Use dynamic RP ID (#2746)

* Use dynamic RP ID * CR review changes
dfinity · Dec 13, 2024 · 411ed8a · 411ed8a
1 parent 860baae
commit 411ed8a
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/src/frontend/src/utils/multiWebAuthnIdentity.ts b/src/frontend/src/utils/multiWebAuthnIdentity.ts
@@ -7,12 +7,15 @@
  *   then we know which one the user is actually using
  * - It doesn't support creating credentials; use `WebAuthnIdentity` for that
  */
+import { DOMAIN_COMPATIBILITY } from "$src/featureFlags";
 import { PublicKey, Signature, SignIdentity } from "@dfinity/agent";
 import { DER_COSE_OID, unwrapDER, WebAuthnIdentity } from "@dfinity/identity";
 import { isNullish } from "@dfinity/utils";
 import borc from "borc";
 import { CredentialData } from "./credential-devices";
+import { findWebAuthnRpId, relatedDomains } from "./findWebAuthnRpId";
 import { bufferEqual } from "./iiConnection";
+import { supportsWebauthRoR } from "./userAgent";
 
 /**
  * A SignIdentity that uses `navigator.credentials`. See https://webauthn.guide/ for
@@ -64,6 +67,16 @@ export class MultiWebAuthnIdentity extends SignIdentity {
       return this._actualIdentity.sign(blob);
     }
 
+    const rpId =
+      DOMAIN_COMPATIBILITY.isEnabled() &&
+      supportsWebauthRoR(window.navigator.userAgent)
+        ? findWebAuthnRpId(
+            window.location.origin,
+            this.credentialData,
+            relatedDomains()
+          )
+        : undefined;
+
     const result = (await navigator.credentials.get({
       publicKey: {
         allowCredentials: this.credentialData.map((cd) => ({
@@ -72,6 +85,7 @@ export class MultiWebAuthnIdentity extends SignIdentity {
         })),
         challenge: blob,
         userVerification: "discouraged",
+        rpId,
       },
     })) as PublicKeyCredential;