From a16838ff4701aea8c8a90499b82689c0bdfa1933 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Wed, 7 Jan 2026 22:05:24 +0100
Subject: [PATCH] Enhance debug logging and validation in passkey registration process

Add detailed debug logging to track the verification parameters and errors during the passkey registration flow. Implement validation to ensure the expected origin does not include port 3100, improving error handling and providing clear guidance for configuration issues. This update aims to enhance troubleshooting and the overall robustness of the registration process.
---
 server/api/auth/register-passkey.post.js | 86 ++++++++++++++++++------
 1 file changed, 64 insertions(+), 22 deletions(-)

diff --git a/server/api/auth/register-passkey.post.js b/server/api/auth/register-passkey.post.js
index 26116de..cafbb65 100644
--- a/server/api/auth/register-passkey.post.js
+++ b/server/api/auth/register-passkey.post.js
@@ -64,6 +64,11 @@ export default defineEventHandler(async (event) => {
 const decoded = Buffer.from(clientData, 'base64').toString('utf-8')
 const parsed = JSON.parse(decoded)
 actualOrigin = parsed.origin
+ console.log('[DEBUG] Parsed clientDataJSON', {
+ origin: parsed.origin,
+ type: parsed.type,
+ challenge: parsed.challenge ? 'present' : 'missing'
+ })
 } catch (e) {
 console.warn('[DEBUG] Could not parse clientDataJSON:', e)
 }
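Review bot: The new `console.log('[DEBUG] Parsed clientDataJSON', …)` runs unconditionally on every registration request and writes client-controlled values (`parsed.origin`, `parsed.type`) into the server log with no debug gate; the same unconditional `[DEBUG]` logging continues in the second hunk, which additionally logs `process.env.WEBAUTHN_ORIGIN`, `process.env.NUXT_PUBLIC_BASE_URL` and the full `verifyError?.stack`. Gate these behind one flag so they stay out of production logs, e.g. `if (process.env.WEBAUTHN_DEBUG === '1') console.log(…)` (flag name is a placeholder), or route them through a leveled logger. Reporting the challenge only as 'present'/'missing' is the right restraint here; the stack and raw env values in the second hunk deserve the same treatment. The enclosing try/catch and the handler itself begin before this hunk.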
@@ -71,42 +76,79 @@ export default defineEventHandler(async (event) => {
 console.log('[DEBUG] WebAuthn config for verification', {
 expectedOrigin: origin,
+ expectedOriginType: typeof origin,
+ expectedOriginLength: origin?.length,
 actualOriginFromResponse: actualOrigin,
 rpId,
 requireUV,
- originMatch: origin === actualOrigin
+ originMatch: origin === actualOrigin,
+ webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
+ baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL
 })
+
+ // WICHTIG: Sicherstellen, dass die Origin KEINEN Port hat
+ if (origin && origin.includes(':3100')) {
+ console.error('[DEBUG] ERROR: expectedOrigin contains port 3100! This will cause verification to fail.')
+ console.error('[DEBUG] Fix: Set WEBAUTHN_ORIGIN=https://harheimertc.tsschulz.de (without port) in .env')
+ throw createError({
+ statusCode: 500,
+ statusMessage: 'WebAuthn-Konfiguration fehlerhaft: Origin enthält Port 3100. Bitte WEBAUTHN_ORIGIN in .env korrigieren.'
+ })
+ }
 console.log('[DEBUG] Verifying registration response...')
- const verifyStart = Date.now()
-
- const verification = await verifyRegistrationResponse({
- response,
- expectedChallenge: challenge,
+ console.log('[DEBUG] Verification parameters', {
 expectedOrigin: origin,
 expectedRPID: rpId,
- requireUserVerification: requireUV
+ hasChallenge: !!challenge,
+ challengeLength: challenge?.length,
+ hasResponse: !!response,
+ responseId: response?.id
 })
+
+ const verifyStart = Date.now()
+
+ let verification
+ try {
+ verification = await verifyRegistrationResponse({
+ response,
+ expectedChallenge: challenge,
+ expectedOrigin: origin,
+ expectedRPID: rpId,
+ requireUserVerification: requireUV
+ })
+ } catch (verifyError) {
+ const verifyDuration = Date.now() - verifyStart
+ console.error(`[DEBUG] Verification error (${verifyDuration}ms):`, {
+ error: verifyError,
+ message: verifyError?.message,
+ cause: verifyError?.cause?.message,
+ expectedOrigin: origin,
+ actualOriginFromResponse: actualOrigin,
+ stack: verifyError?.stack
+ })
+ throw verifyError
+ }
 const verifyDuration = Date.now() - verifyStart
 const { verified, registrationInfo } = verification
-
- console.log(`[DEBUG] Verification completed (${verifyDuration}ms)`, {
- verified,
- hasRegistrationInfo: !!registrationInfo,
- credentialId: registrationInfo?.credentialID ? 'present' : 'missing',
- deviceType: registrationInfo?.credentialDeviceType,
- backedUp: registrationInfo?.credentialBackedUp
- })
-
- if (!verified || !registrationInfo) {
- console.error('[DEBUG] Verification failed', {
+
+ console.log(`[DEBUG] Verification completed (${verifyDuration}ms)`, {
 verified,
- hasRegistrationInfo: !!registrationInfo
+ hasRegistrationInfo: !!registrationInfo,
+ credentialId: registrationInfo?.credentialID ? 'present' : 'missing',
+ deviceType: registrationInfo?.credentialDeviceType,
+ backedUp: registrationInfo?.credentialBackedUp
 })
- await writeAuditLog('auth.passkey.prereg.failed', { email })
- throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
- }
+
+ if (!verified || !registrationInfo) {
+ console.error('[DEBUG] Verification failed', {
+ verified,
+ hasRegistrationInfo: !!registrationInfo
+ })
+ await writeAuditLog('auth.passkey.prereg.failed', { email })
+ throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
+ }
 const { credentialID,