Current state
- we have additional origins with format android:apk-key-hash:xxxxxx to support android devices
- this results in an error log, e.g.
[com.yubico.webauthn.OriginMatcher] Allowed origin is not a valid URL; skipping port/subdomain matching: []
Code reference: https://github.com/Yubico/java-webauthn-server/blob/main/webauthn-server-core/src/main/java/com/yubico/webauthn/OriginMatcher.java#L37
Desired state
- The RelyingParty already uses a warn log when first setting up (see code) which is sensible
- The OriginMatcher should not log at all during the course of regular usage (in isAllowed),
- At most it should be a debug log
In summary: warn when setting up, but not on the actual hot path
Rationale
- That same OriginMatcher class is happy to match for exact string match (allowedOriginString.equals(origin)),
- This indicates it is not incorrect to configure such origins.
- RelyingParty only considers the same string formats a warning (not an error)
- Therefore it should not be an error in the OriginMatcher
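
An added sketch of the behaviour requested above, not code from java-webauthn-server or from the issue author: allowed origins are classified once at construction, where the single warning is logged, and the per-request check logs nothing. The class name PreparsedOriginMatcher, the placeholder key hash and the simplified port/subdomain rules are assumptions made for illustration.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.*;
import java.util.logging.Logger;

/** Hypothetical matcher; the real OriginMatcher's matching rules may differ. */
final class PreparsedOriginMatcher {
    private static final Logger log = Logger.getLogger(PreparsedOriginMatcher.class.getName());

    private final Set<String> exactOrigins = new HashSet<>(); // every configured origin, matched verbatim
    private final List<URL> urlOrigins = new ArrayList<>();   // only the origins that parse as URLs

    PreparsedOriginMatcher(Collection<String> allowedOrigins) {
        for (String allowed : allowedOrigins) {
            exactOrigins.add(allowed);
            try {
                urlOrigins.add(new URL(allowed));
            } catch (MalformedURLException e) {
                // Setup time only: e.g. android:apk-key-hash:... has no URL handler.
                log.warning("Allowed origin is not a URL; exact match only: " + allowed);
            }
        }
    }

    /** Hot path: no logging, no re-parsing of the configured origins. */
    boolean isAllowed(String origin, boolean allowPort, boolean allowSubdomain) {
        if (exactOrigins.contains(origin)) return true;
        if (!allowPort && !allowSubdomain) return false;
        URL candidate;
        try { candidate = new URL(origin); } catch (MalformedURLException e) { return false; }
        for (URL allowed : urlOrigins) {
            if (!allowed.getProtocol().equals(candidate.getProtocol())) continue;
            // The "." prefix keeps evilexample.com from passing as a subdomain of example.com.
            boolean hostOk = allowed.getHost().equals(candidate.getHost())
                || (allowSubdomain && candidate.getHost().endsWith("." + allowed.getHost()));
            boolean portOk = allowPort || allowed.getPort() == candidate.getPort();
            if (hostOk && portOk) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; the key hash is a placeholder.
        String apk = "android:apk-key-hash:CONSTRUCTED_PLACEHOLDER";
        PreparsedOriginMatcher m = new PreparsedOriginMatcher(List.of("https://example.com", apk));
        System.out.println(m.isAllowed(apk, true, true));
        System.out.println(m.isAllowed("https://login.example.com:8443", true, true));
        System.out.println(m.isAllowed("https://evilexample.com", true, true));
    }
}
```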