passport-webauthn
Origin Mismatch Error
Working perfectly on localhost, but when hosted on some domain, e.g. account.abc.com, it says Origin Mismatch. I resolved this error temporarily as follows.
Replace, in node_modules/passport-fido2-webauthn/lib/utils.js,

```js
exports.originalOrigin = function(req, options) {
  options = options || {};
  var app = req.app;
  // Honour X-Forwarded-* headers only when the Express app trusts its proxy.
  if (app && app.get && app.get('trust proxy')) { options.proxy = true; }
  var trustProxy = options.proxy;

  var proto = (req.headers['x-forwarded-proto'] || '').toLowerCase()
    // TLS if the socket itself is encrypted, or the trusted proxy says the first hop was https.
    , tls = req.connection.encrypted || (trustProxy && 'https' == proto.split(/\s*,\s*/)[0])
    , host = (trustProxy && req.headers['x-forwarded-host']) || req.headers.host
    , protocol = tls ? 'https' : 'http';
  return protocol + '://' + host;
};
```

with

```js
// Workaround: use the request's Origin header as the expected origin.
exports.originalOrigin = function(req, options) {
  const origin = req.get('origin');
  return origin;
};
```
Please update the passport-fido2-webauthn package @jaredhanson
Could you please provide the headers of the request (`Host` and `Origin` in particular), so I can understand why one works and the other does not?
When I host developer.fourreck.com:

```js
const origin = req.get('origin');
if (origin !== clientData.origin) {
  return self.fail({ message: 'Origin mismatch' }, 403);
}
```

clientData:

```js
{
  challenge: 'FHsFxGoaCd7s4QZY_*****',
  crossOrigin: false,
  origin: 'https://developer.fourreck.com',
  type: 'webauthn.create'
}
```

origin => shows: http://localhost:3000
clientData.origin => shows: https://developer.fourreck.com
result => shows: Origin mismatch
And also it will not run on an Android smartphone.
Please update the passport-fido2-webauthn package with some basic changes @jaredhanson
Any update on this? It is happening to me as well. If there is any info I can provide, let me know.
This is still relevant; it also happens on localhost if you serve the backend and the frontend on different ports.
A quick fix is to add

```js
app.enable('trust proxy');
```

in app.js.
This will resolve the issue for the web app. But I am still facing issues with the Android app.
origin from headers: https://23b0-45-112-22-143.in.ngrok.io
clientData.origin: android:apk-key-hash:R8xO7rlQWaWL4BlFygptWRb5qcKWdfjzZIaSRit9XVw
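The three symptoms in this thread (origin computed as http behind a TLS-terminating proxy, the `trust proxy` workaround, and an Android app whose clientData.origin is an `android:apk-key-hash:` value rather than a URL) come from the same design question: what set of origins the relying party should accept. The following is an added example, not code from passport-fido2-webauthn, its PR, or anyone in this thread. It derives the server's own origin with the same X-Forwarded-* logic as the library, adds explicitly configured non-web origins, and checks a decoded clientDataJSON against that allowlist instead of comparing it with the client-controlled Origin request header. The option names (`trustProxy`, `extraOrigins`), helper names, and all sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not code from passport-fido2-webauthn or from this thread):
// build the relying party's expected-origin set and verify a WebAuthn
// clientDataJSON against it. Option and helper names are assumptions.

// base64url helpers that do not depend on Node's 'base64url' encoding name.
function fromBase64url(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}
function toBase64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Origin the server believes it is serving. X-Forwarded-Proto / X-Forwarded-Host
// are honoured only when the deployment trusts its reverse proxy; without that,
// a TLS-terminating proxy makes the server think it serves plain http, which is
// the "works on localhost, fails behind account.abc.com" symptom.
// `req` is a plain { headers, socket } object so this runs outside Express.
function serverOrigin(req, { trustProxy = false } = {}) {
  const headers = req.headers || {};
  // Only the first hop of a comma-separated X-Forwarded-Proto is the client's scheme.
  const proto = String(headers['x-forwarded-proto'] || '').toLowerCase().split(/\s*,\s*/)[0];
  const tls = Boolean(req.socket && req.socket.encrypted) || (trustProxy && proto === 'https');
  const host = (trustProxy && headers['x-forwarded-host']) || headers.host;
  if (!host) throw new Error('request carries no Host header');
  return (tls ? 'https' : 'http') + '://' + host;
}

// Allowlist of origins that may complete a ceremony: the web origin this server
// serves plus any non-web origins registered out of band, e.g. the
// "android:apk-key-hash:<base64url SHA-256 of the signing cert>" origin that
// Android's FIDO2 API places in clientData.origin. The Origin request header is
// deliberately not consulted: the client controls it, so comparing it with
// clientData.origin (also client-supplied) proves nothing.
function expectedOrigins(req, { trustProxy = false, extraOrigins = [] } = {}) {
  return new Set([serverOrigin(req, { trustProxy }), ...extraOrigins]);
}

// Decode clientDataJSON and check type, challenge and origin, in that order.
function verifyClientData(clientDataJSONB64url, { expectedType, expectedChallenge, allowedOrigins }) {
  let clientData;
  try {
    clientData = JSON.parse(fromBase64url(clientDataJSONB64url).toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'clientDataJSON is not valid JSON' };
  }
  if (clientData.type !== expectedType) return { ok: false, reason: 'type mismatch' };
  if (clientData.challenge !== expectedChallenge) return { ok: false, reason: 'challenge mismatch' };
  if (!allowedOrigins.has(clientData.origin)) {
    return { ok: false, reason: 'origin mismatch', origin: clientData.origin };
  }
  return { ok: true, origin: clientData.origin };
}

// Constructed sample inputs (no real credentials or apps): one registration
// challenge, completed once from a browser and once from an Android app whose
// signing-certificate hash is a placeholder of 32 0x01 bytes.
const CHALLENGE = toBase64url(Buffer.from('example-challenge-do-not-reuse'));
const ANDROID_ORIGIN = 'android:apk-key-hash:' + toBase64url(Buffer.alloc(32, 1));

function sampleClientData(origin) {
  return toBase64url(Buffer.from(JSON.stringify({
    type: 'webauthn.create', challenge: CHALLENGE, origin, crossOrigin: false,
  })));
}

// Request as seen behind a TLS-terminating proxy: the socket is plain http,
// but the proxy reports that the client used https.
const behindProxy = {
  headers: { host: 'account.abc.com', 'x-forwarded-proto': 'https' },
  socket: { encrypted: false },
};

function demo() {
  const browserCD = sampleClientData('https://account.abc.com');
  const androidCD = sampleClientData(ANDROID_ORIGIN);
  const check = (cd, opts) => verifyClientData(cd, {
    expectedType: 'webauthn.create',
    expectedChallenge: CHALLENGE,
    allowedOrigins: expectedOrigins(behindProxy, opts),
  });
  return {
    // Proxy not trusted: server computes http://account.abc.com, browser sent https.
    untrustedProxy: check(browserCD, {}).reason,
    // Proxy trusted: https://account.abc.com matches.
    trustedProxy: check(browserCD, { trustProxy: true }).ok,
    // Android origin is never derivable from the request; it must be allowlisted.
    androidWithoutAllowlist: check(androidCD, { trustProxy: true }).reason,
    androidAllowlisted: check(androidCD, { trustProxy: true, extraOrigins: [ANDROID_ORIGIN] }).ok,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The point of `extraOrigins` is that an Android app's origin cannot be recovered from any HTTP header; it has to be configured from the app's signing-certificate hash. Enabling `trust proxy` fixes only the web case, and swapping in the Origin header removes the check rather than fixing it.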
This is indeed a core bug. The fix at https://github.com/jaredhanson/passport-webauthn/issues/5#issue-1330728864 should suffice.
PR submitted at https://github.com/jaredhanson/passport-webauthn/pull/8
Note that you can use our package/fork for https://forwardemail.net by installing @forwardemail/passport-fido2-webauthn.
@titanism replace, in the file node_modules/passport-fido2-webauthn/lib/utils.js,

```js
exports.originalOrigin = function(req, options) {
  options = options || {};
  var app = req.app;
  if (app && app.get && app.get('trust proxy')) { options.proxy = true; }
  var trustProxy = options.proxy;

  var proto = (req.headers['x-forwarded-proto'] || '').toLowerCase()
    , tls = req.connection.encrypted || (trustProxy && 'https' == proto.split(/\s*,\s*/)[0])
    , host = (trustProxy && req.headers['x-forwarded-host']) || req.headers.host
    , protocol = tls ? 'https' : 'http';
  return protocol + '://' + host;
};
```

with

```js
// Workaround: use the request's Origin header as the expected origin.
exports.originalOrigin = function(req, options) {
  const origin = req.get('origin');
  return origin;
};
```

This will work until the utils file is updated.
We're well aware of how to fix this @MudasarRather, and we maintain our own npm package now per https://github.com/jaredhanson/passport-webauthn/issues/5#issuecomment-1855107808.
@MudasarRather see https://github.com/orgs/forwardemail/discussions/182#discussioncomment-7848427 for our implementation
What's the blocker here to not merge the provided PR? It seems to clearly fix the issue, and I don't think a fork should be needed to use this fix. Can someone please continue with the review?