Merge branch '5.2.x' into dependabot/github_actions/ossf/scorecard-action-2.4.1

Author: mergify[bot]

composer.json

@@ -45,16 +45,16 @@
         "ext-json": "*",
         "ext-openssl": "*",
         "paragonie/constant_time_encoding": "^2.6|^3.0",
+        "phpdocumentor/reflection-docblock": "^5.3",
         "psr/clock": "^1.0",
         "psr/event-dispatcher": "^1.0",
         "psr/log": "^1.0|^2.0|^3.0",
-        "phpdocumentor/reflection-docblock": "^5.3",
         "spomky-labs/cbor-php": "^3.0",
         "spomky-labs/pki-framework": "^1.0",
+        "symfony/clock": "^6.4|^7.0",
         "symfony/config": "^6.4|^7.0",
         "symfony/dependency-injection": "^6.4|^7.0",
         "symfony/deprecation-contracts": "^3.2",
-        "symfony/clock": "^6.4|^7.0",
         "symfony/framework-bundle": "^6.4|^7.0",
         "symfony/http-client": "^6.4|^7.0",
         "symfony/property-access": "^6.4|^7.0",
@@ -93,6 +93,7 @@
         "doctrine/orm": "^2.14|^3.0",
         "doctrine/persistence": "^3.1|^4.0",
         "ekino/phpstan-banned-code": "^3.0",
+        "ergebnis/phpunit-slow-test-detector": "^2.18",
         "infection/infection": "^0.29",
         "matthiasnoback/symfony-dependency-injection-test": "^5.1|^6.0",
         "php-parallel-lint/php-parallel-lint": "^1.3",

phpstan-baseline.neon

@@ -108,7 +108,7 @@ parameters:
 		-
 			message: '#^Cannot access offset ''routes'' on mixed\.$#'
 			identifier: offsetAccess.nonOffsetAccessible
-			count: 12
+			count: 14
 			path: src/symfony/src/DependencyInjection/Factory/Security/WebauthnFactory.php
 
 		-
@@ -214,19 +214,19 @@ parameters:
 			path: src/symfony/src/DependencyInjection/Factory/Security/WebauthnFactory.php
 
 		-
-			message: '#^Parameter \#7 \$optionsStorageId of method Webauthn\\Bundle\\DependencyInjection\\Factory\\Security\\WebauthnFactory\:\:createAssertionRequestControllerAndRoute\(\) expects string, mixed given\.$#'
+			message: '#^Parameter \#7 \$optionsStorageId of method Webauthn\\Bundle\\DependencyInjection\\Factory\\Security\\WebauthnFactory\:\:createAssertionRequestControllerAndRoute\(\) expects string\|null, mixed given\.$#'
 			identifier: argument.type
 			count: 1
 			path: src/symfony/src/DependencyInjection/Factory/Security/WebauthnFactory.php
 
 		-
-			message: '#^Parameter \#7 \$optionsStorageId of method Webauthn\\Bundle\\DependencyInjection\\Factory\\Security\\WebauthnFactory\:\:createAttestationRequestControllerAndRoute\(\) expects string, mixed given\.$#'
+			message: '#^Parameter \#7 \$optionsStorageId of method Webauthn\\Bundle\\DependencyInjection\\Factory\\Security\\WebauthnFactory\:\:createAttestationRequestControllerAndRoute\(\) expects string\|null, mixed given\.$#'
 			identifier: argument.type
 			count: 1
 			path: src/symfony/src/DependencyInjection/Factory/Security/WebauthnFactory.php
 
