fix(core): bind WebAuthn rpId to request domain for account api (#7764)

* fix(core): bind WebAuthn rpId to request domain for account api

* chore: update chageset description

Author: xiaoyijun

.changeset/thin-walls-tap.md

@@ -0,0 +1,9 @@
+---
+"@logto/integration-tests": patch
+"@logto/core": patch
+---
+
+fix(core): bind WebAuthn `rpId` to request domain for account api
+
+- Before: WebAuthn registration via the account API always bound passkeys to the Logto default domain.
+- After: The `rpId` now matches the domain you use to access the API (including custom domains), consistent with the sign-in experience.

packages/core/src/routes/verification/index.ts

@@ -14,7 +14,6 @@ import { z } from 'zod';
 
 import koaGuard from '#src/middleware/koa-guard.js';
 
-import { EnvSet, getTenantEndpoint } from '../../env-set/index.js';
 import {
   buildVerificationRecordByIdAndType,
   insertVerificationRecord,
@@ -251,6 +250,13 @@ export default function verificationRoutes<T extends UserRouter>(
     }
   );
 
+  /**
+   * WebAuthn registration (passkey binding)
+   *
+   * The rpId must be exactly the domain from which this API is accessed.
+   * This keeps behavior aligned with the experience flow.
+   *
+   */
   router.post(
     `${verificationApiPrefix}/web-authn/registration`,
     koaGuard({
@@ -262,21 +268,16 @@ export default function verificationRoutes<T extends UserRouter>(
       status: [200],
     }),
     async (ctx, next) => {
-      const { id: userId } = ctx.auth;
-
-      // If custom domain is enabled, use the custom domain as the RP ID.
-      // Otherwise, use the default tenant hostname as the RP ID.
-      // The background is that a passkey must be registered with a specific RP ID, which is a domain.
-      // In the future, we will support specifying the RP ID.
-      const domain = await queries.domains.findActiveDomain(tenantContext.id);
-      const rpId = domain
-        ? domain.domain
-        : getTenantEndpoint(tenantContext.id, EnvSet.values).hostname;
+      const {
+        auth: { id: userId },
+        URL: { hostname },
+      } = ctx;
 
       const webAuthnVerification = WebAuthnVerification.create(libraries, queries, userId);
 
-      const registrationOptions =
-        await webAuthnVerification.generateWebAuthnRegistrationOptions(rpId);
+      const registrationOptions = await webAuthnVerification.generateWebAuthnRegistrationOptions(
+        hostname // RP ID: Use the domain of the current API request (custom domain supported)
+      );
 
       const { expiresAt } = await insertVerificationRecord(webAuthnVerification, queries, userId);
 

packages/integration-tests/src/tests/api/account/mfa-webauthn.test.ts

@@ -6,6 +6,7 @@ import {
   createWebAuthnRegistrationOptions,
   verifyWebAuthnRegistration,
 } from '#src/api/verification-record.js';
+import { logtoUrl } from '#src/constants.js';
 import { expectRejects } from '#src/helpers/index.js';
 import {
   createDefaultTenantUserWithPassword,
@@ -40,7 +41,7 @@ describe('my-account (mfa - WebAuthn)', () => {
         await createWebAuthnRegistrationOptions(api);
 
       expect(verificationRecordId).toBeTruthy();
-      expect(registrationOptions.rp.name).toBe('localhost');
+      expect(registrationOptions.rp.name).toBe(new URL(logtoUrl).hostname);
       expect(registrationOptions.user.displayName).toBe(user.username);
 
       await deleteDefaultTenantUser(user.id);
@@ -60,7 +61,8 @@ describe('my-account (mfa - WebAuthn)', () => {
         },
       } = await createWebAuthnRegistrationOptions(api);
 
-      const rawId = Buffer.from(rpId ?? 'localhost')
+      const expectedHost = new URL(logtoUrl).hostname;
+      const rawId = Buffer.from(rpId ?? expectedHost)
         .toString('base64')
         .replaceAll('+', '-')
         .replaceAll('/', '_')
@@ -78,7 +80,7 @@ describe('my-account (mfa - WebAuthn)', () => {
               JSON.stringify({
                 type: 'webauthn.create',
                 challenge,
-                origin: 'http://localhost:3001',
+                origin: logtoUrl,
                 crossOrigin: false,
               })
             ).toString('base64url'),