Refine WebAuthn configuration and enhance debug logging for origin verification
Update the WebAuthn configuration to ensure HTTPS origins do not include ports, improving compliance with standards. Add detailed debug logging in the passkey registration process to verify the actual origin from the client response, aiding in troubleshooting and enhancing the clarity of the registration flow.
@@ -55,10 +55,26 @@ export default defineEventHandler(async (event) => {
|
||||
}
|
||||
|
||||
const { origin, rpId, requireUV } = getWebAuthnConfig()
|
||||
|
||||
// Debug: Prüfe die tatsächliche Origin aus der Response
|
||||
const clientData = response?.response?.clientDataJSON
|
||||
let actualOrigin = null
|
||||
if (clientData) {
|
||||
try {
|
||||
const decoded = Buffer.from(clientData, 'base64').toString('utf-8')
|
||||
const parsed = JSON.parse(decoded)
|
||||
actualOrigin = parsed.origin
|
||||
} catch (e) {
|
||||
console.warn('[DEBUG] Could not parse clientDataJSON:', e)
|
||||
}
|
||||
}
|
||||
|
||||
console.log('[DEBUG] WebAuthn config for verification', {
|
||||
origin,
|
||||
expectedOrigin: origin,
|
||||
actualOriginFromResponse: actualOrigin,
|
||||
rpId,
|
||||
requireUV
|
||||
requireUV,
|
||||
originMatch: origin === actualOrigin
|
||||
})
|
||||
|
||||
console.log('[DEBUG] Verifying registration response...')
|
||||
|
||||
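Review bot: The value read on the `actualOrigin = parsed.origin` line comes straight from the client's clientDataJSON and is only fit for logging, so the block should say so before someone later short-circuits on `originMatch`; a comment such as `// Diagnostic only: clientDataJSON is client-supplied; origin, rpId and challenge are enforced by the verification call below, not here` would make that explicit. The `[DEBUG]` console.log calls added here run unconditionally, so every registration echoes client-supplied data into production logs; gating them behind a flag such as `if (process.env.NODE_ENV !== 'production')` keeps the diagnostics for development only. `Buffer.from(clientData, 'base64')` should also accept the base64url alphabet that WebAuthn JSON responses use, but `'base64url'` states the intent and avoids relying on that leniency. The enclosing `defineEventHandler` callback starts before and continues after this hunk.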
@@ -2,8 +2,15 @@ function deriveFromBaseUrl() {
|
||||
const base = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
|
||||
try {
|
||||
const u = new URL(base)
|
||||
// Für HTTPS (Port 443) den Port weglassen, da er standardmäßig ist
|
||||
// Für andere Ports (z.B. Dev auf 3100) den Port beibehalten
|
||||
const port = u.port && u.port !== '443' && u.port !== '80' ? `:${u.port}` : ''
|
||||
const origin = u.protocol === 'https:' && !port
|
||||
? `${u.protocol}//${u.hostname}`
|
||||
: `${u.protocol}//${u.hostname}${port}`
|
||||
|
||||
return {
|
||||
origin: `${u.protocol}//${u.host}`,
|
||||
origin,
|
||||
rpId: u.hostname
|
||||
}
|
||||
} catch {
|
||||
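Review bot: The filter on the `const port = u.port && u.port !== '443' && u.port !== '80'` line strips `:443` and `:80` regardless of scheme, so a base URL such as `http://host:443` or `https://host:80` would yield an origin without the port while the browser's clientDataJSON reports one with it; the WHATWG `URL` parser already drops a scheme-default port, which makes these checks redundant for the matching scheme and wrong for the mismatched one. Both branches of the ternary that follows also produce the same string once `port` is empty. The URL API computes exactly the needed value, so `const origin = u.origin` can replace the port and ternary lines and the returned `origin,` shorthand stays as is. deriveFromBaseUrl continues past the `} catch {` at the end of this hunk.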
@@ -16,10 +23,33 @@ export function getWebAuthnConfig() {
|
||||
|
||||
const rpId = process.env.WEBAUTHN_RP_ID || derived.rpId
|
||||
const rpName = process.env.WEBAUTHN_RP_NAME || 'Harheimer TC'
|
||||
const origin = process.env.WEBAUTHN_ORIGIN || derived.origin
|
||||
// WEBAUTHN_ORIGIN hat Priorität, sonst von BASE_URL ableiten
|
||||
// WICHTIG: Origin sollte KEINEN Port enthalten für HTTPS (443 ist Standard)
|
||||
let origin = process.env.WEBAUTHN_ORIGIN || derived.origin
|
||||
|
||||
// Sicherstellen, dass HTTPS-Origins keinen Port haben (außer es ist explizit gesetzt)
|
||||
if (origin.startsWith('https://') && !process.env.WEBAUTHN_ORIGIN) {
|
||||
try {
|
||||
const u = new URL(origin)
|
||||
if (u.port === '443' || (!u.port && u.protocol === 'https:')) {
|
||||
origin = `https://${u.hostname}`
|
||||
}
|
||||
} catch {
|
||||
// Ignore
|
||||
}
|
||||
}
|
||||
|
||||
const requireUV = (process.env.WEBAUTHN_REQUIRE_UV || '').toLowerCase() === 'true'
|
||||
|
||||
console.log('[DEBUG] WebAuthn Config', {
|
||||
rpId,
|
||||
rpName,
|
||||
origin,
|
||||
requireUV,
|
||||
webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
|
||||
baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL
|
||||
})
|
||||
|
||||
return { rpId, rpName, origin, requireUV }
|
||||
}
|
||||
|
||||
|
||||
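Review bot: The block starting at `if (origin.startsWith('https://') && !process.env.WEBAUTHN_ORIGIN)` looks like a no-op: `new URL()` never reports `'443'` as the port of an `https:` URL, and the remaining branch rebuilds the same `https://hostname` string that deriveFromBaseUrl already produced. The one input where a stray port, path or trailing slash actually breaks the origin comparison is an explicitly set `WEBAUTHN_ORIGIN`, and that is the case the condition skips; normalizing unconditionally with `origin = new URL(origin).origin` inside the try would cover both sources, and having the `catch { // Ignore }` throw `new Error('invalid WEBAUTHN_ORIGIN')` (or at least warn) would surface the misconfiguration at startup rather than as a failed registration. The `[DEBUG] WebAuthn Config` log runs on every call of getWebAuthnConfig() and prints raw environment values; gating it on `process.env.NODE_ENV !== 'production'` keeps it out of production logs.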