 		-
-			message: '#^Parameter \#7 \$optionsStorageId of method Webauthn\\Bundle\\DependencyInjection\\Factory\\Security\\WebauthnFactory\:\:createAuthenticatorService\(\) expects string, mixed given\.$#'
+			message: '#^Parameter \#7 \$optionsStorageId of method Webauthn\\Bundle\\DependencyInjection\\Factory\\Security\\WebauthnFactory\:\:createAuthenticatorService\(\) expects string\|null, mixed given\.$#'
 			identifier: argument.type
 			count: 1
 			path: src/symfony/src/DependencyInjection/Factory/Security/WebauthnFactory.php
@@ -402,7 +402,7 @@ parameters:
 		-
 			message: '#^Parameter \#2 \$id of method Symfony\\Component\\DependencyInjection\\ContainerBuilder\:\:setAlias\(\) expects string\|Symfony\\Component\\DependencyInjection\\Alias, mixed given\.$#'
 			identifier: argument.type
-			count: 12
+			count: 13
 			path: src/symfony/src/DependencyInjection/WebauthnExtension.php
 
 		-
@@ -682,7 +682,7 @@ parameters:
 			path: src/symfony/src/Security/WebauthnFirewallConfig.php
 
 		-
-			message: '#^Method Webauthn\\Bundle\\Security\\WebauthnFirewallConfig\:\:getOptionsStorage\(\) should return string but returns mixed\.$#'
+			message: '#^Method Webauthn\\Bundle\\Security\\WebauthnFirewallConfig\:\:getOptionsStorage\(\) should return string\|null but returns mixed\.$#'
 			identifier: return.type
 			count: 1
 			path: src/symfony/src/Security/WebauthnFirewallConfig.php
@@ -1341,6 +1341,12 @@ parameters:
 			count: 3
 			path: src/webauthn/src/AuthenticationExtensions/AuthenticationExtensions.php
 
+		-
+			message: '#^Cannot unset @readonly Webauthn\\AuthenticationExtensions\\AuthenticationExtensions\:\:\$extensions property\.$#'
+			identifier: unset.readOnlyPropertyByPhpDoc
+			count: 1
+			path: src/webauthn/src/AuthenticationExtensions/AuthenticationExtensions.php
+
 		-
 			message: '#^Class Webauthn\\AuthenticationExtensions\\AuthenticationExtensions implements generic interface ArrayAccess but does not specify its types\: TKey, TValue$#'
 			identifier: missingType.generics

phpunit.xml.dist

@@ -32,4 +32,7 @@
             <file>src/symfony/src/Repository/DummyPublicKeyCredentialUserEntityRepository.php</file>
         </exclude>
     </source>
+    <extensions>
+        <bootstrap class="Ergebnis\PHPUnit\SlowTestDetector\Extension"/>
+    </extensions>
 </phpunit>

src/stimulus/assets/dist/controller.d.ts

@@ -9,6 +9,10 @@ export default class extends Controller {
             type: StringConstructor;
             default: string;
         };
+        requestResultField: {
+            type: StringConstructor;
+            default: null;
+        };
         requestSuccessRedirectUri: StringConstructor;
         creationResultUrl: {
             type: StringConstructor;
@@ -18,6 +22,10 @@ export default class extends Controller {
             type: StringConstructor;
             default: string;
         };
+        creationResultField: {
+            type: StringConstructor;
+            default: null;
+        };
         creationSuccessRedirectUri: StringConstructor;
         usernameField: {
             type: StringConstructor;
@@ -59,9 +67,11 @@ export default class extends Controller {
     };
     readonly requestResultUrlValue: string;
     readonly requestOptionsUrlValue: string;
+    readonly requestResultFieldValue?: string;
     readonly requestSuccessRedirectUriValue?: string;
     readonly creationResultUrlValue: string;
     readonly creationOptionsUrlValue: string;
+    readonly creationResultFieldValue?: string;
     readonly creationSuccessRedirectUriValue?: string;
     readonly usernameFieldValue: string;
     readonly displayNameFieldValue: string;

