PM-34840: bug: Allow related-origin passkey creation

[david-livefront]

🎟️ Tracking

PM-34840

📔 Objective

This PR pulls the requested origin for privileged apps (browsers) since they have already had their origin validated. This allows us to create passkeys from websites that use related-origins.

[codecov]

Codecov Report

❌ Patch coverage is 66.66667% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.61%. Comparing base (287d8a9) to head (4b4625f).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...dentials/manager/BitwardenCredentialManagerImpl.kt	66.66%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6777      +/-   ##
==========================================
+ Coverage   85.00%   85.61%   +0.60%     
==========================================
  Files         971      871     -100     
  Lines       61312    60044    -1268     
  Branches     8647     8613      -34     
==========================================
- Hits        52121    51409     -712     
+ Misses       6190     5652     -538     
+ Partials     3001     2983      -18     

Flag	Coverage Δ
app-data	17.32% <66.66%> (-0.41%)	⬇️
app-ui-auth-tools	20.39% <0.00%> (-0.34%)	⬇️
app-ui-platform	15.68% <0.00%> (-0.25%)	⬇️
app-ui-vault	26.68% <0.00%> (+0.07%)	⬆️
authenticator	6.55% <0.00%> (-0.01%)	⬇️
lib-core-network-bridge	4.28% <0.00%> (-0.01%)	⬇️
lib-data-ui	1.03% <0.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Checkmarx One – Scan Summary & Details – ee42c8eb-af23-43a8-bfd2-48a4ba1c3098

Great job! No new security vulnerabilities introduced in this pull request

[iinuwa]

I thought about this some more from my previous suggestion: While this "works" to trick the SDK into not doing extra validation, it means that the generated clientDataJSON will look like {"origin":"https://rpId.com", ...} rather than {"origin":"https://relatedorigin.com", ...}, which means that the relying party loses information.

The correct thing to do is to fix this in the SDK. I think it's OK to move forward with this workaround, but maybe we should add a TODO to address that later?

[SaintPatrck]

Agreed. Is there a ticket we can reference here?

[iinuwa]

LGTM, but this should be reviewed by someone else with more experience with the Android implementation than me to be sure.

[SaintPatrck]

⛏️

Suggested change

	// ensure that related-origin requests are process successfully. In the future, the SDK
	// ensure that related-origin requests are processed successfully. In the future, the SDK

[SaintPatrck]

Agreed. Is there a ticket we can reference here?

[david-livefront]

Thanks @SaintPatrck & @iinuwa