lbuchs / WebAuthn

A simple PHP WebAuthn (FIDO2/Passkey) server library

Home Page:https://webauthn.lubu.ch


Prevent duplicate key registration

Leseratte10 opened this issue · comments

I've played around with the test page a bit trying to get this added to one of my websites, but there's one thing I'm missing:

On sites like Google, or on test pages like webauthn.io when I try to register an authenticator that's already linked to my account, I get a message from my browser telling me to "Try a different key - you already registered this key, it doesn't need to be registered again."

When I do the same thing on your test page, it happily registers the same authenticator over and over again. Is there a special setting I have to set to be able to detect and block duplicate authenticators, or does the library not support that yet?

Haven't found anything in the readme or on the test page. All the values shown in the registration iFrame are also different for each registration, so I can't check for that (duplicate authenticator) myself. It looks like that has to happen in the browser somehow, like Google does it - but how do I trigger that?

Looking at the spec, the related parameter seems to be excludeCredentials. Is this supported by this library and if not, can that be added?

This feature is also recommended by the spec, if I interpret it correctly:

Relying Parties SHOULD make use of the excludeCredentials and user.id options to ensure that these different credentials are bound to different authenticators.

commented

You have to provide the IDs which are already registered to the function getCreateArgs (parameter $excludeCredentialIds).

On my demo this parameter is not used so you can register multiple times, it makes it easier for testing.

Thanks for the quick response. Do you happen to have a short example for that? Would that be the ID that's displayed as credentialID on the demo page?

When I tried it like this, just to test:

        $s = "ad4eb651c.....b41ac"; // This is the ID displayed as "credentialID" for the existing registration
        $x = ByteBuffer::fromhex($s);
        $x = array( $x );
        $createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 20, $requireResidentKey, $userVerification, $crossPlatformAttachment, $x);

(just by patching the demo code), it didn't work and still allowed me to register the same token multiple times, even though the object returned by the getCreateArgs call included the entry in the "excludeCredentials" array:

"excludeCredentials":[{"id":"=?BINARY?B?rU62......BrA==?=","type":"public-key","transports":["usb","ble","nfc","internal"]}]

Am I using the wrong ID? Or am I a dumbass and made a mistake in these three lines of PHP code?

EDIT: I am a dumbass, apparently. I just added this snippet and now it's working, thanks!:

        // collect the credential IDs already registered for this user
        $ids = array();
        if (is_array($_SESSION['registrations'])) {
            foreach ($_SESSION['registrations'] as $reg) {
                if ($reg->userId === $userId) {
                    $ids[] = $reg->credentialId;
                }
            }
        }

        $createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 20, $requireResidentKey, $userVerification, $crossPlatformAttachment, $ids);
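The following is an added example illustrating both the maintainer's answer (pass the already-registered credential IDs as $excludeCredentialIds) and the reporter's working snippet, written as one complete registration endpoint. It is not code from lbuchs/WebAuthn or from its demo page. The persistence helpers loadAllRegistrations() and saveRegistration() are hypothetical and stand in for whatever storage the application uses; the rpId, user handle and request format are also assumptions. One point the thread does not spell out: excludeCredentials is honoured by the browser and authenticator, not by the server, so a client that strips the list can still hand back a credential ID that is already on file. The example therefore also checks the returned credentialId against every stored registration in processCreate, which is what the WebAuthn spec asks relying parties to do.

```php
<?php
// Added example, not code from lbuchs/WebAuthn or its demo page.
// Assumptions (hypothetical, not part of the library):
//   - the library is installed via Composer (class lbuchs\WebAuthn\WebAuthn);
//   - loadAllRegistrations() returns the objects processCreate() returned
//     earlier, each with ->userId set by us and ->credentialId (raw binary);
//   - saveRegistration($reg) persists such an object;
//   - the browser posts clientDataJSON and attestationObject base64-encoded.
require_once __DIR__ . '/vendor/autoload.php';

use lbuchs\WebAuthn\WebAuthn;
use lbuchs\WebAuthn\WebAuthnException;

session_start();

$rpName          = 'Example RP';
$rpId            = 'example.com';               // registrable domain of the page's origin
$userId          = hex2bin('0102030405060708'); // opaque, stable, non-PII user handle
$userName        = 'alice';
$userDisplayName = 'Alice';

$webAuthn = new WebAuthn($rpName, $rpId, ['none', 'packed', 'fido-u2f']);

/** Credential IDs already registered for $userId, to go into excludeCredentials. */
function excludeIdsFor(string $userId, array $registrations): array
{
    $ids = [];
    foreach ($registrations as $reg) {
        if ($reg->userId === $userId) {
            $ids[] = $reg->credentialId;   // raw binary string, as returned by processCreate()
        }
    }
    return $ids;
}

/** True if $credentialId is already registered to anyone, not only to this user. */
function credentialIdKnown(string $credentialId, array $registrations): bool
{
    foreach ($registrations as $reg) {
        if (hash_equals($reg->credentialId, $credentialId)) {
            return true;
        }
    }
    return false;
}

$action = $_GET['action'] ?? '';

if ($action === 'getCreateArgs') {
    // Step 1: options for navigator.credentials.create(). With excludeCredentials
    // filled, the browser tells the user to pick a different key if the chosen
    // authenticator already holds one of the listed credentials.
    $createArgs = $webAuthn->getCreateArgs(
        $userId,
        $userName,
        $userDisplayName,
        60,            // timeout in seconds
        false,         // requireResidentKey
        'preferred',   // userVerification
        null,          // crossPlatformAttachment: null = no preference
        excludeIdsFor($userId, loadAllRegistrations())
    );
    $_SESSION['challenge'] = $webAuthn->getChallenge();
    header('Content-Type: application/json');
    echo json_encode($createArgs);
    exit;
}

if ($action === 'processCreate') {
    // Step 2: verify the attestation. excludeCredentials is enforced client-side,
    // so a tampered client can still return an ID we already have: check it here.
    $post = json_decode(file_get_contents('php://input'));
    try {
        $data = $webAuthn->processCreate(
            base64_decode($post->clientDataJSON),
            base64_decode($post->attestationObject),
            $_SESSION['challenge'],
            false,  // requireUserVerification (matches 'preferred' above)
            true    // requireUserPresent
        );
    } catch (WebAuthnException $e) {
        http_response_code(400);
        echo json_encode(['success' => false, 'msg' => $e->getMessage()]);
        exit;
    }

    if (credentialIdKnown($data->credentialId, loadAllRegistrations())) {
        http_response_code(409);
        echo json_encode(['success' => false, 'msg' => 'credential already registered']);
        exit;
    }

    $data->userId = $userId;   // bind the new credential to the account being enrolled
    saveRegistration($data);
    echo json_encode(['success' => true]);
}
```

The "=?BINARY?B?...?=" markers visible in the issue's JSON are how the library's ByteBuffer serialises binary values by default; the demo page's JavaScript converts them into ArrayBuffers before calling navigator.credentials.create(). If the client expects plain base64url instead, pass true as the fourth constructor argument of WebAuthn. The duplicate check in processCreate deliberately compares against all users' registrations, because a credential ID already bound to a different account should fail the ceremony rather than silently attach to a second one.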