Fixed Origin mismatch for passkeys

src/pages/api/auth/passkey/login/finish.ts

@@ -3,7 +3,7 @@ import { verifyAuthenticationResponse } from "@simplewebauthn/server";
 import { db } from "../../../../../db";
 import { users, passkeys, passkeyChallenges } from "../../../../../db/schema";
 import { eq, and, gt } from "drizzle-orm";
-import { setAuthCookie } from "../../../../../lib/auth";
+import { setAuthCookie, getOrigin } from "../../../../../lib/auth";
 
 export const POST: APIRoute = async ({ request, cookies }) => {
   const body = await request.json();
@@ -50,11 +50,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
   let verification;
   try {
+    const { origin, hostname } = getOrigin();
     verification = await verifyAuthenticationResponse({
       response: body,
       expectedChallenge: challenge as string,
-      expectedOrigin: new URL(request.url).origin,
-      expectedRPID: new URL(request.url).hostname,
+      expectedOrigin: origin,
+      expectedRPID: hostname,
       credential: {
         id: passkey.id,
         publicKey: new Uint8Array(Buffer.from(passkey.publicKey, "base64")),

src/pages/api/auth/passkey/login/start.ts

@@ -3,14 +3,17 @@ import { generateAuthenticationOptions } from "@simplewebauthn/server";
 import { db } from "../../../../../db";
 import { passkeyChallenges } from "../../../../../db/schema";
 import { lte } from "drizzle-orm";
+import { getOrigin } from "../../../../../lib/auth";
 
 export const GET: APIRoute = async ({ request }) => {
   await db
     .delete(passkeyChallenges)
     .where(lte(passkeyChallenges.expiresAt, new Date()));
 
+  const { hostname } = getOrigin();
+
   const options = await generateAuthenticationOptions({
-    rpID: new URL(request.url).hostname,
+    rpID: hostname,
     userVerification: "preferred",
   });
 

src/pages/api/auth/passkey/register/finish.ts

@@ -3,6 +3,7 @@ import { verifyRegistrationResponse } from "@simplewebauthn/server";
 import { db } from "../../../../../db";
 import { passkeys, passkeyChallenges } from "../../../../../db/schema";
 import { eq, and, gt } from "drizzle-orm";
+import { getOrigin } from "../../../../../lib/auth";
 
 export const POST: APIRoute = async ({ request, locals }) => {
   const user = locals.user;
@@ -41,11 +42,12 @@ export const POST: APIRoute = async ({ request, locals }) => {
 
   let verification;
   try {
+    const { origin, hostname } = getOrigin();
     verification = await verifyRegistrationResponse({
       response: body,
       expectedChallenge: challenge,
-      expectedOrigin: new URL(request.url).origin,
-      expectedRPID: new URL(request.url).hostname,
+      expectedOrigin: origin,
+      expectedRPID: hostname,
     });
   } catch (error) {
     console.error("Passkey registration verification failed:", error);

src/pages/api/auth/passkey/register/start.ts

@@ -3,6 +3,7 @@ import { generateRegistrationOptions } from "@simplewebauthn/server";
 import { db } from "../../../../../db";
 import { passkeys, passkeyChallenges } from "../../../../../db/schema";
 import { eq, lte } from "drizzle-orm";
+import { getOrigin } from "../../../../../lib/auth";
 
 export const GET: APIRoute = async ({ request, locals }) => {
   const user = locals.user;
@@ -21,9 +22,11 @@ export const GET: APIRoute = async ({ request, locals }) => {
     where: eq(passkeys.userId, user.id),
   });
 
+  const { hostname } = getOrigin();
+
   const options = await generateRegistrationOptions({
     rpName: "Chronus",
-    rpID: new URL(request.url).hostname,
+    rpID: hostname,
     userName: user.email,
     attestationType: "none",
     excludeCredentials: userPasskeys.map((passkey) => ({