Fake Credentials

In order to prevent username enumeration, random credentials are set when a username is passed but no user entity is found.

A very simple service is provided. If you want to change the way the fake credentials are generated, you can create a custom service. The service shall implement the Webauthn\FakeCredentialGenerator interface.

src/CustomCredentialGenerator.php
<?php

namespace App;

use Webauthn\FakeCredentialGenerator;
use Webauthn\PublicKeyCredentialDescriptor;

final readonly class CustomCredentialGenerator implements FakeCredentialGenerator
{
    /**
     * @return PublicKeyCredentialDescriptor[]
     */
    public function generate(Request $request, string $username): array
    {
        // Generate your list of fake credentials.
        // Note that for a given username you should always return the same credentials.
    }
}

Then, declare this service in the container and use it in your bundle configuration.

config/packages/webauthn.yaml
webauthn:
    fake_credential_generator: App\CustomCredentialGenerator