feat(webauthn): allow native Android origins

with the format: android:apk-key-hash:<base64Url-string-without-padding-of-fingerprint>

Author: JeanLuX

src/main/java/io/supertokens/webauthn/validator/OptionsValidator.java

@@ -40,6 +40,35 @@ public static void validateOptions(String origin, String rpId, Long timeout, Str
     }
 
     private static void validateOrigin(String origin, String rpId) throws InvalidWebauthNOptionsException {
+        // Support Android origins (android:apk-key-hash:<base64-hash>)
+        if (origin.startsWith("android:apk-key-hash:")) {
+            String hash = origin.substring("android:apk-key-hash:".length());
+
+            // Validate that the hash is not empty
+            if (hash.isEmpty()) {
+                throw new InvalidWebauthNOptionsException("Android origin must contain a valid base64 hash");
+            }
+
+            // Validate base64 format (alphanumeric, +, /, = and proper length)
+            if (!hash.matches("^[A-Za-z0-9+/]+=*$")) {
+                throw new InvalidWebauthNOptionsException("Android origin hash must be valid base64");
+            }
+
+            // Validate base64 padding (length must be multiple of 4 when considering padding)
+            if (hash.length() % 4 != 0) {
+                throw new InvalidWebauthNOptionsException("Android origin hash has invalid base64 padding");
+            }
+
+            // Validate that padding is only at the end
+            int paddingIndex = hash.indexOf('=');
+            if (paddingIndex != -1 && paddingIndex < hash.length() - 2) {
+                throw new InvalidWebauthNOptionsException("Android origin hash has invalid base64 padding");
+            }
+
+            return;
+        }
+
+        // Validate standard HTTP/HTTPS origins
         try {
             URL originUrl = new URL(origin);
             if (!originUrl.getHost().endsWith(rpId)) {

src/test/java/io/supertokens/test/webauthn/Utils.java

@@ -102,11 +102,15 @@ public static JsonObject registerCredentialForUser(Main main, String email, Stri
     }
 
     public static JsonObject registerOptions(Main main, String email) throws HttpResponseException, IOException {
+        return registerOptions(main, email, "http://example.com");
+    }
+
+    public static JsonObject registerOptions(Main main, String email, String origin) throws HttpResponseException, IOException {
         JsonObject requestBody = new JsonObject();
         requestBody.addProperty("email",email);
         requestBody.addProperty("relyingPartyName","supertokens.com");
         requestBody.addProperty("relyingPartyId","example.com");
-        requestBody.addProperty("origin","http://example.com");
+        requestBody.addProperty("origin", origin);
         requestBody.addProperty("timeout",10000);
 
         JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
@@ -117,10 +121,14 @@ public static JsonObject registerOptions(Main main, String email) throws HttpRes
     }
 
     public static JsonObject signInOptions(Main main) throws HttpResponseException, IOException {
+        return signInOptions(main, "http://example.com");
+    }
+
+    public static JsonObject signInOptions(Main main, String origin) throws HttpResponseException, IOException {
         JsonObject requestBody = new JsonObject();
         requestBody.addProperty("relyingPartyName","supertokens.com");
         requestBody.addProperty("relyingPartyId","example.com");
-        requestBody.addProperty("origin","http://example.com");
+        requestBody.addProperty("origin", origin);
         requestBody.addProperty("timeout",10000);
         requestBody.addProperty("userVerification","preferred");
         requestBody.addProperty("userPresence",false);

