From 19dc021246e1ff731a3105907f2a41463eebdb5e Mon Sep 17 00:00:00 2001
From: Bert Proesmans
Date: Sat, 14 Feb 2026 21:55:00 +0000
Subject: [PATCH] Add option to validate keys where browser reports subdomain of domain URL
---
 src/api/core/two_factor/webauthn.rs | 9 +++++++--
 src/config.rs | 3 +++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/api/core/two_factor/webauthn.rs b/src/api/core/two_factor/webauthn.rs
index b10a5ded..07e1f3f7 100644
--- a/src/api/core/two_factor/webauthn.rs
+++ b/src/api/core/two_factor/webauthn.rs
@@ -32,12 +32,17 @@ use webauthn_rs_proto::{
 static WEBAUTHN: LazyLock = LazyLock::new(|| {
 let domain = CONFIG.domain();
 let domain_origin = CONFIG.domain_origin();
- let rp_id = Url::parse(&domain).map(|u| u.domain().map(str::to_owned)).ok().flatten().unwrap_or_default();
- let rp_origin = Url::parse(&domain_origin).unwrap();
+ let rp_id = Url::parse(&domain)
+ .map(|u| u.domain().map(str::to_owned))
+ .ok()
+ .flatten()
+ .expect("Invalid domain part for rp_id");
+ let rp_origin = Url::parse(&domain_origin).expect("Invalid domain_origin for rp_origin");
 let webauthn = WebauthnBuilder::new(&rp_id, &rp_origin)
 .expect("Creating WebauthnBuilder failed")
 .rp_name(&domain)
+ .allow_subdomains(CONFIG.webauthn_allow_subdomains())
 .timeout(Duration::from_millis(60000));
 webauthn.build().expect("Building Webauthn failed")
diff --git a/src/config.rs b/src/config.rs
index 4fb103fa..5e024976 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -793,6 +793,9 @@ make_config! {
 /// Prefer IPv6 (AAAA) resolving |> This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
 /// This could be useful in IPv6 only environments.
 dns_prefer_ipv6: bool, true, def, false;
+
+ /// Accept passkeys bound to subdomains |> This setting controls if passkeys bound to sub-domains of are accepted for authentication.
+ webauthn_allow_subdomains: bool, false, def, false;
 },
 /// OpenID Connect SSO settings
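Review bot: The new `.allow_subdomains(CONFIG.webauthn_allow_subdomains())` call in the `WEBAUTHN` initializer relaxes the WebAuthn origin check, and nothing at the call site records that trust decision. As I understand webauthn-rs, with the flag on an origin on any subdomain of the configured domain passes verification, so every host under that domain becomes part of the second-factor trust boundary. I would add a comment above the call such as `// Off by default: when enabled, origins on any subdomain of the configured domain are accepted, so all of them must be as trusted as the vault.` Separately, replacing `unwrap_or_default()` with `expect("Invalid domain part for rp_id")` is a behaviour change the commit message does not mention: `Url::domain()` is `None` for IP-address hosts, so such a DOMAIN now panics inside the `LazyLock` initializer on first use. If that is intended, naming the offending value in the panic message would help operators; the initializer's closing lines are outside the hunk.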
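Review bot: The help text added for `webauthn_allow_subdomains` does not tell operators what they are trusting when they turn it on, and as shown it reads "sub-domains of are accepted", which looks like a dropped word (possibly lost when this page was rendered). I would name the setting it is relative to and state the consequence, for example `/// Accept passkeys bound to subdomains |> Accept WebAuthn responses whose origin is a subdomain of DOMAIN. Only enable this if every subdomain is as trusted as the vault itself.` Keeping the default `false` is the right choice. The `make_config!` block starts and ends outside the hunk.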