feat(auth): add configuring u2f expect origin

2026-01-16 20:04:32 -05:00 · 2023-01-23 13:52:58 +01:00
parent 657aaf75ec
commit 1797bc8181
7 changed files with 13 additions and 2 deletions
--- a/packages/auth/.env.sample
+++ b/packages/auth/.env.sample
@@ -71,3 +71,4 @@ WEB_SOCKET_CONNECTION_TOKEN_SECRET=
 # (Optional) U2F Setup
 U2F_RELYING_PARTY_ID=
 U2F_RELYING_PARTY_NAME=
+U2F_EXPECTED_ORIGIN=
--- a/packages/auth/src/Bootstrap/Container.ts
+++ b/packages/auth/src/Bootstrap/Container.ts
@@ -462,6 +462,9 @@ export class ContainerConfigLoader {
    container
      .bind(TYPES.U2F_RELYING_PARTY_ID)
      .toConstantValue(env.get('U2F_RELYING_PARTY_ID', true) ?? 'standardnotes.com')
+    container
+      .bind(TYPES.U2F_EXPECTED_ORIGIN)
+      .toConstantValue(env.get('U2F_EXPECTED_ORIGIN', true) ?? 'https://app.standardnotes.com')
    // Services
    container.bind<UAParser>(TYPES.DeviceDetector).toConstantValue(new UAParser())
    container.bind<SessionService>(TYPES.SessionService).to(SessionService)
@@ -575,6 +578,7 @@ export class ContainerConfigLoader {
          container.get(TYPES.AuthenticatorRepository),
          container.get(TYPES.AuthenticatorChallengeRepository),
          container.get(TYPES.U2F_RELYING_PARTY_ID),
+          container.get(TYPES.U2F_EXPECTED_ORIGIN),
        ),
      )
    container
@@ -592,6 +596,7 @@ export class ContainerConfigLoader {
          container.get(TYPES.AuthenticatorRepository),
          container.get(TYPES.AuthenticatorChallengeRepository),
          container.get(TYPES.U2F_RELYING_PARTY_ID),
+          container.get(TYPES.U2F_EXPECTED_ORIGIN),
        ),
      )
    container
--- a/packages/auth/src/Bootstrap/Types.ts
+++ b/packages/auth/src/Bootstrap/Types.ts
@@ -96,6 +96,7 @@ const TYPES = {
  SESSION_TRACE_DAYS_TTL: Symbol.for('SESSION_TRACE_DAYS_TTL'),
  U2F_RELYING_PARTY_ID: Symbol.for('U2F_RELYING_PARTY_ID'),
  U2F_RELYING_PARTY_NAME: Symbol.for('U2F_RELYING_PARTY_NAME'),
+  U2F_EXPECTED_ORIGIN: Symbol.for('U2F_EXPECTED_ORIGIN'),
  // use cases
  AuthenticateUser: Symbol.for('AuthenticateUser'),
  AuthenticateRequest: Symbol.for('AuthenticateRequest'),
--- a/packages/auth/src/Domain/UseCase/VerifyAuthenticatorAuthenticationResponse/VerifyAuthenticatorAuthenticationResponse.spec.ts
+++ b/packages/auth/src/Domain/UseCase/VerifyAuthenticatorAuthenticationResponse/VerifyAuthenticatorAuthenticationResponse.spec.ts
@@ -17,6 +17,7 @@ describe('VerifyAuthenticatorAuthenticationResponse', () => {
      authenticatorRepository,
      authenticatorChallengeRepository,
      'standardnotes.com',
+      'https://app.standardnotes.com',
    )

  beforeEach(() => {
--- a/packages/auth/src/Domain/UseCase/VerifyAuthenticatorAuthenticationResponse/VerifyAuthenticatorAuthenticationResponse.ts
+++ b/packages/auth/src/Domain/UseCase/VerifyAuthenticatorAuthenticationResponse/VerifyAuthenticatorAuthenticationResponse.ts
@@ -11,6 +11,7 @@ export class VerifyAuthenticatorAuthenticationResponse implements UseCaseInterfa
    private authenticatorRepository: AuthenticatorRepositoryInterface,
    private authenticatorChallengeRepository: AuthenticatorChallengeRepositoryInterface,
    private relyingPartyId: string,
+    private expectedOrigin: string,
  ) {}

  async execute(dto: VerifyAuthenticatorAuthenticationResponseDTO): Promise<Result<boolean>> {
@@ -40,7 +41,7 @@ export class VerifyAuthenticatorAuthenticationResponse implements UseCaseInterfa
      verification = await verifyAuthenticationResponse({
        response: dto.authenticatorResponse,
        expectedChallenge: authenticatorChallenge.props.challenge.toString(),
-        expectedOrigin: `https://${this.relyingPartyId}`,
+        expectedOrigin: this.expectedOrigin,
        expectedRPID: this.relyingPartyId,
        authenticator: {
          counter: authenticator.props.counter,
--- a/packages/auth/src/Domain/UseCase/VerifyAuthenticatorRegistrationResponse/VerifyAuthenticatorRegistrationResponse.spec.ts
+++ b/packages/auth/src/Domain/UseCase/VerifyAuthenticatorRegistrationResponse/VerifyAuthenticatorRegistrationResponse.spec.ts
@@ -17,6 +17,7 @@ describe('VerifyAuthenticatorRegistrationResponse', () => {
      authenticatorRepository,
      authenticatorChallengeRepository,
      'standardnotes.com',
+      'https://app.standardnotes.com',
    )

  beforeEach(() => {
--- a/packages/auth/src/Domain/UseCase/VerifyAuthenticatorRegistrationResponse/VerifyAuthenticatorRegistrationResponse.ts
+++ b/packages/auth/src/Domain/UseCase/VerifyAuthenticatorRegistrationResponse/VerifyAuthenticatorRegistrationResponse.ts
@@ -11,6 +11,7 @@ export class VerifyAuthenticatorRegistrationResponse implements UseCaseInterface
    private authenticatorRepository: AuthenticatorRepositoryInterface,
    private authenticatorChallengeRepository: AuthenticatorChallengeRepositoryInterface,
    private relyingPartyId: string,
+    private expectedOrigin: string,
  ) {}

  async execute(dto: VerifyAuthenticatorRegistrationResponseDTO): Promise<Result<boolean>> {
@@ -35,7 +36,7 @@ export class VerifyAuthenticatorRegistrationResponse implements UseCaseInterface
      verification = await verifyRegistrationResponse({
        response: dto.attestationResponse,
        expectedChallenge: authenticatorChallenge.props.challenge.toString(),
-        expectedOrigin: `https://${this.relyingPartyId}`,
+        expectedOrigin: this.expectedOrigin,
        expectedRPID: this.relyingPartyId,
      })