Deprecation of PublicKeyCredentialSourceRepository

[Jorgu5]

Version(s) affected

4.7.2

Description

The AuthenticatorAssertionResponseValidator claims to have optional dependency on PublicKeyCredentialSourceRepository starting from version 4.6.0. However, this isn't entirely accurate. In line 144, the code checks if $credentialId is a string. If it is, the findOneByCredentialId method within PublicKeyCredentialSourceRepository is called. Since this method returns null when the repository is not set, the system outputs "The credential ID is invalid."

How to reproduce

$this->authenticatorAssertionResponseValidator::create(
null,
null,
ExtensionOutputCheckerHandler::create()
AlgorithmManager::init(),
null
)

will return The credential ID is invalid.

Possible Solution

Return directly $credential ID and bypass findOneByCredentialId method.

Additional Context

No response

[Spomky]

Hi,

You are right, if a CredentialId is passed as a argument, the repository shall be defined.
There is a deprecation notice for the CredentialId at line 122, but if the repository argument is set to null it will fails.
I created a PR for fixing this and indicates the reason for failure.

[Spomky]

PR was merged and tag added.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.