = Base64UrlSafe::encodeUnpadded($second); 33 | } 34 | $this->values['eval'] = $eval; 35 | 36 | return $this; 37 | } 38 | 39 | public function withCredentialInputs(string $credentialId, string $first, null|string $second = null): self 40 | { 41 | $eval = [ 42 | 'first' => Base64UrlSafe::encodeUnpadded($first), 43 | ]; 44 | if ($second !== null) { 45 | $eval['second'] = Base64UrlSafe::encodeUnpadded($second); 46 | } 47 | if (! array_key_exists('evalByCredential', $this->values)) { 48 | $this->values['evalByCredential'] = []; 49 | } 50 | $this->values['evalByCredential'][$credentialId] = $eval; 51 | 52 | return $this; 53 | } 54 | 55 | public function build(): PseudoRandomFunctionInputExtension 56 | { 57 | return new PseudoRandomFunctionInputExtension('prf', $this->values); 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /src/webauthn/src/AuthenticationExtensions/UvmInputExtension.php: -------------------------------------------------------------------------------- 1 | steps as $step) { 31 | $step->process( 32 | $publicKeyCredentialSource, 33 | $authenticatorResponse, 34 | $publicKeyCredentialOptions, 35 | $userHandle, 36 | $host 37 | ); 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckAllowedCredentialList.php: -------------------------------------------------------------------------------- 1 | allowCredentials) === 0) { 28 | return; 29 | } 30 | 31 | foreach ($publicKeyCredentialOptions->allowCredentials as $allowedCredential) { 32 | if (hash_equals($allowedCredential->id, $publicKeyCredentialSource->publicKeyCredentialId)) { 33 | return; 34 | } 35 | } 36 | throw AuthenticatorResponseVerificationException::create('The credential ID is not allowed.'); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckAttestationFormatIsKnownAndValid.php: -------------------------------------------------------------------------------- 1 | attestationObject; 30 | if ($attestationObject === null) { 31 | return; 32 | } 33 | 34 | $fmt = $attestationObject->attStmt 35 | ->fmt; 36 | $this->attestationStatementSupportManager->has( 37 | $fmt 38 | ) || throw AuthenticatorResponseVerificationException::create('Unsupported attestation statement format.'); 39 | 40 | $attestationStatementSupport = $this->attestationStatementSupportManager->get($fmt); 41 | $clientDataJSONHash = hash('sha256', $authenticatorResponse->clientDataJSON ->rawData, true); 42 | $attestationStatementSupport->isValid( 43 | $clientDataJSONHash, 44 | $attestationObject->attStmt, 45 | $attestationObject->authData 46 | ) || throw AuthenticatorResponseVerificationException::create('Invalid attestation statement.'); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckBackupBitsAreConsistent.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 24 | if ($authData->isBackupEligible()) { 25 | return; 26 | } 27 | $authData->isBackedUp() !== true || throw AuthenticatorResponseVerificationException::create( 28 | 'Backup up bit is set but the backup is not eligible.' 29 | ); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckChallenge.php: -------------------------------------------------------------------------------- 1 | challenge !== '' || throw AuthenticatorResponseVerificationException::create( 24 | 'Invalid challenge.' 25 | ); 26 | hash_equals( 27 | $publicKeyCredentialOptions->challenge, 28 | $authenticatorResponse->clientDataJSON->challenge 29 | ) || throw AuthenticatorResponseVerificationException::create('Invalid challenge.'); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckClientDataCollectorType.php: -------------------------------------------------------------------------------- 1 | clientDataCollectorManager = $clientDataCollectorManager ?? new ClientDataCollectorManager([ 23 | new WebauthnAuthenticationCollector(), 24 | ]); 25 | } 26 | 27 | public function process( 28 | PublicKeyCredentialSource $publicKeyCredentialSource, 29 | AuthenticatorAssertionResponse|AuthenticatorAttestationResponse $authenticatorResponse, 30 | PublicKeyCredentialRequestOptions|PublicKeyCredentialCreationOptions $publicKeyCredentialOptions, 31 | ?string $userHandle, 32 | string $host 33 | ): void { 34 | $this->clientDataCollectorManager->collect( 35 | $authenticatorResponse->clientDataJSON, 36 | $publicKeyCredentialOptions, 37 | $authenticatorResponse, 38 | $host 39 | ); 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckCounter.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 29 | $storedCounter = $publicKeyCredentialSource->counter; 30 | $responseCounter = $authData->signCount; 31 | if ($responseCounter !== 0 || $storedCounter !== 0) { 32 | $this->counterChecker->check($publicKeyCredentialSource, $responseCounter); 33 | } 34 | $publicKeyCredentialSource->counter = $responseCounter; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckCredentialId.php: -------------------------------------------------------------------------------- 1 | publicKeyCredentialId; 25 | strlen($credentialId) <= 1023 || throw new AuthenticatorResponseVerificationException( 26 | 'Credential ID too long.' 27 | ); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckExtensions.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 29 | $extensionsClientOutputs = $authData->extensions; 30 | if ($extensionsClientOutputs !== null) { 31 | $this->extensionOutputCheckerHandler->check( 32 | $publicKeyCredentialOptions->extensions, 33 | $extensionsClientOutputs 34 | ); 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckHasAttestedCredentialData.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 24 | $authData 25 | ->hasAttestedCredentialData() || throw AuthenticatorResponseVerificationException::create( 26 | 'There is no attested credential data.' 27 | ); 28 | $authData->attestedCredentialData !== null || throw AuthenticatorResponseVerificationException::create( 29 | 'There is no attested credential data.' 30 | ); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckTopOrigin.php: -------------------------------------------------------------------------------- 1 | clientDataJSON->topOrigin; 29 | if ($topOrigin === null) { 30 | return; 31 | } 32 | if ($authenticatorResponse->clientDataJSON->crossOrigin !== true) { 33 | throw AuthenticatorResponseVerificationException::create('The response is not cross-origin.'); 34 | } 35 | if ($this->topOriginValidator === null) { 36 | (new HostTopOriginValidator($host))->validate($topOrigin); 37 | } else { 38 | $this->topOriginValidator->validate($topOrigin); 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckUserHandle.php: -------------------------------------------------------------------------------- 1 | userHandle; 27 | $responseUserHandle = $authenticatorResponse->userHandle; 28 | if ($userHandle !== null) { //If the user was identified before the authentication ceremony was initiated, 29 | $credentialUserHandle === $userHandle || throw InvalidUserHandleException::create(); 30 | if ($responseUserHandle !== null && $responseUserHandle !== '') { 31 | $credentialUserHandle === $responseUserHandle || throw InvalidUserHandleException::create(); 32 | } 33 | } else { 34 | ($responseUserHandle !== '' && $credentialUserHandle === $responseUserHandle) || throw InvalidUserHandleException::create(); 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckUserVerification.php: -------------------------------------------------------------------------------- 1 | userVerification : $publicKeyCredentialOptions->authenticatorSelection?->userVerification; 25 | if ($userVerification !== AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED) { 26 | return; 27 | } 28 | $authData = $authenticatorResponse instanceof AuthenticatorAssertionResponse ? $authenticatorResponse->authenticatorData : $authenticatorResponse->attestationObject->authData; 29 | $authData->isUserVerified() || throw AuthenticatorResponseVerificationException::create( 30 | 'User authentication required.' 31 | ); 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/CheckUserWasPresent.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 24 | $authData->isUserPresent() || throw AuthenticatorResponseVerificationException::create('User was not present'); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/HostTopOriginValidator.php: -------------------------------------------------------------------------------- 1 | host || throw AuthenticatorResponseVerificationException::create( 19 | 'The top origin does not correspond to the host.' 20 | ); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/webauthn/src/CeremonyStep/TopOriginValidator.php: -------------------------------------------------------------------------------- 1 | clientDataCollectors as $clientDataCollector) { 30 | if (in_array($collectedClientData->type, $clientDataCollector->supportedTypes(), true)) { 31 | $clientDataCollector->verifyCollectedClientData( 32 | $collectedClientData, 33 | $publicKeyCredentialOptions, 34 | $authenticatorResponse, 35 | $host 36 | ); 37 | return; 38 | } 39 | } 40 | 41 | throw AuthenticatorResponseVerificationException::create('No client data collector found.'); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /src/webauthn/src/ClientDataCollector/WebauthnAuthenticationCollector.php: -------------------------------------------------------------------------------- 1 | type, 29 | $this->supportedTypes(), 30 | true 31 | ) || throw AuthenticatorResponseVerificationException::create( 32 | sprintf('The client data type is not "%s" supported.', implode('", "', $this->supportedTypes())) 33 | ); 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /src/webauthn/src/Counter/CounterChecker.php: -------------------------------------------------------------------------------- 1 | logger = $logger; 23 | } 24 | 25 | public function check(PublicKeyCredentialSource $publicKeyCredentialSource, int $currentCounter): void 26 | { 27 | try { 28 | $currentCounter > $publicKeyCredentialSource->counter || throw CounterException::create( 29 | $currentCounter, 30 | $publicKeyCredentialSource->counter, 31 | 'Invalid counter.' 32 | ); 33 | } catch (CounterException $throwable) { 34 | $this->logger->error('The counter is invalid', [ 35 | 'current' => $currentCounter, 36 | 'new' => $publicKeyCredentialSource->counter, 37 | ]); 38 | throw $throwable; 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/webauthn/src/Credential.php: -------------------------------------------------------------------------------- 1 | attestationStatementSupportManager->get($data['fmt']); 21 | 22 | return $attestationStatementSupport->load($data); 23 | } 24 | 25 | public function supportsDenormalization( 26 | mixed $data, 27 | string $type, 28 | ?string $format = null, 29 | array $context = [] 30 | ): bool { 31 | return $type === AttestationStatement::class; 32 | } 33 | 34 | /** 35 | * @return array 36 | */ 37 | public function getSupportedTypes(?string $format): array 38 | { 39 | return [ 40 | AttestationStatement::class => true, 41 | ]; 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/AttestedCredentialDataNormalizer.php: -------------------------------------------------------------------------------- 1 | 19 | */ 20 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 21 | { 22 | assert($data instanceof AttestedCredentialData); 23 | $result = [ 24 | 'aaguid' => $this->normalizer->normalize($data->aaguid, $format, $context), 25 | 'credentialId' => base64_encode($data->credentialId), 26 | ]; 27 | if ($data->credentialPublicKey !== null) { 28 | $result['credentialPublicKey'] = base64_encode($data->credentialPublicKey); 29 | } 30 | 31 | return $result; 32 | } 33 | 34 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 35 | { 36 | return $data instanceof AttestedCredentialData; 37 | } 38 | 39 | public function getSupportedTypes(?string $format): array 40 | { 41 | return [ 42 | AttestedCredentialData::class => true, 43 | ]; 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/AuthenticationExtensionNormalizer.php: -------------------------------------------------------------------------------- 1 | 15 | */ 16 | public function getSupportedTypes(?string $format): array 17 | { 18 | return [ 19 | AuthenticationExtension::class => true, 20 | ]; 21 | } 22 | 23 | /** 24 | * @return array 25 | */ 26 | public function normalize(mixed $object, ?string $format = null, array $context = []): array 27 | { 28 | assert($object instanceof AuthenticationExtension); 29 | 30 | return $object->value; 31 | } 32 | 33 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 34 | { 35 | return $data instanceof AuthenticationExtension; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/AuthenticatorAttestationResponseDenormalizer.php: -------------------------------------------------------------------------------- 1 | denormalizer->denormalize( 26 | $data['clientDataJSON'], 27 | CollectedClientData::class, 28 | $format, 29 | $context 30 | ); 31 | $attestationObject = $this->denormalizer->denormalize( 32 | $data['attestationObject'], 33 | AttestationObject::class, 34 | $format, 35 | $context 36 | ); 37 | 38 | return AuthenticatorAttestationResponse::create( 39 | $clientDataJSON, 40 | $attestationObject, 41 | $data['transports'] ?? [], 42 | ); 43 | } 44 | 45 | public function supportsDenormalization( 46 | mixed $data, 47 | string $type, 48 | ?string $format = null, 49 | array $context = [] 50 | ): bool { 51 | return $type === AuthenticatorAttestationResponse::class; 52 | } 53 | 54 | /** 55 | * @return array 56 | */ 57 | public function getSupportedTypes(?string $format): array 58 | { 59 | return [ 60 | AuthenticatorAttestationResponse::class => true, 61 | ]; 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/AuthenticatorResponseDenormalizer.php: -------------------------------------------------------------------------------- 1 | AuthenticatorAttestationResponse::class, 24 | array_key_exists('signature', $data) => AuthenticatorAssertionResponse::class, 25 | default => throw InvalidDataException::create($data, 'Unable to create the response object'), 26 | }; 27 | 28 | return $this->denormalizer->denormalize($data, $realType, $format, $context); 29 | } 30 | 31 | public function supportsDenormalization( 32 | mixed $data, 33 | string $type, 34 | ?string $format = null, 35 | array $context = [] 36 | ): bool { 37 | return $type === AuthenticatorResponse::class; 38 | } 39 | 40 | /** 41 | * @return array 42 | */ 43 | public function getSupportedTypes(?string $format): array 44 | { 45 | return [ 46 | AuthenticatorResponse::class => true, 47 | ]; 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/CollectedClientDataDenormalizer.php: -------------------------------------------------------------------------------- 1 | 33 | */ 34 | public function getSupportedTypes(?string $format): array 35 | { 36 | return [ 37 | CollectedClientData::class => true, 38 | ]; 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/ExtensionDescriptorDenormalizer.php: -------------------------------------------------------------------------------- 1 | 34 | */ 35 | public function getSupportedTypes(?string $format): array 36 | { 37 | return [ 38 | ExtensionDescriptor::class => true, 39 | ]; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/PublicKeyCredentialDenormalizer.php: -------------------------------------------------------------------------------- 1 | denormalizer->denormalize($data['response'], AuthenticatorResponse::class, $format, $context), 35 | ); 36 | } 37 | 38 | public function supportsDenormalization( 39 | mixed $data, 40 | string $type, 41 | ?string $format = null, 42 | array $context = [] 43 | ): bool { 44 | return $type === PublicKeyCredential::class; 45 | } 46 | 47 | /** 48 | * @return array 49 | */ 50 | public function getSupportedTypes(?string $format): array 51 | { 52 | return [ 53 | PublicKeyCredential::class => true, 54 | ]; 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/PublicKeyCredentialDescriptorNormalizer.php: -------------------------------------------------------------------------------- 1 | 21 | */ 22 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 23 | { 24 | assert($data instanceof PublicKeyCredentialDescriptor); 25 | $result = [ 26 | 'type' => $data->type, 27 | 'id' => Base64UrlSafe::encodeUnpadded($data->id), 28 | ]; 29 | if (count($data->transports) !== 0) { 30 | $result['transports'] = $data->transports; 31 | } 32 | 33 | return $result; 34 | } 35 | 36 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 37 | { 38 | return $data instanceof PublicKeyCredentialDescriptor; 39 | } 40 | 41 | public function getSupportedTypes(?string $format): array 42 | { 43 | return [ 44 | PublicKeyCredentialDescriptor::class => true, 45 | ]; 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/PublicKeyCredentialParametersDenormalizer.php: -------------------------------------------------------------------------------- 1 | 34 | */ 35 | public function getSupportedTypes(?string $format): array 36 | { 37 | return [ 38 | PublicKeyCredentialParameters::class => true, 39 | ]; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/PublicKeyCredentialUserEntityDenormalizer.php: -------------------------------------------------------------------------------- 1 | 38 | */ 39 | public function getSupportedTypes(?string $format): array 40 | { 41 | return [ 42 | PublicKeyCredentialUserEntity::class => true, 43 | ]; 44 | } 45 | 46 | /** 47 | * @return array 48 | */ 49 | public function normalize(mixed $object, ?string $format = null, array $context = []): array 50 | { 51 | assert($object instanceof PublicKeyCredentialUserEntity); 52 | return [ 53 | 'id' => Base64UrlSafe::encodeUnpadded($object->id), 54 | 'name' => $object->name, 55 | 'displayName' => $object->displayName, 56 | ]; 57 | } 58 | 59 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 