torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CORS testing documentation and HTML test page for Passkey Cross-Device Authentication
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 55s
Details

Browse Source 
Introduce a comprehensive CORS testing guide in CORS_TEST_ANLEITUNG.md, detailing steps for testing OPTIONS and POST requests, along with expected responses. Additionally, add a new HTML test page (test-cors.html) to facilitate interactive testing of CORS headers and responses for the Passkey registration API. Update the server API to ensure proper CORS headers are set for Cross-Device Authentication, enhancing the overall testing and debugging process.
This commit is contained in:
Torsten Schulz (local)
2026-01-08 11:14:22 +01:00
parent 010e89212f
commit 34968742f0
6 changed files with 592 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
server/api/auth/register-passkey-options.post.js
View File

@@ -125,17 +125,28 @@ export default defineEventHandler(async (event) => {
await writeAuditLog('auth.passkey.prereg.options', { email })
// CORS-Header für Cross-Device Authentication
if (requestOrigin) {
setHeader(event, 'Access-Control-Allow-Origin', requestOrigin)
// WICHTIG: Für Cross-Device muss CORS korrekt konfiguriert sein
const allowedOrigin = requestOrigin || webauthnOrigin
if (allowedOrigin) {
setHeader(event, 'Access-Control-Allow-Origin', allowedOrigin)
setHeader(event, 'Access-Control-Allow-Credentials', 'true')
setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization')
console.log('[DEBUG] CORS headers set', { origin: requestOrigin })
setHeader(event, 'Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization, Origin, X-Requested-With')
setHeader(event, 'Access-Control-Max-Age', '86400') // 24 Stunden Cache für Preflight
console.log('[DEBUG] CORS headers set', {
origin: allowedOrigin,
requestOrigin,
webauthnOrigin,
method: getMethod(event)
})
}
// OPTIONS Preflight-Request für Cross-Device
if (getMethod(event) === 'OPTIONS') {
console.log('[DEBUG] OPTIONS request, returning early')
return { success: true }
console.log('[DEBUG] OPTIONS preflight request, returning 204')
setResponseStatus(event, 204)
return null
}
// Stelle sicher, dass die Options korrekt serialisiert werden

18
server/api/auth/register-passkey.post.js
View File

@@ -11,12 +11,30 @@ import { assertPasswordNotPwned } from '../../utils/hibp.js'
export default defineEventHandler(async (event) => {
const requestStart = Date.now()
const requestOrigin = getHeader(event, 'origin')
const { origin: webauthnOrigin } = getWebAuthnConfig()
console.log('[DEBUG] register-passkey request received', {
origin: requestOrigin,
webauthnOrigin,
timestamp: new Date().toISOString()
})
// CORS-Header für Cross-Device Authentication
const allowedOrigin = requestOrigin || webauthnOrigin
if (allowedOrigin) {
setHeader(event, 'Access-Control-Allow-Origin', allowedOrigin)
setHeader(event, 'Access-Control-Allow-Credentials', 'true')
setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization, Origin, X-Requested-With')
}
// OPTIONS Preflight-Request
if (getMethod(event) === 'OPTIONS') {
console.log('[DEBUG] OPTIONS preflight request, returning 204')
setResponseStatus(event, 204)
return null
}
const body = await readBody(event)
const registrationId = String(body?.registrationId || '')
const response = body?.credential