Version(s) affected
5.2.2
Description
In the generation of the PublicKeyCredentialCreationOptionsFactory key, I believe there is a typo in the authenticatorSelection section.
The userVerification attribute is returned in snake_case instead of camelCase, which causes the option to be ignored by WebAuthn on the JavaScript side.
When the attribute is returned in camelCase, the option is correctly interpreted by WebAuthn in JS.
I checked the RFC as well as the logs on https://webauthn.io/, and the userVerification option is indeed expected to be in camelCase.
However, in the generated PublicKeyCredentialCreationOptionsFactory, the attribute is returned in snake_case, which causes WebAuthn on the JavaScript side to ignore the option.
When using camelCase, the userVerification option is correctly interpreted by WebAuthn.
How to reproduce
I used the bundle strictly “by the book” and changed the configuration value from preferred to required. The key is correctly passed to WebAuthn, but the userVerification option is still returned in snake_case instead of camelCase, so WebAuthn does not interpret it properly.
Possible Solution
The solution would be to fix the casing of the options so that userVerification is returned in camelCase, as expected by the WebAuthn specification. This would ensure the option is correctly interpreted on the JavaScript side.
Additional Context
No response
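
An added example, not part of the original report and not the bundle's own code: a client-side guard that audits `authenticatorSelection` before the options reach `navigator.credentials.create()`, showing that a snake_case key leaves the browser on the spec default of `preferred`. The function names, the `expectedUv` parameter and the sample payloads are assumptions constructed for illustration.

```javascript
// Members of AuthenticatorSelectionCriteria defined by the WebAuthn spec.
const KNOWN_SELECTION_KEYS = new Set([
  "authenticatorAttachment",
  "residentKey",
  "requireResidentKey",
  "userVerification",
]);

// Convert snake_case to camelCase: "user_verification" -> "userVerification".
const toCamel = (key) => key.replace(/_([a-z])/g, (_, c) => c.toUpperCase());

// Inspect the authenticatorSelection object of server-generated creation
// options and report what the browser will actually apply.
function auditAuthenticatorSelection(options) {
  const selection = options.authenticatorSelection ?? {};
  const ignored = [];  // keys the browser drops silently
  const misCased = []; // ignored keys that match a known member once camelCased
  for (const key of Object.keys(selection)) {
    if (KNOWN_SELECTION_KEYS.has(key)) continue;
    ignored.push(key);
    if (KNOWN_SELECTION_KEYS.has(toCamel(key))) misCased.push(key);
  }
  // Unknown dictionary members are discarded, so a missing camelCase key
  // falls back to the spec default, "preferred".
  const effectiveUserVerification = selection.userVerification ?? "preferred";
  return { ignored, misCased, effectiveUserVerification };
}

// Fail closed: refuse to start registration when the value the browser will
// apply differs from the server's intent (expectedUv, a hypothetical parameter).
function assertUserVerification(options, expectedUv) {
  const audit = auditAuthenticatorSelection(options);
  if (audit.effectiveUserVerification !== expectedUv) {
    const hint = audit.misCased.length
      ? `; mis-cased keys: ${audit.misCased.join(", ")}`
      : "";
    throw new Error(
      `userVerification is "${audit.effectiveUserVerification}", expected "${expectedUv}"${hint}`
    );
  }
  return audit;
}

// Constructed sample payloads (not captured from the bundle).
const brokenOptions = {
  authenticatorSelection: { user_verification: "required", residentKey: "preferred" },
};
const fixedOptions = {
  authenticatorSelection: { userVerification: "required", residentKey: "preferred" },
};
```

Calling `assertUserVerification(brokenOptions, "required")` throws and names `user_verification` as the mis-cased key, while `fixedOptions` passes with no ignored keys.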