[PM-28157] Revert "Add string extension to prefix URIs with www"

[SaintPatrck]

🎟️ Tracking

PM-28157
Reverts #6183
Relates to #6164

📔 Objective

Revert modification of RP ID during DAL verification. Per FIDO2 and Digital Asset Link specs, redirects are not allowed and the RP ID must map directly to the assetlink.json host.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @SaintPatrck's task —— View job

---

Code Review Complete

Overall Assessment: APPROVE

This is a clean, well-justified revert that correctly removes the www-prefixing functionality. The revert is necessary because the original implementation violated FIDO2 and Digital Asset Link specifications.

---

Change Classification

Low-Risk Change (Revert)

This PR cleanly reverts PR #6183, which introduced automatic www-prefixing of relying party IDs during Digital Asset Link verification. The revert is well-justified: per FIDO2 and DAL specs, the RP ID must map directly to the host serving assetlinks.json without redirects.

Revert Completeness

✅ Clean Revert Verified

• Removes prefixWwwIfNecessary() and prefixWwwIfNecessaryOrNull() extension functions from StringExtensions.kt
• Removes all 61 associated test cases from StringExtensionsTest.kt
• Removes the www-prefixing logic from OriginManagerImpl.kt:43
• Removes 3 test cases from OriginManagerTest.kt that validated www-prefixing behavior
• Removes unused import of prefixWwwIfNecessary from OriginManagerImpl.kt:6

✅ No Remnants Left Behind

• All references to the www-prefixing functionality have been removed
• Code returns to using only prefixHttpsIfNecessary() as before

Architecture & Security

Correct Architectural Decision

The revert is architecturally sound and security-positive:

• FIDO2 Compliance: The original change attempted to "fix" compatibility issues by modifying the RP ID, but this violates the FIDO2 spec where the RP ID must exactly match the domain serving the Digital Asset Link file
• DAL Specification: Digital Asset Links do not allow redirects, so the RP ID must map directly to the host without modification
• Security Implications: Automatically prefixing www could create security issues where an RP ID is validated against a different domain than intended

Code Quality

The revert is executed properly:

• All code changes are consistent
• No orphaned tests or dead code
• Imports properly cleaned up

Test Coverage

Appropriate test cleanup:

• Removes all 61 tests for the reverted prefixWwwIfNecessary functions
• Removes 3 integration tests from OriginManagerTest that validated the www-prefixing behavior
• Existing tests for the remaining functionality are intact

Recommendation

APPROVE - This revert should be merged.

The revert correctly addresses a specification violation in the original implementation. The original PR attempted to improve compatibility with www subdomains, but did so in a way that violated FIDO2/DAL specifications by modifying the RP ID before validation.

The proper solution (for future consideration) would be for relying parties to:

1. Host their assetlinks.json at the exact domain specified in the RP ID, OR
2. Use the www subdomain explicitly in their RP ID if their assetlinks.json is at www

[github-actions]

Checkmarx One – Scan Summary & Details – ac691a19-abc8-488c-af6e-fac037cf8425

Great job! No new security vulnerabilities introduced in this pull request

[vvolkgang]

👍🏾

One of the QR related tests failed, triggered a merge from main as it may be related to have been fixed by @david-livefront's camera PR.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.41%. Comparing base (9831358) to head (196b6ee).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6192      +/-   ##
==========================================
- Coverage   85.41%   85.41%   -0.01%     
==========================================
  Files         755      755              
  Lines       54114    54105       -9     
  Branches     7803     7798       -5     
==========================================
- Hits        46220    46212       -8     
  Misses       5180     5180              
+ Partials     2714     2713       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.