60 | { 61 | return $data instanceof PublicKeyCredentialUserEntity; 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/TrustPathDenormalizer.php: -------------------------------------------------------------------------------- 1 | CertificateTrustPath::create($data['x5c']), 23 | $data === [], isset($data['type']) && $data['type'] === EmptyTrustPath::class => EmptyTrustPath::create(), 24 | default => throw new InvalidTrustPathException('Unsupported trust path type'), 25 | }; 26 | } 27 | 28 | public function supportsDenormalization( 29 | mixed $data, 30 | string $type, 31 | ?string $format = null, 32 | array $context = [] 33 | ): bool { 34 | return $type === TrustPath::class; 35 | } 36 | 37 | /** 38 | * @return array 39 | */ 40 | public function getSupportedTypes(?string $format): array 41 | { 42 | return [ 43 | TrustPath::class => true, 44 | ]; 45 | } 46 | 47 | /** 48 | * @return array 49 | */ 50 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 51 | { 52 | assert($data instanceof TrustPath); 53 | return match (true) { 54 | $data instanceof CertificateTrustPath => [ 55 | 'x5c' => $data->certificates, 56 | ], 57 | $data instanceof EmptyTrustPath => [], 58 | default => throw new InvalidTrustPathException('Unsupported trust path type'), 59 | }; 60 | } 61 | 62 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 63 | { 64 | return $data instanceof TrustPath; 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /src/webauthn/src/Denormalizer/VerificationMethodANDCombinationsDenormalizer.php: -------------------------------------------------------------------------------- 1 | 20 | */ 21 | public function getSupportedTypes(?string $format): array 22 | { 23 | return [ 24 | VerificationMethodANDCombinations::class => true, 25 | ]; 26 | } 27 | 28 | /** 29 | * @return array 30 | */ 31 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 32 | { 33 | assert($data instanceof VerificationMethodANDCombinations); 34 | 35 | return array_map( 36 | fn ($verificationMethod) => $this->normalizer->normalize($verificationMethod, $format, $context), 37 | $data->verificationMethods 38 | ); 39 | } 40 | 41 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 42 | { 43 | return $data instanceof VerificationMethodANDCombinations; 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /src/webauthn/src/Event/AttestationObjectLoaded.php: -------------------------------------------------------------------------------- 1 | $attestation 13 | */ 14 | public function __construct( 15 | public readonly array $attestation, 16 | string $message, 17 | ?Throwable $previous = null 18 | ) { 19 | parent::__construct($message, $previous); 20 | } 21 | 22 | /** 23 | * @param array $attestation 24 | */ 25 | public static function create( 26 | array $attestation, 27 | string $message = 'Invalid attestation object', 28 | ?Throwable $previous = null 29 | ): self { 30 | return new self($attestation, $message, $previous); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/webauthn/src/Exception/AttestationStatementVerificationException.php: -------------------------------------------------------------------------------- 1 | $untrustedCertificates 13 | * @param array $trustedCertificates 14 | */ 15 | public function __construct( 16 | public readonly array $untrustedCertificates, 17 | public readonly array $trustedCertificates, 18 | string $message, 19 | ?Throwable $previous = null 20 | ) { 21 | parent::__construct($message, $previous); 22 | } 23 | 24 | /** 25 | * @param array $untrustedCertificates 26 | * @param array $trustedCertificates 27 | */ 28 | public static function create( 29 | array $untrustedCertificates, 30 | array $trustedCertificates, 31 | string $message = 'Unable to validate the certificate chain.', 32 | ?Throwable $previous = null 33 | ): self { 34 | return new self($untrustedCertificates, $trustedCertificates, $message, $previous); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/webauthn/src/Exception/CertificateException.php: -------------------------------------------------------------------------------- 1 | self::fixPEMStructure($d, $type), $data); 23 | } 24 | 25 | public static function fixPEMStructure(string $data, string $type = 'CERTIFICATE'): string 26 | { 27 | if (str_contains($data, self::PEM_HEADER)) { 28 | return trim($data); 29 | } 30 | $pem = self::PEM_HEADER . $type . '-----' . PHP_EOL; 31 | $pem .