fix: enforce HTTPS scheme check in CheckAllowedOrigins fallback path (#820)

* fix: enforce HTTPS scheme check before host matching in CheckAllowedOrigins fallback path

The HTTPS scheme check was unreachable in the fallback path (no allowed
origins configured) because the method returned early on host match.
Move the check before host comparison so it is always enforced.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: coding standards and regenerate PHPStan baseline

- Break long CheckAllowedOrigins constructor calls into multi-line format
- Regenerate PHPStan baseline to match current codebase state

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: remove unmatched PHPStan baseline entries for deprecated parameters

Remove baseline entries for $optionStorage and $icon deprecations that
no longer match reported errors in CI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Spomky

phpstan-baseline.neon

@@ -12,18 +12,6 @@ parameters:
 			count: 1
 			path: src/stimulus/src/WebauthnStimulusBundle.php
 
-		-
-			rawMessage: 'Since web-auth/webauthn-lib 5.2.0: The parameter "$optionStorage" is deprecated since 5.2.0 and will be removed in 6.0.0. Please set "null" and use the global option storage instead..'
-			identifier: todoBy.sfDeprecation
-			count: 2
-			path: src/symfony/src/Controller/AssertionControllerFactory.php
-
-		-
-			rawMessage: 'Since web-auth/webauthn-lib 5.2.0: The parameter "$optionStorage" is deprecated since 5.2.0 and will be removed in 6.0.0. Please set "null" and use the global option storage instead..'
-			identifier: todoBy.sfDeprecation
-			count: 2
-			path: src/symfony/src/Controller/AttestationControllerFactory.php
-
 		-
 			rawMessage: 'Method Webauthn\Bundle\CredentialOptionsBuilder\PublicKeyCredentialCreationOptionsBuilder::getFromRequest() invoked with 3 parameters, 2 required.'
 			identifier: arguments.count
@@ -1612,7 +1600,7 @@ parameters:
 			path: src/webauthn/src/Denormalizer/AuthenticationExtensionNormalizer.php
 
 		-
-			rawMessage: 'Parameter #1 $extensions of static method Webauthn\AuthenticationExtensions\AuthenticationExtensions::create() expects array<Webauthn\AuthenticationExtensions\AuthenticationExtension>, array given.'
+			rawMessage: 'Parameter #1 $extensions of static method Webauthn\AuthenticationExtensions\AuthenticationExtensions::create() expects array<Webauthn\AuthenticationExtensions\AuthenticationExtension>, array<mixed> given.'
 			identifier: argument.type
 			count: 1
 			path: src/webauthn/src/Denormalizer/AuthenticationExtensionsDenormalizer.php
@@ -2181,12 +2169,6 @@ parameters:
 			count: 1
 			path: src/webauthn/src/MetadataService/Statement/MetadataStatement.php
 
-		-
-			rawMessage: 'Since web-auth/webauthn-lib 5.1.0: The parameter "$icon" is deprecated since 5.1.0 and will be removed in 6.0.0. This value has no effect. Please set "null" instead..'
-			identifier: todoBy.sfDeprecation
-			count: 1
-			path: src/webauthn/src/PublicKeyCredentialEntity.php
-
 		-
 			rawMessage: 'Parameter #1 $extensions of static method Webauthn\AuthenticationExtensions\AuthenticationExtensions::create() expects array<Webauthn\AuthenticationExtensions\AuthenticationExtension>, array<Webauthn\AuthenticationExtensions\AuthenticationExtensions> given.'
 			identifier: argument.type

src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php

@@ -135,7 +135,11 @@ public function creationCeremony(): CeremonyStepManager
             new CheckChallenge(),
             $this->allowedOrigins === null ? new CheckOrigin(
                 $this->securedRelyingPartyId ?? []
-            ) : new CheckAllowedOrigins($this->allowedOrigins, $this->allowSubdomains),
+            ) : new CheckAllowedOrigins(
+                $this->allowedOrigins,
+                $this->allowSubdomains,
+                $this->securedRelyingPartyId ?? []
+            ),
             new CheckTopOrigin($this->topOriginValidator),
             new CheckRelyingPartyIdIdHash(),
             new CheckUserWasPresent(),
@@ -160,7 +164,11 @@ public function requestCeremony(): CeremonyStepManager
             new CheckChallenge(),
             $this->allowedOrigins === null ? new CheckOrigin(
                 $this->securedRelyingPartyId ?? []
-            ) : new CheckAllowedOrigins($this->allowedOrigins, $this->allowSubdomains),
+            ) : new CheckAllowedOrigins(
+                $this->allowedOrigins,
+                $this->allowSubdomains,
+                $this->securedRelyingPartyId ?? []
+            ),
             new CheckTopOrigin(),
             new CheckRelyingPartyIdIdHash(),
             new CheckUserWasPresent(),

src/webauthn/src/CeremonyStep/CheckAllowedOrigins.php

@@ -38,10 +38,12 @@
 
     /**
      * @param string[] $allowedOrigins
+     * @param string[] $securedRelyingPartyId RP IDs that are allowed to use HTTP (e.g. localhost for development)
      */
     public function __construct(
         array $allowedOrigins,
-        private bool $allowSubdomains = false
+        private bool $allowSubdomains = false,
+        private array $securedRelyingPartyId = [],
     ) {
         $fullOrigins = [];
         $hostOrigins = [];
@@ -113,6 +115,13 @@ public function process(
 
         $rpId = $publicKeyCredentialOptions->rpId ?? $publicKeyCredentialOptions->rp->id ?? $host;
         $facetId = $this->getFacetId($rpId, $publicKeyCredentialOptions->extensions, $authData->extensions);
+
+        if (! in_array($facetId, $this->securedRelyingPartyId, true)) {
+            $scheme = $parsedOrigin['scheme'] ?? '';
+            $scheme === 'https' || throw AuthenticatorResponseVerificationException::create(
+                'Invalid scheme. HTTPS required.'
+            );
+        }
         $facetId !== '' || throw AuthenticatorResponseVerificationException::create(
             'Invalid origin. Unable to determine the facet ID.'
         );
@@ -126,11 +135,7 @@ public function process(
         if (! $this->allowSubdomains && $isSubDomains) {
             throw AuthenticatorResponseVerificationException::create('Invalid origin. Subdomains are not allowed.');
         }
-
-        $scheme = $parsedOrigin['scheme'] ?? '';
-        $scheme === 'https' || throw AuthenticatorResponseVerificationException::create(
-            'Invalid scheme. HTTPS required.'
-        );
+        throw AuthenticatorResponseVerificationException::create('Invalid origin.');
     }
 
     /**