
Cross domain not working as in specs

Open dpecos opened this issue 1 year ago • 2 comments

First of all, thanks a lot for this plugin. It's awesome to be able to easily bring this security layer into our apps so "easily".

That being said, I'm facing a problem and I think this plugin is not following the specs to the letter: my application has two different subdomains, app.xyz.com for the client and api.xyz.com for the backend. The webauthn specs (https://www.w3.org/TR/webauthn-2/) say that this scenario can work as long as we define an 'RP ID' on the client interaction with the browser to retrieve the challenge and key.

From the docs:

[image: excerpt from the WebAuthn spec, not reproduced]

but this library is performing a strict equality check between origin and host (or proxied host):

https://github.com/jaredhanson/passport-webauthn/blob/master/lib/strategy.js#L63-L65

and also the RP ID hashes won't match as defined in the code:

https://github.com/jaredhanson/passport-webauthn/blob/master/lib/strategy.js#L106-L108

and here:

https://github.com/jaredhanson/passport-webauthn/blob/master/lib/strategy.js#L181-L183

I will try to raise an MR with the fixes ASAP.

But please, let me know if my assumptions are correct; this is really new to me and I was just reading about it because I could not make it work in my production environment.

dpecos avatar Feb 21 '24 09:02 dpecos

More details on what a "registrable domain suffix" is:

https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to

dpecos avatar Feb 21 '24 09:02 dpecos

I've forked your repo and fixed the issue in my copy, which you can find here:

https://github.com/dplabs/passport-webauthn

Aside from the fix, I'm heavily refactoring the code, so I'm not sure if you'd like to have these changes back into your repo, or if this is actually more an actual fork.

Let me know and I'll raise an MR if you're happy with the changes, otherwise I'll keep my fork open.

dpecos avatar Feb 21 '24 17:02 dpecos