omit null values from options

Author: benbjurstrom

src/Http/Controllers/PasskeyConfirmationController.php

@@ -40,7 +40,7 @@ public function index(Request $request, GenerateVerificationOptions $generate):
         $request->session()->put('passkey.verification_options', $serialized);
 
         return response()->json([
-            'options' => json_decode($serialized, true),
+            'options' => WebAuthn::toBrowserArray($options),
         ]);
     }
 

src/Http/Controllers/PasskeyLoginController.php

@@ -33,7 +33,7 @@ public function index(Request $request, GenerateVerificationOptions $generate):
         $request->session()->put('passkey.verification_options', $serialized);
 
         return response()->json([
-            'options' => json_decode($serialized, true),
+            'options' => WebAuthn::toBrowserArray($options),
         ]);
     }
 

src/Http/Controllers/PasskeyRegistrationController.php

@@ -38,7 +38,7 @@ public function index(Request $request, GenerateRegistrationOptions $generate):
         $request->session()->put('passkey.registration_options', $serialized);
 
         return response()->json([
-            'options' => json_decode($serialized, true),
+            'options' => WebAuthn::toBrowserArray($options),
         ]);
     }
 

src/Support/WebAuthn.php

@@ -5,7 +5,10 @@
 namespace Laravel\Passkeys\Support;
 
 use Laravel\Passkeys\Passkeys;
+use Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer;
+use Symfony\Component\Serializer\Normalizer\NormalizerInterface;
 use Symfony\Component\Serializer\SerializerInterface;
+use UnexpectedValueException;
 use Webauthn\AttestationStatement\AttestationStatementSupportManager;
 use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
 use Webauthn\AuthenticatorAssertionResponseValidator;
@@ -37,6 +40,27 @@ public static function toJson(mixed $data): string
         return self::serializer()->serialize($data, 'json');
     }
 
+    /**
+     * Serialize data to a browser-facing array, omitting null values.
+     *
+     * @return array<array-key, mixed>
+     */
+    public static function toBrowserArray(mixed $data): array
+    {
+        $serializer = self::serializer();
+        assert($serializer instanceof NormalizerInterface);
+
+        $normalized = $serializer->normalize($data, 'json', [
+            AbstractObjectNormalizer::SKIP_NULL_VALUES => true,
+        ]);
+
+        if (! is_array($normalized)) {
+            throw new UnexpectedValueException('Serialized WebAuthn data must normalize to an array.');
+        }
+
+        return $normalized;
+    }
+
     /**
      * Deserialize JSON to a specific class.
      *

tests/Feature/Controllers/PasskeyRegistrationTest.php

@@ -33,6 +33,24 @@
         ]);
 });
 
+it('omits null values from browser-facing registration options', function (): void {
+    $user = User::create([
+        'name' => 'Test User',
+        'email' => 'test@example.com',
+    ]);
+
+    $response = $this->actingAs($user)
+        ->withSession(['auth.password_confirmed_at' => time()])
+        ->getJson('/user/passkeys/options')
+        ->assertOk();
+
+    expect($response->json('options.authenticatorSelection.authenticatorAttachment'))->toBeNull();
+    expect($response->json('options.authenticatorSelection'))
+        ->not->toHaveKey('authenticatorAttachment')
+        ->toHaveKey('residentKey', 'required')
+        ->toHaveKey('userVerification', 'required');
+});
+
 it('stores registration options in session', function (): void {
     $user = User::create([
         'name' => 'Test User',

tests/Feature/WebAuthnTest.php

@@ -1,6 +1,7 @@
 <?php
 
 use Laravel\Passkeys\Support\WebAuthn;
+use Webauthn\AuthenticatorSelectionCriteria;
 use Webauthn\PublicKeyCredentialCreationOptions;
 use Webauthn\PublicKeyCredentialRequestOptions;
 use Webauthn\PublicKeyCredentialRpEntity;
@@ -30,6 +31,31 @@
     expect($restored->user->displayName)->toBe('Test User');
 });
 
+it('serializes browser arrays without null values', function (): void {
+    $options = PublicKeyCredentialCreationOptions::create(
+        rp: PublicKeyCredentialRpEntity::create(name: 'Test App', id: 'localhost'),
+        user: PublicKeyCredentialUserEntity::create(
+            name: 'test@example.com',
+            id: 'user-id-123',
+            displayName: 'Test User',
+        ),
+        challenge: random_bytes(32),
+        authenticatorSelection: AuthenticatorSelectionCriteria::create(
+            authenticatorAttachment: AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE,
+            residentKey: AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_REQUIRED,
+        ),
+        excludeCredentials: [],
+    );
+
+    $array = WebAuthn::toBrowserArray($options);
+
+    expect($array)->not->toHaveKey('attestation');
+    expect($array)->toHaveKey('excludeCredentials', []);
+    expect($array['authenticatorSelection'])
+        ->not->toHaveKey('authenticatorAttachment')
+        ->toHaveKey('residentKey', 'required');
+});
+
 it('serializes and deserializes verification options', function (): void {
     $options = PublicKeyCredentialRequestOptions::create(
         challenge: random_bytes(32),