Add CORS testing documentation and HTML test page for Passkey Cross-Device Authentication

Introduce a comprehensive CORS testing guide in CORS_TEST_ANLEITUNG.md, detailing steps for testing OPTIONS and POST requests, along with expected responses. Additionally, add a new HTML test page (test-cors.html) to facilitate interactive testing of CORS headers and responses for the Passkey registration API. Update the server API to ensure proper CORS headers are set for Cross-Device Authentication, enhancing the overall testing and debugging process.
2026-01-08 11:14:22 +01:00
parent 010e89212f
commit 34968742f0
6 changed files with 592 additions and 30 deletions
--- a/server/api/auth/register-passkey-options.post.js
+++ b/server/api/auth/register-passkey-options.post.js
@@ -125,17 +125,28 @@ export default defineEventHandler(async (event) => {
  await writeAuditLog('auth.passkey.prereg.options', { email })

  // CORS-Header für Cross-Device Authentication
-  if (requestOrigin) {
-    setHeader(event, 'Access-Control-Allow-Origin', requestOrigin)
+  // WICHTIG: Für Cross-Device muss CORS korrekt konfiguriert sein
+  const allowedOrigin = requestOrigin || webauthnOrigin
+  
+  if (allowedOrigin) {
+    setHeader(event, 'Access-Control-Allow-Origin', allowedOrigin)
    setHeader(event, 'Access-Control-Allow-Credentials', 'true')
-    setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
-    setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization')
-    console.log('[DEBUG] CORS headers set', { origin: requestOrigin })
+    setHeader(event, 'Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
+    setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization, Origin, X-Requested-With')
+    setHeader(event, 'Access-Control-Max-Age', '86400') // 24 Stunden Cache für Preflight
+    console.log('[DEBUG] CORS headers set', { 
+      origin: allowedOrigin,
+      requestOrigin,
+      webauthnOrigin,
+      method: getMethod(event)
+    })
  }

+  // OPTIONS Preflight-Request für Cross-Device
  if (getMethod(event) === 'OPTIONS') {
-    console.log('[DEBUG] OPTIONS request, returning early')
-    return { success: true }
+    console.log('[DEBUG] OPTIONS preflight request, returning 204')
+    setResponseStatus(event, 204)
+    return null
  }

  // Stelle sicher, dass die Options korrekt serialisiert werden