Add CORS support for Cross-Device Authentication in passkey handling

Enhance authentication options in the server API by adding CORS headers to support cross-device authentication. Implement handling for preflight OPTIONS requests and increase timeout for registration and authentication processes to 5 minutes, improving user experience and compatibility across devices.
2026-01-07 20:59:48 +01:00
parent 3d9b6b57dc
commit ad21534862
4 changed files with 70 additions and 4 deletions
--- a/server/api/auth/passkeys/authentication-options.post.js
+++ b/server/api/auth/passkeys/authentication-options.post.js
@@ -2,13 +2,28 @@ import { generateAuthenticationOptions } from '@simplewebauthn/server'
 import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
 import { setAuthChallenge } from '../../../utils/webauthn-challenges.js'

-export default defineEventHandler(async (_event) => {
+export default defineEventHandler(async (event) => {
+  // CORS-Header für Cross-Device Authentication
+  const origin = getHeader(event, 'origin')
+  if (origin) {
+    setHeader(event, 'Access-Control-Allow-Origin', origin)
+    setHeader(event, 'Access-Control-Allow-Credentials', 'true')
+    setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
+    setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization')
+  }
+
+  if (getMethod(event) === 'OPTIONS') {
+    return { success: true }
+  }
+
  const { rpId } = getWebAuthnConfig()

  // Username-less / discoverable credentials: allowCredentials absichtlich leer
  const options = await generateAuthenticationOptions({
    rpID: rpId,
-    userVerification: 'preferred'
+    userVerification: 'preferred',
+    // Timeout erhöhen für Cross-Device (Standard: 60s, hier: 5 Minuten)
+    timeout: 300000
  })

  setAuthChallenge(options.challenge)