= chunk_split($data, 64, PHP_EOL); 32 | 33 | return $pem . (self::PEM_FOOTER . $type . '-----' . PHP_EOL); 34 | } 35 | 36 | public static function convertDERToPEM(string $data, string $type = 'CERTIFICATE'): string 37 | { 38 | if (str_contains($data, self::PEM_HEADER)) { 39 | return $data; 40 | } 41 | 42 | return self::fixPEMStructure(base64_encode($data), $type); 43 | } 44 | 45 | /** 46 | * @param string[] $data 47 | * 48 | * @return string[] 49 | */ 50 | public static function convertAllDERToPEM(array $data, string $type = 'CERTIFICATE'): array 51 | { 52 | return array_map(static fn ($d): string => self::convertDERToPEM($d, $type), $data); 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/MetadataStatementRepository.php: -------------------------------------------------------------------------------- 1 | addServices($service); 21 | } 22 | } 23 | 24 | public static function create(MetadataService ...$services): self 25 | { 26 | return new self(...$services); 27 | } 28 | 29 | public function addServices(MetadataService ...$services): self 30 | { 31 | foreach ($services as $service) { 32 | $this->services[] = $service; 33 | } 34 | 35 | return $this; 36 | } 37 | 38 | public function list(): iterable 39 | { 40 | foreach ($this->services as $service) { 41 | yield from $service->list(); 42 | } 43 | } 44 | 45 | public function has(string $aaguid): bool 46 | { 47 | foreach ($this->services as $service) { 48 | if ($service->has($aaguid)) { 49 | return true; 50 | } 51 | } 52 | 53 | return false; 54 | } 55 | 56 | public function get(string $aaguid): MetadataStatement 57 | { 58 | foreach ($this->services as $service) { 59 | if ($service->has($aaguid)) { 60 | return $service->get($aaguid); 61 | } 62 | } 63 | 64 | throw MissingMetadataStatementException::create($aaguid); 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Service/InMemoryMetadataService.php: -------------------------------------------------------------------------------- 1 | addStatements($statement); 28 | } 29 | $this->dispatcher = new NullEventDispatcher(); 30 | } 31 | 32 | public function setEventDispatcher(EventDispatcherInterface $eventDispatcher): void 33 | { 34 | $this->dispatcher = $eventDispatcher; 35 | } 36 | 37 | public static function create(MetadataStatement ...$statements): self 38 | { 39 | return new self(...$statements); 40 | } 41 | 42 | public function addStatements(MetadataStatement ...$statements): self 43 | { 44 | foreach ($statements as $statement) { 45 | $aaguid = $statement->aaguid; 46 | if ($aaguid === null) { 47 | continue; 48 | } 49 | $this->statements[$aaguid] = $statement; 50 | } 51 | 52 | return $this; 53 | } 54 | 55 | public function list(): iterable 56 | { 57 | yield from array_keys($this->statements); 58 | } 59 | 60 | public function has(string $aaguid): bool 61 | { 62 | return array_key_exists($aaguid, $this->statements); 63 | } 64 | 65 | public function get(string $aaguid): MetadataStatement 66 | { 67 | array_key_exists($aaguid, $this->statements) || throw MissingMetadataStatementException::create($aaguid); 68 | $mds = $this->statements[$aaguid]; 69 | $this->dispatcher->dispatch(MetadataStatementFound::create($mds)); 70 | 71 | return $mds; 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Service/MetadataBLOBPayload.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create( 16 | 'Invalid data. The value of "maxRetries" must be a positive integer' 17 | ); 18 | $blockSlowdown >= 0 || throw MetadataStatementLoadingException::create( 19 | 'Invalid data. The value of "blockSlowdown" must be a positive integer' 20 | ); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Statement/AlternativeDescriptions.php: -------------------------------------------------------------------------------- 1 | $descriptions 11 | */ 12 | public function __construct( 13 | public array $descriptions = [] 14 | ) { 15 | } 16 | 17 | /** 18 | * @param array $descriptions 19 | */ 20 | public static function create(array $descriptions = []): self 21 | { 22 | return new self($descriptions); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Statement/AuthenticatorGetInfo.php: -------------------------------------------------------------------------------- 1 | $info 11 | */ 12 | public function __construct( 13 | public array $info = [] 14 | ) { 15 | } 16 | 17 | /** 18 | * @param array $info 19 | */ 20 | public static function create(array $info = []): self 21 | { 22 | return new self($info); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Statement/AuthenticatorStatus.