fix: pass topOriginValidator to CheckTopOrigin in requestCeremony() (#821)

Spomky · claude · web-flow · commit 6cdbfa3104d6 · 2026-03-23T22:59:24.000+01:00
* fix: pass topOriginValidator to CheckTopOrigin in requestCeremony() The custom TopOriginValidator set via enableTopOriginValidator() was only passed to CheckTopOrigin in creationCeremony() but not in requestCeremony(), causing the fallback HostTopOriginValidator to always be used during authentication. This broke cross-origin iframe scenarios where topOrigin differs from the host. Fixes #816 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: make enableTopOriginValidator actually enable the validation Previously, CheckTopOrigin always validated the top origin using a fallback HostTopOriginValidator when no custom validator was set. This made enableTopOriginValidator() misleading since validation was always active regardless. Now, when no TopOriginValidator is configured, the top origin check is skipped entirely. Calling enableTopOriginValidator() truly enables the validation, matching the method's name and intent. Fixes #816 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php b/src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php
@@ -169,7 +169,7 @@ public function requestCeremony(): CeremonyStepManager
                 $this->allowSubdomains,
                 $this->securedRelyingPartyId ?? []
             ),
-            new CheckTopOrigin(),
+            new CheckTopOrigin($this->topOriginValidator),
             new CheckRelyingPartyIdIdHash(),
             new CheckUserWasPresent(),
             new CheckUserVerification(),
diff --git a/src/webauthn/src/CeremonyStep/CheckTopOrigin.php b/src/webauthn/src/CeremonyStep/CheckTopOrigin.php
@@ -33,9 +33,8 @@ public function process(
             throw AuthenticatorResponseVerificationException::create('The response is not cross-origin.');
         }
         if ($this->topOriginValidator === null) {
-            (new HostTopOriginValidator($host))->validate($topOrigin);
-        } else {
-            $this->topOriginValidator->validate($topOrigin);
+            return;
         }
+        $this->topOriginValidator->validate($topOrigin);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -33,9 +33,8 @@ public function process(`
`33`	`33`	`throw AuthenticatorResponseVerificationException::create('The response is not cross-origin.');`
`34`	`34`	`}`
`35`	`35`	`if ($this->topOriginValidator === null) {`
`36`		`- (new HostTopOriginValidator($host))->validate($topOrigin);`
`37`		`- } else {`
`38`		`- $this->topOriginValidator->validate($topOrigin);`
	`36`	`+ return;`
`39`	`37`	`}`
	`38`	`+ $this->topOriginValidator->validate($topOrigin);`
`40`	`39`	`}`
`41`	`40`	`}`