fix: passkeys behind TLS reverse proxy (#225)

* fix: passkeys behind TLS reverse proxy Add passkeyPublicOrigin and wire it through passkey routes so origin/rpId match the browser when dev runs behind nginx. Expose dev-only /_emdash/api/dev/passkey-url, add admin messaging for insecure WebAuthn contexts, nginx repro under demos/simple, and direct kysely dependency for the simple demo Node adapter bundle. Made-with: Cursor * docs: add passkeyPublicOrigin to configuration reference Adds the new passkeyPublicOrigin option and reverse proxy guidance to the public-facing configuration docs as requested in PR review. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * update tests and more docs * fix: add missing refresh-server-pat fixture and restore docs heading --------- Co-authored-by: Joseph Eftekhari <jdeftekhari@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 23:41:07 -07:00
parent 28f98fda4f
commit d2114523a5
25 changed files with 526 additions and 53 deletions
--- a/demos/simple/astro.config.mjs
+++ b/demos/simple/astro.config.mjs
@@ -10,6 +10,13 @@ export default defineConfig({
 	adapter: node({
 		mode: "standalone",
 	}),
+	// Example: allowed domains for reverse proxy
+	// security: {
+	// 	allowedDomains: [
+	// 		{ hostname: "emdash.local", protocol: "http" },
+	// 		{ hostname: "emdash.local", protocol: "https" },
+	// 	],
+	// },
 	image: {
 		layout: "constrained",
 		responsiveStyles: true,
@@ -23,7 +30,15 @@ export default defineConfig({
 				baseUrl: "/_emdash/api/media/file",
 			}),
 			plugins: [auditLogPlugin()],
+			// HTTPS reverse proxy: uncomment so passkey verify matches browser origin
+			// passkeyPublicOrigin: "https://emdash.local:8443",
 		}),
 	],
 	devToolbar: { enabled: false },
+	// Example: allowed hosts for reverse proxy
+	// vite: {
+	// 	server: {
+	// 		allowedHosts: ["emdash.local"],
+	// 	},
+	// },
 });