feat!: Support Laravel 12 and webauthn-lib 5.0+ (#497)

BREAKING CHANGES:
- The `Webauthn::prepareAssertion` and `Webauthn::prepareAttestation` methods now return `LaravelWebauthn\Services\Webauthn\PublicKeyCredentialRequestOptionsRequest` and `LaravelWebauthn\Services\Webauthn\PublicKeyCredentialCreationOptionsRequest` respectively, and this impacts all classes that rely on it.
- `EloquentWebAuthnProvider`: removes `validator` parameter
- `OptionsFactory`: removes `repository` parameter
- The user_verification setting was previously forced to `required` when `webauthn.userless` config was set to `preferred` or `required`. It nows only relies on the `webauthn.user_verification` config.

See [migration-v4-to-v5](https://github.com/asbiin/laravel-webauthn/blob/main/docs/migration-v4-to-v5.md) page.

Author: asbiin

.github/workflows/static.yml

@@ -13,4 +13,4 @@ jobs:
     name: Static analysis
     uses: monicahq/workflows/.github/workflows/static.yml@v2
     with:
-      php-version: 8.2
+      php-version: 8.4

.github/workflows/tests.yml

@@ -16,9 +16,9 @@ on:
   workflow_dispatch:
 
 env:
-  default-php-version: '8.3'
-  default-laravel-version: '11.0'
-  semantic-node-version: 20
+  default-php-version: '8.4'
+  default-laravel-version: '12.0'
+  semantic-node-version: 22
 
 concurrency:
   group: Tests ${{ github.ref }}
@@ -32,22 +32,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-version: ['8.1', '8.2', '8.3']
-        laravel-version: ['9.0', '10.0', '11.0']
+        php-version: ['8.2', '8.3', '8.4']
+        laravel-version: ['11.0', '12.0']
         psr7: ['guzzle']
         include:
-          - php-version: '8.1'
-            laravel-version: '9.0'
-            psr7: 'nyholm'
-          - php-version: '8.1'
-            laravel-version: '9.0'
-            psr7: 'discovery'
-          - php-version: '8.2'
-            laravel-version: '10.0'
-            psr7: 'nyholm'
-          - php-version: '8.2'
-            laravel-version: '10.0'
-            psr7: 'discovery'
           - php-version: '8.2'
             laravel-version: '11.0'
             psr7: 'nyholm'
@@ -60,9 +48,12 @@ jobs:
           - php-version: '8.3'
             laravel-version: '11.0'
             psr7: 'discovery'
-        exclude:
-          - php-version: '8.1'
-            laravel-version: '11.0'
+          - php-version: '8.4'
+            laravel-version: '12.0'
+            psr7: 'nyholm'
+          - php-version: '8.4'
+            laravel-version: '12.0'
+            psr7: 'discovery'
 
     steps:
       - name: Checkout sources
@@ -183,7 +174,7 @@ jobs:
 
       - name: SonarCloud Scan
         if: env.SONAR_TOKEN != ''
-        uses: SonarSource/sonarqube-scan-action@v4
+        uses: SonarSource/sonarqube-scan-action@v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

README.md

@@ -129,7 +129,7 @@ To enable passwordless authentication, first add the webauthn user provider: upd
 Then allow your login page to initiate a webauthn login with an `email` identifier.
 
 You can call `webauthn.auth.options` route with a POST request and an `email` input to get the challenge data.
-See [authentication](#Authenticate) section for more details.
+See [Authenticate](#Authenticate) section for more details.
 
