torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CORS support for Cross-Device Authentication in passkey handling
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 45s
Details

Browse Source 
Enhance authentication options in the server API by adding CORS headers to support cross-device authentication. Implement handling for preflight OPTIONS requests and increase timeout for registration and authentication processes to 5 minutes, improving user experience and compatibility across devices.
This commit is contained in:
Torsten Schulz (local)
2026-01-07 20:59:48 +01:00
parent 3d9b6b57dc
commit ad21534862
4 changed files with 70 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
server/api/auth/passkeys/registration-options.post.js
View File

@@ -5,6 +5,19 @@ import { setRegistrationChallenge } from '../../../utils/webauthn-challenges.js'
import { writeAuditLog } from '../../../utils/audit-log.js'
export default defineEventHandler(async (event) => {
// CORS-Header für Cross-Device Authentication
const origin = getHeader(event, 'origin')
if (origin) {
setHeader(event, 'Access-Control-Allow-Origin', origin)
setHeader(event, 'Access-Control-Allow-Credentials', 'true')
setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization')
}
if (getMethod(event) === 'OPTIONS') {
return { success: true }
}
const token = getCookie(event, 'auth_token')
const user = token ? await getUserFromToken(token) : null
@@ -17,7 +30,16 @@ export default defineEventHandler(async (event) => {
throw createError({ statusCode: 403, statusMessage: 'Keine Berechtigung' })
}
const { rpId, rpName } = getWebAuthnConfig()
const { rpId, rpName, origin: webauthnOrigin } = getWebAuthnConfig()
// Debug: Log für Cross-Device Troubleshooting
const requestOrigin = getHeader(event, 'origin')
console.log('[WebAuthn Registration]', {
rpId,
webauthnOrigin,
requestOrigin,
userAgent: getHeader(event, 'user-agent')
})
const existing = Array.isArray(user.passkeys) ? user.passkeys : []
const excludeCredentials = existing
@@ -39,8 +61,11 @@ export default defineEventHandler(async (event) => {
authenticatorSelection: {
residentKey: 'preferred',
userVerification: 'preferred'
// authenticatorAttachment weglassen = beide Typen erlauben (platform + cross-platform)
},
excludeCredentials
excludeCredentials,
// Timeout erhöhen für Cross-Device (Standard: 60s, hier: 5 Minuten)
timeout: 300000
})
setRegistrationChallenge(user.id, options.challenge)