Common origin when registering (#2819)

dfinity · Jan 28, 2025 · be9eee2 · be9eee2
1 parent 6819061
commit be9eee2
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/src/frontend/src/flows/register/index.ts b/src/frontend/src/flows/register/index.ts
@@ -108,8 +108,12 @@ export const registerFlow = async ({
   const flowStart = precomputeFirst(() => identityRegistrationStart());
 
   const displayUserNumber = displayUserNumberWarmup();
+  // We register the device's origin in the current domain.
+  // If we want to change it, we need to change this line.
+  const deviceOrigin = window.location.origin;
   const savePasskeyResult = await savePasskeyOrPin({
     pinAllowed: await pinAllowed(),
+    origin: deviceOrigin,
   });
   if (savePasskeyResult === "canceled") {
     return "canceled";
@@ -161,6 +165,7 @@ export const registerFlow = async ({
           pubKey: identity.getPublicKey().toDer(),
           credentialId: identity.rawId,
           authenticatorAttachment: identity.getAuthenticatorAttachment(),
+          origin: deviceOrigin,
         }),
         authnMethod: "passkey" as const,
       };

diff --git a/src/frontend/src/flows/register/passkey.ts b/src/frontend/src/flows/register/passkey.ts
@@ -99,8 +99,10 @@ export const savePasskeyPage = renderPage(savePasskeyTemplate);
 // Prompt the user to create a WebAuthn identity or a PIN identity (if allowed)
 export const savePasskeyOrPin = async ({
   pinAllowed,
+  origin,
 }: {
   pinAllowed: boolean;
+  origin: string;
 }): Promise<IIWebAuthnIdentity | "pin" | "canceled" | undefined> => {
   if (pinAllowed) {
     return new Promise((resolve) => {
@@ -110,7 +112,13 @@ export const savePasskeyOrPin = async ({
         scrollToTop: true,
         constructPasskey: async () => {
           try {
-            const identity = await withLoader(() => constructIdentity({}));
+            const rpId =
+              origin === window.location.origin
+                ? undefined
+                : new URL(origin).hostname;
+            const identity = await withLoader(() =>
+              constructIdentity({ rpId })
+            );
             resolve(identity);
           } catch (e) {
             toast.error(errorMessage(e));

diff --git a/src/frontend/src/utils/authnMethodData.ts b/src/frontend/src/utils/authnMethodData.ts
@@ -40,17 +40,18 @@ export const passkeyAuthnMethodData = ({
   pubKey,
   credentialId,
   authenticatorAttachment,
+  origin,
 }: {
   alias: string;
   pubKey: DerEncodedPublicKey;
   credentialId: CredentialId;
   authenticatorAttachment?: AuthenticatorAttachment;
+  origin: string;
 }): AuthnMethodData => {
   const metadata: MetadataMapV2 = [
     ["alias", { String: alias }],
     // The origin in the metadata might not match the origin in the auth method if the origin is longer than 50 characters.
-    // TODO: Expect the origin as parameter because it might be different than the window if a RP ID is used.
-    ["origin", { String: window.origin }],
+    ["origin", { String: origin }],
   ];
   if (nonNullish(authenticatorAttachment)) {
     metadata.push([