 
 ## Disabling Views
@@ -427,11 +427,12 @@ List of methods and their expected response contracts:
 
 This package has the following Laravel compatibility:
 
-| Laravel  | [asbiin/laravel-webauthn](https://github.com/asbiin/laravel-webauthn) |
+| [asbiin/laravel-webauthn](https://github.com/asbiin/laravel-webauthn) | Laravel |
 |----------|----------|
-| 5.8-8.x  | <= 1.2.0 |
-| 7.x-8.x  | 2.0.1    |
-| >= 9.x   | >= 3.0.0 |
+| <= 1.2.0 | 5.8-8.x  |
+| 2.0.1    | 7.x-8.x  |
+| >= 3.0.0, <= 4.6.0 | 9.x-11.x |
+| >= 5.0.0 | >= 11.x   |
 
 ## Browser compatibility
 
@@ -466,6 +467,6 @@ If you haven't done so already, describe your site domain and network in your ho
 
 Author: [Alexis Saettler](https://github.com/asbiin)
 
-Copyright © 2019–2024.
+Copyright © 2019–2025.
 
 Licensed under the MIT License. [View license](/LICENSE.md).

composer.json

@@ -20,34 +20,34 @@
         }
     ],
     "require": {
-        "php": ">=8.1",
-        "illuminate/support": "^9.0 || ^10.0 || ^11.0",
+        "php": ">=8.2",
+        "illuminate/support": "^11.0 || ^12.0",
         "phpdocumentor/reflection-docblock": "^5.3",
         "psr/http-factory-implementation": "1.0",
         "symfony/property-access": "^6.4 || ^7.0",
         "symfony/property-info": "^6.4 || ^7.0",
         "symfony/serializer": "^6.4 || ^7.0",
         "web-auth/cose-lib": "^4.0",
-        "web-auth/webauthn-lib": "^4.8",
-        "web-token/jwt-library": "^3.0"
+        "web-auth/webauthn-lib": "^4.8 || ^5.0",
+        "web-token/jwt-library": "^3.0 || ^4.0"
     },
     "conflict": {
         "web-auth/webauthn-lib": "4.7.0"
     },
     "require-dev": {
         "ext-sqlite3": "*",
+        "brainmaestro/composer-git-hooks": "^3.0",
         "guzzlehttp/psr7": "^2.1",
-        "jschaedl/composer-git-hooks": "^4.0",
-        "larastan/larastan": "^2.0",
+        "larastan/larastan": "^2.0 || ^3.0",
         "laravel/legacy-factories": "^1.0",
         "laravel/pint": "^1.13",
         "ocramius/package-versions": "^2.0",
-        "orchestra/testbench": "^7.0 || ^8.0 || ^9.0",
-        "phpstan/phpstan-deprecation-rules": "^1.0",
-        "phpstan/phpstan-phpunit": "^1.0",
-        "phpstan/phpstan-strict-rules": "^1.0",
-        "phpunit/phpunit": "^9.5 || ^10.0 || ^11.0",
-        "psalm/plugin-laravel": "^2.8"
+        "orchestra/testbench": "^9.0 || ^10.0",
+        "phpstan/phpstan-deprecation-rules": "^1.0 || ^2.0",
+        "phpstan/phpstan-phpunit": "^1.0 || ^2.0",
+        "phpstan/phpstan-strict-rules": "^1.0 || ^2.0",
+        "phpunit/phpunit": "^10.0 || ^11.0 || ^12.0",
+        "psalm/plugin-laravel": "^2.8 || ^3.0"
     },
     "suggest": {
         "guzzlehttp/psr7": "To provide a psr/http-factory-implementation implementation",

config/webauthn.php

@@ -277,8 +277,6 @@
     | ID to use for authentication, but they can also login without specifying
     | one if the device can remember them, allowing for true one-touch login.
     |
-    | If required or preferred, login verification will be always required.
-    |
     | See https://www.w3.org/TR/webauthn/#enum-residentKeyRequirement
     |
     | Supported: "null", "required", "preferred", "discouraged".

database/migrations/2019_03_29_163611_add_webauthn.php

@@ -6,7 +6,7 @@
 use Illuminate\Database\Schema\Blueprint;
 use Illuminate\Support\Facades\Schema;
 
-return new class() extends Migration
+return new class extends Migration
 {
     /**
      * Run the migrations.

