Add @since tags to JavaDoc of features added in 2.7.0

doc/releasing.md

@@ -15,6 +15,8 @@ Release candidate versions
     Gradle build script. Conversely, remove or downgrade to `implementation` any
     dependencies no longer exposed in the public API.
 
+    Add `@since` tags to the JavaDoc for new features.
+
  3. Run the tests one more time:
 
     ```
@@ -105,6 +107,8 @@ Release versions
     Gradle build script. Conversely, remove or downgrade to `implementation` any
     dependencies no longer exposed in the public API.
 
+    Add `@since` tags to the JavaDoc for new features.
+
  3. Make a no-fast-forward merge from the last (non release candidate) release
     to the commit to be released:
 

webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java

@@ -386,6 +386,7 @@ public Optional<Boolean> isDiscoverable() {
    *
    * @return the <code>credProtect</code> extension policy that was set for the credential, if
    *     available.
+   * @since 2.7.0
    * @see
    *     StartRegistrationOptions.StartRegistrationOptionsBuilder#extensions(RegistrationExtensionInputs)
    * @see

webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java

@@ -588,11 +588,67 @@ public static class RelyingPartyBuilder {
         Optional.empty();
     private @NonNull Optional<AttestationTrustSource> attestationTrustSource = Optional.empty();
 
+    /**
+     * The allowed origins that returned authenticator responses will be compared against.
+     *
+     * <p>The default is the set containing only the string <code>
+     * "https://" + {@link #getIdentity()}.getId()</code>.
+     *
+     * <p>If {@link RelyingPartyBuilder#allowOriginPort(boolean) allowOriginPort} and {@link
+     * RelyingPartyBuilder#allowOriginSubdomain(boolean) allowOriginSubdomain} are both <code>false
+     * </code> (the default), then a successful registration or authentication operation requires
+     * {@link CollectedClientData#getOrigin()} to exactly equal one of these values.
+     *
+     * <p>If {@link RelyingPartyBuilder#allowOriginPort(boolean) allowOriginPort} is <code>true
+     * </code> , then the above rule is relaxed to allow any port number in {@link
+     * CollectedClientData#getOrigin()}, regardless of any port specified.
+     *
+     * <p>If {@link RelyingPartyBuilder#allowOriginSubdomain(boolean) allowOriginSubdomain} is
+     * <code>true</code>, then the above rule is relaxed to allow any subdomain, of any depth, of
+     * any of these values.
+     *
+     * <p>For either of the above relaxations to take effect, both the allowed origin and the client
+     * data origin must be valid URLs. Origins that are not valid URLs are matched only by exact
+     * string equality.
+     *
+     * @since 0.6.0
+     * @see #getIdentity()
+     * @see #origins(Optional)
+     */
     public RelyingPartyBuilder origins(@NonNull Set<String> origins) {
       this.origins = origins;
       return this;
     }
 
+    /**
+     * The allowed origins that returned authenticator responses will be compared against.
+     *
+     * <p>If set to empty, this setting reverts to the default value.
+     *
+     * <p>The default is the set containing only the string <code>
+     * "https://" + {@link #getIdentity()}.getId()</code>.
+     *
+     * <p>If {@link RelyingPartyBuilder#allowOriginPort(boolean) allowOriginPort} and {@link
+     * RelyingPartyBuilder#allowOriginSubdomain(boolean) allowOriginSubdomain} are both <code>false
+     * </code> (the default), then a successful registration or authentication operation requires
+     * {@link CollectedClientData#getOrigin()} to exactly equal one of these values.
+     *
+     * <p>If {@link RelyingPartyBuilder#allowOriginPort(boolean) allowOriginPort} is <code>true
+     * </code> , then the above rule is relaxed to allow any port number in {@link
+     * CollectedClientData#getOrigin()}, regardless of any port specified.
+     *
+     * <p>If {@link RelyingPartyBuilder#allowOriginSubdomain(boolean) allowOriginSubdomain} is
+     * <code>true</code>, then the above rule is relaxed to allow any subdomain, of any depth, of
+     * any of these values.
+     *
+     * <p>For either of the above relaxations to take effect, both the allowed origin and the client
+     * data origin must be valid URLs. Origins that are not valid URLs are matched only by exact
+     * string equality.
+     *
+     * @since 2.7.0
+     * @see #getIdentity()
+     * @see #origins(Set)
+     */
     public RelyingPartyBuilder origins(@NonNull Optional<Set<String>> origins) {
       this.origins = origins.orElse(null);
       return this;

webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingPartyV2.java

@@ -563,11 +563,67 @@ public static class RelyingPartyV2Builder<C extends CredentialRecord> {
         Optional.empty();
     private @NonNull Optional<AttestationTrustSource> attestationTrustSource = Optional.empty();
 
