Fix issues identified in PR review

Signed-off-by: Borghi <137845283+Borghii@users.noreply.github.com>
2025-06-26 05:42:31 +00:00 · 2025-03-24 12:58:08 -03:00 · 2025-03-24 12:58:08 -03:00 · e3a715b8f5
commit e3a715b8f5
parent 0bc9313fdd
2 changed files with 13 additions and 3 deletions
--- a/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -346,7 +346,8 @@ public class Webauthn4JRelyingPartyOperations implements WebAuthnRelyingPartyOpe
 	}

 	private List<CredentialRecord> findCredentialRecords(Authentication authentication) {
-		if (authentication instanceof AnonymousAuthenticationToken) {
+		AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+		if (authentication == null || trustResolver.isAnonymous(authentication)) {
 			return Collections.emptyList();
 		}
 		PublicKeyCredentialUserEntity userEntity = this.userEntities.findByUsername(authentication.getName());
--- a/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -548,6 +548,15 @@ class Webauthn4jRelyingPartyOperationsTests {
 		assertThat(credentialRequestOptions.getAllowCredentials()).isEmpty();
 	}

+	@Test
+	void shouldReturnEmptyCredentialsWhenAnonymousUserIsDisabled() {
+		PublicKeyCredentialRequestOptionsRequest createRequest = new ImmutablePublicKeyCredentialRequestOptionsRequest(null);
+		PublicKeyCredentialRequestOptions credentialRequestOptions = this.rpOperations
+			.createCredentialRequestOptions(createRequest);
+
+		assertThat(credentialRequestOptions.getAllowCredentials()).isEmpty();
+	}
+
 	private static AuthenticatorAttestationResponse setFlag(byte... flags) throws Exception {
 		AuthenticatorAttestationResponseBuilder authAttResponseBldr = TestAuthenticatorAttestationResponse
 			.createAuthenticatorAttestationResponse();