docs/migration-v4-to-v5.md

@@ -0,0 +1,49 @@
+# Migration from v4 to v5
+
+V5 of Webauthn introduces multiple breaking changes:
+
+## Classes and Interfaces
+
+The [`Webauthn\PublicKeyCredentialRequestOptions`](https://github.com/web-auth/webauthn-framework/blob/5.2.x/src/webauthn/src/PublicKeyCredentialRequestOptions.php) and [`Webauthn\PublicKeyCredentialCreationOptions`](https://github.com/web-auth/webauthn-framework/blob/5.2.x/src/webauthn/src/PublicKeyCredentialCreationOptions.php) classes from webauthn-lib no longer implement the `JsonSerializable` interface. This means that the `jsonSerialize` method is no longer available. Instead, the `Webauthn\PublicKeyCredentialRequestOptions` and `Webauthn\PublicKeyCredentialCreationOptions` classes have been replaced by `LaravelWebauthn\Services\Webauthn\PublicKeyCredentialRequestOptionsRequest` and `LaravelWebauthn\Services\Webauthn\PublicKeyCredentialCreationOptionsRequest` classes, which do implement the `JsonSerializable` interface and help serializing it for Laravel.
+
+The `Webauthn::prepareAssertion` and `Webauthn::prepareAttestation` methods now return `LaravelWebauthn\Services\Webauthn\PublicKeyCredentialRequestOptionsRequest` and `LaravelWebauthn\Services\Webauthn\PublicKeyCredentialCreationOptionsRequest` respectively, and this impacts all classes that rely on it.
+
+This change impacts:
+* `LaravelWebauthn\Actions\PrepareAssertionData`
+* `LaravelWebauthn\Actions\PrepareCreationData`
+* `LaravelWebauthn\Contracts\LoginViewResponse`
+* `LaravelWebauthn\Contracts\RegisterViewResponse`
+* `LaravelWebauthn\Services\Webauthn\CreationOptionsFactory`
+* `LaravelWebauthn\Services\Webauthn\RequestOptionsFactory`
+* `LaravelWebauthn\Services\Webauthn`
+
+To implement the change, just replace
+```php
+use Webauthn\PublicKeyCredentialRequestOptions;
+```
+
+with
+```php
+use LaravelWebauthn\Services\Webauthn\PublicKeyCredentialRequestOptions;
+```
+
+and
+```php
+use Webauthn\PublicKeyCredentialCreationOptions;
+```
+
+with
+```php
+use LaravelWebauthn\Services\Webauthn\PublicKeyCredentialCreationOptions;
+```
+
+
+## User Verification
+
+The user_verification setting was previously forced to `required` when `webauthn.userless` config was set to `preferred` or `required`. It nows only relies on the `webauthn.user_verification` config.
+
+
+## Simplications
+
+* `EloquentWebAuthnProvider` constructor: removes `validator` parameter
+* `OptionsFactory`: removes `repository` parameter

phpstan.neon

@@ -16,5 +16,3 @@ parameters:
           paths:
             - */Actions/AttemptToAuthenticate.php
             - */Services/Webauthn/CreationOptionsFactory.php
-
-    excludes_analyse:

psalm.xml

@@ -17,4 +17,8 @@
     <plugins>
         <pluginClass class="Psalm\LaravelPlugin\Plugin"/>
     </plugins>
+
+    <issueHandlers>
+        <PossiblyUnusedMethod errorLevel="suppress"/>
+    </issueHandlers>
 </psalm>

src/Actions/PrepareAssertionData.php

@@ -4,7 +4,7 @@
 
 use Illuminate\Contracts\Auth\Authenticatable as User;
 use LaravelWebauthn\Facades\Webauthn;
-use Webauthn\PublicKeyCredentialRequestOptions;
+use LaravelWebauthn\Services\Webauthn\PublicKeyCredentialRequestOptions;
 
 class PrepareAssertionData
 {