feat(keychain): tighten capacitor origin verification (#2375)

This PR tightens the Capacitor origin verification in the Keychain to
only auto-verify the default 'localhost' origin. Custom Capacitor
hostnames now require explicit authorization in the project's preset
origins.

### Changes:
- **Keychain**: Updated to check for exact match instead of any prefix.
- **Capacitor Example**: 
  - Updated  to use a custom hostname .
- Updated with security guidance on custom hostnames and how to
authorize them in presets.

This improves security by preventing malicious Capacitor apps from
spoofing verified origins just by using the scheme.

Author: broody

examples/capacitor/README.md

@@ -78,3 +78,32 @@ Add an intent filter for the custom scheme in
   intercept it with `@capacitor/browser` to ensure the system browser opens.
 - After authorizing the session in the browser, return to the app to complete
   the flow.
+
+## Security and Custom Hostnames
+
+By default, Capacitor apps use `localhost` as the hostname (`capacitor://localhost` on iOS). For production apps, it is recommended to set a custom hostname to prevent other Capacitor apps from potentially spoofing your origin.
+
+1. Set a custom hostname and schemes in `capacitor.config.ts`:
+
+```typescript
+server: {
+  hostname: "my-custom-app",
+  iosScheme: "capacitor",
+  androidScheme: "https"
+}
+```
+
+2. Add the hostname to the `origin` list in your Controller preset configuration. The Keychain will only verify custom Capacitor origins if the hostname is explicitly authorized in your preset.
+
+Example preset configuration:
+
+```json
+{
+  "origin": ["my-custom-app"],
+  ...
+}
+```
+
+This ensures that your app is verified on both iOS (`capacitor://my-custom-app`) and Android (`https://my-custom-app`).
+
+Note: Default `localhost` origins are always allowed for development convenience.

examples/capacitor/capacitor.config.ts

@@ -4,6 +4,11 @@ const config: CapacitorConfig = {
   appId: "gg.cartridge.controller.capacitor",
   appName: "Cartridge Session",
   webDir: "dist",
+  server: {
+    hostname: "controller-capacitor", // Recommended: Set a custom hostname for production
+    androidScheme: "https",
+    iosScheme: "capacitor",
+  },
 };
 
 export default config;

packages/keychain/src/hooks/connection.ts

@@ -441,10 +441,10 @@ export function useConnectionValue() {
           const redirectUrlObj = new URL(redirectUrl);
           const redirectOrigin = redirectUrlObj.origin;
 
-          // Always consider localhost and capacitor as verified for development
+          // Always consider localhost and default capacitor as verified for development
           const isLocalhost =
             redirectOrigin.includes("localhost") ||
-            redirectOrigin.startsWith("capacitor://");
+            redirectOrigin === "capacitor://localhost";
           const isOriginAllowed = isOriginVerified(
             redirectOrigin,
             allowedOrigins,
@@ -469,10 +469,10 @@ export function useConnectionValue() {
     }
 
     // Embedded mode: verify against parent origin
-    // Always consider localhost and capacitor as verified for development (not 127.0.0.1)
+    // Always consider localhost and default capacitor as verified for development (not 127.0.0.1)
     if (origin) {
       const isLocalhost =
-        origin.includes("localhost") || origin.startsWith("capacitor://");
+        origin.includes("localhost") || origin === "capacitor://localhost";
       const isOriginAllowed = isOriginVerified(origin, allowedOrigins);
       const finalVerified = isLocalhost || isOriginAllowed;
       setVerified(finalVerified);