From eb29fa7b82aed1bfb3941a51639ae152d766225a Mon Sep 17 00:00:00 2001
From: Florent Morselli
Date: Mon, 9 Sep 2024 13:37:15 +0200
Subject: [PATCH] Set default algorithms for PublicKeyCredentialCreationOptions

Add a default set of algorithms to the PublicKeyCredentialCreationOptions when none are provided, aligning with the WebAuthn specification. Update unit tests to ensure these default algorithms are correctly set and verified.
---
 .../PublicKeyCredentialCreationOptions.php | 11 ++++++++
 ...PublicKeyCredentialCreationOptionsTest.php | 25 +++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/src/webauthn/src/PublicKeyCredentialCreationOptions.php b/src/webauthn/src/PublicKeyCredentialCreationOptions.php
index 46d22203..d4d7b59c 100644
--- a/src/webauthn/src/PublicKeyCredentialCreationOptions.php
+++ b/src/webauthn/src/PublicKeyCredentialCreationOptions.php
@@ -4,6 +4,7 @@
 
 namespace Webauthn;
 
+use Cose\Algorithms;
 use InvalidArgumentException;
 use Webauthn\AuthenticationExtensions\AuthenticationExtensions;
 use Webauthn\Exception\InvalidDataException;
@@ -60,6 +61,16 @@ public function __construct(
 'Invalid attestation conveyance mode'
 );
 
+ if (count($this->pubKeyCredParams) === 0) {
+ // set default algorithms
+ // see https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-pubkeycredparams
+ $this->pubKeyCredParams = [
+ PublicKeyCredentialParameters::createPk(Algorithms::COSE_ALGORITHM_EDDSA),
+ PublicKeyCredentialParameters::createPk(Algorithms::COSE_ALGORITHM_ES256),
+ PublicKeyCredentialParameters::createPk(Algorithms::COSE_ALGORITHM_RS256),
+ ];
+ }
+
 parent::__construct($challenge, $timeout, $extensions);
 }
 
diff --git a/tests/library/Unit/PublicKeyCredentialCreationOptionsTest.php b/tests/library/Unit/PublicKeyCredentialCreationOptionsTest.php
index e686c09b..ac31920f 100644
--- a/tests/library/Unit/PublicKeyCredentialCreationOptionsTest.php
+++ b/tests/library/Unit/PublicKeyCredentialCreationOptionsTest.php
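Review bot: The empty-list fallback in the `__construct` hunk of `PublicKeyCredentialCreationOptions.php` now decides the relying party's algorithm policy for every caller that passes no `pubKeyCredParams`, and the two-line comment does not say so. Such a caller advertises EdDSA, ES256 and RS256 to the authenticator, so whatever later verifies the resulting credential has to accept exactly those three; the hunk does not show how that side is configured, so this is worth confirming. I would state the contract next to the spec link, e.g. `// No algorithms supplied: advertise EdDSA, ES256 and RS256; pass pubKeyCredParams explicitly to restrict the accepted set.` The constructor's signature and earlier checks are outside the hunk.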
@@ -4,6 +4,7 @@
 
 namespace Webauthn\Tests\Unit;
 
+use Cose\Algorithms;
 use PHPUnit\Framework\Attributes\Test;
 use Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer;
 use Webauthn\PublicKeyCredentialCreationOptions;
@@ -100,4 +101,28 @@ public function anPublicKeyCredentialCreationOptionsWithoutExcludeCredentialsCan
 ]);
 static::assertSame([], $data->excludeCredentials);
 }
+
+ #[Test]
+ public function aPublicKeyCredentialCreationOptionsIsCreatedWithDefaultAlgorithms(): void
+ {
+ $rp = PublicKeyCredentialRpEntity::create('RP');
+ $user = PublicKeyCredentialUserEntity::create('USER', 'id', 'FOO BAR');
+
+ $options = PublicKeyCredentialCreationOptions::create(
+ $rp,
+ $user,
+ 'challenge',
+ );
+
+ $actualAlgorithms = [];
+ foreach ($options->pubKeyCredParams as $pubKeyCredParam) {
+ $actualAlgorithms[] = $pubKeyCredParam->alg;
+ }
+
+ static::assertSame([
+ Algorithms::COSE_ALGORITHM_EDDSA,
+ Algorithms::COSE_ALGORITHM_ES256,
+ Algorithms::COSE_ALGORITHM_RS256,
+ ], $actualAlgorithms);
+ }
 }
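Review bot: The added test in `PublicKeyCredentialCreationOptionsTest.php` pins only the omitted-argument path, so nothing guards the opposite case, where a caller's explicit, narrower algorithm list must be left untouched. A companion test that passes a single algorithm and asserts it is the only entry would catch a later change that merges or replaces caller-supplied values with the defaults and so widens a restricted policy. The sketch below assumes the factory parameter is named `pubKeyCredParams`, like the property, and that `PublicKeyCredentialParameters` is imported in the test file; neither is visible in the hunk.

```php
#[Test]
public function explicitAlgorithmsAreNotReplacedByTheDefaults(): void
{
    $options = PublicKeyCredentialCreationOptions::create(
        PublicKeyCredentialRpEntity::create('RP'),
        PublicKeyCredentialUserEntity::create('USER', 'id', 'FOO BAR'),
        'challenge',
        pubKeyCredParams: [
            PublicKeyCredentialParameters::createPk(Algorithms::COSE_ALGORITHM_ES256),
        ],
    );

    // The caller's restricted list must survive construction unchanged.
    static::assertCount(1, $options->pubKeyCredParams);
    static::assertSame(Algorithms::COSE_ALGORITHM_ES256, $options->pubKeyCredParams[0]->alg);
}
```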