feat(auth): implement Android refresh token handling and session management

- Added support for generating Android access tokens and managing refresh sessions in the auth endpoints.
- Implemented new tests for login, logout, and refresh functionalities specific to Android clients.
- Enhanced password reset logging with normalization and masking of email addresses.
- Created a new diagnostics endpoint for password reset attempts, including filtering and summarizing logs.
- Introduced a new utility for managing password reset logs with retention policies.
- Added tests for password reset log utilities to ensure proper functionality and privacy compliance.
- Updated WebAuthn configuration tests to validate origin handling for production and allowed origins.
This commit is contained in:
Torsten Schulz (local)
2026-05-27 19:34:32 +02:00
parent 755442fb70
commit 58fd7fa5c6
32 changed files with 1477 additions and 180 deletions


@@ -96,7 +96,7 @@ export default defineEventHandler(async (event) => {
throw createError({ statusCode: 409, message: 'Ein Benutzer mit dieser E-Mail-Adresse existiert bereits' })
}
const { origin, rpId, requireUV } = getWebAuthnConfig()
const { origin, origins, rpId, requireUV } = getWebAuthnConfig()
// Debug: Prüfe die tatsächliche Origin aus der Response
const clientData = response?.response?.clientDataJSON
@@ -117,13 +117,11 @@ export default defineEventHandler(async (event) => {
}
console.log('[DEBUG] WebAuthn config for verification', {
expectedOrigin: origin,
expectedOriginType: typeof origin,
expectedOriginLength: origin?.length,
expectedOrigins: origins,
actualOriginFromResponse: actualOrigin,
rpId,
requireUV,
originMatch: origin === actualOrigin,
originMatch: origins.includes(actualOrigin),
webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL
})
@@ -140,7 +138,7 @@ export default defineEventHandler(async (event) => {
console.log('[DEBUG] Verifying registration response...')
console.log('[DEBUG] Verification parameters', {
expectedOrigin: origin,
expectedOrigins: origins,
expectedRPID: rpId,
hasChallenge: !!challenge,
challengeLength: challenge?.length,
@@ -155,7 +153,7 @@ export default defineEventHandler(async (event) => {
verification = await verifyRegistrationResponse({
response,
expectedChallenge: challenge,
expectedOrigin: origin,
expectedOrigin: origins,
expectedRPID: rpId,
requireUserVerification: requireUV
})
@@ -165,11 +163,12 @@ export default defineEventHandler(async (event) => {
error: verifyError,
message: verifyError?.message,
cause: verifyError?.cause?.message,
expectedOrigin: origin,
expectedOrigins: origins,
actualOriginFromResponse: actualOrigin,
stack: verifyError?.stack
})
throw verifyError
await writeAuditLog('auth.passkey.prereg.failed', { email, reason: 'verification_error' })
throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
}
const verifyDuration = Date.now() - verifyStart
@@ -308,4 +307,3 @@ export default defineEventHandler(async (event) => {
message: 'Registrierung erfolgreich. Sie erhalten eine E-Mail, sobald Ihr Zugang freigeschaltet wurde.'
}
})
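Review bot: In the catch block of the verification hunk (`@@ -165,11 +163,12 @@`), `await writeAuditLog('auth.passkey.prereg.failed', ...)` runs before the 400 is thrown, so a rejected audit write replaces the intended generic `Passkey-Registrierung fehlgeschlagen` response with whatever the audit helper throws; consider `try { await writeAuditLog('auth.passkey.prereg.failed', { email, reason: 'verification_error' }) } catch (auditErr) { console.error('[audit] prereg audit write failed', auditErr) }` so the client-facing outcome stays fixed. The same entry records `email` as given, while the commit description says password-reset logging now normalizes and masks addresses — if writeAuditLog does not mask on its own (it is defined outside this hunk), the two log paths treat the same identifier differently. The `[DEBUG]` logs that remain in the earlier hunks print `WEBAUTHN_ORIGIN`, `NUXT_PUBLIC_BASE_URL` and the full `verifyError.stack` on every verification; since `expectedOrigin: origins` is now the value actually passed to verifyRegistrationResponse, a comment such as `// origins is the allowed-origin list; expectedOrigin accepts string | string[]` at that call site would explain the array argument better than the debug output. The handler's opening lines are outside the hunks shown.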