From 7531bbb6958ab5e817adf8e9400e77312f608dfc Mon Sep 17 00:00:00 2001 From: Scott Helme Date: Fri, 27 Mar 2026 23:05:57 +0000 Subject: [PATCH] Reject invalid backup flags combination BS without BE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per the WebAuthn spec (§6.3.3 / Level 3 §6.1), Backup State (BS) cannot be set without Backup Eligible (BE) also being set. This is a logically impossible state that no legitimate authenticator should produce. Fixes lbuchs/WebAuthn#128
--- src/Attestation/AuthenticatorData.php | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/src/Attestation/AuthenticatorData.php b/src/Attestation/AuthenticatorData.php
index 83462b1..a73d195 100644
--- a/src/Attestation/AuthenticatorData.php
+++ b/src/Attestation/AuthenticatorData.php
@@ -281,6 +281,12 @@ private function _readFlags($binFlag) {
 $flags->isBackup = $flags->bit_4;
 $flags->attestedDataIncluded = $flags->bit_6;
 $flags->extensionDataIncluded = $flags->bit_7;
+
+ // Backup State (BS) requires Backup Eligible (BE) per spec.
+ if ($flags->isBackup && !$flags->isBackupEligible) {
+ throw new WebAuthnException('invalid backup flags: BS without BE', WebAuthnException::INVALID_DATA);
+ }
+
 return $flags;
 }
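Review bot: The new rejection in _readFlags ships without a test — the diffstat lists only src/Attestation/AuthenticatorData.php — so a later change to the bit_N-to-property mapping (BE appears to be bit_3, BS is bit_4 per the context line) could silently disable the check; a unit test that parses a flag byte with bit 4 set and bit 3 clear and expects WebAuthnException with WebAuthnException::INVALID_DATA, plus one with both bits set that passes, would pin the behaviour. The guard also reads `$flags->isBackupEligible`, which is assigned earlier in the method outside the hunk, so that assignment's presence and ordering should be confirmed. The comment would carry more weight if it named the rule's source and the bits involved: `// WebAuthn Level 3 §6.1: BS (bit 4) is only meaningful when BE (bit 3) is set; reject the impossible BS-without-BE combination.` _readFlags begins before the hunk.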