+    /**
+     * The allowed origins that returned authenticator responses will be compared against.
+     *
+     * <p>The default is the set containing only the string <code>
+     * "https://" + {@link #getIdentity()}.getId()</code>.
+     *
+     * <p>If {@link RelyingPartyV2Builder#allowOriginPort(boolean) allowOriginPort} and {@link
+     * RelyingPartyV2Builder#allowOriginSubdomain(boolean) allowOriginSubdomain} are both <code>
+     * false</code> (the default), then a successful registration or authentication operation
+     * requires {@link CollectedClientData#getOrigin()} to exactly equal one of these values.
+     *
+     * <p>If {@link RelyingPartyV2Builder#allowOriginPort(boolean) allowOriginPort} is <code>true
+     * </code> , then the above rule is relaxed to allow any port number in {@link
+     * CollectedClientData#getOrigin()}, regardless of any port specified.
+     *
+     * <p>If {@link RelyingPartyV2Builder#allowOriginSubdomain(boolean) allowOriginSubdomain} is
+     * <code>true</code>, then the above rule is relaxed to allow any subdomain, of any depth, of
+     * any of these values.
+     *
+     * <p>For either of the above relaxations to take effect, both the allowed origin and the client
+     * data origin must be valid URLs. Origins that are not valid URLs are matched only by exact
+     * string equality.
+     *
+     * @since 2.7.0
+     * @see #getIdentity()
+     * @see #origins(Optional)
+     */
     public RelyingPartyV2Builder<C> origins(@NonNull Set<String> origins) {
       this.origins = origins;
       return this;
     }
 
+    /**
+     * The allowed origins that returned authenticator responses will be compared against.
+     *
+     * <p>If set to empty, this setting reverts to the default value.
+     *
+     * <p>The default is the set containing only the string <code>
+     * "https://" + {@link #getIdentity()}.getId()</code>.
+     *
+     * <p>If {@link RelyingPartyV2Builder#allowOriginPort(boolean) allowOriginPort} and {@link
+     * RelyingPartyV2Builder#allowOriginSubdomain(boolean) allowOriginSubdomain} are both <code>
+     * false</code> (the default), then a successful registration or authentication operation
+     * requires {@link CollectedClientData#getOrigin()} to exactly equal one of these values.
+     *
+     * <p>If {@link RelyingPartyV2Builder#allowOriginPort(boolean) allowOriginPort} is <code>true
+     * </code> , then the above rule is relaxed to allow any port number in {@link
+     * CollectedClientData#getOrigin()}, regardless of any port specified.
+     *
+     * <p>If {@link RelyingPartyV2Builder#allowOriginSubdomain(boolean) allowOriginSubdomain} is
+     * <code>true</code>, then the above rule is relaxed to allow any subdomain, of any depth, of
+     * any of these values.
+     *
+     * <p>For either of the above relaxations to take effect, both the allowed origin and the client
+     * data origin must be valid URLs. Origins that are not valid URLs are matched only by exact
+     * string equality.
+     *
+     * @since 2.7.0
+     * @see #getIdentity()
+     * @see #origins(Set)
+     */
     public RelyingPartyV2Builder<C> origins(@NonNull Optional<Set<String>> origins) {
       this.origins = origins.orElse(null);
       return this;

webauthn-server-core/src/main/java/com/yubico/webauthn/data/AssertionExtensionInputs.java

@@ -199,6 +199,7 @@ public AssertionExtensionInputsBuilder largeBlob(
      *       with a "fallback" input for credentials without their own input.
      * </ul>
      *
+     * @since 2.7.0
      * @see Extensions.Prf.PrfAuthenticationInput#eval(Extensions.Prf.PrfValues)
      * @see Extensions.Prf.PrfAuthenticationInput#evalByCredential(Map)
      * @see Extensions.Prf.PrfAuthenticationInput#evalByCredentialWithFallback(Map,
@@ -278,6 +279,7 @@ private Extensions.LargeBlob.LargeBlobAuthenticationInput getLargeBlobJson() {
    * <p>This extension allows a Relying Party to evaluate outputs from a pseudo-random function
    * (PRF) associated with a credential.
    *
+   * @since 2.7.0
    * @see Extensions.Prf.PrfAuthenticationInput#eval(Extensions.Prf.PrfValues)
    * @see Extensions.Prf.PrfAuthenticationInput#evalByCredential(Map)
    * @see Extensions.Prf.PrfAuthenticationInput#evalByCredentialWithFallback(Map,

webauthn-server-core/src/main/java/com/yubico/webauthn/data/AuthenticatorRegistrationExtensionOutputs.java

@@ -144,6 +144,7 @@ public Set<String> getExtensionIds() {
    *     href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-credProtect-extension">Credential
    *     Protection (credProtect) extension</a>, if any. This indicates the credential protection
    *     policy that was set for the credential.
+   * @since 2.7.0
    * @see <a
    *     href="https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-credProtect-extension">CTAP2
    *     §12.1. Credential Protection (credProtect)</a>

webauthn-server-core/src/main/java/com/yubico/webauthn/data/ClientAssertionExtensionOutputs.java

@@ -126,6 +126,7 @@ public Optional<Extensions.LargeBlob.LargeBlobAuthenticationOutput> getLargeBlob
    * href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#prf-extension">Pseudo-random function
    * (<code>prf</code>) extension</a>, if any.
    *
+   * @since 2.7.0
    * @see com.yubico.webauthn.data.Extensions.Prf.PrfAuthenticationOutput
    * @see <a href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#prf-extension">§10.1.4.
    *     Pseudo-random function extension (prf)</a>

webauthn-server-core/src/main/java/com/yubico/webauthn/data/ClientRegistrationExtensionOutputs.java

@@ -140,6 +140,7 @@ public Optional<Extensions.LargeBlob.LargeBlobRegistrationOutput> getLargeBlob()
    * href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#prf-extension">Pseudo-random function
    * (<code>prf</code>) extension</a>, if any.
    *
+   * @since 2.7.0
    * @see com.yubico.webauthn.data.Extensions.Prf.PrfRegistrationOutput
    * @see <a href="https://www.w3.org/TR/2025/WD-webauthn-3-20250127/#prf-extension">§10.1.4.
    *     Pseudo-random function extension (prf)</a>