fix: passkeys behind TLS reverse proxy (#225)

* fix: passkeys behind TLS reverse proxy Add passkeyPublicOrigin and wire it through passkey routes so origin/rpId match the browser when dev runs behind nginx. Expose dev-only /_emdash/api/dev/passkey-url, add admin messaging for insecure WebAuthn contexts, nginx repro under demos/simple, and direct kysely dependency for the simple demo Node adapter bundle. Made-with: Cursor * docs: add passkeyPublicOrigin to configuration reference Adds the new passkeyPublicOrigin option and reverse proxy guidance to the public-facing configuration docs as requested in PR review. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * update tests and more docs * fix: add missing refresh-server-pat fixture and restore docs heading --------- Co-authored-by: Joseph Eftekhari <jdeftekhari@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 23:41:07 -07:00
parent 28f98fda4f
commit d2114523a5
25 changed files with 526 additions and 53 deletions
--- a/packages/admin/tests/lib/webauthn-environment.test.ts
+++ b/packages/admin/tests/lib/webauthn-environment.test.ts
@@ -0,0 +1,54 @@
+import { describe, it, expect, afterEach } from "vitest";
+
+import {
+	isPasskeyEnvironmentUsable,
+	isPublicKeyCredentialConstructorAvailable,
+	isWebAuthnSecureContext,
+} from "../../src/lib/webauthn-environment";
+
+describe("webauthn-environment", () => {
+	const origPk = globalThis.window.PublicKeyCredential;
+	const desc = Object.getOwnPropertyDescriptor(globalThis.window, "isSecureContext");
+
+	afterEach(() => {
+		if (origPk === undefined) {
+			delete (globalThis.window as { PublicKeyCredential?: unknown }).PublicKeyCredential;
+		} else {
+			Object.defineProperty(globalThis.window, "PublicKeyCredential", {
+				value: origPk,
+				configurable: true,
+				writable: true,
+			});
+		}
+		if (desc) Object.defineProperty(globalThis.window, "isSecureContext", desc);
+	});
+
+	it("is usable only when secure context and PublicKeyCredential constructor exist", () => {
+		Object.defineProperty(globalThis.window, "isSecureContext", {
+			value: true,
+			configurable: true,
+		});
+		Object.defineProperty(globalThis.window, "PublicKeyCredential", {
+			value: function PublicKeyCredential() {},
+			configurable: true,
+			writable: true,
+		});
+		expect(isWebAuthnSecureContext()).toBe(true);
+		expect(isPublicKeyCredentialConstructorAvailable()).toBe(true);
+		expect(isPasskeyEnvironmentUsable()).toBe(true);
+	});
+
+	it("is not usable in an insecure context even if PublicKeyCredential is defined", () => {
+		Object.defineProperty(globalThis.window, "isSecureContext", {
+			value: false,
+			configurable: true,
+		});
+		Object.defineProperty(globalThis.window, "PublicKeyCredential", {
+			value: function PublicKeyCredential() {},
+			configurable: true,
+			writable: true,
+		});
+		expect(isWebAuthnSecureContext()).toBe(false);
+		expect(isPasskeyEnvironmentUsable()).toBe(false);
+	});
+});