fix: enhance preset verification for Capacitor and custom schemes

broody · broody · commit 2368fc6e180a · 2026-02-03T15:11:35.000-10:00
- Added capacitor:// to the automatic verification bypass (alongside localhost)
- Improved isOriginVerified to support full origin matching and custom schemes
- Refactored allowedOrigins calculation for consistency
diff --git a/packages/keychain/src/hooks/connection.ts b/packages/keychain/src/hooks/connection.ts
@@ -429,11 +429,6 @@ export function useConnectionValue() {
       return;
     }
 
-    if (!configData.origin) {
-      setVerified(false);
-      return;
-    }
-
     const allowedOrigins = toArray(configData.origin as string | string[]);
 
     // In standalone mode (not iframe), verify preset if redirect_url matches preset whitelist
@@ -446,8 +441,10 @@ export function useConnectionValue() {
           const redirectUrlObj = new URL(redirectUrl);
           const redirectOrigin = redirectUrlObj.origin;
 
-          // Always consider localhost as verified for development
-          const isLocalhost = redirectOrigin.includes("localhost");
+          // Always consider localhost and capacitor as verified for development
+          const isLocalhost =
+            redirectOrigin.includes("localhost") ||
+            redirectOrigin.startsWith("capacitor://");
           const isOriginAllowed = isOriginVerified(
             redirectOrigin,
             allowedOrigins,
@@ -466,10 +463,16 @@ export function useConnectionValue() {
       return;
     }
 
+    if (!configData.origin) {
+      setVerified(false);
+      return;
+    }
+
     // Embedded mode: verify against parent origin
-    // Always consider localhost as verified for development (not 127.0.0.1)
+    // Always consider localhost and capacitor as verified for development (not 127.0.0.1)
     if (origin) {
-      const isLocalhost = origin.includes("localhost");
+      const isLocalhost =
+        origin.includes("localhost") || origin.startsWith("capacitor://");
       const isOriginAllowed = isOriginVerified(origin, allowedOrigins);
       const finalVerified = isLocalhost || isOriginAllowed;
       setVerified(finalVerified);
@@ -839,6 +842,11 @@ export function isOriginVerified(
     const currentHostname = originUrl.hostname;
 
     return allowedOrigins.some((allowedOrigin) => {
+      // Check for exact origin match (including scheme)
+      if (origin === allowedOrigin || originUrl.origin === allowedOrigin) {
+        return true;
+      }
+
       // Check for wildcard subdomain matching
       if (allowedOrigin.startsWith("*.")) {
         const baseDomain = allowedOrigin.substring(2);
