fix: passkeys behind TLS reverse proxy (#225)

* fix: passkeys behind TLS reverse proxy

Add passkeyPublicOrigin and wire it through passkey routes so origin/rpId match
the browser when dev runs behind nginx. Expose dev-only /_emdash/api/dev/passkey-url,
add admin messaging for insecure WebAuthn contexts, nginx repro under demos/simple,
and direct kysely dependency for the simple demo Node adapter bundle.

Made-with: Cursor

* docs: add passkeyPublicOrigin to configuration reference

Adds the new passkeyPublicOrigin option and reverse proxy guidance
to the public-facing configuration docs as requested in PR review.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* update tests and more docs

* fix: add missing refresh-server-pat fixture and restore docs heading

---------

Co-authored-by: Joseph Eftekhari <jdeftekhari@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/core/tests/unit/auth/passkey-config.test.ts

@@ -2,8 +2,54 @@ import { describe, it, expect } from "vitest";
 
 import { getPasskeyConfig } from "../../../src/auth/passkey-config.js";
 
+/** URL shape from `new URL(request.url)` after trusted proxy + Astro `security.allowedDomains`. */
+function urlAfterTrustedProxy(path: string, host: string, proto: "http" | "https"): URL {
+	return new URL(path, `${proto}://${host}`);
+}
+
 describe("passkey-config", () => {
+	describe("getPasskeyConfig() via emulated reverse proxy URL", () => {
+		const internalDevUrl = "http://127.0.0.1:4321/_emdash/api/auth/passkey/register/options";
+
+		it("loopback URL alone matches Node before rewrite — rpId is not the public host", () => {
+			const url = new URL(internalDevUrl);
+			expect(getPasskeyConfig(url).rpId).toBe("127.0.0.1");
+		});
+
+		it("forwarded Host/Proto yield the URL handlers see; rp matches HTTP reverse-proxy edge", () => {
+			const url = urlAfterTrustedProxy(
+				"/_emdash/api/auth/passkey/register/options",
+				"emdash.local:8080",
+				"http",
+			);
+			const config = getPasskeyConfig(url, "My Site");
+			expect(config.rpId).toBe("emdash.local");
+			expect(config.rpName).toBe("My Site");
+			expect(config.origin).toBe("http://emdash.local:8080");
+		});
+
+		it("HTTPS listener on proxy with HTTP upstream: passkeyPublicOrigin aligns origin with browser", () => {
+			const urlAstroSeesFromForwardedHttp = urlAfterTrustedProxy(
+				"/_emdash/api/setup/admin",
+				"emdash.local:8080",
+				"http",
+			);
+			const browserOrigin = "https://emdash.local:8443";
+			const config = getPasskeyConfig(urlAstroSeesFromForwardedHttp, "My Site", browserOrigin);
+			expect(config.rpId).toBe("emdash.local");
+			expect(config.rpName).toBe("My Site");
+			expect(config.origin).toBe(browserOrigin);
+		});
+	});
+
 	describe("getPasskeyConfig()", () => {
+		it("throws when passkeyPublicOrigin is not a valid URL", () => {
+			const url = new URL("http://localhost:4321/admin");
+			expect(() => getPasskeyConfig(url, "Site", "::not-a-url")).toThrow(
+				"Invalid passkeyPublicOrigin",
+			);
+		});
+
 		it("extracts rpId from localhost URL", () => {
 			const url = new URL("http://localhost:4321/admin");
 			const config = getPasskeyConfig(url);
@@ -78,5 +124,47 @@ describe("passkey-config", () => {
 			expect(config.origin).toBe("https://example.com");
 			expect(config.rpId).toBe("example.com");
 		});
+
+		it("documents HTTPS reverse-proxy dev pitfall: server URL scheme must match the browser", () => {
+			const serverDevUrl = new URL("http://emdash.local:8443/_emdash/api/setup/admin");
+			const browserPageOrigin = new URL("https://emdash.local:8443/_emdash/admin/setup");
+
+			const fromServer = getPasskeyConfig(serverDevUrl);
+			const fromBrowser = getPasskeyConfig(browserPageOrigin);
+
+			expect(fromServer.rpId).toBe(fromBrowser.rpId);
+			expect(fromServer.origin).toBe("http://emdash.local:8443");
+			expect(fromBrowser.origin).toBe("https://emdash.local:8443");
+			// verifyRegistrationResponse requires clientData.origin === config.origin (see @emdash-cms/auth/passkey)
+			expect(fromServer.origin).not.toBe(fromBrowser.origin);
+		});
+
+		it("passkeyPublicOrigin overrides origin and rpId (TLS termination and loopback request URL)", () => {
+			const fromForwardedHttp = getPasskeyConfig(
+				new URL("http://emdash.local:8443/_emdash/api/setup/admin"),
+				"My Site",
+				"https://emdash.local:8443",
+			);
+			expect(fromForwardedHttp.rpName).toBe("My Site");
+			expect(fromForwardedHttp.rpId).toBe("emdash.local");
+			expect(fromForwardedHttp.origin).toBe("https://emdash.local:8443");
+
+			const fromLoopback = getPasskeyConfig(
+				new URL("http://127.0.0.1:4321/_emdash/api/setup/admin"),
+				"My CMS",
+				"https://public.example:8443",
+			);
+			expect(fromLoopback.rpId).toBe("public.example");
+			expect(fromLoopback.rpName).toBe("My CMS");
+			expect(fromLoopback.origin).toBe("https://public.example:8443");
+
+			const hostnameOnly = getPasskeyConfig(
+				new URL("http://127.0.0.1:4321/x"),
+				undefined,
+				"https://public.example:8443",
+			);
+			expect(hostnameOnly.rpName).toBe("public.example");
+			expect(hostnameOnly.rpId).toBe("public.example");
+		});
 	});
 });