src/stimulus/assets/dist/controller.js

@@ -5,14 +5,16 @@ class default_1 extends Controller {
     constructor() {
         super(...arguments);
         this.connect = async () => {
-            var _a, _b;
+            var _a, _b, _c, _d;
             const options = {
                 requestResultUrl: this.requestResultUrlValue,
                 requestOptionsUrl: this.requestOptionsUrlValue,
-                requestSuccessRedirectUri: (_a = this.requestSuccessRedirectUriValue) !== null && _a !== undefined ? _a : null,
+                requestResultField: (_a = this.requestResultFieldValue) !== null && _a !== undefined ? _a : null,
+                creationResultField: (_b = this.creationResultFieldValue) !== null && _b !== undefined ? _b : null,
+                requestSuccessRedirectUri: (_c = this.requestSuccessRedirectUriValue) !== null && _c !== undefined ? _c : null,
                 creationResultUrl: this.creationResultUrlValue,
                 creationOptionsUrl: this.creationOptionsUrlValue,
-                creationSuccessRedirectUri: (_b = this.creationSuccessRedirectUriValue) !== null && _b !== undefined ? _b : null,
+                creationSuccessRedirectUri: (_d = this.creationSuccessRedirectUriValue) !== null && _d !== undefined ? _d : null,
             };
             this._dispatchEvent('webauthn:connect', { options });
             const supportAutofill = await browserSupportsWebAuthnAutofill();
@@ -38,9 +40,15 @@ class default_1 extends Controller {
         this._processSignin(optionsResponseJson, false);
     }
     async _processSignin(optionsResponseJson, useBrowserAutofill) {
+        var _a;
         try {
             const authenticatorResponse = await startAuthentication({ optionsJSON: optionsResponseJson, useBrowserAutofill });
             this._dispatchEvent('webauthn:authenticator:response', { response: authenticatorResponse });
+            if (this.requestResultFieldValue && this.element instanceof HTMLFormElement) {
+                (_a = this.element.querySelector(this.requestResultFieldValue)) === null || _a === void 0 ? void 0 : _a.setAttribute('value', JSON.stringify(authenticatorResponse));
+                this.element.submit();
+                return;
+            }
             const assertionResponse = await this._getAssertionResponse(authenticatorResponse);
             if (assertionResponse !== false && this.requestSuccessRedirectUriValue) {
                 window.location.replace(this.requestSuccessRedirectUriValue);
@@ -52,6 +60,7 @@ class default_1 extends Controller {
         }
     }
     async signup(event) {
+        var _a;
         try {
             if (!browserSupportsWebAuthn()) {
                 this._dispatchEvent('webauthn:unsupported', {});
@@ -64,6 +73,11 @@ class default_1 extends Controller {
             }
             const authenticatorResponse = await startRegistration({ optionsJSON: optionsResponseJson });
             this._dispatchEvent('webauthn:authenticator:response', { response: authenticatorResponse });
+            if (this.creationResultFieldValue && this.element instanceof HTMLFormElement) {
+                (_a = this.element.querySelector(this.creationResultFieldValue)) === null || _a === void 0 ? void 0 : _a.setAttribute('value', JSON.stringify(authenticatorResponse));
+                this.element.submit();
+                return;
+            }
             const attestationResponseJSON = await this._getAttestationResponse(authenticatorResponse);
             if (attestationResponseJSON !== false && this.creationSuccessRedirectUriValue) {
                 window.location.replace(this.creationSuccessRedirectUriValue);
@@ -151,9 +165,11 @@ class default_1 extends Controller {
 default_1.values = {
     requestResultUrl: { type: String, default: '/request' },
     requestOptionsUrl: { type: String, default: '/request/options' },
+    requestResultField: { type: String, default: null },
     requestSuccessRedirectUri: String,
     creationResultUrl: { type: String, default: '/creation' },
     creationOptionsUrl: { type: String, default: '/creation/options' },
+    creationResultField: { type: String, default: null },
     creationSuccessRedirectUri: String,
     usernameField: { type: String, default: 'username' },
     displayNameField: { type: String, default: 'displayName' },