src/test/java/io/supertokens/test/webauthn/api/TestAndroidOriginValidation.java

@@ -0,0 +1,299 @@
+package io.supertokens.test.webauthn.api;
+
+import com.google.gson.JsonObject;
+import io.supertokens.ProcessState;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.httpRequest.HttpRequestForTesting;
+import io.supertokens.test.httpRequest.HttpResponseException;
+import io.supertokens.utils.SemVer;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import static org.junit.Assert.*;
+
+public class TestAndroidOriginValidation {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @Rule
+    public TestRule retryFlaky = Utils.retryFlakyTest();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+    }
+
+    @Test
+    public void testValidAndroidOrigin() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject req = new JsonObject();
+        req.addProperty("email", "[email protected]");
+        req.addProperty("relyingPartyName", "Example");
+        req.addProperty("relyingPartyId", "example.com");
+        req.addProperty("origin", "android:apk-key-hash:Lir5oIjf552K/XN4bTul0VS2aiE=");
+
+        try {
+            JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                    "http://localhost:3567/recipe/webauthn/options/register", req, 1000, 1000, null,
+                    SemVer.v5_3.get(), "webauthn");
+            assertEquals("OK", resp.get("status").getAsString());
+        } catch (HttpResponseException e) {
+            fail("Valid Android origin should be accepted: " + e.getMessage());
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testValidAndroidOriginWithLongerHash() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject req = new JsonObject();
+        req.addProperty("email", "[email protected]");
+        req.addProperty("relyingPartyName", "Example");
+        req.addProperty("relyingPartyId", "example.com");
+        req.addProperty("origin", "android:apk-key-hash:dGVzdHRlc3R0ZXN0dGVzdHRlc3Q0NTY3ODk=");
+
+        try {
+            JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                    "http://localhost:3567/recipe/webauthn/options/register", req, 1000, 1000, null,
+                    SemVer.v5_3.get(), "webauthn");
+            assertEquals("OK", resp.get("status").getAsString());
+        } catch (HttpResponseException e) {
+            fail("Valid Android origin with longer hash should be accepted: " + e.getMessage());
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testAndroidOriginWithEmptyHash() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject req = new JsonObject();
+        req.addProperty("email", "[email protected]");
+        req.addProperty("relyingPartyName", "Example");
+        req.addProperty("relyingPartyId", "example.com");
+        req.addProperty("origin", "android:apk-key-hash:");
+
+        JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                "http://localhost:3567/recipe/webauthn/options/register", req, 1000, 1000, null,
+                SemVer.v5_3.get(), "webauthn");
+        assertEquals("INVALID_OPTIONS_ERROR", resp.get("status").getAsString());
+        assertTrue(resp.get("reason").getAsString().contains("Android origin must contain a valid base64 hash"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testAndroidOriginWithInvalidCharacters() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject req = new JsonObject();
+        req.addProperty("email", "[email protected]");
+        req.addProperty("relyingPartyName", "Example");
+        req.addProperty("relyingPartyId", "example.com");
+        req.addProperty("origin", "android:apk-key-hash:invalid@hash#with$special!");
+
+        JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                "http://localhost:3567/recipe/webauthn/options/register", req, 1000, 1000, null,
+                SemVer.v5_3.get(), "webauthn");
+        assertEquals("INVALID_OPTIONS_ERROR", resp.get("status").getAsString());
+        assertTrue(resp.get("reason").getAsString().contains("Android origin hash must be valid base64"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testAndroidOriginWithInvalidLength() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject req = new JsonObject();
+        req.addProperty("email", "[email protected]");
+        req.addProperty("relyingPartyName", "Example");
+        req.addProperty("relyingPartyId", "example.com");
+        req.addProperty("origin", "android:apk-key-hash:abc");
+
+        JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                "http://localhost:3567/recipe/webauthn/options/register", req, 1000, 1000, null,
+                SemVer.v5_3.get(), "webauthn");
+        assertEquals("INVALID_OPTIONS_ERROR", resp.get("status").getAsString());
+        assertTrue(resp.get("reason").getAsString().contains("Android origin hash has invalid base64 padding"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testAndroidOriginWithInvalidPadding() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject req = new JsonObject();
+        req.addProperty("email", "[email protected]");
+        req.addProperty("relyingPartyName", "Example");
+        req.addProperty("relyingPartyId", "example.com");
+        req.addProperty("origin", "android:apk-key-hash:test=abc");
+
+        JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                "http://localhost:3567/recipe/webauthn/options/register", req, 1000, 1000, null,
+                SemVer.v5_3.get(), "webauthn");
+        assertEquals("INVALID_OPTIONS_ERROR", resp.get("status").getAsString());
+        assertTrue(resp.get("reason").getAsString().contains("Android origin hash must be valid base64"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testAndroidOriginForSignInOptions() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject req = new JsonObject();
+        req.addProperty("relyingPartyName", "Example");
+        req.addProperty("relyingPartyId", "example.com");
+        req.addProperty("origin", "android:apk-key-hash:Lir5oIjf552K/XN4bTul0VS2aiE=");
+        req.addProperty("timeout", 10000);
+        req.addProperty("userVerification", "preferred");
+        req.addProperty("userPresence", false);
+
+        try {
+            JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                    "http://localhost:3567/recipe/webauthn/options/signin", req, 1000, 1000, null,
+                    SemVer.v5_3.get(), "webauthn");
+            assertEquals("OK", resp.get("status").getAsString());
+        } catch (HttpResponseException e) {
+            fail("Valid Android origin should be accepted for signin options: " + e.getMessage());
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testMixedOriginsSupport() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        // Test that regular HTTP origins still work
+        JsonObject req1 = new JsonObject();
+        req1.addProperty("email", "[email protected]");
+        req1.addProperty("relyingPartyName", "Example");
+        req1.addProperty("relyingPartyId", "example.com");
+        req1.addProperty("origin", "http://example.com");
+
+        try {
+            JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                    "http://localhost:3567/recipe/webauthn/options/register", req1, 1000, 1000, null,
+                    SemVer.v5_3.get(), "webauthn");
+            assertEquals("OK", resp.get("status").getAsString());
+        } catch (HttpResponseException e) {
+            fail("Regular HTTP origin should still work: " + e.getMessage());
+        }
+
+        // Test that HTTPS origins still work
+        JsonObject req2 = new JsonObject();
+        req2.addProperty("email", "[email protected]");
+        req2.addProperty("relyingPartyName", "Example");
+        req2.addProperty("relyingPartyId", "example.com");
+        req2.addProperty("origin", "https://example.com");
+
+        try {
+            JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                    "http://localhost:3567/recipe/webauthn/options/register", req2, 1000, 1000, null,
+                    SemVer.v5_3.get(), "webauthn");
+            assertEquals("OK", resp.get("status").getAsString());
+        } catch (HttpResponseException e) {
+            fail("Regular HTTPS origin should still work: " + e.getMessage());
+        }
+
+        // Test that Android origins work
+        JsonObject req3 = new JsonObject();
+        req3.addProperty("email", "[email protected]");
+        req3.addProperty("relyingPartyName", "Example");
+        req3.addProperty("relyingPartyId", "example.com");
+        req3.addProperty("origin", "android:apk-key-hash:Lir5oIjf552K/XN4bTul0VS2aiE=");
+
+        try {
+            JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(process.getProcess(), "",
+                    "http://localhost:3567/recipe/webauthn/options/register", req3, 1000, 1000, null,
+                    SemVer.v5_3.get(), "webauthn");
+            assertEquals("OK", resp.get("status").getAsString());
+        } catch (HttpResponseException e) {
+            fail("Android origin should work alongside HTTP/HTTPS origins: " + e.getMessage());
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+}