fix: provide domain in session, passkey and u2f (#6097)

This fix provides a possibility to pass a domain on the session, which will be used (as rpID) to create a passkey / u2f assertion and attestation. This is useful in cases where the login UI is served under a different domain / origin than the ZITADEL API.
2025-08-11 19:07:30 +00:00 · 2023-06-27 14:36:07 +02:00
parent d0cda1b479
commit bd5defa96a
32 changed files with 287 additions and 123 deletions
--- a/internal/command/user_v2_u2f_test.go
+++ b/internal/command/user_v2_u2f_test.go
@@ -37,6 +37,7 @@ func TestCommands_RegisterUserU2F(t *testing.T) {
 	type args struct {
 		userID        string
 		resourceOwner string
+		rpID          string
 	}
 	tests := []struct {
 		name    string
@@ -114,7 +115,7 @@ func TestCommands_RegisterUserU2F(t *testing.T) {
 				idGenerator:    tt.fields.idGenerator,
 				webauthnConfig: webauthnConfig,
 			}
-			_, err := c.RegisterUserU2F(ctx, tt.args.userID, tt.args.resourceOwner)
+			_, err := c.RegisterUserU2F(ctx, tt.args.userID, tt.args.resourceOwner, tt.args.rpID)
 			require.ErrorIs(t, err, tt.wantErr)
 			// successful case can't be tested due to random challenge.
 		})
@@ -160,7 +161,7 @@ func TestCommands_pushUserU2F(t *testing.T) {
 		expectFilter(eventFromEventPusher(
 			user.NewHumanWebAuthNAddedEvent(eventstore.NewBaseEventForPush(
 				ctx, &org.NewAggregate("org1").Aggregate, user.HumanPasswordlessTokenAddedType,
-			), "111", "challenge"),
+			), "111", "challenge", "rpID"),
 		)),
 	}

@@ -174,7 +175,7 @@ func TestCommands_pushUserU2F(t *testing.T) {
 			expectPush: func(challenge string) expect {
 				return expectPushFailed(io.ErrClosedPipe, []*repository.Event{eventFromEventPusher(
 					user.NewHumanU2FAddedEvent(ctx,
-						userAgg, "123", challenge,
+						userAgg, "123", challenge, "rpID",
 					),
 				)})
 			},
@@ -185,7 +186,7 @@ func TestCommands_pushUserU2F(t *testing.T) {
 			expectPush: func(challenge string) expect {
 				return expectPush([]*repository.Event{eventFromEventPusher(
 					user.NewHumanU2FAddedEvent(ctx,
-						userAgg, "123", challenge,
+						userAgg, "123", challenge, "rpID",
 					),
 				)})
 			},
@@ -198,7 +199,7 @@ func TestCommands_pushUserU2F(t *testing.T) {
 				webauthnConfig: webauthnConfig,
 				idGenerator:    id_mock.NewIDGeneratorExpectIDs(t, "123"),
 			}
-			wm, userAgg, webAuthN, err := c.createUserPasskey(ctx, "user1", "org1", domain.AuthenticatorAttachmentCrossPlattform)
+			wm, userAgg, webAuthN, err := c.createUserPasskey(ctx, "user1", "org1", "rpID", domain.AuthenticatorAttachmentCrossPlattform)
 			require.NoError(t, err)

 			c.eventstore = eventstoreExpect(t, tt.expectPush(webAuthN.Challenge))