feat(core): allow origin list for webauthn register and verify (#7424)

Author: wangsijie

packages/core/src/routes/experience/classes/verifications/web-authn-verification.ts

@@ -117,15 +117,12 @@ export class WebAuthnVerification implements MfaVerificationRecord<VerificationT
    * Keep it as the single source of truth for generating the WebAuthn registration options.
    * TODO: Consider relocating the function under a shared folder
    */
-  async generateWebAuthnRegistrationOptions(
-    ctx: WithLogContext
-  ): Promise<WebAuthnRegistrationOptions> {
-    const { hostname } = ctx.URL;
+  async generateWebAuthnRegistrationOptions(rpId: string): Promise<WebAuthnRegistrationOptions> {
     const user = await this.findUser();
 
     const registrationOptions = await generateWebAuthnRegistrationOptions({
       user,
-      rpId: hostname,
+      rpId,
     });
 
     this.registrationChallenge = registrationOptions.challenge;
@@ -146,20 +143,20 @@ export class WebAuthnVerification implements MfaVerificationRecord<VerificationT
     ctx: WithLogContext,
     payload: Omit<BindWebAuthnPayload, 'type'>
   ) {
-    const { hostname, origin } = ctx.URL;
     const {
       request: {
         headers: { 'user-agent': userAgent = '' },
       },
+      origin,
     } = ctx;
+    const { webauthnRelatedOrigins } = await this.queries.accountCenters.findDefaultAccountCenter();
 
     assertThat(this.registrationChallenge, 'session.mfa.pending_info_not_found');
 
     const { verified, registrationInfo } = await verifyWebAuthnRegistration(
       payload,
       this.registrationChallenge,
-      hostname,
-      origin
+      [origin, ...webauthnRelatedOrigins]
     );
 
     assertThat(verified, 'session.mfa.webauthn_verification_failed');

packages/core/src/routes/experience/verification-routes/web-authn-verification.ts

@@ -55,8 +55,9 @@ export default function webAuthnVerificationRoute<T extends ExperienceInteractio
         experienceInteraction.identifiedUserId
       );
 
-      const registrationOptions =
-        await webAuthnVerification.generateWebAuthnRegistrationOptions(ctx);
+      const registrationOptions = await webAuthnVerification.generateWebAuthnRegistrationOptions(
+        ctx.URL.hostname
+      );
 
       experienceInteraction.setVerificationRecord(webAuthnVerification);
 

packages/core/src/routes/interaction/utils/webauthn.test.ts

@@ -54,7 +54,7 @@ describe('generateWebAuthnRegistrationOptions', () => {
 describe('verifyWebAuthnRegistration', () => {
   it('should verify registration response', async () => {
     await expect(
-      verifyWebAuthnRegistration(mockBindWebAuthnPayload, 'challenge', rpId, origin)
+      verifyWebAuthnRegistration(mockBindWebAuthnPayload, 'challenge', [origin])
     ).resolves.toHaveProperty('verified', true);
     expect(verifyRegistrationResponse).toHaveBeenCalled();
   });

packages/core/src/routes/interaction/utils/webauthn.ts

@@ -64,17 +64,15 @@ export const generateWebAuthnRegistrationOptions = async ({
 export const verifyWebAuthnRegistration = async (
   payload: Omit<BindWebAuthnPayload, 'type'>,
   challenge: string,
-  rpId: string,
-  origin: string
+  origins: string[]
 ) => {
   const options: VerifyRegistrationResponseOpts = {
     response: {
       ...payload,
       type: 'public-key',
     },
     expectedChallenge: challenge,
-    expectedOrigin: origin,
-    expectedRPID: rpId,
+    expectedOrigin: origins,
     requireUserVerification: false,
   };
   return verifyRegistrationResponse(options);

packages/core/src/routes/interaction/verifications/mfa-payload-verification.ts

@@ -92,12 +92,9 @@ const verifyBindWebAuthn = async (
 
   const { type, ...rest } = payload;
   const { challenge } = pendingMfa;
-  const { verified, registrationInfo } = await verifyWebAuthnRegistration(
-    rest,
-    challenge,
-    rpId,
-    origin
-  );
+  const { verified, registrationInfo } = await verifyWebAuthnRegistration(rest, challenge, [
+    origin,
+  ]);
 
   assertThat(verified, 'session.mfa.webauthn_verification_failed');
   assertThat(registrationInfo, 'session.mfa.webauthn_verification_failed');

packages/core/src/routes/verification/index.ts

@@ -14,7 +14,7 @@ import { z } from 'zod';
 
 import koaGuard from '#src/middleware/koa-guard.js';
 
-import { EnvSet } from '../../env-set/index.js';
+import { EnvSet, getTenantEndpoint } from '../../env-set/index.js';
 import {
   buildVerificationRecordByIdAndType,
   insertVerificationRecord,
@@ -267,10 +267,19 @@ export default function verificationRoutes<T extends UserRouter>(
     async (ctx, next) => {
       const { id: userId } = ctx.auth;
 
+      // If custom domain is enabled, use the custom domain as the RP ID.
+      // Otherwise, use the default tenant hostname as the RP ID.
+      // The background is that a passkey must be registered with a specific RP ID, which is a domain.
+      // In the future, we will support specifying the RP ID.
+      const domain = await queries.domains.findActiveDomain(tenantContext.id);
+      const rpId = domain
+        ? domain.domain
+        : getTenantEndpoint(tenantContext.id, EnvSet.values).hostname;
+
       const webAuthnVerification = WebAuthnVerification.create(libraries, queries, userId);
 
       const registrationOptions =
-        await webAuthnVerification.generateWebAuthnRegistrationOptions(ctx);
+        await webAuthnVerification.generateWebAuthnRegistrationOptions(rpId);
 
       const { expiresAt } = await insertVerificationRecord(webAuthnVerification, queries, userId);