Token binding status "present" silently accepted without verification #130
Problem
The library does not check the tokenBinding field in clientDataJSON during either processCreate() or processGet().
Per the W3C WebAuthn Level 2 spec (§7.1 Step 6 for registration, §7.2 Step 10 for authentication), if tokenBinding is present in clientDataJSON and its status is "present", the server must verify the tokenBinding.id matches the Token Binding ID of the TLS connection.
The library has no Token Binding support, so it cannot verify a binding ID. Silently accepting status: "present" means accepting an unverifiable claim, which is the wrong default behaviour.
Note: Token Binding has been deprecated and removed from the Level 3 spec. No major browser supports it. However, the correct behaviour for a library that does not implement Token Binding is to reject "present" rather than ignore it. The "supported" status (browser supports Token Binding but didn't use it for this connection) is fine to accept.
Suggested fix
Add a check in both processCreate() and processGet() after the existing origin validation:
```php
// Reject a Token Binding claim the library cannot verify. "supported" and an
// absent tokenBinding member are left untouched and continue to be accepted.
if (\property_exists($clientData, 'tokenBinding') && \is_object($clientData->tokenBinding)
    && \property_exists($clientData->tokenBinding, 'status') && $clientData->tokenBinding->status === 'present') {
    throw new WebAuthnException('token binding not supported', WebAuthnException::INVALID_DATA);
}
```
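The check above is a fragment meant to be dropped into `processCreate()` and `processGet()`. The following is an added, stand-alone example (not code from the library or from the issue author) that shows the full decision table for a Relying Party without Token Binding support: absent member accepted, `"supported"` accepted, `"present"` rejected, and a malformed `tokenBinding` member rejected as invalid data. It assumes a `WebAuthnException` class with an `INVALID_DATA` constant as used in the issue and defines a minimal stand-in so the file runs on its own; rejecting unknown status values is a fail-closed choice of this example, not something the issue specifies. The sample `clientDataJSON` payloads are constructed, not captured from a browser.

```php
<?php
declare(strict_types=1);

// Minimal stand-in for the library's exception class (assumption: the real
// class exposes an INVALID_DATA constant, as referenced in the issue).
class WebAuthnException extends Exception
{
    public const INVALID_DATA = 1;
}

/**
 * Validate the optional tokenBinding member of a decoded clientDataJSON for a
 * Relying Party that does NOT implement Token Binding.
 *
 *  - member absent           -> accept (nothing claimed, nothing to verify)
 *  - status === 'supported'  -> accept (client supports TB but did not use it)
 *  - status === 'present'    -> reject (tokenBinding.id cannot be verified here)
 *  - malformed or unknown    -> reject as invalid data (fail closed)
 */
function checkTokenBinding(object $clientData): void
{
    if (!\property_exists($clientData, 'tokenBinding')) {
        return;
    }

    $tb = $clientData->tokenBinding;
    if (!\is_object($tb) || !\property_exists($tb, 'status') || !\is_string($tb->status)) {
        throw new WebAuthnException('malformed tokenBinding in clientDataJSON', WebAuthnException::INVALID_DATA);
    }

    switch ($tb->status) {
        case 'supported':
            return;
        case 'present':
            // The client asserts a Token Binding ID for this TLS connection. Without
            // Token Binding support there is nothing to compare it against, so the
            // claim is unverifiable and must not be silently accepted.
            throw new WebAuthnException('token binding not supported', WebAuthnException::INVALID_DATA);
        default:
            throw new WebAuthnException('unknown tokenBinding status', WebAuthnException::INVALID_DATA);
    }
}

// Constructed sample payloads covering each branch (not real browser output).
$samples = [
    'absent'    => '{"type":"webauthn.get","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://rp.example"}',
    'supported' => '{"type":"webauthn.get","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://rp.example","tokenBinding":{"status":"supported"}}',
    'present'   => '{"type":"webauthn.get","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://rp.example","tokenBinding":{"status":"present","id":"PLACEHOLDER_TB_ID"}}',
    'malformed' => '{"type":"webauthn.get","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://rp.example","tokenBinding":"present"}',
];

foreach ($samples as $name => $json) {
    $clientData = \json_decode($json, false, 512, JSON_THROW_ON_ERROR);
    try {
        checkTokenBinding($clientData);
        echo "$name: accepted\n";
    } catch (WebAuthnException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```

Placing `checkTokenBinding()` right after the origin check in both flows keeps the validation order of §7.1/§7.2 intact; if the library ever gains Token Binding support, the `'present'` branch is the single place where the `tokenBinding.id` comparison against the TLS connection's Token Binding ID would go.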