harheimertc/server/api/auth/passkeys/authentication-options.post.js

import { generateAuthenticationOptions } from '@simplewebauthn/server'
import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
import { setAuthChallenge } from '../../../utils/webauthn-challenges.js'

export default defineEventHandler(async (event) => {
  // CORS-Header für Cross-Device Authentication
  const origin = getHeader(event, 'origin')
  if (origin) {
    setHeader(event, 'Access-Control-Allow-Origin', origin)
    setHeader(event, 'Access-Control-Allow-Credentials', 'true')
    setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
    setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization')
  }

  if (getMethod(event) === 'OPTIONS') {
    return { success: true }
  }

  const { rpId } = getWebAuthnConfig()

  // Username-less / discoverable credentials: allowCredentials absichtlich leer
  const options = await generateAuthenticationOptions({
    rpID: rpId,
    userVerification: 'preferred',
    // Timeout erhöhen für Cross-Device (Standard: 60s, hier: 5 Minuten)
    timeout: 300000
  })

  setAuthChallenge(options.challenge)

  return { success: true, options }
})