Conditional registration support

src/CreateResponse.php

@@ -44,6 +44,7 @@ public function verify(
         RelyingPartyInterface $rp,
         Enums\UserVerificationRequirement $uv = Enums\UserVerificationRequirement::Preferred,
         bool $rejectUncertainTrustPaths = true,
+        Enums\CredentialMediationRequirement $mediation = Enums\CredentialMediationRequirement::Optional,
     ): CredentialInterface {
         // 7.1.1 - 7.1.3 are client code
         // 7.1.4 is temporarily skpped
@@ -93,7 +94,7 @@ public function verify(
         }
 
         // 7.1.14
-        if (!$authData->isUserPresent()) {
+        if (!$authData->isUserPresent() && $mediation !== Enums\CredentialMediationRequirement::Conditional) {
             $this->fail('7.1.14', 'authData.isUserPresent');
         }
 

src/Enums/CredentialMediationRequirement.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Firehed\WebAuthn\Enums;
+
+/**
+ * Credential Management (Level 1)
+ * §2.3.2
+ * @link https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional
+ */
+enum CredentialMediationRequirement: string
+{
+    case Silent = 'silent';
+    case Optional = 'optional';
+    case Conditional = 'conditional';
+    case Required = 'required';
+}

tests/CreateResponseTest.php

@@ -263,8 +263,62 @@
     // 7.1.14
     public function testUserNotPresentIsError(): void
     {
-        // override authData
-        self::markTestIncomplete();
+        $ad = self::createMock(AuthenticatorData::class);
+        $ad->method('isUserPresent')->willReturn(false);
+        $ad->method('getRpIdHash')->willReturn(new BinaryString(hash('sha256', 'localhost', true)));
+
+        $ao = self::createMock(Attestations\AttestationObjectInterface::class);
+        $ao->method('getAuthenticatorData')->willReturn($ad);
+
+        $response = new CreateResponse(
+            type: Enums\PublicKeyCredentialType::PublicKey,
+            id: $this->id,
+            ao: $ao,
+            clientDataJson: $this->clientDataJson,
+            transports: [],
+        );
+
+        $this->expectRegistrationError('7.1.14');
+        $response->verify(
+            challengeLoader: $this->cm,
+            rp: $this->rp,
+        );
+    }
+
+    public function testUserNotPresentIsAllowedDuringConditionalRegistration(): void
+    {
+        $ad = self::createMock(AuthenticatorData::class);
+        $ad->method('isUserPresent')->willReturn(false);
+        $ad->method('getRpIdHash')->willReturn(new BinaryString(hash('sha256', 'localhost', true)));
+        $acd = new AttestedCredentialData(
+            aaguid: new BinaryString(''),
+            credentialId: $this->id,
+            coseKey: self::createMock(COSEKey::class),
+        );
+        $ad->method('getAttestedCredentialData')->willReturn($acd);
+
+        $ao = self::createMock(Attestations\AttestationObjectInterface::class);
+        $ao->method('getAuthenticatorData')->willReturn($ad);
+        $ao->method('verify')->willReturn(
+            new Attestations\VerificationResult(Attestations\AttestationType::None)
+        );
+
+        $response = new CreateResponse(
+            type: Enums\PublicKeyCredentialType::PublicKey,
+            id: $this->id,
+            ao: $ao,
+            clientDataJson: $this->clientDataJson,
+            transports: [],
+        );
+
+        $credential = $response->verify(
+            challengeLoader: $this->cm,
+            rp: $this->rp,
+            mediation: Enums\CredentialMediationRequirement::Conditional,
+        );
+
+        // This is mostly a smoke-test to inverse testUserNotPresentIsError
+        self::assertSame($this->id, $credential->getId());
     }
 
     // 7.1.15
@@ -279,7 +333,7 @@
     // 7.1.16
     public function testPubKeyAlgorithmNotMatchingOptionsIsError(): void
     {
         self::markTestSkipped('Only EC2/ED256 supported at this time');
     }
 
     // 7.1.19