From 85dd6f507506db550b54edd850263f0c037b3e2a Mon Sep 17 00:00:00 2001
From: Rodrigo Reis
Date: Tue, 4 Jun 2024 15:14:03 -0700
Subject: [PATCH] SDKS-3244 Only store PublicKeyCredentialSource when requireResidentKey is true
---
 .../android/auth/webauthn/FRWebAuthn.kt | 3 ++-
 .../auth/webauthn/WebAuthnRegistration.kt | 19 +++++++++++--------
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/FRWebAuthn.kt b/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/FRWebAuthn.kt
index 1f2906ea..b6ebac34 100644
--- a/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/FRWebAuthn.kt
+++ b/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/FRWebAuthn.kt
@@ -52,7 +52,8 @@ class FRWebAuthn @JvmOverloads constructor(private val context: Context,
 }
 /**
- * Delete the provide [PublicKeyCredentialSource] from local storage and also remotely from Server.
+ * Delete the provide [PublicKeyCredentialSource] from local storage and also remotely from
+ * Server if the key is discoverable.
 * By default, if failed to delete from server, local storage will not be deleted,
 * by providing [forceDelete] to true, it will also delete local keys if server call is failed.
 * @param publicKeyCredentialSource The [PublicKeyCredentialSource] to be deleted
diff --git a/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/WebAuthnRegistration.kt b/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/WebAuthnRegistration.kt
index 4106786f..d84fb6c3 100644
--- a/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/WebAuthnRegistration.kt
+++ b/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/WebAuthnRegistration.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 - 2024 ForgeRock. All rights reserved.
+ * Copyright (c) 2022 ForgeRock. All rights reserved.
 *
 * This software may be modified and distributed under the terms
 * of the MIT license. See the LICENSE file for details.
@@ -156,13 +156,16 @@ open class WebAuthnRegistration() : WebAuthn() {
 publicKeyCredential.rawId,
 Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING))
- val source = PublicKeyCredentialSource.builder()
- .id(publicKeyCredential.rawId)
- .rpid(options.rp.id)
- .userHandle(Base64.decode(options.user.id, Base64.URL_SAFE or Base64.NO_WRAP))
- .otherUI(options.user.displayName).build()
- persist(context, source)
-
+ //Extension to support username-less
+ if (options.authenticatorSelection?.requireResidentKey == true &&
+ options.authenticatorSelection?.residentKeyRequirement == ResidentKeyRequirement.RESIDENT_KEY_DISCOURAGED) {
+ val source = PublicKeyCredentialSource.builder()
+ .id(publicKeyCredential.rawId)
+ .rpid(options.rp.id)
+ .userHandle(Base64.decode(options.user.id, Base64.URL_SAFE or Base64.NO_WRAP))
+ .otherUI(options.user.displayName).build()
+ persist(context, source)
+ }
 return (sb.toString())
 }
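Review bot: The guard added in the `@@ -156,13 +156,16 @@` hunk persists the credential source only when `requireResidentKey == true` and `residentKeyRequirement == ResidentKeyRequirement.RESIDENT_KEY_DISCOURAGED`, which reads as a contradiction and is narrower than the subject line ("when requireResidentKey is true"); the comment `//Extension to support username-less` does not explain the pairing. If the intent is that the key is deliberately created as non-discoverable and the SDK keeps its own record for username-less lookup, the comment should say so, for example `// Username-less is served by this local record rather than a discoverable key, hence RESIDENT_KEY_DISCOURAGED`. If that is not the intent, a registration that asks for a resident key with any other requirement value now stores nothing, which looks unintended. Because this condition decides whether the user handle and display name are written to device storage, a unit test for the false and absent `authenticatorSelection` cases would pin the behaviour; the two `options.authenticatorSelection?.` reads could also be bound once with `val selection = options.authenticatorSelection`. The enclosing function starts outside the hunk, so how `authenticatorSelection` is populated is not visible here.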