Add option to validate keys where browser reports subdomain of domain URL

4 weeks ago · 19dc021246
2 changed files with 10 additions and 2 deletions
--- a/src/api/core/two_factor/webauthn.rs
+++ b/src/api/core/two_factor/webauthn.rs
@ -32,12 +32,17 @@ use webauthn_rs_proto::{
 static WEBAUTHN: LazyLock<Webauthn> = LazyLock::new(|| {
    let domain = CONFIG.domain();
    let domain_origin = CONFIG.domain_origin();
-    let rp_id = Url::parse(&domain).map(|u| u.domain().map(str::to_owned)).ok().flatten().unwrap_or_default();
-    let rp_origin = Url::parse(&domain_origin).unwrap();
+    let rp_id = Url::parse(&domain)
+        .map(|u| u.domain().map(str::to_owned))
+        .ok()
+        .flatten()
+        .expect("Invalid domain part for rp_id");
+    let rp_origin = Url::parse(&domain_origin).expect("Invalid domain_origin for rp_origin");

    let webauthn = WebauthnBuilder::new(&rp_id, &rp_origin)
        .expect("Creating WebauthnBuilder failed")
        .rp_name(&domain)
+        .allow_subdomains(CONFIG.webauthn_allow_subdomains())
        .timeout(Duration::from_millis(60000));

    webauthn.build().expect("Building Webauthn failed")
--- a/src/config.rs
+++ b/src/config.rs
@ -793,6 +793,9 @@ make_config! {
        /// Prefer IPv6 (AAAA) resolving |> This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
        /// This could be useful in IPv6 only environments.
        dns_prefer_ipv6: bool, true, def, false;
+
+        /// Accept passkeys bound to subdomains |> This setting controls if passkeys bound to sub-domains of <Domain URL> are accepted for authentication.
+        webauthn_allow_subdomains: bool, false, def, false;
    },

    /// OpenID Connect SSO settings