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create( 18 | 'Invalid data. The value of "base" must be a positive integer' 19 | ); 20 | $minLength >= 0 || throw MetadataStatementLoadingException::create( 21 | 'Invalid data. The value of "minLength" must be a positive integer' 22 | ); 23 | parent::__construct($maxRetries, $blockSlowdown); 24 | } 25 | 26 | public static function create(int $base, int $minLength, ?int $maxRetries = null, ?int $blockSlowdown = null): self 27 | { 28 | return new self($base, $minLength, $maxRetries, $blockSlowdown); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Statement/DisplayPNGCharacteristicsDescriptor.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create('Invalid width'); 26 | $height >= 0 || throw MetadataStatementLoadingException::create('Invalid height'); 27 | ($bitDepth >= 0 && $bitDepth <= 254) || throw MetadataStatementLoadingException::create('Invalid bit depth'); 28 | ($colorType >= 0 && $colorType <= 254) || throw MetadataStatementLoadingException::create( 29 | 'Invalid color type' 30 | ); 31 | ($compression >= 0 && $compression <= 254) || throw MetadataStatementLoadingException::create( 32 | 'Invalid compression' 33 | ); 34 | ($filter >= 0 && $filter <= 254) || throw MetadataStatementLoadingException::create('Invalid filter'); 35 | ($interlace >= 0 && $interlace <= 254) || throw MetadataStatementLoadingException::create( 36 | 'Invalid interlace' 37 | ); 38 | } 39 | 40 | /** 41 | * @param RgbPaletteEntry[] $plte 42 | */ 43 | public static function create( 44 | int $width, 45 | int $height, 46 | int $bitDepth, 47 | int $colorType, 48 | int $compression, 49 | int $filter, 50 | int $interlace, 51 | array $plte = [] 52 | ): self { 53 | return new self($width, $height, $bitDepth, $colorType, $compression, $filter, $interlace, $plte); 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Statement/ExtensionDescriptor.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create( 21 | 'Invalid data. The parameter "tag" shall be a positive integer' 22 | ); 23 | } 24 | } 25 | 26 | public static function create( 27 | string $id, 28 | ?int $tag = null, 29 | ?string $data = null, 30 | bool $failIfUnknown = false 31 | ): self { 32 | return new self($id, $tag, $data, $failIfUnknown); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Statement/PatternAccuracyDescriptor.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create( 17 | 'Invalid data. The value of "minComplexity" must be a positive integer' 18 | ); 19 | parent::__construct($maxRetries, $blockSlowdown); 20 | } 21 | 22 | public static function create(int $minComplexity, ?int $maxRetries = null, ?int $blockSlowdown = null): self 23 | { 24 | return new self($minComplexity, $maxRetries, $blockSlowdown); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Statement/RgbPaletteEntry.php: -------------------------------------------------------------------------------- 1 | = 0 && $r <= 255) || throw MetadataStatementLoadingException::create('The key "r" is invalid'); 17 | ($g >= 0 && $g <= 255) || throw MetadataStatementLoadingException::create('The key "g" is invalid'); 18 | ($b >= 0 && $b <= 255) || throw MetadataStatementLoadingException::create('The key "b" is invalid'); 19 | } 20 | 21 | public static function create(int $r, int $g, int $b): self 22 | { 23 | return new self($r, $g, $b); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Statement/RogueListEntry.php: -------------------------------------------------------------------------------- 1 | status, [ 55 | AuthenticatorStatus::ATTESTATION_KEY_COMPROMISE, 56 | AuthenticatorStatus::USER_KEY_PHYSICAL_COMPROMISE, 57 | AuthenticatorStatus::USER_KEY_REMOTE_COMPROMISE, 58 | AuthenticatorStatus::USER_VERIFICATION_BYPASS, 59 | ], true); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/Statement/VerificationMethodANDCombinations.