Set a valid rpID when generating and validating registration options

beverloo · Apr 16, 2024 · f32dffe · f32dffe
1 parent 5b38e95
commit f32dffe
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 12 deletions.
diff --git a/app/api/auth/confirmIdentity.ts b/app/api/auth/confirmIdentity.ts
@@ -3,13 +3,11 @@
 
 import { generateAuthenticationOptions } from '@simplewebauthn/server';
 import { isoBase64URL } from '@simplewebauthn/server/helpers';
-import { notFound } from 'next/navigation';
 import { z } from 'zod';
 
 import type { ActionProps } from '../Action';
 import type { ApiDefinition, ApiRequest, ApiResponse } from '../Types';
 import { Log, LogType, LogSeverity } from '@lib/Log';
-import { determineEnvironment } from '@lib/Environment';
 import { isValidActivatedUser } from '@lib/auth/Authentication';
 import { retrieveCredentials } from './passkeys/PasskeyUtils';
 import { storeUserChallenge } from './passkeys/PasskeyUtils';
@@ -70,10 +68,6 @@ export async function confirmIdentity(request: Request, props: ActionProps): Pro
     if (!user)
         return { success: false };
 
-    const environment = await determineEnvironment();
-    if (!environment)
-        notFound();
-
     let authenticationOptions = undefined;
 
     const credentials = await retrieveCredentials(user);
@@ -83,7 +77,7 @@ export async function confirmIdentity(request: Request, props: ActionProps): Pro
                 id: isoBase64URL.fromBuffer(credential.credentialId),
                 // TODO: `transports`?
             })),
-            rpID: environment.environmentName,
+            rpID: props.origin.replace(/\:.*?$/g, ''),  // must be a domain
             userVerification: 'preferred',
         });
 

diff --git a/app/api/auth/passkeys/createChallenge.ts b/app/api/auth/passkeys/createChallenge.ts
@@ -56,7 +56,7 @@ export async function createChallenge(request: Request, props: ActionProps): Pro
 
     const options = await generateRegistrationOptions({
         rpName: `AnimeCon ${environment.environmentTitle}`,
-        rpID: environment.environmentName,
+        rpID: props.origin.replace(/\:.*?$/g, ''),  // must be a domain
         userID: isoUint8Array.fromUTF8String(`${props.user.userId}`),
         userName: props.user.username,
         userDisplayName: `${props.user.firstName} ${props.user.lastName}`,
@@ -67,10 +67,6 @@ export async function createChallenge(request: Request, props: ActionProps): Pro
         })),
     });
 
-    // Don't use the "relying party identifier": it defaults to the current domain, which is the
-    // behaviour we want as we're a multi-tenant system that wants to work on localhost too.
-    options.rp.id = undefined;
-
     if (!options || !options.challenge)
         return { success: false, error: 'Unable to generate a registration response' };