From 83a216639912ff9d91db55dd6399375ad6783ed2 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Wed, 7 Jan 2026 21:54:02 +0100
Subject: [PATCH] Refine WebAuthn configuration and enhance debug logging for origin verification
Update the WebAuthn configuration to ensure HTTPS origins do not include ports, improving compliance with standards. Add detailed debug logging in the passkey registration process to verify the actual origin from the client response, aiding in troubleshooting and enhancing the clarity of the registration flow.
---
 server/api/auth/register-passkey.post.js | 20 ++++++++++++--
 server/utils/webauthn-config.js | 34 ++++++++++++++++++++++--
 2 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/server/api/auth/register-passkey.post.js b/server/api/auth/register-passkey.post.js
index d879cf7..26116de 100644
--- a/server/api/auth/register-passkey.post.js
+++ b/server/api/auth/register-passkey.post.js
@@ -55,10 +55,26 @@ export default defineEventHandler(async (event) => {
 }
 const { origin, rpId, requireUV } = getWebAuthnConfig()
+
+ // Debug: Prüfe die tatsächliche Origin aus der Response
+ const clientData = response?.response?.clientDataJSON
+ let actualOrigin = null
+ if (clientData) {
+ try {
+ const decoded = Buffer.from(clientData, 'base64').toString('utf-8')
+ const parsed = JSON.parse(decoded)
+ actualOrigin = parsed.origin
+ } catch (e) {
+ console.warn('[DEBUG] Could not parse clientDataJSON:', e)
+ }
+ }
+
 console.log('[DEBUG] WebAuthn config for verification', {
- origin,
+ expectedOrigin: origin,
+ actualOriginFromResponse: actualOrigin,
 rpId,
- requireUV
+ requireUV,
+ originMatch: origin === actualOrigin
 })
 console.log('[DEBUG] Verifying registration response...')
diff --git a/server/utils/webauthn-config.js b/server/utils/webauthn-config.js
index b4cfa57..93d9128 100644
--- a/server/utils/webauthn-config.js
+++ b/server/utils/webauthn-config.js
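Review bot: The clientDataJSON decode added after `getWebAuthnConfig()` is a second, diagnostic-only parse of client-supplied input that runs on every registration and is logged unconditionally, including the caught `e` from `JSON.parse`, whose message echoes part of the input. Gate the block and both `[DEBUG]` logs behind a debug switch (placeholder: `process.env.WEBAUTHN_DEBUG === 'true'`) so routine production logs do not carry client-controlled strings, and decode with `Buffer.from(clientData, 'base64url')`, since the WebAuthn JSON serialization of clientDataJSON is base64url (Node's `'base64'` decoder tolerates that alphabet, but the explicit encoding documents the expectation). `originMatch` is informational only; the authoritative origin check remains with the verifier call that follows, outside this hunk. The enclosing handler starts and ends outside the hunk.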
@@ -2,8 +2,15 @@ function deriveFromBaseUrl() {
 const base = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
 try {
 const u = new URL(base)
+ // Für HTTPS (Port 443) den Port weglassen, da er standardmäßig ist
+ // Für andere Ports (z.B. Dev auf 3100) den Port beibehalten
+ const port = u.port && u.port !== '443' && u.port !== '80' ? `:${u.port}` : ''
+ const origin = u.protocol === 'https:' && !port
+ ? `${u.protocol}//${u.hostname}`
+ : `${u.protocol}//${u.hostname}${port}`
+
 return {
- origin: `${u.protocol}//${u.host}`,
+ origin,
 rpId: u.hostname
 }
 } catch {
@@ -16,10 +23,33 @@ export function getWebAuthnConfig() {
 const rpId = process.env.WEBAUTHN_RP_ID || derived.rpId
 const rpName = process.env.WEBAUTHN_RP_NAME || 'Harheimer TC'
- const origin = process.env.WEBAUTHN_ORIGIN || derived.origin
+ // WEBAUTHN_ORIGIN hat Priorität, sonst von BASE_URL ableiten
+ // WICHTIG: Origin sollte KEINEN Port enthalten für HTTPS (443 ist Standard)
+ let origin = process.env.WEBAUTHN_ORIGIN || derived.origin
+
+ // Sicherstellen, dass HTTPS-Origins keinen Port haben (außer es ist explizit gesetzt)
+ if (origin.startsWith('https://') && !process.env.WEBAUTHN_ORIGIN) {
+ try {
+ const u = new URL(origin)
+ if (u.port === '443' || (!u.port && u.protocol === 'https:')) {
+ origin = `https://${u.hostname}`
+ }
+ } catch {
+ // Ignore
+ }
+ }
 const requireUV = (process.env.WEBAUTHN_REQUIRE_UV || '').toLowerCase() === 'true'
+ console.log('[DEBUG] WebAuthn Config', {
+ rpId,
+ rpName,
+ origin,
+ requireUV,
+ webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
+ baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL
+ })
+
 return { rpId, rpName, origin, requireUV }
 }
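Review bot: The port stripping added in `deriveFromBaseUrl` is redundant for the default case and wrong for the cross-scheme one: the WHATWG `URL` parser already drops `:443` from an https URL and `:80` from an http URL, so the removed `${u.protocol}//${u.host}` was already the browser's origin serialization, whereas the new code also reduces a non-default `http://host:443` or `https://host:80` to `http://host` / `https://host`, a value no browser reports as its origin, so every verification from such a deployment would fail. Both branches of the added ternary produce the same string when `port` is empty. Replace the added lines with `return { origin: u.origin, rpId: u.hostname }`, which yields the canonical origin for http and https. `deriveFromBaseUrl` continues past the hunk; its `catch` fallback is not visible here.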
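Review bot: The https normalization added in `getWebAuthnConfig` is dead code: it runs only when `WEBAUTHN_ORIGIN` is unset, so `origin` is `derived.origin`, which the hunk above has already stripped of default ports, and `new URL(...)` never reports `port === '443'` for an https input because the parser drops default ports. Removing the block together with its silent `catch { // Ignore }` restores the one-line `const origin = process.env.WEBAUTHN_ORIGIN || derived.origin`; if the intent is to tolerate an explicitly configured `https://host:443`, normalize that path instead, e.g. `const origin = process.env.WEBAUTHN_ORIGIN ? new URL(process.env.WEBAUTHN_ORIGIN).origin : derived.origin`, which also fails loudly on a malformed value rather than passing it through verbatim. The `[DEBUG] WebAuthn Config` log now fires on every call of `getWebAuthnConfig()` and prints the raw env values; gate it behind a debug switch (placeholder: `WEBAUTHN_DEBUG`) or drop it before deploy so routine logs stay quiet.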