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create('Invalid argument "major"'); 19 | $minor >= 0 || throw MetadataStatementLoadingException::create('Invalid argument "minor"'); 20 | } 21 | 22 | public static function create(?int $major, ?int $minor): self 23 | { 24 | return new self($major, $minor); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/webauthn/src/MetadataService/StatusReportRepository.php: -------------------------------------------------------------------------------- 1 | response instanceof AuthenticatorAttestationResponse ? $this->response->transports : []; 28 | 29 | return PublicKeyCredentialDescriptor::create($this->type, $this->rawId, $transport); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/webauthn/src/PublicKeyCredentialDescriptor.php: -------------------------------------------------------------------------------- 1 | $extensions 17 | * @protected 18 | */ 19 | public function __construct( 20 | public string $challenge, 21 | public null|int $timeout = null, 22 | null|array|AuthenticationExtensions $extensions = null, 23 | ) { 24 | ($this->timeout === null || $this->timeout > 0) || throw new InvalidArgumentException('Invalid timeout'); 25 | if ($extensions === null) { 26 | $this->extensions = AuthenticationExtensions::create(); 27 | } elseif ($extensions instanceof AuthenticationExtensions) { 28 | $this->extensions = $extensions; 29 | } else { 30 | $this->extensions = AuthenticationExtensions::create($extensions); 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /src/webauthn/src/PublicKeyCredentialParameters.php: -------------------------------------------------------------------------------- 1 | id = $id; 23 | } 24 | 25 | public static function create(string $name, string $id, string $displayName, ?string $icon = null): self 26 | { 27 | return new self($name, $id, $displayName, $icon); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /src/webauthn/src/SimpleFakeCredentialGenerator.php: -------------------------------------------------------------------------------- 1 | cache === null) { 25 | return $this->generateCredentials($username); 26 | } 27 | 28 | $cacheKey = 'fake_credentials_' . hash('xxh128', $username); 29 | $cacheItem = $this->cache->getItem($cacheKey); 30 | if ($cacheItem->isHit()) { 31 | return $cacheItem->get(); 32 | } 33 | 34 | $credentials = $this->generateCredentials($username); 35 | $cacheItem->set($credentials); 36 | $this->cache->save($cacheItem); 37 | 38 | return $credentials; 39 | } 40 | 41 | /** 42 | * @return PublicKeyCredentialDescriptor[] 43 | */ 44 | private function generateCredentials(string $username): array 45 | { 46 | $transports = [ 47 | PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_USB, 48 | PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_NFC, 49 | PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_BLE, 50 | ]; 51 | $credentials = []; 52 | for ($i = 0; $i < random_int(1, 3); $i++) { 53 | $randomTransportKeys = array_rand($transports, random_int(1, count($transports))); 54 | if (is_int($randomTransportKeys)) { 55 | $randomTransportKeys = [$randomTransportKeys]; 56 | } 57 | $randomTransports = array_values(array_intersect_key($transports, array_flip($randomTransportKeys))); 58 | $credentials[] = PublicKeyCredentialDescriptor::create( 59 | PublicKeyCredentialDescriptor::CREDENTIAL_TYPE_PUBLIC_KEY, 60 | hash('sha256', random_bytes(16) . $username), 61 | $randomTransports 62 | ); 63 | } 64 | 65 | return $credentials; 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /src/webauthn/src/StringStream.php: -------------------------------------------------------------------------------- 1 | length = strlen($data); 32 | $resource = fopen('php://memory', 'rb+'); 33 | assert($resource !== false, 'The resource could not be opened.'); 34 | fwrite($resource, $data); 35 | rewind($resource); 36 | $this->data = $resource; 37 | } 38 | 39 | public function read(int $length): string 40 | { 41 | if ($length <= 0) { 42 | return ''; 43 | } 44 | $read = fread($this->data, $length); 45 | assert($read !== false, 'The data could not be read.'); 46 | $bytesRead = strlen($read); 47 | strlen($read) === $length || throw InvalidDataException::create(null, sprintf( 48 | 'Out of range. Expected: %d, read: %d.', 49 | $length, 50 | $bytesRead 51 | )); 52 | $this->totalRead += $bytesRead; 53 | 54 | return $read; 55 | } 56 | 57 | public function close(): void 58 | { 59 | fclose($this->data); 60 | } 61 | 62 | public function isEOF(): bool 63 | { 64 | return $this->totalRead === $this->length; 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /src/webauthn/src/TrustPath/CertificateTrustPath.php: -------------------------------------------------------------------------------- 1 | __toString(); 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /src/webauthn/src/Util/Base64.php: -------------------------------------------------------------------------------- 1 |