src/stimulus/assets/src/controller.ts

@@ -11,9 +11,11 @@ export default class extends Controller {
     static values = {
         requestResultUrl: { type: String, default: '/request' },
         requestOptionsUrl: { type: String, default: '/request/options' },
+        requestResultField: { type: String, default: null },
         requestSuccessRedirectUri: String,
         creationResultUrl: { type: String, default: '/creation' },
         creationOptionsUrl: { type: String, default: '/creation/options' },
+        creationResultField: { type: String, default: null },
         creationSuccessRedirectUri: String,
         usernameField: { type: String, default: 'username' },
         displayNameField: { type: String, default: 'displayName' },
@@ -32,9 +34,11 @@ export default class extends Controller {
 
     declare readonly requestResultUrlValue: string;
     declare readonly requestOptionsUrlValue: string;
+    declare readonly requestResultFieldValue?: string;
     declare readonly requestSuccessRedirectUriValue?: string;
     declare readonly creationResultUrlValue: string;
     declare readonly creationOptionsUrlValue: string;
+    declare readonly creationResultFieldValue?: string;
     declare readonly creationSuccessRedirectUriValue?: string;
     declare readonly usernameFieldValue: string;
     declare readonly displayNameFieldValue: string;
@@ -49,6 +53,8 @@ export default class extends Controller {
         const options = {
             requestResultUrl: this.requestResultUrlValue,
             requestOptionsUrl: this.requestOptionsUrlValue,
+            requestResultField: this.requestResultFieldValue ?? null,
+            creationResultField: this.creationResultFieldValue ?? null,
             requestSuccessRedirectUri: this.requestSuccessRedirectUriValue ?? null,
             creationResultUrl: this.creationResultUrlValue,
             creationOptionsUrl: this.creationOptionsUrlValue,
@@ -85,6 +91,11 @@ export default class extends Controller {
             // @ts-ignore
             const authenticatorResponse = await startAuthentication({ optionsJSON: optionsResponseJson, useBrowserAutofill });
             this._dispatchEvent('webauthn:authenticator:response', { response: authenticatorResponse });
+            if (this.requestResultFieldValue && this.element instanceof HTMLFormElement) {
+                this.element.querySelector(this.requestResultFieldValue)?.setAttribute('value', JSON.stringify(authenticatorResponse));
+                this.element.submit();
+                return;
+            }
 
             const assertionResponse = await this._getAssertionResponse(authenticatorResponse);
             if (assertionResponse !== false && this.requestSuccessRedirectUriValue) {
@@ -111,6 +122,11 @@ export default class extends Controller {
             // @ts-ignore
             const authenticatorResponse = await startRegistration({ optionsJSON: optionsResponseJson });
             this._dispatchEvent('webauthn:authenticator:response', { response: authenticatorResponse });
+            if (this.creationResultFieldValue && this.element instanceof HTMLFormElement) {
+                this.element.querySelector(this.creationResultFieldValue)?.setAttribute('value', JSON.stringify(authenticatorResponse));
+                this.element.submit();
+                return;
+            }
 
             const attestationResponseJSON = await this._getAttestationResponse(authenticatorResponse);
             if (attestationResponseJSON !== false && this.creationSuccessRedirectUriValue) {

src/symfony/src/Controller/AssertionControllerFactory.php

@@ -23,6 +23,7 @@ final class AssertionControllerFactory implements CanLogData
 
     public function __construct(
         private readonly SerializerInterface $serializer,
+        private readonly OptionsStorage $optionStorage,
         private readonly AuthenticatorAssertionResponseValidator $authenticatorAssertionResponseValidator,
         private readonly PublicKeyCredentialSourceRepositoryInterface $publicKeyCredentialSourceRepository,
     ) {
@@ -36,30 +37,44 @@ public function setLogger(LoggerInterface $logger): void
 
     public function createRequestController(
         PublicKeyCredentialRequestOptionsBuilder $optionsBuilder,
-        OptionsStorage $optionStorage,
+        null|OptionsStorage $optionStorage,
         RequestOptionsHandler $optionsHandler,
         FailureHandler|AuthenticationFailureHandlerInterface $failureHandler
     ): AssertionRequestController {
+        if ($optionStorage !== null) {
+            trigger_deprecation(
+                'web-auth/webauthn-lib',
+                '5.2.0',
+                'The parameter "$optionStorage" is deprecated since 5.2.0 and will be removed in 6.0.0. Please set "null" and use the global option storage instead.'
+            );
+        }
         return new AssertionRequestController(
             $optionsBuilder,
-            $optionStorage,
+            $optionStorage ?? $this->optionStorage,
             $optionsHandler,
             $failureHandler,
             $this->logger,
         );
     }
 
