From 4043e297b0db5b80f438f5d7183c51ece4df7eb3 Mon Sep 17 00:00:00 2001 From: Baobhan Sith <80159437+Heavrnl@users.noreply.github.com> Date: Sun, 27 Apr 2025 00:12:04 +0800 Subject: [PATCH] update --- packages/backend/src/auth/auth.controller.ts | 18 +++++++++- .../backend/src/services/passkey.service.ts | 36 +++++++++++++------ 2 files changed, 43 insertions(+), 11 deletions(-) diff --git a/packages/backend/src/auth/auth.controller.ts b/packages/backend/src/auth/auth.controller.ts index ac7eb6d..d154ae1 100644 --- a/packages/backend/src/auth/auth.controller.ts +++ b/packages/backend/src/auth/auth.controller.ts @@ -423,7 +423,13 @@ export const generatePasskeyRegistrationOptions = async (req: Request, res: Resp } try { - const options = await passkeyService.generateRegistrationOptions(username); + // 从请求中获取 hostname + const hostname = req.hostname; + // 注意: 确保 Express 配置了 'trust proxy' 如果应用在反向代理后面, + // 否则 req.hostname 可能返回不正确的值 (例如 'localhost')。 + // 可以在 Express 初始化时设置 app.set('trust proxy', true); + + const options = await passkeyService.generateRegistrationOptions(hostname, username); // 将 challenge 存储在 session 中,用于后续验证 req.session.currentChallenge = options.challenge; @@ -462,9 +468,19 @@ export const verifyPasskeyRegistration = async (req: Request, res: Response): Pr delete req.session.currentChallenge; try { + // 从请求中获取 hostname 和 origin + const hostname = req.hostname; + // 尝试从 Origin header 获取,如果不存在,则根据协议和主机名构造 + const originHeader = req.get('origin'); + const origin = originHeader || `${req.protocol}://${req.get('host')}`; // req.get('host') 包含端口 + + // 再次提醒: 确保 Express 配置了 'trust proxy' + const verification = await passkeyService.verifyRegistration( registrationResponse, expectedChallenge, + hostname, + origin, name ); diff --git a/packages/backend/src/services/passkey.service.ts b/packages/backend/src/services/passkey.service.ts index 2578406..f2a174d 100644 --- a/packages/backend/src/services/passkey.service.ts +++ b/packages/backend/src/services/passkey.service.ts @@ -19,11 +19,9 @@ import { PasskeyRepository, PasskeyRecord } from '../repositories/passkey.reposi // 定义 Relying Party (RP) 信息 - 这些应该来自配置或设置 const rpName = 'Nexus Terminal'; -// 重要: rpID 应该是你的网站域名 (不包含协议和端口) -// 对于本地开发,通常是 'localhost' -const rpID = process.env.NODE_ENV === 'development' ? 'localhost' : 'YOUR_PRODUCTION_DOMAIN'; // 需要替换为实际域名 -// 重要: origin 应该是你的前端应用的完整源 (包含协议和端口) -const expectedOrigin = process.env.FRONTEND_URL || 'http://localhost:5173'; // 确保与前端 URL 匹配 +// rpID 和 expectedOrigin 将从请求动态获取,不再在此处硬编码 +// const rpID = process.env.NODE_ENV === 'development' ? 'localhost' : 'YOUR_PRODUCTION_DOMAIN'; +// const expectedOrigin = process.env.FRONTEND_URL || 'http://localhost:5173'; export class PasskeyService { private passkeyRepository: PasskeyRepository; @@ -36,10 +34,13 @@ export class PasskeyService { /** * 生成 Passkey 注册选项 (挑战) + * @param hostname 请求的主机名 (例如 'myapp.example.com' 或 'localhost') + * @param userName WebAuthn 需要的用户名 */ - async generateRegistrationOptions(userName: string = 'nexus-user') { // WebAuthn 需要一个用户名 + async generateRegistrationOptions(hostname: string, userName: string = 'nexus-user') { // 暂时不获取已存在的凭证,允许同一用户注册多个设备 + const rpID = hostname; // 使用请求的主机名作为 RP ID const options: GenerateRegistrationOptionsOpts = { rpName, @@ -64,19 +65,26 @@ export class PasskeyService { * 验证 Passkey 注册响应 * @param registrationResponse 来自客户端的注册响应 * @param expectedChallenge 之前生成的、临时存储的挑战 + * @param hostname 请求的主机名 + * @param origin 请求的源 (例如 'https://myapp.example.com' 或 'http://localhost:5173') * @param passkeyName 用户为这个 Passkey 起的名字 (可选) */ async verifyRegistration( registrationResponse: RegistrationResponseJSON, expectedChallenge: string, + hostname: string, + origin: string, passkeyName?: string ): Promise { + const expectedRPID = hostname; + const expectedOrigin = origin; + const verificationOptions: VerifyRegistrationResponseOpts = { response: registrationResponse, expectedChallenge: expectedChallenge, expectedOrigin: expectedOrigin, - expectedRPID: rpID, + expectedRPID: expectedRPID, requireUserVerification: true, // 强制要求用户验证, simplewebauthn defaults this to true now }; @@ -120,9 +128,11 @@ export class PasskeyService { /** * 生成 Passkey 认证选项 (挑战) + * @param hostname 请求的主机名 */ - async generateAuthenticationOptions(): Promise> { + async generateAuthenticationOptions(hostname: string): Promise> { + const rpID = hostname; const options: GenerateAuthenticationOptionsOpts = { rpID, @@ -142,10 +152,14 @@ export class PasskeyService { * 验证 Passkey 认证响应 * @param authenticationResponse 来自客户端的认证响应 * @param expectedChallenge 之前生成的、临时存储的挑战 + * @param hostname 请求的主机名 + * @param origin 请求的源 */ async verifyAuthentication( authenticationResponse: AuthenticationResponseJSON, - expectedChallenge: string + expectedChallenge: string, + hostname: string, + origin: string ): Promise { const credentialIdBase64Url = authenticationResponse.id; // 客户端传回的 ID 已经是 Base64URL @@ -155,12 +169,14 @@ export class PasskeyService { throw new Error(`未找到 Credential ID 为 ${credentialIdBase64Url} 的认证器`); } + const expectedRPID = hostname; + const expectedOrigin = origin; const verificationOptions: VerifyAuthenticationResponseOpts = { response: authenticationResponse, expectedChallenge: expectedChallenge, expectedOrigin: expectedOrigin, - expectedRPID: rpID, + expectedRPID: expectedRPID, authenticator: { credentialID: Buffer.from(authenticator.credential_id, 'base64url'),