Ensure invalid attestation key is not sent through for attestation responses. Resolves #62

Author: rawilk

src/Services/Webauthn.php

@@ -9,6 +9,7 @@
 use Cose\Algorithm\Manager;
 use Cose\Algorithm\Signature;
 use Illuminate\Contracts\Auth\Authenticatable as User;
+use Illuminate\Support\Arr;
 use Illuminate\Support\Str;
 use ParagonIE\ConstantTime\Base64UrlSafe;
 use Psr\Log\LoggerInterface;
@@ -295,6 +296,8 @@ public function serializePublicKeyOptionsForRequest(
             'challenge' => Base64UrlSafe::encodeUnpadded($options->challenge),
         ];
 
+        Arr::forget($data, 'attestation');
+
         if ($options instanceof PublicKeyCredentialCreationOptions) {
             $data['user'] = (array) $options->user;