Noisy android origin log

[gnarroway-bullish]

Current state

• we have additional origins with format android:apk-key-hash:xxxxxx to support android devices
• this results in an error log e.g.

[com.yubico.webauthn.OriginMatcher] Allowed origin is not a valid URL; skipping port/subdomain matching: []

Code reference: https://github.com/Yubico/java-webauthn-server/blob/main/webauthn-server-core/src/main/java/com/yubico/webauthn/OriginMatcher.java#L37

Desired state

• The RelyingParty already uses a warn log when first setting up (see code) which is sensible
• The OriginMatcher should not log at all during the course of regular usage (in isAllowed),
  • At most it should be a debug log

In summary: warn when setting up, but not on the actual hot path

Rationale

• That same OriginMatcher class is happy to match for exact string match (allowedOriginString.equals(origin))),
  • This indicates it is not incorrect to configure such origins.
• RelyingParty only considers the same string formats a warning (not an error)
• Therefore it should not be an error in the OriginMatcher

[fdennis]

Thanks for letting us know and sharing your thoughts.

I agree, we will look over the logging level of that output in OriginMatcher.