     public function createResponseController(
-        OptionsStorage $optionStorage,
+        null|OptionsStorage $optionStorage,
         SuccessHandler $successHandler,
         FailureHandler|AuthenticationFailureHandlerInterface $failureHandler,
         null|AuthenticatorAssertionResponseValidator $authenticatorAssertionResponseValidator = null,
     ): AssertionResponseController {
+        if ($optionStorage !== null) {
+            trigger_deprecation(
+                'web-auth/webauthn-lib',
+                '5.2.0',
+                'The parameter "$optionStorage" is deprecated since 5.2.0 and will be removed in 6.0.0. Please set "null" and use the global option storage instead.'
+            );
+        }
         return new AssertionResponseController(
             $this->serializer,
             $authenticatorAssertionResponseValidator ?? $this->authenticatorAssertionResponseValidator,
             $this->logger,
-            $optionStorage,
+            $optionStorage ?? $this->optionStorage,
             $successHandler,
             $failureHandler,
             $this->publicKeyCredentialSourceRepository

src/symfony/src/Controller/AttestationControllerFactory.php

@@ -18,6 +18,7 @@
 final readonly class AttestationControllerFactory
 {
     public function __construct(
+        private OptionsStorage $optionStorage,
         private SerializerInterface $serializer,
         private AuthenticatorAttestationResponseValidator $attestationResponseValidator,
         private PublicKeyCredentialSourceRepositoryInterface $publicKeyCredentialSourceRepository
@@ -27,32 +28,46 @@ public function __construct(
     public function createRequestController(
         PublicKeyCredentialCreationOptionsBuilder $optionsBuilder,
         UserEntityGuesser $userEntityGuesser,
-        OptionsStorage $optionStorage,
+        null|OptionsStorage $optionStorage,
         CreationOptionsHandler $creationOptionsHandler,
         FailureHandler|AuthenticationFailureHandlerInterface $failureHandler,
         bool $hideExistingExcludedCredentials = false
     ): AttestationRequestController {
+        if ($optionStorage !== null) {
+            trigger_deprecation(
+                'web-auth/webauthn-lib',
+                '5.2.0',
+                'The parameter "$optionStorage" is deprecated since 5.2.0 and will be removed in 6.0.0. Please set "null" and use the global option storage instead.'
+            );
+        }
         return new AttestationRequestController(
             $optionsBuilder,
             $userEntityGuesser,
-            $optionStorage,
+            $optionStorage ?? $this->optionStorage,
             $creationOptionsHandler,
             $failureHandler,
             $hideExistingExcludedCredentials
         );
     }
 
     public function createResponseController(
-        OptionsStorage $optionStorage,
+        null|OptionsStorage $optionStorage,
         SuccessHandler $successHandler,
         FailureHandler|AuthenticationFailureHandlerInterface $failureHandler,
         null|AuthenticatorAttestationResponseValidator $attestationResponseValidator = null,
     ): AttestationResponseController {
+        if ($optionStorage !== null) {
+            trigger_deprecation(
+                'web-auth/webauthn-lib',
+                '5.2.0',
+                'The parameter "$optionStorage" is deprecated since 5.2.0 and will be removed in 6.0.0. Please set "null" and use the global option storage instead.'
+            );
+        }
         return new AttestationResponseController(
             $this->serializer,
             $attestationResponseValidator ?? $this->attestationResponseValidator,
             $this->publicKeyCredentialSourceRepository,
-            $optionStorage,
+            $optionStorage ?? $this->optionStorage,
             $successHandler,
             $failureHandler,
         );