Refine WebAuthn configuration and enhance debug logging for origin verification

Update the WebAuthn configuration to ensure HTTPS origins do not include ports, improving compliance with standards. Add detailed debug logging in the passkey registration process to verify the actual origin from the client response, aiding in troubleshooting and enhancing the clarity of the registration flow.
This commit is contained in:
Torsten Schulz (local)
2026-01-07 21:54:02 +01:00
parent c40780ef89
commit 83a2166399
2 changed files with 50 additions and 4 deletions


@@ -55,10 +55,26 @@ export default defineEventHandler(async (event) => {
} }
const { origin, rpId, requireUV } = getWebAuthnConfig() const { origin, rpId, requireUV } = getWebAuthnConfig()
// Debug: Prüfe die tatsächliche Origin aus der Response
const clientData = response?.response?.clientDataJSON
let actualOrigin = null
if (clientData) {
try {
const decoded = Buffer.from(clientData, 'base64').toString('utf-8')
const parsed = JSON.parse(decoded)
actualOrigin = parsed.origin
} catch (e) {
console.warn('[DEBUG] Could not parse clientDataJSON:', e)
}
}
console.log('[DEBUG] WebAuthn config for verification', { console.log('[DEBUG] WebAuthn config for verification', {
origin, expectedOrigin: origin,
actualOriginFromResponse: actualOrigin,
rpId, rpId,
requireUV requireUV,
originMatch: origin === actualOrigin
}) })
console.log('[DEBUG] Verifying registration response...') console.log('[DEBUG] Verifying registration response...')
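Review bot: The decode at `Buffer.from(clientData, 'base64')` reads a field that WebAuthn JSON transports normally carry as base64url; Node's `'base64'` decoder happens to tolerate the URL-safe alphabet, but `Buffer.from(clientData, 'base64url')` states the intent instead of relying on that leniency. `parsed.origin` is untrusted client input that this block only logs, so `originMatch` must stay informational and never substitute for the library's own check against `expectedOrigin`; a one-line comment makes that explicit, e.g. `// informational only — the authoritative origin check is done by the verification call below`. These `[DEBUG]` console calls run on every registration and the catch prints the raw exception object; gating them behind a debug flag keeps them out of production logs. The handler's body begins before the hunk and continues after it.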


@@ -2,8 +2,15 @@ function deriveFromBaseUrl() {
const base = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100' const base = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
try { try {
const u = new URL(base) const u = new URL(base)
// Für HTTPS (Port 443) den Port weglassen, da er standardmäßig ist
// Für andere Ports (z.B. Dev auf 3100) den Port beibehalten
const port = u.port && u.port !== '443' && u.port !== '80' ? `:${u.port}` : ''
const origin = u.protocol === 'https:' && !port
? `${u.protocol}//${u.hostname}`
: `${u.protocol}//${u.hostname}${port}`
return { return {
origin: `${u.protocol}//${u.host}`, origin,
rpId: u.hostname rpId: u.hostname
} }
} catch { } catch {
@@ -16,10 +23,33 @@ export function getWebAuthnConfig() {
const rpId = process.env.WEBAUTHN_RP_ID || derived.rpId const rpId = process.env.WEBAUTHN_RP_ID || derived.rpId
const rpName = process.env.WEBAUTHN_RP_NAME || 'Harheimer TC' const rpName = process.env.WEBAUTHN_RP_NAME || 'Harheimer TC'
const origin = process.env.WEBAUTHN_ORIGIN || derived.origin // WEBAUTHN_ORIGIN hat Priorität, sonst von BASE_URL ableiten
// WICHTIG: Origin sollte KEINEN Port enthalten für HTTPS (443 ist Standard)
let origin = process.env.WEBAUTHN_ORIGIN || derived.origin
// Sicherstellen, dass HTTPS-Origins keinen Port haben (außer es ist explizit gesetzt)
if (origin.startsWith('https://') && !process.env.WEBAUTHN_ORIGIN) {
try {
const u = new URL(origin)
if (u.port === '443' || (!u.port && u.protocol === 'https:')) {
origin = `https://${u.hostname}`
}
} catch {
// Ignore
}
}
const requireUV = (process.env.WEBAUTHN_REQUIRE_UV || '').toLowerCase() === 'true' const requireUV = (process.env.WEBAUTHN_REQUIRE_UV || '').toLowerCase() === 'true'
console.log('[DEBUG] WebAuthn Config', {
rpId,
rpName,
origin,
requireUV,
webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL
})
return { rpId, rpName, origin, requireUV } return { rpId, rpName, origin, requireUV }
} }
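Review bot: The port handling in deriveFromBaseUrl, from `const port = ...` through the `origin` ternary, strips port 443 or 80 regardless of scheme, so a base URL like `http://host:443` or `https://host:80` would lose a port that is not the default for its scheme, and both ternary branches build the same string when `port` is empty. The WHATWG `URL` parser already elides default ports and exposes the canonical value, so `origin: u.origin` replaces those lines and cannot misnormalise. With that in place, the second hunk's `if (origin.startsWith('https://') && !process.env.WEBAUTHN_ORIGIN)` block in getWebAuthnConfig becomes redundant, and its `u.port === '443'` test is never true after parsing an https URL because the parser drops the port. The `[DEBUG] WebAuthn Config` log there runs on every call and echoes environment values, so it is worth gating behind a debug flag as well. deriveFromBaseUrl's catch branch continues outside the first hunk.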