Change attestation in PublicKeyCredentialCreationOptions to none

The attestation option in PublicKeyCredentialCreationOptions is a
parameter that controls whether to request attestation from the security key.
However, Spring Security Passkeys currently doesn't implement attestation verification.
Therefore, requesting attestation is unnecessary.
Specifying `direct` to request attestation may trigger browsers to
display additional privacy related dialog to users, so it is best to
avoid specifying `direct` unnecessarily.

Author: ynojima

web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java

@@ -183,7 +183,7 @@ public PublicKeyCredentialCreationOptions createPublicKeyCredentialCreationOptio
 		List<CredentialRecord> credentialRecords = this.userCredentials.findByUserId(userEntity.getId());
 
 		PublicKeyCredentialCreationOptions options = PublicKeyCredentialCreationOptions.builder()
-			.attestation(AttestationConveyancePreference.DIRECT)
+			.attestation(AttestationConveyancePreference.NONE)
 			.pubKeyCredParams(PublicKeyCredentialParameters.EdDSA, PublicKeyCredentialParameters.ES256,
 					PublicKeyCredentialParameters.RS256)
 			.authenticatorSelection(authenticatorSelection)

web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialCreationOptions.java

@@ -40,7 +40,7 @@ public static PublicKeyCredentialCreationOptions.PublicKeyCredentialCreationOpti
 		ImmutableAuthenticationExtensionsClientInputs clientInputs = new ImmutableAuthenticationExtensionsClientInputs(
 				ImmutableAuthenticationExtensionsClientInput.credProps);
 		return PublicKeyCredentialCreationOptions.builder()
-			.attestation(AttestationConveyancePreference.DIRECT)
+			.attestation(AttestationConveyancePreference.NONE)
 			.user(userEntity)
 			.pubKeyCredParams(PublicKeyCredentialParameters.EdDSA, PublicKeyCredentialParameters.ES256,
 					PublicKeyCredentialParameters.RS256)

web/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java

@@ -149,7 +149,7 @@ void readAuthenticationExtensionsClientOutputsWhenFieldAfter() throws Exception
 	void writePublicKeyCredentialCreationOptions() throws Exception {
 		String expected = """
 				{
-				    "attestation": "direct",
+				    "attestation": "none",
 				    "authenticatorSelection": {
 				        "residentKey": "required"
 				    },

web/src/test/java/org/springframework/security/web/webauthn/registration/PublicKeyCredentialCreationOptionsFilterTests.java

@@ -153,7 +153,7 @@ void doFilterWhenNoCredentials() throws Exception {
 									"residentKey": "required",
 									"userVerification": "preferred"
 								},
-								"attestation": "direct",
+								"attestation": "none",
 								"extensions": {
 									"credProps": true
 								}